1 / 53

Information System Security and Control

Chapter 15. Information System Security and Control. Objectives. Why are information systems so vulnerable to destruction, error, abuse, and system quality problems? What types of controls are available for information systems?

alika
Télécharger la présentation

Information System Security and Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 15 Information System Securityand Control

  2. Objectives • Why are information systems so vulnerable to destruction, error, abuse, and system quality problems? • What types of controls are available for information systems? • What special measures must be taken to ensure the reliability, availability and security of electronic commerce, and digital business processes?

  3. Objectives • What are the most important software quality assurance techniques? • Why are auditing information systems and safeguarding data quality so important?

  4. Management Challenges • Achieving a sensible balance between too little control and too much.. • Applying quality assurance standards in large systems projects.

  5. System Vulnerability and Abuse Why Systems Are Vulnerable • Accessibility to electronic data • Increasingly complex software, hardware • Network access points • Wireless vulnerability • Internet

  6. Hardware failure Software failure Personnel actions Terminal access penetration Theft of data, services, equipment Fire Electrical problems User errors Unauthorized program changes Telecommunication problems System Vulnerability and Abuse Threats to Computerized Information Systems

  7. System Vulnerability and Abuse Telecommunications networks vulnerabilities Figure 15-1

  8. System Vulnerability and Abuse Window on Organizations Credit Card Fraud: Still on the Rise • To what extent are Internet credit card thefts management and organizational problems, and to what extent are they technical problems? • Address the technology and management issues for both the credit card issuers and the retail companies. • Suggest possible ways to address the problem.

  9. System Vulnerability and Abuse Why Systems Are Vulnerable • Hacker • Trojan horse • Denial of service (DoS) attacks • Computer viruses • Worms • Antivirus software

  10. System Vulnerability and Abuse Window on Technology Smarter Worms and Viruses: The Worst Is Yet to Come • Why are worms so harmful? • Describe their business and organizational impact.

  11. System Vulnerability and Abuse Concerns for System Builders and Users • Disaster • Security • Administrative error • Cyberterrorism and Cyberwarfare

  12. System Vulnerability and Abuse Points in the processing cycle where errors can occur Figure 15-2

  13. System Vulnerability and Abuse System Quality Problems: Software and Data Bugs and Defects Complete testing not possible The Maintenance Nightmare Maintenance costs high due to organizational change, software complexity, and faulty system analysis and design

  14. System Vulnerability and Abuse The cost of errors over the systems development cycle Figure 15-3

  15. System Vulnerability and Abuse System Quality Problems: Software and Data Data Quality Problems Caused by errors during data input or faulty information system and database design

  16. Creating a Control Environment Controls • Methods, policies, and procedures • Protection of organization’s assets • Accuracy and reliability of records • Operational adherence to management standards

  17. Creating a Control Environment General Controls and Application Controls General Controls • Govern design, security, use of computer programs throughout organization • Apply to all computerized applications • Combination of hardware, software, manual procedures to create overall control environment

  18. Creating a Control Environment General Controls and Application Controls General Controls • Software controls • Hardware controls • Computer operations controls • Data security controls • Implementation • Administrative controls

  19. Creating a Control Environment Security profiles for a personnel system Figure 15-4

  20. Creating a Control Environment General Controls and Application Controls Application Controls • Automated and manual procedures that ensure only authorized data are processed by application • Unique to each computerized application • Classified as (1) input controls, (2) processing controls, and (3) output controls.

  21. Creating a Control Environment General Controls and Application Controls Application Controls Control totals: Input, processing Edit checks: Input Computer matching: Input, processing Run control totals: Processing, output Report distribution logs: Output

  22. Creating a Control Environment Protecting the Digital Firm • High-availability computing • Fault-tolerant computer systems • Disaster recovery planning • Business continuity planning • Load balancing; mirroring; clustering • Recovery-oriented computing • Managed security service providers (MSSPs)

  23. Creating a Control Environment Protecting the Digital Firm Internet Security Challenges • Public, accessible network • Abuses have widespread effect • Fixed Internet addresses • Corporate systems extended outside organization

  24. Creating a Control Environment Internet security challenges Figure 15-5

  25. Creating a Control Environment Protecting the Digital Firm • Firewall screening technologies • Static packet filtering • Stateful inspection • Network address translation • Application proxy filtering • Intrusion detection systems • Scanning software • Monitoring software

  26. Creating a Control Environment Protecting the Digital Firm Security and Electronic Commerce • Encryption • Authentication • Message integrity • Digital signatures • Digital certificates • Public key infrastructure (PKI)

  27. Creating a Control Environment Public key encryption Figure 15-6

  28. Creating a Control Environment Digital certificates Figure 15-7

  29. Creating a Control Environment Protecting the Digital Firm Security for Wireless Internet Access • Service set identifiers (SSID) • Identify access points in network • Form of password for user’s radio network interface card • Broadcast multiple time per second • Easily picked up by sniffer programs, war driving

  30. Creating a Control Environment Wi-Fi security challenges Figure 15-8

  31. Creating a Control Environment Protecting the Digital Firm • Wired Equivalent Privacy (WEP): • Initial security standard • Call for access point and all users to share the same 40-bit encrypted password • Wi-Fi Protected Access (WPA) specification • 128-bit, non-static encryption key • Data-packet checking

  32. Creating a Control Environment Developing a Control Structure: Costs and Benefits Criteria for Determining Control Structure • Importance of data • Cost effectiveness of control technique • Efficiency • Complexity • Expense • Risk assessment: Level of risk if not properly controlled • Potential frequency of problem • Potential damage

  33. Creating a Control Environment The Role of Auditing in the Control Process MIS Audit • Identifies all controls that govern individual information systems and assesses their effectiveness • Lists and ranks all control weaknesses and estimates the probability of their occurrence

  34. Creating a Control Environment Sample auditor’s list of control weaknesses Figure 15-9

  35. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Development Methodology • Collection of methods • One or more method for every activity in every phase of development project

  36. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Structured Methodologies • Used to document, analyze, design information systems • Top-down • Process-oriented • Linear • Includes: • Structured analysis • Structured design • Structured programming

  37. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Structured Analysis • Defines system inputs, processes, outputs • Logical graphic model of information flow • Data flow diagram • Data dictionary • Process specifications

  38. Ensuring System Quality: Software and Data Data flow diagram for mail-in university registration system Figure 15-10

  39. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Structured Design • Set of design rules and techniques • Promotes program clarity and simplicity • Design from top-down; main functions and subfunctions • Structure chart

  40. Ensuring System Quality: Software and Data High-level structure chart for a payroll system Figure 15-11

  41. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Structured Programming • Organizes and codes programs to simplify control paths for easy use and modification • Independent modules with one entry and exit point • Three basic control constructs: • Simple sequence • Selection • Iteration

  42. Ensuring System Quality: Software and Data Basic program control constructs Figure 15-12

  43. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Limitations of Traditional Methods • Can be inflexible and time-consuming • Programming depends on completion of analysis and design phases • Specification changes require changes in analysis and design documents first • Function-oriented

  44. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Unified Modeling Language (UML) • Industry standard for analysis and design of object-oriented systems • Represents different views using graphical diagrams • Underlying model integrates views for consistency during analysis, design, and implementation

  45. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools UML Components • Things: • Structural things Classes, interfaces, collaborations, use cases, active classes, components, nodes • Behavioral things Interactions, state machines • Grouping things Packages • Annotational things Notes

  46. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools UML Components • Relationships • Structural Dependencies, aggregations, associations, generalizations • Behavioral Communicates, includes, extends, generalizes • Diagrams • Structural Class, object, component, and deployment diagrams • Behavioral Use case, sequence, collaboration, stateschart, and activity diagrams

  47. Ensuring System Quality: Software and Data A UML use-case diagram Figure 15-13

  48. Ensuring System Quality: Software and Data A UML sequence diagram Figure 15-14

  49. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools Computer-Aided Software Engineering (CASE) • Automation of step-by-step methodologies • Reduce repetitive development work • Support documentation creation and revisions • Organize design components; design repository • Support code generation • Require organizational discipline

  50. Ensuring System Quality: Software and Data Software Quality Assurance Methodologies and Tools • Resource Allocation: Assigning costs, time, personnel to different development phases • Software Metrics: Quantified measurements of systems performance • Testing: Walkthroughs, debugging

More Related