16. INFORMATION SYSTEMS SECURITY & CONTROL

LEARNING OBJECTIVES
• DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS
• COMPARE GENERAL AND APPLICATION CONTROLS
• SELECT FACTORS FOR DEVELOPING CONTROLS

LEARNING OBJECTIVES
• DESCRIBE IMPORTANT SOFTWARE QUALITY-ASSURANCE TECHNIQUES
• DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITY

MANAGEMENT CHALLENGES
• SYSTEM VULNERABILITY & ABUSE
• CREATING A CONTROL ENVIRONMENT
• ENSURING SYSTEM QUALITY

SYSTEM VULNERABILITY & ABUSE
• WHY SYSTEMS ARE VULNERABLE
• HACKERS & VIRUSES
• CONCERNS FOR BUILDERS & USERS
• SYSTEM QUALITY PROBLEMS

THREATS TO INFORMATION SYSTEMS
• HARDWARE FAILURE
• FIRE
• SOFTWARE FAILURE
• ELECTRICAL PROBLEMS
• PERSONNEL ACTIONS
• USER ERRORS
• ACCESS PENETRATION
• PROGRAM CHANGES
• THEFT OF DATA, SERVICES, EQUIPMENT
• TELECOMMUNICATIONS PROBLEMS

WHY SYSTEMS ARE VULNERABLE
• SYSTEM COMPLEXITY
• COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED
• EXTENSIVE EFFECT OF DISASTER
• UNAUTHORIZED ACCESS POSSIBLE

VULNERABILITIES
• RADIATION: Allows recorders, bugs to tap system
• CROSSTALK: Can garble data
• HARDWARE: Improper connections, failure of protection circuits
• SOFTWARE: Failure of protection features, access control, bounds control
• FILES: Subject to theft, copying, unauthorized access

VULNERABILITIES
• USER: Identification, authentication, subtle software modification
• PROGRAMMER: Disables protective features; reveals protective measures
• MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities
• OPERATOR: Doesn't notify supervisor; reveals protective measures

HACKERS & COMPUTER VIRUSES
• HACKER: Person who gains access to a computer for profit, criminal mischief, or personal pleasure
• COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory

COMMON COMPUTER VIRUSES
• CONCEPT: Word documents, e-mail. Deletes files
• FORM: Makes clicking sound, corrupts data
• ONE_HALF: Corrupts hard drive, flashes its name on screen
• MONKEY: Windows won't run
• JUNKIE: Infects files, boot sector; memory conflicts
• RIPPER: Randomly corrupts hard drive files

ANTIVIRUS SOFTWARE
• SOFTWARE TO DETECT, ELIMINATE VIRUSES
• ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES

CONCERNS FOR BUILDERS & USERS
• DISASTER
• BREACH OF SECURITY
• ERRORS

DISASTER
• LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY
• FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)

SECURITY
• POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS

WHERE ERRORS OCCUR
• DATA PREPARATION
• TRANSMISSION
• CONVERSION
• FORM COMPLETION
• ON-LINE DATA ENTRY
• KEYPUNCHING; SCANNING; OTHER INPUTS

WHERE ERRORS OCCUR
• VALIDATION
• PROCESSING / FILE MAINTENANCE
• OUTPUT
• TRANSMISSION
• DISTRIBUTION

SYSTEM QUALITY PROBLEMS
• SOFTWARE & DATA
• BUGS: Program code defects or errors
• MAINTENANCE: Modifying a system in production use; can take up to 50% of analysts' time
• DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious

COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
[Chart: vertical axis COSTS (1.00 to 6.00); horizontal axis, by phase: ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]

CREATING A CONTROL ENVIRONMENT
CONTROLS: METHODS, POLICIES, PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDS
• GENERAL
• APPLICATION

GENERAL CONTROLS
• IMPLEMENTATION: Audit system development to assure proper control, management
• SOFTWARE: Ensure security, reliability of software
• PHYSICAL HARDWARE: Ensure physical security, performance of computer hardware

GENERAL CONTROLS
• COMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processing
• DATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destruction
• ADMINISTRATIVE: Ensure controls properly executed, enforced
• SEGREGATION OF FUNCTIONS: Divide responsibility from tasks

APPLICATION CONTROLS
• INPUT
• PROCESSING
• OUTPUT

INPUT CONTROLS
• INPUT AUTHORIZATION: Record, monitor source documents
• DATA CONVERSION: Transcribe data properly from one form to another
• BATCH CONTROL TOTALS: Count transactions prior to and after processing
• EDIT CHECKS: Verify input data, correct errors

PROCESSING CONTROLS
ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING
• RUN CONTROL TOTALS: Generate control totals before & after processing
• COMPUTER MATCHING: Match input data to master files

OUTPUT CONTROLS
ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED
• BALANCE INPUT, PROCESSING, OUTPUT TOTALS
• REVIEW PROCESSING LOGS
• ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
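The input, processing and output controls on the three slides above, worked through as an added example (not code from the Laudon & Laudon chapter): edit checks on a transaction batch, batch and run control totals taken before and after computer matching against a master file, and the output check that the totals balance. The master file, the amount limit and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed master file of valid employee ids (an assumption for this example).
MASTER_FILE = {"E100", "E101", "E102"}

@dataclass(frozen=True)
class Txn:
    txn_id: int
    employee: str
    cents: int  # amount in cents, so control totals are exact integers

def edit_checks(batch):
    """INPUT CONTROL: edit checks on each record. Returns (accepted, rejects)."""
    accepted, rejects = [], []
    for t in batch:
        if not (0 < t.cents <= 1_000_000):  # range check; the limit is assumed
            rejects.append((t.txn_id, "amount out of range"))
        elif not (t.employee[:1] == "E" and t.employee[1:].isdigit()):  # format check
            rejects.append((t.txn_id, "employee id format"))
        else:
            accepted.append(t)
    return accepted, rejects

def control_totals(batch):
    """Batch / run control totals: record count, amount total and a hash total
    (sum of ids: meaningless by itself, but it changes if a record is lost or swapped)."""
    return {"count": len(batch),
            "amount": sum(t.cents for t in batch),
            "hash": sum(t.txn_id for t in batch)}

def computer_match(batch):
    """PROCESSING CONTROL: match each input record to the master file."""
    matched = [t for t in batch if t.employee in MASTER_FILE]
    unmatched = [t.txn_id for t in batch if t.employee not in MASTER_FILE]
    return matched, unmatched

def run_batch(batch):
    """Apply input, processing and output controls; return an audit report."""
    accepted, rejects = edit_checks(batch)
    before = control_totals(accepted)            # totals taken before processing
    matched, unmatched = computer_match(accepted)
    after = control_totals(matched)              # totals taken after processing
    # OUTPUT CONTROL: input and output totals must balance; any difference has to be
    # explained by the unmatched list before results are distributed.
    return {"rejects": rejects, "unmatched": unmatched,
            "before": before, "after": after, "balanced": before == after}

# Constructed sample batch: a zero amount, a malformed id, and an id absent from the master file.
SAMPLE = [Txn(1, "E100", 120050), Txn(2, "E101", 0), Txn(3, "X999", 30000),
          Txn(4, "E999", 45000), Txn(5, "E102", 9999)]
```

Running `run_batch(SAMPLE)` rejects records 2 and 3 at input, drops record 4 at matching, and reports the batch as unbalanced because the before and after totals differ.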

SECURITY AND THE INTERNET
• ENCRYPTION: Coding & scrambling messages to deny unauthorized access
• AUTHENTICATION: Ability to identify another party
• MESSAGE INTEGRITY
• DIGITAL SIGNATURE
• DIGITAL CERTIFICATE

SECURITY AND THE INTERNET
• SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on the Internet
• ELECTRONIC CASH: Currency represented in electronic form, preserving user anonymity

DEVELOPING A CONTROL STRUCTURE
• COSTS: Can be expensive to build; complicated to use
• BENEFITS: Reduces expensive errors, loss of time, resources, good will
• RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur

MIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS
• TESTING: Early, regular controlled efforts to detect, reduce errors
• WALKTHROUGH
• DEBUGGING
• DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness

CONNECT TO THE INTERNET
Press the left mouse button on the icon to connect to the Laudon & Laudon web site for more information on this chapter.