230 likes | 242 Views
SESSION 14 INFORMATION SYSTEMS SECURITY AND CONTROL. SYSTEM VULNERABILITY AND ABUSE. Advances in telecommunications and computer software Unauthorized access, abuse, or fraud Hackers Denial of service attack Computer virus. Concerns for System Builders and Users. Disaster
E N D
SESSION 14 INFORMATION SYSTEMS SECURITY AND CONTROL
SYSTEM VULNERABILITY AND ABUSE • Advances in telecommunications and computer software • Unauthorized access, abuse, or fraud • Hackers • Denial of service attack • Computer virus
Concerns for System Builders and Users • Disaster • Destroys computer hardware, programs, data files, and other equipment • Security • Prevents unauthorized access, alteration, theft, or physical damage
Concerns for System Builders and Users • Errors • Cause computers to disrupt or destroy organization’s record-keeping and operations
System Quality Problems: Software and Data • Bugs • Program code defects or errors • Maintenance Nightmare • Maintenance costs high due to organizational change, software complexity, and faulty system analysis and design
Figure 15-3 System Quality Problems: Software and Data The Cost of Errors over the Systems Development Cycle
System Quality Problems: Software and Data • Data Quality Problems • Caused due to errors during data input or faulty information system and database design
CREATING A CONTROL ENVIRONMENT Overview • Controls • Methods, policies, and procedures • Ensures protection of organization’s assets • Ensures accuracy and reliability of records, and operational adherence to management standards
CREATING A CONTROL ENVIRONMENT General Controls and Application Controls • General controls • Establish framework for controlling design, security, and use of computer programs • Include software, hardware, computer operations, data security, implementation, and administrative controls
Figure 15-4 CREATING A CONTROL ENVIRONMENT Security Profiles for a Personnel System
CREATING A CONTROL ENVIRONMENT General Controls and Application Controls • Application controls • Unique to each computerized application • Ensure that only authorized data are completely and accurately processed by that application • Include input, processing, and output controls
Protecting the Digital Firm • On-line transaction processing: Transactions entered online are immediately processed by computer • Fault-tolerant computer systems: Contain extra hardware, software, and power supply componentsthat can back the system up and keep it running to prevent system failure
Protecting the Digital Firm • High-availability computing: Tools and technologies enabling system to recover from a crash • Disaster recovery plan: Plan for running business in event of computer outage • Load balancing: Distributes large number of requests for access among multiple servers
Protecting the Digital Firm • Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption • Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing
Internet Security Challenges Figure 15-5
Internet Security Challenges • Firewalls • Prevent unauthorized users from accessing private networks • Two types: proxies and stateful inspection • Intrusion Detection System • Monitors vulnerable points in network to detect and deter unauthorized intruders
Security and Electronic Commerce • Encryption: Coding and scrambling of messages to prevent their being accessed without authorization • Authentication: Ability of each party in a transaction to ascertain identity of other party • Message integrity: Ability to ascertain that transmitted message has not been copied or altered
Figure 15-6 Public Key Encryption
Security and Electronic Commerce • Digital signature: Digital code attached to electronically transmitted message to uniquely identify contents and sender • Digital certificate:Attachment to electronic message to verify the sender and to provide receiver with means to encode reply
Figure 15-7 Digital Certificates
Developing a Control Structure: Costs and Benefits • Criteria for determining control • structure • Importance of data • Efficiency, complexity, and expense of each control technique • Level of risk if a specific activity or process is not properly controlled
The Role of Auditing in the Control Process • MIS audit • Identifies all controls that govern individual information systems and assesses their effectiveness
Data Quality Audit and Data Cleansing • Data quality audit • Survey and/or sample of files • Determines accuracy and completeness of data • Data cleansing • Correcting errors and inconsistencies in data to increase accuracy