Information Technology for management Project: Hotel Business

  1. Business Introduction
    1. Concept/idea

The idea is to start a hotel business unit in London, with a long-term plan of extending it to several foreign countries such as the Middle East, Australia, Africa and the United States. The hotel is intended to have 7 top-level departments, each with a department manager with relevant qualifications and experience who will report to the managing director. This means 8 strategic managers. Other employees will include waiters, cashiers, professional chefs, IT personnel, data entry clerks, hotel drivers, marketers, secretaries, a logistics team (for supply chain management), customer representatives, cleaners, security personnel, tour guides, and spa and massage specialists. These will form the bulk of the junior staff, approximated at 30 employees. With the need for casuals such as cleaners, the total expected headcount is approximated at 45 employees.

  • Services/Products you sell and buy

The hotel will provide food (local and exotic), confectionery and pastries, beverages (fresh natural juices, sodas, animal-derived beverages like milk, and alcoholic and other non-alcoholic drinks), comfort services such as spa treatment and massage, lodging and accommodation services, tours and travel services, conference facilities and services, and event organization services.

  • Target market

For general services such as basic foods and beverages, the first target market is drawn from all demographics (children, teens, young adults and adults, the elderly, families, couples, both males and females), targeting both the local and the international market. The second target group will be wealthy business people on business trips, tourists visiting London, and prominent people on business, academic or political matters wishing to hold meetings and conferences in a serene environment. The last target group is high-end event revelers at entertainment events, sporting events, public campaign awareness events and so on.

  • Business functions/departments

At the start, the hotel is expected to have 7 main departments, namely: administration, production, customer care, marketing, finance, IT, and research and development. In case of expansion, each unit will be required to have the following core sections universally: a parking space, cash counter, reception, kitchen, dining hall, side station, family section, dish washing section, pantry section and a toilet. These sections will add up to the already six departments.

How could IT improve your business?

IT will play a crucial role in helping the hotel business in the following main areas: process improvement, decision making, operations streamlining, regulatory compliance and obtaining a competitive advantage over competitors. In business process improvement, IT will, through automation, help improve the hotel’s core processes such as stock taking, payment processing, online retailing, administrative automation and customer service, among other processes. IT will be used as a strategic tool to assist in decision making. This will be done by examining various products of the information systems such as summary, evaluation and comparison reports. Such reports show the financial and competitive health of the business, which will be critical for the management in making choices regarding areas of improvement, market and customer characteristics and so forth. Operations streamlining is mainly a product of automation, where processes can be standardized and the accuracy and timely delivery of process outputs can be evaluated, among others. As a regulatory enhancer, IT will play a crucial role in documenting and evaluating regulatory requirements such as the health and safety activities of the hotel as expected by regulatory bodies and laws. Finally, by analyzing market trends, customer behavior, and process and operations improvements, IT will play a crucial role in discovering strategies for reducing costs of operations, differentiating products/services according to market demands, and expanding sales and the target market, among other competitive advantages.

  • Information Management:
    • What kind of data/information you need to run your business

The hotel will require the following categories of data as inputs to its information system. First, it will require transactional data based on daily transactions, such as sales volumes, customer service experience, sales income and daily supply requirements, among others. Secondly, it will require management information for different managers, such as semi-refined summaries of daily transaction data. Examples include the daily sales volume of a particular service/product or menu item, the performance of a newly introduced product, administrative work such as daily personnel turnover (absentees), daily summaries of supplier information and so on. This information will be essential for strategic management. Tactical information that will be important for the top management and the director of the hotel will also be required. This might include refined summaries on the performance of a given product or service such as event organization, market trends of close competitors and so forth. Data for tactical information requirements will be obtained from transactional and strategic management systems, together with decision support systems. Decision support systems will be necessary to predict the future, for example in terms of brand attractiveness, supplier characteristics, consumer behaviors and so on.

  • How will you manage the data?

Data management will be done with the help of an enterprise resource planning (ERP) system. The ERP system will be able to collect, analyze, store, and produce the desired reporting for different users and uses. The database will also act as a repository infrastructure where data can be stored and from which it can be retrieved on a need basis.

More specifically, the following principles will be used: data planning, data control and organization, access control, long-term data resiliency, and data sharing. This will leverage the business’s core asset – the data.

  • What is the role/importance of a Database to your business?

A database system is composed of the data repository and a database management system that allows modification, updating, retrieval and other activities to be carried out on the data. The database system will provide secure, reliable storage of adequate capacity, and timely and remote retrieval of the intended information for authorized users. It will support all the core functional areas of the business with the required data and information. Besides, the database system will prevent duplication of data and effort, and allow the advantages of pooled information such as shared information resources, data consistency and data searches, among others.

  • Networks, Collaboration, and Sustainability

The information system will rely on a variety of data networks for communication, collaboration and sustainability reasons. The institution’s network infrastructure will involve a LAN that will serve the internal information needs and an internet connection to allow WAN access.

Near Field Communication (NFC) and radio-frequency identification (RFID) will play a major role in facilitating the hotel’s operations within the premises of the business. NFC provides a low-speed connection that is very simple to set up between devices separated by a short distance. This technology will be used to support contactless payment services that will allow mobile payments. It will offer ideal, easy and rapid communication for most consumer devices used within close range. With NFC-enabled devices within the premises, users can easily store and exchange personal data files such as pictures, messages and MP3 files, among others. However, this technology cannot be relied upon for transferring large files or for use over larger separation distances.

RFID will provide vital business muscle by automatically identifying and tracking tags that are attached to objects. This technology uses electromagnetic fields for the purposes of data transmission. In the hotel business, RFID tags will be attached to all business assets, from furniture to kitchen equipment, to stock and all items within the premises of the hotel. The technology will allow easy identification and tracking of these items for the purposes of inventory taking and asset profiling. Besides, the tags will be used by the logistics team to track stock and supplies by facilitating identification of products’ characteristics such as destination, origin, supplier, customer and so forth. Apart from inventory and tracking of other assets, this technology will also prove very beneficial in applications involving access control. For example, these tags can be mounted on staff badges and can also be used to capture car details and authorize vehicles at the entrance. Strategically, RFID technology can be used to track the performance of certain brands provided by the hotel. An example is tracking the performance of discounted product items (like a menu item) through a supply chain involving other retailers. This can prevent the retailers from diverting the discounted prices.

Within the hotel’s premises, information networks will include WiFi and a wireless LAN. WiFi provides a relatively easy and convenient way to send and receive light files. With the increased usage of smartphones, users can easily access the internet, which will be one of the communication and entertainment services provided at the hotel. In addition to having a connection to the internet, users can easily exchange data files such as music and short video clips. The inclusion of a wireless LAN will enable sharing of larger data files among the hotel’s staff, among customers as they enjoy the internet services within the hotel, and between the staff and the customers. This can include confirmation of orders, especially for guests in the lodgings who want to communicate with the staff. The staff can also use mobile devices, especially notebooks, to do more research, for example on the possibility of introducing a new menu item or exploring an international market, from the comfort of the hotel’s premises. However, for the wireless LAN and WiFi, security and network strength will be central to their implementation. Although passwords will regulate their use, sensitive information such as strategic and tactical information will not be allowed to be relayed through the wireless LAN and WiFi. The reason is that wireless networks are more prone to attacks such as man-in-the-middle attacks, network injection and denial-of-service attacks. Wireless access points are particularly prone to these attacks. The common or popular standard for a wireless LAN is Wired Equivalent Privacy (WEP) and that for WiFi is WiFi-Protected Access (WPA), both of which are considered weak standards. WPA is the more current and more secure of the two but requires a firmware upgrade, which means added investment.

Besides, wireless networks are easily affected by physical obstructions and by interference from other wireless networks, bearing in mind that the hotel will be located in the busy City of London with thousands of other wireless networks. So there will be a need for a dedicated and more stable wired network connecting the critical business units that will be involved in the storage, transmission and retrieval of business-critical information (strategic, tactical and decision making). This will also be critical for supporting bandwidth-intensive applications that require high quality of service, such as online conferencing.

A virtual private network (VPN) will offer an important technology solution to provide mobile and remote users with secured network coverage. VPN technology will make it possible for remote/mobile users to receive and send files via a public or shared network such as the internet as if they were connected directly (within a private network), while still applying the hotel’s specified network management and security policies. This will be essential in the event of the expansion of the hotel, with several geographically separated branches. The branches can be connected through a unified network and given access to the hotel’s data resources and applications stored on the premises’ internal servers. However, for a safe connection, the VPN system must use secure VPN protocols such as Internet Protocol Security (IPsec).

5. CyberSecurity, Compliance, and Business Continuity

  1. Explain your IT infrastructure (i.e. Software, Hardware, and Database)?

As discussed above, the hotel will seek an ERP solution from vendors as the main information system. Besides this, there are other prerequisites in terms of hardware, software and database systems. For the hardware infrastructure, the hotel will require various hardware devices for the workstations, server environment and network infrastructure.

For the workstations, which are the different stations from which the personnel will work, the following requirements must be met:

High-performing PCs, one for each member of personnel, with 4GB of RAM, i3-class processors, external storage capacity of at least 80GB, a high-speed Ethernet port and a wireless adaptor. PCs will be preferred for fixed workstations, while notebooks of similar storage and processing power will be acquired for mobile workstations. For the server, there will be a local server installed within the premises’ data center and a hosted backup server service that will mirror information in a remote location. The reason for having two server environments is to ensure continuity in case of an accident or calamity affecting one of the servers.

Networking hardware will include network switches, routers, a firewall, cabling, access points, a wireless server environment such as a RADIUS server to cater for both cable and wireless LAN security requirements, gateways, a bridge to connect several network segments, and repeaters to amplify and regenerate received digital signals and resend them from one network segment to another.

Software requirements include appropriate operating systems for the servers, workstation computers, notebooks and other portable devices such as smartphones. Application software will be needed for different workstation needs. For example, the cashier might need point-of-sale software to support his/her daily transactional requirements. Security software such as antivirus programs will also be needed.

For the database system, it will be imperative to acquire the database program from renowned vendors or rely on customization of open source database software. Based on cost-benefit analysis, possible vendors include Oracle, Microsoft SQL Server, Microsoft Access (available in the MS Office package), IBM Lotus Approach and SAP Sybase IQ. For open source database solutions, customizations can be done to MySQL, PostgreSQL, Firebird or SQLite.

  • How will you secure your IT infrastructure? Explain all measures needed.

With the advent of ubiquitous computing, a technique for computing everywhere, anytime and using any device, in addition to modern communication technologies such as the internet, businesses have been exposed to a wide array of cyber-security threats (Yannakogeorgos & Lowther, 2013). Cybercriminals have also devised complex tools and techniques to break into computing systems; therefore, every security-conscious business must adopt resilient countermeasures covering both the physical and logical infrastructure to deal with potential security threats.

Securing the IT infrastructure will take physical, administrative, and logical security control strategies. Physical security control strategies will include physical preventive mechanisms that ensure the safety of the IT infrastructure. These include doors and locks on sensitive IT infrastructure such as the data center, CCTV cameras to monitor and report any unauthorized access, fencing, and security guards. This will also entail protection against fire, dust, humidity and other environmental factors that might affect the IT infrastructure. Strategies to achieve this will include fire and smoke alarms, and heating and air conditioning systems.

Logical controls will involve the use of technical parameters through software and applications to prevent unauthorized access to or modification of data and information systems. To achieve logical controls, each user of any computing device will be required to use a secure and strong password, and there will be access control lists to govern access privileges in computing systems. For example, the cashier will be able to input sales volumes but cannot edit them after completion of a customer order. Such functions will be assigned to the authorized data technician, who will be answerable, responsible and accountable for any changes. In addition, there will be both host-based and network-based firewalls to guard against external information threats, especially from the internet. Programs to guard against viruses, Trojans and spyware will also be required.
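The cashier and data technician rule above, sketched as an added example (it is not part of the original project and not taken from any ERP product). The role names follow the text; the action names, the users "amina" and "joel", the order id and the hash-chained audit log are assumptions made for illustration.

```python
import hashlib
import json

# Role -> permitted actions. Role names follow the text; action names are assumed.
PERMISSIONS = {
    "cashier": {"create_order", "add_line", "complete_order"},
    "data_technician": {"amend_order"},
}

class AccessDenied(Exception):
    """The role or the order's state does not permit the action."""

def _digest(entry):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class SalesLedger:
    def __init__(self):
        self.orders = {}  # order_id -> {"status": "open"|"completed", "lines": {item: qty}}
        self.audit = []   # append-only; each entry carries the previous entry's hash

    def _log(self, user, role, action, order_id, outcome, detail=""):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "user": user, "role": role,
                 "action": action, "order": order_id, "outcome": outcome,
                 "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def _deny(self, user, role, action, order_id, reason):
        self._log(user, role, action, order_id, "deny", reason)  # denials are logged too
        raise AccessDenied(f"{user} ({role}) {action} on {order_id}: {reason}")

    def _require(self, user, role, action, order_id, state):
        """Check the role's permission first, then the order's state."""
        order = self.orders.get(order_id)
        current = order["status"] if order else "new"
        if action not in PERMISSIONS.get(role, set()):
            self._deny(user, role, action, order_id, "role lacks permission")
        if current != state:
            self._deny(user, role, action, order_id, f"order is {current}, not {state}")
        return order

    def create_order(self, user, role, order_id):
        self._require(user, role, "create_order", order_id, "new")
        self.orders[order_id] = {"status": "open", "lines": {}}
        self._log(user, role, "create_order", order_id, "allow")

    def add_line(self, user, role, order_id, item, qty):
        order = self._require(user, role, "add_line", order_id, "open")
        order["lines"][item] = order["lines"].get(item, 0) + qty
        self._log(user, role, "add_line", order_id, "allow", f"{item} +{qty}")

    def complete_order(self, user, role, order_id):
        order = self._require(user, role, "complete_order", order_id, "open")
        order["status"] = "completed"
        self._log(user, role, "complete_order", order_id, "allow")

    def amend_order(self, user, role, order_id, item, qty, reason):
        order = self._require(user, role, "amend_order", order_id, "completed")
        if not reason.strip():
            self._deny(user, role, "amend_order", order_id, "no reason given")
        old = order["lines"].get(item, 0)
        order["lines"][item] = qty
        self._log(user, role, "amend_order", order_id, "allow",
                  f"{item} {old}->{qty}: {reason}")

    def audit_intact(self):
        """Recompute the chain; an edited, reordered or mid-chain-deleted entry breaks it."""
        # Truncation at the tail is only caught if the latest hash is also kept elsewhere.
        prev = "0" * 64
        for seq, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True

def demo():
    """Constructed scenario: cashier 'amina', technician 'joel', order 'ORD-1'."""
    ledger = SalesLedger()
    ledger.create_order("amina", "cashier", "ORD-1")
    ledger.add_line("amina", "cashier", "ORD-1", "fresh juice", 2)
    ledger.complete_order("amina", "cashier", "ORD-1")
    attempts = (
        lambda: ledger.add_line("amina", "cashier", "ORD-1", "soda", 1),
        lambda: ledger.amend_order("amina", "cashier", "ORD-1", "fresh juice", 1, "typo"),
    )
    for attempt in attempts:
        try:
            attempt()
        except AccessDenied:
            pass  # the cashier cannot change a completed order
    ledger.amend_order("joel", "data_technician", "ORD-1", "fresh juice", 1,
                       "customer was served one glass")
    return ledger
```

Calling `demo()` returns the ledger; its `audit` list shows the two denied cashier attempts followed by the technician's attributed amendment.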

Lastly, administrative controls will entail the laws and regulations that will govern activities and procedures involving the use of computing facilities. To facilitate this, a computer security policy will be drafted, setting out all the do’s and don’ts when dealing with any computing device or resource. Governing policies, such as the consequences of not adhering to the specified laws and regulations (disciplinary measures), will be put in place. The administrative department will be tasked with ensuring that only capable and qualified personnel are given the various computing tasks. For example, the data clerk or an IT support staff member cannot assume the roles of the database or network administrators. In the event of an inability to hire some of the qualified staff such as a database administrator, especially at the start, the hotel management can plan to outsource some of these roles to specialist companies. Separation of duties to ensure responsibility and accountability will form the nucleus of the administrative controls.

Compliance

According to Yannakogeorgos & Lowther (2013), every company, whether privately or publicly held, must comply with one or more regulatory agencies in the course of operation. Therefore, the hotel must adhere to set and implied laws and regulations to ensure smooth running, satisfy all customer needs and consequently achieve a competitive edge over rivals. The computing systems used by the hotel, both hardware and software, must be robust enough to provide the appropriate functionality without slowing the business down. What the hotel needs from the systems vendors is a guarantee of compliance. However, to a larger extent compliance depends on the location of operation, business procedures, workflows, interactivity with customers, handling of customer, partner, and supplier data such as private and confidential data, funds transfer, and overall security. Yannakogeorgos & Lowther (2013) argue that businesses relying on computing systems, especially from sources external to the business, are at a greater risk of violating one or more laws or regulations. This can be attributed to the rising number of complaints from the customer community about violations such as privacy infringement.

Yannakogeorgos & Lowther (2013) identify the key elements with respect to compliance to be:

  • Security and privacy: Solid security functionality is paramount. It should be easy to maintain to adapt to changing environments. The information residing on these systems must also be free from access or use by unauthorized people. In addition, systems must comply with set data protection and disposal requirements.
  • Change log: Systems are used by different people with different roles and privileges; therefore, business systems must have a robust audit trail to uphold accountability and non-repudiation.
  • Data sharing: This is an important tool that can help a business to effectively, securely and efficiently share data over communication networks including the internet across the globe.
  • Documents and records capture, approval and storage: Electronic documents and records approval can enable a business accelerate its processes, workflow and information sharing. With proper indexing, system users can easily retrieve documents such as invoices, correspondence, drawings and other documentations.
  • Lot and serial number tracking: This functionality is vital for tracing the production elements to meet particular compliance requirements, for example state contracts and other applications where stakeholders would want to know specifically what was used in actual production. Variants of this tool seek to track serial numbers as products leave the business.
  • Quality assurance: The system functionalities must support business-wide decision making through robust analysis and reporting capabilities.
  • Globally supported principles: Systems used in businesses must conform to global principles such as tax and accounting, excise and customs, and VAT automation.
  • Disaster recovery: Systems must have recovery capability to ensure business continuity in case of a disaster.

Business continuity

For the purpose of this business, business continuity will entail the creation of a robust ICT infrastructure and techniques that are secure, compliant with laws, regulations and standards, and highly functional to meet all business and user requirements. This way, its operations will be kept on course even when unforeseen threats strike. The major component of business continuity will take the form of a disaster recovery plan to enable the hotel to continue operating at acceptable specific levels in case of a disruptive event. Erbschloe (2003) suggests that business continuity should be embedded into a business to enable quick and effective recovery from disasters. Swanson, Bowen, Phillips, Gallup & Lynes (2010) note that business continuity elements may include: resilience, using spare capacity and redundancy to protect critical business operations; recovery, aimed at recovering and restoring crucial business functions; and contingency, an element that seeks to augment resilience and recovery such that risks not catered for or unforeseen incidents are effectively resolved.

Business continuity specifications for this business include: Assessment of disaster recoverability during hardware and software acquisition based on documentation on pre-built recovery functionality in the systems; concrete SLAs with vendors to guarantee instantaneous support; solid backup and replication; using cloud computing’s Disaster-Recovery-as-a-Service (DRaaS); authentication and authorization tools and techniques to block unwanted access to business resources; regular systems security patching; and a secured network perimeter and servers with prebuilt low failover capability.

  • E-Business & E-Commerce Models and Strategies
    • Explain the reason(s) beyond your decision to run your business online

First, through the power of the internet, a new economy has been developed. Hotels with just a regional tag have been able to establish their presence in the online space. With the creation of the new economy, whether or not to adopt an online strategy is no longer something for business management to decide. It is a mandatory requirement if a business wishes to keep in touch with current market conditions. Established companies like eBay and Amazon have already been able to create their dominance, and hotel businesses are speedily catching up.

In addition to the creation of new online economies, taking business online has bridged the distance between businesses and customers. It has made the world a small digital global village. With this in mind, customers dictate the need for the hotel to take its operations online. Business enterprises have no alternative as online business transactions continue to dominate business operations in the 21st century. Customers can order and pay through online means. Businesses can advertise, provide customer service, and increase the value of their goods and services online. With geographical limitations eliminated through virtual technologies, it has become possible to attract a wider market segment and to increase the brand’s attractiveness and presence.

As with any other enterprise, the aim of any business is to reduce costs of production for a sustainable profit margin. The hotel business is no exception. Through internet and online operations, businesses can cut down on their production costs significantly. Through online technologies, the hotel business can streamline its business operations and gain the benefits of virtual trading. Examples of such business processes include billing, procurement, supply chain management, shipping and so forth. An E-business platform allows reduction of the operational costs associated with physical contact and can lead to huge savings.

The days when business operations were done only during the day or for a limited number of night hours are gone. With an E-business strategy in place, customers can order, make payments, and enquire about prices, menu items and delivery systems at any time of the day. This translates to an opportunity for making sales and growing the business as major world economies migrate to a 24-hour economy.

Lastly, taking business online creates added avenues of information. Customers can use the online platform to compare prices from different competitors. Competitors, on the other hand, can learn about the activities of their close competitors in order to modify their selling, production or value proposition strategies. Therefore, online presence will play a significant role in obtaining business intelligence regarding customers, competitors, and other stakeholders affecting the business such as suppliers and government, among others. This has been made possible through online data gathering and analysis tools such as online customer relationship management systems (CRMs). These factors shift the decision of going online from the owners’ or management’s perspective to a global and universal strategy that cannot be avoided.

  • Will you run pure or partial e-commerce business? Why?

At the start, the hotel will employ a partial e-commerce approach, with a pure e-commerce system as a long-term aim. This will involve an initial system built around an information-dispersing platform that will only allow customers to view goods and services, request customer service and make other enquiries in general. Full automation of ordering and payment will be achieved after the business has taken off, approximately after 1 year. This is influenced by a number of factors. First, the initial startup capital of a fully operational e-commerce business is relatively high. At the moment, high priority in capital investment is on the business-critical processes such as stock and inventory, personnel, licensing and regulatory compliance, furniture, fixtures and fittings, equipment and other key resources that the business cannot start without. With time, more capital can be acquired and used to implement a full or pure e-commerce system. Secondly, before engaging in a full e-commerce system, it is imperative to have some experience from physical transactions. Due to the large number of online customers expected, it can be a risk to experiment with them before fully understanding the market demands, expected customer preferences and so forth. Abrupt adoption of a full e-commerce system can lead to massive damage to the brand or the hotel’s image among a significant proportion of the target customers. Rectifying such an image can be costly and time consuming, or lead to a total failure of the whole e-commerce strategy. Gradual implementation of the e-commerce system can be based on current customer experiences, which can take a considerable amount of time to gather. Other factors, such as learning from competitors’ e-commerce strategies, supplier behavior and other factors that directly affect the business, will also need time.

  • What TYPES OF E-COMMERCE TRANSACTIONS you will run?

At the initial startup, the partial E-commerce system will support the following transactions:

Customers can make requests about available services, menu items and costs, place a complaint, recommend, and express all their other views regarding the operations of the hotel and their experiences.

Whereas the hotel will not have an automated online ordering and payment system at the start, the system will play a great role in supporting existing manual processes. For example, a customer can place an order via a phone call or an email, make the upfront payment using a mobile phone and track the order delivery using the E-commerce messaging system and customer service already in place.

Suppliers can enquire about the available opportunities to supply items such as inventory and raw materials like fresh fruits and animal products, and enquire and negotiate with the procurement department on pricing, delivery modes and all forms of supplier information.

The hotel business can promote sales, advertise, market, correct various types of information relating to products and services, and attend to queries from other stakeholders such as customers, government and regulatory bodies, and suppliers.

  • Which e-commerce model will you adopt and why?

The business model to adopt is business to consumer (B2C). The major reason behind this is to have a direct connection to the consumer. The customer will be required to place the order via the E-commerce website; then, through the E-commerce technologies and user support at the hotel, the order will be processed and sent back to the client. With a direct connection to the customers, middlemen are reduced. This not only reduces the possible costs involved with them but also creates convenience in attending to customers’ orders and other queries. Besides, the B2C model offers flexibility in changing the catalogue details. For example, the management can decide to change prices and offerings instantaneously. Call centers and email communications can be integrated within the site, reducing unnecessary phone calls that might lengthen a purchase/sale lifecycle.

B2C models also offer unlimited market potential as long as businesses devise appropriate product/service promotion strategies such as advertising and sales promotion. Through the power of the internet, customers can browse, place orders and make purchases from the comfort of their homes, roads and offices, 24 hours a day, 7 days a week. B2C business models also experience reduced costs of doing business, such as reduced processing costs associated with intensive data entry or faxing, fewer employees, and reduced inventory and purchasing costs. There is also ease in business administration where, with the right software and infrastructure, business administration activities can be automatically classified, stored, updated in real time and accessed wherever needed by the customers.

  • Which electronic payment method(s) will you adopt?

On full automation, the E-commerce system will adopt the following payment methods. The most used method is payment by credit/debit card number. In the case of credit cards, after a user makes a purchase, the bank makes the payment on his/her behalf. The customer can then pay the purchase amount through a credit card bill. Other payment options involve a third-party online banking institution that facilitates the payments. Examples include PayPal, Payoneer and Skrill. PayPal, which is a global electronic payment system, will offer support for customers with PayPal accounts. There is also Google Wallet, which is somewhat similar to PayPal, to assist in the transfer of money online. Others include MasterPass, clearXchange, Bitcoin, and Dwolla.

  • Mobile Technologies and Commerce
    • Explain any pressure that is pushing your business to go mobile?

As with going online, the current business environment has made going mobile a fundamental necessity. Mobile phones and devices have taken the current economy by storm. Computing strategies are also moving from desktop-based applications to mobile computing. Currently, statistics indicate that mobile phones are so popular in most households that even teens own them. The convenience brought by mobile phones, especially with the technological developments that have brought smartphones into business use, cannot be underestimated. With the advent of smart apps, most of the e-commerce that has been conducted via the internet is now possible through mobile phones. This capability, combined with their convenience, provides huge business potential for the future. Mobile business will be of huge value to the hotel business in supporting mobile information services, marketing activities, shopping, logistics and other operations of the hotel.

  • What are the benefits of running your business as an m-commerce business?

Mobile commerce (m-commerce) has seen a growing shift from old e-commerce systems mainly developed for desktop to Smartphone Apps and mobile websites.  By taking the business mobile, the following benefits will be accrued:

  • The number of mobile users is growing day by day. This translates into growing target and potential market segments.
  • Like E-commerce, M-commerce eliminates most of the limitations involved with geographical distances. This makes it easy to reach most customers irrespective of their geographical locations.
  • M-commerce will bring significant savings to all parties that are directly connected to the business operations, such as customers, the business itself and suppliers. By eliminating the need for physical contact, users can save both money and time.
  • Mobile phones are relatively easy to use when compared to other technologies such as desktop applications. Skilled consumers or other users are not a necessity. Mobile apps have also made shopping easy. For example, a consumer can browse thousands of the hotel’s services and products without having to go through the online checkout process.
  • Mobile apps can function both online and offline, which adds value to their use as opposed to desktop-based E-commerce systems.
  • With their availability in app stores such as Google Play and so on, their visibility is increased. Websites are not visible in app stores and thus will require additional marketing, either online or offline, to improve their visibility.

However, there are various limitations that come with m-commerce, which the hotel business must take into account. These include reduced screen size as compared to desktop screens, which makes it difficult to navigate within thousands of items.

  • Will you have an application for your business? Talk about it.

The hotel will create a Smartphone application for the business that will be aimed at supporting both the business and customers in the following ways:

For the hotel business:

  • Building and maintaining customer relationships
  • Reinforcing hotel’s brands (menu items and services)
  • Creating brand’s loyalty
  • Increasing visibility of the hotel’s services and products to target and potential customers
  • Create a repeat business
  • Improve accessibility of the business products and services

For the customers:

  • Easy access to the business goods and services
  • Location directions of the premises
  • Business notifications on discounts, offering, special events and more
  • Appointment scheduling for special customers with unique demands such as customizations or bulk buying
  • Budget calculators to show how much they can save by choosing the hotel’s products and services as opposed to competitors
  • One-touch access to the hotel’s contact information
  • Automatic reminders for activities such as the appointment days
  • They can also have QR code scanners embedded in them as a reading device.

Description of the app

Branding: The name of the app should acquire a key letter from the hotel’s name. For example, considering the name to be Fort’s Hotel, the app name can be something like, F-Hotel. This will be part of branding, where each of the hotel’s marketing strategies can be uniquely and clearly identified.

Accessibility: The app to be developed should be accessible on most smartphone operating systems. At a minimum, the app should be supported by Android, Windows and iOS. This is to increase the app’s presence among the target and potential customers.

What the app should do: the app should have the following capabilities to support earlier stated objectives:

  • Mobile food/drinks/services ordering system- the app will have to support the ordering process by allowing customers to request order as well as make the payment from any Android, Windows, iPhone or iPad device. Options for this feature include customized product menus with food images, pricing information and delivery options. The app will be developed with options of delivery, dine-in or carryout. This should also be supported by necessary notifications for order status such as confirmation of receipt and so on.
  • Support videos and pictures of the hotel’s specials- in addition to basic pictures of the menu items, this feature will be used as a selling point to attract more and more customers. Example of such specials include the past customer experiences, a look on the hygiene, facilities, and so forth.
  • Push messages and notifications- this is the ability of the hotel business to use the app to send messages as well as associated push notifications. This is a great way to keep close interactions and customer engagements between the business and its customers.
  • Incorporate an easy customer loyalty program- the word here is ‘easy’. The loyalty program should be easy, both on the side of the customer and the business. For example, there can be redeemable coupons for customers who have visited the hotel or ordered certain meals a specified number of times. The customers should also be able to refer their friends easily to the hotel through a supported social or messaging networking system.
  • Event creator- the app will assist customers to create new events as notified through notifications. This can be done by adding new events on their calendars and having a reminder system to remind them.
  • Web 2.0 and Social Media

a. Explain why you will make use of social media for your business

Social media provides one of the excellent social interaction points that modern businesses are using to link up with customers. Social media mainly entails social networks such as Facebook, Google+, Twitter, Instagram and WhatsApp. It offers proven ways of reaching thousands of customers, at a lower cost than most of the traditional advertisement methods. Social media can be used for attracting new customers, establishing customer preferences, promoting the business activities and its brands, strengthening relationships with already existing customers to create brand loyalty, and informing customers on the products/services details and all other information that is crucial for the business. By engaging in social media, the hotel business will be able to benefit from the following aspects:

Possibility of targeting specific groups of interests- with social media tools such as Facebook and Foursquare, it becomes possible to target specific groups of customers based on demographics, social and geographical locations. With the ability to target a specific group, the hotel’s management and marketing teams can develop relevant content that will catch the attention of potential customers, thereby increasing the brand’s visibility.

Broad reach- like E-commerce strategies, the use of social media closes the geographical distance and overcomes limitations associated with physical

b. What social media will you use? For what purpose?

[talk of FB groups, ads, and so on]

9. Functional areas

  1. What functional areas will you have in your business?
  2. What functional system will you run?


10. Enterprise systems and applications

a. Which Enterprise system will be of use to your business, and why?

[talk of ERP solutions]

11. Performance management using data visualization

a. Explain why you will make use of business dashboards?

12. IT strategy

a. Define your business strategy and IT strategy as per the table below.

References

Erbschloe, M. (2003). Guide to Disaster Recovery. Thomson/Course Technology.

Swanson, M., Bowen, P., Phillips, A.W., Gallup, D., & Lynes, D. (2010). Contingency Planning Guide for Federal Information Systems. National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

Yannakogeorgos, A., & Lowther, A.D. (2013). Conflict and Cooperation in Cyberspace: The Challenge to National Security. CRC Press.

West Coast University


  1. Introduction

West Coast University (or the Institution or the University) is an institution of higher learning offering undergraduate and graduate degree programmes in “nursing and other in-demand healthcare” disciplines. The Institution uses a collection of technologically advanced tools to help students gain the “knowledge, experience, and confidence” they need to execute critical responsibilities in today’s healthcare environment (West Coast University, 2016). The Institution has decided to bolster the security of its information assets to prevent and mitigate security risks in the current era of growing security threats. Therefore, the Institution needs to implement an information security policy. According to Whitman and Mattord (2011), such a policy forms the foundation for a concrete information security program that reflects an organisation’s security goals and objectives along with an agreed management strategy to secure information assets. An information security policy is a collection of management directives and requirements regarding information security to provide guidelines for security personnel (National Institute of Standards and Technology, 2009; Wood & Lineman, 2009).

  2. Information security policy

2.1 Purpose

Fundamentally, information systems are critical to effective and efficient administrative, teaching, and research functions (Wood & Lineman, 2009). The purpose of this information security policy is to provide a framework and associated guidelines for information security management in the Institution to protect the following three major information constraints:

  • Confidentiality: information is accessed by authorized persons only.
  • Integrity: information is accurate, up-to-date, and reliable.
  • Availability: information is always available to authorized users.
  • University reputation.
  • External compliance issues, including the Western Australian State legislation, Federal legislation, and telecommunications legislation, to eliminate financial loss and unwanted legal liabilities.

2.2 Scope and applicability

This information security policy addresses all technological facilities, systems, programs, networks, information and data processed by the Institution, internal and external communications, and all technology users in the Institution, without exception. The policy applies to all IT users (employees, students, contractors and visitors) with access to the Institution’s IT systems.

2.3 Roles and responsibilities

2.3.1 University Council

  • Oversee information security management to ensure that the Institution complies with all internal and external requirements.
  • Provide required resources.

2.3.2 ICT sub-committee on information security policy

  • Promote awareness regarding this policy.
  • Seek sufficient implementation and maintenance resources (personnel, technologies and processes).
  • Monitor continuous compliance.
  • Schedule reviews to incorporate relevant changes – legislative, contractual and organizational.
  • Solicit continuous top management support and commitment.

2.3.3 Departmental heads

  • Oversee information security in their functional units in line with this overall information security policy.
  • Validate relevance of different elements of this policy in relation to specific departmental needs.

2.3.4 Other IT Users

  • Responsibly use information assets while complying with this policy.
  • Observe contractual agreements in the course of handling the Institution’s information assets.

2.4 Policies

2.4.1 Risk assessment

  • Identify information assets, define their ownership, and quantify their criticality and/or sensitivity.
  • Security controls should be applied based on the criticality and/or sensitivity of information.
  • Information security assessments should be performed periodically.

2.4.2 Confidential and personal data

  • Should be handled according to existing legal provisions (e.g. the Western Australian State legislation, Federal legislation, and telecommunications legislation) and the Institution’s personal data policy.
  • Relevant organizational, procedural and technical measures should be taken to prevent unauthorized and/or illegal access to or processing of, or destruction or loss of personal data.
  • Sensitive personal data (e.g. religion, health and ethnic origin) should be properly encrypted.
  • Confidential data, which may lead to financial loss, damage to reputation, or adverse impact on public safety should be:
    • Accessed, used and modified by adequately authenticated and authorized persons only.
    • Stored in dedicated and secure storage locations such as file servers as opposed to local or external hard drives.
    • Kept for about 6 months to support investigations.
    • Stored with proper file and disk encryption to implement an additional “layer of defence”.
    • Distributed only on a limited and necessary number of portable media and hard copies.
    • Locked in safe cabinets and locked rooms.
    • Always kept within the University.
    • Disposed of in a proper manner that protects confidentiality.

2.4.3 Remote access

  • Remote access should be conducted within proper levels of authentication and encryption.
  • Remote access should be restricted to minimal access.

2.4.4 Strong password policy

Criminals can get your passwords and get into personal accounts, leading to identity and data breaches. Criminals can even go ahead to blackmail compromised account holders (Wood & Lineman, 2009). This policy seeks to help IT users uphold strong password practices. Applicable policies include:

  • Create strong passwords (made up of at least 8 characters, a mixture of alphanumeric characters and symbols as well as upper case and lower case characters, and no dictionary words) for online, PC, and software system accounts to make them reasonably impossible to guess or crack.
  • Never share your account passwords with anyone.
  • Use different passwords for each account, and regularly change them.
  • Passwords suspected of being breached (accessed or stolen) should be changed and reported immediately.
  • Use memorable, but adequately strong passwords to ensure that you do not have to write them down to remember them.
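The composition rule in the first bullet can be enforced at account creation. The following is an added example, not part of the policy itself: the length and character-class requirements come from section 2.4.4, while the function name, the small word list and the character-substitution table are assumptions made for the demonstration.

```python
import re

MIN_LENGTH = 8  # "at least 8 characters" (section 2.4.4)

# Constructed mini word list for the demonstration. A real deployment would
# load a full dictionary plus a list of known-breached passwords (assumption).
DEMO_WORDS = {"password", "welcome", "nursing", "university", "summer", "dragon"}

# Common look-alike substitutions that are undone before the dictionary check,
# so that "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def policy_violations(password, words=DEMO_WORDS):
    """Return the list of policy rules the password breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    # Dictionary check: compare the letters of the password, both as typed
    # and with substitutions undone, against the word list.
    lowered = password.lower()
    candidates = {
        re.sub(r"[^a-z]", "", lowered),
        re.sub(r"[^a-z]", "", lowered.translate(LEET)),
    }
    for word in sorted(words):
        # Words shorter than 4 letters are skipped to limit false positives.
        if len(word) >= 4 and any(word in c for c in candidates):
            problems.append("contains dictionary word: " + word)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("Tq7#vLm2^xRb", "P@ssw0rd!", "short1!", "Nurs1ng2024"):
        print(sample, "->", policy_violations(sample) or "meets the policy")
```

A password such as `P@ssw0rd!` satisfies every character-class requirement and is still rejected, which is why the dictionary rule needs its own check.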

2.4.5 Acceptable internet use policy

Today, criminals are increasingly using email scams (spear phishing) to compromise millions of users’ critical information such as passwords and credit/debit card details. These emails are usually crafted in a way that makes them considerably difficult to differentiate from legitimate ones, thus it constitutes an easy approach to execution of fraudulent activities (Whitman & Mattord, 2011). Applicable policies include:

  • Emails asking for confidential and sensitive information such as passwords and PINs should be immediately reported to the IT department – these are suspicious emails. Moreover, these emails have warning statements such as “Your account will be de-activated after 48 hours”, technical jargon, unknown senders, news about well-known upcoming events, grammatical errors, and generic greetings.
  • Never click on links embedded in suspicious emails.
  • Never open or download attachments that come with suspicious emails.
  • Never use emails bearing the Institution’s domain for personal communications.
  • Verify that the URLs of embedded links and website addresses have the right domain name and top-level domain to ensure that they are legitimate.
  • Contact service providers such as banks in case of request for personal information via email or phone.
  • Keep internet usage at minimum.
  • Uphold the legal rights to licensed, patented and copyrighted works such as software and computer games.
  • Never access or download pornographic, ethnic, sexist, extreme political and similar materials which may lead to unwanted legal liability.
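The instruction to verify that a link has the right domain name and top-level domain can be automated in a mail gateway or a reporting tool. The following is an added example, not part of the policy: the domain `westcoastuniversity.edu` is taken from the reference list, while the allow-list, the function name and the sample URLs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Assumption: the Institution trusts only its own registered domain.
TRUSTED_DOMAINS = {"westcoastuniversity.edu"}


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return (is_trusted, reason) for a link found in an email."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return (False, "unparseable URL")

    if parts.scheme not in ("http", "https"):
        return (False, "unexpected scheme")

    # "https://trusted.edu@other.example/" really points at other.example:
    # everything before "@" is user information, not the host.
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo before host")

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return (False, "no host")

    # Internationalised names can imitate a trusted name with look-alike
    # characters, so they are never matched against the allow-list.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return (False, "punycode or non-ASCII host")

    # The host must equal a trusted domain or end with "." + that domain.
    # A plain substring or prefix test would accept look-alike hosts.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return (True, "host is on the allow-list")

    for domain in trusted:
        if domain in host:
            return (False, "trusted name embedded in another domain")
    return (False, "host is not on the allow-list")


if __name__ == "__main__":
    # Constructed sample links.
    samples = [
        "https://portal.westcoastuniversity.edu/reset",
        "https://westcoastuniversity.edu.example/reset",
        "https://westcoastuniversity.edu@login.example/",
        "https://westcoastuniversity.example/",
    ]
    for link in samples:
        print(link, "->", check_link(link))
```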

2.4.6 PCs and personal devices policy

The Web poses real threats to information held in desktop PCs, laptops, tablets and smart phones (National Institute of Standards and Technology, 2009). The threats range from malware propagation to data theft. Applicable policies include:

  • Use legitimate operating systems and application software such as web browsers to ensure you benefit from regularly released security updates and patches.
  • Install and regularly patch or update anti-virus software, and perform regular whole-device malware scans.
  • Never install software systems from unknown or untrustworthy sources.
  • Schedule periodic file backups to avoid complete data loss.
  • Scan removable devices (e.g. USB sticks and hard drives) to detect and remove malware.
  • Use secure and legitimate online cloud storage, for example, Google Drive and Dropbox.
  • Encrypt your backups and PCs, and test them regularly.
  • Disconnect malware-infected devices from the enterprise network.
  • Use strong passwords for PCs and other personal devices.
  • Only registered mobile devices should be used to connect to the Institution’s network and the internet.

2.4.7 Physical and network security policy

  • Protect IT infrastructure from physical (vandalism and theft) and environmental damage or interference.
  • Protect and manage network equipment, software and information.
  • All information assets should be properly managed.
  • Have SLAs in place to guarantee third-party support in case of a security disaster.

2.4.8 Incident-response policy 

  • There should be a multi-disciplinary incident-response team – senior IT management, legal, PR, business management, and vendor representatives.
  • Prevent potential unauthorized access and/or loss of confidential information.
  • Prevent potential propagation of an information security breach.
  • Restore and test functionality to affected network elements.
  • Perform business continuity planning.

2.5 Enforcement and compliance

  • All IT users should be aware of their roles and responsibilities regarding information security.
  • Any unauthorized disclosure or loss of confidential and personal information should be reported to the IT department and owners of information.
  • Major relevant legislation includes: the Western Australian State legislation, Federal legislation, and telecommunications legislation.
  • Any information security breach is treated with the seriousness it deserves, including disciplinary action. 
  • Failure to comply with this policy will result in disciplinary action.
  3. References

National Institute of Standards and Technology. (2009). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.

West Coast University. (2016). A Simple Philosophy of Staying Ahead of the Curve. Retrieved from http://westcoastuniversity.edu

Wood, C. C., & Lineman, D. (2009). Information Security Policies Made Easy Version 11. Information Shield, Inc.

Information assurance


Introduction

Information assurance can be defined as the hardware, software, policies, procedures, standards, and personnel that are used to secure data residing in information systems. Information assurance has disparate definitions, but the term has evolved over time to imply information security and beyond. It seeks to ensure that information is sufficiently available on demand, that information integrity is sound, that authenticity is verifiable, that information privacy and confidentiality are upheld, and that the origin of data and proof of data integrity are provided. Information assurance is a rapidly growing field in computer technology (Bishop, 2003).

Nearly all aspects of today’s society rely on computer systems – hardware and software. The world has seen greater usage of computing devices and systems than ever before. The proliferation of mobile and handheld devices, some having computing capabilities exceeding that of most PCs, has led to an increase in data creation and circulation across individuals and organizations over the world (Birchall, Ezingeard, McFadzean, Howlin & Yoxall, 2004). Today, computer systems are in wide use in all industries: transportation, mining, banking, manufacturing, agriculture, shipping, and communication, among others. However, computer systems infrastructure is increasingly faced with threats of attack from malware, spyware, adware, hacking, information theft, unauthorized access, denial of service, man-in-the-middle attacks, and other security breaches (Mowbray, 2013). Therefore, every organization wants an assurance that its information is secure from such threats.

Companies and state agencies need to effectively protect their computer systems. A malware attack can cause unwanted delays and costs, but attacks such as information theft or distributed denial of service can be extremely disastrous. Organizational information stolen from computing systems can be used for extortion, to reveal sensitive information related to intellectual property, to blackmail individuals and businesses, or to steal money from unsuspecting people. Information assurance with respect to computer systems has been practised for over 30 years, but improvements in computer technology and the ever-growing use of computers for capturing, storage, and transfer of information have significantly changed the field, increasing the need to improve the security of private and sensitive information.

This paper seeks to discuss the importance of information assurance in businesses. In addition, it explores aspects of building secure and trusted systems, security policies and security/system testing.

Information assurance

Blyth & Kovacich (2006) define information assurance as the approach to assuring information and managing risk with respect to access, use, processing, transmission, and storage of data and information and the information systems, processes and procedures used for such purposes. Information misuse may arise from corporate spies, hackers, disgruntled staff, or former employees who may want to damage or sabotage business operations. It is the work of an information assurance specialist to create robust systems that can effectively and efficiently prevent computer systems security breaches or recover quickly in case of an attack. Information security is the umbrella domain with many components, of which information assurance is one (Birchall et al., 2004). Therefore, it is difficult to separate the two, and information assurance specialists work closely with security professionals. Failure to build strong working relationships implies that information security and assurance leave potential points of vulnerability. When the entire set of information security elements is functional and roles among responsible personnel are understood, the risk to organizational information is greatly reduced. Information assurance specialists work within the confines of information security to ensure information conformance with complete mitigation of security risks.

The information assurance team also helps remedy security weaknesses in systems by creating a checklist framework to allow an organization to trace security transgressors. Computer technology is a constantly changing area, and with continued usage of computer systems in day-to-day business transactions, there are potential risks of security breaches. Therefore, the work of an information assurance specialist is never ending. The specialist is involved in all arrangements and implementations targeted at protecting information’s confidentiality, integrity, availability, privacy, and accountability. The information assurance team is tasked with protecting, monitoring, analyzing, detecting, and responding to any form of unauthorized activity in computer networks and organizational information systems. Information assurance specialists employ principles related to action plans associated with information threats. The specialists’ mission is geared towards detecting, reporting, and responding to all kinds of cyber threats and attacks, while allowing for concrete encryption to enable secure information sharing between individuals and computer systems. Therefore, information assurance professionals seek to provide solutions that can effectively and efficiently keep organizational systems and information safe (Mowbray, 2013).

The Importance of Information Assurance in Business

Although information assurance does not mean information security, Bishop (2003) recognizes the crucial role played by information assurance in systems security by protecting an organization’s key computer systems and information assets as well as other critical computing infrastructures. First, information systems are truly unhelpful without correct and verifiable data, because compromised data residing in these systems would be detrimental: no worthwhile decisions can be drawn from such data. In the corporate world, organizations continue to increase their reliance on computer technology, and potential threats targeted at organizations’ IT infrastructure increase, thus calling for optimal information assurance to counter the wide array of potential threats. The consumer community is likely to feel comfortable when transacting with businesses that have a better information assurance infrastructure in place.

Generally, information assurance enables risk management with regard to the capture, processing, storage, access, and transfer of information. It bolsters devices and systems capability to uphold privacy, confidentiality, governance, disaster recovery, regulatory compliance, business continuity, integrity, and other aspects of information and data quality. According to Blyth & Kovacich (2006), information assurance offers a concrete risk management platform that effectively and efficiently defines how security threats and risks should be mitigated, accepted, or transferred.

Information assurance also plays a role in the analysis, control, and management of all systems that run on computer networks within an organization. Information assurance provides the required risk assessment of a specific piece of software, and depending on the actual or perceived degree of need and benefit that it provides, responsible personnel will approve or reject the software for use. By assessing all systems before they are installed or hosted on an enterprise host or network, information assurance personnel have a better knowledge base and understanding of risks when faced with potential threats, for example, a new malware affecting a specific browser version (Blyth & Kovacich, 2006).

IT applications and data have been faced with a wide range of security threats from human errors, environmental disruptions, intentional attacks, and hardware and software failures. In addition, there is a growing trend in the complexity and frequency of cyber attacks; therefore, organizations’ commitment to information assurance plays a critical role in providing sufficient information security. Additionally, information assurance ensures that security risks associated with computer systems are adequately managed to guarantee a smooth operational environment. For example, when alerts are displayed, indicating unapproved or unpatched software running on the network, the information assurance team follows the established plan to handle that incident (Birchall et al., 2004). Therefore, threats and risks are accurately and sufficiently assessed and mitigated.

Information assurance ensures that a business is continually transforming towards a platform that can always withstand the ever-changing operating environment. Information assurance guarantees adaptability by ensuring that business operations and customer experience are supported optimally at all times. Blyth & Kovacich (2006) argue that information assurance builds and maintains the much needed consumer trust and confidence in a particular business, since customers undertaking their day-to-day shopping activities are assured of information security and privacy.

According to Schou & Shoemaker (2006), information assurance seeks to resolve issues related to protection of the integrity, availability, and confidentiality of an organization’s computer systems, databases, documents, records, and reports. However, only authorized users should be allowed to access, modify or save information into organizational data repository. Thus, information assurance is unsurprisingly an integral part of almost all disciplines in an organization. Areas of accounting, auditing, business analysis, and reporting can only be successful with a robust information assurance framework in place. Otherwise, important facets of data such as correctness and confidentiality may be lost leading to flawed decision-making (Blyth & Kovacich, 2006). For example, the integrity and accuracy of information is important in achieving reliable financial analysis and reporting and creation of relevant and timely accounting results for purposes of decision-making.

Information assurance plays a critical role in implementing crucial functionalities in information systems and data. It demands a number of requirements that are of great importance to an organization. According to Blyth & Kovacich (2006), the key requirements include:

  • Automation: Businesses can easily implement certification and accreditation suites for management of information systems. This way, staff are relieved of manual monitoring of systems, since certified and accredited software embodies industry best practices and standards with respect to information security. These systems carry out normal workflow operations while notifying users of the current security status, with the information assurance and security team receiving alerts in real time. Consequently, corrective measures are applied in a timely manner.
  • Accountability: Data running in approved business systems is tracked for access and modification through audit trails, thus the business can track each transaction. This is implemented through role-based access control systems that enhance information security.
  • Extensibility: Well-managed and secured information systems across an organization provide a better framework for scaling and integration. Data and information resources can be shared across an organization’s environment without risks of unauthorized exposure regardless of their complexity or size.
  • Flexibility: Multiple information assurance requirements, such as integrity, confidentiality, availability and others are supported in all organization’s information systems.

Information assurance offers the much-needed end-to-end visibility into information creation, processing, sharing, and storage. Information residing in an organization’s enterprise network can be easily monitored for suspected malicious activity. Through robust information assurance mechanisms, this end-to-end visibility is gained regardless of the computing devices used, including handhelds, laptops, PDAs, PCs and other computer technologies. It also ensures that systems have proper data management, sharing and control policies based on laws and regulations. Appropriate access plans and procedures are created for all pieces of information produced by approved computer systems, and the established privileges and roles are consistent across the business (Birchall et al., 2004).

Bishop (2003) argues that information assurance adds business benefits through use of information and data risk management, which enhances the value of information and data to authorized users. On the other hand, unauthorized users are denied the opportunity to access or use the utility contained in those data and information. This increases the perceived value of information to end users. Schou & Shoemaker (2006) claim that information assurance is inclined towards business-level risk management strategies in systems and information security, as opposed to creation and implementation of IT security controls. As a result, information assurance defends against hackers and malware in addition to addressing corporate governance aspects regarding compliance with regulations and standards.

Building secure and trusted systems

Security in all facets of computer technology has been a hot topic ever since the introduction of computer systems in businesses. Computer network design is one of the major areas that form the security foundation for a business. A secure network perimeter is a big step towards protecting business resources, including hardware, applications and data, because cybercriminals typically exploit a network node before launching the attack on the wider business infrastructure. A solid network perimeter meeting all business needs and objectives with respect to computer systems security can play a big role in safeguarding information (Blyth & Kovacich, 2006). This way, the network infrastructure is designed in a manner that meets all the organization’s operational goals while safeguarding the core business information.

As part of security design, cryptography is also a key security element. Cryptographic mechanisms may be used for controlling access to information and shared drives, and for ensuring that communication and file sharing are secure. Issues such as sniffing and subsequent exposure of sensitive data are resolved by cryptography. Business databases may also be encrypted to ensure all information is free from unwanted exposure (Suhasini, Marc, Hickey & McBride, 2012). Intrusion detection, control, and prevention systems help businesses discover inappropriate activities that may be targeted at the computer network and systems. Intrusion detection systems inspect all incoming and outgoing network traffic and activity in order to identify suspicious trends that may imply attempts to compromise or break into a network or computer system (Blyth & Kovacich, 2006; Mowbray, 2013).

User authentication and authorization is another aspect of building secure and trusted systems. With a solid authentication and authorization framework, computer systems are able to effectively grant or deny access to a computing resource in addition to specifying user access levels to different resources depending on the identity of the user. If the authentication and authorization system is compromised, the victim’s data may be significantly compromised, resulting in damage to data integrity (Mowbray, 2013). In extreme cases, massive data breaches may be caused, making recovery difficult or almost impossible. Concrete authentication and authorization schemes enable businesses to control access to sensitive and private information to ensure that only legitimate individuals and applications are granted the opportunity to enjoy such privileges.

A disaster recovery plan is a key element in upholding business continuity. Business continuity is the major mission in most of the world’s corporate strategies, especially in matters related to information security. This can be attributed to the wide usage of computer technology in bolstering business operations and employee productivity. The business world can never function optimally without application of computer systems. Schou & Shoemaker (2006) argue that organizations must ensure that their customers feel comfortable when sharing any piece of information with them. Disaster recovery is a key enabler of consumer confidence; thus, businesses must understand the importance of upholding information security to bolster business continuity. Organizational data may be compromised through system crashes, human error, software bugs, denial of service, malware attack, or natural disasters. However, despite continued business operations, it is worth treating organizational data as the most valuable element of customer satisfaction. Information must be recoverable whenever possible to ensure that customers enjoy normal business operations at all times, and a disaster recovery plan plays a big role in ensuring that excessive downtime is not experienced. Backup systems and specialized software suites designed to withstand failures can secure valuable information. Suhasini et al. (2012) argue that backup systems can handle unforeseen incidents by providing a recovery or restore point in case of a security attack. Specialized failure-resistant software may help recover data and damaged drives and tapes, thus facilitating business continuity.

Securing critical computer systems and data requires a comprehensive effort towards building an environment that implements information assurance through enhanced computer systems security. According to Suhasini et al. (2012), robust computer systems security is achieved through a solid IT security infrastructure, implementing a security plan and policy scheme, assessing systems’ threats and vulnerabilities, evaluating existing security architecture to identify weaknesses, bolstering personnel security, provision of security training and awareness, implementing disaster recovery plans and procedures, and promoting physical data center security.

How can organizations ensure their all-important IT infrastructure is behaving in the right manner? How can IT personnel determine whether specific computer systems and mobile devices are trusted hosts on their enterprise networks? How can devices attempting to remotely access information be authenticated? This is the general dilemma experienced by IT administrators in a typical organizational setting. Secure and trusted systems attempt to resolve these challenges. These systems ensure that the systems running on networks are exclusively the legitimate ones, are up to date, and exchange strictly authorized information (Suhasini et al., 2012). This way, networks are free from unwanted traffic and activity, while damage from malware and other internal and external threats is minimized.

Secure and trusted infrastructures are made of platforms, services, and networks with built-in security mechanisms and capabilities that provide administrators and end users with assurances that they can be relied upon to support operations. Next-generation high-tech data centers are expected to have built-in capability to support confidentiality, integrity, auditing, non-repudiation, and availability in a manner that is trustworthy and reliable for the parties involved in a shared infrastructure (Suhasini et al., 2012). Rather than trying to close all potential security loopholes, organizations should focus on creating technically sound mechanisms to provide acceptable assurance that IT infrastructures are secure and trustworthy. Trusted systems behave in the way IT personnel expect and offer verifiable and accurate information about their state. This kind of acceptable assurance is important in helping IT teams retain maximum control over IT resources and instil a sense of confidence in them. The underlying objective of building secure and trusted systems is to provide an IT infrastructure that is simpler and safer to use (Proctor, 2009).

In the domain of secure and trusted computing, organizations are exploring ways through which hardware and software systems can be made to allow end users to validate the underlying integrity. More precisely, secure and trusted systems are all about developing standards and mechanisms for hardware- and software-enabled security implementation and trusted computing. Various aspects including virus-safe computing and secure code development initiatives are being employed by organizations to create trusted systems. For example, virus-safe computing may be used to eliminate or limit virus damage, while some other kinds of security breaches such as online fraud may be made more difficult (HP, 2009).

The following components may be used as the strategy to incorporate security and trust in systems as described by Proctor (2009):

  • Trusted processes to help mitigate against risks by strengthening security in communication networks.
  • Trusted systems including storage, computing, and networking platforms using security mechanisms such as cryptography.
  • Trusted services including end user services running in networks, cloud or on discrete devices.

Security policies

Security policies are aimed at providing guidance to organizations’ management, system users, personnel involved in security implementation, and third-party service providers. Security policies are geared towards offering best practices and standards for safe usage of organizational IT resources in collection, processing, sharing, storage, data management, and communication. Additionally, a security policy defines appropriate standards for providing secure remote communications and support for cloud and tele-workers. Areas covered by security policies include the web, files, documents, storage, email, remote access, databases, PCs, and communication devices (Peltier, 2004).

Governments, directorates, and organizations involved in developing global industry standards have recognized the importance of information protection in safeguarding business and national security. Security policies coupled with associated IT security plans form the foundation of a business’s security program. Security policies are developed in accordance with government or industry directives, for example, NIST Special Publication 800-53. Agency-level instructions may also be followed to ensure that organizations conform to security best practices and standards. Access to sensitive and private business data can create great security and privacy concerns (Peltier, 2004). Organizations across the world have implemented security policies to safeguard organizational network resources by guiding internal and external stakeholders in practising solid security measures to protect computer systems and information.

However, for security policies to be effective, businesses must ensure that everyone using computer systems adheres to all elements embodied in those policies. Businesses use security policies in maintaining systems and data confidentiality, integrity, availability and accountability. Obtaining personnel trustworthiness in operating and maintaining critical computer systems is a big step towards strengthening the security capability of a business. Therefore, organizations should develop security policies that address security-based screening procedures, personnel identification, industrial systems security programs, and, more importantly, security awareness and training programs. Organizations wishing to derive the best from security policies must develop solid security awareness and training courses, covering general awareness and training, system-specific training, best course-of-action procedures to counter security incidents, and core technical training for systems developers and technicians (Peltier, 2001).

Physical security of computer systems should also be implemented to protect hardware devices such as PCs, servers, and networking and communication devices (routers, switches, APs, and others). Physical security tools and techniques may include manual and automated entry control equipment, premise monitoring systems, intrusion detection systems, access control systems and procedures, strong doors, and CCTVs. Other components may include smoke detectors, fire suppressors, and elevated floors, especially for the data center to avoid flooding, proper cable management to separate data and electric power cables, and other tools and strategies that can protect an organization’s physical infrastructure (Blyth & Kovacich, 2006). The data center and network operation center are two key areas that require a robust physical security policy because they host the most critical business computer systems, including servers, core switches and routers, databases, and core communication systems. Bishop (2003) claims that the data center should be protected with the latest security systems and be under 24/7 monitoring to eliminate the possibility of an attack because it is the pillar of any organization.

A disaster recovery plan is a key element of security policy. It implements business continuity by ensuring that the enterprise’s critical systems, functions, applications, and data are always available (Peltier, 2001). Therefore, organizations should prepare contingency strategies and procedures, disaster recovery plans, incident response procedures, a Business Impact Assessment (BIA) for key computer systems, telecommunication networks and data centers, and personnel awareness and training programs. These strategies and procedures are focused on ensuring business continuity, in terms of uninterrupted operations or, at minimum, acceptable operations, and secure systems and data backup and recovery. Disaster recovery plans should go beyond continuity of business operations after a breach to cover issues related to applications and data recovery. Schou & Shoemaker (2006) argue that restoring operations back to normal after a disaster has hit a business does not imply that some aspects of applications and data integrity, privacy, or confidentiality have not been affected. Therefore, disaster recovery plans must ensure that both business continuity and elements of systems and data integrity, privacy or confidentiality are upheld.

Security/System testing

There are a number of security vulnerabilities in almost all computer systems in use today. With this in mind, it is better if personnel tasked with implementing and maintaining security discover a weakness rather than a disgruntled present or past employee or a hacker (Suhasini et al., 2012). Security personnel would devise measures to remedy an identified vulnerability, but a criminal would exploit the vulnerability to launch an attack. Security or system testing is important to identify and eliminate existing and potential security weaknesses. It helps a business devise defence mechanisms against potential weaknesses to prevent incidents of security breaches. Security weaknesses may arise from factors such as human errors, potential system crashes, programming bugs or malware. An effective security assessment plays a key role in identification and remediation of threats to computer systems in addition to vulnerabilities of those systems to such threats. Peltier (2001) argues that systems testing can be used to detect mitigation procedures, plans, and policies, including required systems modification to eliminate known weaknesses. Consequently, businesses run information systems at acceptable levels of risk.

To determine the strength of an organization’s computer systems and data, it is important to perform security testing in accordance with globally recognized guidelines and procedures such as those of the National Security Agency (NSA) and NIST SP 800-53 (Peltier, 2001). Personnel involved in systems testing typically specify areas that require emphasis, which include router security, firewall security, cyber security, protocol implementations, open ports, authentication and authorization techniques, network intrusion, software bugs, and security patching history (for all antivirus software, operating systems and third-party systems) and capability. Security testing may involve determination of the number of devices compromised over a specific time, and identifying potential targets and critical computer systems exposed to risk. According to Bishop (2003), such behind-the-scenes work is vital for keeping enterprise networks, hosts, applications, and data adequately secure.

Most importantly, security testing is used to determine whether all aspects of IT are running reliably and correctly. Then, it is easier to identify the kind of enforceable and effective policies that can be used to detect, prevent, and sufficiently address problems.

Conclusion

It is evident that the growing introduction and usage of more and more handheld devices with computational capabilities similar to normal PCs, together with increasingly powerful cybercriminal tools and techniques, have placed business information at high risk of security breaches. Therefore, it is important to protect business data from exposure to unauthorized internal and external people. Information assurance is a component of information security and the components must work together to derive the desired benefits to a business. Information assurance entails protection of the authenticity, integrity, availability, non-repudiation, and confidentiality of business data and information using physical, administrative, and technical controls. This protection applies to both hardcopy and electronic data in storage or in transit. It is worth noting that information assurance is a field that has grown from information security practices.

The importance of IT security has dramatically increased over the past few years. Organizations are increasingly focusing on developing secured systems to boost trustworthiness and ease of management. In today’s technology world, virus protection and patching are not sufficient measures to provide desirable levels of security, hence the need to incorporate trust, visibility, and resiliency. Security policies have been in wide usage across the corporate world to provide guidelines for the secure application of IT resources in day-to-day business operations. Security or system testing is also a powerful tool for identifying existing and potential security weaknesses in systems in order to devise remediation strategies.

References

Birchall, D., Ezingeard, N., McFadzean, E., Howlin, N., & Yoxall, D. (2004). Information assurance: Strategic alignment and competitive advantage. Grist Ltd.

Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley Professional.

Blyth, A., & Kovacich, G.L. (2006). Information Assurance: Security in the Information Environment. Springer Science & Business Media.

HP. (2009). Platform & infrastructure security. HP. Retrieved from http://www.hpl.hp.com/research/about/trusted_platforms.html

Mowbray, T.J. (2013). Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions. John Wiley & Sons.

Peltier, T.R. (2001). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.

Peltier, T.R. (2004). Information Security Policies and Procedures: A Practitioner’s Reference. CRC Press.

Proctor, D. (2009, November 29). How to build trust into your network. FCW. Retrieved from http://fcw.com/articles/2012/11/29/build-trusted-networks.aspx

Schou, C., & Shoemaker, D. (2006). Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education.

Suhasini, S., Marc, V., Hickey, J., & McBride, A.J. (2012). Intrinsically Secure Next-Generation Networks. Bell Labs Technical Journal. 17(3): 17-34.

Kuwait

1.0  INTRODUCTION

Kuwait is one of the world’s largest producers of petroleum and related liquids, taking up position ten among the Organization of the Petroleum Exporting Countries (OPEC) members in 2015. In the same year, the country was the 5th largest crude oil producer among OPEC members. Kuwait only trails Iran, Iraq, UAE, and the Kingdom of Saudi Arabia in petroleum production despite its smaller geographical size compared to other OPEC members. Petroleum exports account for approximately 70% of Kuwait’s total revenues, thus playing an integral role in the nation’s economy. Therefore, as a member of OPEC, Kuwait faces a considerable decline in its export revenues due to falling global prices of crude oil. For example, the value of the country’s exports declined by almost 50% between 2014 and 2015. Kuwait is working towards remaining one of the major oil producers globally, targeting production of crude oil as well as condensates in excess of 4 million b/d by 2020. Nevertheless, the country has struggled for close to a decade in its efforts to improve production of oil and natural gas due to delayed upstream projects and lack of adequate foreign investment in the industry.

Founded in 1934, the Kuwait Oil Company (KOC) is a public company that operates in Kuwait’s oil and gas industry. The Kuwait Petroleum Corporation (KPC), a state-owned holding company, is KOC’s parent company. Its headquarters are located in Ahmadi, Kuwait. KOC acts as KPC’s upstream subsidiary. It was not until 1936 that the company initiated drilling operations. The company’s products range from petroleum to crude oil, natural gas, and other hydrocarbons. KOC undertakes a number of operations in Kuwait, including oil and gas exploration, onshore and offshore surveys, development of production fields, drilling, and production. In addition, the company undertakes crude oil exploration, production, storage, and distribution to tankers for exportation. A series of oil discoveries were made in Kuwait at different times – Burgan (1938), Maqwa (1951), Ahmadi (1952), Raudhatain (1955), Sabriya (1957), and Minagish (1959). Burgan remains the largest oil reservoir in Kuwait and it is recognized as the second largest reserve and production field globally. For example, in 2010, the field contributed close to 50% of the country’s oil production. KOC is working on boosting the capacity of Burgan through implementation of enhanced oil recovery techniques such as seawater and carbon dioxide (CO2) injection. Amidst efforts to boost Kuwait’s production of oil and natural gas, KOC projects are expected to support most of the production capacity increments.

In the late 1950s, KOC was able to increase its production capacity, necessitating construction of projects such as export terminals to support more tankers in addition to crude oil gathering and distribution control and monitoring systems. This period marked a noteworthy defining moment in the country’s history of oil production and exportation operations mainly undertaken by KOC. The Kuwaiti topography gives KOC an edge with respect to the ease of distributing crude oil from wells to target stations thanks to gravitational pull, which eliminates the need for highly specialized pumps. At the same time, KOC has been able to increase its production capacity towards increased oil and natural gas export revenues. In addition, the company employs more than 10,000 persons to fill various positions. Moreover, KOC supports young engineers and technicians in their quest for technical and leadership competencies in the oil and gas industry. Therefore, KOC continues to play an integral role in Kuwait’s social and economic development and growth.

I successfully underwent a 12-week industrial working program at KOC where I had the opportunity of gaining valuable skills, knowledge, and experiences. During the program, I worked in a number of host institution divisions, including oil and gas field development, exploration, export and marine operations, project management (PM), technical support and maintenance, Health, Safety, Security, and Environment (HSSE) protection, and the central workshop.

2.0  PROGRAM ACTIVITIES

2.1 Orientation

I started the industrial working/training program with immense enthusiasm owing to my passion for learning new skills and knowledge as part of my long-term goal of becoming a distinguished engineer. My first day at KOC started with a health and safety orientation – a presentation that covered occupational risks and potential protection and prevention measures. This orientation was crucial to ensuring that my health and safety as well as that of other colleagues are guaranteed throughout my attachment with the institution. I was also provided with some personal protective equipment (PPE) aimed at protecting myself from potential infection or injury in case of a hazard. As part of PPE, I was given a helmet, safety shoes, and a uniform. Potential hazards in oil and gas operations may include exposure to excessive heat, particulate matter, or dust. In addition, there are risks related to working in confined spaces, handling hazardous chemicals, or coming into contact with open electrical cables (electrocution). I was also assigned a person to take me around the plants and equipment as well as areas useful to this industrial working program, in that the approach was consistent with knowledge transfer activities targeting a person of average technical capabilities – a student. More precisely, I was given the status of a student. I was also introduced to a number of people whom I would later come to work with. I also completed all the required forms and signed them, having read and understood the company’s rules and policies.

2.2 The field development

The first session was two weeks of work at the company’s field development unit. Under the leadership of a senior petroleum engineer, the unit dealt with assessment and development of oil wells. Generally, this unit was responsible for planning and executing the entire oil and gas field lifecycle process – from discovery, assessment, development, operations, and optimization to abandonment. I was exposed to a number of knowledge areas, including reserve estimation, recovery evaluation, oil/gas production scheduling, existing wells and their placement, production planning, well construction, and reservoir depletion among others. I had the opportunity of learning about the operations of one of the largest oil reservoirs globally (the Greater Burgan), including aspects of the flow from this reservoir to target wells and assessment of opportunities for oil discovery and production optimization.

I was privileged to assume a major role in the acquisition and interpretation of log data concerned with oil rigs. The experienced drillers helped me understand a handful of well log measurements captured at different depths that guide the process of identifying sub-surface formations for optimization purposes. I came to understand how the following measurements are logged in a real-world oil rig setting: porosity, permeability, water saturation, resonance, and resistivity. Of much importance are the skills I gained regarding open-hole (OH) logging (measurements carried out on an oil well prior to wellbore casing and cementing procedures but after drilling) and cased-hole (CH) logging (measurements retrieved through the casing/piping).  These are valuable techniques as they help drilling and operations personnel to provide critical insights specific to a well, for example, potential flow inhibitors and well formation. I also experienced wireline surveillance in practice, a technology crucial to drilling operations as it facilitated the process of lowering measurement equipment into wells to log and transmit real-time data for proactive decisions.

2.3 Exploration

Another area where I gained valuable skills is the exploration unit, over a two-week period. Here, I was able to achieve some understanding in relation to safe and cost-effective exploration of hydrocarbons as governed by the government of Kuwait to optimize oil and natural gas reserves. KOC places a lot of emphasis on hydrocarbon exploration through competent personnel and technological solutions for delivery of best-quality products. The company also recognizes quality and value maximization as key enablers of improved customer satisfaction. I worked together with teams drawn from different areas, including exploration operations, exploration studies, prospect evaluation, and discoveries promotion groups. I was exposed to strategies related to planning and executing geophysical tasks necessary for exploration of onshore and offshore hydrocarbons; assessment of potential oil and gas prospects; risk analysis and optimization of well locations; and production analysis and promotion of discoveries to personnel involved in field development for reduced exploration-to-production cycles. I was privileged to be involved in some documentation activity related to the above-mentioned gas and oil exploration activities, for example, geophysical assessment results.

2.4 Export and marine operations

I undertook a one-week assignment at the exportation and marine operations unit, where I gained first-hand experience in the fundamental crude oil receiving, mixing, storage, and exportation procedures in addition to marine operations. I was involved in activities related to distribution of crude oil from the production and control centre to exportation tankers. During this process, a number of key decisions usually have to be made by the division management. These include issues to do with availability of KOC fleet vessels, oil combating tools, navigational safety buoys; adherence to health, safety, and environmental sustainability rules and regulations across the work sites and beyond; and delivery of necessary training for personal development. While export operations were mainly focused on transportation of crude oil from the production facilities to the target domestic and international customers, marine operations performed tasks essential to shipping of crude oil exports from different Kuwait ports. Therefore, a considerable disruption of the export and marine operations may adversely impact KOC’s supply chains as it is an undeniable bottleneck.

I came to understand the process of receiving crude oil from KOC gathering centres (GCs) as scheduled to a centralized mixing manifold. Then, it is temporarily stored in KOC tank farms from where it is supplied to export ships through loading terminals, Kuwait National Petroleum Company (KNPC) refineries, and MEW power infrastructures. The following are other activities involved in the crude oil export operations: storage and gravity loading, export loading, metering, lab analysis, emergency response planning, facility (tanks, electrical installations, turbines, pipelines, fire fighting equipment and other items) maintenance and repair, and movement and documentation.  Documentation plays an important role in the effectiveness and efficiency of the export operations unit. I learnt that the crude oil exportation process has to be documented in order to gain a clear end-to-end visibility into the product (oil) movements, daily stock, sale lifecycle, off-take reports, cargo quantities, delivery duration, compliance with third-party inspections, and others for effective communication and decision-making purposes. At the same time, potential environmental impacts arising from activities such as emissions, land use, and waste disposal along with potential protection measures are identified and documented.

2.5 Project management (PM)

KOC undertakes small- to large-scale projects. While smaller projects may be handled by divisions where they fall under, larger ones (costing more than $50 million) are managed by a specialized group – Ahmadi Projects. In my industrial working program, I had a two-week assignment with Ahmadi Projects. Nevertheless, the complex and sensitive nature of such projects made it difficult for me to assume any practical roles and responsibilities. But, I grasped a number of basic skills through work-shadowing including aspects of planning in relation to time, budget, equipment, and workforce requirements; project control and monitoring; risk management; stakeholder involvement; and change management. Other than work-shadowing, I was able to win the attention of one project lead who emphasized the need for proper planning,  clear definition of project goals and scope, availability of skills and competencies, and efficient communications as key enablers of successful delivery of complex projects.

2.6 Technical support and maintenance

I had the privilege of working with the technical support and maintenance services team. Here, I appreciate the need for preventive maintenance services for KOC facilities and equipment to ensure the company’s everyday processes and operations are free from potential disruption arising from plant/equipment failure. KOC requires technical services undertaken by electrical, mechanical, and instrument engineers. I interacted with some of these engineers as they carried out their day-to-day technical plant and equipment maintenance and support to prevent potentially severe problems that may disrupt KOC business processes and operations. I learnt about the need for scheduled tank (for water and crude oils) cleaning and repair in addition to maintenance of pipelines, fire suppression equipment, water section equipment, rotating equipment, air conditioning and ventilation installations, metering tools, fire-outbreak and gas-leakage detection systems, and power turbines. These systems are crucial to improved and sustained operability and reliability of KOC projects. In addition, the team was involved in the process of identifying potential health and safety hazards along with creation of risk prevention measures.

I came to understand how engineers perform regular inspections of tanks, pipelines, and other critical equipment and installations to detect potential corrosion impacts. This activity plays an important role in upholding optimal asset or facility integrity. I came to recognize the fact that corrosion is one of the most severe challenges facing KOC and similar companies because they deal with large quantities of liquid and gaseous products. Therefore, the problem calls for huge prevention and corrective investments. In addition, the company has invested in regular corrosion education and awareness training to keep its engineers well-informed about the problem and potential remediation strategies. Corrosion inspection results help the technical support and maintenance personnel make timely and effective decisions in relation to continued use or replacement of an asset.

2.7 Health, Safety, Security, and Environment (HSSE) protection

KOC is committed to complying with health, safety, security, and environment rules and regulations. The Kuwait Environmental Protection Authority (KEPA) is the main HSSE regulatory agency and KOC strictly adheres to its provisions. As such, all its divisions carry out their processes and operations while at the same time applying and adhering to industry standards and best practices as well as corporate policy requirements. For example, the company complies with the ISO 14001:2004 Environmental Management System (EMS). The company commits itself to aggressive optimization and promotion of a product portfolio that guarantees sustained growth across its onshore and offshore oil and gas exploration and reservoir management operations. The HSSE personnel perform relevant audits, site visits, and emergency drills. KOC places HSSE signage across its office premises and work sites to keep its workforce, visitors, and the general public adequately informed about relevant health, safety, security, and environment practices. Other HSSE considerations are presented on the corporate website from where everyone can access them. While health, safety, and security considerations were aimed at protecting employees, contractors and sub-contractors, and the public against injury, infection, or fatality, environmental sustainability measures seek to ensure that the company respects the interests of the society at large.

As a trainee, I worked with the HSSE team and was tasked with the responsibility of communicating relevant information to staff, contractors, and sub-contractors. I ensured that every HSSE signage was legible and strategically located so that the target user groups are guaranteed of locating, reading, and understanding them. I was also involved in the regular HSSE site inspections during my time at the export and marine unit. These efforts were aimed at reducing the impacts of this unit’s operations and processes on the elements of HSSE in addition to the integrity of KOC assets. I participated in the process of developing an HSSE risk register that included aspects of enumerating potential risks along with their likelihood of occurrence, impact severity, and countermeasures. The company implements the HSSE strategies while simultaneously training its employees with optimal commitment. I had the opportunity of understanding a wide array of health, safety, security, and environment issues, including exposure to hazardous substances and air and noise pollution. Associated experiences helped me understand what the world expects from engineers in relation to ethical and environmental responsibilities.

2.8 Workshops

My two-week stay at the company’s central workshop exposed me to different technologies and techniques. The electrical and welding section is one of the workshops that I visited during my assignment at this unit. Health and safety considerations are especially important in the electrical workshop because of potential exposure to electrocution when working with high voltage power supplies.  The high health and safety risks involved in the electrical and welding workshop prohibited us from carrying out practical activities since they were a preserve of professional engineers and technicians. Nevertheless, I still managed to understand the technical issues regarding the workshop’s mechanical and electrical devices. Welding was an important element of the company’s operations because it could be used to fix broken piping infrastructure and other components.

There was a fitting workshop involved in the planning and integration of different systems critical to KOC operations. The director of this workshop made us (as a group of trainees) understand that the section is involved in the development and repair of devices used in the normal operations of the company. I had the opportunity of practicing with equipment marked as damaged as it would be impractical to experiment with systems in production. Nevertheless, I still managed to understand different elements and procedures employed in the fitting process, including tapping, piping, and documentation. Documentation forms a crucial element of fitting operations as it is the major point of reference from where future works borrow ideas and/or concepts necessary for maintenance and repair activities. Proper and sufficient documentation of fitting works also supports the company’s knowledge transfer mission in that newcomers can quickly adapt to the organization since they have the information they need at their disposal.

The valves section imparted me with skills and knowledge related to the management of piping installations. Engineers actively monitor and control how the fluids flow in the installations to eliminate potential problems. I witnessed engineers test the fluid pressures, rates of flow, and velocities among other metrics to optimize the overall performance.

In the final days, I also interacted with staff working at the mechanisms section because it was impractical to experiment with machines because the complexities involved were beyond my skills. In addition, there were obvious sensitivity issues in relation to potential impact to the company’s operations in the event the machines were tampered with. Nevertheless, this section proved to be very important for my engineering career because it involved activities such as product design, fabrication, assembly, and considerations for continued maintenance.

3.0 AN ASSESSMENT OF THE INDUSTRY WORKING EXPERIENCE

The twelve-week industrial working program at KOC was a true eye-opener and a major element of my engineering career. This can be attributed to the fact that the industrial experience exposed me to the real-world of engineering in the context of an oil and gas company. I had the opportunity to gain valuable hands-on and soft skills crucial to my short-term and long-term career goals. The following are some of the invaluable skills I gained from the program:

  • Reservoir assessment and development of oil wells;
  • OH and CH logging of an oil rig’s porosity, permeability, water saturation, resonance, and resistivity measurements;
  • Safe and cost-effective exploration of hydrocarbons; exploration-to-production cycle reduction strategies;
  • Crude oil receiving, mixing, storage, and exportation procedures and marine operations;
  • Documentation of oil and gas operations and processes;
  • Project management – planning, control and monitoring, risk management, and change management; corrosion inspection and countermeasures;
  • HSSE considerations; and
  • Electrical, welding, fitting, valves, and mechanisms workshops.

HSSE considerations (environmental sustainability issues) helped me appreciate what the world expects from me as an engineer in relation to ethical and environmental responsibilities. As a professional engineer, I learnt to never downplay the interests of the society. I learnt to always uphold integrity, honesty, and accountability in my engineering activities for the benefit of all stakeholders. I also improved my problem solving skills, teamwork, and communication, which are critical to a successful career.

4.0 CONCLUSION

It is evident that KOC provided a myriad of learning opportunities. Despite the fact that my activities at the company were limited due to the nature of complex systems and processes in the company’s production environment, I gained immense skills and knowledge that will be crucial to my engineering career. I gained skills in oil and gas field development, exploration, export and marine operations, project management, technical support and maintenance requirements, health, safety, security, and environment protection, and valves and fluid flow monitoring and control. I look forward to securing a job placement at KOC or a similar company with vast engineering implementations to further improve my hands-on skills towards my long-term goal of becoming a distinguished engineer.