318 Part Two Information Technology Infrastructure
to be used for security applications, with many PC laptops (and some smart-
phones) equipped with fingerprint identification devices and some models
with built-in webcams and face recognition software. Financial service firms
such as Vanguard and Fidelity have implemented voice authentication systems
for their clients.
The steady stream of incidents in which hackers have been able to access
traditional passwords highlights the need for more secure means of authentica-
tion. Two-factor authentication increases security by validating users through
a multistep process. To be authenticated, a user must provide two means of
identification, one of which is typically a physical token, such as a smartcard
or chip-enabled bank card, and the other of which is typically data, such as
a password or personal identification number (PIN). Biometric data, such as
fingerprints, iris prints, or voice prints, can also be used as one of the authenti-
cating mechanisms. A common example of two-factor authentication is a bank
card; the card itself is the physical item, and the PIN is the other piece of data
that goes with it.
Firewalls, Intrusion Detection Systems, and
Anti-malware Software
Without protection against malware and intruders, connecting to the Internet
would be very dangerous. Firewalls, intrusion detection systems, and anti-
malware software have become essential business tools.
Firewalls
Firewalls prevent unauthorized users from accessing private networks. A
firewall is a combination of hardware and software that controls the flow of
incoming and outgoing network traffic. It is generally placed between the orga-
nization’s private internal networks and distrusted external networks, such as
the Internet, although firewalls can also be used to protect one part of a com-
pany’s network from the rest of the network (see Figure 8.5).
The firewall acts like a gatekeeper that examines each user’s credentials be-
fore it grants access to a network. The firewall identifies names, IP addresses,
applications, and other characteristics of incoming traffic. It checks this infor-
mation against the access rules that the network administrator has programmed
into the system. The firewall prevents unauthorized communication into and
out of the network.
In large organizations, the firewall often resides on a specially designated
computer separate from the rest of the network, so no incoming request directly
accesses private network resources. There are a number of firewall screening
technologies, including static packet filtering, stateful inspection, Network
Address Translation, and application proxy filtering. They are frequently used
in combination to provide firewall protection.
Packet filtering examines selected fields in the headers of data packets flow-
ing back and forth between the trusted network and the Internet, examining
individual packets in isolation. This filtering technology can miss many types
of attacks.
Stateful inspection provides additional security by determining whether pack-
ets are part of an ongoing dialogue between a sender and a receiver. It sets up
state tables to track information over multiple packets. Packets are accepted
or rejected based on whether they are part of an approved conversation or at-
tempting to establish a legitimate connection.
Chapter 8 Securing Information Systems 319
FIGURE 8.5 A CORPORATE FIREWALL
The firewall is placed between the firm’s private network and the public Internet or another distrusted
network to protect against unauthorized traffic.
Internet Outer Web Inner Corporate
firewall server firewall systems
Databases
Policy
rules
LANs
Network Address Translation (NAT) can provide another layer of protection
when static packet filtering and stateful inspection are employed. NAT con-
ceals the IP addresses of the organization’s internal host computer(s) to prevent
sniffer programs outside the firewall from ascertaining them and using that
information to penetrate internal systems.
Application proxy filtering examines the application content of packets. A
proxy server stops data packets originating outside the organization, inspects
them, and passes a proxy to the other side of the firewall. If a user outside the
company wants to communicate with a user inside the organization, the out-
side user first communicates with the proxy application, and the proxy appli-
cation communicates with the firm’s internal computer. Likewise, a computer
user inside the organization goes through the proxy to talk with computers on
the outside.
To create a good firewall, an administrator must maintain detailed internal
rules identifying the people, applications, or addresses that are allowed or re-
jected. Firewalls can deter, but not completely prevent, network penetration
by outsiders and should be viewed as one element in an overall security plan.
Intrusion Detection Systems
In addition to firewalls, commercial security vendors now provide intrusion
detection tools and services to protect against suspicious network traffic and
attempts to access files and databases. Intrusion detection systems feature
full-time monitoring tools placed at the most vulnerable points or hot spots
of corporate networks to detect and deter intruders continually. The system
320 Part Two Information Technology Infrastructure
generates an alarm if it finds a suspicious or anomalous event. Scanning soft-
ware looks for patterns indicative of known methods of computer attacks such
as bad passwords, checks to see whether important files have been removed or
modified, and sends warnings of vandalism or system administration errors.
The intrusion detection tool can also be customized to shut down a particularly
sensitive part of a network if it receives unauthorized traffic.
Anti-malware Software
Defensive technology plans for both individuals and businesses must include
anti-malware protection for every computer. Anti-malware software prevents,
detects, and removes malware, including computer viruses, computer worms,
Trojan horses, spyware, and adware. However, most anti-malware software is
effective only against malware already known when the software was written.
To remain effective, the software must be continually updated. Even then it is
not always effective because some malware can evade detection. Organizations
need to use additional malware detection tools for better protection.
Unified Threat Management Systems
To help businesses reduce costs and improve manageability, security vendors
have combined into a single appliance various security tools, including firewalls,
virtual private networks, intrusion detection systems, and web content filtering
and anti-spam software. These comprehensive security management products
are called unified threat management (UTM) systems. UTM products are
available for all sizes of networks. Leading UTM vendors include Fortinent,
Sophos, and Check Point, and networking vendors such as Cisco Systems and
Juniper Networks provide some UTM capabilities in their products.
Securing Wireless Networks
The initial security standard developed for Wi-Fi, called Wired Equivalent
Privacy (WEP), is not very effective because its encryption keys are relatively
easy to crack. WEP provides some margin of security, however, if users remem-
ber to enable it. Corporations can further improve Wi-Fi security by using it
in conjunction with virtual private network (VPN) technology when accessing
internal corporate data.
In June 2004, the Wi-Fi Alliance industry trade group finalized the 802.11i
specification (also referred to as Wi-Fi Protected Access 2 or WPA2) that re-
places WEP with stronger security standards. Instead of the static encryption
keys used in WEP, the new standard uses much longer keys that continually
change, making them harder to crack. The most recent specification is WPA3,
introduced in 2018.
Encryption and Public Key Infrastructure
Many businesses use encryption to protect digital information that they store,
physically transfer, or send over the Internet. Encryption is the process of
transforming plain text or data into cipher text that cannot be read by anyone
other than the sender and the intended receiver. Data are encrypted by using a
secret numerical code, called an encryption key, that transforms plain data into
cipher text. The message must be decrypted by the receiver.
Two methods for encrypting network traffic on the web are SSL and S-HTTP.
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS),
enable client and server computers to manage encryption and decryption
Chapter 8 Securing Information Systems 321
activities as they communicate with each other during a secure web session.
Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for
encrypting data flowing over the Internet, but it is limited to individual mes-
sages, whereas SSL and TLS are designed to establish a secure connection be-
tween two computers.
The capability to generate secure sessions is built into Internet client browser
software and servers. The client and the server negotiate what key and what
level of security to use. Once a secure session is established between the client
and the server, all messages in that session are encrypted.
Two methods of encryption are symmetric key encryption and public key
encryption. In symmetric key encryption, the sender and receiver establish a
secure Internet session by creating a single encryption key and sending it to
the receiver so both the sender and receiver share the same key. The strength
of the encryption key is measured by its bit length. Today, a typical key will be
56 to 256 bits long (a string of from 56 to 256 binary digits) depending on the
level of security desired. The longer the key, the more difficult it is to break
the key. The downside is that the longer the key, the more computing power it
takes for legitimate users to process the information.
The problem with all symmetric encryption schemes is that the key itself
must be shared somehow among the senders and receivers, which exposes
the key to outsiders who might just be able to intercept and decrypt the key.
A more secure form of encryption called public key encryption uses two
keys: one shared (or public) and one totally private as shown in Figure 8.6. The
keys are mathematically related so that data encrypted with one key can be
decrypted using only the other key. To send and receive messages, communica-
tors first create separate pairs of private and public keys. The public key is kept
in a directory, and the private key must be kept secret. The sender encrypts a
message with the recipient’s public key. On receiving the message, the recipi-
ent uses his or her private key to decrypt it.
Digital certificates are data files used to establish the identity of users and
electronic assets for protection of online transactions (see Figure 8.7). A digital
certificate system uses a trusted third party, known as a certificate authority
(CA), to validate a user’s identity. There are many CAs in the United States and
around the world, including Symantec, GoDaddy, and Comodo.
The CA verifies a digital certificate user’s identity offline. This information is
put into a CA server, which generates an encrypted digital certificate contain-
ing owner identification information and a copy of the owner’s public key. The
certificate authenticates that the public key belongs to the designated owner.
FIGURE 8.6 PUBLIC KEY ENCRYPTION
A public key encryption system can be viewed as a series of public and private keys that lock data when they
are transmitted and unlock data when they are received. The sender locates the recipient’s public key in a di-
rectory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private
network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and
read the message.
Sender Scrambled Recipient
Message
Encrypt Decrypt
with with
public key private key
322 Part Two Information Technology Infrastructure
FIGURE 8.7 DIGITAL CERTIFICATES
Digital certificates help establish the identity of people or electronic assets. They protect
online transactions by providing secure, encrypted, online communication.
Institution/
individual
subject
Request
certificate
Certificate Internet Certification
received Digital Certificate Serial Number Authorities
Version
Issuer Name (CAs)
Issuance/Expiration Date Transaction partner:
Subject Name
Subject Public Key online merchant
CA Signature or customer
Other Information
The CA makes its own public key available either in print or perhaps on the
Internet. The recipient of an encrypted message uses the CA’s public key to
decode the digital certificate attached to the message, verifies it was issued by
the CA, and then obtains the sender’s public key and identification informa-
tion contained in the certificate. By using this information, the recipient can
send an encrypted reply. The digital certificate system would enable, for exam-
ple, a credit card user and a merchant to validate that their digital certificates
were issued by an authorized and trusted third party before they exchange data.
Public key infrastructure (PKI), the use of public key cryptography working
with a CA, is now widely used in e-commerce.
Securing Transactions with Blockchain
Blockchain, which we introduced in Chapter 6, is gaining attention as an alter-
native approach for securing transactions and establishing trust among mul-
tiple parties. A blockchain is a chain of digital “blocks” that contain records of
transactions. Each block is connected to all the blocks before and after it, and
the blockchains are continually updated and kept in sync This makes it difficult
to tamper with a single record because one would have to change the block con-
taining that record as well as those linked to it to avoid detection.
Once recorded, a blockchain transaction cannot be changed. The records in a
blockchain are secured through cryptography, and all transactions are encrypted.
Blockchain network participants have their own private keys that are assigned to
the transactions they create and act as a personal digital signature. If a record is
altered, the signature will become invalid, and the blockchain network will know
immediately that something is amiss. Because blockchains aren’t contained in a
central location, they don’t have a single point of failure and cannot be changed
from a single computer. Blockchain is especially suitable for environments with
high security requirements and mutually unknown actors.
Chapter 8 Securing Information Systems 323
Ensuring System Availability
As companies increasingly rely on digital networks for revenue and opera-
tions, they need to take additional steps to ensure that their systems and
a pplications are always available. Firms such as those in the airline and finan-
cial services industries with critical applications requiring online transaction
processing have traditionally used fault-tolerant computer systems for many
years to ensure 100 percent availability. In online transaction p rocessing,
transactions entered online are immediately processed by the computer.
Multitudinous changes to databases, reporting, and requests for information
occur each instant.
Fault-tolerant computer systems contain redundant hardware, software,
and power supply components that create an environment that provides
continuous, uninterrupted service. Fault-tolerant computers use special soft-
ware routines or self-checking logic built into their circuitry to detect hard-
ware failures and automatically switch to a backup device. Parts from these
computers can be removed and repaired without disruption to the computer
or downtime. Downtime refers to periods of time in which a system is not
operational.
Controlling Network Traffic: Deep Packet Inspection
Have you ever tried to use your campus network and found that it was very
slow? It may be because your fellow students are using the network to down-
load music or watch YouTube. Bandwidth-consuming applications such as
file-sharing programs, Internet phone service, and online video can clog and
slow down corporate networks, degrading performance. A technology called
deep packet inspection (DPI) helps solve this problem. DPI examines data
files and sorts out low-priority online material while assigning higher prior-
ity to business-critical files. Based on the priorities established by a network’s
operators, it decides whether a specific data packet can continue to its destina-
tion or should be blocked or delayed while more important traffic proceeds.
Security Outsourcing
Many companies, especially small businesses, lack the resources or expertise
to provide a secure high-availability computing environment on their own.
They can outsource many security functions to managed security service
providers (MSSPs) that monitor network activity and perform vulnerability
testing and intrusion detection. SecureWorks, AT&T, Verizon, IBM, Perimeter
eSecurity, and Symantec are leading providers of MSSP services.
Security Issues for Cloud Computing and the Mobile
Digital Platform
Although cloud computing and the emerging mobile digital platform have the
potential to deliver powerful benefits, they pose new challenges to system se-
curity and reliability. We now describe some of these challenges and how they
should be addressed.
Security in the Cloud
When processing takes place in the cloud, accountability and responsibility
for protection of sensitive data still reside with the company owning that data.
Understanding how the cloud computing provider organizes its services and
manages the data is critical (see the Interactive Session on Management).
324 Part Two Information Technology Infrastructure
INTERACTIVE SESSION MANAGEMENT
How Secure Is the Cloud?
Over the last several years, many companies have cloud services. Organizations using cloud services
altered their IT strategies to shift an increasing share often need to apply additional controls at the user,
of their applications and data to public-cloud infra- application, and data level.
structure and platforms. However, using the public
cloud disrupts traditional cybersecurity models that Cloud service providers have made great strides in
many companies have built up over years. As a re- tightening security for their areas of responsibility.
sult, as companies make use of the public cloud, Amazon’s security for its cloud service leaves little
they need to revise their cybersecurity practices to chance. The company keeps careful constraints
in order to consume public-cloud services in a way around its staff, watches what they do every day,
that enables them both to protect critical data and to and instructs service teams to restrict access to data
fully exploit the speed and agility that these services through tooling and automation. Amazon also rotates
provide. security credentials for authentication and verifi-
cation of identity and changes them frequently—
Managing security and privacy for cloud services sometimes in a matter of hours.
is similar to managing traditional IT infrastructures.
However, the risks may be different because some, The biggest threats to cloud data for most com-
but not all, responsibilities shift to the cloud service panies involve lack of software patching or miscon-
provider. The category of cloud service (IaaS, PaaS, figuration. Many organizations have been breached
or SaaS) affects exactly how these responsibilities are because they neglected to apply software patches to
shared. For IaaS, the provider typically supplies and newly identified security vulnerabilities when they
is responsible for securing basic IT resources such became available or waited too long to do so. (See
as machines, storage systems, and networks. The the discussion of patch management earlier in this
cloud services customer is typically responsible for chapter.) Companies have also experienced security
its operating system, applications, and corporate data breaches because they did not configure aspects
placed into the cloud computing environment. This of cloud security that were their responsibility.
means that most of the responsibility for securing Some users forget to set up AWS bucket password
the applications and the corporate data falls on the protection. (A bucket is a logical unit of storage in
customer. Amazon Web Services [AWS] Simple Storage Solution
S3 storage service. Buckets are used to store objects,
Cloud service customers should carefully review which consist of data and metadata that describes
their cloud services agreement with their cloud the data.) Others don’t understand basic security
provider to make sure their applications and data features in Amazon such as resource-based access
hosted in cloud services are secured in accordance policies (access control lists) or bucket permissions
with their security and compliance policies. But checks, unwittingly exposing data to the public
that’s not all. Although many organizations know Internet.
how to manage security for their own data center—
they’re unsure of exactly what they need to do Financial publisher Dow Jones & Co. confirmed
when they shift computing work to the cloud. They reports in July 2017 that it may have publicly
need new tool sets and skill sets to manage cloud exposed personal and financial information of
security from their end to configure and launch 2.2 m illion customers, including subscribers to
cloud instances, manage identity and access con- The Wall Street Journal and Barron’s. The leak was
trols, update security controls to match configu- traced back to a configuration error in a reposi-
ration changes, and protect workloads and data. tory in AWS S3 security. Dow Jones had intended
There’s a misconception among many IT depart- to provide semi-public access to select customers
ments that whatever happens in the cloud is not over the Internet. However, it wound up granting
their responsibility. It is essential to update security access to download the data via a URL to “authen-
requirements developed for enterprise data centers ticated users,” which included anyone who reg-
to produce requirements suitable for the use of istered (for free) for an AWS account. Accenture,
Verizon, Viacom, Tesla, and Uber Technologies are
Chapter 8 Securing Information Systems 325
other high-profile names in the steady stream of easily when an Amazon S3 bucket is open to the
companies that have exposed sensitive information public. Amazon also added default encryption to
via AWS S3 security misconfigurations. Such mis- all objects when they are stored in an AWS bucket
configurations were often performed by employ- and access control lists for cross-region replication.
ees who lacked security experience when security Another new tool called Zelkova examines AWS S3
configurations should have been handled by skilled security policies to help users identify which one
IT professionals. Stopping AWS bucket miscon- is more permissive than the others. Amazon Macie
figurations may also require enacting policies that is a managed service that uses machine learning
limit the damage caused by careless or untrained to detect personally identifiable information and
employees. intellectual property, and has been available for S3
since August 2017.
Although customers have their choice of secu-
rity configurations for the cloud, Amazon has been Sources: Kathleen Richards, “New Cloud Threats as Attackers
taking its own steps to prevent misconfigurations. Embrace the Power of the Cloud,” SearchCloudSecurity.com, April
In November 2017, the company updated its AWS 3, 2018; “AWS S3 Security Falls Short at High-profile Companies,”
dashboard, encasing public in bright orange on the SearchCloudSecurity.com, April 2018; “Making a Secure Transition to
AWS S3 console so that cloud customers could eas- the Public Cloud,” McKinsey & Company, January 2018; and “Security
ily see the status of access permissions to buckets for Cloud Computing: Ten Steps to Ensure Success,” Cloud Standards
and their objects. This helps everyone see more Customer Council, December 2017.
CASE STUDY QUESTIONS 3. What steps can organizations take to make their
cloud-based systems more secure?
1. What kinds of security problems does cloud com-
puting pose? How serious are they? Explain your 4. Should companies use the public cloud to run
answer. their mission-critical systems? Why or why not?
2. What management, organization, and technology
factors are responsible for cloud security prob-
lems? To what extent is cloud security a manage-
ment issue?
Cloud computing is highly distributed. Cloud applications reside in large
remote data centers and server farms that supply business services and
data management for multiple corporate clients. To save money and keep
costs low, cloud computing providers often distribute work to data centers
around the globe where work can be accomplished most efficiently. When
you use the cloud, you may not know precisely where your data are being
hosted.
Virtually all cloud providers use encryption to secure the data they handle
while the data are being transmitted. However, if the data are stored on devices
that also store other companies’ data, it’s important to ensure that these stored
data are encrypted as well. DDoS attacks are especially harmful because they
render cloud services unavailable to legitimate customers.
Companies expect their systems to be running 24/7. Cloud providers still
experience occasional outages, but their reliability has increased to the point
where a number of large companies are using cloud services for part of their
IT infrastructures. Most keep their critical systems in-house or in private
clouds.
Cloud users need to confirm that regardless of where their data are stored,
they are protected at a level that meets their corporate requirements. They
326 Part Two Information Technology Infrastructure
should stipulate that the cloud provider store and process data in specific ju-
risdictions according to the privacy rules of those jurisdictions. Cloud clients
should find how the cloud provider segregates their corporate data from those
of other companies and ask for proof that encryption mechanisms are sound.
It’s also important to know how the cloud provider will respond if a disaster
strikes, whether the provider will be able to restore your data completely, and
how long this should take. Cloud users should also ask whether cloud provid-
ers will submit to external audits and security certifications. These kinds of
controls can be written into the service level agreement (SLA) before signing
with a cloud provider. The Cloud Security Alliance (CSA) has created indus-
trywide standards for cloud security, specifying best practices to secure cloud
computing.
Securing Mobile Platforms
If mobile devices are performing many of the functions of computers, they
need to be secured like desktops and laptops against malware, theft, acci-
dental loss, unauthorized access, and hacking attempts. Mobile devices ac-
cessing corporate systems and data require special protection. Companies
should make sure that their corporate security policy includes mobile de-
vices, with additional details on how mobile devices should be supported,
protected, and used. They will need mobile device management tools to au-
thorize all devices in use; to maintain accurate inventory records on all mo-
bile devices, users, and applications; to control updates to applications; and
to lock down or erase lost or stolen devices so they can’t be compromised.
Data loss prevention technology can identify where critical data are saved,
who is accessing the data, how data are leaving the company, and where the
data are going. Firms should develop guidelines stipulating approved mobile
platforms and software applications as well as the required software and pro-
cedures for remote access of corporate systems. The organization’s mobile
security policy should forbid employees from using unsecured, consumer-
based applications for transferring and storing corporate documents and files
or sending such documents and files to oneself by email without encryption.
Companies should encrypt communication whenever possible. All mobile
device users should be required to use the password feature found in every
smartphone.
Ensuring Software Quality
In addition to implementing effective security and controls, organizations can
improve system quality and reliability by employing software metrics and rig-
orous software testing. Software metrics are objective assessments of the sys-
tem in the form of quantified measurements. Ongoing use of metrics allows the
information systems department and end users to measure the performance of
the system jointly and identify problems as they occur. Examples of software
metrics include the number of transactions that can be processed in a specified
unit of time, online response time, the number of payroll checks printed per
hour, and the number of known bugs per hundred lines of program code. For
metrics to be successful, they must be carefully designed, formal, objective,
and used consistently.
Early, regular, and thorough testing will contribute significantly to system
quality. Many view testing as a way to prove the correctness of work they have
done. In fact, we know that all sizable software is riddled with errors, and we
must test to uncover these errors.
Chapter 8 Securing Information Systems 327
Good testing begins before a software program is even written, by using a
walkthrough—a review of a specification or design document by a small group
of people carefully selected based on the skills needed for the particular ob-
jectives being tested. When developers start writing software programs, cod-
ing walkthroughs can also be used to review program code. However, code
must be tested by computer runs. When errors are discovered, the source is
found and eliminated through a process called debugging. You can find out
more about the various stages of testing required to put an information system
into operation in Chapter 12. Our Learning Tracks also contain descriptions of
methodologies for developing software programs that contribute to software
quality.
8-5 How will MIS help my career?
Here is how Chapter 8 and this book can help you find an entry-level job as an
identity access and management support specialist.
The Company
No. 1 Value Supermarkets, a major supermarket grocery store chain headquar-
tered in Plano, Texas, is looking to fill an entry-level position for an identity
access and management support specialist. The company has 59 retail loca-
tions in 23 Texas cities, more than 8,000 workers, and nearly a million weekly
shoppers.
Position Description
The identity access and management support specialist will be responsible
for monitoring the company’s identity management system to ensure that the
company is meeting its audit and compliance controls. This position reports to
the company’s security operations manager. Job responsibilities include:
• Performing data integrity testing of identity management system integrations
with business applications.
• Integrating Windows Active Directory files with the identity management
system.
• Maintaining information on system user roles and privileges.
Job Requirements
• Bachelor’s degree
• Proficiency with computers
• Ability to multitask and work independently
• Attention to detail
• Strong time management skills
• Ability to communicate with both technical and non-technical staff
Interview Questions
1. What do you know about authentication and identity management? Have
you ever worked with identity management or other IT security systems?
What did you do with this software?
328 Part Two Information Technology Infrastructure
2. Have you ever worked with Windows Active Directory? What exactly did you
do with this software?
3. What knowledge and experience do you have with ensuring data integrity?
4. Can you give an example of a situation where you had to multitask and man-
age your time and how you handled it?
5. Can you tell us about the computer experience you’ve had? What software
tools have you worked with?
Author Tips
1. Review the last two sections of this chapter, especially the discussions of
identity management and authentication. Also review the Chapter 6 discus-
sions of data integrity and data quality.
2. Use the web to find out more about identity management, data integrity
testing, leading identity management software tools, and Windows Active
Directory.
3. Use the web to find out more about the company, the kinds of systems it
uses, and who might be using those systems.
REVIEW SUMMARY
8-1 Why are information systems vulnerable to destruction, error, and abuse?
Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software fail-
ures. The Internet is designed to be an open system and makes internal corporate systems more
vulnerable to actions from outsiders. Hackers can unleash denial-of-service (DoS) attacks or pen-
etrate corporate networks, causing serious system disruptions. Wi-Fi networks can easily be pen-
etrated by intruders using sniffer programs to obtain an address to access the resources of the
network. Malware can disable systems and websites, with mobile devices a major target. The
dispersed nature of cloud computing makes it difficult to track unauthorized activity or to apply
controls from afar. Software presents problems because software bugs may be impossible to elimi-
nate and because software vulnerabilities can be exploited by hackers and malicious software. End
users often introduce errors.
8-2 What is the business value of security and control?
Lack of sound security and control can cause firms relying on computer systems for their core
business functions to lose sales and productivity. Information assets, such as confidential employee
records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or if
they expose the firm to legal liability. Laws, such as HIPAA, the Sarbanes-Oxley Act, and the Gramm-
Leach-Bliley Act, require companies to practice stringent electronic records management and adhere
to strict standards for security, privacy, and control. Legal actions requiring electronic evidence and
computer forensics also require firms to pay more attention to security and electronic records manage-
ment.
8-3 What are the components of an organizational framework for security and control?
Firms need to establish a good set of both general and application controls for their information sys-
tems. A risk assessment evaluates information assets, identifies control points and control weaknesses,
and determines the most cost-effective set of controls. Firms must also develop a coherent corporate
security policy and plans for continuing business operations in the event of disaster or disruption.
Chapter 8 Securing Information Systems 329
The security policy includes policies for acceptable use and identity management. Comprehensive and
systematic information systems auditing helps organizations determine the effectiveness of security and
controls for their information systems.
8-4 What are the most important tools and technologies for safeguarding information resources?
Firewalls prevent unauthorized users from accessing a private network when it is linked to the Internet.
Intrusion detection systems monitor private networks for suspicious network traffic and attempts to access
corporate systems. Passwords, tokens, smart cards, and biometric authentication are used to authenticate
system users. Anti-malware software checks computer systems for infections by viruses and worms and
often eliminates the malicious software. Encryption, the coding and scrambling of messages, is a widely
used technology for securing electronic transmissions over unprotected networks. Blockchain technology
enables companies to create and verify tamper-proof transactions on a network without a central authority.
Digital certificates combined with public key e ncryption provide further protection of electronic transac-
tions by authenticating a user’s identity. Companies can use fault-tolerant computer systems to make sure
that their information systems are always available. Use of software metrics and rigorous software testing
help improve software quality and reliability.
Key Terms Information systems audit, 315
Intrusion detection systems, 319
Acceptable use policy (AUP), 314 Keyloggers, 302
Anti-malware software, 320 Malware, 299
Application controls, 312 Managed security service providers (MSSPs), 323
Authentication, 317 Online transaction processing, 323
Biometric authentication, 317 Password, 317
Botnet, 303 Patches, 307
Bugs, 307 Pharming, 304
Business continuity planning, 315 Phishing, 304
Click fraud, 305 Public key encryption, 321
Computer crime, 303 Public key infrastructure (PKI), 322
Computer forensics, 311 Ransomware, 302
Computer virus, 299 Risk assessment, 313
Controls, 297 Sarbanes-Oxley Act, 310
Cybervandalism, 302 Secure Hypertext Transfer Protocol (S-HTTP), 321
Cyberwarfare, 306 Secure Sockets Layer (SSL), 320
Deep packet inspection (DPI), 323 Security, 297
Denial-of-service (DoS) attack, 303 Security policy, 314
Digital certificates, 321 Smart card, 317
Disaster recovery planning, 315 Sniffer, 302
Distributed denial-of-service (DDoS) attack, 303 Social engineering, 307
Downtime, 323 Spoofing, 302
Drive-by download, 301 Spyware, 302
Encryption, 320 SQL injection attack, 302
Evil twin, 304 Token, 317
Fault-tolerant computer systems, 323 Trojan horse, 301
Firewall, 318 Two-factor authentication, 318
General controls, 312 Unified threat management (UTM), 320
Gramm-Leach-Bliley Act, 310 War driving, 299
Hacker, 302 Worm, 300
HIPAA, 310 Zero-day vulnerabilities, 307
Identity management, 316
Identity theft, 303
MyLab MIS
To complete the problems with MyLab MIS, go to the EOC Discussion Questions in MyLab MIS.
330 Part Two Information Technology Infrastructure • Define application controls and describe
each type of application control.
Review Questions
• Describe the function of risk assessment
8-1 Why are information systems vulnerable to and explain how it is conducted for infor-
destruction, error, and abuse? mation systems.
• List and describe the most common threats • Define and describe the following: security
against contemporary information systems. policy, acceptable use policy, and identity
management.
• Define malware and distinguish among a
virus, a worm, and a Trojan horse. • Explain how information systems auditing
promotes security and control.
• Define a hacker and explain how hackers
create security problems and damage 8-4 What are the most important tools and
systems. technologies for safeguarding information
resources?
• Define computer crime. Provide two
e xamples of crime in which computers are • Name and describe three authentication
targets and two examples in which computers methods.
are used as instruments of crime.
• Describe the roles of firewalls, intrusion
• Define identity theft and phishing and detection systems, and anti-malware
e xplain why identity theft is such a big s oftware in promoting security.
problem today.
• Explain how encryption protects
• Describe the security and system reliability information.
problems employees create.
• Describe the role of encryption and
• Explain how software defects affect system digital certificates in a public key
reliability and security. infrastructure.
8-2 What is the business value of security and control? • Distinguish between disaster recov-
ery planning and business continuity
• Explain how security and control provide planning.
value for businesses.
• Identify and describe the security problems
• Describe the relationship between security cloud computing poses.
and control and recent U.S. government regu-
latory requirements and computer forensics. • Describe measures for improving software
quality and reliability.
8-3 What are the components of an organizational
framework for security and control?
• Define general controls and describe each
type of general control.
Discussion Questions 8-7 Suppose your business had an e-commerce
MyLab MIS website where it sold goods and accepted
8-5 Security isn’t simply a technology issue, it’s
MyLab MIS a business issue. Discuss. credit card payments. Discuss the major
8-6 If you were developing a business security threats to this website and their
MyLab MIS continuity plan for your company, where potential impact. What can be done to
minimize these threats?
would you start? What aspects of the
business would the plan address?
Hands-On MIS Projects
The projects in this section give you hands-on experience analyzing security vulnerabilities, using spreadsheet
software for risk analysis, and using web tools to research security outsourcing services. Visit MyLab MIS to access
this chapter’s Hands-On MIS Projects.
Chapter 8 Securing Information Systems 331
Management Decision Problems
8-8 Zynga is a leading online gaming company, offering web and mobile versions of games such as Farmville,
Zynga Poker, Hit it Rich!, and CSR Racing. Zynga’s games are available on a number of global platforms,
including Apple iOS, Google Android, Facebook, and Zynga.com, and have been played by over 1 billion
people. Prepare a security analysis for this Internet-based business. What kinds of threats should it
anticipate? What would be their impact on the business? What steps can it take to prevent damage to its
websites and continuing operations?’
8-9 A survey of your firm’s IT infrastructure has identified a number of security vulnerabilities. Review the
data about these vulnerabilities, which can be found in a table in MyLab MIS. Use the table to answer the
following questions:
• Calculate the total number of vulnerabilities for each platform. What is the potential impact on the or-
ganization of the security problems for each computing platform?
• If you only have one information systems specialist in charge of security, which platforms should you
address first in trying to eliminate these vulnerabilities? Second? Third? Last? Why?
• Identify the types of control problems these vulnerabilities illustrate and explain the measures that
should be taken to solve them.
• What does your firm risk by ignoring the security vulnerabilities identified?
Improving Decision Making: Using Spreadsheet Software to Perform a Security
Risk Assessment
Software skills: Spreadsheet formulas and charts
Business skills: Risk assessment
8-10 This project uses spreadsheet software to calculate anticipated annual losses from various security
threats identified for a small company.
Mercer Paints is a paint manufacturing company located in Alabama that uses a network to link its busi-
ness operations. A security risk assessment that management requested identified a number of potential expo-
sures. These exposures, their associated probabilities, and average losses are summarized in a table, which can
be found in MyLab MIS. Use the table to answer the following questions:
• In addition to the potential exposures listed, identify at least three other potential threats to Mercer
Paints, assign probabilities, and estimate a loss range.
• Use spreadsheet software and the risk assessment data to calculate the expected annual loss for each
exposure.
• Present your findings in the form of a chart. Which control points have the greatest vulnerability?
What recommendations would you make to Mercer Paints? Prepare a written report that summarizes
your findings and recommendations.
Improving Decision Making: Evaluating Security Outsourcing Services
Software skills: Web browser and presentation software
Business skills: Evaluating business outsourcing services
8-11 This project will help develop your Internet skills in using the web to research and evaluate security
outsourcing services.
You have been asked to help your company’s management decide whether to outsource security or keep
the security function within the firm. Search the web to find information to help you decide whether to out-
source security and to locate security outsourcing services.
• Present a brief summary of the arguments for and against outsourcing computer security for your
company.
• Select two firms that offer computer security outsourcing services and compare them and their
services.
332 Part Two Information Technology Infrastructure
• Prepare an electronic presentation for management, summarizing your findings. Your presentation
should make the case of whether your company should outsource computer security. If you believe
your company should outsource, the presentation should identify which security outsourcing service
you selected and justify your decision.
Collaboration and Teamwork Project
Evaluating Security Software Tools
8-12 With a group of three or four students, use the web to research and evaluate security products from two
competing vendors, such as for anti-malware software, firewalls, or antispyware software. For each prod-
uct, describe its capabilities, for what types of businesses it is best suited, and its cost to purchase and
install. Which is the best product? Why? If possible, use Google Docs and Google Drive or Google Sites to
brainstorm, organize, and develop a presentation of your findings for the class.
Chapter 8 Securing Information Systems 333
Is the Equifax Hack the Worst Ever—and Why?
CASE STUDY
Equifax (along with TransUnion and Experian) of all of Yahoo’s 3 billion customers. The Equifax
is one of the three main U.S. credit bureaus, breach was especially damaging because of the
which maintain vast repositories of personal amount of sensitive personal and financial data
and financial data used by lenders to determine stored by Equifax that was stolen, and the role such
credit-worthiness when consumers apply for a credit data play in securing consumers’ bank accounts,
card, mortgage, or other loans. The company handles medical histories, and access to financing. In one
data on more than 820 million consumers and more swoop the hackers gained access to several essential
than 91 million businesses worldwide and manages a pieces of personal information that could help attack-
database with employee information from more than ers commit fraud. According to Avivah Litan, a fraud
7,100 employers, according to its website. These data analyst at Gartner Inc., on a scale of risk to consum-
are provided by banks and other companies directly ers of 1 to 10, this is a 10.
to Equifax and the other credit bureaus. Consumers
have little choice over how credit bureaus collect and After taking Equifax public in 2005, CEO Smith
store their personal and financial data. transformed the company from a slow-growing
credit-reporting company (1–2 percent organic
Equifax has more data on you than just about any- growth per year) into a global data powerhouse.
one else. If any company needs airtight security for Equifax bought companies with databases housing
its information systems, it should be credit reporting information about consumers’ employment histories,
bureaus such as Equifax. Unfortunately this has not savings, and salaries, and expanded internationally.
been the case. The company bought and sold pieces of data that en-
abled lenders, landlords, and insurance companies to
On September 7, 2017 Equifax reported that from make decisions about granting credit, hiring job seek-
mid-May through July 2017 hackers had gained ers, and renting an apartment. Equifax was trans-
access to some of its systems and potentially the formed into a lucrative business housing $12 trillion
p ersonal information of about 143 million U.S. of consumer wealth data. In 2016, the company gen-
consumers, including Social Security numbers and erated $3.1 billion in revenue.
driver’s license numbers. Credit card numbers for
209,000 consumers and personal information used in Competitors privately observed that Equifax
disputes for 182,000 people were also compromised. did not upgrade its technological capabilities to
Equifax reported the breach to law enforcement and keep pace with its aggressive growth. Equifax ap-
also hired a cybersecurity firm to investigate. The peared to be more focused on growing data it could
size of the breach, importance, and quantity of per- commercialize.
sonal information compromised by this breach are
considered unprecedented. Hackers gained access to Equifax systems contain-
ing customer names, Social Security numbers, birth
Immediately after Equifax discovered the breach, dates, and addresses. These four pieces of data are
three top executives, including Chief Financial generally required for individuals to apply for vari-
Officer John Gamble, sold shares worth a combined ous types of consumer credit, including credit cards
$1.8 million, according to Securities and Exchange and personal loans. Criminals who have access to
Commission filings. A company spokesman claimed such data could use it to obtain approval for credit
the three executives had no knowledge that an using other people’s names. Credit specialist and for-
intrusion had occurred at the time they sold their mer Equifax manager John Ulzheimer calls this is a
shares on August 1 and August 2. Bloomberg re- “nightmare scenario” because all four critical pieces
ported that the share sales were not planned in of information for identity theft are in one place.
advance. On October 4, 2017 Equifax CEO Richard
Smith testified before Congress and apologized for The hack involved a known vulnerability in
the breach. Apache Struts, a type of open-source software
Equifax and other companies use to build websites.
The size of the Equifax data breach was second This software vulnerability had been publicly identi-
only to the Yahoo breach of 2013, which affected data fied in March 2017, and a patch to fix it was released
334 Part Two Information Technology Infrastructure
at that time. That means Equifax had the information databases to match up information such as driver li-
to eliminate this vulnerability two months before the cense or Social Security numbers needed to create a
breach occurred. It did nothing. complete data profile for identity theft.
Weaknesses in Equifax security systems were Equifax management stated that although the
evident well before the big hack. A hacker was able hack potentially accessed data on approximately 143
to access credit-report data between April 2013 and million U.S. consumers, it had found no evidence of
January 2014. The company discovered that it mis- unauthorized activity in the company’s core credit
takenly exposed consumer data as a result of a “tech- reporting databases. The hack triggered an uproar
nical error” that occurred during a 2015 software among consumers, financial organizations, privacy
change. Breaches in 2016 and 2017 compromised in- advocates, and the press. Equifax lost one-third of
formation on consumers’ W-2 forms that were stored its stock market value. Equifax CEO Smith resigned,
by Equifax units. Additionally, Equifax disclosed in with the CSO (chief security officer) and CIO depart-
February 2017 that a “technical issue” compromised ing the company as well. Banks will have to replace
credit information of some consumers who used approximately 209,000 credit cards that were stolen
identity-theft protection services from LifeLock. in the breach, a major expense. Lawsuits are in the
works.
Analyses earlier in 2017 performed by four com-
panies that rank the security status of companies Unfortunately the worst impact will be on con-
based on publicly available information showed that sumers themselves, because the theft of uniquely
Equifax was behind on basic maintenance of web- identifying personal information such as Social
sites that could have been involved in transmitting Security numbers, address history, debt history, and
sensitive consumer information. Cyberrisk analysis birth dates could have a permanent effect. These
firm Cyence rated the danger of a data breach at pieces of critical personal data could be floating
Equifax during the next 12 months at 50 percent. around the Dark Web for exploitation and identity
It also found the company performed poorly when theft for many years. Such information would help
compared with other financial-services companies. hackers answer the series of security questions
The other analyses gave Equifax a higher overall that are often required to access financial accounts.
ranking, but the company fared poorly in overall According to Pamela Dixon, executive director of
web-services security, application security, and soft- the World Privacy Forum, “This is about as bad as it
ware patching. gets.” If you have a credit report, there’s at least a 50
percent chance or more that your data were stolen in
A security analysis by Fair Isaac Corporation this breach.
(FICO), a data analytics company focusing on credit
scoring services, found that by July 14 public-facing The data breach exposed Equifax to legal and
websites run by Equifax had expired certificates, er- financial challenges, although the regulatory envi-
rors in the chain of certificates, or other web-security ronment is likely to become more lenient under the
issues. Certificates are used to validate that a user’s current presidential administration. It already is too
connection with a website is legitimate and secure. lenient. Credit reporting bureaus such as Equifax are
very lightly regulated. Given the scale of the data
The findings of the outside security analyses ap- compromised, the punishment for breaches is close
pear to conflict with public declarations by Equifax to nonexistent. There is no federally sanctioned
executives that cybersecurity was a top priority. insurance or audit system for data storage, the way
Senior executives had previously said cybersecurity the Federal Deposit Insurance Corporation provides
was one of the fastest-growing areas of expense for insurance for banks after losses. For many types of
the company. Equifax executives touted Equifax’s data, there are few licensing requirements for hous-
focus on security in an investor presentation that ing personally identifiable information. In many
took place weeks after the company had discovered cases, terms-of-service documents indemnify compa-
the attack. nies against legal consequences for breaches.
Equifax has not revealed specifics about the at- Experts said it was highly unlikely that any
tack, but either its databases were not encrypted or regulatory body would shut Equifax down over this
hackers were able to exploit an application vulnera- breach. The company is considered too critical to the
bility that provided access to data in an unencrypted American financial system. The two regulators that
state. Experts think—and hope—that the hackers do have jurisdiction over Equifax, the Federal Trade
were unable to access all of Equifax’s encrypted
Chapter 8 Securing Information Systems 335
Commission and the Consumer Financial Protection Harmful data breaches keep happening. In al-
Bureau, declined to comment on any potential pun- most all cases, even when the data concerns tens or
ishments over the credit agency’s breach. hundreds of millions of people, companies such as
Equifax and Yahoo that were hacked continue to op-
Even after one of the most serious data erate. There will be hacks—and afterward, there will
breaches in history, no one is really in a position be more. Companies need to be even more diligent
to stop Equifax from continuing to do business about incorporating security into every aspect of
as usual. And the scope of the problem is much their IT infrastructure and systems development ac-
wider. Public policy has no good way to heav- tivities. According to Litan, to prevent data breaches
ily punish companies that fail to safeguard our such as Equifax’s, organizations need many layers of
data. The United States and other countries have security controls. They need to assume that preven-
allowed the emergence of huge phenomenally tion methods are going to fail.
detailed databases full of personal information
available to financial companies, technology com- Sources: Selena Larson, “Equifax Says Hackers Stole More than
panies, medical organizations, advertisers, insur- Previously Reported,” CNN, March 1, 2018; AnnaMaria Andriotis
ers, retailers, and the government. and Michael Rapoport, “Equifax Upends CEO’s Drive to Be a Data
Powerhouse,” Wall Street Journal, September 22, 2017; AnnaMaria
Equifax has offered very weak remedies for con- Andriotis and Robert McMillan, “Equifax Security Showed Signs of
sumers. People can go to the Equifax website to see Trouble Months Before Hack,” Wall Street Journal, September 26,
if their information has been compromised. The 2017; AnnaMaria Andriotis and Ezequiel Minaya, “Equifax Reports
site asks customers to provide their last name and Data Breach Possibly Affecting 143 Million Consumers,” Wall Street
the last six digits of their Social Security number. Journal, September 7, 2017; Tara Siegel Bernard and Stacy Cowley,
However, even if they do that, they do not neces- “Equifax Hack Exposes Regulatory Gaps, Leaving Customers
sarily learn whether they were affected. Instead, Vulnerable,” New York Times, September 8, 2017; Farhad Manjoo,
the site provides an enrollment date for its protec- “Seriously, Equifax? This Is a Breach No One Should Get Away
tion service. Equifax offered a free year of credit With,” New York Times, September 8, 2017; Eileen Chang, “Why
protection service to consumers enrolling before Equifax Breach of 143 Million Consumers Should Freak You Out,”
November 2017. Obviously, all of these measures thestreet.com, September 8, 2017; Tara Siegel Bernard, Tiffany
won’t help much because stolen personal data will Hsu, Nicole Perlroth, and Ron Lieber, “Equifax Says Cyberattack
be available to hackers on the Dark Web for years May Have Affected 143 Million Customers,” New York Times,
to come. Governments involved in state-sponsored September 7, 2017; and Nicole Perlroth and Cade Metz, “What We
cyberwarfare are able to use the data to populate Know and Don’t Know About the Equifax Hack,” New York Times,
databases of detailed personal and medical informa- September 14, 2017.
tion that can be used for blackmail or future attacks.
Ironically, the credit-protection service that Equifax CASE STUDY QUESTIONS
is offering requires subscribers to waive their legal 8-13 Identify and describe the security and control
rights to seek compensation from Equifax for their
losses in order to use the service, while Equifax goes weaknesses discussed in this case.
unpunished. On March 1, 2018, Equifax announced 8-14 What management, organization, and technol-
that the breach had compromised an additional 2.4
million more Americans’ names and driver’s license ogy factors contributed to these problems?
numbers. 8-15 Discuss the impact of the Equifax hack.
8-16 How can future data breaches like this one be
prevented? Explain your answer.
MyLab MIS
Go to the Assignments section of MyLab MIS to complete these writing exercises.
8-17 Describe three spoofing tactics employed in identity theft by using information systems.
8-18 Describe four reasons mobile devices used in business are difficult to secure.
336 Part Two Information Technology Infrastructure Kaspersky Lab. “Mobile Malware Evolution 2017.” (2018).
McMillan, Robert. “Software Bug at Internet Service Provider
Chapter 8 References
Sparks Privacy Concerns.” Wall Street Journal (February 24,
Anderson, Chad, Richard L. Baskerville, and Mala Kaul. “Infor- 2017).
mation Security Control Theory: Achieving a Sustainable Menard, Philip, Gregory J. Bott, and Robert E. Crossler. “User Mo-
Reconciliation Between Sharing and Protecting the Privacy of tivations in Protecting Information Security: Protection Moti-
Information.” Journal of Management Information Systems 34 vation Theory Versus Self-Determination Theory.” Journal of
No. 4 (2017). Management Information Systems 34 No. 4 (2017).
Moody, Gregory D., Mikko Siponen, and Seppo Pahnila. “Toward
Bauer, Harald, Ondrej Burkacky, and Christian Knochenhauer. a Unified Model of Information Security Policy Compliance.”
“Security in the Internet of Things.” McKinsey and Company MIS Quarterly 42 No. 1 (March 2018).
(May 2017). Panda Security. “Cybersecurity Predictions 2018.” (2017).
Panko, Raymond R., and Julie L. Panko. Business Data Networks
Carson, Brant, Giulio Romanelli, Patricia Walsh, and Askhat Zhu- and Security, 11th ed. (Upper Saddle River, NJ: Pearson, 2019).
maev. “Blockchain Beyond the Hype: What Is the Strategic Ponemon Institute. “2017 Cost of Cybercrime Study and the Risk
Business Value?” McKinsey and Company (June 2018). of Business Innovation.” (2017a).
___________. “2017 Cost of Data Breach Study: Global Analysis.”
Cloud Standards Customer Council. “Security for Cloud (2017b).
C omputing: Ten Steps to Ensure Success, Version 3.0” Rothrock, Ray A., James Kaplan, and Friso Van der Oord. “The
( December 2017). Board’s Role in Managing Cybersecurity Risks.” MIT Sloan
Management Review (Winter 2018).
Esteves, Jose, Elisabete Ramalho, and Guillermo de Haro. “To Samtani, Sagar, Ryan Chinn, Hsinchun Chen, and Jay F. Nuna-
Improve Cybersecurity, Think Like a Hacker.” MIT Sloan maker. “Exploring Emerging Hacker Assets and Key Hackers
Management Review (Spring 2017). for Proactive Cyber Threat Intelligence.” Journal of Manage-
ment Information Systems 34 No. 4 (2017).
Goode, Sigi, Hartmut Hoehle, Viswanath Venkatesh, and Susan Symantec Corporation. “Internet Security Threat Report.” (2018).
A. Brown. “User Compensation as a Data Breach Recovery Tapscott, Don, and Alex Tapscott. “How Blockchain Will Change
Action: An Investigation of the Sony PlayStation Network Organizations.” MIT Sloan Management Review (Winter 2017).
Breach.” MIS Quarterly 41 No. 3 (September 2017). Verizon. “2018 Data Breach Investigations Report.” (2018).
Wang, Jingguo, Manish Gupta, and H. Raghav Rao.
Gwebu, Kholekile L., Jing Wang, and Li Wang. “The Role of Corpo- “Insider Threats in a Financial Institution: Analysis of
rate Reputation and Crisis Response Strategies in Data Breach Attack-Proneness of Information Systems Applications.” MIS
Management.” Journal of Management Information Systems 35 Quarterly 39, No. 1 (March 2015).
No. 2 (2018). Young, Carl S. “The Enemies of Data Security: Convenience and
Collaboration.” Harvard Business Review (February 11, 2015).
Hui, Kai-Lung, Seung Hyun Kim, and Qiu-Hong Wang. “Cyber-
crime Deterrence and International Legislation: Evidence
from Distributed Denial of Service Attacks.” MIS Quarterly 41,
No. 2 (June 2017).
Iansiti, Marco, and Karim R. Lakhani. “The Truth About Block-
chain.” Harvard Business Review (January–February 2017).
Javelin Strategy & Research. “2018 Identity Fraud Study.” (Febru-
ary 6, 2018).
Kaminski, Piotr, Chris Rezek, Wolf Richter, and Marc Sorel. “Protect-
ing Your Digital Assets.” McKinsey & Company (January 2017).
PART THREE
Key System Applications
for the Digital Age
CHAPTER 9 CHAPTER 11
Achieving Operational Excellence and Managing Knowledge and Artificial
Customer Intimacy: Enterprise Applications Intelligence
CHAPTER 10 CHAPTER 12
E-commerce: Digital Markets, Digital Enhancing Decision Making
Goods
PART THREE examines the core information system applications businesses are using today
to improve operational excellence and decision making. These applications include enterprise
systems; systems for supply chain management, customer relationship management, artificial
intelligence, and knowledge management; e-commerce applications; and business intelligence
systems. This part answers questions such as: How can enterprise applications improve busi-
ness performance? How do firms use e-commerce to extend the reach of their businesses?
How can systems improve decision making and help companies benefit from artificial intel-
ligence and knowledge management?
337
CHAPTER 9 Achieving Operational Excellence
and Customer Intimacy: Enterprise
Applications
LEARNING OBJECTIVES CHAPTER CASES
After reading this chapter, you will be able to Avon Beautifies Its Supply Chain
answer the following questions: Soma Bay Prospers with ERP in the Cloud
Kenya Airways Flies High with Customer
9-1 How do enterprise systems help
businesses achieve operational Relationship Management
excellence? Clemens Food Group Delivers with New
9-2 How do supply chain management Enterprise Applications
systems coordinate planning,
production, and logistics with VIDEO CASES
suppliers?
Life Time Fitness Gets in Shape with
9-3 How do customer relationship Salesforce CRM
management systems help firms
achieve customer intimacy? Instructional Video:
GSMS Protects Patients by Serializing Every
9-4 What are the challenges that
enterprise applications pose, and how Bottle of Drugs
are enterprise applications taking
advantage of new technologies?
9-5 How will MIS help my career?
MyLab MIS
Discussion Questions: 9-5, 9-6, 9-7; Hands-on MIS Projects: 9-8, 9-9, 9-10, 9-11;
Writing Assignments: 9-17, 9-18; eText with Conceptual Animations
338
Avon Beautifies Its Supply Chain
Avon Products Inc. is the oldest beauty company in the United States, © Casimiro PT/Shutterstock
and has been in business for over 130 years. It manufactures and sells
cosmetics, fragrances, toiletries, accessories, apparel, and various
decorative home furnishings. Avon is also the world’s leading direct seller of
beauty and related products, with 6 million independent door-to-door sales
representatives in 143 countries and over $8 billion in annual revenue. Avon
also sells through other channels, including the Internet, catalog, and physi-
cal outlets.
To survive in a highly competitive, fast-changing industry, motivate repre-
sentatives, and stimulate sales, Avon launches marketing campaigns with fresh
products and promotions every few weeks. To be successful, Avon must be able
to anticipate and react quickly to market trends and customer preferences. Avon
processes 50,000 orders each day and there is little margin for error. Avon’s
warehouses must stock the items customers want and deliver them quickly,
often to remote locations around the
globe.
Until recently, Avon’s global sup-
ply chain was not up to the task. Avon
had recently expanded operations in
Europe, the Middle East, and Africa,
but there was no central planning
function responsible for demand, in-
ventory, and supply planning across
the enterprise. Production planning
at Avon’s three factories in Germany,
the United Kingdom, and Poland was
highly manual, inflexible, and incapa-
ble of supporting Avon’s growth in new
markets.
To improve how the company
dealt with product availability and
inventory, Avon implemented
JDA Software’s Manufacturing and
Intelligent Fulfillment solutions to centralize planning for demand, inven-
tory, and supply across its entire global enterprise. The software helps Avon
achieve consistent forecast accuracy in an environment that includes chal-
lenges of shorter product lifecycles, seasonality, multiple sales channels,
frequent promotions, and continuously changing localized shopper prefer-
ences. JDA Intelligent Fulfillment helps companies make intelligent and
profitable distribution decisions. The software helps reduce inventory lev-
els and costs, improve customer service, and support more agile, profitable,
339
340 Part Three Key System Applications for the Digital Age
and responsive operations, meeting the needs of many different types of
Avon markets in a single implementation.
The JDA software collects supply chain data about inventory, future sales de-
mands, transport schedules, and sales history from Avon’s many markets. The
system uses these data along with JDA advanced planning parameters to create
a strategic distribution and manufacturing plan. The system also provides Avon
with a list of inventory imbalances, service risks, and shipping requirements.
Avon can now streamline order processing across borders and respond more
quickly to changes in customer demand.
JDA’s capabilities for advanced planning and distribution, coupled with
its flexibility, made it possible for Avon to meet the needs of many different
types of Avon markets with a single system. Avon implemented the JDA soft-
ware across 29 markets in Europe, Middle East, and Africa (EMEA) within four
months, delivering training across the EMEA region in eight languages. Since
Avon implemented the JDA supply chain solution, its cost of servicing cus-
tomers has been reduced, while its customer service rating has increased to
99.5 percent. Inventory levels have dropped by 17 percent in just six months,
providing immediate savings of $20 million. Avon now has complete visibility
into all aspects of its supply chain and will be able to enter new countries and
markets much more easily.
Sources: https://jda.com, accessed January 21, 2018; https://about.avon.com, accessed
January 20, 2018; and “Avon Supply Chain Makeover,” JDA Software Group, 2016.
Avon’s problems with planning, inventory, and supply in a global mul-
tichannel marketplace illustrate the critical role of supply chain man-
agement systems in business. Avon’s business performance was impeded
because it could not balance supply and constantly changing demand for
its products in many different markets around the world. Avon’s existing
systems were highly manual and lacked the flexibility to support Avon’s
growth in new markets. Products were not always available when customers
ordered them. Sometimes this left the company holding too much inventory
it couldn’t sell or not enough at the right time or place to fulfill customer
orders.
The chapter-opening diagram calls attention to important points raised by
this case and this chapter. Avon competes in the global beauty industry where
customer tastes change rapidly, demand is very volatile, and the company is
expected to come up quickly with enticing new products. The company’s sup-
ply chain is far-reaching and complex, servicing customers ordering items in
many different locations around the globe. Avon’s legacy systems were unable
to coordinate demand, inventory, and supply planning across its entire global
enterprise. Implementing JDA software tools for supply chain planning and
fulfillment has made it much easier for Avon’s management to access and ana-
lyze demand data for forecasting, inventory planning, and fulfillment, greatly
improving both decision making and operational efficiency across the global
enterprise.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 341
• Plan production Management Business
• Establish inventory Problem
• Volatile demand
requirements • Global operations
• Select new • Complex supply chain
• Manual processes
technology
• Revise supply Organization Information Business
chain processes System Solutions
• Deploy JDA Centralized Planning • Reduce costs
Manufacturing and & Distribution • Increase sales
Intelligent Fulfillment • Increase customer
• Forecast demand more
accurately satisfaction
Technology • Centralize planning
globally for demand,
inventory, and supply
• Create strategic distribution
& manufacturing plan
Here are some questions to think about: How is Avon’s business model
affected by having an inefficient supply chain? How did JDA software tools
improve the way Avon ran its business?
9-1 How do enterprise systems help businesses
achieve operational excellence?
Around the globe, companies are increasingly becoming more connected, both
internally and with other companies. If you run a business, you’ll want to be
able to react instantaneously when a customer places a large order or when a
shipment from a supplier is delayed. You may also want to know the impact of
these events on every part of the business and how the business is performing
at any point in time, especially if you’re running a large company. Enterprise
systems provide the integration to make this possible. Let’s look at how they
work and what they can do for the firm.
What are Enterprise Systems?
Imagine that you had to run a business based on information from tens or even
hundreds of databases and systems, none of which could speak to one another.
Imagine your company had 10 major product lines, each produced in separate
factories, and each with separate and incompatible sets of systems controlling
production, warehousing, and distribution.
At the very least, your decision making would often be based on manual
hard-copy reports, often out of date, and it would be difficult to understand
what is happening in the business as a whole. Sales personnel might not be
able to tell at the time they place an order whether the ordered items are in
inventory, and manufacturing could not easily use sales data to plan for new
production. You now have a good idea of why firms need a special enterprise
system to integrate information.
342 Part Three Key System Applications for the Digital Age
FIGURE 9.1 HOW ENTERPRISE SYSTEMS WORK
Enterprise systems feature a set of integrated software modules and a central database by
which business processes and functional areas throughout the enterprise can share data.
Finance & • Cash on hand
Accounting • Accounts receivable
• Customer credit
• Revenue
Sales & Centralized Human
Marketing Database Resources
• Orders • Hours worked
• Sales forecasts Manufacturing & • Labor cost
• Return requests Production • Job skills
• Price changes
• Materials
• Production schedules
• Shipment dates
• Production capacity
• Purchases
Chapter 2 introduced enterprise systems, also known as enterprise resource
planning (ERP) systems, which are based on a suite of integrated software mod-
ules and a common central database. The database collects data from many
divisions and departments in a firm and from a large number of key business
processes in manufacturing and production, finance and accounting, sales and
marketing, and human resources, making the data available for applications
that support nearly all an organization’s internal business activities. When new
information is entered by one process, the information is made immediately
available to other business processes (see Figure 9.1).
If a sales representative places an order for tire rims, for example, the sys-
tem verifies the customer’s credit limit, schedules the shipment, identifies the
best shipping route, and reserves the necessary items from inventory. If inven-
tory stock is insufficient to fill the order, the system schedules the manufacture
of more rims, ordering the needed materials and components from suppliers.
Sales and production forecasts are immediately updated. General ledger and
corporate cash levels are automatically updated with the revenue and cost in-
formation from the order. Users can tap into the system and find out where that
particular order is at any minute. Management can obtain information at any
point in time about how the business is operating. The system can also generate
enterprise-wide data for management analyses of product cost and profitability.
Enterprise Software
Enterprise software is built around thousands of predefined business pro-
cesses that reflect best practices. Table 9.1 describes some of the major business
processes that enterprise software supports.
Companies implementing this software first have to select the functions of the
system they wish to use and then map their business processes to the predefined
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 343
TABLE 9.1 BUSINESS PROCESSES SUPPORTED BY ENTERPRISE SYSTEMS
Financial and accounting processes, including general ledger, accounts payable, accounts receivable, fixed assets, cash
management and forecasting, product-cost accounting, cost-center accounting, asset accounting, tax accounting, credit
management, and financial reporting
Human resources processes, including personnel administration, time accounting, payroll, personnel planning and
development, benefits accounting, applicant tracking, time management, compensation, workforce planning, performance
management, and travel expense reporting
Manufacturing and production processes, including procurement, inventory management, purchasing, shipping,
production planning, production scheduling, material requirements planning, quality control, distribution, transportation
execution, and plant and equipment maintenance
Sales and marketing processes, including order processing, quotes, contracts, product configuration, pricing, billing,
credit checking, incentive and commission management, and sales planning
business processes in the software. (One of our Learning Tracks shows how SAP
enterprise software handles the procurement process for a new piece of equip-
ment.) Configuration tables provided by the software manufacturer enable the
firm to tailor a particular aspect of the system to the way it does business. For
example, the firm could use these tables to select whether it wants to track rev-
enue by product line, geographical unit, or distribution channel.
If the enterprise software does not support the way the organization does
business, companies can rewrite some of the software to support the way their
business processes work. However, enterprise software is unusually complex,
and extensive customization may degrade system performance, compromising
the information and process integration that are the main benefits of the sys-
tem. If companies want to reap the maximum benefits from enterprise soft-
ware, they must change the way they work to conform to the business pro-
cesses defined by the software.
To implement a new enterprise system, Tasty Baking Company identified
its existing business processes and then translated them into the business pro-
cesses built into the SAP ERP software it had selected. To ensure that it obtained
the maximum benefits from the enterprise software, Tasty Baking Company de-
liberately planned for customizing less than 5 percent of the system and made
very few changes to the SAP software itself. It used as many tools and features
that were already built into the SAP software as it could. SAP has more than
3,000 configuration tables for its enterprise software.
Leading enterprise software vendors include SAP, Oracle, IBM, Infor Global
Solutions, and Microsoft. Versions of enterprise software packages are designed
for small and medium-sized businesses and on-demand software services run-
ning in the cloud (see the chapter-opening case and Section 9-4).
Business Value of Enterprise Systems
Enterprise systems provide value by both increasing operational efficiency and
providing firmwide information to help managers make better decisions. Large
companies with many operating units in different locations have used enter-
prise systems to enforce standard practices and data so that everyone does busi-
ness the same way worldwide.
Coca-Cola, for instance, implemented a SAP enterprise system to standardize
and coordinate important business processes in 200 countries. Lack of stan-
dard, companywide business processes had prevented the company from using
its worldwide buying power to obtain lower prices for raw materials and from
reacting rapidly to market changes.
344 Part Three Key System Applications for the Digital Age
Enterprise systems help firms respond rapidly to customer requests for in-
formation or products. Because the system integrates order, manufacturing,
and delivery data, manufacturing is better informed about producing only what
customers have ordered, procuring exactly the right number of components or
raw materials to fill actual orders, staging production, and minimizing the time
that components or finished products are in inventory.
Alcoa, the world’s leading producer of aluminum and aluminum products
with operations spanning 31 countries and more than 200 locations, had ini-
tially been organized around lines of business, each of which had its own set of
information systems. Many of these systems were redundant and inefficient.
Alcoa’s costs for executing requisition-to-pay and financial processes were much
higher, and its cycle times were longer than those of other companies in its in-
dustry. (Cycle time refers to the total elapsed time from the beginning to the
end of a process.) The company could not operate as a single worldwide entity.
After implementing enterprise software from Oracle, Alcoa eliminated many
redundant processes and systems. The enterprise system helped Alcoa reduce
requisition-to-pay cycle time by verifying receipt of goods and automatically gen-
erating receipts for payment. Alcoa’s accounts payable transaction processing
dropped 89 percent. Alcoa was able to centralize financial and procurement activ-
ities, which helped the company reduce nearly 20 percent of its worldwide costs.
Enterprise systems provide much valuable information for improving
m anagement decision making. Corporate headquarters has access to up-to-
the-m inute data on sales, inventory, and production and uses this information
to create more accurate sales and production forecasts. Enterprise software
includes analytical tools to use data the system captures to evaluate overall
organizational performance. Enterprise system data have common standard-
ized definitions and formats that are accepted by the entire organization.
Performance figures mean the same thing across the company. Enterprise sys-
tems allow senior management to find out easily at any moment how a par-
ticular organizational unit is performing, determine which products are most
or least profitable, and calculate costs for the company as a whole. For example,
Alcoa’s enterprise system includes functionality for global human resources
management that shows correlations between investment in employee train-
ing and quality, measures the companywide costs of delivering services to
e mployees, and measures the effectiveness of employee recruitment, compen-
sation, and training. The Interactive Session on Management describes more of
these benefits in detail.
9-2 How do supply chain management
systems coordinate planning, production,
and logistics with suppliers?
If you manage a small firm that makes a few products or sells a few services,
chances are you will have a small number of suppliers. You could coordinate
your supplier orders and deliveries by using just a telephone and fax machine.
But if you manage a firm that produces more complex products and services,
you will have hundreds of suppliers, and each of your suppliers will have its
own set of suppliers. Suddenly, you will need to coordinate the activities of hun-
dreds or even thousands of other firms to produce your products and services.
Supply chain management (SCM) systems, which we introduced in Chapter 2,
are an answer to the problems of supply chain complexity and scale.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 345
INTERACTIVE SESSION MANAGEMENT
Soma Bay Prospers with ERP in the Cloud
Soma Bay is a 10-million-square-mile resort com- seamlessly combines data from the general ledger
munity on the Egyptian shore of the Red Sea. It has and other financial systems with data from opera-
many attractions that make it a first-class vacation tional systems.
paradise, including five hotels, a championship golf
course, water sport facilities, a world-class spa, and Soma Bay’s Enterprise One cloud platform makes
luxury vacation homes. Soma Bay Development it easy to create cash flow reports, project manage-
Company is headquartered in Hurghada, Egypt and ment reports, accounts receivable aging reports,
has more than 2,000 employees. facility management reports, and key performance
indicator reports throughout Soma Bay’s distributed
Unfortunately, political upheavals and economic organization. Company management also appreci-
conditions have taken a toll on occupancy rates and ates Oracle Cloud IaaS disaster recovery capabilities.
profitability. When President Hosni Mubarak was Several years ago, water from an upper floor flooded
overthrown during the Egyptian revolution of 2011, Soma Bay’s Cairo data center. The company was able
there was a sharp devaluation of Egyptian currency. to restore data and resume operations quickly be-
In the years that followed, political conditions stabi- cause it had backups stored in Oracle Cloud.
lized and the Egyptian economy recovered, but the
tourism industry lost U.S. $1.3 billion after the down- JD Edwards Enterprise One contains more than
ing of a commercial airliner over the Sinai Desert in 80 separate application modules designed to sup-
late 2015. Soma Bay Development Company’s hotel port a wide range of business processes. The soft-
occupancy rates plummeted from more than 50 per- ware suite also features mobile applications that
cent in 2015 to 25 percent in the first quarter of 2016. support both iOS and Android and can be used on
smartphones and tablets. Soma Bay uses the JD
Foreign exchange fluctuations and political up- Edwards Enterprise One modules for Financials,
heavals are forces beyond Soma Bay’s control, but Procurement, Inventory Management, Job Cost, Real
what the company’s management can do during Estate Management, Homebuilder Management,
downturns is react intelligently by closely monitor- Capital Asset Maintenance, Service Management,
ing operations and costs. This is possible thanks to and Time and Labor. JD Edwards Enterprise One
the company’s use of a JD Edwards Enterprise One Homebuilder Management helps Soma Bay coordi-
ERP system from Oracle with applications and data nate activities and analyze profitability throughout
residing in Oracle’s Cloud Infrastructure as a Service its home-building cycle down to the lot level. JD
(Oracle Cloud IaaS). Edwards Enterprise One Real Estate Management
streamlines financial, operational, and facilities man-
In the past, Soma Bay Development Company had agement processes for finished properties, coordinat-
tried to run much of the company using unwieldy ing tasks among teams and providing a comprehen-
Excel-based systems. Managers had to manually ma- sive management view of each unit. The Job Cost
nipulate spreadsheets to understand the basic drivers module shows ongoing costs for the real estate busi-
of profitability, and it often took too long to obtain ness, which helps management allocate expenses for
the information needed for sound decision making. materials, labor, and other needs and also track ex-
These systems made it difficult for Soma Bay to man- penses against the budgets and forecasts established
age its aggressive growth plans, which included con- at the outset of each facilities management project.
struction of 1000 new homes over a five-year period. Managers can identify projects with codes and merge
them with financial account numbers to determine
Mohammed Serry, Soma Bay Company’s CFO, and budget expenses versus actual expenses. They can
his team selected JD Edwards Enterprise One for a thereby verify if complex projects are on track and
solution because it could create standardized busi- share expense data among divisions.
ness processes across functional areas and provide
timely reports that explain the profitability of each The Enterprise One software creates currency-
business unit using a standard chart of accounts. neutral financial reports. This helps reconcile
The software can identify the profitability drivers revenue from Soma Bay’s tourism division (which
and growth drivers of a business. Enterprise One
346 Part Three Key System Applications for the Digital Age
caters to Germany and other parts of Europe) with One provided a solid understanding of costs and
its home sales division (which is aimed primarily at profitability, even though revenue came from differ-
Egyptians) to neutralize the effect of different cur- ent currencies and markets. It was able to show the
rencies on financial results. Home building accounts impact of falling occupancy rates on the business, ex-
for about 25 percent of corporate revenue. cluding foreign exchange effect, to help management
measure overall performance by legal entity. This
Having a dual revenue stream mitigates risks. If knowledge helped Soma Bay weather the downturn
the tourism business is slow, Soma Bay still has rev- and implement an aggressive turnaround plan.
enue from the real estate business, and vice versa.
The ERP system provides the data required to closely Today, 95 percent of Soma Bay staff members
track costs. For example, in 2017 Soma Bay spent use the Enterprise One software in some capacity.
100 million Egyptian pounds (equivalent to approxi- The company has a more stable operating model.
mately U.S. $5.7 million) on new construction. The Occupancy rates at its five hotels are rising. Soma
Enterprise One system provided the information Bay Development Company is building 500 vaca-
about cash management and cash flow for sustain- tion homes in six seaside communities. According
ing this level of expansion. Soma Bay can carefully to Cherif Samir, Financial Controller for Soma Bay,
monitor cash flow and payments to contractors. being able to track every penny the company spends
on a project has revolutionized the business.
During the 2016 downturn, Soma Bay used the
Enterprise One cost management and profitability Sources: www.searchoracle.com, accessed January 30, 2018; David
capabilities to provide detailed financial data that Baum, “Destination: Cloud,” Profit Magazine, Fall 2017; and www.
helped managers carefully control fixed operating somabay.com, accessed January 31, 2018.
expenses, helping to minimize losses. Enterprise
CASE STUDY QUESTIONS 3. What were the business benefits of Soma Bay’s
new enterprise system? How did it change deci-
1. Identify and describe the problem discussed in sion making and the way the company operated?
this case. What management, organization, and
technology factors contributed to the problem?
2. Why was an ERP system required for a solution?
How did having a cloud-based ERP system con-
tribute to the solution?
The Supply Chain
A firm’s supply chain is a network of organizations and business processes for
procuring raw materials, transforming these materials into intermediate and
finished products, and distributing the finished products to customers. It links
suppliers, manufacturing plants, distribution centers, retail outlets, and custom-
ers to supply goods and services from source through consumption. Materials,
information, and payments flow through the supply chain in both directions.
Goods start out as raw materials and, as they move through the supply chain,
are transformed into intermediate products (also referred to as components or
parts) and, finally, into finished products. The finished products are shipped to
distribution centers and from there to retailers and customers. Returned items
flow in the reverse direction from the buyer back to the seller.
Let’s look at the supply chain for Nike sneakers as an example. Nike designs,
markets, and sells sneakers, socks, athletic clothing, and accessories through-
out the world. Its primary suppliers are contract manufacturers with factories
in China, Thailand, Indonesia, Brazil, and other countries. These companies
fashion Nike’s finished products.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 347
FIGURE 9.2 NIKE’S SUPPLY CHAIN
This figure illustrates the major entities in Nike’s supply chain and the flow of information upstream and
downstream to coordinate the activities involved in buying, making, and moving a product. Shown here is a
simplified supply chain, with the upstream portion focusing only on the suppliers for sneakers and sneaker soles.
Upstream
Contract Capacity, inventory level, delivery schedule, payment terms
Supplier
Nike Distributor Retailer Customer
Contract Orders, return requests, repair and service requests, payments
Supplier Downstream
Tier 3 Tier 2 Tier 1
Suppliers Suppliers Suppliers
Nike’s contract suppliers do not manufacture sneakers from scratch. They
obtain components for the sneakers—the laces, eyelets, uppers, and soles—
from other suppliers and then assemble them into finished sneakers. These
suppliers in turn have their own suppliers. For example, the suppliers of soles
have suppliers for synthetic rubber, suppliers for chemicals used to melt the
rubber for molding, and suppliers for the molds into which to pour the rubber.
Suppliers of laces have suppliers for their thread, for dyes, and for the plastic
lace tips.
Figure 9.2 provides a simplified illustration of Nike’s supply chain for sneak-
ers; it shows the flow of information and materials among suppliers, Nike,
Nike’s distributors, retailers, and customers. Nike’s contract manufacturers
are its primary suppliers. The suppliers of soles, eyelets, uppers, and laces are
the secondary (Tier 2) suppliers. Suppliers to these suppliers are the tertiary
(Tier 3) suppliers.
The upstream portion of the supply chain includes the company’s suppli-
ers, the suppliers’ suppliers, and the processes for managing relationships with
them. The downstream portion consists of the organizations and processes for
distributing and delivering products to the final customers. Companies that
manufacture, such as Nike’s contract suppliers of sneakers, also manage their
own internal supply chain processes for transforming materials, components,
and services their suppliers furnish into finished products or intermediate
products (components or parts) for their customers and for managing materials
and inventory.
The supply chain illustrated in Figure 9.2 has been simplified. It only shows
two contract manufacturers for sneakers and only the upstream supply chain
for sneaker soles. Nike has hundreds of contract manufacturers turning out fin-
ished sneakers, socks, and athletic clothing, each with its own set of suppliers.
348 Part Three Key System Applications for the Digital Age
The upstream portion of Nike’s supply chain actually comprises thousands
of entities. Nike also has numerous distributors and many thousands of retail
stores where its shoes are sold, so the downstream portion of its supply chain is
also large and complex.
Information Systems and Supply Chain Management
Inefficiencies in the supply chain, such as parts shortages, underused plant
capacity, excessive finished goods inventory, or high transportation costs,
are caused by inaccurate or untimely information. For example, manufactur-
ers may keep too many parts in inventory because they do not know exactly
when they will receive their next shipments from their suppliers. Suppliers
may order too few raw materials because they do not have precise information
on demand. These supply chain inefficiencies waste as much as 25 percent of a
company’s operating costs.
If a manufacturer had perfect information about exactly how many units of
product customers wanted, when they wanted them, and when they could be
produced, it would be possible to implement a highly efficient just-in-time
strategy. Components would arrive exactly at the moment they were needed,
and finished goods would be shipped as they left the assembly line.
In a supply chain, however, uncertainties arise because many events can-
not be foreseen—uncertain product demand, late shipments from suppliers,
defective parts or raw materials, or production process breakdowns. To satisfy
customers, manufacturers often deal with such uncertainties and unforeseen
events by keeping more material or products in inventory than they think they
may actually need. The safety stock acts as a buffer for the lack of flexibility in
the supply chain. Although excess inventory is expensive, low fill rates are also
costly because business may be lost from canceled orders.
One recurring problem in supply chain management is the bullwhip effect,
in which information about the demand for a product gets distorted as it passes
from one entity to the next across the supply chain. A slight rise in demand for
an item might cause different members in the supply chain—distributors, man-
ufacturers, suppliers, secondary suppliers (suppliers’ suppliers), and tertiary
suppliers (suppliers’ suppliers’ suppliers)—to stockpile inventory so each has
enough just in case. These changes ripple throughout the supply chain, mag-
nifying what started out as a small change from planned orders and creating
excess inventory, production, warehousing, and shipping costs (see Figure 9.3).
For example, Procter & Gamble (P&G) found it had excessively high inven-
tories of its Pampers disposable diapers at various points along its supply chain
because of such distorted information. Although customer purchases in stores
were fairly stable, orders from distributors spiked when P&G offered aggressive
price promotions. Pampers and Pampers’ components accumulated in ware-
houses along the supply chain to meet demand that did not actually exist. To
eliminate this problem, P&G revised its marketing, sales, and supply chain pro-
cesses and used more accurate demand forecasting.
The bullwhip effect is tamed by reducing uncertainties about demand and supply
when all members of the supply chain have accurate and up-to-date information.
If all supply chain members share dynamic information about inventory levels,
schedules, forecasts, and shipments, they have more precise knowledge about
how to adjust their sourcing, manufacturing, and distribution plans. Supply chain
management systems provide the kind of information that helps members of the
supply chain make better purchasing and scheduling decisions.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 349
FIGURE 9.3 THE BULLWHIP EFFECT
Inaccurate information can cause minor fluctuations in demand for a product to be amplified as one moves further
back in the supply chain. Minor fluctuations in retail sales for a product can create excess inventory for distributors,
manufacturers, and suppliers.
Upstream
Manufacturer Distributor Retailer Customer
Downstream
Tier 3 Tier 2 Tier 1
Suppliers Suppliers Suppliers
Supply Chain Management Software
Supply chain software is classified as either software to help businesses plan
their supply chains (supply chain planning) or software to help them execute
the supply chain steps (supply chain execution). Supply chain planning
systems enable the firm to model its existing supply chain, generate demand
forecasts for products, and develop optimal sourcing and manufacturing plans.
Such systems help companies make better decisions, such as determining how
much of a specific product to manufacture in a given time period; establishing
inventory levels for raw materials, intermediate products, and finished goods;
determining where to store finished goods; and identifying the transportation
mode to use for product delivery.
For example, if a large customer places a larger order than usual or changes
that order on short notice, it can have a widespread impact throughout the
supply chain. Additional raw materials or a different mix of raw materials may
need to be ordered from suppliers. Manufacturing may have to change job
scheduling. A transportation carrier may have to reschedule deliveries. Supply
chain planning software makes the necessary adjustments to production and
350 Part Three Key System Applications for the Digital Age
distribution plans. Information about changes is shared among the relevant
supply chain members so that their work can be coordinated. One of the
most important—and complex—supply chain planning functions is demand
planning, which determines how much product a business needs to make to
satisfy all its customers’ demands. JDA Software, SAP, and Oracle all offer sup-
ply chain management solutions.
Supply chain execution systems manage the flow of products through dis-
tribution centers and warehouses to ensure that products are delivered to the
right locations in the most efficient manner. They track the physical status of
goods, the management of materials, warehouse and transportation operations,
and financial information involving all parties. An example is the Warehouse
Management System (WMS) that Haworth Incorporated uses. Haworth is a
world-leading manufacturer and designer of office furniture, with distribution
centers in four states. The WMS tracks and controls the flow of finished goods
from Haworth’s distribution centers to its customers. Acting on shipping plans
for customer orders, the WMS directs the movement of goods based on immedi-
ate conditions for space, equipment, inventory, and personnel.
Global Supply Chains and the Internet
Before the Internet, supply chain coordination was hampered by the difficulties
of making information flow smoothly among disparate internal supply chain
systems for purchasing, materials management, manufacturing, and distribu-
tion. It was also difficult to share information with external supply chain part-
ners because the systems of suppliers, distributors, or logistics providers were
based on incompatible technology platforms and standards. Enterprise and
supply chain management systems enhanced with Internet technology supply
some of this integration.
A manager uses a web interface to tap into suppliers’ systems to determine
whether inventory and production capabilities match demand for the firm’s
products. Business partners use web-based supply chain management tools to
collaborate online on forecasts. Sales representatives access suppliers’ produc-
tion schedules and logistics information to monitor customers’ order status.
Global Supply Chain Issues
More and more companies are entering international markets, outsourcing
manufacturing operations, and obtaining supplies from other countries as well
as selling abroad. Their supply chains extend across multiple countries and
regions. There are additional complexities and challenges to managing a global
supply chain.
Global supply chains typically span greater geographic distances and time
differences than domestic supply chains and have participants from a number
of countries. Performance standards may vary from region to region or from
nation to nation. Supply chain management may need to reflect foreign govern-
ment regulations and cultural differences.
The Internet helps companies manage many aspects of their global supply
chains, including sourcing, transportation, communications, and international
finance. Today’s apparel industry, for example, relies heavily on outsourcing to
contract manufacturers in China and other low-wage countries. Apparel com-
panies are starting to use the web to manage their global supply chain and pro-
duction issues. (Review the discussion of Li & Fung in Chapter 3.)
In addition to contract manufacturing, globalization has encouraged out-
sourcing warehouse management, transportation management, and related
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 351
operations to third-party logistics providers, such as UPS Supply Chain Solutions
and Schneider National. These logistics services offer web-based software to
give their customers a better view of their global supply chains. Customers can
check a secure website to monitor inventory and shipments, helping them run
their global supply chains more efficiently.
Demand-Driven Supply Chains: From Push to Pull
Manufacturing and Efficient Customer Response
In addition to reducing costs, supply chain management systems facilitate ef-
ficient customer response, enabling the workings of the business to be driven
more by customer demand. (We introduced efficient customer response sys-
tems in Chapter 3.)
Earlier supply chain management systems were driven by a push-based
model (also known as build-to-stock). In a push-based model, production mas-
ter schedules are based on forecasts or best guesses of demand for products, and
products are pushed to customers. With new flows of information made possible
by web-based tools, supply chain management more easily follows a pull-based
model. In a pull-based model, also known as a demand-driven or build-to-order
model, actual customer orders or purchases trigger events in the supply chain.
Transactions to produce and deliver only what customers have ordered move up
the supply chain from retailers to distributors to manufacturers and eventually
to suppliers. Only products to fulfill these orders move back down the supply
chain to the retailer. Manufacturers use only actual order demand information
to drive their production schedules and the procurement of components or raw
materials, as illustrated in Figure 9.4. Walmart’s continuous replenishment sys-
tem described in Chapter 3 is an example of the pull-based model.
The Internet and Internet technology make it possible to move from sequen-
tial supply chains, where information and materials flow sequentially from
company to company, to concurrent supply chains, where information flows
in many directions simultaneously among members of a supply chain network.
Complex supply networks of manufacturers, logistics suppliers, outsourced
manufacturers, retailers, and distributors can adjust immediately to changes in
schedules or orders. Ultimately, the Internet will enable a digital logistics ner-
vous system for supply chains (see Figure 9.5).
FIGURE 9.4 PUSH- VERSUS PULL-BASED SUPPLY CHAIN MODELS
The difference between push- and pull-based models is summarized by the slogan
“Make what we sell, not sell what we make.”
Push-Based Model
Supplier Manufacturer Distributor Retailer Customer
Supply to Stock based Purchase what
forecast Production based Inventory based on forecasts is on shelves
on forecasts on forecasts
Pull-Based Model
Supplier Manufacturer Distributor Retailer Customer
Supply to Produce to Automatically Automatically Customer
order replenish stock
order replenish orders
warehouse
352 Part Three Key System Applications for the Digital Age
FIGURE 9.5 THE EMERGING INTERNET-DRIVEN SUPPLY CHAIN
The emerging Internet-driven supply chain operates like a digital logistics nervous
s ystem. It provides multidirectional communication among firms, networks of firms, and
e -marketplaces so that entire networks of supply chain partners can immediately adjust
inventories, orders, and capacities.
Distributors
Manufacturers Retailers
Suppliers Logistics Customers
Providers Logistics
Private Exchanges
Industrial Virtual
Networks Manufacturers
Net
Marketplaces
Contract
Manufacturers
Business Value of Supply Chain Management Systems
You have just seen how supply chain management systems enable firms to
streamline both their internal and external supply chain processes and provide
management with more accurate information about what to produce, store, and
move. By implementing a networked and integrated supply chain management
system, companies match supply to demand, reduce inventory levels, improve
delivery service, speed product time to market, and use assets more effectively.
Total supply chain costs represent the majority of operating expenses for
many businesses and in some industries approach 75 percent of the total operat-
ing budget. Reducing supply chain costs has a major impact on firm profitability.
In addition to reducing costs, supply chain management systems help in-
crease sales. If a product is not available when a customer wants it, customers
often try to purchase it from someone else. More precise control of the supply
chain enhances the firm’s ability to have the right product available for cus-
tomer purchases at the right time.
9-3 How do customer relationship management
systems help firms achieve customer intimacy?
You’ve probably heard phrases such as “the customer is always right” or “the cus-
tomer comes first.” Today these words ring truer than ever. Because competitive
advantage based on an innovative new product or service is often very short lived,
companies are realizing that their most enduring competitive strength may be
their relationships with their customers. Some say that the basis of competition
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 353
has switched from who sells the most products and services to who “owns” the
customer and that customer relationships represent a firm’s most valuable asset.
What Is Customer Relationship Management?
What kinds of information would you need to build and nurture strong, long-
lasting relationships with customers? You’d want to know exactly who your cus-
tomers are, how to contact them, whether they are costly to service and sell
to, what kinds of products and services they are interested in, and how much
money they spend on your company. If you could, you’d want to make sure
you knew each of your customers well, as if you were running a small-town
store. And you’d want to make your good customers feel special.
In a small business operating in a neighborhood, it is possible for business
owners and managers to know their customers well on a personal, face-to-face
basis, but in a large business operating on a metropolitan, regional, national, or
even global basis, it is impossible to know your customer in this intimate way.
In these kinds of businesses, there are too many customers and too many ways
that customers interact with the firm (over the web, the phone, email, blogs,
and in person). It becomes especially difficult to integrate information from all
these sources and deal with the large number of customers.
A large business’s processes for sales, service, and marketing tend to be highly
compartmentalized, and these departments do not share much essential customer
information. Some information on a specific customer might be stored and orga-
nized in terms of that person’s account with the company. Other pieces of informa-
tion about the same customer might be organized by products that were purchased.
In this traditional business environment, there is no convenient way to consolidate
all this information to provide a unified view of a customer across the company.
This is where customer relationship management systems help. Customer
relationship management (CRM) systems, which we introduced in Chapter 2,
capture and integrate customer data from all over the organization, consolidate
the data, analyze the data, and then distribute the results to various systems
and customer touch points across the enterprise. A touch point (also known
as a contact point) is a method of interaction with the customer, such as tele-
phone, email, customer service desk, conventional mail, Facebook, Twitter,
website, wireless device, or retail store. Well-designed CRM systems provide a
single enterprise view of customers that is useful for improving both sales and
customer service (see Figure 9.6.)
Good CRM systems provide data and analytical tools for answering questions
such as these: What is the value of a particular customer to the firm over his or
her lifetime? Who are our most loyal customers? Who are our most profitable
customers? What do these profitable customers want to buy? Firms use the an-
swers to these questions to acquire new customers, provide better service and
support to existing customers, customize their offerings more precisely to cus-
tomer preferences, and provide ongoing value to retain profitable customers.
Customer Relationship Management Software
Commercial CRM software packages range from niche tools that perform limited
functions, such as personalizing websites for specific customers, to large-scale
enterprise applications that capture myriad interactions with customers, ana-
lyze them with sophisticated reporting tools, and link to other major e nterprise
applications, such as supply chain management and enterprise systems. The
more comprehensive CRM packages contain modules for partner r elationship
m anagement (PRM) and employee relationship management (ERM).
354 Part Three Key System Applications for the Digital Age
FIGURE 9.6 CUSTOMER RELATIONSHIP MANAGEMENT (CRM)
CRM systems examine customers from a multifaceted perspective. These systems use a
set of integrated applications to address all aspects of the customer relationship, includ-
ing customer service, sales, and marketing.
Sales
• Telephone sales
• Web sales
• Retail store sales
• Field sales
Marketing Customer Service
• Campaign data • Call center data
• Content
• Data analysis • Web self-service
data
• Wireless data
• Field service
data
• Social
networking
data
PRM uses many of the same data, tools, and systems as customer relation-
ship management to enhance collaboration between a company and its selling
partners. If a company does not sell directly to customers but rather works
through distributors or retailers, PRM helps these channels sell to customers
directly. It provides a company and its selling partners with the ability to trade
information and distribute leads and data about customers, integrating lead
generation, pricing, promotions, order configurations, and availability. It also
provides a firm with tools to assess its partners’ performances so it can make
sure its best partners receive the support they need to close more business.
ERM software deals with employee issues that are closely related to CRM,
such as setting objectives, employee performance management, performance-
based compensation, and employee training. Major CRM application software
vendors include Oracle, SAP, Salesforce.com, and Microsoft Dynamics CRM.
Customer relationship management systems typically provide software and
online tools for sales, customer service, and marketing. We briefly describe
some of these capabilities.
Sales Force Automation
Sales force automation (SFA) modules in CRM systems help sales staff increase
productivity by focusing sales efforts on the most profitable customers, those who
are good candidates for sales and services. SFA modules provide sales prospect
and contact information, product information, product configuration capabilities,
and sales quote generation capabilities. Such software can assemble information
about a particular customer’s past purchases to help the salesperson make per-
sonalized recommendations. SFA modules enable sales, marketing, and shipping
departments to share customer and prospect information easily. SFA increases
each salesperson’s efficiency by reducing the cost per sale as well as the cost of
acquiring new customers and retaining old ones. SFA modules also provide capa-
bilities for sales forecasting, territory management, and team selling.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 355
Customer Service
Customer service modules in CRM systems provide information and tools to
increase the efficiency of call centers, help desks, and customer support staff.
They have capabilities for assigning and managing customer service requests.
One such capability is an appointment or advice telephone line. When a cus-
tomer calls a standard phone number, the system routes the call to the correct
service person, who inputs information about that customer into the system only
once. When the customer’s data are in the system, any service representative can
handle the customer relationship. Improved access to consistent and accurate
customer information helps call centers handle more calls per day and decrease
the duration of each call. Thus, call centers and customer service groups achieve
greater productivity, reduced transaction time, and higher quality of service at
lower cost. The customer is happier because he or she spends less time on the
phone restating his or her problem to customer service representatives.
CRM systems may also include web-based self-service capabilities: The com-
pany website can be set up to provide inquiring customers personalized support
information as well as the option to contact customer service staff by phone for
additional assistance.
Marketing
CRM systems support direct-marketing campaigns by providing capabilities for
capturing prospect and customer data, for providing product and service infor-
mation, for qualifying leads for targeted marketing, and for scheduling and track-
ing direct-marketing mailings or email (see Figure 9.7). Marketing modules also
include tools for analyzing marketing and customer data, identifying profitable
and unprofitable customers, designing products and services to satisfy specific
customer needs and interests, and identifying opportunities for cross-selling.
Cross-selling is the marketing of complementary products to customers.
(For example, in financial services, a customer with a checking account might
be sold a money market account or a home improvement loan.) CRM tools also
FIGURE 9.7 HOW CRM SYSTEMS SUPPORT MARKETING
Customer relationship management software provides a single point for users to
m anage and evaluate marketing campaigns across multiple channels, including email,
direct mail, telephone, the web, and social media.
Responses by Channel for January 2019
Promotional Campaign
Social Media
6.7%
Email Direct Mail
17.3% 29.2%
Web
16.0%
Telephone
30.8%
356 Part Three Key System Applications for the Digital Age
FIGURE 9.8 CRM SOFTWARE CAPABILITIES
The major CRM software products support business processes in sales, service, and
marketing, integrating customer information from many sources. Included is support for
both the operational and analytical aspects of CRM.
Sales Customer Data Service
Account Marketing Service
Management Delivery
Lead Campaign Customer Satisfaction
Management Management Management
Order Channel Promotions Returns
Management Management Management
Sales Events Service
Planning Management Planning
Field Market Call Center
Sales Planning & Help Desk
Sales Marketing Service
Analytics Operations Analytics
Marketing
Analytics
help firms manage and execute marketing campaigns at all stages, from plan-
ning to determining the rate of success for each campaign.
Figure 9.8 illustrates the most important capabilities for sales, service, and
marketing processes found in major CRM software products. Like enterprise soft-
ware, this software is business-process driven, incorporating hundreds of business
processes thought to represent best practices in each of these areas. To achieve
maximum benefit, companies need to revise and model their business processes
to conform to the best-practice business processes in the CRM software.
Figure 9.9 illustrates how a best practice for increasing customer loyalty
through customer service might be modeled by CRM software. Directly servic-
ing customers provides firms with opportunities to increase customer reten-
tion by singling out profitable long-term customers for preferential treatment.
CRM software can assign each customer a score based on that person’s value
and loyalty to the company and provide that information to help call centers
route each customer’s service request to agents who can best handle that cus-
tomer’s needs. The system would automatically provide the service agent with
a detailed profile of that customer that includes his or her score for value and
loyalty. The service agent would use this information to present special offers
or additional services to the customer to encourage the customer to keep trans-
acting business with the company. You will find more information on other
best-practice business processes in CRM systems in our Learning Tracks.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 357
FIGURE 9.9 CUSTOMER LOYALTY MANAGEMENT PROCESS MAP
This process map shows how a best practice for promoting customer loyalty through customer service would
be modeled by customer relationship management software. The CRM software helps firms identify high-value
c ustomers for preferential treatment.
Receive Obtain Customer Yes High value Yes
service customer information Score and loyalty? Provide special
request information available? customer
o ers and service
No No
Route to
Customer best agent Resolve
database service issue
Operational and Analytical CRM
All of the applications we have just described support either the operational or
analytical aspects of customer relationship management. Operational CRM
includes customer-facing applications, such as tools for sales force automa-
tion, call center and customer service support, and marketing automation.
Analytical CRM includes applications that analyze customer data generated
by operational CRM applications to provide information for improving business
performance.
Analytical CRM applications are based on data from operational CRM sys-
tems, customer touch points, and other sources that have been organized in
data warehouses or analytic platforms for use in online analytical process-
ing (OLAP), data mining, and other data analysis techniques (see Chapter 6).
Customer data collected by the organization might be combined with data from
other sources, such as customer lists for direct-marketing campaigns purchased
from other companies or demographic data. Such data are analyzed to identify
buying patterns, to create segments for targeted marketing, and to pinpoint
profitable and unprofitable customers (see Figure 9.10).
Another important output of analytical CRM is the customer’s lifetime value
to the firm. Customer lifetime value (CLTV) is based on the relationship be-
tween the revenue produced by a specific customer, the expenses incurred in
acquiring and servicing that customer, and the expected life of the relationship
between the customer and the company.
Business Value of Customer Relationship
Management Systems
Companies with effective customer relationship management systems realize
many benefits, including increased customer satisfaction, reduced direct-
marketing costs, more effective marketing, and lower costs for customer acqui-
sition and retention. Information from CRM systems increases sales revenue
358 Part Three Key System Applications for the Digital Age
FIGURE 9.10 ANALYTICAL CRM
Analytical CRM uses a customer data warehouse or analytic platform and tools to
a nalyze customer data collected from the firm’s customer touch points and from other
sources.
Channels Customer data • Profitable customers
• Call center warehouse • Market segments
• Website or • Customer profiles
• Wireless • Churn rates
• Field sales analytic platform
• Direct mail
• Email • OLAP
• Retail store • Data mining
• Partner • Other data
• Social media
analysis tools
Other sources
• Legacy systems
• Demographic data
• Third-party data
• Marketing campaign
data
Customer data
by identifying the most profitable customers and segments for focused market-
ing and cross-selling (see the Interactive Session on Organizations).
Customer churn is reduced as sales, service, and marketing respond better to
customer needs. The churn rate measures the number of customers who stop
using or purchasing products or services from a company. It is an important
indicator of the growth or decline of a firm’s customer base.
9-4 What are the challenges that enterprise
applications pose, and how are enterprise
applications taking advantage of new technologies?
Many firms have implemented enterprise systems and systems for supply
chain and customer relationship management because they are such powerful
instruments for achieving operational excellence and enhancing decision
making. But precisely because they are so powerful in changing the way the or-
ganization works, they are challenging to implement. Let’s briefly examine some
of these challenges as well as new ways of obtaining value from these systems.
Enterprise Application Challenges
Promises of dramatic reductions in inventory costs, order-to-delivery time,
more efficient customer response, and higher product and customer profitabil-
ity make enterprise systems and systems for SCM and CRM very alluring. But
to obtain this value, you must clearly understand how your business has to
change to use these systems effectively.
Enterprise applications involve complex pieces of software that are very ex-
pensive to purchase and implement. It might take a large Fortune 500 company
several years to complete a large-scale implementation of an enterprise system
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 359
INTERACTIVE SESSION ORGANIZATIONS
Kenya Airways Flies High with Customer Relationship Management
Kenya Airways is the flag carrier of Kenya and firms’ marketing data, centrally orchestrate cross-
ranks among the top ten African airlines in terms of channel customer interactions, engage the right audi-
seat capacity, with a fleet of 33 aircraft covering 53 ence, and analyze performance. It includes tools for
destinations domestically and abroad. It is the only managing marketing automation campaigns, provid-
African airline in the SkyTeam alliance, whose 20 ing cross-channel customer experiences, creating and
members include Delta Airlines, Air France, Alitalia, managing engaging content, “listening” to customer
Aeromexico, China Airlines, and Korean Air, and is conversations about a product, brand or service, and
expected to live up to a very high global standard. engaging with messaging (social marketing).
One area of the business that needed improve- A few weeks after implementing Oracle Marketing
ment was the airline’s relationship to its customers. Cloud, the airline ran its first automated marketing
Africa’s current population of 1 billion is expected campaign, which directed emails, SMS texts, and so-
to reach 1.5 billion within a decade, with a rapidly cial media posts about special holiday season fares to
growing middle class in many countries. Until re- Kenyan emigrants in Dubai. Kenya Airways then cre-
cently, Kenya Airways was unable to fully capitalize ated campaigns to promote new and expanded routes
on this market opportunity because it didn’t know to Hanoi and Zanzibar. As time went on, the airline’s
enough about its customers. Although the airline had marketing team became more skillful at tracking
added more planes, passenger numbers had been revenue flows generated by those campaigns and
decreasing, partly due to the fear of Ebola virus out- identifying new sources of data to target the cam-
breaks, regional terrorism, and increased competi- paigns more effectively. Kenya Airways Marketing
tion from Persian Gulf carriers. Profitability suffered. Automation Lead, Harriet Luyai, reported in early
2015 that “reachable contacts” rose from 40 percent
The airline didn’t know who clicked on its email to 89 percent, open rates on marketing emails rose
campaigns. It was advertising mostly on billboards, in from 40 percent to 65 percent, and the airline’s “ac-
newspapers, and on flyers, with no way to measure quisition rate”—the percentage of respondents who
the effectiveness of those campaigns. Management opt in to its campaigns—was up to 20 percent. The
could not tell what its sales representatives in differ- airline can measure the impact of marketing cam-
ent offices were doing. Data on customers were lo- paigns on ticket sales. Campaigns that previously
cated in many different repositories, such as spread- took three days to execute using an agency now take
sheets and files in company and partner travel agent 30 minutes and are much less expensive.
offices, reservation systems, and airport check-ins,
and the data were not integrated. Without a single After implementing Oracle Marketing Cloud,
repository for customer data, Kenya Airways was Kenya Airways started using Oracle Sales Cloud to au-
unable to identify the preferences, special needs, or tomate its sales activities and Oracle RightNow Cloud
other personal characteristics of its “guests,” who in- Service for its customer service activities, linking all
cluded commercial traders, business executives, gov- three clouds in one central data repository. Marketing,
ernment officials, students, missionaries, and medical sales, and service could now integrate their customer
tourists. Marketing, sales, and customer service ac- data and coordinate business processes. The airline
tivities were operating in the dark. For example, each pulled together information on age, income, educa-
May the airline would send every customer in its tion level, job function, job level, revenue generated
scattered data repositories a Mother’s Day greeting, for the airline, geography, status, preferences, interest
although many of the recipients were not mothers. areas, service calls, email activity, form submissions,
and purchase history to help it create very detailed
In 2014 Kenya Airways initiated a multiyear pro- customer profiles for personalizing offerings.
gram to automate and integrate all of its customer
data so that it could engage in effective customer To help the Kenya Airways marketing team drive
relationship management using Oracle’s Marketing, additional revenue by converting leads to ticket sales,
Sales, Data, and Service Clouds. Oracle Marketing increasing website traffic, and increasing social fol-
Cloud provides a cloud-based platform to connect lowers, the airline implemented Oracle Social Cloud.
360 Part Three Key System Applications for the Digital Age
This tool helps the Kenya Airways customer service originally estimated—more than a year instead of
team follow social media posts and discussions about six months. The required data, which resided in
the airline’s services and respond to questions and many different applications, needed to be cleansed
problems within 30 minutes. It also helps agents pri- to make sure they were all in the right format
oritize their follow-up posts and manage workflows before they could be transferred to the new data
for the appropriate approvals and for troubleshooting. repository. Much of this work was manual. Airline
staff had to be trained in new ways of working
Although Kenya Airways had a customer loyalty with digital CRM tools because so much of its work
program, it had previously been unable to identify had previously been manual. Kenya Airways man-
high-value customers. Now Kenya Airways can agement feels the airline has been richly rewarded
track all its high-value customers and show how for this effort.
much revenue each customer generates. It can
also segment customers across the customer life Sources: “Company View of Kenya Airways PLC,” www.b loomberg.
cycle, making it possible to distinguish a new cus- com, accessed January 31, 2018; Rob Preston, “First-Class Flight,”
tomer from a longtime high-value customer. Kenya Profit Magazine, August 2016; www.kenya-airways.com, accessed
Airways now has a 360-degree view of each of its January 31, 2018; “Kenya Airways Turns to McKinsey for Turn-
customers. around Strategy,” Consultancy.uk, February 8, 2016; and Tilde
Herrera, “Kenya Airways Fuels with Data to Lift Marketing,”
It took much more time to implement the October 29, 2015.
Oracle Cloud suite than Kenya Airways had
CASE STUDY QUESTIONS
1. What was the problem at Kenya Airways described 3. Describe Kenya Airway’s solution to its problem.
in this case? What management, organization, and What management, organization, and technology
technology factors contributed to this problem? issues had to be addressed by the solution?
2. What was the relationship of customer relation- 4. How effective was this solution? How did it affect
ship management to Kenya Airways’ business per- the way Kenya Airways ran its business and its
formance and business strategy? business performance?
or a system for SCM or CRM. According to a 2018 survey of 237 ERP users con-
ducted by Panorama Consulting Solutions, ERP projects took an average of 17.4
months to complete, and 44 percent of the projects delivered 50 percent or less
of the expected benefits. Approximately 64 percent of these projects experi-
enced cost overruns, and 79 percent exceeded their initial timelines (Panorama
Consulting Solutions, 2018). Changes in project scope and additional customiza-
tion work add to implementation delays and costs.
Enterprise applications require not only deep-seated technological changes
but also fundamental changes in the way the business operates. Companies
must make sweeping changes to their business processes to work with the
software. Employees must accept new job functions and responsibilities. They
must learn how to perform a new set of work activities and understand how the
information they enter into the system can affect other parts of the company.
This requires new organizational learning and should also be factored into ERP
implementation costs.
SCM systems require multiple organizations to share information and busi-
ness processes. Each participant in the system may have to change some of its
processes and the way it uses information to create a system that best serves
the supply chain as a whole.
Some firms experienced enormous operating problems and losses when
they first implemented enterprise applications because they didn’t understand
how much organizational change was required. For example, Kmart had trouble
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 361
getting products to store shelves when it first implemented i2 Technologies
(now JDA Software) SCM software. The i2 software did not work well with Kmart’s
promotion-driven business model, which created sharp spikes in demand for prod-
ucts. Supermarket giant Woolworth’s Australia encountered data-related problems
when it transitioned from an antiquated home-grown ERP system to SAP. Weekly
profit-and-loss reports tailored for individual stores couldn’t be generated for nearly
18 months. The company had to change its data collection procedures, but failed
to understand its own processes or properly document these business processes.
Enterprise applications also introduce switching costs. When you adopt an
enterprise application from a single vendor, such as SAP, Oracle, or others, it is
very costly to switch vendors, and your firm becomes dependent on the vendor
to upgrade its product and maintain your installation.
Enterprise applications are based on organization-wide definitions of data.
You’ll need to understand exactly how your business uses its data and how the
data would be organized in a CRM, SCM, or ERP system. CRM systems typically
require some data cleansing work.
Enterprise software vendors are addressing these problems by offering pared-
down versions of their software and fast-start programs for small and medium-
sized businesses and best-practice guidelines for larger companies. Companies
are also achieving more flexibility by using cloud applications for functions not
addressed by the basic enterprise software so that they are not constrained by a
single do-it-all type of system.
Companies adopting enterprise applications can also save time and money
by keeping customizations to a minimum. For example, Kennametal, a
$2 b illion metal-cutting tools company in Pennsylvania, had spent $10 million
over 13 years maintaining an ERP system with more than 6,400 customiza-
tions. The company replaced it with a plain-vanilla, uncustomized version of
SAP enterprise software and changed its business processes to conform to the
software. Office Depot avoided customization when it moved from in-house
s ystems to the Oracle ERP Cloud. The retailer is using best practices embedded
in Oracle’s Supply Chain Management Cloud and in its cloud-based Human
Capital Management (HCM) and Enterprise Performance Management (EPM)
systems. By not customizing its Oracle ERP applications, Office Depot simpli-
fied its information systems and reduced the cost of maintaining and managing
them (Thibodeau, 2018).
Next-Generation Enterprise Applications
Today, enterprise application vendors are delivering more value by becoming
more flexible, user-friendly, web-enabled, mobile, and capable of integration with
other systems. Stand-alone enterprise systems, customer relationship manage-
ment systems, and SCM systems are becoming a thing of the past. The major
enterprise software vendors have created what they call enterprise solutions, enter-
prise suites, or e-business suites to make their CRM, SCM, and ERP systems work
closely with each other and link to systems of customers and suppliers.
Next-generation enterprise applications also include cloud solutions as well
as more functionality available on mobile platforms. Large enterprise software
vendors such as SAP, Oracle, Microsoft, and Epicor now feature cloud ver-
sions of their flagship ERP systems and also cloud-based products for small
and medium-sized businesses (as described earlier in the Interactive Session on
Management). SAP, for example, offers SAP S/4HANA Cloud for large compa-
nies, and SAP Business ByDesign and SAP Business One enterprise software for
medium-sized and small businesses. Microsoft offers the Dynamics 365 cloud
362 Part Three Key System Applications for the Digital Age
version of its ERP and CRM software. Cloud-based enterprise systems are also
offered by smaller vendors such as NetSuite.
The undisputed global market leader in cloud-based CRM systems is
Salesforce.com, which we described in Chapter 5. Salesforce.com delivers its ser-
vice through Internet-connected computers or mobile devices, and it is widely
used by small, medium-sized, and large enterprises. As cloud-based products
mature, more companies, including very large Fortune 500 firms, are choosing to
run all or part of their enterprise applications in the cloud.
Social CRM
CRM software vendors are enhancing their products to take advantage of social
networking technologies. These social enhancements help firms identify new
ideas more rapidly, improve team productivity, and deepen interactions with
customers (see Chapter 10). Using social CRM tools, businesses can better en-
gage with their customers by, for example, analyzing their sentiments about
their products and services.
Social CRM tools enable a business to connect customer conversations and re-
lationships from social networking sites to CRM processes. The leading CRM ven-
dors now offer such tools to link data from social networks to their CRM software.
SAP, Salesforce.com, and Oracle CRM products now feature technology to monitor,
track, and analyze social media activity on Facebook, LinkedIn, Twitter, YouTube,
and other sites. Business intelligence and analytics software vendors such as SAS
also have capabilities for social media analytics (with several measures of customer
engagement across a variety of social networks) along with campaign management
tools for testing and optimizing both social and traditional web-based campaigns.
Salesforce.com connected its system for tracking leads in the sales process
with social-listening and social-media marketing tools, enabling users to tailor
their social-marketing dollars to core customers and observe the resulting com-
ments. If an ad agency wants to run a targeted Facebook or Twitter ad, these
capabilities make it possible to aim the ad specifically at people in the client’s
lead pipeline who are already being tracked in the CRM system. Users will be
able to view tweets as they take place in real time and perhaps uncover new
leads. They can also manage multiple campaigns and compare them all to fig-
ure out which ones generate the highest click-through rates and cost per click.
Business Intelligence in Enterprise Applications
Enterprise application vendors have added business intelligence features to
help managers obtain more meaningful information from the massive amounts
of data these systems generate, including data from the Internet of Things
(IoT). SAP now makes it possible for its enterprise applications to use HANA
in-memory computing technology so that they are capable of much more rapid
and complex data analysis. Included are tools for flexible reporting; ad hoc
analysis; interactive dashboards; what-if scenario analysis; data visualization;
and machine learning to analyze very large bodies of data, make connections,
make predictions, and provide recommendations for operations optimization.
For example, SAP created a machine learning and neural network application
(see Chapter 11) that recognizes patterns associated with machine performance
in the oil and gas industry. The software automatically generates notifications
of potential machine failures and sends them to SAP Plant Maintenance, which
planners use to schedule machine repair and replacement (Franken, 2018).
The major enterprise application vendors offer portions of their prod-
ucts that work on mobile handhelds. You can find out more about this topic
in our Learning Track on Wireless Applications for Customer Relationship
Management, Supply Chain Management, and Healthcare.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 363
9-5 How will MIS help my career?
Here is how Chapter 9 and this book can help you find a job as a manufacturing
management trainee.
The Company
XYZ Global Industrial Components is a large Michigan-headquartered company
with 40 global manufacturing facilities and more than 4,000 employees world-
wide, and it has an open position for a new college graduate in its Manufacturing
Management Program. The company produces fastener, engineered, and link-
age and suspension components for automotive, heavy-duty trucks, aerospace,
electric utility, telecommunications, and other industries worldwide.
Position Description
The Manufacturing Management Program is a rotational, two-year program de-
signed to nurture and train future managers by enabling recent college gradu-
ates to acquire critical skills and industry experience in plant, technical, and
corporate environments. Job responsibilities include:
• Working with business units and project teams on systems implementation,
including implementation of ERP and JDA manufacturing systems.
• Understanding business processes and data requirements for each business
unit.
• Proficiency in supporting and conducting business requirement analysis
sessions.
• Tracking and documenting changes to functional and business specifications.
• Writing user documentation, instructions, and procedures.
• Monitoring and documenting post-implementation problems and revision
requests.
Job Requirements
• Bachelor’s degree in IT, MIS, engineering, or related field or equivalent, with
a GPA higher than 3.0
• Demonstrated skills in Microsoft Office Suite
• Strong written and verbal communication skills
• Proven track record of accomplishments both inside and outside the
educational setting
• Experience in a leadership role in a team
Interview Questions
• Describe the projects you have worked on in a team. Did you play a leader-
ship role? Exactly what did you do to help your team achieve its goal? Were
any of these projects IT projects?
• What do you know about ERP or JDA manufacturing systems? Have you ever
worked with them? What exactly did you do with these systems?
• Tell us what you can do with Microsoft Office software. Which tools have you
used? Do you have any Access and Excel skills? What kinds of problems have
you used these tools to solve? Did you take courses in Access or Excel?
364 Part Three Key System Applications for the Digital Age
Author Tips
1. Do some research on the company, its industry, and the kinds of challenges
it faces. Look through the company’s LinkedIn page and read their posts over
the past twelve months. Are there any key trends in the LinkedIn posts for
this company?
2. Review this text’s Chapter 9 on enterprise applications, Chapter 13 on develop-
ing systems, and Chapter 14 on IT project management and implementation.
3. View YouTube videos created by major IT consulting firms that discuss the
latest trends in manufacturing technology and enterprise systems.
4. Inquire how you would be using Microsoft Office tools for the job and what
Excel and Access skills you would be expected to demonstrate. Bring ex-
amples of the work you have done with this software. Show that you would
be eager to learn what you don’t know about these tools to fulfill your job
assignments.
5. Bring examples of your writing (including some from your Digital Portfolio
described in MyLab MIS) demonstrating your analytical skills and project
experience.
REVIEW SUMMARY
9-1 How do enterprise systems help businesses achieve operational excellence?
Enterprise software is based on a suite of integrated software modules and a common central data-
base. The database collects data from and feeds the data into numerous applications that can support
nearly all of an organization’s internal business activities. When one process enters new information,
the information is made available immediately to other business processes.
Enterprise systems support organizational centralization by enforcing uniform data standards and
business processes throughout the company and a single unified technology platform. The firmwide
data that enterprise systems generate help managers evaluate organizational performance.
9-2 How do supply chain management systems coordinate planning, production, and logistics with
suppliers?
Supply chain management (SCM) systems automate the flow of information among members of the
supply chain so they can use it to make better decisions about when and how much to purchase, pro-
duce, or ship. More accurate information from supply chain management systems reduces uncertainty
and the impact of the bullwhip effect.
Supply chain management software includes software for supply chain planning and for supply
chain execution. Internet technology facilitates the management of global supply chains by providing
the connectivity for organizations in different countries to share supply chain information. Improved
communication among supply chain members also facilitates efficient customer response and move-
ment toward a demand-driven model.
9-3 How do customer relationship management systems help firms achieve customer intimacy?
Customer relationship management (CRM) systems integrate and automate customer-facing pro-
cesses in sales, marketing, and customer service, providing an enterprise-wide view of customers.
Companies can use this customer knowledge when they interact with customers to provide them with
better service or sell new products and services. These systems also identify profitable or unprofitable
customers or opportunities to reduce the churn rate.
The major customer relationship management software packages provide capabilities for both oper-
ational CRM and analytical CRM. They often include modules for managing relationships with selling
partners (partner relationship management) and for employee relationship management.
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 365
9-4 What are the challenges that enterprise applications pose, and how are enterprise applications taking
advantage of new technologies?
Enterprise applications are difficult to implement. They require extensive organizational change, large
new software investments, and careful assessment of how these systems will enhance organizational per-
formance. Enterprise applications cannot provide value if they are implemented atop flawed processes or
if firms do not know how to use these systems to measure performance improvements. Employees require
training to prepare for new procedures and roles. Attention to data management is essential.
Enterprise applications are now more flexible, web-enabled, and capable of integration with other systems,
using web services and service-oriented architecture (SOA). They also can run in cloud infrastructures or on
mobile platforms. CRM software has added social networking capabilities to enhance internal collaboration,
deepen interactions with customers, and use data from social networking sites. Enterprise applications are
incorporating business intelligence capabilities for analyzing the large quantities of data they generate.
Key Terms Partner relationship management (PRM), 353
Pull-based model, 351
Analytical CRM, 357 Push-based model, 351
Bullwhip effect, 348 Sales force automation (SFA), 354
Churn rate, 358 Social CRM, 362
Cross-selling, 355 Supply chain, 346
Customer lifetime value (CLTV), 357 Supply chain execution systems, 350
Demand planning, 350 Supply chain planning systems, 349
Employee relationship management (ERM), 353 Touch point, 353
Enterprise software, 342
Just-in-time strategy, 348
Operational CRM, 357
MyLab MIS
To complete the problems with MyLab MIS, go to the EOC Discussion Questions in MyLab MIS.
Review Questions • Distinguish between a push-based and a
pull-based model of supply chain manage-
9-1 How do enterprise systems help businesses ment and explain how contemporary sup-
achieve operational excellence? ply chain management systems facilitate a
pull-based model.
• Define an enterprise system and explain
how enterprise software works. 9-3 How do customer relationship management
systems help firms achieve customer intimacy?
• Describe how enterprise systems provide
value for a business. • Define customer relationship management
and explain why customer relationships are
9-2 How do supply chain management systems so important today.
coordinate planning, production, and logistics
with suppliers? • Describe how partner relationship manage-
ment (PRM) and employee relationship
• Define a supply chain and identify each of management (ERM) are related to customer
its components. relationship management (CRM).
• Explain how supply chain management sys- • Describe the tools and capabilities of cus-
tems help reduce the bullwhip effect and tomer relationship management software
how they provide value for a business. for sales, marketing, and customer service.
• Define and compare supply chain plan- • Distinguish between operational and ana-
ning systems and supply chain execution lytical CRM.
systems.
• Describe the challenges of global supply
chains and how Internet technology can
help companies manage them better.
366 Part Three Key System Applications for the Digital Age • Describe how enterprise applications are
taking advantage of cloud computing and
9-4 What are the challenges that enterprise business intelligence.
applications pose, and how are enterprise
applications taking advantage of new • Define social CRM and explain how cus-
technologies? tomer relationship management systems
• List and describe the challenges enterprise are using social networking.
applications pose.
• Explain how these challenges can be
addressed.
Discussion Questions its homework. Discuss the implications of
this statement.
9-5 Supply chain management is less about
MyLab MIS managing the physical movement of goods 9-7 Which enterprise application should a
MyLab MIS business install first: ERP, SCM, or CRM?
and more about managing information.
Discuss the implications of this statement. Explain your answer.
9-6 If a company wants to implement an
MyLab MIS enterprise application, it had better do
Hands-On MIS Projects
The projects in this section give you hands-on experience analyzing business process integration, suggesting sup-
ply chain management and customer relationship management applications, using database software to manage
customer service requests, and evaluating supply chain management business services. Visit MyLab MIS to ac-
cess this chapter’s Hands-On MIS Projects,
Management Decision Problems
9-8 Toronto-based Mercedes-Benz Canada, with a network of 55 dealers, did not know enough about its
customers. Dealers provided customer data to the company on an ad hoc basis. Mercedes did not force
dealers to report this information. There was no real incentive for dealers to share information with the
company. How could CRM and PRM systems help solve this problem?
9-9 Office Depot sells a wide range of office supply products and services in the United States and
internationally. The company tries to offer a wider range of office supplies at lower cost than other retailers
by using just-in-time replenishment and tight inventory control systems. It uses information from a demand
forecasting system and point-of-sale data to replenish its inventory in its 1,600 retail stores. Explain how
these systems help Office Depot minimize costs and any other benefits they provide. Identify and describe
other supply chain management applications that would be especially helpful to Office Depot.
Improving Decision Making: Using Database Software to Manage Customer Service
Requests
Software skills: Database design; querying and reporting
Business skills: Customer service analysis
9-10 In this exercise, you’ll use database software to develop an application that tracks customer service
requests and analyzes customer data to identify customers meriting priority treatment.
Prime Service is a large service company that provides maintenance and repair services for close to 1,200
commercial businesses in New York, New Jersey, and Connecticut. Its customers include businesses of all sizes.
Customers with service needs call into its customer service department with requests for repairing heating ducts,
broken windows, leaky roofs, broken water pipes, and other problems. The company assigns each request a num-
ber and writes down the service request number, the identification number of the customer account, the date of
the request, the type of equipment requiring repair, and a brief description of the problem. The service requests
Chapter 9 Achieving Operational Excellence and Customer Intimacy: Enterprise Applications 367
are handled on a first-come-first-served basis. After the service work has been completed, Prime calculates the
cost of the work, enters the price on the service request form, and bills the client. This arrangement treats the
most important and profitable clients—those with accounts of more than $70,000—no differently from its clients
with small accounts. Management would like to find a way to provide its best customers with better service. It
would also like to know which types of service problems occur most frequently so that it can make sure it has
adequate resources to address them.
Prime Service has a small database with client account information, which can be found in MyLab MIS.
Use database software to design a solution that would enable Prime’s customer service representatives to identify
the most important customers so that they could receive priority service. Your solution will require more than
one table. Populate your database with at least 10 service requests. Create several reports that would be of inter-
est to management, such as a list of the highest—and lowest—priority accounts and a report showing the most
frequently occurring service problems. Create a report listing service calls that customer service representatives
should respond to first on a specific date.
Achieving Operational Excellence: Evaluating Supply Chain Management Services
Software skills: Web browser and presentation software
Business skills: Evaluating supply chain management services
9-11 In addition to carrying goods from one place to another, some trucking companies provide supply chain
management services and help their customers manage their information. In this project, you’ll use the
web to research and evaluate two of these business services. Investigate the websites of two companies,
UPS and Schneider National, to see how these companies’ services can be used for supply chain
management. Then respond to the following questions:
• What supply chain processes can each of these companies support for its clients?
• How can customers use the websites of each company to help them with supply chain management?
• Compare the supply chain management services these companies provide. Which company would
you select to help your firm manage its supply chain? Why?
Collaboration and Teamwork Project
Analyzing Enterprise Application Vendors
9-12 With a group of three or four other students, use the web to research and evaluate the products of two vendors
of enterprise application software. You could compare, for example, the SAP and Oracle enterprise systems,
the supply chain management systems from JDA Software and SAP, or the customer relationship management
systems of Oracle and Salesforce.com. Use what you have learned from these companies’ websites to compare
the software products you have selected in terms of business functions supported, technology platforms, cost,
and ease of use. Which vendor would you select? Why? Would you select the same vendor for a small business
(50–300 employees) as well as for a large one? If possible, use Google Docs and Google Drive or Google Sites to
brainstorm, organize, and develop a presentation of your findings for the class.
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
Management Information Systems - Managing the Digital Firm 16th Edition 2020
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
Management Information Systems - Managing the Digital Firm 16th Edition 2020
- 1 - 50
- 51 - 100
- 101 - 150
- 151 - 200
- 201 - 250
- 251 - 300
- 301 - 350
- 351 - 400
- 401 - 450
- 451 - 500
- 501 - 550
- 551 - 600
- 601 - 650
- 651 - 660
Pages: