IS Management Issues

The successful deployment (implementation) of information systems/technology is an important responsibility. Implementation is doing what the organization planned to do. The implementation should be viewed as a process that carries out the operational plans developed at the end of the information systems planning process. More specifically, the implementation process is a major stage that follows the investigation, analysis, and design stages of the systems development process. Therefore, implementation is an important activity in the deployment of information technology to support an organization and its end users.

Implementation involves a variety of acquisition, testing, documentation, installation, and conversion activities. It involves the training of end users in the operation and use of new information systems. Thus, implementation is a vital step in ensuring the success of new systems. Even a well-designed system can fail if it is not properly implemented.

Acquiring hardware, software, and external IS services is a major implementation activity. These resources can be acquired from many sources in the computer industry. Of course, there are many other firms in the computer industry that supply hardware, software and services. For instance, many larger business and professional organizations, educational institutions, and government agencies have employee purchase plans that let you buy computer hardware and software at substantial discounts. These corporate buying plans are arranged through negotiations with hardware manufacturers and software companies.

Most large business firms and all government agencies formalize these requirements by listing them in a document called an RFP (Request For Proposal) or RFQ (Request For Quotation). The RFP or RFQ is then sent to appropriate vendors, who use it as the basis for preparing a proposed purchase agreement. Computer users may use a scoring system of evaluation when there are several competing proposals for a hardware or software acquisition. Each evaluation factor is given a certain number of maximum possible points. Then each competing proposal is assigned points for each factor, depending on how well it meets the specifications of the computer user. Scoring each evaluation factor for several proposals helps organize and document the evaluation process. It also spotlights the strengths and weaknesses of each proposal.

A formal evaluation process reduces the possibility of buying inadequate or unnecessary computer hardware or software. Badly organized computer operations, inadequate systems development, and poor purchasing practices may cause inadequate or unnecessary acquisitions.

Whatever the claims of hardware manufacturers and software suppliers, the performance of hardware and software must be demonstrated and evaluated. This can be done on the premises of the computer user or by visiting the operations of other computer users who have similar types of hardware or software. Other users are frequently the best source of information needed to evaluate the claims of manufacturers and suppliers. Vendors should be willing to provide the names of such users. Large computer users frequently evaluate proposed hardware and software by requiring the processing of special benchmark test programs and test data.

When evaluating computer hardware, specific physical and performance characteristics for each hardware component to be acquired should be investigated. Specific questions must be answered concerning many important factors. These are called hardware evaluation factors, such as: performance, cost, reliability, availability, compatibility, modularity, technology, ergonomics, connectivity, environmental requirements, software, support, overall rating. Similarly for software evaluation factors, such as: efficiency, flexibility, security, language, documentation, hardware, other factors, overall rating. And finally a similar process should be designed for IS services evaluation factors, such as: performance, systems development, maintenance, conversion, training, backup, accessibility, business position, hardware, software, overall rating.

Management is responsible for the control of the quality and performance of information systems in their business unit. Like any other vital business asset, the resources of information systems hardware, software, and data need to be protected by built-in controls to ensure their quality and security. That's why controls are needed. Computers have proven that they can process huge volumes of data and perform complex calculations more accurately than manual or mechanical information systems. However, we know that errors do occur in computer-based systems, computers have been used for fraudulent purposes, and computer systems and their software and data resources have been accidentally or maliciously destroyed.

There is no question that computers have had some detrimental effect on the detection of errors and fraud. Manual and mechanical information processing systems use paper documents and other media that can be visually checked by information processing personnel. Several persons are usually involved in such systems and, therefore, cross-checking procedures are easily performed. These characteristics of manual and mechanical information processing systems facilitate the detection of errors and fraud.

Effective controls are needed to ensure information systems security, that is, the accuracy, integrity, and safety of information systems activities and resources. Controls can minimize errors, fraud, and destruction in an information services organization. Effective controls provide quality assurance for information systems. That is, they can make a computer-based information system more free of errors and fraud and able to provide information products of higher quality than manual types of information processing. This can help reduce the potential negative impact (and increase the positive impact) that information technology can have on business survival and success and the quality of life in society.

Based on the above, an organization has far more comprehensive needs for protection than computer security or a disaster recovery plan. It also needs an auditing procedure carried out by both internal and outside auditing personnel. The following is a general description of the control capability that is highly desirable for an organization.

Three major types of controls must be developed to ensure the quality and security of information systems: information systems controls, procedural controls, and physical facility controls.

The information systems controls are methods and devices that attempt to ensure the accuracy, validity, and propriety of information systems activities. Controls must be developed to ensure proper data entry, processing techniques, storage methods, and information output. Thus, information systems controls are designed to monitor and maintain the quality and security of the input, processing, output, and storage activities of any information system. The following are types of information systems controls:

Input Controls: passwords, security codes, formatted data entry screens, audible error signals, templates over keys of key-driven input devices, and prerecorded and prenumbered forms.

Processing Controls: identify errors in arithmetic calculations and logical operations.

Hardware Controls: parity checks, echo checks, redundant components, switches on devices, remote diagnostics.

Software Controls: operating systems checks, audit trail, system security monitors.

Output Controls: route slips, visual verification.

Storage Controls: security codes, backup files.

The procedural controls are methods that specify how the information services organization should be operated for maximum security. They facilitate the accuracy and integrity of computer operations and systems development activities. The following are examples of procedural controls:

• Standard Procedures and Documentation

• Authorization Requirements

• Disaster Recovery.

The physical facility controls are methods that protect physical facilities and their contents from loss or destruction. Computer centers are subject to such hazards as accidents, natural disasters, sabotage, vandalism, unauthorized use, industrial espionage, destruction, and theft of resources. The following are examples of physical facility controls:

• Physical Protection Controls

• Biometric Controls

• Telecommunications Controls

• Computer Failure Controls

• Controls for End User Computing.