SECURITY, CONTROL AND REPORTING

Security refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Information security means protecting information and
information systems from unauthorized access, use,
disclosure, disruption, modification or destruction.

Need for Security
• Maintaining information confidentiality.
• Ensure the integrity and reliability of data resources.
• Ensure the uninterrupted availability of data resources.

Threats to Information Systems
Categories of threats

Accidents and Malfunctions
• Operator Error
• Hardware Malfunctions
• Software Bugs
• Data Errors
• Accidental disclosure of information
• Damage to physical facilities
• Inadequate system performance
• Liability for system failure

Computer Crime
• Hacking
• Cyber theft
• Unauthorized use at work
• Piracy
• Computer viruses and worms

IS Vulnerability
A security risk may be classified as a vulnerability. System vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
Vulnerability is the intersection of 3 elements:
• System weakness.
• Attacker access leads to flaw.
• Attacker capability to exploit the database.

Causes of system vulnerability
Various system vulnerabilities are caused by:
Hackers.
• Through a variety of tricks, access the data flowing over networks.
• Steal valuable data during transmission.
• Alter messages without authorization.
Radiation.
• The Internet and other networks are vulnerable to disruptions from radiation.
• Intruders can launch denial of service attacks to disrupt the operation of websites.
• They destroy or alter the corporate data stored in databases or files.
Malfunctioning.
• The major causes for computer software to fail are:
  • Errors in programming,
  • Improper installation, or
  • Unauthorized changes.
• Other natural disasters can also disrupt computer systems:
  • Power failures.
  • Floods.
  • Fires.
Information on the network
Domestic or offshore partnering with another company adds to system vulnerability if valuable information resides on networks and computers outside the organization's control.

Internet vulnerabilities
Vulnerability has also increased from the widespread use of e-mail and IM.
Employees may use e-mail messages to transmit valuable trade secrets, financial data or confidential customer information to unauthorized recipients.
Instant Messaging (IM)
Consumers do not use a secure layer for text messages, so the messages can be intercepted and read by outsiders during transmission over the public internet.

Disaster management
A DMP is a plan of action to recover from the impact on the information systems. The objective of a DMP is:
• not only to start the system again, but to start it properly from the stage at which it stopped, with all data integrity maintained after recovery;
• to ensure that the quality of output is not defective due to loss of data, incomplete data or incorrect data.

DMP Process
Step 1: Identify the critical business processes.
Step 2: Assess the business risk (probability of risk occurrence, risk exposure, time of exposure).
Step 3: Enlist the impact target of the damage for attention to manage and recover.
Step 4: Identify the life-saving data, files, software applications, packages, hardware, servers, and databases linked to these processes.
Step 5: Segregate needs into 2 classes:
(i) Switch to manual process.
(ii) Work at offsite with data backup created at offsite location.
Step 6: Prepare a plan for bridging the pre- and post-disaster scenarios so that continuity of data and information is maintained.
Step 7: Ensure all risks are suitably covered by appropriate insurance policies.
Step 8: Authority and rights for decisions and actions in the event of disaster should be clear in the DMP.
Step 9: Test the DMP once a year in a simulated live model event.

Threats and controls for disaster management

1. Threats to facilities and structure
i) Earthquakes, fires, explosions, floods and other events.
ii) Power failures.
iii) Theft.
iv) Unauthorized use of IT structure.
v) Damage by disgruntled employees.
Controls
• Design buildings for the natural threats.
• Store sensitive data and applications offsite in a different building.
• Provide security training to employees.
• Provide dedicated power lines with UPS.
• Screen employees and usual visitors and get the appropriate secrecy bonds signed from them.
• Use biometric access controls and IDs.

2. Threats to communication system
• Incorrect input due to communication breakdown.
• Intrusion by unauthorized persons and damage to communication system.
• Insertion of viruses.
• Defective network operations.
Controls
• Firewalls.
• Error detection and correction methods.
• User IDs, passwords and PINs.
• Encryption and decryption of key inputs/outputs.

3. Threats to database and DBMS
• Corruption of data.
• Theft of data.
• Unauthorized access.
• Data inconsistency.
Controls
• Use of antivirus software.
• Backup copies.
• Restricted authority to update and delete.
• Limited, authorized access to database.
• Dedicated to DB administrator.

Testing
When a system is developed, it is hoped that it performs properly. However, some errors always occur. The main purpose of testing information systems is to find the errors and correct them.
A successful test is one which finds an error.

Objectives of testing
• To ensure that during operation the system will perform as per specifications.
• To make sure that the system meets your requirements during operation.
• To see that when correct inputs are fed to the system, the outputs are also correct.
• To make sure that during operations, incorrect input, processing and outputs will be detected.

Classification of information system tests
The tests should include both manual operations and computerized operations.
Information system testing covers:
• Comprehensive evaluation of the programs
• Manual procedures
• Computer operations and controls

1. Unit Testing
• It is a method by which individual units of source code are tested to determine if they are fit for use.

2. Integration Testing
• It is a systematic technique for constructing the program structure while at the same time conducting tests to uncover errors associated with interfacing.

Types of integration testing
Big bang integration testing
• All components or modules are integrated simultaneously, after which everything is tested as a whole.
Top down integration testing
• It takes place from top to bottom, following the control flow or architectural structure.
Bottom up integration testing
• Testing takes place from the bottom of the control flow upward. Components or systems are substituted by drivers.
Mixed Integration testing
• It is also called sandwiched testing.
• It follows a combination of top-down and bottom-up testing approaches.
• The top-down approach can start only after the top-level modules have been coded and unit tested.
• Bottom-up testing can start only after the bottom-level modules are ready.
• The mixed approach overcomes these shortcomings, as in it testing can start as and when modules become available.

3. Validation Testing
After integration testing, software is assembled as a package where interfacing errors have been uncovered and corrected, and then validation testing begins.
Validation succeeds when software functions as expected by the customers.
The types of validation testing are:
• Alpha testing
• Beta testing

4. System testing
• The behavior of the whole system/product is tested as defined by the scope of the development project or product.
• It is the final test to verify that the system to be delivered meets the specifications and its purpose.
• The test is carried out by specialist testers.
• It investigates both functional and non-functional requirements.

Error Detection
Software errors are inescapable and they are easily permeable into programs.
The first approach is to prevent the introduction of errors, and the second is to detect the errors or bugs hidden in the code.
Software error analysis includes the techniques used to locate, analyze, and estimate errors and data relating to errors.

| Static Testing | Dynamic Testing |
| --- | --- |
| Testing done without executing the program | Testing done by executing the program |
| This testing does the verification process | Dynamic testing does the validation process |
| Static testing is about prevention of defects | Dynamic testing is about finding and fixing the defects |
| Static testing gives assessment of code and documentation | Dynamic testing gives bugs/bottlenecks in the software system |
| Cost of finding defects and fixing is less | Cost of finding and fixing defects is high |
| Return on investment will be high as this process is involved at an early stage | Return on investment will be low as this process is involved after the development phase |
| More review comments are highly recommended for good quality | More defects are highly recommended for good quality |

Formal Analysis
Formal methods involve rigorous mathematical techniques to specify or analyze the software requirement specification, design, or code.

Error Detection in phases of Lifecycle
• Requirements
• Design
• Implementation
• Test
• Installation and Checkout
• Operation and Maintenance

Controls
Controls are constraints and other restrictions imposed on a user or a system, and they can be used to secure a system against risk or to reduce the damage caused to systems, applications and data.
Controls are implemented not only for access but also to implement policies and ensure that nonsensical data is not entered into the corporate database.

Types of controls
General controls
• Physical
• Biometric Access
• Data Security
• Communication
• Administrative
• Others
Application controls
• Input
• Processing
• Output
• Storage

Software Audit
The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product.
A software audit is the process of checking each computer in the organization and listing the software packages installed.
The purpose of a software audit is to detect and rectify any anomalies between the software register and the software installed on the system.
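
The register-versus-installed comparison described above, as an added example that is not part of the original slides. The host names, package names and register layout (package mapped to licensed seats) are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: software register (approved package -> licensed seats)
REGISTER = {"office-suite": 2, "antivirus": 3, "cad-tool": 1}

# Constructed sample data: packages listed on each computer during the audit
INSTALLED = {
    "pc-01": ["office-suite", "antivirus"],
    "pc-02": ["office-suite", "antivirus", "torrent-client"],
    "pc-03": ["office-suite", "Antivirus "],
}


def normalise(name):
    """Fold case and whitespace so 'Antivirus ' matches 'antivirus'."""
    return name.strip().lower()


def audit(register, installed):
    """Return the anomalies between the register and what is installed."""
    register = {normalise(k): v for k, v in register.items()}
    counts = Counter()
    unregistered = {}
    for host, packages in installed.items():
        # A set counts each package once per host, even if listed twice.
        for pkg in {normalise(p) for p in packages}:
            counts[pkg] += 1
            if pkg not in register:
                unregistered.setdefault(pkg, []).append(host)
    # Installed on more computers than the register licenses: (found, seats)
    over_deployed = {p: (counts[p], seats)
                     for p, seats in register.items() if counts[p] > seats}
    # On the register but found on no computer
    unused = sorted(p for p in register if counts[p] == 0)
    return {"unregistered": unregistered,
            "over_deployed": over_deployed,
            "unused": unused}


if __name__ == "__main__":
    for kind, findings in audit(REGISTER, INSTALLED).items():
        print(kind, findings)
```

Each of the three result groups is an anomaly to rectify: remove or register the unlisted package, buy seats or uninstall the over-deployed one, and retire or reassign the unused licence.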

Objectives of software audit
• Organization's standards, processes, systems, and plans are adequate to enable the organization to meet its policies, requirements, and objectives.
• During the execution of its work activities.
• Objectives are actually being met.
• Resources and non-human resources are being effectively utilized.

Audit Roles and Responsibilities
• Client
• Auditor management
• Lead auditor
• Auditors
• Auditee management

Audit process
• Initiation
• Planning
• Preparation
• Execution
• Reporting
• Corrective action and follow up

Ethics in IT
Ethics is a study of the principles and practices which guide us in deciding whether the action taken is morally right or wrong.
Ethics is about values and human behavior.
The values and human behavior are primarily regulated by various legal provisions and can be enforced through courts.

Technology Ethics
The ethics of technology is divided into two basic subdivisions:
• Ethics in the development of new technology.
• Technological growth.

Ethics to overcome vulnerability
Vulnerability assessment.
• It is a periodic process that works on a system to identify, track, and manage the repair of vulnerabilities on the system.
• It does a health check of the system.
• It is an essential security process and best practice for the well-being of the system.
Vulnerability scanning.
• It identifies weaknesses in the network, the type of weaknesses, and where they are; it is up to the security team to fix the identified loopholes.

Ethical Guidelines
Proportionality
Informed consent
Justice
Minimized risk.

User interface
An interface is the common boundary between the user and the computer system application: the point where the computer and the individual interact.
System model template
• Input processing
• Process and control
• Maintenance and testing
• Output processing
• User interface processing
A user interface is a part of the system that allows the user to input data, to command the operations and to receive outputs from the system.

Purpose of interface
• Interface tells the system what actions to take.
• Facilitates the use of the system.
• Avoids user errors.

Types of interface

Natural language interface
• It is designed to understand the user's own language.
• These interfaces attempt to interpret what the user means, and often they present back to the user a list of interpretations from which they choose.
E.g. Microsoft's Office Assistant.

Question answer interface
Question answer interfaces are very popular in web-based applications.
For example, a car reservation system may ask a series of questions to define what type of car and rental agreement is required.

MENU DRIVEN INTERFACE
The oldest and commonly employed dialogue strategy is menu selection.
Different types of menus cater to novice and expert users.
Menu-driven strategies require that the user select an action from a menu of alternatives.

FORM FILL INTERFACE
If an interface has to gather a lot of information from the user, then it often helps if one provides a form to fill in.
Most form fill interfaces allow for easy movement around the form and for some fields to be left blank.

Command Language Interface
Instead of menus or in addition to menus, some applications are designed using a dialogue based on a command language interface (instruction driven interface).

Graphical user interface
A GUI is the primary mechanism that enables the user to interact with a collection of elements, called screen objects, that are visible to the user and used by him/her to perform tasks. They are executed by:
• Direct manipulation
• Indirect manipulation

Reporting
A report is a business document that contains only predefined data.
Good report design requires effort and attention to detail.
To produce a well-designed report, the analyst must consider design features such as report headers and footers, column headings and alignment, column spacing, field order, and grouping of detail lines.
Characteristics of Reports
Reports should be attractive and easy to understand.
A report must include the information that a user needs.
A report with too little information is of no value.
Too much information can make a report confusing and difficult to understand.

Types of reports
• Detail reports
• Exception report
• Summary report