Module description
This Module covers knowledge of the development and maintenance of information processing
systems to support decision making and optimize the use of and learning throughout the
organisation.
LEARNING OUTCOMES
Learning Activities
Introduction
LO1: Obtain, classify and summarize information relevant to business issues
Self-check-1
Self-check-2
3.4. Consult Specialists and other relevant groups and individuals
Self-check-3
4.4 Design and test systems to meet information requirements of decision makers
4.5 Information is up-to-date, accurate and relevant and sufficient for the recipient
Self-check-4
Reference
Introduction Learning Guide ≠5
Below you can find an infographic of the main differences, with a short explanation below.
Please keep in mind that IM in many ways is a useful tool for KM, in that information can help
create and refine knowledge, but as a discipline it is a different one.
As I showed in the previous sections, knowledge and information are actually quite different, as
are tacit and explicit knowledge. So, while information and data management are certainly very
useful, particularly as information sources are growing at exponential rates and with the new
focus on big data, it is not synonymous with KM.
When you chose a paper topic and determined your research questions, you conducted
preliminary research to stimulate your thinking. Your research proposal included some general
ideas for how to go about your research—for instance, interviewing an expert in the field or
analyzing the content of popular magazines. You may even have identified a few potential
sources. Now it is time to conduct a more focused, systematic search for informative primary and
secondary sources.
Using Primary and Secondary Sources
Writers classify research resources in two categories: primary sources and secondary
sources. Primary sources are direct, firsthand sources of information or data. For example, if you
were writing a paper about the First Amendment right to freedom of speech, the text of the First
Amendment in the Bill of Rights would be a primary source.
Other primary sources include the following:
Research articles
Literary texts
Historical documents such as diaries or letters
Autobiographies or other personal accounts
The following are examples of secondary sources:
Magazine articles
Biographical books
Literary and scientific reviews
Television documentaries
Policy Statement
Information has varying degrees of sensitivity and criticality. Some items may
require an additional level of protection or special handling.
Classify, label and handle information resources based on their sensitivity, criticality, value,
nature and impact of unauthorized disclosure in accordance with legal, regulatory and
contractual requirements. This standard outlines the specific requirements and guidelines for the
implementation of “Information Classification and Handling” in “Information Security Policies”.
Objective
The objective of this Information Classification and Handling Standard is to provide
guidance on how the information should be handled in accordance with its classification
standard.
5 Information Classifications
The University must classify all its information assets into
appropriate levels to indicate the need, priority and degree of protection required. When handling
personal data, the personal data user must ensure compliance with the Personal Data (Privacy)
Ordinance, and the University’s “Code of Practice for Personal Data (Privacy) Issues”.
Research data and research information are important assets to the University. The University shall protect
the confidentiality and integrity of research data and research information without creating
unjustified obstacles to research activities. Information-related assets funded by research grants
shall also conform to the “Policies and Guidelines relating to Research” maintained by the Research
Grants and Contracts Office of the University.
The degree of protection required for different
types of information is based on security and legislative compliance requirements. The following
four classification levels, from highest to lowest, shall be used for classifying the University’s
information assets. If information has not been marked with one of the following categories, the
Information Owner/Delegate must initiate the data classification process and assign appropriate
classification levels in a timely manner.
1. RESTRICTED: This classification applies to information that is very sensitive in nature
and is strictly confidential to the University, the government or any other agreements
between the University and third parties (including the government). Such information is
considered critical to the University’s capacity to conduct its business. Generally, this
information shall be used exclusively by a small number of predetermined and authorized
named individuals, roles or positions and business partners. Either its disclosure to
unauthorized parties or its being shared internally could have a significant adverse impact on the
University’s reputation, its staff, students and third parties. Inappropriate release of
“RESTRICTED” information could cause unforeseeable damage to or endanger an
individual, and result in financial loss or damage to standing or reputation at University level.
Examples of information with this classification include:
examination papers before being released
privileged accounts’ passwords of the University’s key information systems
pending criminal investigation
“RESTRICTED” and “SECRET” are used
interchangeably in the scope of this set of Information Security Policies and
Standards. “RESTRICTED” is the preferred classification label. Existing
information classified as “SECRET” should be reclassified into “RESTRICTED”
upon review of classification.
2. CONFIDENTIAL: This classification applies to sensitive information that is intended for
use by a specific group of authorized personnel within the University and business partners,
assigned on a need-to-use basis and for authorized intended purpose. The unauthorized
disclosure, modification or destruction of this information would adversely affect the
business performance or the continuity of operations. Inappropriate release of
“CONFIDENTIAL” information could cause inconvenience to individuals, and result in
limited financial loss or damage to standing or reputation at unit level. Information of
interest to news media, pressure groups or electorates is also classified as
“CONFIDENTIAL”. Such information shall not be copied or removed from the University’s
control without specific authorization. Examples of information with this classification
include:
student information (e.g., student HKID, credit card information)
staff information (e.g., staff HKID, personal financial or medical information)
student and staff disciplinary details
patent pending
unpublished research information
identifiable research subject data
3. INTERNAL: This classification relates to non-sensitive operational data. It applies to
information that is intended for use by members of the University and authorized
service providers. Disclosure of such information could have moderate adverse impact.
Disclosures are not expected to cause serious harm to the University and access may be
provided freely to a specific group of staff based on their roles and responsibilities.
Examples of information with this classification include the University’s staff handbooks,
policies, training materials, manuals, procedures, etc.
4. PUBLIC: This classification applies to information that has been approved by authorized
parties for public consumption. Public information shall present no perceived risk to the
University, its staff and/or students. Examples of information with this classification include
program and admission information, published academic literature, press releases, address of
a department, etc.
Responsibility
Information/System Owners/Delegates are responsible for
identifying the classification level of information. All staff members are responsible for
handling information in accordance with this procedure. Heads of Departments of all
University Units shall ensure their responsible areas’ compliance with this procedure.
5. Labeling Information Assets
Information that is classified as “RESTRICTED”,
“CONFIDENTIAL” or “INTERNAL” should be appropriately labeled. Unlabeled emails are
considered as “Internal”, unlabeled information on other types of media is considered as
“Public”. Tabulated below are some common labeling methods for various types of
information assets.
In an information summary, do not include anything that does not appear in the original. (Do not
include your own comments or evaluation.) And be sure to identify your source.
Validity is arguably the most important criterion for the quality of a test. The term
validity refers to whether or not the test measures what it claims to measure. On a test with
high validity the items will be closely linked to the test's intended focus.
It is reported as a number between 0 and 1.00 that indicates the magnitude of the relationship,
"r," between the test and a measure of job performance (criterion). The larger
the validity coefficient, the more confidence you can have in predictions made from the test
scores.
Reliability is the degree to which an assessment tool produces stable and consistent results.
Types of Reliability. Test-retest reliability is a measure of reliability obtained by
administering the same test twice over a period of time to a group of individuals.
In order for research data to be of value and of use, they must be both reliable and
valid. Reliability refers to the repeatability of findings. ... If more than one person is
observing behavior or some event, all observers should agree on what is being recorded in
order to claim that the data are reliable.
Test validity is the extent to which a test (such as a chemical, physical, or scholastic test)
accurately measures what it is supposed to measure.
Validity - the quality or correctness of a measure that it measures what it is supposed to
measure. The reliability of a test refers to stability of measurement over time. When a
person's data entry skills are measured on two occasions (with no special training in
between), the two sets of scores should be similar.
1.6. Formal and informal networks
COMMUNICATION FUNCTION IN ORGANISATIONS
The communications function is the means by which the activities in the organisation are
coordinated to achieve the organisational goals. It is also the means by which behaviour is modified,
change is effected, information is made productive & goals are achieved. Whether it is within a
business enterprise, a family, educational institution or trade exhibition, the transfer of
information from one individual to another is absolutely essential. There are two main types of
communication in every organisation – formal & informal communication.
Formal Communication
Formal communication refers to official communication which takes
place through a chain of command. Formal communication may be divided into three
categories, which are given as follows:
a) Downward Communication: Under this system, communication flows from top
management downward to the operating level. It may also be called communication from a
superior to a subordinate. It follows the line of authority from the top to the bottom of the
organisation hierarchy. Downward communication consists of plans & policies, orders and
instructions, procedures & rules etc.
b) Upward Communication: It means the flow of information from the lower levels of the
organisation to the higher level of authority. This communication includes opinions, ideas,
suggestions, complaints, grievances, appeals, reports etc. On the basis of upward
communication, the management revises its plans & policies & makes further planning.
c) Horizontal Communication: The transmission of information and understanding between
people on the same level of organisation hierarchy is called the horizontal communication. This
type of communication is also known as lateral or sideward or crosswise communication.
Usually, it pertains to interdepartmental managers working at the same level of organisation or
among subordinates working under one boss.
Horizontal communication speeds up information and promotes mutual understanding. It
enables the managers working at the same level to exchange information and co-ordinate their
activities without referring all matters to the higher level of management. The horizontal
communication is generally of an informal nature. Whenever a departmental head requires some
information from another departmental head, he tends to contact him directly. However, this type
of communication can be oral or written.
Informal Communication
There is also a great deal of informal communication in an
organisation. This communication flows through informal channels and may or may not be work
related. Informal communication cuts through the formal organisational structure. Most of us are
familiar with the term ‘grapevine’ used to describe a network of informal communication.
Grapevines are present in all organisations. In fact, in large organisations, there are many
grapevines moving up, down and across departments.
4. When writing the summary there are three main requirements: state:
Objectives
Objectives are specific statements of outcomes that a jurisdiction is aiming to achieve through
its transport system.
Objectives support the high-level goals and can be expressed for each planning level: the whole
transport system, city or region, a network, an area or corridor, or a specific route or link.
Objectives can also be set for specific initiatives, transport modes and local areas.
The suite of objective statements should be consistent and integrated across planning levels.
The difference between objectives and outcomes should be noted. Objectives are statements
about desired outcomes. Outcomes are the end results that are achieved by meeting the
objectives.
Formulating objectives
In some cases, governments may decide to develop a new set of transport objectives. This is
often the case when developing transport plans.
Usually, however, transport system objective statements already exist, and can be found in a
number of places, including transport-related strategies developed by national, state and territory
governments, and legislation covering transport investment and activities, and municipal
transport plans developed by local councils.
Statistics is a branch of science that deals with the collection, organisation, and analysis of data
and drawing of inferences from the samples to the whole population. This requires a proper
design of the study, an appropriate selection of the study sample and choice of a suitable
statistical test. An adequate knowledge of statistics is necessary for proper designing of an
epidemiological study or a clinical trial. Improper statistical methods may result in erroneous
conclusions which may lead to unethical practice.
VARIABLES
A variable is a characteristic that varies from one individual member of a population to another
individual. Variables such as height and weight are measured by some type of scale, convey
quantitative information and are called quantitative variables. Sex and eye color give
qualitative information and are called qualitative variables.
2.4. Taking Sensitivity analysis on any options proposed
These DSS have file drawer systems, data analysis systems, analysis information systems and data
warehousing, and emphasize access to and manipulation of large databases of structured data.
Model driven
The underlying model that drives the DSS can come from various disciplines or areas of
specialty and might include accounting models, financial models, representation models,
optimization models, etc. With model-driven DSS the emphasis is on access to and
manipulation of a model, rather than data, i.e. it uses data and parameters to aid decision
makers in analyzing a situation. These systems usually are not data intensive and
consequently are not linked to very large databases.
Knowledge driven
These systems provide a recommendation and/or suggestion scheme which aids the user in
selecting an appropriate alternative to a problem at hand. Knowledge driven DSS are often
referred to as management expert systems or intelligent decision support systems. They focus
on knowledge and recommend actions to managers based on an analysis of a certain
knowledge base.
2. Document driven
These systems help managers retrieve and manage unstructured documents and web pages by
integrating a variety of storage and processing technologies to provide complete document
retrieval and analysis. They also access documents such as company policies and procedures,
product specifications, catalogs, corporate historical documents, minutes of meetings,
important correspondence, corporate records, etc. and are usually driven by a task-specific
search engine.
3. Communication driven
This breed of DSS is often called group decision support systems (GDSS). They are a
special type of hybrid DSS that emphasizes the use of communications and decision models
intended to facilitate the solution of problems by decision makers working together as a
group. GDSS supports electronic communication, scheduling, document sharing and other
group productivity and decision enhancing activities and involves technologies such as
two-way interactive video, bulletin boards, e-mail, etc.
4. Inter- and Intra-organization DSS
These systems are driven by the rapid growth of the Internet and other networking technologies
such as broadband WANs, LANs, WIP, etc. Inter-organization DSS are used to serve
company stakeholders (customers, suppliers, etc.), whereas intra-organization DSS are
more directed towards individuals inside the company and specific user groups. The latter,
because of their stricter control, are often stand-alone units inside the firm.
5. New breeds of DSS
Hybrid systems, which are combination units using aspects of more than one type
of DSS. A very popular example is Web-based DSS, which can be driven by a combination
of different models such as document-driven, communication-driven and knowledge-driven.
Web-based DSS are computerized systems that deliver decision support information or
decision support tools to a manager or business analyst using a "thin-client" Web browser
like Netscape Navigator or Internet Explorer.
On-line Analytical Processing (OLAP) - a category of software technology that enables
analysts, managers and executives to gain insight into data through fast, consistent,
interactive access to a wide variety of possible views of information that has been
transformed from raw data to reflect the real dimensionality of the enterprise as understood
by the user.
Keeping the various distinctions and classifications of DSS in mind, a DSS should be described
in terms of:
The dominant technology component or model underlying the system
Targeted users
Specific purpose
Data
Data are numbers, words or images that have yet to be organised or analysed
to answer a specific question.
Information
Produced through processing, manipulating and organizing data to answer
questions, adding to the knowledge of the receiver.
Knowledge
What is known by a person or persons. Involves interpreting information
received, adding relevance and context to clarify the insights the information
contains.
Validity
Data should be recorded and used in compliance with relevant requirements, including the
correct application of any rules or definitions. This will ensure consistency between periods
and with similar organisations, measuring what is intended to be measured.
Reliability
Data should reflect stable and consistent data collection processes across collection points
and over time. Progress toward performance targets should reflect real changes rather than
variations in data collection approaches or methods.
Timeliness
Data should be captured as quickly as possible after the event or activity and must be
available for the intended use within a reasonable time period. Data must be available
quickly and frequently enough to support information needs and to influence service or
management decisions.
Relevance
Data captured should be relevant to the purposes for which it is to be used. This will require a
periodic review of requirements to reflect changing needs.
Completeness
Data requirements should be clearly specified based on the information needs of the
organisation and data collection processes matched to these requirements.
The Risk Management Plan should identify the risk management activities you anticipate and
plan throughout the product’s life-cycle. It is dynamic and should be revisited and updated often.
This is not a do-it-once-and-done activity.
A Risk Management Plan must include the following criteria:
1. Scope of the Risk Management activities. Define the product included. It is possible to
have multiple products described within a single Risk Management Plan.
2. Describe the intended use of the product(s).
3. Identify all Risk Management activities planned throughout the product lifecycle.
4. Define roles and responsibilities. Identify the Risk Management team that will be
reviewing and approving risk documentation.
5. Criteria for the product’s risk acceptability. (Note that oftentimes this is likely to be
defined within your Risk Management Procedure.)
6. Specify methods to verify Risk Control measures are implemented and reduce risks.
7. Define how post-production information will be captured and fed into Risk Management
activities for the product.
The Role of Executive Leaders in the Risk Management Plan
People often think that Risk Management is a job for developers, designers, and engineers: the
product people. While it is true that these resources provide valuable insights to Risk
Management efforts, these individuals are not the only contributors.
In addition to product developers and engineers, other functional areas including business
development, marketing, manufacturing, sales, and end-users should be an integral part of your
Risk Management process.
Executive management:
The final authority in the company and must be the one to decide if a risk is acceptable.
Responsible for ensuring there are adequate resources for risk management activities.
Also has the responsibility for defining the company’s risk management policy. This
involves determining the risk acceptability criteria. The criteria should be based on solid,
objective evidence, such as industry standards.
3.3. Quantitative methods outcomes
Your goal in conducting a quantitative research study is to determine the relationship between one
thing [an independent variable] and another [a dependent or outcome variable] within a
population.
Its main characteristics are:
1. Explain the data collected and their statistical treatment as well as all relevant results in
relation to the research problem you are investigating. Interpretation of results is not
appropriate in this section.
2. Report unanticipated events that occurred during your data collection. Explain how the
actual analysis differs from the planned analysis. Explain your handling of missing data
and why any missing data does not undermine the validity of your analysis.
3. Explain the techniques you used to "clean" your data set.
4. Choose a minimally sufficient statistical procedure; provide a rationale for its use and a
reference for it. Specify any computer programs used.
5. Describe the assumptions for each procedure and the steps you took to ensure that they
were not violated.
6. When using inferential statistics provide the descriptive statistics, confidence intervals,
and sample sizes for each variable as well as the value of the test statistic, its direction,
the degrees of freedom, and the significance level [report the actual p value].
7. Avoid inferring causality, particularly in nonrandomized designs or without further
experimentation.
8. Use tables to provide exact values; use figures to convey global effects. Keep figures
small in size; include graphic representations of confidence intervals whenever possible.
9. Always tell the reader what to look for in tables and figures.
In my experience decision making is a process and happens over a period of time. It is when
the decision is constructed and built (made).
A decision is taken at a moment, in an instant. The decision is taken at the moment the
choice is made: the decision is taken from the available options. So decision making precedes
decisions being taken.
Decision taking
It is quite easy to spot decisions being taken. Or rather, attempts to take decisions. These
often occur as votes in a meeting. They might be a statement from the chairman or leader
that says, “Right, this is what I have decided” or “This is what we will do”.
What is decision-making?
Is about how you get to the decision. It is about making sure you understand the whole
decision process.
Can include gathering information, creating options, discussing potential actions and
their implications “what if?”
Can involve deciding who needs to make the decision or be involved in the
decision-making process. It includes the consequences of those decisions, either as actions, risks
or benefits.
Can involve judgment and/or more detailed analysis and thought.
In simple words, strategic planning is a planned process in which an organisation defines what it
aims to achieve and how it is going to achieve it.
For an organisation a strategic plan is the fundamental starting point for all its operations. A
strategic plan guides the direction of the organisation by defining explicitly its purpose of
existence and by providing mid-term goals and measurable success indicators. Having clear
indicators or markers allows the organisation to assess whether goals are being reached.
Ethics Filters
The ethical component of the decision making process takes the form of a set of "filters." Their
purpose is to surface the ethics considerations and implications of the decision at hand. When
decisions are classified as being "business" decisions (rather than "ethics" issues), values can
quickly be left out of consideration and ethical lapses can occur.
At key steps in the process, you should stop and work through these filters, ensuring that the
ethics issues imbedded in the decision are given consideration.
We group the considerations into the mnemonic PLUS.
P = Policies
Is it consistent with my organization's policies, procedures and guidelines?
L = Legal
Is it acceptable under the applicable laws and regulations?
U = Universal
Does it conform to the universal principles/values my organization has adopted?
S = Self
Does it satisfy my personal definition of right, good and fair?
The PLUS filters work as an integral part of steps 1, 4 and 7 of the decision-making process. The
decision maker applies the four PLUS filters to determine if the ethical component(s) of the
decision are being surfaced/addressed/satisfied.
Step 1: Define the problem (use PLUS to surface the ethics issues)
Does the existing situation violate any of the PLUS considerations?
Step 2: Seek out relevant assistance, guidance and support
Step 3: Identify available alternative solutions to the problem
Step 4: Evaluate the identified alternatives (use PLUS to assess their ethical impact)
Will the alternative I am considering resolve the PLUS violations?
Will the alternative being considered create any new PLUS considerations?
Are the ethical trade-offs acceptable?
Step 5: Make the decision
Step 6: Implement the decision
Step 7: Evaluate the decision (use PLUS to surface any remaining/new ethics issues)
Does the resultant situation resolve the earlier PLUS considerations?
Are there any new PLUS considerations to be addressed?
The PLUS filters do not guarantee an ethically-sound decision. They merely ensure that the
ethics components of the situation will be surfaced so that they might be considered.
How Organizations Can Support Ethical Decision-Making
Organizations empower employees with the knowledge and tools they need to make ethical
decisions by
Intentionally and regularly communicating to all employees:
Organizational policies and procedures as they apply to the common workplace ethics
issues.
Applicable laws and regulations.
Agreed-upon set of "universal" values (i.e., Empathy, Patience, Integrity, Courage
[EPIC]).
Providing a formal mechanism (i.e., a code and a helpline, giving employees access to a
definitive interpretation of the policies, laws and universal values when they need
additional guidance before making a decision).
3.8.
11 Communicating Decisions taken in a timely manner
It’s not enough to make the right decision. You have to ensure that decision is properly
communicated if you want it to be successfully implemented. The bigger the decision, the more
rigorous you have to be in communicating it. Here are 5 keys to communicating that decision
well.
At some point in your career, you’re going to have to “make the call.” You’ll make a big
decision that will affect a lot of people. Some will be happy. Some will be bent. If you want your
decision to be successful, you’ve got to dedicate a significant amount of thought to how you’re
going to communicate the decision to the organization.
There are five keys you should think about as you’re making big decisions:
Clarity - First, be clear about the call being made. Tell people exactly what the decision is. The
crisper you are in explaining the decision, the higher the likelihood that they’ll carry it out.
Documentation - Document that decision so you have something to true back to. Remember, big
decisions can take a long time to make. The results of those decisions can take a long time to
mature and for you to see what happens.
Rationale - Lay out the rationale for making the decision. Include the assumptions you made, the
facts you were using to make the decision, and the sources of the information you used for
making the call. When things change, you can go back to that rationale and find root errors in the
data you had.
Dissemination - When making the call, do so in writing and disseminate your decision broadly
across the organization. Avoid the most common problem that happens when people make a
decision: misinterpretation. Many times, if you announce your decision verbally, the game of
telephone occurs. Somebody who was there heard it firsthand. They heard the rationale but they
interpreted it slightly differently than you meant to say it.
Inclusion - When you announce major decisions, do so in a group forum and give people time for
Q & A. This is a solid approach for understanding what their concerns might be. Let people
know how the decision was arrived at and who was involved in the decision making process.
This will help reduce execution risk. People might not support your decision if they think their
interests weren’t represented.
Self-check-3 Written test
At each major or significant organisational stage or proposal, assess whether you need to
communicate information to groups of staff or individuals (or a wider audience). Both can be
critical in making sure that you have communicated effectively.
Planning communication
When planning communication, remember to:
build in opportunities for employees and volunteers to feed in their views
ensure that all employees and volunteers can access information: if your only communication
method is by email, check whether everyone has regular access to a computer or a personal
email account
deliver information via a variety of methods but consistently, so that people know what to
expect and where to obtain or access information
maintain communication by regular and timely flows of information: try to avoid the last
minute ‘news scoop’
Review your communication methods regularly and assess their effectiveness to ensure that
your messages are getting through.
Communication methods
When your message is really important, deliver it using more than one method. For example, you
could follow up a general staff meeting with an email, and then confirm the information in a
personalized letter to ensure that it has been received and understood. Possible communication
methods include:
notice boards
letters to staff/volunteers
newsletters/in-house magazines/e-magazines
press releases
annual reports
emails and intranets
focus groups
phone conversations
face-to-face formal or informal meetings between managers and employees
presentations
team briefings/group meetings
consultation groups or staff forums.
Communicating through staff meetings
If you decide to hold a meeting (individual or collective), be clear about what you want to
achieve from each agenda item. The goal could be to:
exchange information (report, update, inform or find out)
solve a problem or find a solution
make a decision
plan
evaluate
supervise
consult
review performance.
Anyone has a right to request information from a public authority. You have two separate duties
when responding to these requests:
to tell the applicant whether you hold any information falling within the scope of their
request; and
to provide that information
For a request to be valid under the Freedom of Information Act it must be in writing, but
requesters do not have to mention the Act or direct their request to a designated member of staff.
It is good practice to provide the contact details of your freedom of information officer or team,
if you have one, but you cannot ignore or refuse a request simply because it is addressed to a
different member of staff. Any letter or email to a public authority asking for information is a
request for recorded information under the Act.
What makes a request valid?
To be valid under the Act, the request must:
Be in writing. This could be a letter or email. Requests can also be made via the web, or even on
social networking sites such as Facebook or Twitter if your public authority uses these;
Include the requester’s real name. The Act treats all requesters alike, so you should not normally
seek to verify the requester’s identity.
Include an address for correspondence. This need not be the person’s residential or work address
– it can be any address at which you can write to them, including a postal address or email
address;
Decision makers need information products whose characteristics, attributes or quality have
the three dimensions of time, content, and form.
Decision makers at different levels of the organization make more or less structured
decisions. Typically there are three types of decision structure:
Unstructured decisions (usually related to the long-term strategy of the organization);
Semi-structured decisions (some decision procedures can be pre-specified but not enough to
lead to a definite recommended decision);
Structured decisions (the procedure to follow, when a decision is needed, can be specified in
advance).
Earlier in this course we discussed the concept of system as a set of interrelated components,
with a clearly defined boundary, working together to achieve a common set of objectives. With
respect to the information system, it can be any organized combination of people, hardware,
software, communication networks, data resources, and policies and procedures that stores,
retrieves, transforms, and disseminates information in an organization (O'Brien, p. 4).
There are three vital roles that information systems can perform for a business enterprise: support
of business processes and operations, support of decision making by employees and managers,
and support of strategies for competitive advantage – see the figure below (O'Brien, p. 8).
The applications of information systems that are implemented in today's business world can be
classified as either operations or management information systems – see the figure, below
(O'Brien, p.13)
Operations Support Systems (OSS) produce a variety of information products for internal and
external use, such as processing business transactions, controlling industrial processes,
supporting enterprise communications and collaborations, and updating corporate databases
effectively. They do not emphasize the specific information products that can best be used by
managers. Further processing by management information systems is usually required.
Management Information Systems (MIS): provide information in the form of reports and
displays to managers and many business professionals that support their day-to-day decision-
making needs.
Decision Support Systems (DSS) are computer-based information systems that provide
interactive information support to managers and business professionals during the decision-
making process. DSS use analytical models, specialized databases, a decision maker's own
insights and judgments, and an interactive, computer-based modeling process to support semi-
structured business decisions.
Executive Information Systems (EIS) or Executive Support Systems (ESS) are information
systems that combine many of the features of MIS and DSS. Here the information is presented in
forms tailored to the preferences of the executives using the system, such as a graphical user
interface, graphics displays customized to the executives, exception reporting, trend analysis, and
abilities to 'drill-down' and retrieve displays of related information quickly at lower levels of
detail.
Specialized Processing Systems (PS) are information systems characterized as functional
business systems, strategic information systems, knowledge management systems, and expert
systems.
It is important to realize that business applications of information systems in the real world are
typically integrated combinations of all these types of information systems. In practice, all these
different types and roles of information systems are combined into integrated or Cross-
Functional Business Information Systems that provide a variety of functions. Thus, most
information systems are designed to produce information and support decision making for
various levels of management and business functions, as well as perform record-keeping and
transaction-processing chores.
The figure below illustrates the scope of the managerial challenges and opportunities facing
business managers and professionals in effectively managing information systems and
technologies.
4.5 Information is up-to-date, accurate and relevant and sufficient for the recipient
The second of the principles covering information standards, principle 4 covers the accuracy of
personal data. The Data Protection Act imposes obligations on you to ensure the accuracy of the
personal data you process. It must also be kept up to date where necessary.
This requirement is closely linked with the requirement under principle 3 that personal data is
adequate. Ensuring the accuracy of personal data will assist you in complying with this
requirement as well.
In brief – what does the Data Protection Act say about accuracy and updating?
The Act says that:
Personal data shall be accurate and, where necessary, kept up to date.
This is the fourth data protection principle. Although this principle sounds straightforward, the
law recognizes that it may not be practical to double-check the accuracy of every item of
personal data you receive. So the Act makes special provision about the accuracy of information
that individuals provide about themselves, or that is obtained from third parties.
To comply with these provisions you should:
take reasonable steps to ensure the accuracy of any personal data you obtain;
ensure that the source of any personal data is clear;
carefully consider any challenges to the accuracy of information; and
consider whether it is necessary to update the information.
When is personal data “accurate” or “inaccurate”?
The Data Protection Act does not define the word “accurate”, but it does say that personal data is
inaccurate if it is incorrect or misleading as to any matter of fact. It will usually be obvious
whether information is accurate or not.
What about records of mistakes?
There is often confusion about whether it is appropriate to keep records of things that happened
which should not have happened. Individuals understandably don’t want their records to be
tarnished by, for example, a penalty or other charge that was later cancelled or refunded.
However, the organisation may legitimately wish its records to accurately reflect what actually
happened – in this example, that a charge was imposed, and later cancelled or refunded. Keeping
a record of a mistake and its correction might also be in the individual’s interests.
Where you use your own resources to compile personal data about an individual, then you must
make sure the information is correct. You should take particular care if the information could have
serious implications for the individual. If, for example, you give an employee a pay increase on the
basis of an annual increment and a performance bonus, then there is no excuse for getting the new
salary figure wrong in your payroll records.
Purpose
The purpose of this policy is to outline the principles that must be adhered to by all who
work within and have access to personal information and sensitive personal information.
Personal information incorporates the following factors:
Surname, forename, initials
Address, postcode
Telephone number
Date of birth (any other dates e.g. medical dates, dates of diagnosis)
Occupation
Sex
National insurance number
Sensitive personal information is data that contains details of a person’s:
Racial or ethnic origin
Political opinions
Religious beliefs or other beliefs of a similar nature
Membership of a trade union
Physical or mental health or condition
Sexual life, convictions
Legal proceedings
Why Personal Information is collected
Information is collected about patients to:
Support patient care
Improve health and social care services
Disclosure of Personal Information for Care Purposes
Personal information can be shared between healthcare professionals when it is in the best
interests of an individual and they are providing direct care.
INFORMATION SECURITY
Physical Security
Personal information must always be held securely. In any area which is
not secure, and which can be accessed by a wide range of people (including possibly the
public), such information must be locked away immediately after it has been finished with.
Where it is impractical for this to be achieved, access to the work area must be restricted.
Where it is necessary to take confidential information away from Trust premises in order to
carry out your duties (e.g. home visit to a patient), you must keep the information secure and
make every effort to ensure that it does not get misplaced, lost or stolen.
Electronic Security
You must lock your computer and mobile devices when unattended.
Always log off systems and do not leave your Smartcard unattended. Mobile devices,
memory sticks and laptops must be encrypted. Please refer to IT for further guidance.
Information should be held on the organisation’s network servers, and not stored on local
hard drives. Personal information stored on network shared drives should be restricted as
appropriate. IT can assist in establishing folder access rights. Information should not be
saved or copied into any PC or media that has not been approved by IT. Safe Haven folders
should have access restrictions imposed by the IT Helpdesk. The IT helpdesk should be
advised of new access requests for that location.
Safe Transfer of Personal Information
When transferring any personal information you must:
ensure the person is entitled to receive the information
use the most appropriate method to ensure that the information is transferred securely
limit the information to only what is required; irrelevant information must be removed
or redacted (blocked out) before transfer
ensure that you are sending information to the correct location
ensure that no additional information is sent in error
only send information to those who are entitled to receive it
mark it ‘Private and Confidential’
Confidentiality and Security of Personal Information Policy
Incoming mail must be opened away from public areas.
All mail must be checked before posting to ensure it is going to the correct address and
that nothing additional has been put in the envelope in error.
All mail that contains personal information must be enclosed in a sealed envelope and
marked ‘Private and confidential’, addressed correctly.
All mail containing sensitive personal information must be sent via Special Delivery
or by a courier (TNT)
Bulk amounts of personal information must be sent via Special Delivery or by a
courier (TNT)
Email
You should put any confidential or sensitive information in an attachment and encrypt the
attachment with a password
You should not set up your emails to be automatically forwarded to another account; you
should set up an out of office to identify who emails should be forwarded to
For HDFT to HDFT or NHS.net to NHS.net
You must check you are sending the email to the correct email address
You should put any confidential or sensitive information in an attachment and encrypt the
attachment with a password
You must not send the password in the body of the email or a following email. You must
contact the person you are sending the email to and confirm the password.
For HDFT to any email address
You must check you are sending the email to the correct email address
You should put any confidential or sensitive information in an attachment and encrypt the
attachment with a password
You must not send the password in the body of the email or a following email. You must
phone the person you are sending the email to and confirm the password.
Send the recipient the Encrypted Email Instructions before emailing them the confidential
or sensitive email
Then type the word 'Encrypt' in the subject field on the email to encrypt the whole email
For NHS.net to any email address
You must check you are sending the email to the correct email address
You should put any confidential or sensitive information in an attachment and encrypt the
attachment with a password
You must not send the password in the body of the email or a following email. You must
contact the person you are sending the email to and confirm the password.
Then follow these instructions to encrypt the whole email: Sender Guidance
Verbal
The identity of the enquirer must always be verified by checking any relevant details;
for example, if it is a patient, ask them to confirm their date of birth, address,
attendance dates, etc. If the enquiry is via the phone, call them back so that the identity can
be fully verified. In the case of an organisation, the switchboard number must be used to
call back, not a direct dial number.
If answering machines are used by departments they should be set up so that messages left
are recorded silently. This will ensure that no unauthorized personnel overhear confidential
messages whilst they are being recorded.
Fax
The fax machine should be sited in a secure location where access to the machine is
controlled.
Sending
By each fax machine there should be a laminated copy of the Fax. which acts as a prompt to
follow the correct procedures when sending a fax.
All external faxes must use the Trust’s Fax Cover Template
All faxes, internal or external, containing patient information or other confidential
information must use the Trust’s Fax Cover Template
Check the recipient’s fax number; memory alone must not be relied on when dialing. It is
acceptable to pre-programme commonly used fax numbers into the machine’s memory.
However, a list of speed dial numbers must be prominently displayed next to the
machine.
Check if the fax machine is a Safe Haven. If it isn’t, telephone the recipient of the fax to let
them know that you are about to send a fax containing confidential information, and ask if
they will wait by the fax machine whilst you send the document and acknowledge the
receipt of the fax.
Dial the number carefully.
Monitor the transmission.
Stop the transmission if there appear to be any anomalies with the transmission.
Obtain a printed record of the transmission where possible.
No paperwork must be left unattended at the fax machine.
If a published fax number turns out to be incorrect, inform all interested parties of the
error and amend the list as necessary.
Receiving
The recipient should remove the fax from the machine on receipt.
Where necessary, the recipient should contact the sender to confirm receipt and that the
fax will be appropriately dealt with and safely stored.
Audience
The following includes the core audiences you will need to consider with any communications
around area reviews. This is not an exhaustive list, and will have different local variations.
Governors
Staff
Unions
Students
Students Union
Parents
Other colleges
Universities
Schools in the area
Media
Trade
Employers/partners who work with the college
Potential students
MPs
Councillors
Officers of the council
Local
National
Influential local people
Local enterprise partnerships
Chamber of commerce
Aims
From the outset you should have aims for the communication work. The following are
suggestions:
Ensure that internal audiences are kept up to date with the area review process.
Provide timely, accurate, consistent information to stakeholders.
Develop a partnership working approach with other colleges for a strategic
communications approach.
Messages
Creating and maintaining a limited number of key messages promotes consistency across
audiences and channels, whether it is a media release, website update or staff meeting.
Contradictory statements weaken a college’s position and can lead to the perception that it is
hiding something and that nothing it says is to be believed.
How often should we update our communications plan?
Since a strategic communications plan is not a list of tactics, you need to know what you are
supporting so your communications plan can drive outcomes set forth in the business plan. Said
another way, update your communications plan when you update your business plan, ideally
annually. That will ensure you work smarter, not harder.
That doesn’t, however, mean it should collect dust throughout the year. Here are five simple but
important exercises to ensure your communications stay fresh:
1. Review your positioning & messaging, more as a reminder than a prompt to change. Your
messaging should remain consistent, customizing it based on your audience.
2. Review data. Take a look at whatever metrics are available to you, even if that is just website
analytics. What does customer behavior tell you? What communication is resonating? What is
causing your audience to act? Depending on the answers, do you need to adjust?
3. Revisit your target audiences, both general and specific. Invest the most time in the people that
matter the most. This could include customers, prospects, investors, industry influencers and/or
employees.
4. Do a website audit. Is your content still consistent with messaging? Is it current?
Comprehensive? Is it mobile-friendly?
5. If you don’t have a social media strategy, develop one. Even the skeptics have learned that
serious business can be done via social media, yet not all companies have a plan. You must have
a carefully designed strategy and supporting tactics, including a plan for sustainability, to make it
work. And doing what your competitors are doing is not a plan.
goodwill.
Consider the following examples:
Failure to protect your data’s confidentiality might result in customer credit card numbers
being stolen, with legal consequences and a loss of goodwill. Lose your clients’ confidential
information and you may have fewer of them in the future.
A data integrity failure might result in a Trojan horse being planted in your software,
allowing an intruder to pass your corporate secrets on to your competitors. If an integrity
failure affects your accounting records, you may no longer really know your company’s true
financial status.
Elements of a good security program
A good security program provides the big picture for how you will keep your company’s data
secure. It takes a holistic approach that describes how every part of your company is involved in
the program. A security program is not an incident handling guide that details what happens if a
security breach is detected. It’s also not a guide to doing periodic assessments, though it
probably does dictate when to do a security.
1. Designated security officer
For most security regulations and standards, having a Designated Security Officer (DSO) is not
optional — it’s a requirement. Your security officer is the one responsible for coordinating and
executing your security program. The officer is your internal check and balance. This person or
role should report to someone outside of the IT organization to maintain independence.
2. Risk assessment
This component identifies and assesses the risks that your security program intends to manage.
This is perhaps the most important section because it makes you think about the risks your
organization faces so that you can then decide on appropriate, cost-effective ways to manage
them. Remember that we can only minimize, not eliminate, risk, so this assessment helps us to
prioritize them and choose cost-effective countermeasures. The risks that are covered in your
assessment might include one or more of the following:
Physical loss of data. You may lose immediate access to your data for reasons ranging from
floods to loss of electric power. You may also lose access to your data for more subtle
reasons: the second disk failure, for example, while your RAID array recovers from the
first.
Unauthorized access to your own data and client or customer data. Remember, if you have
confidential information from clients or customers, you’re often contractually obliged to
protect that data as if it were your own.
Interception of data in transit. Risks include data transmitted between company sites, or
between the company and employees, partners, and contractors at home or other locations.
Your data in someone else’s hands. Do you share your data with third parties, including
contractors, partners, or your sales channel? What protects your data while it is in their
hands?
Data corruption. Intentional corruption might modify data so that it favors an external party:
think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a
software error that overwrites valid data.
3. Policies and Procedures
Preparing your risk assessment hopefully gave you lots to worry about. The policies and
procedures component is the place where you get to decide what to do about them. Areas that
your program should cover include the following:
Physical security documents how you will protect all three C-I-A aspects of your data from
unauthorized physical access.
Authentication, authorization, and accountability establishes procedures for issuing and
revoking accounts. It specifies how users authenticate, password creation and aging
requirements, and audit trail maintenance.
Security awareness makes sure that all users have a copy of your acceptable use policy and
know their responsibilities; it also makes sure that your IT employees are engaged in
implementing your IT-specific policies.
Risk assessment states how often you will reassess the potential threats to your IT security
and update your security program.
Incident response defines how you will respond to security threats, including potential (such
as unauthorized port scanning) and actual incidents (where security has been compromised).
We discussed the importance of having an incident-handling guide in the Q1 2006 issue of
The Barking Seal.
Virus protection outlines how you protect against viruses. This might include maintaining
workstation-based products and scanning email, Web content, and file transfers for
malicious content.
Business continuity planning includes how you will respond to various man-made and
natural disaster scenarios. This includes setting up appropriate backup sites, systems, and
data, as well as keeping them up-to-date and ready to take over within the recovery time
you have defined.
Relationships with vendors and partners defines who these organizations are, what kind of
data you might exchange with them, and what provisions must be in your contracts to
protect your data. This is an often-overlooked aspect of data security because your IT
organization probably has not had a lot of interaction with your legal organization over
vendor contracts. You may need to take measures such as evaluating your partners’ ability
to safeguard your data and insisting on having reasonable security practices in place.
4. The type of information required by decision makers in a company is directly related to:
Sensitivity Analysis https://www.investopedia.com/terms/s/sensitivityanalysis.asp#ixzz5FAs6mOc1
Guidance for designing, monitoring and evaluating peace building projects: Using theories of
change, CARE
Published with permission from Cass Centre for Charity Effectiveness. This material is taken
from "Tools for Success: doing the right things and doing them right", published in October
2008. Download or buy your copy from Cass Centre for Charity Effectiveness.
(andrea_jones@aoc.co.uk)