Ace Module - VI (System Security & Auditing)


  • 8/6/2019 Ace Module - VI (System Secutiry & Auditing)_ami

Amity School of Business
BBA General, 2nd Semester
System Analysis and Design
Apeksha Hooda

Module VI: System Security & Auditing

Topics
• System Security: Data Security, Backup and Recovery during System/Database Failure
• Ethical Issues in System Development
• Threat and Risk Analysis
• Audit
• System Audit
• System Audit Standards (Planning, Implementation and Reporting Standards)
• System Analysis and Programming (Overview, Role and Duties of System Experts as Analyst and Programmer)

System Security
The protection of data or hardware against accidental or intentional damage from a defined threat.
The system security problem can be divided into four related issues:
• Security
• Integrity
• Privacy
• Confidentiality

• System Security refers to the technical innovations and procedures applied to the hardware and operating systems to protect against deliberate or accidental damage from a defined threat.
• System Integrity refers to the proper functioning of hardware and programs without any improper modification, appropriate physical security, and safety against external threats.
• Privacy defines the rights of users or organizations to determine what information they are willing to share with or accept from others, and how the organization can be protected against unwelcome, unfair or excessive dissemination of information about it.
• Confidentiality is a special status given to sensitive information in a database to minimize the possible invasion of privacy.

Basic Components of Security
• Confidentiality: keeping data and resources hidden from unauthorized disclosure.
• Integrity (data integrity and origin integrity): the requirement that information be protected from improper modification.
• Availability: enabling access to data and resources for users who have a legitimate right to them.

Goals of Security
• Prevention: prevent attackers from violating the security policy.
• Detection: detect attackers' violations of the security policy.
• Recovery: stop the attack, assess and repair the damage, and continue to function correctly even if the attack succeeds.

Threat & Risk Analysis
• Natural threat
• Physical threat
• Malicious attack (virus, worm, trojan)
• Attack by hackers

Data Security, Backup & Recovery
Data Security: protection of data from loss, disclosure, modification, or destruction.
Backup & Recovery: restoring a damaged database is generally done by a rollforward or a rollback procedure.
• The rollforward approach involves updating a prior valid copy of the database with the necessary changes to produce a current version of the database.
• The rollback approach starts from the current invalid state and removes the record of activity to produce the prior valid state of the database.
Either approach depends largely on the software to bring the backup copy up to date and to determine the cause of the failure.
Backup can be extremely important in a recovery procedure. If the database is physically damaged, one cannot roll back because of the damaged database; one can only roll forward.

Database Failure
In a database environment, there are three types of failures: catastrophic, logical, and structural.
• A catastrophic failure is one where part of a database is unreadable. It is restored using the rollforward method of recovery.
• A logical failure occurs when activity to the database is interrupted with no chance of completing the currently executing transaction.
• Structural damage is when a pointer incorrectly stored in a record points to unrelated or nonexistent data.
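The rollforward and rollback procedures of the previous two slides, as an added Python illustration (this is not code from the slides or the course): a toy key-value database with a last valid backup copy, a transaction log and a set of committed transaction ids, all constructed for the example. It shows rollforward (prior valid copy plus the committed changes logged after it) and rollback (undoing uncommitted activity from the current state) arriving at the same valid state, and why a physically damaged database, the catastrophic case, can only be rolled forward: the rollback procedure has no trustworthy current state to undo from.

```python
from copy import deepcopy

# Constructed sample data (not from the slides).
# Last valid backup copy, taken after transaction 2 had committed.
BACKUP_SNAPSHOT = {"acct_a": 100, "acct_b": 50}
BACKUP_TXN_ID = 2

# Transaction log written since that backup: (txn_id, key, old_value, new_value).
# None as a value means "record absent". Transaction 6 was a two-step transfer
# whose second step never reached the log, so it has no commit record.
TXN_LOG = [
    (3, "acct_a", 100, 70),
    (4, "acct_b", 50, 80),
    (5, "acct_c", None, 10),
    (6, "acct_a", 70, 40),
]
COMMITTED = {3, 4, 5}

# Live database after a logical failure: records readable, txn 6 half-applied.
CURRENT_AFTER_LOGICAL_FAILURE = {"acct_a": 40, "acct_b": 80, "acct_c": 10}

# Live database after a catastrophic failure: part of it cannot be read.
CURRENT_AFTER_CATASTROPHIC_FAILURE = {"acct_a": "<unreadable>", "acct_c": 10}


def _apply(db, key, value):
    """Set one record, or delete it when the value is None."""
    if value is None:
        db.pop(key, None)
    else:
        db[key] = value


def roll_forward(backup, backup_txn_id, log, committed):
    """Rollforward: bring a prior valid copy up to date by re-applying the
    committed changes logged after the backup point."""
    db = deepcopy(backup)
    for txn_id, key, old, new in sorted(log):
        if txn_id <= backup_txn_id or txn_id not in committed:
            continue  # already inside the backup, or never committed
        if db.get(key) != old:
            raise ValueError(f"txn {txn_id}: backup and log disagree on {key!r}")
        _apply(db, key, new)
    return db


def roll_back(current, log, committed):
    """Rollback: start from the current invalid state and remove the record of
    uncommitted activity, most recent first, to reach the prior valid state."""
    db = deepcopy(current)
    for txn_id, key, old, new in sorted(log, reverse=True):
        if txn_id in committed:
            continue
        if db.get(key) != new:
            # The live record does not match what the log says was written
            # there, so it cannot be undone. This is how a physically damaged
            # database looks to the rollback procedure.
            raise ValueError(f"txn {txn_id}: live state and log disagree on {key!r}")
        _apply(db, key, old)
    return db


def rollback_possible(current, log, committed):
    """True if the current state is consistent enough to be rolled back."""
    try:
        roll_back(current, log, committed)
    except ValueError:
        return False
    return True


def recover(failure, current, backup, backup_txn_id, log, committed):
    """Choose the procedure the slides describe for each failure type."""
    if failure == "catastrophic":
        # Part of the live database is unreadable: there is no trustworthy
        # current state to undo from, so only rollforward from backup works.
        return roll_forward(backup, backup_txn_id, log, committed)
    if failure == "logical":
        # Records are intact but a transaction was interrupted mid-way:
        # undo its partial work rather than rebuild everything from backup.
        return roll_back(current, log, committed)
    raise ValueError(f"no automatic recovery procedure for {failure!r} failure")


if __name__ == "__main__":
    args = (BACKUP_SNAPSHOT, BACKUP_TXN_ID, TXN_LOG, COMMITTED)
    print("rollforward:", recover("catastrophic", CURRENT_AFTER_CATASTROPHIC_FAILURE, *args))
    print("rollback:   ", recover("logical", CURRENT_AFTER_LOGICAL_FAILURE, *args))
    print("rollback possible after catastrophic failure?",
          rollback_possible(CURRENT_AFTER_CATASTROPHIC_FAILURE, TXN_LOG, COMMITTED))
```

Both procedures end in the same state, {"acct_a": 70, "acct_b": 80, "acct_c": 10}, which is the point of the slide: rollforward rebuilds that state from the backup, rollback peels the incomplete transaction off the live copy. The log carries both old and new values so that either direction can verify every step before applying it; a real database engine does the same with its undo/redo records.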

Ethical Issues in System Development
Concern for the ethical behavior of analysts and computer professionals has led to the development of standards and codes of behavior by a number of professional associations. Three associations are worth mentioning:
• Association for Computing Machinery (ACM)
• Data Processing Management Association (DPMA)
• Institute for Certification of Computer Professionals (ICCP)
Ethics can be described as fairness, justice, equity, honesty, trustworthiness, and equality. Stealing, cheating, lying, or backing out of one's word all describe a lack of ethics.
Code of Ethics: a declaration of the principles and beliefs that govern how employees of an organization are expected to behave.

What is an Audit?
An audit is the evaluation of a person, organization, system, process, project or product.
• An audit provides a baseline of the existing system from which new investment can be accurately planned, avoiding excessive or inappropriate expenditure.
• The goal of an audit is to express an opinion on the person, organization or system under evaluation, based on the work done.

An audit is performed by an AUDITOR. There are two types of auditors:
• Internal Auditor
• External Auditor

1. Internal Auditors: employees of the company hired to assess and evaluate its system of internal control. To maintain independence, they present their reports directly to top-level management.
2. External Auditors: independent staff assigned by an auditing firm to assess and evaluate the financial statements of their clients or to perform other agreed-upon evaluations. They are called in from outside the company.

System Audit
• Also called a Process Audit: it can be conducted for any activity. It is usually made against a specific document such as an operating procedure, work instruction, training manual, etc.
• A series of activities in which a system auditor, in an impartial position independent of the object of the audit, performs an overall inspection and evaluation of an information system, issues advice and recommendations, and provides any necessary follow-up.

• System audits help spot errors in configuration, which can leave vulnerabilities in even the most secure products.
• Audits help overcome 'rule-creep', where small system changes over time cumulatively produce a significant shift in overall system security.
• A policy audit checks that the security policies which management has communicated are being adhered to.

System Auditor
A person who engages in system audits with the following knowledge and abilities:
• Basic knowledge of information systems
• Knowledge of system audits
• Ability to perform system audits
• Related knowledge for the performance of system audits

System Audit Standard
• Purpose
• Definitions of Terms
• Composition of the Standards
• Philosophy behind the Implementation Standards
• General Standards
• Implementation Standards

System Audit Standard
Purpose: the purpose of the Standards is to improve the reliability, security, and efficiency of information systems and thus contribute to the realization of a healthy information society by enumerating the matters necessary for system audits.

Definitions of Terms
These are the principal terms used in the Standards.
i. System Audit: a series of activities in which a system auditor, in an impartial position independent of the object of the audit, performs an overall inspection and evaluation of an information system, issues advice and recommendations, and provides any necessary follow-up.
ii. System Auditor: a person who engages in system audits with the following knowledge and abilities:
  a. Basic knowledge of information systems.
  b. Knowledge of system audits.
  c. Ability to perform system audits.
  d. Related knowledge for the performance of system audits.

iii. Improvement of reliability: to improve the quality of information systems, prevent failure, minimize the effects of failure, and speed up recovery.
iv. Improvement of security: to make an information system more secure from natural disasters, unauthorized access, and destructive actions.
v. Improvement of efficiency: to improve the cost performance of an information system by making the most of its resources.
vi. Basic plan: a general plan of system audits to be performed during any given year.

vii. Individual plan: a plan for any of the individual system audit operations based on a basic plan.
viii. Risk analysis: to identify the risks that may arise from or in connection with the use of an information system and analyze the degrees of their effects.
ix. Audited division: a division that is an object of a system audit.
x. Matter noted: a problem pointed out by a system auditor according to his or her criteria and noted on a system audit report.
xi. Recommendation of improvement: a matter noted that is judged by a system auditor as requiring improvement and noted as such on a system audit report.
xii. Follow-up: the measure or measures taken by a system auditor to ensure the audited division carries out any recommendations of improvement.

Composition of the Standards
The Standards are composed of:
• General Standards
• Implementation Standards
• Reporting Standards

General Standards
General Standards outline the principles of an audit plan that provides a basis for a system audit, the qualifications of a system auditor, and so forth.
1. System: the organization shall prepare a system for the proper implementation of system audits.
2. Audit Plan: preparation of a basic plan and individual plans for system audits.

3. Responsibility and Authority of a System Auditor
• The system auditor shall make the grounds for each of his or her judgments clear.
• The system auditor may demand data and materials from the audited division.
• The system auditor may demand that a report on the implementation of improvement be issued by the head of the organization to an audited division.
4. Professional Ethics
• The system auditor shall firmly maintain his or her position as an impartial evaluator.
• The system auditor shall be aware of the ethical demands on himself or herself and meet internal and external trust by performing an accurate and sincere system audit.

5. Confidentiality
• The system auditor must not divulge any secret he or she may come to know in the course of performing his or her job, or use such a secret for any undue purpose.

Implementation Standards
1. Planning
• Information Strategy
• Formulation of a General Plan
• Formulation of a Development Plan
• System Analysis and Definition of Requirements
2. Development
• Development Procedures
• System Design
• Program Design
• Programming
• System Tests
• Conversion

3. Operation
• Operation Control
• Input Management
• Data Management
• Output Management
• Software Management
• Hardware Management
• Network Management
• Configuration Management
• Management of Buildings and Related Facilities

4. Maintenance
• Maintenance Procedures
• Maintenance Plan
• Implementation of Maintenance
• Confirmation of Maintenance
• System Conversion
• Disposal of Old Systems

5. Common Work
• Document Management
• Preparation Management
• Progress Management
• Implementation Evaluation
• Personnel Management
• Responsibility and Authority
• Implementation of Work
• Education and Training
• Health Management

Outsourcing
• Outsourcing Plan
• Selection of Service Providers
• Service Agreements
• Contents of Services
Measures against Disasters
• Risk Analysis
• Anti-Disaster Plan
• Backup
• Alternative Processing and Recovery

Reporting Standards
1. Preparation of Reports
• The system auditor must prepare a system audit report.
• The system audit report must state the results of the evaluation of the reliability, security, and efficiency of an information system.
• The system audit report must state, as matters noted, the problems based on the results of the audit.
• The system audit report must state, as recommendations of improvement, the important matters that need to be improved.
• The system audit report must state improvements that can be proposed for the matters that need to be improved.
• The system auditor must state on his or her system audit report any other matters he or she considers necessary.

2. Reporting: the system audit report must be submitted to the head of the organization.
3. Follow-up: the system auditor must try to grasp the progress of improvement made based on the recommendations of improvement and promote that improvement.

System Analyst
The System Analyst designs and implements systems to suit the organization's needs. He plays a major role in seeking business benefits from computer technology. His job is not confined to data processing; it also deals heavily with people, procedures and technology.

Skills of a System Analyst
• Interpersonal Skills
• Technical Skills

7 Roles of a System Analyst
• Change Agent
• Investigator and Monitor
• Architect
• Psychologist
• Salesperson
• Motivator
• Politician


Thank You & All the best!