Designing System Interfaces, Security and Controls

1
Chapter 14

• Designing System Interfaces, Security and Controls

2
Downslope Ski

• What are the business drivers requiring that
  Downhill provide suppliers with automated
  inventory access?
• What types of information do you think need to be
  shared?
• What kind of analysis does Nathan need to do?
  What information does he need?

3
Learning Objectives

• Discuss examples of system interfaces found in
  information systems
• Define system inputs and outputs based on the
  requirements of the application program
• Explain the importance of integrity controls
• Identify required integrity controls for inputs,
  outputs, data, and processing
• Discuss issues related to security that affect
  the design and operation of information systems

4
Overview

• This chapter focuses on system interfacesand
  system controls that do not require much human
  interaction
• Many system interfaces are electronic
  transmissions or paper outputs to external agents
• System developers need to design and implement
  integrity and security controls to protect system
  and its data
• Outside threats from Internet and e-commerce are
  growing concern

5
Identifying System Interfaces

• System interfaces are broadly defined as inputs
  or outputs with minimal or no human intervention
• Inputs from other systems (messages, EDI)
• Highly automated input devices such as scanners
• Inputs that are from data in external databases
• Outputs to external databases
• Outputs with minimal HCI
• Outputs to other systems
• Real-time connections (both input and output)

6
Full Range of Inputs and Outputs
7
Electronic Data Interchange (EDI)

• The EDI standard was developed around 1982 and is
  in use since 1985 as standard to support doing
  business by means of passing electronic document
  between business partners.
• EDI can be defined as
• Computer to computer exchange of structured
  data. Formatted to allow automatic processing
  without manual intervention. (E-centre, 2002,
  Electronic Data Interchange),
• or as
• Electronic exchange of structured and normalized
  data between computer systems of different
  partners (F. Put, 1998).
• Format and contents of business documents based
  on agreed upon industry standards
• Purchase orders
• Invoices

8
eXtensible Markup Language (XML)

• Extension of HTML that embeds self-defined data
  structures in textual messages
• Transaction that contains data fields can be sent
  with XML codes to define meaning of data fields
• XML provides common system-to-system interface
• XML is simple and readable by people
• Web services is based on XML to send business
  transactions over Internet

9
XML or EDI?
10
Design of System Inputs

• Identify devices and mechanisms used to enter
  input
• High-level review of most up-to-date methods to
  enter data
• Identify all system inputs and develop list of
  data content for each
• Provide link between design of application
  software and design of user and system interfaces
• Determine controls and security necessary for
  each system input

11
Input Devices and Mechanisms

• Capture data as close to original source as
  possible
• Use electronic devices and automatic entry
  whenever possible
• Avoid human involvement as much as possible
• Seek information in electronic form to avoid data
  re-entry
• Validate and correct information at entry point

12
Prevalent Input Devices to Avoid Human Data Entry

• Magnetic card strip readers
• Bar code readers
• Optical character recognition readers and
  scanners
• Radio-frequency identification tags
• Touch screens and devices
• Electronic pens and writing surfaces
• Digitizers, such as digital cameras and digital
  audio devices

13
Defining the Details of System Inputs

• Ensure all data inputs are identified and
  specified correctly
• Can use traditional structured models
• Identify automation boundary
• Use DFD fragments
• Segment by program boundaries
• Examine structure charts
• Analyze each module and data couple
• List individual data fields

14
Automation Boundary on a System-Level DFD
15
Create New Order DFD with an Automation Boundary
16
Structure Chart for Create New Order
17
Using Object-Oriented Models

• Identifying user and system inputs with OO
  approach has same tasks as traditional approach
• OO diagrams are used instead of DFDs and
  structure charts
• System sequence diagrams identify each incoming
  message
• Design class diagrams and sequence diagrams
  identify and describe input parameters and verify
  characteristics of inputs

18
Partial System Sequence Diagram for Payroll
System Use Cases
19
System Sequence Diagram for Create New Order
20
Input Messages and Data Parameters from RMO
System Sequence Diagram
21
Designing System Outputs

• Determine each type of output
• Make list of specific system outputs required
  based on application design
• Specify any necessary controls to protect
  information provided in output
• Design and prototype output layout
• Ad hoc reports designed as needed by user

22
Defining the Details of System Outputs

• Type of reports
• Printed reports
• Electronic displays
• Turnaround documents
• Can use traditional structured models to identify
  outputs
• Data flows crossing automation boundary
• Data couples and report data requirements on
  structure chart

23
Table of System Outputs Based on Traditional
Structured Approach
24
Using Object-Oriented Models

• Outputs indicated by messages in sequence
  diagrams
• Originate from internal system objects
• Sent to external actors or another external
  system
• Output messages based on an individual object are
  usually part of methods of that class object
• To report on all objects within a class,
  class-level method is used that works on entire
  class

25
Table of System Outputs Based on OO Messages
(Figure 14-12)
26
Exercise

• You work for a grocery chain that always has many
  customers in the stores. To facilitate and speed
  checkout, the company wants to develop
  self-service checkout stands. Customers can check
  out their own groceries and pay by credit card or
  cash.
• How would you design the checkout register and
  equipment? What kinds of equipment would you use
  to make it easy and intuitive for the customers,
  make sure that prices are entered correctly, and
  ensure that cash or credit card payments are done
  correctly? In other words, what equipment would
  you have at the checkout station? What other
  measures would you take?

27
Designing Reports, Statements, and Turnaround
Documents

• Printed versus electronic
• Types of output reports
• Detailed
• Summary
• Exception
• Executive
• Internal versus external
• Graphical and multimedia presentation

28
RMO Summary Report with Drill Down to the
Detailed Report
29
Sample Bar Chart and Pie Chart Reports
30
Creating Reports

• What is objective of report?
• What is the context of the report what will it
  be used for?
• Who is the intended audience?
• What is media for presentation?
• How frequently generated and how generated?

31
Integrating reporting into processes/workflows
Information/Metrics What information is needed
to support the individuals engaged in this
activity? Further, what are the required
characteristics of this information in terms of
accuracy, currency and other measures? Format
How should information be presented to
individuals to best support the activity?
Through paper reports? On-line screens? Embedded
in an operational system? How should information
be formatted simple lists? cross-tab reports?
charts/graphs? Functionality In addition to
viewing information, do individuals require the
need to explore the information (slice, drill,
etc)? Do they need to build algorithms or
calculations based on the information provided?
What else do they need their BI environment to do
for them?
32
Designing Integrity Controls

• Mechanisms and procedures built into a system to
  safeguard it and information contained within
• Integrity controls
• Built into application and database system to
  safeguard information
• Security controls
• Built into operating system and network
• Protect system

33
Scenario

• You are a security analyst for a company that
  plans to build a new order processing system to
  be used internally and available directly to
  customers via the web.
• Youve been assigned the task of identifying all
  points of vulnerability
• List all points of vulnerability and identify
  what you see as the top 3 risks, from a security
  perspective.

34
Objectives of Integrity Controls

• Ensure that only appropriate and correct business
  transactions occur
• Ensure that transactions are recorded and
  processed correctly
• Protect and safeguard assets of the organization
• Software
• Hardware
• Information

35
Points of Security and Integrity Controls
Also, physical security meaning?
36
Physical security/integrity considerations

• Access to server rooms
• Power backup (UPS)
• Backup sites

37
Input Integrity Controls

• Used with all input mechanisms
• Additional level of verification to help reduce
  input errors
• Common control techniques
• Field combination controls
• Value limit controls
• Completeness controls
• Data validation controls

38
Database Integrity Controls

• Access controls
• User views, user profiles, etc.
• Data encryption
• Transaction controls
• Fraud
• Error recovery
• Update controls
• Transaction management
• Backup and recovery protection

39
Output Integrity Controls

• Ensure output arrives at proper destination and
  is correct, accurate, complete, and current
• Destination controls - output is channeled to
  correct people
• Cover sheets, etc.
• Electronic routingemail
• Completeness, accuracy, and correctness controls
• Appropriate information present in output

40
Integrity Controls to Prevent Fraud

• Three conditions are present in fraud cases
• Personal pressure, such as desire to maintain
  extravagant lifestyle
• Rationalizations, including I will repay this
  money or I have this coming
• Opportunity, such as unverified cash receipts
• Control of fraud requires both manual procedures
  and computer integrity controls

41
Fraud Risks and Prevention Techniques
42
Designing Security Controls

• Security controls protect assets of organization
  from all threats
• External threats such as hackers, viruses, worms,
  and message overload attacks
• Security control objectives (in addition to
  integrity controls)
• Maintain stable, functioning operating
  environment for users and application systems (24
  x 7)
• Protect information and transactions during
  transmission outside organization (public
  carriers)

43
Security for Access to Systems

• Used to control access to any resource managed by
  operating system or network
• User categories
• Unauthorized user no authorization to access
• Registered user authorized to access system
• Privileged user authorized to administrate
  system
• Organized so that all resources can be accessed
  with same unique ID/password combination

44
Users and Access Roles to Computer Systems
45
Managing User Access

• Most common technique is user ID / password
• Authorization Is user permitted to access?
• Access control list users with rights to access
• Authentication Is user who they claim to be?
• Other techniques
• Smart card computer-readable plastic card with
  embedded security information
• Biometric devices keystroke patterns,
  fingerprinting, retinal scans, voice
  characteristics

46
Data Security

• Data and files themselves must be secure
• Encryption primary security method
• Altering data so unauthorized users cannot view
• Decryption
• Altering encrypted data back to its original
  state
• Symmetric key same key encrypts and decrypts
• Asymmetric key different key decrypts
• Public key public encrypts private decrypts