Title: Laudon
116. INFORMATION SYSTEMS SECURITY CONTROL
2LEARNING OBJECTIVES
- DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO
DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL
PROBLEMS - COMPARE GENERAL AND APPLICATION CONTROLS
- SELECT FACTORS FOR DEVELOPING CONTROLS
3LEARNING OBJECTIVES
- DESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE
TECHNIQUES - DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS
SAFEGUARDING DATA QUALITY
4MANAGEMENT CHALLENGES
- SYSTEM VULNERABILITY ABUSE
- CREATING A CONTROL ENVIRONMENT
- ENSURING SYSTEM QUALITY
5SYSTEM VULNERABILITY ABUSE
- WHY SYSTEMS ARE VULNERABLE
- HACKERS VIRUSES
- CONCERNS FOR BUILDERS USERS
- SYSTEM QUALITY PROBLEMS
6THREATS TO INFORMATION SYSTEMS
- HARDWARE FAILURE, FIRE
- SOFTWARE FAILURE, ELECTRICAL PROBLEMS
- PERSONNEL ACTIONS, USER ERRORS
- ACCESS PENETRATION, PROGRAM CHANGES
- THEFT OF DATA, SERVICES, EQUIPMENT
TELECOMMUNICATIONS PROBLEMS
7WHY SYSTEMS ARE VULNERABLE
- SYSTEM COMPLEXITY
- COMPUTERIZED PROCEDURES NOT ALWAYS READ OR
AUDITED - EXTENSIVE EFFECT OF DISASTER
- UNAUTHORIZED ACCESS POSSIBLE
8 VULNERABILITIES
- RADIATION Allows recorders, bugs to tap system
- CROSSTALK Can garble data
- HARDWARE Improper connections, failure of
protection circuits - SOFTWARE Failure of protection features, access
control, bounds control - FILES Subject to theft, copying, unauthorized
access
9 VULNERABILITIES
- USER Identification, authentication, subtle
software modification - PROGRAMMER Disables protective features reveals
protective measures - MAINTENANCE STAFF Disables hardware devices
uses stand-alone utilities - OPERATOR Doesnt notify supervisor, reveals
protective measures
10HACKERS COMPUTER VIRUSES
- HACKER Person gains access to computer for
profit, criminal mischief, personal pleasure - COMPUTER VIRUS Rouge program difficult to
detect spreads rapidly destroys data disrupts
processing memory
11COMMON COMPUTER VIRUSES
- CONCEPT Word documents, e-mail. Deletes files
- FORM Makes clicking sound, corrupts data
- ONE_HALF Corrupts hard drive, flashes its name
on screen - MONKEY Windows wont run
- JUNKIE Infects files, boot sector, memory
conflicts - RIPPER Randomly corrupts hard drive files
12ANTIVIRUS SOFTWARE
- SOFTWARE TO DETECT
- ELIMINATE VIRUSES
- ADVANCED VERSIONS RUN IN MEMORY TO PROTECT
PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND
ON INCOMING NETWORK FILES
13CONCERNS FOR BUILDERS USERS
- DISASTER
- BREACH OF SECURITY
- ERRORS
14DISASTER
- LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER
FAILURE, FLOOD OR OTHER CALAMITY - FAULT-TOLERANT COMPUTER SYSTEMS BACKUP
SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly
On-line Transaction Processing)
15SECURITY
- POLICIES, PROCEDURES, TECHNICAL MEASURES TO
PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT,
PHYSICAL DAMAGE TO INFORMATION SYSTEMS
16WHERE ERRORS OCCUR
- DATA PREPARATION
- TRANSMISSION
- CONVERSION
- FORM COMPLETION
- ON-LINE DATA ENTRY
- KEYPUNCHING SCANNING OTHER INPUTS
17WHERE ERRORS OCCUR
- VALIDATION
- PROCESSING / FILE MAINTENANCE
- OUTPUT
- TRANSMISSION
- DISTRIBUTION
18SYSTEM QUALITY PROBLEMS
- SOFTWARE DATA
- BUGS Program code defects or errors
- MAINTENANCE Modifying a system in production
use can take up to 50 of analysts time - DATA QUALITY PROBLEMS Finding, correcting
errors costly tedious
19COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
6.00
5.00
4.00
3.00
COSTS
2.00
1.00
ANALYSIS PROGRAMMING POSTIMPLEMENTATION
DESIGN
CONVERSION
20CREATING A CONTROL ENVIRONMENT
- CONTROLS METHODS, POLICIES, PROCEDURES TO
PROTECT ASSETS ACCURACY RELIABILITY OF
RECORDS ADHERENCE TO MANAGEMENT STANDARDS - GENERAL
- APPLICATION
21GENERAL CONTROLS
- IMPLEMENTATION Audit system development to
assure proper control, management - SOFTWARE Ensure security, reliability of
software - PHYSICAL HARDWARE Ensure physical security,
performance of computer hardware
22GENERAL CONTROLS
- COMPUTER OPERATIONS Ensure procedures
consistently, correctly applied to data storage,
processing - DATA SECURITY Ensure data disks, tapes protected
from wrongful access, change, destruction - ADMINISTRATIVE Ensure controls properly
executed, enforced - SEGREGATION OF FUNCTIONS Divide
responsibility from tasks
23APPLICATION CONTROLS
24INPUT CONTROLS
- INPUT AUTHORIZATION Record, monitor source
documents - DATA CONVERSION Transcribe data properly from
one form to another - BATCH CONTROL TOTALS Count transactions prior to
and after processing - EDIT CHECKS Verify input data, correct errors
25PROCESSING CONTROLS
- ESTABLISH THAT DATA IS COMPLETE, ACCURATE
DURING PROCESSING - RUN CONTROL TOTALS Generate control totals
before after processing - COMPUTER MATCHING Match input data to master
files
26OUTPUT CONTROLS
- ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE,
PROPERLY DISTRIBUTED - BALANCE INPUT, PROCESSING, OUTPUT TOTALS
- REVIEW PROCESSING LOGS
- ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
27SECURITY AND THE INTERNET
- ENCRYPTION Coding scrambling messages to deny
unauthorized access - AUTHENTICATION Ability to identify another party
- MESSAGE INTEGRITY
- DIGITAL SIGNATURE
- DIGITAL CERTIFICATE
28SECURITY AND THE INTERNET
- SECURE ELECTRONIC TRANSACTION Standard for
securing credit card transactions on Internet - ELECTRONIC CASH Currency represented in
electronic form, preserving user anonymity
29DEVELOPING A CONTROL STRUCTURE
- COSTS Can be expensive to build complicated to
use - BENEFITS Reduces expensive errors, loss of time,
resources, good will - RISK ASSESSMENT Determine frequency of
occurrence of problem, cost, damage if it were to
occur
30MIS AUDIT
- IDENTIFIES CONTROLS OF INFORMATION SYSTEMS,
ASSESSES THEIR EFFECTIVENESS - TESTING Early, regular controlled efforts to
detect, reduce errors - WALKTHROUGH
- DEBUGGING
- DATA QUALITY AUDIT Survey samples of files for
accuracy, completeness
31Connect to the INTERNET
PRESS LEFT MOUSE BUTTON ON ICON TO CONNECT TO
LAUDON LAUDON WEB SITE FOR MORE INFORMATION IN
THIS CHAPTER
3216. INFORMATION SYSTEMS SECURITY CONTROL