html5-img
1 / 43

Chapter 9 - Control in Computerized Environment

Chapter 9 - Control in Computerized Environment. ATG 383 – Spring 2002. Computer Based Controls. General control - any control that relates to more than one system. Application control - a control that relates to one phase of application processing (input, processing, output).

tola
Télécharger la présentation

Chapter 9 - Control in Computerized Environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 9 - Control inComputerized Environment ATG 383 – Spring 2002

  2. Computer Based Controls • General control - any control that relates to more than one system. • Application control - a control that relates to one phase of application processing (input, processing, output).

  3. General Controls 12 controls are discussed on pages 286 - 308

  4. 1. Security Plan - What are the threats?

  5. 2a. Segregation of Duties - Systems Operations Users submit input Data control groups logs and reviews. Computer operations processes. Librarian Users receive output Data control groups logs output.

  6. 2b. Segregation of Duties - Systems Development Users request programming changes. Analysts develop specifications. Programmers make changes and test. Librarian maintains programs

  7. 3a. Project Development- Systems Development • Long range plan • Project development plan • Assign responsibility to project manager • Performance evaluations • Post implementation review

  8. 3b. Management of AIS- Systems Operations • Data processing schedule • System performance measurements

  9. 4. Physical Access Controls Goal is to prevent unauthorized people from gaining access • Locked rooms • Security guards and cameras • Identification badges

  10. 5. Logical Access Controls • Identify who are authorized users. • System must assign “rights” to users. • See access control matrix, p. 294.

  11. I will show you some examplesof hacked web sites.

  12. 6. Data Storage Controls • These controls can be used to protect data in addition to physical and logical access controls: • Properly supervised file library. • Labels. • Concurrent update controls.

  13. 6. Data Storage Controls • Record locking - prevents two people from accessing a file at the same time. “A” wants to increase the balance by $20. “B” wants to decrease the balance by $50. Customer’s Balance = $100 Read balance - $100 Read balance - $100 Update - $120 Write balance - $120

  14. 6. Data Storage Controls • Record locking - prevents two people from accessing a file at the same time. “A” wants to increase the balance by $20. “B” wants to decrease the balance by $50. Customer’s Balance = $100 Read balance - $100 Read balance - $100 Update - $120 Update - $50 Customer’s Balance - $120 Write balance - $120 Write balance - $50

  15. 6. Data Storage Controls • Record locking - prevents two people from accessing a file at the same time. “A” wants to increase the balance by $20. “B” wants to decrease the balance by $50. Customer’s Balance = $100 Read balance - $100 Read balance - $100 Update - $120 Update - $50 Customer’s Balance - $50 Write balance - $120 Write balance - $50

  16. 7. Data Transmission Controls • Purpose is to detect errors in transmission and prevent theft of data during transmission

  17. Preventing Theft of Data • Encryption - • scramble plaintext and create cyphertext • transmit cyphertext or save on disk • decrypt cyphertext and return to plaintext • Two types of encryption • Secret key • Public key

  18. Rule for Secret Key Encryption Message Key Cyphertext 0 0 0 0 1 1 1 0 1 1 1 0

  19. Secret Key Encryption • Use same key for coding and decoding. • Therefore, key must be kept secret. Message 00110011 Key 10101100 Cyphertext 10011111 Key 10101100 Plaintext 00110011

  20. Public Key Encryption • Uses two keys. A public key and a private key. • Use one key to encrypt. • Can only use other key to decrypt.

  21. Securing messages • Cyphertext is created using private key. • Since senders is only one who has private key, you know who created the message. • However, this technique allows anyone to read the message.

  22. Public Key Encryption Encrypt with sender's ___________ key. Message Decrypt with sender's ___________ key. Message

  23. Securing messages • Cyphertext is created using public key. • This technique assures receiver is only one who can read message. • However, this technique does not tell you who was the sender.

  24. Public Key Encryption Encrypt with recipient's ___________ key. Message Decrypt with recipient's ___________ key. Message

  25. What is needed • Assurance that message was created by sender. • Assurance that message can only be read by recipient.

  26. Digital Signatures Plain text message Plain text message Encrypt with sender’s private key Decrypt with sender’s public key Encrypt with recipient’s public key Decrypt with recipient’s private key

  27. Detecting Transmission Errors • Send extra data that can be used to check “message” data • Parity checking • add extra bit so that sum of “1” bits is always odd or even • A = 1000001_ • B = 1000010_ • C = 1000011_ • D = 1000100_ Assume even parity

  28. Message Acknowledgement • Add labels & batch numbers to the data • Echoing Start Code Address Batch Number Data Parity Check End Code

  29. 9. Minimize Downtime Two approaches: • Prevent down time with routine checking of hardware. • Make system fault tolerant. • Install redundant hardware. If component fails, system switches to new component. • Example: UPS provides power back-up when electricity is lost.

  30. 10. Disaster Recovery • Plan for duplicating computer operations after a catastrophe occurs. • Data and programs recovery: • Create backup copies (data and applications) and store offsite. • Save several generations of master files and transaction files. • Checkpoint.

  31. Backing up Batch Systems Grandfather master file + Transaction file = Father master file Father master file + Transaction File = Son master file

  32. Hardware Backup Maintain duplicate hardware facilities in remote location • Hot Site - ready to go computer site - brought live in very short time • Cold Site - site that can be brought live in reasonable time

  33. 11. Personal Computers & Networks

  34. 12. Internet Controls http://www.traceroute.org/

  35. Firewalls • Method of controlling access to / from one network to another. • How this works? • Only allows messages to & from approved sites. • Allows messages to & from sites not specifically excluded.

  36. Application Controls Input - Processing - Output

  37. Application Controls • 4 controls listed in text relate to input: • Batch totals, • Source Data Controls, • Input Validation Routines, • On-line Data Entry Controls.

  38. Application Controls - Input • Objectives • Make sure data is successfully transferred from source documents into the system. • Detect obvious errors before the data is processed.

  39. Input Control Example • Look at the sales order on page 422. • How can input errors occur? • What controls can be used to prevent, or detect and correct, these errors?

  40. Application Controls - Processing • Goal is to detect errors during processing • Default values • Edit checks

  41. Application Controls -Output • Goal is to detect errors in output & deliver output to correct person: • Data control group • End user review • Reconciliation • Check Ids • Passwords

  42. Two broad categories of controls

More Related