
14.1 © 2002 by Prentice Hall

chapter 14

INFORMATION SYSTEMS SECURITY & CONTROL


LEARNING OBJECTIVES

• DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS
• COMPARE GENERAL AND APPLICATION CONTROLS
• DESCRIBE MEASURES TO ENSURE RELIABILITY, AVAILABILITY, SECURITY OF E-COMMERCE, DIGITAL BUSINESS PROCESSES
• DESCRIBE IMPORTANT SOFTWARE QUALITY-ASSURANCE TECHNIQUES
• DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITY

MANAGEMENT CHALLENGES

• SYSTEM VULNERABILITY & ABUSE
• CREATING A CONTROL ENVIRONMENT
• ENSURING SYSTEM QUALITY

SYSTEM VULNERABILITY & ABUSE

• WHY SYSTEMS ARE VULNERABLE
• HACKERS & VIRUSES
• CONCERNS FOR BUILDERS & USERS
• SYSTEM QUALITY PROBLEMS

THREATS TO INFORMATION SYSTEMS

HARDWARE FAILURE, FIRE

SOFTWARE FAILURE, ELECTRICAL PROBLEMS

PERSONNEL ACTIONS, USER ERRORS

ACCESS PENETRATION, PROGRAM CHANGES

THEFT OF DATA, SERVICES, EQUIPMENT, TELECOMMUNICATIONS PROBLEMS

WHY SYSTEMS ARE VULNERABLE

• SYSTEM COMPLEXITY
• COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED
• EXTENSIVE EFFECT OF DISASTER
• UNAUTHORIZED ACCESS POSSIBLE

VULNERABILITIES

• RADIATION: Allows recorders, bugs to tap system
• CROSSTALK: Can garble data
• HARDWARE: Improper connections, failure of protection circuits
• SOFTWARE: Failure of protection features, access control, bounds control
• FILES: Subject to theft, copying, unauthorized access
• USER: Identification, authentication, subtle software modification
• PROGRAMMER: Disables protective features; reveals protective measures
• MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities
• OPERATOR: Doesn’t notify supervisor, reveals protective measures

HACKERS & COMPUTER VIRUSES

• HACKER: Person gains access to computer for profit, criminal mischief, personal pleasure
• COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory

COMMON COMPUTER VIRUSES

• CONCEPT, MELISSA: Word documents, e-mail. Deletes files
• FORM: Makes clicking sound, corrupts data
• EXPLORE.EXE: Attached to e-mail, tries to e-mail to others, destroys files
• MONKEY: Windows won’t run
• CHERNOBYL: Erases hard drive, ROM BIOS
• JUNKIE: Infects files, boot sector, memory conflicts

ANTIVIRUS SOFTWARE

• SOFTWARE TO DETECT
• ELIMINATE VIRUSES
• ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES

CONCERNS FOR BUILDERS & USERS

DISASTER

BREACH OF SECURITY

ERRORS

DISASTER

LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY

• FAULT-TOLERANT COMPUTER SYSTEMS: Backup systems to prevent system failure (particularly On-line Transaction Processing)

SECURITY: POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS

WHERE ERRORS OCCUR

• DATA PREPARATION
• TRANSMISSION
• CONVERSION
• FORM COMPLETION
• ON-LINE DATA ENTRY
• KEYPUNCHING; SCANNING; OTHER INPUTS
• VALIDATION
• PROCESSING / FILE MAINTENANCE
• OUTPUT
• TRANSMISSION
• DISTRIBUTION

SYSTEM QUALITY PROBLEMS

• SOFTWARE & DATA
• BUGS: Program code defects or errors
• MAINTENANCE: Modifying a system in production use; can take up to 50% of analysts’ time
• DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious

[Figure: COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE. Vertical axis: COSTS (1.00 to 6.00). Horizontal axis: ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]

CREATING A CONTROL ENVIRONMENT

CONTROLS: Methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards

• GENERAL CONTROLS
• APPLICATION CONTROLS

GENERAL CONTROLS

• IMPLEMENTATION: Audit system development to assure proper control, management
• SOFTWARE: Ensure security, reliability of software
• PHYSICAL HARDWARE: Ensure physical security, performance of computer hardware
• COMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processing
• DATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destruction
• ADMINISTRATIVE: Ensure controls properly executed, enforced
  – SEGREGATION OF FUNCTIONS: Divide responsibility from tasks

APPLICATION CONTROLS

• INPUT
• PROCESSING
• OUTPUT

INPUT CONTROLS

• INPUT AUTHORIZATION: Record, monitor source documents
• DATA CONVERSION: Transcribe data properly from one form to another
• BATCH CONTROL TOTALS: Count transactions prior to and after processing
• EDIT CHECKS: Verify input data, correct errors

PROCESSING CONTROLS

ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING

• RUN CONTROL TOTALS: Generate control totals before & after processing
• COMPUTER MATCHING: Match input data to master files

OUTPUT CONTROLS

ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED

• BALANCE INPUT, PROCESSING, OUTPUT TOTALS
• REVIEW PROCESSING LOGS
• ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
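The input, processing and output controls listed above, applied to one payroll batch. This is an added example, not part of the original slides; the employee IDs, rates, the 80-hour limit and all function names are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample data (assumption, not from the slides).
MASTER = {"E100": Decimal("20.00"), "E200": Decimal("31.50")}  # payroll master: hourly rate
HEADER = {"count": 4, "hours": Decimal("238.0")}   # control totals prepared with the batch
BATCH = [
    {"emp": "E100", "hours": Decimal("40.0")},
    {"emp": "E200", "hours": Decimal("38.0")},
    {"emp": "E999", "hours": Decimal("40.0")},    # no master record
    {"emp": "E100", "hours": Decimal("120.0")},   # fails the range edit check
]

def control_totals(records):
    """Control totals: record count plus total hours."""
    return {"count": len(records),
            "hours": sum((r["hours"] for r in records), Decimal("0"))}

def edit_check(rec):
    """Input control: reject values outside the allowed range."""
    if not Decimal("0") < rec["hours"] <= Decimal("80"):
        return "hours out of range"
    return None

def match_master(rec, master):
    """Processing control: computer matching against the master file."""
    return None if rec["emp"] in master else "no master record"

def run_batch(header, records, master):
    # Batch control totals: what arrived must equal what was sent.
    if control_totals(records) != header:
        raise ValueError("batch control totals do not match header")
    paid, rejected = [], []
    for rec in records:
        reason = edit_check(rec) or match_master(rec, master)
        if reason:
            rejected.append({**rec, "reason": reason})
        else:
            paid.append({**rec, "gross": rec["hours"] * master[rec["emp"]]})
    # Run control totals / output balancing: every input record and hour is
    # accounted for as either paid or rejected, nothing dropped or duplicated.
    if control_totals(paid + rejected) != header:
        raise ValueError("run control totals out of balance")
    return paid, rejected

if __name__ == "__main__":
    paid, rejected = run_batch(HEADER, BATCH, MASTER)
    for line in paid:
        print("PAY   ", line["emp"], line["gross"])
    for line in rejected:
        print("REJECT", line["emp"], line["reason"])
```

The rejected list is the exception report an operator would review; a batch whose totals disagree with its header is refused before any record is processed.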

SECURITY AND THE INTERNET

• ENCRYPTION: Coding & scrambling messages to deny unauthorized access
• AUTHENTICATION: Ability to identify another party
  – MESSAGE INTEGRITY
  – DIGITAL SIGNATURE
  – DIGITAL CERTIFICATE

PUBLIC KEY ENCRYPTION

[Figure: SENDER, Encrypt with public key, SCRAMBLED MESSAGE, Decrypt with private key, RECIPIENT]

• DIGITAL WALLET: Software stores credit card, electronic cash, owner ID, address for e-commerce transactions
• SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on Internet

ELECTRONIC PAYMENT SYSTEMS

• CREDIT CARD-SET: Protocol for payment security
• ELECTRONIC CASH: Digital currency
• ELECTRONIC CHECK: Encrypted digital signature
• SMART CARD: Chip stores e-cash
• ELECTRONIC BILL PAYMENT: Electronic funds transfer

DEVELOPING A CONTROL STRUCTURE

• COSTS: Can be expensive to build; complicated to use
• BENEFITS: Reduces expensive errors, loss of time, resources, good will

RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur

SYSTEM BUILDING APPROACHES

• STRUCTURED METHODOLOGIES
• COMPUTER AIDED SOFTWARE ENGINEERING (CASE)
• SOFTWARE REENGINEERING

STRUCTURED METHODOLOGIES

TOP DOWN, STEP BY STEP, EACH STEP BUILDS ON PREVIOUS

• STRUCTURED ANALYSIS
• STRUCTURED DESIGN
• STRUCTURED PROGRAMMING
• FLOWCHARTS

STRUCTURED ANALYSIS

• DEFINES SYSTEM INPUTS, PROCESSES, OUTPUTS
• PARTITIONS SYSTEM INTO SUBSYSTEMS OR MODULES
• LOGICAL, GRAPHICAL MODEL OF INFORMATION FLOW
• DATA FLOW DIAGRAM: Graphical display of component processes, flow of data

SYMBOLS FOR DATA FLOW DIAGRAMS (DFD):

• DATA FLOW
• PROCESS
• SOURCE OR SINK
• FILE

[Figure: DATA FLOW DIAGRAM. Labels: CUSTOMER, GENERATE BILL, GENERATE BALANCE, GENERATE REPORT, MANAGER, PAYMENT FILE, CUSTOMER FILE]

• DATA DICTIONARY: Controlled definitions of descriptions of all data, such as variable names & types of data
• PROCESS SPECIFICATIONS: Describes logic of processes at module level

STRUCTURED DESIGN

DESIGN RULES / TECHNIQUES TO DESIGN SYSTEM, TOP DOWN IN HIERARCHICAL FASHION

• STRUCTURE CHART
• STRUCTURED PROGRAMMING
• MODULE
• SEQUENCE CONSTRUCT
• SELECTION CONSTRUCT

[Figure: HIGH LEVEL STRUCTURE CHART. Boxes: PROCESS PAYROLL; GET VALID INPUTS; CALCULATE PAY; WRITE OUTPUTS; GET INPUTS; VALIDATE INPUTS; CALCULATE GROSS PAY; CALCULATE NET PAY; UPDATE MASTER FILE; WRITE OUTPUTS. (WHITE BOXES ARE MODULES)]

STRUCTURED PROGRAMMING:

• DISCIPLINE TO ORGANIZE, CODE PROGRAMS
• SIMPLIFIES CONTROL PATHS
• EASY TO UNDERSTAND, MODIFY
• MODULE HAS ONE INPUT, ONE OUTPUT
• MODULE: Logical unit of program; performs specific task(s)
• SEQUENCE CONSTRUCT: Sequential steps or actions in program logic; streamlines flow
• SELECTION CONSTRUCT: IF condition R is True THEN action C ELSE action D
• ITERATION CONSTRUCT: WHILE Condition is True DO action E

PROGRAM FLOWCHART SYMBOLS:

• BEGIN OR END
• DIRECTION
• PROCESS
• DECISION
• INPUT OR OUTPUT
• SUBROUTINE
• MANUAL OPERATION
• CONNECTOR

[Figure: PROGRAM FLOWCHART. Labels: START, READ, >$10,000, <$10,000, PROCESS A, PROCESS B, MORE?, PRINT, REPORT, END, connectors 1 and 2]

[Figure: PROGRAM FLOWCHART. Panels: SEQUENCE (PROCESS A, PROCESS B); SELECTION (R, TRUE, PROCESS C, PROCESS D); ITERATION (S, TRUE, PROCESS E)]

SYSTEM FLOWCHART SYMBOLS:

• DOCUMENT
• DATABASE
• ON-LINE DISPLAY
• TELECOMMUNICATIONS LINK
• INPUT/OUTPUT
• PROCESS
• MAGNETIC TAPE
• PUNCHED CARD
• MANUAL OPERATION
• ON-LINE STORAGE
• ON-LINE INPUT

[Figure: SYSTEM FLOWCHART, PAYROLL SYSTEM. Labels: TIME CARDS; HUMAN RESOURCES DATA; PAYROLL MASTER; LOAD & VALIDATE; VALID TRANSACTIONS; COMPARE & UPDATE; UPDATED PAYROLL MASTER; DIRECT DEPOSITS; GENERAL LEDGER; PAYROLL REPORTS & CHECKS; PAYROLL MASTER]

COMPUTER AIDED SOFTWARE ENGINEERING (CASE)

• AUTOMATION OF SOFTWARE METHODOLOGIES
• PRODUCES CHARTS; DIAGRAMS; SCREEN & REPORT GENERATORS; DATA DICTIONARIES; PROGRESS REPORTS; ANALYSIS; CHECKING TOOLS; CODE; DOCUMENTATION

INCREASES PRODUCTIVITY & QUALITY:

• ENFORCES DEVELOPMENT DISCIPLINE
• IMPROVES COMMUNICATION
• DESIGN REPOSITORY FOR OBJECTS
• AUTOMATES TEDIOUS TASKS
• AUTOMATES TESTING & CONTROL
• REQUIRES ORGANIZATIONAL DISCIPLINE

MIS AUDIT: IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS

• SOFTWARE METRICS: Objective measurements to assess system
• TESTING: Early, regular controlled efforts to detect, reduce errors
  – WALKTHROUGH
  – DEBUGGING
• DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness
