Chapter 15 Design System Interfaces, Controls, and Security

1
Chapter 15 Design System Interfaces, Controls,
and Security

• Systems Analysis and Design in a Changing World,
  5th Edition

2
Learning Objectives

• Discuss examples of system interfaces found in
  information systems
• Define system inputs and outputs based on the
  requirements of the application program
• Design printed and on-screen reports appropriate
  for recipients
• Explain the importance of integrity controls
• Identify required integrity controls for inputs,
  outputs, data, and processing
• Discuss issues related to security that affect
  the design and operation of information systems

3
Overview

• This chapter focuses on system interfaces, system
  outputs, and system controls that do not require
  much human interaction
• Many system interfaces are electronic
  transmissions or paper outputs to external agents
• System developers need to design and implement
  integrity and security controls to protect system
  and its data
• Outside threats from Internet and e-commerce are
  growing concern

4
Identifying System Interfaces

• System interfaces are broadly defined as inputs
  or outputs with minimal or no human intervention
• Inputs from other systems (messages, EDI)?
• Highly automated input devices such as scanners
• Inputs that are from data in external databases
• Outputs to external databases
• Outputs with minimal HCI
• Outputs to other systems
• Real-time connections (both input and output)?

5
Full Range of Inputs and Outputs
Figure 15-1
6
eXtensible Markup Language (XML)?

• Extension of HTML that embeds self-defined data
  structures in textual messages
• Transaction that contains data fields can be sent
  with XML codes to define meaning of data fields
• XML provides common system-to-system interface
• XML is simple and readable by people
• Web services is based on XML to send business
  transactions over Internet

7
System-to-System Interface Based on XML
Figure 15-2
8
Design of System Inputs

• Identify devices and mechanisms used to enter
  input
• High-level review of most up-to-date methods to
  enter data
• Identify all system inputs and develop list of
  data content for each
• Provide link between design of application
  software and design of user and system interfaces
• Determine controls and security necessary for
  each system input

9
Input Devices and Mechanisms

• Capture data as close to original source as
  possible
• Use electronic devices and automatic entry
  whenever possible
• Avoid human involvement as much as possible
• Seek information in electronic form to avoid data
  re-entry
• Validate and correct information at entry point

10
Prevalent Input Devices to Avoid Human Data Entry

• Magnetic card strip readers
• Bar code readers
• Optical character recognition readers and
  scanners
• Radio-frequency identification tags
• Touch screens and devices
• Electronic pens and writing surfaces
• Digitizers, such as digital cameras and digital
  audio devices

11
Defining the Details of System Inputs

• Ensure all data inputs are identified and
  specified correctly
• Can use traditional structured models
• Identify automation boundary
• Use DFD fragments
• Segment by program boundaries
• Examine structure charts
• Analyze each module and data couple
• List individual data fields

12
Automation Boundary on a System-Level DFD
Figure 15-3
13
Create New Order DFD with an Automation Boundary
Figure 15-4
14
List of Inputs for Customer Support System
Figure 15-5
15
Structure Chart for Create New Order
Figure 15-6
16
Data Flows, Data Couples, and Data Elements
Making Up Inputs
Figure 15-7
17
Using Object-Oriented Models

• Identifying user and system inputs with OO
  approach has same tasks as traditional approach
• OO diagrams are used instead of DFDs and
  structure charts
• System sequence diagrams identify each incoming
  message
• Design class diagrams and sequence diagrams
  identify and describe input parameters and verify
  characteristics of inputs

18
Partial System Sequence Diagram for Payroll
System Use Cases
Figure 15-8
19
System Sequence Diagram for Create New Order
Figure 15-9
20
Input Messages and Data Parameters from RMO
System Sequence Diagram
Figure 15-10
21
Designing System Outputs

• Determine each type of output
• Make list of specific system outputs required
  based on application design
• Specify any necessary controls to protect
  information provided in output
• Design and prototype output layout
• Ad hoc reports designed as needed by user

22
Defining the Details of System Outputs

• Type of reports
• Printed reports
• Electronic displays
• Turnaround documents
• Can use traditional structured models to identify
  outputs
• Data flows crossing automation boundary
• Data couples and report data requirements on
  structure chart

23
Table of System Outputs Based on Traditional
Structured Approach
Figure 15-11
24
Using Object-Oriented Models

• Outputs indicated by messages in sequence
  diagrams
• Originate from internal system objects
• Sent to external actors or another external
  system
• Output messages based on an individual object are
  usually part of methods of that class object
• To report on all objects within a class,
  class-level method is used that works on entire
  class

25
Table of System Outputs Based on OO Messages
Figure 15-12
26
Designing Reports, Statements, and Turnaround
Documents

• Printed versus electronic
• Types of output reports
• Detailed
• Summary
• Exception
• Executive
• Internal versus external
• Graphical and multimedia presentation

27
RMO Summary Report with Drill Down to the
Detailed Report
Figure 15-16
28
Sample Bar Chart and Pie Chart Reports
Figure 15-17
29
Formatting Reports

• What is objective of report?
• Who is the intended audience?
• What is media for presentation?
• Avoid information overload
• Format considerations include meaningful
  headings, date of information, date report
  produced, page numbers

30
Designing Integrity Controls

• Mechanisms and procedures built into a system to
  safeguard it and information contained within
• Integrity controls
• Built into application and database system to
  safeguard information
• Security controls
• Built into operating system and network

31
Objectives of Integrity Controls

• Ensure that only appropriate and correct business
  transactions occur
• Ensure that transactions are recorded and
  processed correctly
• Protect and safeguard assets of the organization
• Software
• Hardware
• Information

32
Points of Security and Integrity Controls
Figure 15-18
33
Input Integrity Controls

• Used with all input mechanisms
• Additional level of verification to help reduce
  input errors
• Common control techniques
• Field combination controls
• Value limit controls
• Completeness controls
• Data validation controls

34
Database Integrity Controls

• Access controls
• Data encryption
• Transaction controls
• Update controls
• Backup and recovery protection

35
Output Integrity Controls

• Ensure output arrives at proper destination and
  is correct, accurate, complete, and current
• Destination controls - output is channeled to
  correct people
• Completeness, accuracy, and correctness controls
• Appropriate information present in output

36
Integrity Controls to Prevent Fraud

• Three conditions are present in fraud cases
• Personal pressure, such as desire to maintain
  extravagant lifestyle
• Rationalizations, including I will repay this
  money or I have this coming
• Opportunity, such as unverified cash receipts
• Control of fraud requires both manual procedures
  and computer integrity controls

37
Fraud Risks and Prevention Techniques
Figure 15-19
38
Designing Security Controls

• Security controls protect assets of organization
  from all threats
• External threats such as hackers, viruses, worms,
  and message overload attacks
• Security control objectives
• Maintain stable, functioning operating
  environment for users and application systems (24
  x 7)?
• Protect information and transactions during
  transmission outside organization (public
  carriers)?

39
Security for Access to Systems

• Used to control access to any resource managed by
  operating system or network
• User categories
• Unauthorized user no authorization to access
• Registered user authorized to access system
• Privileged user authorized to administrate
  system
• Organized so that all resources can be accessed
  with same unique ID/password combination

40
Users and Access Roles to Computer Systems
Figure 15-20
41
Managing User Access

• Most common technique is user ID / password
• Authorization Is user permitted to access?
• Access control list users with rights to access
• Authentication Is user who they claim to be?
• Smart card computer-readable plastic card with
  embedded security information
• Biometric devices keystroke patterns,
  fingerprinting, retinal scans, voice
  characteristics

42
Data Security

• Data and files themselves must be secure
• Encryption primary security method
• Altering data so unauthorized users cannot view
• Decryption
• Altering encrypted data back to its original
  state
• Symmetric key same key encrypts and decrypts
• Asymmetric key different key decrypts
• Public key public encrypts private decrypts

43
Symmetric Key Encryption
Figure 15-22
44
Asymmetric Key Encryption
Figure 15-23
45
Digital Signatures and Certificates

• Encryption of messages enables secure exchange of
  information between two entities with appropriate
  keys
• Digital signature encrypts document with private
  key to verify document author
• Digital certificate is institutions name and
  public key that is encrypted and certified by
  third party
• Certifying authority
• VeriSign or Equifax

46
Using a Digital Certificate
Figure 15-24
47
Secure Transactions

• Standard set of methods and protocols for
  authentication, authorization, privacy, integrity
• Secure Sockets Layer (SSL) renamed as Transport
  Layer Security (TLS) protocol for secure
  channel to send messages over Internet
• IP Security (IPSec) newer standard for
  transmitting Internet messages securely
• Secure Hypertext Transport Protocol (HTTPS or
  HTTP-S) standard for transmitting Web pages
  securely (encryption, digital signing,
  certificates)?

48
Summary

• System interfaces include all inputs and outputs
  except those that are part of GUI
• Designing inputs to system is three-step process
• Identify devices/mechanisms used to enter input
• Identify system inputs develop list of data
  content
• Determine controls and security necessary for
  each system input
• Traditional approach to design inputs and outputs
• DFDs, data flow definitions, structure charts

49
Summary (contd)?

• OO approach to design inputs and outputs
• Sequence diagrams, class diagrams
• Integrity controls and security designed into
  system
• Ensure only appropriate and correct business
  transactions occur
• Ensure transactions are recorded and processed
  correctly
• Protect and safeguard assets of the organization
• Control access to resources