Information systems

  1. 16. INFORMATION SYSTEMS SECURITY & CONTROL
  2. LEARNING OBJECTIVES
     - DEMONSTRATE WHY INFORMATION SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE AND QUALITY CONTROL PROBLEMS
     - COMPARE GENERAL AND APPLICATION CONTROLS
     - SELECT FACTORS FOR DEVELOPING CONTROLS
  3. CONTENTS
     - SYSTEM VULNERABILITY & ABUSE
     - CREATING A CONTROL ENVIRONMENT
  4. SYSTEM VULNERABILITY & ABUSE
     - WHY SYSTEMS ARE VULNERABLE
     - HACKERS & VIRUSES
     - CONCERNS FOR BUILDERS & USERS
     - SYSTEM QUALITY PROBLEMS
  5. THREATS TO INFORMATION SYSTEMS
     - HARDWARE FAILURE, FIRE
     - SOFTWARE FAILURE, ELECTRICAL PROBLEMS
     - PERSONNEL ACTIONS, USER ERRORS
     - ACCESS PENETRATION, PROGRAM CHANGES
     - THEFT OF DATA, SERVICES, EQUIPMENT
     - TELECOMMUNICATIONS PROBLEMS
  6. WHY SYSTEMS ARE VULNERABLE
     - SYSTEM COMPLEXITY (NO LARGE SYSTEM IS PERFECT)
     - COMPUTERIZED PROCEDURES APPEAR TO BE INVISIBLE AND ARE NOT EASILY UNDERSTOOD OR AUDITED
     - EXTENSIVE EFFECT OF DISASTER (ALL RECORDS CAN BE DESTROYED AND LOST FOREVER)
     - UNAUTHORIZED ACCESS POSSIBLE
  7. VULNERABILITIES
     - COMMUNICATION LINES: Intercept data by tapping or interfering with communication lines
     - HARDWARE: Improper connections, failure of protection circuits
     - SOFTWARE: Failure of protection features, access control
     - FILES: Subject to theft, copying, unauthorized access
  8. VULNERABILITIES
     - USER: Identification, authentication, appropriate use of software
     - PROGRAMMER: Disables protective features; reveals protective measures
     - MAINTENANCE STAFF: Disables hardware devices and protective measures
     - OPERATOR: Doesn't notify supervisor; reveals protective measures
  9. HACKERS & COMPUTER VIRUSES
     - HACKER: Person who gains access to a computer for profit, criminal mischief or personal pleasure
     - COMPUTER VIRUS: Computer program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory
  10. COMMON COMPUTER VIRUSES
     - CONCEPT: Word documents, e-mail. Deletes files
     - FORM: Makes clicking sound, corrupts data
     - ONE_HALF: Corrupts hard drive, flashes its name on screen
     - MONKEY: Windows won't run
     - JUNKIE: Infects files and boot sector; memory conflicts
     - RIPPER: Randomly corrupts hard drive files
  11. ANTIVIRUS SOFTWARE
     - SOFTWARE TO DETECT AND ELIMINATE VIRUSES
     - ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS AND ON INCOMING NETWORK FILES
  12. CONCERNS FOR BUILDERS & USERS
     - DISASTER
     - BREACH OF SECURITY
     - ERRORS
  13. DISASTER
     - LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY
     - FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (particularly for on-line transaction processing)
  14. SECURITY
     - POLICIES, PROCEDURES AND TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT OR PHYSICAL DAMAGE TO INFORMATION SYSTEMS
  15. WHERE ERRORS OCCUR DURING PROCESSING
     - DATA PREPARATION
     - TRANSMISSION
     - CONVERSION
     - FORM COMPLETION
     - ON-LINE DATA ENTRY
     - KEYPUNCHING, SCANNING, OTHER INPUTS
  16. WHERE ERRORS OCCUR DURING PROCESSING (continued)
     - VALIDATION
     - PROCESSING / FILE MAINTENANCE
     - OUTPUT
     - TRANSMISSION
     - DISTRIBUTION
  17. SYSTEM QUALITY PROBLEMS
     - BUGS: Program code defects or errors
     - MAINTENANCE: Modifying a system in production use; can take up to 50% of information systems staff time
     - DATA QUALITY PROBLEMS: Finding and correcting errors is costly and tedious
  18. COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
     [chart: COSTS (vertical axis) against development phase: ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]
  19. CREATING A CONTROL ENVIRONMENT
     - CONTROLS: METHODS, POLICIES AND PROCEDURES TO PROTECT ASSETS, ENSURE THE ACCURACY & RELIABILITY OF RECORDS, AND ENSURE ADHERENCE TO MANAGEMENT STANDARDS
     - GENERAL CONTROLS
     - APPLICATION CONTROLS
  20. GENERAL CONTROLS
     - IMPLEMENTATION: Audit system development to assure proper control and management
     - SOFTWARE: Ensure security (access control) and reliability of software
     - PHYSICAL HARDWARE: Ensure physical security and performance of computer hardware
  21. GENERAL CONTROLS (continued)
     - COMPUTER OPERATIONS: Ensure procedures are consistently and correctly applied to data storage and processing
     - DATA SECURITY: Ensure data disks and tapes are protected from unauthorized access, change or destruction
     - ADMINISTRATIVE: Ensure controls are properly executed and enforced
     - SEGREGATION OF FUNCTIONS: Divide responsibility for tasks so that no single person controls an entire process (for example, the person who writes a program does not also run it in production)
  22. APPLICATION CONTROLS
     - INPUT
     - PROCESSING
     - OUTPUT
  23. INPUT CONTROLS
     - INPUT AUTHORIZATION: Record and monitor source documents
     - BATCH CONTROL TOTALS: Count transactions prior to and after processing
     - EDIT CHECKS: Verify input data, correct errors
  24. EDIT CHECKS
     - REASONABLENESS CHECKS
     - FORMAT CHECKS
     - EXISTENCE CHECKS
     - DEPENDENCY CHECKS
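The four edit checks on the slide above, as an added example that is not part of the original deck. The record layout, the department master table, the 0..80 hour range and the exempt/overtime rule are all assumptions made for illustration; the point is that each check rejects a different kind of keying error before the record reaches processing.

```python
"""Added example (not from the slides): the four edit checks of slide 24
run over a constructed batch of payroll input records.

Everything here is an assumption made for illustration: the record layout,
the department master table, the 0..80 hour range and the exempt/overtime rule.
"""
import re

# Constructed master table used by the existence check
VALID_DEPARTMENTS = {"D100", "D200", "D300"}

# Constructed format rule: employee IDs look like E12345
EMPLOYEE_ID_FORMAT = re.compile(r"^E\d{5}$")


def _number(value):
    """Return float(value), or None when the field is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def edit_check(record):
    """Return the list of error strings for one input record (empty means clean).

    Each error is prefixed with the kind of edit check that rejected it."""
    errors = []

    # FORMAT CHECK: each field has the expected shape and type
    if not EMPLOYEE_ID_FORMAT.match(record.get("emp_id", "")):
        errors.append("format: emp_id must look like E12345")
    hours = _number(record.get("hours"))
    if hours is None:
        errors.append("format: hours must be numeric")
    overtime = _number(record.get("overtime", "0"))
    if overtime is None:
        errors.append("format: overtime must be numeric")

    # REASONABLENESS CHECK: the value lies inside the plausible range,
    # which catches keying errors such as 400 hours instead of 40
    if hours is not None and not 0 <= hours <= 80:
        errors.append(f"reasonableness: hours={hours:g} outside 0..80")

    # EXISTENCE CHECK: a code must refer to something in the master table
    dept = record.get("dept")
    if dept not in VALID_DEPARTMENTS:
        errors.append(f"existence: unknown dept {dept!r}")

    # DEPENDENCY CHECK: a value is only valid in combination with another field
    # (constructed rule: exempt staff cannot claim overtime)
    if record.get("exempt") == "Y" and overtime and overtime > 0:
        errors.append("dependency: exempt employee may not claim overtime")

    return errors


def screen_batch(records):
    """Split a batch into accepted records and rejected (record, errors) pairs,
    so the rejects go back for correction while the clean records proceed."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_check(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record, then one failure per check
SAMPLE_BATCH = [
    {"emp_id": "E10001", "dept": "D100", "hours": "40", "overtime": "0", "exempt": "N"},
    {"emp_id": "10001", "dept": "D100", "hours": "40", "overtime": "0", "exempt": "N"},   # format
    {"emp_id": "E10002", "dept": "D100", "hours": "400", "overtime": "0", "exempt": "N"},  # reasonableness
    {"emp_id": "E10003", "dept": "D999", "hours": "38", "overtime": "0", "exempt": "N"},   # existence
    {"emp_id": "E10004", "dept": "D200", "hours": "45", "overtime": "5", "exempt": "Y"},   # dependency
]

if __name__ == "__main__":
    accepted, rejected = screen_batch(SAMPLE_BATCH)
    print(f"accepted {len(accepted)}, rejected {len(rejected)}")
    for rec, errs in rejected:
        print(rec["emp_id"], "->", "; ".join(errs))
```

The checks are deliberately independent: a record can fail several at once, and every failure is reported rather than only the first, so the person correcting the source document sees the whole list in one pass.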
  25. PROCESSING CONTROLS
     - ESTABLISH THAT DATA IS COMPLETE AND ACCURATE DURING PROCESSING
     - RUN CONTROL TOTALS: Generate control totals before & after processing
     - COMPUTER MATCHING: Match input data to master files
  26. OUTPUT CONTROLS
     - ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE AND PROPERLY DISTRIBUTED
     - BALANCE OUTPUT TOTALS WITH INPUT AND PROCESSING TOTALS
     - REVIEW PROCESSING LOGS
     - ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
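Batch control totals (slide 23), run control totals with computer matching (slide 25) and balancing output totals against input totals (slide 26) are one technique applied at three stages, so a single added example covers all three. It is not code from the original deck; the transaction layout (account number, amount in cents), the master file as a dict and the hand-prepared batch header are assumptions for illustration.

```python
"""Added example (not from the slides): batch control totals (slide 23),
run control totals and computer matching (slide 25), and balancing output
totals (slide 26), applied to a constructed batch of payment transactions.

Assumptions for illustration: a transaction is (account number, amount in
cents), the master file is a dict of account -> balance, and the batch header
totals were prepared by hand from the source documents.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    count: int        # record count
    amount: int       # financial total, in cents (a meaningful sum)
    hash_total: int   # sum of account numbers: meaningless as a number,
                      # but it changes if an account is keyed wrongly


def control_totals(txns):
    """Compute the three control totals over a list of (account, cents) pairs."""
    return ControlTotals(
        count=len(txns),
        amount=sum(cents for _, cents in txns),
        hash_total=sum(acct for acct, _ in txns),
    )


def compare(stage, expected, actual):
    """Return one problem string per total that fails to balance at this stage."""
    problems = []
    for field in ("count", "amount", "hash_total"):
        e, a = getattr(expected, field), getattr(actual, field)
        if e != a:
            problems.append(f"{stage}: {field} expected {e}, got {a}")
    return problems


def post_transactions(txns, master):
    """Processing step: post each transaction to the master file.

    COMPUTER MATCHING: a transaction whose account has no master record is
    not posted; it is returned separately instead of being silently dropped."""
    posted, unmatched = [], []
    for acct, cents in txns:
        if acct in master:
            master[acct] += cents
            posted.append((acct, cents))
        else:
            unmatched.append((acct, cents))
    return posted, unmatched


def run_batch(header, keyed, master):
    """Run one batch through input, processing and output controls.

    Returns the list of control problems; an empty list means the batch
    balanced at every stage. Assumes one transaction per account per batch."""
    # INPUT: totals computed from the keyed data must equal the batch header
    problems = compare("input", header, control_totals(keyed))
    if problems:
        return problems                    # reject the batch before processing

    # PROCESSING: run control totals over what was actually posted
    before = dict(master)
    posted, unmatched = post_transactions(keyed, master)
    problems += compare("processing", header, control_totals(posted))
    problems += [f"processing: no master record for account {a}" for a, _ in unmatched]

    # OUTPUT: the change written to the master file must balance back to the input
    output = [(acct, master[acct] - before[acct]) for acct in master if master[acct] != before[acct]]
    problems += compare("output", header, control_totals(output))
    return problems


# Constructed batch: header prepared from the source documents, then three
# versions of the keyed data
SOURCE_HEADER = ControlTotals(count=3, amount=154995, hash_total=3006)
KEYED_OK = [(1001, 25000), (1002, 9995), (1003, 120000)]
KEYED_SUBSTITUTED = [(1001, 25000), (1020, 9995), (1003, 120000)]   # 1002 keyed as 1020
KEYED_TRANSPOSED = [(1001, 25000), (1002, 9995), (1003, 210000)]    # 1200.00 keyed as 2100.00

if __name__ == "__main__":
    for name, keyed in [("ok", KEYED_OK), ("substituted", KEYED_SUBSTITUTED), ("transposed", KEYED_TRANSPOSED)]:
        print(name, run_batch(SOURCE_HEADER, keyed, {1001: 0, 1002: 0, 1003: 0}) or "balanced")
    print("missing master record", run_batch(SOURCE_HEADER, KEYED_OK, {1001: 0, 1002: 0}))
```

The three totals catch different errors: a wrong amount only moves the financial total, an account keyed as another account only moves the hash total, and a record dropped between input and output moves all three. Amounts are kept in integer cents so the totals compare exactly rather than to within floating-point error.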
  27. SECURITY AND THE INTERNET
     - ENCRYPTION: Coding & scrambling messages to deny unauthorized access
     - AUTHENTICATION: Ability to identify another party
        - MESSAGE INTEGRITY
        - DIGITAL SIGNATURE
        - DIGITAL CERTIFICATE
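The message-integrity and authentication items on the slide above, as an added example using only the Python standard library; it is not code from the original deck. It assumes the two parties already share a secret key, a sender|nonce|payload|tag message layout, and a set of previously seen nonces kept by the receiver to reject replays. All of those are constructed for illustration. A keyed hash (HMAC) proves that a message came from a key holder and was not altered in transit; it does not provide the non-repudiation of a digital signature, because either key holder could have produced the tag, and that asymmetric-key case (with a digital certificate binding the public key to its owner) is not shown here.

```python
"""Added example (not from the slides): the 'message integrity' and
'authentication' items of slide 27 demonstrated with a keyed hash
(HMAC-SHA-256) from the Python standard library.

Assumptions for illustration: the two parties already share a secret key,
the message layout is sender|nonce|payload|tag, and a set of seen nonces is
kept to reject replays. This gives integrity and origin authentication only
between holders of the key; a digital signature (asymmetric keys, certified by
a digital certificate) is what the slide lists for the case where the
verifier must not be able to forge messages itself, and it is not shown here.
"""
import hashlib
import hmac
import json
import secrets


def seal(key, sender, payload, nonce=None):
    """Build sender|nonce|payload|tag, where tag = HMAC(key, everything before it)."""
    if "|" in sender:
        raise ValueError("sender must not contain the field separator")
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    body = b"|".join([
        sender.encode(),
        nonce.hex().encode(),
        json.dumps(payload, sort_keys=True).encode(),   # canonical encoding
    ])
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_message(key, message, seen_nonces):
    """Check a sealed message and return a result dict.

    ok=True carries sender and payload; ok=False carries the reason. The tag
    is checked with a constant-time comparison before anything else is
    trusted, and the replay check runs only on messages with a valid tag."""
    try:
        body, tag = message.rsplit(b"|", 1)
        sender, nonce_hex, payload_json = body.split(b"|", 2)
    except ValueError:
        return {"ok": False, "reason": "malformed"}

    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return {"ok": False, "reason": "bad tag"}        # altered, or wrong key

    if nonce_hex in seen_nonces:
        return {"ok": False, "reason": "replay"}         # genuine, but already delivered
    seen_nonces.add(nonce_hex)

    return {"ok": True, "sender": sender.decode(), "payload": json.loads(payload_json)}


# Constructed demonstration key (a real key would be random and kept secret)
KEY = b"constructed-shared-secret-not-for-real-use"

if __name__ == "__main__":
    seen = set()
    msg = seal(KEY, "alice", {"to": "bob", "amount": 250})
    print("genuine:", verify_message(KEY, msg, seen))
    print("altered:", verify_message(KEY, msg.replace(b"250", b"999"), seen))
    print("replayed:", verify_message(KEY, msg, seen))
    print("wrong key:", verify_message(b"other", msg, set()))
```

Two details matter in practice: the tag is compared with `hmac.compare_digest` rather than `==`, so the time taken to reject a forgery does not leak how many leading bytes were right, and the nonce is inside the authenticated body, so an attacker cannot swap a fresh nonce onto an old message to get it past the replay check.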
  28. SECURITY AND THE INTERNET
     - SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on the Internet
     - ELECTRONIC CASH: Currency represented in electronic form, preserving user anonymity
  29. DEVELOPING A CONTROL STRUCTURE
     - COSTS: Can be expensive to build; complicated to use
     - BENEFITS: Reduces expensive errors, loss of time, resources and good will
     - RISK ASSESSMENT: Determine the frequency of occurrence of a problem, its cost, and the damage if it were to occur
  30. MIS AUDIT
     - IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS
     - TESTING: Early, regular controlled efforts to detect and reduce errors
        - WALKTHROUGH
        - DEBUGGING
     - DATA QUALITY AUDIT: Survey samples of files for accuracy and completeness