Unit 5 Online System Controls and Security

1

• Unit 5 Online System Controls and Security
• Identify the validation techniques used in
  on-line systems
• Describe data libraries used in development
  projects.
• Explain the role of security in Information
  Technology

2
SDLC ? CONTROLS

• Planning
• Analysis/Design
• Building
• Testing

• Organization, Stakeholders, Charter
• Project Mgmt, Tools, methodology, services
• Committees, Tools, Project, Development, Dbase,
  processing, security controls
• Testing phases methods

3
SDLC ? CONTROLS

• Implementation
• Post-Implementation

• Roll-out controls
• Backup-recovery, ITIL Service support controls,
  turnover, review, report, document

4
User Interface Design (UI) Every component the
users see, hear, or touch and the
workflow Screens Video segments Windows Au
dio segments Web pages Dialog boxes Printed
reports Message boxes
5

• Online Controls
• Transactions processed individually
• Access security controls who enters
• Online data validation
• Exceptional transactions require special password
  approval
• Immediate correction for online
• Written into a transaction log immediately for
  recovery/auditing.

6

• Controlling the Processing of Data
• Ensure that
• All transaction are authorized
• All transactions are processed
• All transactions are complete and accurate
•  

7
Processing Errors Input Errors Missing data,
lost data, late data, duplicate data,
unauthorized data, inaccurate data Processing
Errors Wrong file, Untimely processing,
incomplete processing, duplicate processing,
incorrect logic, unauthorized logic  
8

• Controlling the Processing of Data
• All transaction are authorized
•  
• Relies on systems security
• Identification
• Authentication
• Authorisation
•  

9

• Controlling the Processing of Data
• All transactions are processed
• rejected transactions are written to a suspense
  file
• all suspense file items must be deleted or
  resubmitted

10
Controlling the Processing of Data Name some
ways when programming to control input errors
11

• Controlling the Processing of Data
• All transactions are complete and accurate
  (Batch/Online)
• Admissible characters edit mask e.g. 999V99
• Completeness mandatory fields e.g. x ! NULL
• Field size e.g. edit mask X(15)
• Range check e.g. value must be gt 16 and lt 85 or
  Quantity ordered lt Quantity on hand
• Self checking digits e.g. SIN, VIN
• Code list e.g. provinces
• Consistency (cross-field edits) e.g. if
  province is Ontario then Postal Code must be in a
  certain range  

12
 
 

• Development Controls Classroom activity for
  database
• For each of the following controls
• Define what each is/what it means (if not
  apparent)
• What could happen without it?

13
 
 

• Database Controls
• Data architecture/corporate data model
• DBA (DataBase Analyst) creates and maintains all
  production and user test databases
• DBA or Security grants rights to databases/owner
  approvals
• Backup and recovery of database is treated
  separately from systems backup and recovery
• Database requires documentation and procedures
  for example fallback, recovery and restart
• Audit trails/logging of all transactions
• Database mirroring/availability promoted
• Restricted access to programmer tools such as
  Zapper tools (bulk production database updates)

14
Data Libraries
15

• Data Libraries
• Production data and programs
• The companys data treated with the utmost
  respect
• Accessed by authorized users only
• Production support moves data and programs into
  this area

16

• Data Libraries
• User test data and programs
• Users data for testing and training purposes
• Can contain a copy of production data
• Accessed by authorized users only
• This is a staging area for programs on their way
  to production
• Production support moves data and programs into
  this area

17

• Data Libraries
• Development data and programs
• Developers library of programs in development
• Developers test data for integration testing
• Developers data and programs are usually
• Copied to the developers PC when required
• Used for development and unit testing

18
IT SECURITY ANALYST - 996 - 1,199 / weekThe
Central Agencies IIT Cluster seeks an energetic
individual to co-ordinate projects to secure the
cluster's IIT infrastructure guide
ministry/agency business teams performing threat
risk analysis audit user access to ministry
data research, evaluate, recommend practices,
services, technologies for increasing security of
ministry data develop/implement security
policies, controls, practices, procedures, tools
to secure IIT infrastructure promote awareness
of IIT security.Qualifications experience
developing/implementing security controls,
practices, procedures, tools for IIT
infrastructures, performing audits, administering
user access privileges for Netware, Windows 2000,
IBM mainframe environments knowledge of security
policies, best practices excellent
communication, interpersonal, presentation
skills.Apply by Sep 27, 2002 to File File
3135, Ministry of Finance, Human Resources
Branch, 33 King St. W., 2nd Fl., Oshawa, ON L1H
8H5. Fax 905-433-6588.Posted 09/13/2002
www.gojobs.gov.on.ca
19

• Access Controls
• What are we safeguarding?
• Data
• Programs
• Resource
•  
• What is the risk? 
• Destruction
• Modification
• Disclosure
• Accidental or intentional misuse

20

• Human-Machine Interface
• e.g. PCs, terminals, ATMs, internet, PDAs, etc
•  
• Electronic Interface
• Data sent to external organizations e.g. Payroll
  sent to the bank
• Data received from external organizations e.g.
  Bank statement, Service Provider updates
• Data transmitted between internal systems e.g.
  Sales orders transferred from the Web hosting
  computer to the Order Entry system

21

• Security System Controls
• Operating systems security
• Database security system
• Programmatic security
• Network security
• All users and processes must apply for access.
• Management approves access request to specific
  resources.
• Security sets up account giving required access -
  security roles.
• All users and processes must be granted
  privileged access to required resources - data,
  programs, hardware, etc.

22

• Access Management
• Access is assigned typically as privileges
• Operating system level execute, read, append,
  update, delete, create, etc. to specific
  resources
• Database level read, append, update, delete,
  create, etc. to specific tables, fields
• Program level access to specific programs, menu
  items, modes within screens e.g. read only,
  update
• Network level to servers, printers, Lan, email

23

• Security
• Security is the safety of people, facilities and
  data from natural and man-made threats
• Security Requirements controlled access
• Identification
• Authentication
• Authorisation
• Validity
• Auditability

24

• Security Requirements access controls
• Identification How you identify yourself to the
  system
• Authentication How the system verifies you are
  who you say you are
• AuthorizationHow the system knows what you are
  allowed to do
• ValidityHow the system ensures it only processes
  valid authorized transactions and what responses
  it gives
• Audit abilityAbility to trace what went on in
  the system and who did it

25

• Your Turn
• Divide into 5 groups. Each group gets one of
• Identification, Authentication Authorization,
  Validity, Auditability
• Give examples on this control.
• What type of situations can happen if this
  control fails - what does it prevent?

26

• Security Requirements
• 1. Identification Who are you?
• identify user
• named user/account
• Belong to named group
• security identity badges/access control
• security cameras/pictures

27

• Security Requirements
• Authentication You are who you say you are
• verify identity badge, ID card, license with
  picture
• person-to-machine - user password, magnetic
  stripe on card, fingerprint, voice recognition,
  etc
• electronic dial-up may require callback to
  account users phone number
• Examples of password control - prompt for changes
  regularly, no reuse of former passwords,
  restricted minimum size, obscured/encrypted,
  disabled after 3 attempts

28

• Security Requirements
• Authorisation What are you allowed to do?
• ensure only appropriate users have access
• named transaction/screens menu items user
  granted authority to read or update only these
• User can be assigned to a group that has assigned
  access privileges to specific executables,
  transactions types, data row, table, field level.

29

• Security Requirements
• Validity allow only valid transactions
• verify access authorization to user on all
  transactions
• process only valid transactions to this user
  based on access rights
• Log violations
• Put in corrective actions lock keyboard,
  swallow charge card, sound alarm, lock exit doors

30

• Security Requirements
• Auditability traceable trail of activity
• provide audit trail of all activity, record of
  all transactions, record of changes in access
  levels
• variance detection/correction
• record/investigate all violation attempts
• detect unusual patterns in use
• exception reports sent to management, security
  staff and resource owners