This learning module explores the vulnerabilities inherent in information systems and the necessity for effective control measures to safeguard against destruction, error, and abuse. It highlights essential software quality assurance techniques and addresses management challenges related to system vulnerabilities. It outlines important security policies, procedures, and technical measures needed to protect data integrity and prevent unauthorized access. Moreover, it discusses the impact of common threats, such as hackers and viruses, and the importance of maintaining a robust quality control environment.
16. INFORMATION SYSTEMS SECURITY & CONTROL
LEARNING OBJECTIVES • DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS • COMPARE GENERAL AND APPLICATION CONTROLS • SELECT FACTORS FOR DEVELOPING CONTROLS *
LEARNING OBJECTIVES • DESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE TECHNIQUES • DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITY *
MANAGEMENT CHALLENGES • SYSTEM VULNERABILITY & ABUSE • CREATING A CONTROL ENVIRONMENT • ENSURING SYSTEM QUALITY *
SYSTEM VULNERABILITY & ABUSE • WHY SYSTEMS ARE VULNERABLE • HACKERS & VIRUSES • CONCERNS FOR BUILDERS & USERS • SYSTEM QUALITY PROBLEMS *
THREATS TO INFORMATION SYSTEMS • HARDWARE FAILURE • FIRE • SOFTWARE FAILURE • ELECTRICAL PROBLEMS • PERSONNEL ACTIONS • USER ERRORS • ACCESS PENETRATION • PROGRAM CHANGES • THEFT OF DATA, SERVICES, EQUIPMENT • TELECOMMUNICATIONS PROBLEMS *
WHY SYSTEMS ARE VULNERABLE • SYSTEM COMPLEXITY • COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED • EXTENSIVE EFFECT OF DISASTER • UNAUTHORIZED ACCESS POSSIBLE *
VULNERABILITIES • RADIATION: Allows recorders, bugs to tap system • CROSSTALK: Can garble data • HARDWARE: Improper connections, failure of protection circuits • SOFTWARE: Failure of protection features, access control, bounds control • FILES: Subject to theft, copying, unauthorized access *
VULNERABILITIES • USER: Identification, authentication, subtle software modification • PROGRAMMER: Disables protective features; reveals protective measures • MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities • OPERATOR: Doesn’t notify supervisor, reveals protective measures *
HACKERS & COMPUTER VIRUSES • HACKER: Person who gains access to a computer for profit, criminal mischief, personal pleasure • COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory *
COMMON COMPUTER VIRUSES • CONCEPT: Word documents, e-mail. Deletes files • FORM: Makes clicking sound, corrupts data • ONE_HALF: Corrupts hard drive, flashes its name on screen • MONKEY: Windows won’t run • JUNKIE: Infects files, boot sector, memory conflicts • RIPPER: Randomly corrupts hard drive files *
ANTIVIRUS SOFTWARE • SOFTWARE TO DETECT, ELIMINATE VIRUSES • ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES *
CONCERNS FOR BUILDERS & USERS • DISASTER • BREACH OF SECURITY • ERRORS *
DISASTER • LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY • FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing) *
SECURITY: POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS *
WHERE ERRORS OCCUR • DATA PREPARATION • TRANSMISSION • CONVERSION • FORM COMPLETION • ON-LINE DATA ENTRY • KEYPUNCHING; SCANNING; OTHER INPUTS *
WHERE ERRORS OCCUR • VALIDATION • PROCESSING / FILE MAINTENANCE • OUTPUT • TRANSMISSION • DISTRIBUTION *
SYSTEM QUALITY PROBLEMS • SOFTWARE & DATA • BUGS: Program code defects or errors • MAINTENANCE: Modifying a system in production use; can take up to 50% of analysts’ time • DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious *
COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE (chart: COSTS on the vertical axis, scale 1.00 to 6.00, against the stages ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION)
CREATING A CONTROL ENVIRONMENT • CONTROLS: METHODS, POLICIES, PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDS • GENERAL • APPLICATION *
GENERAL CONTROLS • IMPLEMENTATION: Audit system development to assure proper control, management • SOFTWARE: Ensure security, reliability of software • PHYSICAL HARDWARE: Ensure physical security, performance of computer hardware *
GENERAL CONTROLS • COMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processing • DATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destruction • ADMINISTRATIVE: Ensure controls properly executed, enforced • SEGREGATION OF FUNCTIONS: Divide responsibility for tasks *
APPLICATION CONTROLS • INPUT • PROCESSING • OUTPUT *
INPUT CONTROLS • INPUT AUTHORIZATION: Record, monitor source documents • DATA CONVERSION: Transcribe data properly from one form to another • BATCH CONTROL TOTALS: Count transactions prior to and after processing • EDIT CHECKS: Verify input data, correct errors *
PROCESSING CONTROLS: ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING • RUN CONTROL TOTALS: Generate control totals before & after processing • COMPUTER MATCHING: Match input data to master files *
OUTPUT CONTROLS: ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED • BALANCE INPUT, PROCESSING, OUTPUT TOTALS • REVIEW PROCESSING LOGS • ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS *
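As an added worked example (not part of the Laudon & Laudon slides), the input, processing and output controls above applied to a constructed batch of payment records: edit checks reject bad input, batch control totals (record count, financial total and a hash total on account numbers) are taken before and after processing, records are matched against a master file, and the output step checks that the totals balance. The record layout, account numbers and master file are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    account: int   # customer account number
    cents: int     # payment amount in cents (integers avoid rounding drift)

# Constructed sample batch: one bad account number, one zero amount,
# and account 1005 which is missing from the master file.
BATCH = [Payment(1001, 25000), Payment(1002, 7550), Payment(-7, 1000),
         Payment(1003, 0), Payment(1004, 12025), Payment(1005, 4000)]
MASTER_FILE = {1001, 1002, 1003, 1004}  # accounts known to the master file

def edit_checks(batch):
    """Input control: edit checks reject records that fail validation rules."""
    good = [p for p in batch if p.account > 0 and p.cents > 0]
    rejected = [p for p in batch if p not in good]
    return good, rejected

def control_totals(batch):
    """Batch / run control totals: record count, financial total and a
    hash total (sum of account numbers, meaningful only as a check value)."""
    return {"count": len(batch),
            "financial": sum(p.cents for p in batch),
            "hash": sum(p.account for p in batch)}

def computer_matching(batch):
    """Processing control: match each input record against the master file."""
    posted = [p for p in batch if p.account in MASTER_FILE]
    unmatched = [p for p in batch if p.account not in MASTER_FILE]
    return posted, unmatched

def balances(before, after, unmatched):
    """Output control: input totals must equal posted totals plus the
    totals of records that processing set aside as unmatched."""
    return all(before[k] == after[k] + unmatched[k] for k in before)

def run_batch(batch):
    good, rejected = edit_checks(batch)
    before = control_totals(good)            # totals taken before processing
    posted, unmatched = computer_matching(good)
    after = control_totals(posted)           # totals taken after processing
    return {"rejected": rejected, "unmatched": unmatched,
            "before": before, "after": after,
            "balanced": balances(before, after, control_totals(unmatched))}

if __name__ == "__main__":
    result = run_batch(BATCH)
    print("rejected:", len(result["rejected"]), "balanced:", result["balanced"])
```

A record silently dropped or altered between the two control-total runs shows up as a totals mismatch, which is what the "balance input, processing, output totals" step is meant to catch.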
SECURITY AND THE INTERNET • ENCRYPTION: Coding & scrambling messages to deny unauthorized access • AUTHENTICATION: Ability to identify another party • MESSAGE INTEGRITY • DIGITAL SIGNATURE • DIGITAL CERTIFICATE *
SECURITY AND THE INTERNET • SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on Internet • ELECTRONIC CASH: Currency represented in electronic form, preserving user anonymity *
DEVELOPING A CONTROL STRUCTURE • COSTS: Can be expensive to build; complicated to use • BENEFITS: Reduces expensive errors, loss of time, resources, good will • RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur *
MIS AUDIT: IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS • TESTING: Early, regular controlled efforts to detect, reduce errors • WALKTHROUGH • DEBUGGING • DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness *
For more information on this chapter, see the Laudon & Laudon web site.