Title: Chapter 15: Designing System Interfaces, Controls, and Security
1. Chapter 15: Designing System Interfaces, Controls, and Security
- Systems Analysis and Design in a Changing World, 3rd Edition
2. Learning Objectives
- Discuss examples of system interfaces found in information systems
- Define system inputs and outputs based on the requirements of the application program
- Design printed and on-screen reports appropriate for recipients
3. Learning Objectives (continued)
- Explain the importance of integrity controls
- Identify required integrity controls for inputs, outputs, data, and processing
- Discuss issues related to security that affect the design and operation of information systems
4. Overview
- This chapter focuses on systems interfaces, systems output, and systems controls that do not require much human interaction
- Many system interfaces are electronic transmissions or paper outputs to external agents
- System developers need to design and implement integrity and security controls to protect the system and its data
- Outside threats from the Internet and e-commerce are a growing concern
5. Identifying System Interfaces
- Systems interfaces are broadly defined as inputs or outputs with minimal or no human intervention
- Inputs from other systems (messages, EDI)
- Highly automated input devices such as scanners
- Inputs that are from data in external databases
- Outputs that are to external databases
- Outputs with minimal HCI
- Outputs to other systems
- Real-time connections (both input and output)
6. Full Range of Inputs and Outputs
7. eXtensible Markup Language (XML)
- Extension of HTML that embeds self-defined data structures within textual messages
- Transaction that contains data fields can be sent with XML codes to define meaning of data fields
- XML provides common system-to-system interface
- XML is simple and readable by people
- Web services is based on XML to send business transactions over Internet
8. System-to-System Interface Based on XML
9. Design of System Inputs
- Identify devices and mechanisms used to enter input
- High-level review of most up-to-date methods to enter data
- Identify all system inputs and develop list of data content with each
- Provides link between design of application software and design of user and system interfaces
- Determine controls and security necessary for each system input
10. Input Devices and Mechanisms
- Capture data as close to origination source as possible
- Use electronic devices and automatic entry whenever possible
- Avoid human involvement as much as possible
- Seek information in electronic form to avoid data reentry
- Validate and correct information at entry point
11. Prevalent Input Devices to Avoid Human Data Entry
- Magnetic card strip readers
- Bar-code readers
- Optical character recognition readers and scanners
- Touch screens and devices
- Electronic pens and writing surfaces
- Digitizers, such as digital cameras and digital audio devices
12. Defining the Details of System Inputs
- Ensure all data inputs are identified and specified correctly
- Can use traditional structured models
- Identify automation boundary
- Use DFD fragments
- Segment by program boundaries
- Examine Structure Charts
- Analyze each module and data couple
- List individual data fields
13. Automation Boundary on a System-level DFD
14. Create New Order DFD with an Automation Boundary
15. List of Inputs for Customer Support System
16. Structure Chart for Create New Order
17. Data Flows, Data Couples, and Data Elements Making up Inputs
18. Using Object-Oriented Models
- Identifying user and system inputs with OO approach has same tasks as traditional approach
- OO diagrams are used instead of DFDs and structure charts
- System sequence diagrams identify each incoming message
- Design class diagrams identify and describe input parameters and contain pseudocode to verify characteristics of inputs
19. Partial System Sequence Diagram for Payroll System Use Cases
20. System Sequence Diagram for Create New Order
21. Input Messages and Data Parameters from RMO System Sequence Diagram
22. Designing System Outputs
- Determine each type of output
- Make list of specific system outputs required based on application design
- Specify any necessary controls to protect information provided in output
- Design and prototype output layout
- Ad hoc reports designed as needed by user
23. Defining the Details of System Outputs
- Type of reports
- Printed reports
- Electronic displays
- Turnaround documents
- May use traditional structured models to identify outputs
- Data flows crossing automation boundary
- Data couples and report data requirements on structure chart
24. Table of System Outputs Based on Traditional Structured Approach
25. Using Object-Oriented Models
- Outputs indicated by messages in sequence diagrams
- Originate from internal system objects
- Sent to external actors or another external system
- Output messages based on an individual object are usually part of methods of that class object
- To report on all objects within a class, class-level method is used that works on entire class
26. Table of System Outputs Based on OO Messages
27. Designing Reports, Statements, and Turnaround Documents
- Printed versus electronic
- Type of output reports
- Detailed
- Summary
- Exception
- Executive
- Internal versus external
- Graphical and multimedia presentation
28. RMO Summary Report with Drill Down to the Detailed Report
29. Sample Bar Chart and Pie Chart Reports
30. Formatting Reports
- What is the objective of the report?
- Who is the intended audience?
- What is the medium for presentation?
- Avoid information overload
- Format considerations such as meaningful headings, date of information, date report produced, page numbers
31. Designing Integrity Controls
- Mechanisms and procedures built into a system to safeguard it and information contained within
- Integrity controls
- Built into application and database system to safeguard information
- Security controls
- Built into operating system and network
32. Objectives of Integrity Controls
- Ensure that only appropriate and correct business transactions occur
- Ensure that transactions are recorded and processed correctly
- Protect and safeguard assets of the organization
- Software
- Hardware
- Information
33. Points of Security and Integrity Controls
34. Input Integrity Controls
- Used with all input mechanisms
- Additional level of verification to help reduce input errors
- Common control techniques
- Field combination controls
- Value limit controls
- Completeness controls
- Data validation controls
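
The four input control techniques named on this slide, applied to one input record. This is an added example, not from the textbook; the order fields, item codes and quantity limit are constructed assumptions, and each control follows its usual meaning (required fields present, codes match a known list, numbers within a reasonable range, fields consistent with each other).

```python
from datetime import date

# Constructed rules for a hypothetical order-entry input; the field names,
# limits and code table are assumptions, not taken from the chapter.
REQUIRED = ("customer_id", "item_code", "quantity", "order_date", "ship_date")
VALID_ITEM_CODES = {"JKT-100", "BOOT-220", "TENT-310"}
MAX_QUANTITY = 500

def check_order(order: dict) -> list:
    """Return a list of control violations; an empty list means accept."""
    # Completeness control: every required field is present and non-empty.
    # Checked first, because the other controls need the fields to exist.
    missing = [f for f in REQUIRED if order.get(f) in (None, "")]
    if missing:
        return [f"completeness: missing {', '.join(missing)}"]
    errors = []
    # Data validation control: coded fields must match a known code.
    if order["item_code"] not in VALID_ITEM_CODES:
        errors.append(f"data validation: unknown item_code {order['item_code']!r}")
    # Value limit control: numeric fields must fall in a reasonable range.
    qty = order["quantity"]
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        errors.append(f"value limit: quantity {qty!r} outside 1..{MAX_QUANTITY}")
    # Field combination control: fields must make sense together.
    if order["ship_date"] < order["order_date"]:
        errors.append("field combination: ship_date precedes order_date")
    return errors

SAMPLE_ORDERS = [  # constructed input records
    {"customer_id": "C-1041", "item_code": "JKT-100", "quantity": 2,
     "order_date": date(2024, 3, 1), "ship_date": date(2024, 3, 4)},
    {"customer_id": "C-1041", "item_code": "JKT-999", "quantity": 5000,
     "order_date": date(2024, 3, 5), "ship_date": date(2024, 3, 2)},
    {"customer_id": "", "item_code": "TENT-310", "quantity": 1,
     "order_date": date(2024, 3, 5), "ship_date": None},
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.get("customer_id") or "<none>", check_order(o) or "accepted")
```
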
35. Database Integrity Controls
- Access control
- Data encryption
- Transaction control
- Update control
- Backup and recovery protection
36. Output Integrity Controls
- Ensures output arrives at proper destination and is correct, accurate, complete, and current
- Destination controls: output is channeled to correct people
- Completeness, accuracy, and correctness controls
- Appropriate information present on output
37. Integrity Controls to Prevent Fraud
- Three conditions are present in fraud cases
- Personal pressure, such as desire to maintain extravagant lifestyle
- Rationalization, such as a person's thoughts that "I will repay this money"
- Opportunity, such as unverified cash receipts
- Control of fraud requires both manual procedures and computer integrity controls
38. Fraud Risks and Prevention Techniques
39. Designing Security Controls
- Security controls protect assets of organization from all threats
- External threats such as hackers, viruses, worms, and message overload attacks
- Security control objectives
- Maintain stable, functioning operating environment for users and application systems (24 x 7)
- Protect information and transactions during transmission outside organization (public carriers)
40. Security for Access to Systems
- Used to control access to any resource managed by operating system or network
- User categories
- Unauthorized user: no authorization to access
- Registered user: authorized to access system
- Privileged user: authorized to administrate system
- Organized so that all resources can be accessed with same unique ID/password combination
41. Users and Access Roles to Computer Systems
42. Managing User Access
- Most common technique is user ID / password
- Authorization: Is user permitted to access?
- Access control list: users with rights to access
- Authentication: Is user who they claim to be?
- Smart card: computer readable plastic card with embedded security information
- Biometric devices: keystroke patterns, fingerprint, retinal scans, voice characteristics
43. Data Security
- Data and files themselves must be secure
- Encryption: primary security method
- Altering data so unauthorized users cannot view
- Decryption
- Altering encrypted data back to original state
- Symmetric key: same key encrypts and decrypts
- Asymmetric key: different key decrypts
- Public key: public encrypts, private decrypts
44. Symmetric Key Encryption
45. Asymmetric Key Encryption
46. Digital signatures and certificates
- Encryption of messages enables secure exchange of information between two entities with appropriate keys
- Digital signature encrypts document with private key to verify document author
- Digital certificate is institution's name and public key that is encrypted and certified by third party
- Certifying authority
- Verisign or Equifax
47. Using a Digital Certificate
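
How a receiver uses a certificate and a signature together: first confirm that the certifying authority vouched for the name and public key, then verify the document with that key. This is an added example, not from the textbook; it uses toy textbook RSA over a hash with constructed keys, and every function and party name is an assumption.

```python
import hashlib

# Toy textbook RSA for illustration only: small fixed primes and no padding.
# Production systems use a vetted library, 2048-bit or larger keys, and padding.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, private) -> int:
    """Apply the private key to the document's hash."""
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data: bytes, signature: int, public) -> bool:
    """Undo the signature with the public key and compare hashes."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(name: str, public) -> bytes:
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, public, ca_private):
    """Certifying authority binds an institution's name to its public key."""
    return {"name": name, "public": public,
            "ca_signature": sign(cert_body(name, public), ca_private)}

def check_signed_document(doc, doc_sig, cert, ca_public) -> bool:
    # Step 1: was this name/key pair certified by the authority we trust?
    body = cert_body(cert["name"], cert["public"])
    if not verify(body, cert["ca_signature"], ca_public):
        return False
    # Step 2: does the document verify under the certified public key?
    return verify(doc, doc_sig, cert["public"])

# Constructed sample keys, built from known Mersenne primes.
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RMO_PUB, RMO_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
```

Changing one character of the document, or swapping the public key inside the certificate, makes `check_signed_document` return `False`.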
48. Secure Transactions
- Standard set of methods and protocols for authentication, authorization, privacy, integrity
- Secure Sockets Layer (SSL), renamed as Transport Layer Security (TLS): protocol for secure channel to send messages over Internet
- IP Security (IPSec): newer standard for secure Internet message transmission
- Secure Hypertext Transport Protocol (HTTPS or HTTP-S): standard for transmitting Web pages securely (encryption, digital signing, certificates)
49. Summary
- System interfaces: all inputs/outputs except (GUI)
- Designing inputs to system is three-step process
- Identify devices/mechanisms used to enter input
- Identify system inputs, develop list of data content
- Determine controls and security necessary for each system input
- Traditional approach to design inputs and outputs
- DFDs, data flow definitions, structure charts
50. Summary (continued)
- OO approach to design inputs and outputs
- Sequence diagrams, class diagrams, DFDs
- Integrity controls and security designed into system
- Only appropriate and correct business transactions occur
- Transactions are recorded and processed correctly
- Protect and safeguard assets of the organization
- Control access to resources