Disaster Recovery Planning

End User Computing - Policy And Procedure

CONTENTS:

1. Introduction.............................................................................................................3

2. Scope .......................................................................................................................3

3. How EUC Successful …...........................................................................................5

PolicyвЂ¦Ð²Ð‚¦Ð²Ð‚¦Ð²Ð‚¦Ð²Ð‚¦Ð²Ð‚¦.......................................................................................................6

ProcedureвЂ¦Ð²Ð‚¦Ð²Ð‚¦Ð²Ð‚¦Ð²Ð‚¦..................................................................................................6

END-USER COMPUTING

1. Introduction

End-user computing (EUC) may involve a single user on a microcomputer, networks of users downloading data for further processing on workstations, or user-developed mainframe, mini and microcomputer applications using fourth generation or latest languages.

End-user computing represents a way of doing business. Users understand the decisions they need to make, the decision-making process, and the information needed to support the decision. The user wants flexible, easy-to-use tools with standardized interfaces to corporate data for developing and maintaining end-user applications.

Technology alone cannot account for the growth in end-user computing. Rather, the demand for end-user computing stems from:

- An unparalleled systems development backlog and a decreasing ability on the part of Management or Information Systems (IS) departments to meet the ever-increasing user needs on a timely and cost-effective basis

- Better-educated and more demanding users who realize that maximizing computing benefits is integral to achieving a competitive advantage

- The recognition of complete, accurate, and timely information as a corporate resource and competitive advantage

- An increasing specialization and sophistication of business analysis

2. Scope

The oddness of EUC, coupled with the lack of central control, create or recreate exposures that should be addressed by meeting the following measures:

Responsibilities and Development of Policies

Policies must be developed that will control EUC without interfering with the benefits. According to the research findings, both users and data processing personnel support standardization policies, provided that standardization includes support from the IS group, and that standardization does not stifle an end-user's ability to experiment with new technology.

Data Identification and Classification

Corporate policies should specify data security and privacy provisions for all applications. Such policies should require the identification of data ownership and the assignment of security levels to data. Procedures for controlling the data, commensurate with the level of confidentiality classification, should be developed.

Adequate Developmental Budgets

One myth that seems to hamper effective use of end-user computing is a belief that end-user applications can be effectively developed on the job in a user's spare time. The myth prevails because new technologies have piqued the interest of talented individuals, and those individuals have invested personal resources (time) in developing applications to assist in their job.

Departments cannot realize the benefits of end-user developments without providing sufficient time for development. If the organization wants to benefit from end-user development, user development time should be separately budgeted and managed.

Control over Resources

Formal systems development processes are governed by well-defined planning and budgetary procedures to allocate scarce computing resources. Centralized development authorization helps set priorities and control redundant efforts.

Inadequate Controls

In the EUC environment, no one is responsible for enforcing traditional data processing standards as application controls, testing procedures, and documentation. Few companies have implemented comprehensive definitions of end-user controls and procedures, adequate controls cannot be assured.

The common book of knowledge regarding computing risks and controls resides in the Information Systems departments. With IS no longer in charge, there is no assurance that standard safeguards built into the traditional process will be followed.

Reliability of Applications

Many one-of-a-kind applications are developed to replace manual systems, but they are often far more complex than the manual systems replaced. There is a tendency to assume that end-user applications are as reliable as traditionally developed applications. However, many of these systems do not receive the independent testing or control analysis associated with traditional developments.

Ownership of Shared System

A fundamental control principle is that each data item and every application should have an identified owner with responsibility for data and application integrity. Data are being increasingly shared and may be partially or fully duplicated at user

...