SeneTech Inc.

Background

SeneTech Inc. is a retail and wholesale business focusing on IT hardware. Its head office is located in Bangkok, Thailand. SeneTech has 20 branches located all over Bangkok. The centralized data center is in Bangkok. SeneTech has more than 20,000 product items. SeneTech implemented a new Warehouse Management System to improve the efficiency of its warehouse operations and a new Mobile Store System to increase its competitive advantage and support the significant increase of sales transactions. Both the Warehouse Management System and the Mobile Store System are integrated with the Enterprise Resource Planning (ERP) system. The Warehouse Management System was implemented to assist SeneTech to control the movement and storage of its inventory and related processes such as shipping, receiving, fulfillment, and packing. The Mobile Store System is an application which facilitates completion of sales transactions on the sales floor by SeneTech sales employees. This means that a customer does not have to wait in line to pay at a cash register.

IT Organization

During an interview with the IT manager, you noted that there are two divisions - the Operations Division and the Application & Change Development Division.

The job descriptions for each division are as follows.

Operations Division:

o Back up applications, database, operating systems, and configurations

o Restore data based on user request

o Manage and maintain user profiles and authorizations

Application & Change Development Division:

o Develop and test applications

o Transfer applications from the test environment to production environment

o Coordinate with IT vendors

o Manage and maintain databases

o Assign database access authority to users

o Review and set up security configurations

Your review of the long- and short-term IT plans showed that SeneTech has three major projects - Enterprise Resource Planning System (ERP) project, Warehouse Management System project, and Mobile Store System project. In the past, SeneTech used accounting software and a point-of-sale system, but both were not integrated with each other. When a customer purchased a product, a salesperson recorded a sales transaction into the point-of-sale system and printed a sales invoice and a receipt for the customer. The next morning, the salesperson submitted an original sales invoice and a copy of the receipt to accounting personnel. Accounting personnel then recorded the sales transactions in the accounting software. Due to the increased number of sales transactions, it became impossible for the accounting staff to re-key all the sales transactions into the accounting system. SeneTech decided to implement a new ERP system to increase its competitive advantage and provide accurate and timely information to management. Since the current point-of-sale system could not integrate with the new ERP system, SeneTech decided to change the current point-of-sale system to a Mobile Store System. A Mobile Store System is an application which facilitates completion of sales transactions on the sales floor by SeneTech salespeople and at the cash registers. With this system, SeneTech can reduce congestion at cash registers and a customer does not have to wait in line to pay. If customers wish to pay on the sales floor instead of at the cash registers, they must pay by either credit or debit card.

SeneTech decided to implement the Warehouse Management System due to its numerous product items and to assist it in controlling the movement and storage of inventory and processes such as shipping, receiving, fulfillment, and packing.

Both the long- and short-term IT plans are reviewed and approved by the IT manager and top management. The IT manager has to report the progress of major projects to top management every quarter.

System Acquisition, Development and Change

During an interview with the IT manager, you learned that SeneTech established a change management procedure. Before changing or upgrading an application, a change request form must be initiated by a requester. A requester completes the form which is approved by the requester's department manager. The requester forwards the approved request form to the assistant IT manager of application and change who logs each request in a change request log, a listing of all requested changes and the status of the requests. After receiving the change request, the assistant IT manager of application and change assigns this request to his team to perform a system analysis and estimate the required development hours. He will give the final approval for the request after he receives the analysis results and time estimation. If the request is not approved, he will inform the requester via email. If the request is approved, he will assign the change to his team members and inform the requester via email. The application programmer copies the source code from the system's production environment to the development environment and makes the change. The programmer uses the production data to test the program in the development environment. The requester is required to perform user acceptance tests and sign off on the change request form. After signing off, the programmer modifying the program will migrate the program from the development environment to the production environment and sign off to close the job in the change request form. Finally, the programmer submits this form to the assistant IT manager of application and change to update the change request log. Your review of the change request log showed that there are only 30 requests. All the requests are for new reports or adjustments to reports.

Upon review of the user acceptance documents of the ERP and Warehouse Management System, you found that the IT application personnel are responsible for creating test scripts and testing both systems prior to implementation. In addition, all documentation used for implementing ERP and Warehouse Management System have not been received from vendors. The IT manager told you that the vendors have been preparing these even though this project has been live for three months. Moreover, there is no user manual for the ERP and Warehouse Management System.

Your review of the vendor selection supporting documents for the Mobile Store System revealed that the assistant IT manager of application and change is responsible for evaluating and selecting applications. In addition, you found that there is no system analysis report. A system analysis report summarizes the preliminary review of the user and system requirements. Your interview of the assistant IT manager of application and change indicated that SeneTech has not updated, patched, or upgraded the operating systems in use. The assistant IT manager of application and change explained that that the applications might not run properly if the operating systems were patched or upgraded.

Computer Operation

You interviewed the IT manager and learned that SeneTech established a computer operation manual and kept this manual in the data center. This manual described the backup and restoration processes of all systems. The backups of the application systems are automated and performed as part of the day-end processing. SeneTech performs full backup of all its data each day on to backup tapes. The backup tapes are kept in a fire-proof safe located in the data center. The IT manager indicated that SeneTech was in the process of selecting an off-site backup location where all the backup tapes would be kept.SeneTech established both business continuity and IT disaster recovery plans to mitigate system disruption risk. However, these plans have not been tested.

Information Security

SeneTech established an IT security policy which required all personnel to attend an IT security training class. SeneTech also implemented a domain controller to ensure that users are authenticated before they access the systems.

The password policy states as follows:

Passwords should be established for individual users to maintain accountability

The minimum password length is 6 characters

Passwords should be changed every 90 days

Passwords should consist of letters (a-Z), numbers (0-9), and other special characters (such as "?", "#", "$", or "%")

The security configurations for a domain controller, ERP, Warehouse Management System, and Mobile Store System are as follows:

Configuration Domain ERP Warehouse Mobile Store Controller Management System System Password Length 8 8 8 8 Password 120 120 Expiration Password Y Y N N Complexity Failed Login 3 Attempt Time-out facility N Not Not Supported Not Supported Supported