Information systems

Published in: Technology, Business

Transcript
  • 1. 16. INFORMATION SYSTEMS SECURITY & CONTROL
  • 2. LEARNING OBJECTIVES
    ◦ Demonstrate why information systems are vulnerable to destruction, error, abuse and quality control problems
    ◦ Compare general and application controls
    ◦ Select factors for developing controls
  • 3. CONTENTS
    ◦ System vulnerability & abuse
    ◦ Creating a control environment
  • 4. SYSTEM VULNERABILITY & ABUSE
    ◦ Why systems are vulnerable
    ◦ Hackers & viruses
    ◦ Concerns for builders & users
    ◦ System quality problems
  • 5. THREATS TO INFORMATION SYSTEMS
    ◦ Hardware failure, fire
    ◦ Software failure, electrical problems
    ◦ Personnel actions, user errors
    ◦ Access penetration, program changes
    ◦ Theft of data, services, equipment; telecommunications problems
  • 6. WHY SYSTEMS ARE VULNERABLE
    ◦ System complexity (perfection is unattainable)
    ◦ Computerized procedures appear to be invisible and are not easily understood or audited
    ◦ Extensive effect of disaster (all records can be destroyed and lost forever)
    ◦ Unauthorized access is possible
  • 7. VULNERABILITIES
    ◦ Communication lines: data intercepted by tapping or interfering with communication lines
    ◦ Hardware: improper connections, failure of protection circuits
    ◦ Software: failure of protection features, access control
    ◦ Files: subject to theft, copying, unauthorized access
  • 8. VULNERABILITIES
    ◦ User: identification, authentication, appropriate use of software
    ◦ Programmer: disables protective features; reveals protective measures
    ◦ Maintenance staff: disables hardware devices and protective measures
    ◦ Operator: doesn't notify supervisor, reveals protective measures
  • 9. HACKERS & COMPUTER VIRUSES
    ◦ Hacker: person who gains access to a computer for profit, criminal mischief or personal pleasure
    ◦ Computer virus: computer program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory
  • 10. COMMON COMPUTER VIRUSES
    ◦ Concept: Word documents, e-mail; deletes files
    ◦ Form: makes clicking sound, corrupts data
    ◦ One_Half: corrupts hard drive, flashes its name on screen
    ◦ Monkey: Windows won't run
    ◦ Junkie: infects files, boot sector; memory conflicts
    ◦ Ripper: randomly corrupts hard drive files
  • 11. ANTIVIRUS SOFTWARE
    ◦ Software to detect and eliminate viruses
    ◦ Advanced versions run in memory to protect processing, guard against viruses on disks, and on incoming network files
  • 12. CONCERNS FOR BUILDERS & USERS
    ◦ Disaster
    ◦ Breach of security
    ◦ Errors
  • 13. DISASTER
    ◦ Loss of hardware, software, data by fire, power failure, flood or other calamity
    ◦ Fault-tolerant computer systems: backup systems to prevent system failure (particularly for on-line transaction processing)
  • 14. SECURITY
    ◦ Policies, procedures and technical measures to prevent unauthorized access, alteration, theft and physical damage to information systems
  • 15. WHERE ERRORS OCCUR DURING PROCESSING
    ◦ Data preparation
    ◦ Transmission
    ◦ Conversion
    ◦ Form completion
    ◦ On-line data entry
    ◦ Keypunching; scanning; other inputs
  • 16. WHERE ERRORS OCCUR DURING PROCESSING
    ◦ Validation
    ◦ Processing / file maintenance
    ◦ Output
    ◦ Transmission
    ◦ Distribution
  • 17. SYSTEM QUALITY PROBLEMS
    ◦ Bugs: program code defects or errors
    ◦ Maintenance: modifying a system in production use; can take up to 50% of information systems staff time
    ◦ Data quality problems: finding and correcting errors; costly; tedious
  • 18. COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE (chart: cost of errors by phase; phases shown: analysis & design, programming, conversion, postimplementation)
  • 19. CREATING A CONTROL ENVIRONMENT
    ◦ Controls: methods, policies and procedures to protect assets, the accuracy & reliability of records, and adherence to management standards
    ◦ General controls
    ◦ Application controls
  • 20. GENERAL CONTROLS
    ◦ Implementation: audit system development to assure proper control and management
    ◦ Software: ensure security (access) and reliability of software
    ◦ Physical hardware: ensure physical security and performance of computer hardware
  • 21. GENERAL CONTROLS
    ◦ Computer operations: ensure procedures are consistently and correctly applied to data storage and processing
    ◦ Data security: ensure data disks and tapes are protected from unauthorized access, change or destruction
    ◦ Administrative: ensure controls are properly executed and enforced
    ◦ Segregation of functions: divide responsibility for tasks so no one person controls a whole process
  • 22. APPLICATION CONTROLS
    ◦ Input
    ◦ Processing
    ◦ Output
  • 23. INPUT CONTROLS
    ◦ Input authorization: record and monitor source documents
    ◦ Batch control totals: count transactions prior to and after processing
    ◦ Edit checks: verify input data, correct errors
  • 24. EDIT CHECKS
    ◦ Reasonableness checks
    ◦ Format checks
    ◦ Existence checks
    ◦ Dependency checks
  • 25. PROCESSING CONTROLS
    ◦ Establish that data is complete and accurate during processing
    ◦ Run control totals: generate control totals before & after processing
    ◦ Computer matching: match input data to master files
  • 26. OUTPUT CONTROLS
    ◦ Establish that results are accurate, complete and properly distributed
    ◦ Balance output totals with input and processing totals
    ◦ Review processing logs
    ◦ Ensure only authorized recipients get results
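Slides 23 to 26 describe the application controls as a chain: edit checks on input, control totals taken before and after processing, computer matching against a master file, and output balanced against the input totals. The example below, added here and not part of the slide deck, runs that chain over a constructed payroll batch (the employee master, the records and the field names are assumptions). Each of the four edit checks from slide 24 rejects exactly one record, and the control totals expose a record that goes missing during processing.

```python
import re

# Constructed master file for the existence check (slide 25: computer matching).
EMPLOYEE_MASTER = {"E1001": "Alice", "E1002": "Bob", "E1003": "Carol"}

# Constructed input batch. Records 0-2 are clean; each of the rest violates
# one edit check, noted in the trailing comment.
INPUT_BATCH = [
    {"emp_id": "E1001", "hours": 40, "overtime": 5, "rate": "25.00"},
    {"emp_id": "E1002", "hours": 38, "overtime": 0, "rate": "30.50"},
    {"emp_id": "E1003", "hours": 45, "overtime": 5, "rate": "22.00"},
    {"emp_id": "E1001", "hours": 300, "overtime": 0, "rate": "25.00"},  # reasonableness
    {"emp_id": "E9999", "hours": 40, "overtime": 0, "rate": "25.00"},   # existence
    {"emp_id": "E1002", "hours": 0, "overtime": 10, "rate": "30.50"},   # dependency
    {"emp_id": "E1003", "hours": 40, "overtime": 0, "rate": "22,00"},   # format
]

RATE_FORMAT = re.compile(r"^\d+\.\d{2}$")  # currency string with two decimals


def edit_check(rec):
    """Return the names of the edit checks a record fails (empty list = accepted)."""
    errors = []
    if not RATE_FORMAT.match(rec["rate"]):
        errors.append("format")          # field shape is wrong
    if rec["emp_id"] not in EMPLOYEE_MASTER:
        errors.append("existence")       # key not found in the master file
    if not 0 <= rec["hours"] <= 80:
        errors.append("reasonableness")  # value outside a plausible range
    if rec["overtime"] > 0 and rec["hours"] == 0:
        errors.append("dependency")      # one field only makes sense given another
    return errors


def control_totals(records):
    """Record count plus a hash total (sum of hours), taken at each stage."""
    return {"count": len(records), "hours": sum(r["hours"] for r in records)}


def gross_pay(rec):
    return round((rec["hours"] + 1.5 * rec["overtime"]) * float(rec["rate"]), 2)


def process_batch(records, simulate_loss=None):
    """Input -> edit checks -> processing -> output, balancing totals across stages.

    simulate_loss drops one accepted record mid-processing so the run control
    totals no longer agree with the batch totals (a processing fault the
    controls are meant to catch)."""
    batch_totals = control_totals(records)  # batch control total: before processing
    accepted, rejected = [], {}
    for i, rec in enumerate(records):
        errs = edit_check(rec)
        if errs:
            rejected[i] = errs  # logged so the input authorization trail is complete
        else:
            accepted.append(rec)
    if simulate_loss is not None:
        accepted = [r for j, r in enumerate(accepted) if j != simulate_loss]
    output = [{"emp_id": r["emp_id"], "gross": gross_pay(r)} for r in accepted]
    # Run control total: re-derived after processing from what actually came through.
    run_totals = control_totals(accepted + [records[i] for i in rejected])
    # Output control: totals balance and every input record is either an output
    # line or a logged rejection.
    balanced = (run_totals == batch_totals
                and len(output) + len(rejected) == batch_totals["count"])
    return {"output": output, "rejected": rejected, "batch_totals": batch_totals,
            "run_totals": run_totals, "balanced": balanced}


if __name__ == "__main__":
    print(process_batch(INPUT_BATCH))
    print(process_batch(INPUT_BATCH, simulate_loss=0)["balanced"])
```

The hash total is deliberately a sum of a business field (hours) rather than a record count alone: a lost and a duplicated record cancel out in a count but not in a hash total, which is why the slides list both batch and run totals.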
  • 27. SECURITY AND THE INTERNET
    ◦ Encryption: coding & scrambling messages to deny unauthorized access
    ◦ Authentication: ability to identify another party
      ▪ Message integrity
      ▪ Digital signature
      ▪ Digital certificate
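Slide 27 lists message integrity as one leg of authentication. The example below, added here and not taken from the slides, shows the mechanism with a keyed hash (HMAC-SHA256 from the Python standard library) over a constructed transfer message: the receiver recomputes the tag with the shared key and rejects anything that was altered in transit or tagged with a different key. A digital signature gives the same integrity guarantee with an asymmetric key pair, so that the verifier needs only the public key; the standard library has no signing primitive, so this block stays with the symmetric keyed hash. The key, the message fields and the wire format are assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice it comes from a key store, not source code.
SHARED_KEY = b"constructed-shared-key-for-the-example"


def protect(key: bytes, message: dict) -> bytes:
    """Serialize the message deterministically and append an integrity tag.

    Wire format (assumed for this example): <canonical json>.<hex hmac tag>.
    Canonical serialization matters: the tag covers bytes, so sender and
    receiver must produce the same bytes for the same message."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify(key: bytes, wire: bytes):
    """Return the parsed message if the tag checks out, otherwise None."""
    body, sep, tag = wire.rpartition(b".")  # the hex tag never contains '.'
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def demo():
    """Untampered message verifies; an altered amount or a different key does not."""
    message = {"from": "acct-1", "to": "acct-2", "amount": 250.0}
    wire = protect(SHARED_KEY, message)
    tampered = wire.replace(b"250.0", b"2500.0")  # change in transit
    return {
        "genuine": verify(SHARED_KEY, wire),
        "tampered": verify(SHARED_KEY, tampered),
        "wrong_key": verify(b"some-other-key", wire),
    }


if __name__ == "__main__":
    print(demo())
```

The tag proves that whoever produced the message held the shared key, which is why the slide groups integrity under authentication; it does not hide the content (that is the encryption bullet) and, because both sides hold the same key, it cannot settle which of them sent a given message (that is what a digital signature adds).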
  • 28. SECURITY AND THE INTERNET
    ◦ Secure Electronic Transaction (SET): standard for securing credit card transactions on the Internet
    ◦ Electronic cash: currency represented in electronic form, preserving user anonymity
  • 29. DEVELOPING A CONTROL STRUCTURE
    ◦ Costs: can be expensive to build; complicated to use
    ◦ Benefits: reduces expensive errors, loss of time, resources and good will
    ◦ Risk assessment: determine the frequency of occurrence of a problem and the cost or damage if it were to occur
  • 30. MIS AUDIT
    ◦ Identifies the controls of information systems and assesses their effectiveness
    ◦ Testing: early, regular controlled efforts to detect and reduce errors
      ▪ Walkthrough
      ▪ Debugging
    ◦ Data quality audit: survey samples of files for accuracy and completeness
  • 31. 16. INFORMATION SYSTEMS SECURITY & CONTROL