Information Systems CS-507
Lecture 34
Types of Controls
• Access Controls – Controlling who can access the system.
• Input Controls – Controls over how the data is input to the system.
• Communication Controls – Controls over the transfer of data over networks.
• Processing Controls – Controlling the processing of data.
• Database Controls – Securing the most important asset of the organization.
• Output Controls – Controlling the privacy of the data.
Objectives of the Access Controls
• The user should be given access to the nature and kind of resources he is entitled to access.
Why Access Controls?
• Widespread deployment of distributed systems has resulted in many users being dispersed physically, e.g. through
  – Web based systems
  – Local Area Networks
  – Wide Area Networks
• The rapid growth of E-Commerce systems has resulted in substantial work being undertaken to identify and authenticate the parties.
Cryptography
• “The conversion of data into a secret code for transmission over a public network.”
Encryption
The process of converting data into codes (cryptograms).
Diagram: Original Data → Encryption → Cipher-text / Encrypted data
Decryption
The process of decoding the code to arrive at the data that was actually encrypted.
Diagram: Cipher-text / Encrypted data → Decryption → Original Data
• Clear text – the data to be encrypted.
• Cipher text – the code created out of the data after encryption.
• The original text, or "plaintext," is converted into a coded equivalent called "cipher text" via an encryption process.
Diagram: Clear Text → Encryption → Cipher-text / Encrypted data
Identification & Authentication
• What a user remembers – name, birth date, password
• What a user possesses – badge, plastic card
• What a user is – personal characteristics
Biometrics
• “Biometrics can be defined as study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.”
Scope of Biometrics
• Fingerprint
• Handprint
• Voiceprint
• Facial profiling – measuring distance between various points on face
• Iris/retinal recognition – eye patterns
Other Types of Controls
• In addition to the aforesaid access controls, there may be
  – Input controls – controls over correct data entry
  – Communications controls – controls over transporting data safely through local area networks (LANs) or wide area networks (WANs).
  – Processing controls – controls over the integrity of processing instructions being executed by the operating system and application software.
– Database controls – implemented to maintain the integrity of the database.
– Output controls – controls over providing right content to the users.
• The construction of an effective security system should take into account the design and implementation of all the above controls.
• Operating system – an operating system that, while connecting to a website, is at the same time activating a concealed link to transfer specified or all information.
• Application software – software designed to compute interest at month end may contain an unauthorized instruction to transfer pennies, cents or paisas to a particular account.
• Calculations are accurate and any rounding up or down is adequately explained and carried out
• Data is processed correctly as expected
• Control totals reconcile, and processing errors are logged, researched and corrected in a timely manner
• Sufficient audit trail to trace from source to output and vice versa
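A worked example of these processing controls, added here and not part of the lecture: a month-end interest run that rounds explicitly and carries the rounding residue forward, keeps a per-record audit trail from source to output, and reconciles control totals, which is also what exposes the "pennies to a particular account" scenario from the earlier slide. The account data, the 0.5% monthly rate and all function names are constructed for this example.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

# Constructed sample input (not from the lecture): month-end balances earning interest.
ACCOUNTS = [("A-001", Decimal("1000.00")),
            ("A-002", Decimal("2575.33")),
            ("A-003", Decimal("199.99"))]
MONTHLY_RATE = Decimal("0.005")   # assumed 0.5% per month
CENT = Decimal("0.01")

def compute_interest(accounts, rate, rounding=ROUND_HALF_UP):
    """Post interest per account and write one audit-trail entry per posting.
    Returns (postings, rounding_residue, trail); the residue is the sum of the
    fractions of a cent that rounding removed, so every amount is explained."""
    postings, trail, residue = [], [], Decimal("0")
    for seq, (acct, balance) in enumerate(accounts, start=1):
        exact = balance * rate
        posted = exact.quantize(CENT, rounding=rounding)
        residue += exact - posted
        postings.append((acct, posted))
        trail.append({"seq": seq, "source": acct, "exact": exact, "posted": posted})
    return postings, residue, trail

def reconcile(accounts, postings, rate, residue):
    """Control-total checks applied to the run's output.
    Returns a list of error strings (empty when the run reconciles)."""
    errors = []
    if len(accounts) != len(postings):
        errors.append(f"record count: {len(accounts)} in, {len(postings)} out")
    sources = {acct for acct, _ in accounts}
    for acct, _ in postings:
        if acct not in sources:            # output that traces to no input record
            errors.append(f"posting to {acct} has no source record")
    exact_total = sum(b * rate for _, b in accounts)
    posted_total = sum(p for _, p in postings)
    if posted_total + residue != exact_total:
        errors.append(f"control total: posted {posted_total} + residue {residue} "
                      f"!= exact {exact_total}")
    return errors

def simulate_diversion(accounts, rate):
    """Simulate the lecture's scenario for testing the controls: interest is
    truncated and the shaved fractions are posted to an extra account, while
    the run reports no rounding residue at all."""
    postings, residue, _ = compute_interest(accounts, rate, rounding=ROUND_DOWN)
    postings.append(("X-999", residue.quantize(CENT, rounding=ROUND_DOWN)))
    return postings, Decimal("0")

if __name__ == "__main__":
    good_postings, good_residue, trail = compute_interest(ACCOUNTS, MONTHLY_RATE)
    print("honest run errors:", reconcile(ACCOUNTS, good_postings, MONTHLY_RATE, good_residue))
    bad_postings, bad_residue = simulate_diversion(ACCOUNTS, MONTHLY_RATE)
    for e in reconcile(ACCOUNTS, bad_postings, MONTHLY_RATE, bad_residue):
        print("diverted run error:", e)
```

The honest run reconciles because the residue accounts for every rounded fraction; the diverted run fails the record count, the source-to-output trace and the control total at once.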