Information Systems

Perfective Maintenance

Perfective maintenance involves changing an operational system to make it more efficient, reliable, or maintainable. Requests for corrective and adaptive maintenance normally come from users, while the IT department usually initiates perfective maintenance.

During system operation, changes in user activity or data patterns can cause a decline in efficiency, and perfective maintenance might be needed to restore performance. When users are concerned about performance, you should determine if a perfective maintenance project could improve response time and system efficiency.

Perfective maintenance also can improve system reliability. For example, input problems might cause a program to terminate abnormally. By modifying the data entry process, you can highlight errors and notify the users that they must enter proper data. When a system is easier to maintain, support is less costly and less risky. In many cases, you can simplify a complex program to improve maintainability.

In many organizations, perfective maintenance is not performed frequently enough. Companies with limited resources often consider new systems development, adaptive maintenance, and corrective maintenance more important than perfective maintenance. Managers and users constantly request new projects, so few resources are available for perfective maintenance work. As a practical matter, perfective maintenance can be performed as part of another project. For example, if a new function must be added to a program, you can include perfective maintenance in the adaptive maintenance project.

Perfective maintenance usually is cost effective during the middle of the system’s operational life. Early in systems operation, perfective maintenance usually is not needed. Later, perfective maintenance might be necessary, but have a high cost. Perfective maintenance is less important if the company plans to discontinue the system.

When performing perfective maintenance, analysts often use a technique called software reengineering. Software reengineering uses analytical techniques to identify potential quality and performance improvements in an information system. In that sense, software reengineering is similar to business process reengineering, which seeks to simplify operations, reduce costs, and improve quality — as you learned in Chapter 1.

Programs that need a large number of maintenance changes usually are good candidates for reengineering. The more a program changes, the more likely it is to become inefficient and difficult to maintain. Detailed records of maintenance work can identify systems with a history of frequent corrective, adaptive, or perfective maintenance.

FIGURE 12-8 Regardless of the type of system, high-quality maintenance must be performed by trained professionals.

DoD photo by Airman Charlie Whetstine, U.S. Navy

Preventive Maintenance

To avoid problems, preventive maintenance requires analysis of areas where trouble is likely to occur. Like perfective maintenance, the IT department normally initiates preventive maintenance. Preventive maintenance often results in increased user satisfaction, decreased downtime, and reduced TCO. Preventive maintenance competes for IT resources along with other projects, and sometimes does not receive the high priority that it deserves.

Regardless of the type of maintenance, computer systems must be supported by trained professionals, just as the aircraft shown in Figure 12-8 must be serviced by skilled technicians. In both cases, the quality of the maintenance will directly affect the organization’s success.


You are a systems analyst at Outback Outsourcing, a firm that handles payroll processing for many large companies. Outback Outsourcing uses a combination of payroll package programs and in-house developed software to deliver custom-made payroll solutions for its clients. Lately, users have flooded you with requests for more new features and Web-based capability to meet customer expectations. Your boss, the IT manager, comes to you with a question. She wants to know when to stop trying to enhance the old software and develop a totally new version better suited to the new marketplace. How would you answer her?


System maintenance requires effective management, quality assurance, and cost control. To achieve these goals, companies use various strategies, such as a maintenance team, a maintenance management program, a configuration management process, and a maintenance release procedure. In addition, firms use version control and baselines to track system releases and analyze the system’s life cycle. These concepts are described in the following sections.

The Maintenance Team

A maintenance team includes a system administrator and one or more systems analysts and programmers. The system administrator should have solid technical expertise, and experience in troubleshooting and configuring operating systems and hardware. Successful analysts need a strong IT background, solid analytical abilities, good communication skills, and an overall understanding of business operations.

SYSTEM ADMINISTRATOR   A system administrator manages computer and network systems. A system administrator must work well under pressure, have good organizational and communication skills, and be able to understand and resolve complex issues in a limited time frame. In most organizations, a system administrator has primary responsibility for the operation, configuration, and security of one or more systems. The system administrator is responsible for routine maintenance, and usually is authorized to take preventive action to avoid an immediate emergency, such as a server crash, network outage, security incident, or hardware failure.

Systems administration is a vital function, and various professional associations, such as SAGE, which is shown in Figure 12-9, offer a wide variety of technical information and support for system administrators. Notice that SAGE members subscribe to a code of ethics that includes professionalism, integrity, privacy, and social responsibility, among other topics.

SYSTEMS ANALYSTS   Systems analysts assigned to a maintenance team are like skilled detectives who investigate and rapidly locate the source of a problem by using analysis and synthesis skills. Analysis means examining the whole in order to learn about the individual elements, while synthesis involves studying the parts to understand the overall system. In addition to strong technical skills, an analyst must have a solid grasp of business operations and functions. Analysts also need effective interpersonal and communications skills, and they must be creative, energetic, and eager for new knowledge.

FIGURE 12-9 SAGE seeks to establish standards of professional excellence, improve the technical skills of its members, and promote a comprehensive code of ethics.

© 2012 The USENIX Association

PROGRAMMERS   In a small organization, a programmer might be expected to handle a wide variety of tasks, but in larger firms, programming work tends to be more specialized. For example, typical job titles include an applications programmer, who works on new systems development and maintenance; a systems programmer, who concentrates on operating system software and utilities; and a database programmer, who focuses on creating and supporting large-scale database systems. Many IT departments also use a job title of programmer/analyst to designate positions that require a combination of systems analysis and programming skills.

ORGANIZATIONAL ISSUES   IT managers often divide systems analysts and programmers into two groups: One group performs new system development, and the other group handles maintenance. Some organizations use a more flexible approach and assign IT staff members to various projects as they occur. By integrating development and support work, the people developing the system assume responsibility for maintaining it. Because the team is familiar with the project, additional training or expense is unnecessary, and members are likely to have a sense of ownership from the onset.

Unfortunately, many analysts feel that maintenance is less interesting and creative than developing new systems. In addition, an analyst might find it challenging to troubleshoot and support someone else’s work that might have been poorly documented and organized.

Some organizations that have separate maintenance and new systems groups rotate people from one assignment to the other. When analysts learn different skills, the organization is more versatile and people can shift to meet changing business needs. For instance, systems analysts working on maintenance projects learn why it is important to design easily maintainable systems. Similarly, analysts working on new systems get a better appreciation of the development process and the design compromises necessary to meet business objectives.

One disadvantage of rotation is that it increases overhead because time is lost when people move from one job to another. When systems analysts constantly shift between maintenance and new development, they have less opportunity to become highly skilled at any one job.

Newly hired and recently promoted IT staff members often are assigned to maintenance projects because their managers believe that the opportunity to study existing systems and documentation is a valuable experience. In addition, the mini-SDLC used in many adaptive maintenance projects is good training for the full-scale systems development life cycle. For a new systems analyst, however, maintenance work might be more difficult than systems development, and it might make sense to assign a new person to a development team where experienced analysts are available to provide training and guidance.


As IT manager at Brightside Insurance Company, you organized your IT staff into two separate groups — one team for maintenance projects and the other team for new systems work. That arrangement worked well in your last position at another company. Brightside, however, previously made systems assignments with no particular pattern.

At first, the systems analysts in your group did not comment about the team approach. Now, several of your best analysts have indicated that they enjoyed the mix of work and would not want to be assigned to a maintenance team. Before a problem develops, you have decided to rethink your organizational strategy. Should you go back to the way things were done previously at Brightside? Why or why not? Do other options exist? What are they?

Maintenance Requests

Typically, maintenance requests involve a series of steps, as shown in Figure 12-10. After a user submits a request, a system administrator determines whether immediate action is needed and whether the request is under a prescribed cost limit. In nonemergency requests that exceed the cost limit, a systems review committee assesses the request and either approves it, with a priority, or rejects it. The system administrator notifies affected users of the outcome.

Users submit most requests for corrective and adaptive maintenance when the system is not performing properly, or if they want new features. IT staff members usually initiate requests for perfective and preventive maintenance. To keep a complete maintenance log, all work must be covered by a specific request that users submit in writing or by e-mail.

FIGURE 12-10 Although the procedure varies from company to company, the chart shows a typical process for handling maintenance requests.

© Cengage Learning 2012

INITIAL DETERMINATION   When a user submits a maintenance request, the system administrator makes an initial determination. If the request is justifiable and involves a severe problem that requires immediate attention, the system administrator takes action at once. In justifiable, but noncritical, situations, the administrator determines whether the request can be performed within a preauthorized cost level. If so, he or she assigns the maintenance tasks and monitors the work.

THE SYSTEMS REVIEW COMMITTEE   When a request exceeds a predetermined cost level or involves a major configuration change, the systems review committee either approves it and assigns a priority, or rejects it.

TASK COMPLETION   The system administrator usually is responsible for assigning maintenance tasks to individuals or to a maintenance team. Depending on the situation and the company’s policy, the system administrator might consider rotating assignments among the IT staff or limiting maintenance tasks to certain individuals or teams, as explained in the previous section.

USER NOTIFICATION   Users who initiate maintenance requests expect a prompt response, especially if the situation directly affects their work. Even when corrective action cannot occur immediately, users appreciate feedback from the system administrator and should be kept informed of any decisions or actions that could affect them.

Establishing Priorities

In many companies, the systems review committee separates maintenance and new development requests when setting priorities. In other organizations, all requests are considered together, and the most important project gets top priority, whether it is maintenance or new development.

Some IT managers believe that evaluating all projects together leads to the best possible decisions because maintenance and new development require similar IT department resources. In IT departments where maintenance and new development are not integrated, it might be better to evaluate requests separately. Another advantage of a separate approach is that maintenance is more likely to receive a proportional share of IT department resources.

The most important objective is to have a procedure that balances new development and necessary maintenance work to provide the best support for business requirements and priorities.

Configuration Management

Configuration management (CM), sometimes referred to as change control (CC), is a process for controlling changes in system requirements during software development. Configuration management also is an important tool for managing system changes and costs after a system becomes operational. Most companies establish a specific process that describes how system changes must be requested and documented.

As enterprise-wide information systems grow more complex, configuration management becomes critical. Industry standards have emerged, and many vendors offer configuration management software and techniques, as shown in Figure 12-11.

CM is especially important if a system has multiple versions that run in different hardware and software environments. Configuration management also helps to organize and handle documentation. An operational system has extensive documentation that covers development, modification, and maintenance for all versions of the installed system. Most documentation material, including the initial systems request, project management data, end-of-phase reports, data dictionary, and the IT operations and user manuals, is stored in the IT department.

Keeping track of all documentation and ensuring that updates are distributed properly are important aspects of configuration management.

FIGURE 12-11 CM Crossroads provides a source of information and resources for configuration management professionals.

© 1998–2011 CMC Media, Inc.

Maintenance Releases

Keeping track of maintenance changes and updates can be difficult, especially for a complex system. When a maintenance release methodology is used, all noncritical changes are held until they can be implemented at the same time. Each change is documented and installed as a new version of the system called a maintenance release.

For an in-house developed system, the time between releases usually depends on the level of maintenance activity. A new release to correct a critical error, however, might be implemented immediately rather than saved for the next scheduled release.

When a release method is used, a numbering pattern distinguishes the different releases. In a typical system, the initial version of the system is 1.0, and the release that includes the first set of maintenance changes is version 1.1. A change, for example, from version 1.4 to 1.5 indicates relatively minor enhancements, while whole number changes, such as from version 1.0 to 2.0 or from version 3.4 to 4.0, indicate a significant upgrade.

The release methodology offers several advantages, especially if two teams perform maintenance work on the same system. When a release methodology is used, all changes are tested together before a new system version is released. This approach results in fewer versions, less expense, and less interruption for users. Using a release methodology also reduces the documentation burden because all changes are coordinated and become effective simultaneously.

A release methodology also has some potential disadvantages. Users expect a rapid response to their problems and requests, but with a release methodology, new features or upgrades are available less often. Even when changes would improve system efficiency or user productivity, the potential savings must wait until the next release, which might increase operational costs.

Commercial software suppliers also provide maintenance releases, often called service packs, as shown in Figure 12-12 on the next page. As Microsoft explains, a service pack contains all the fixes and enhancements that have been made available since the last program version or service pack.

Version Control

Version control is the process of tracking system releases, or versions. When a new version of a system is installed, the prior release is archived, or stored. If a new version causes a system to fail, a company can reinstall the prior version to restore operations. In addition to tracking system versions, the IT staff is responsible for configuring systems that have several modules at various release stages. For example, an accounting system might have a one-year-old accounts receivable module that must interface with a brand-new payroll module.

FIGURE 12-12 A Microsoft service pack provides access to up-to-date drivers, tools, security patches, and customer-requested product changes.

Screenshots used with permission from Microsoft.

Most firms use commercial applications to handle version control for complex systems, such as ERP. Serena Software’s PVCS Version Manager, which is shown in Figure 12-13, is a popular example. Serena, a longtime provider of version control solutions, states that PVCS Version Manager can help meet compliance, documentation, and traceability requirements in regulated industries. Serena also mentions that the product uses a “snapshot” technique to capture development effort at any given point in time.


A baseline is a formal reference point that measures system characteristics at a specific time. Systems analysts use baselines as yardsticks to document features and performance during the systems development process. The three types of baselines are functional, allocated, and product.

The functional baseline is the configuration of the system documented at the beginning of the project. It consists of all the necessary system requirements and design constraints.

The allocated baseline documents the system at the end of the design phase and identifies any changes since the functional baseline. The allocated baseline includes testing and verification of all system requirements and features.

The product baseline describes the system at the beginning of system operation. The product baseline incorporates any changes made since the allocated baseline and includes the results of performance and acceptance tests for the operational system.

FIGURE 12-13 The more complex the system, the more important the task of version control. Commercial software packages, such as this example from Serena Software, can help companies maintain controls and reduce costs.

© 2012 Serena Software Inc.


Years ago, when most firms used a central computer for processing data, it was relatively simple to manage a system and measure its efficiency. Today, companies use complex networks and client/server systems to support business needs. A user at a client workstation often interacts with an information system that depends on other clients, servers, networks, and data located throughout the company. Rather than a single computer, it is the integration of all those components that determines the system’s capability and performance. In many situations, IT managers use automated software and CASE tools to manage complex systems.

To ensure satisfactory support for business operations, the IT department must manage system faults and interruptions, measure system performance and workload, and anticipate future needs. The following sections discuss these topics.

Fault Management

No matter how well it is designed, every system will experience some problems, such as hardware failures, software errors, user mistakes, and power outages. A system administrator must detect and resolve operational problems as quickly as possible. That task, often called fault management, includes monitoring the system for signs of trouble, logging all system failures, diagnosing the problem, and applying corrective action.

The more complex the system, the more difficult it can be to analyze symptoms and isolate a cause. In addition to addressing the immediate problem, it is important to evaluate performance patterns and trends. Windows 8 and Windows 7 include a built-in fault management feature called Resource Monitor, which is shown in Figure 12-14 on the next page. Resource Monitor can evaluate CPU, memory, disk, and network activity in real time, and save the data in a log file. In addition to automated notification, fault management software can identify underlying causes, speed up response time, and reduce service outages.

Although system administrators must deal with system faults and interruptions as they arise, the best strategy is to prevent problems by monitoring system performance and workload.

FIGURE 12-14 Windows Resource Monitor displays CPU, memory, disk, and network activity in real time.

Screenshot used with permission from Microsoft

Performance and Workload Measurement

In e-business, slow performance can be as devastating as no performance at all. Network delays and application bottlenecks affect customer satisfaction, user productivity, and business results. In fact, many IT managers believe that network delays do more damage than actual stoppages because they occur more frequently and are difficult to predict, detect, and prevent. Customers expect reliable, fast response 24 hours a day, seven days a week. To support that level of service, companies use performance management software, which is available from many vendors, including Cisco, Sun, and HP, among others.

To measure system performance, many firms use benchmark testing, which uses a set of standard tests to evaluate system performance and capacity. In addition to benchmark testing, performance measurements, called metrics, can monitor the number of transactions processed in a given time period, the number of records accessed, and the volume of online data. Network performance metrics include response time, bandwidth, throughput, and turnaround time, among others.

RESPONSE TIME    Response time is the overall time between a request for system activity and the delivery of the response. In the typical online environment, response time is measured from the instant the user presses the ENTER key or clicks a mouse button until the requested screen display appears or printed output is ready. Response time is affected by the system design, capabilities, and processing methods. If the request involves network or Internet access, response time is affected by data communication factors.

Online users expect an immediate response, and they are frustrated by any apparent lag or delay. Of all performance measurements, response time is the one that users notice and complain about most.

BANDWIDTH AND THROUGHPUT   Bandwidth and throughput are closely related terms, and many analysts use them interchangeably. Bandwidth describes the amount of data that the system can transfer in a fixed time period. Bandwidth requirements are expressed in bits per second. Depending on the system, you might measure bandwidth in Kbps (kilobits per second), Mbps (megabits per second), or Gbps (gigabits per second). Analyzing bandwidth is similar to forecasting the hourly number of vehicles that will use a highway in order to determine the number of lanes required.

Throughput measures actual system performance under specific circumstances and is affected by network loads and hardware efficiency. Throughput, like bandwidth, is expressed as a data transfer rate, such as Kbps, Mbps, or Gbps. Just as traffic jams delay highway traffic, throughput limitations can slow system performance and response time. That is especially true with graphics-intensive systems and Web-based systems that are subject to Internet-related conditions.

In addition to the performance metrics explained in the previous section, system administrators measure many other performance characteristics. Although no standard set of metrics exists, several typical examples are:

· Arrivals — The number of items that appear on a device during a given observation time.

· Busy — The time that a given resource is unavailable.

· Completions — The number of arrivals that are processed during a given observation period.

· Queue length — The number of requests pending for a service.

· Service time — The time it takes to process a given task once it reaches the front of the queue.

· Think time — The time it takes an application user to issue another request.

· Utilization — How much of a given resource was required to complete a task.

· Wait time — The time that requests must wait for a resource to become available.
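The following added example (not part of the original text) computes the metrics listed above from a request log for a single shared resource. The Request record, the sample log, and the 60-second observation window are constructed for illustration, and utilization is computed as busy time divided by the observation period, which is an assumption about how the measure is applied.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    arrival: float  # second at which the request reaches the resource
    start: float    # second at which it reaches the front of the queue
    end: float      # second at which processing finishes


# Constructed sample log: one server, observed from t=0 to t=60 seconds.
SAMPLE = [
    Request("alice", 0.0, 0.0, 4.0),
    Request("bob", 1.0, 4.0, 9.0),
    Request("carol", 2.0, 9.0, 12.0),
    Request("alice", 14.0, 14.0, 18.0),
    Request("bob", 20.0, 20.0, 26.0),
    Request("carol", 50.0, 50.0, 58.0),
    Request("alice", 57.0, 58.0, 63.0),  # arrives in the window, finishes after it
]
WINDOW = (0.0, 60.0)


def clip(lo, hi, window):
    """Length of the part of [lo, hi] that lies inside the observation window."""
    w0, w1 = window
    return max(0.0, min(hi, w1) - max(lo, w0))


def measure(requests, window):
    """Return the workload metrics for one resource over one observation window."""
    w0, w1 = window
    period = w1 - w0
    arrived = [r for r in requests if w0 <= r.arrival < w1]
    completed = [r for r in requests if w0 <= r.end <= w1]

    # Busy: time the resource was occupied, counted only inside the window.
    busy = sum(clip(r.start, r.end, window) for r in requests)
    # Total request-seconds spent waiting inside the window.
    waiting = sum(clip(r.arrival, r.start, window) for r in requests)

    # Queue length: +1 when a request starts waiting, -1 when service begins.
    # Sorting puts a departure before an arrival that shares its timestamp.
    events = []
    for r in requests:
        if r.start > r.arrival:
            events += [(r.arrival, 1), (r.start, -1)]
    depth = peak = 0
    for _, delta in sorted(events):
        depth += delta
        peak = max(peak, depth)

    # Think time: gap between a user's response and that user's next request.
    by_user = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.arrival):
        by_user[r.user].append(r)
    thinks = [max(0.0, nxt.arrival - prev.end)
              for reqs in by_user.values()
              for prev, nxt in zip(reqs, reqs[1:])]

    n = len(completed)
    return {
        "arrivals": len(arrived),
        "completions": n,
        "busy": busy,
        "utilization": busy / period,
        "mean_service_time": sum(r.end - r.start for r in completed) / n if n else 0.0,
        "mean_wait_time": sum(r.start - r.arrival for r in completed) / n if n else 0.0,
        "peak_queue_length": peak,
        "mean_queue_length": waiting / period,
        "mean_think_time": sum(thinks) / len(thinks) if thinks else 0.0,
    }


if __name__ == "__main__":
    for name, value in measure(SAMPLE, WINDOW).items():
        print(f"{name:20s} {value:.3f}" if isinstance(value, float) else f"{name:20s} {value}")
```

Arrivals exceed completions in this sample because the last request is still being processed when the window closes, which is the kind of backlog that rising wait time and queue length reveal before users report slow response.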

The Computer Measurement Group (CMG®) maintains a site, shown in Figure 12-15, that provides support and assistance for IT professionals concerned with performance evaluation and capacity planning.

TURNAROUND TIME    Turnaround time applies to centralized batch processing operations, such as customer billing or credit card statement processing. Turnaround time measures the time between submitting a request for information and the fulfillment of the request. Turnaround time also can be used to measure the quality of IT support or services by measuring the time from a user request for help to the resolution of the problem.

The IT department often measures response time, bandwidth, throughput, and turnaround time to evaluate system performance both before and after changes to the system or business information requirements. Performance data also is used for cost-benefit analyses of proposed maintenance and to evaluate systems that are nearing the end of their economically useful lives.

Finally, management uses current performance and workload data as input for the capacity planning process.

FIGURE 12-15 The Computer Measurement Group is a nonprofit organization that primarily is concerned with performance evaluation and capacity management.

© Computer Measurement Group, Inc.

Capacity Planning

Capacity planning is a process that monitors current activity and performance levels, anticipates future activity, and forecasts the resources needed to provide desired levels of service.

As the first step in capacity planning, you develop a current model based on the system’s present workload and performance specifications. Then you project demand and user requirements over a one- to three-year time period and analyze the model to see what is needed to maintain satisfactory performance and meet requirements. To assist you in the process, you can use a technique called what-if analysis.

What-if analysis allows you to vary one or more elements in a model in order to measure the effect on other elements. For example, you might use what-if analysis to answer questions such as: How will response time be affected if we add more PC workstations to the network? Will our client/server system be able to handle the growth in sales from the new Web site? What will be the effect on server throughput if we add more memory?

Powerful spreadsheet tools also can assist you in performing what-if analysis. For example, Microsoft Excel contains a feature called Goal Seek that determines what changes are necessary in one value to produce a specific result for another value. In the example shown in Figure 12-16, a capacity planning worksheet indicates that the system can handle 3,840 Web-based orders per day, at 22.5 seconds each. The user wants to know the effect on processing time if the number of transactions increases to 9,000. As the Goal Seek solution in the bottom figure shows, order processing will have to be performed in 9.6 seconds to achieve that goal.

FIGURE 12-16 In this Goal Seek example, the user wants to know the effect on processing time if the number of daily transactions increases from 3,840 to 9,000.

© Cengage Learning 2014

When you plan capacity, you need detailed information about the number of transactions; the daily, weekly, or monthly transaction patterns; the number of queries; and the number, type, and size of all generated reports. If the system involves a LAN, you need to estimate network traffic levels to determine whether or not the existing hardware and software can handle the load. If the system uses a client/server design, you need to examine performance and connectivity specifications for each platform.

Most important, you need an accurate forecast of future business activities. If new business functions or requirements are predicted, you should develop contingency plans based on input from users and management. The main objective is to ensure that the system meets all future demands and provides effective support for business operations. Some firms handle their own capacity planning, while others purchase software and services from companies such as TeamQuest, shown in Figure 12-17.


The CASE tools in Part B of the Systems Analyst’s Toolkit can help you document business functions and processes, develop graphical models, and provide an overall framework for information system development. To learn more about these tools, turn to Part B of the four-part Toolkit that follows Chapter 12.

System Maintenance Tools

You can use automated tools that provide valuable assistance during the operation and support phase. Many CASE tools include system evaluation and maintenance features, including the following examples:

· Performance monitor that provides data on program execution times

· Program analyzer that scans source code, provides data element cross-reference information, and helps evaluate the impact of a program change

· Interactive debugging analyzer that locates the source of a programming error

· Reengineering tools

· Automated documentation

· Network activity monitor

· Workload forecasting tool

In addition to CASE tools, you also can use spreadsheet and presentation software to calculate trends, perform what-if analyses, and create attractive charts and graphs to display the results. Information technology planning is an essential part of the business planning process, and you probably will deliver presentations to management. You can review Part A of the Systems Analyst’s Toolkit for more information on using spreadsheet and presentation software to help you communicate effectively.

FIGURE 12-17 TeamQuest is an example of a firm that offers capacity planning software and services.

© 2012 TeamQuest Corporation


Security is a vital part of every information system. Security protects the system, and keeps it safe, free from danger, and reliable. In a global environment that includes many types of threats and attacks, security is more important than ever. This section includes a discussion of system security concepts, risk management, and common attacks against the system.

FIGURE 12-18 System security must provide information confidentiality, integrity, and availability.

© Cengage Learning 2014

System Security Concepts

The CIA triangle in Figure 12-18 shows the three main elements of system security: confidentiality, integrity, and availability. Confidentiality protects information from unauthorized disclosure and safeguards privacy. Integrity prevents unauthorized users from creating, modifying, or deleting information. Availability ensures that authorized users have timely and reliable access to necessary information. The first step in managing IT security is to develop a security policy based on these three elements. Although it is beyond the scope of this chapter, the Microsoft Management Console (MMC) shown in Figure 12-19 is a portal to a broad array of built-in security tools and techniques.

FIGURE 12-19 The Microsoft Management Console (MMC) includes built-in security tools, such as password and lock-out policies, audit policies, user rights, and security configurations, among others.

Screenshot used with permission from Microsoft.

Risk Management

In the real world, absolute security is not a realistic goal. Instead, managers must balance the value of the assets being protected, potential risks to the organization, and security costs. For example, it might not be worth installing an expensive video camera monitoring system to protect an empty warehouse. To achieve the best results, most firms use a risk management approach that involves constant attention to three interactive tasks: risk identification, risk assessment, and risk control, as shown in Figure 12-20.

Risk identification analyzes the organization’s assets, threats, and vulnerabilities. Risk assessment measures risk likelihood and impact. Risk control develops safeguards that reduce risks and their impact.

RISK IDENTIFICATION   The first step in risk identification is to list and classify business assets. An asset might include company hardware, software, data, networks, people, or procedures. For each asset, a risk manager rates the impact of an attack and analyzes possible threats. A threat is an internal or external entity that could endanger an asset. For example, threat categories might include natural disasters, software attacks, or theft, as shown in Figure 12-21.

Next, the risk manager identifies vulnerabilities and how they might be exploited. A vulnerability is a security weakness or soft spot, and an exploit is an attack that takes advantage of a vulnerability. To identify vulnerabilities, a risk manager might ask questions like these: Could hackers break through the proxy server? Could employees retrieve sensitive files without proper authorization? Could people enter the computer room and sabotage our servers? Each vulnerability is rated and assigned a value. The output of risk identification is a list of assets, vulnerabilities, and ratings.
