information system security and control n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Information System Security and Control PowerPoint Presentation
Download Presentation
Information System Security and Control

Loading in 2 Seconds...

play fullscreen
1 / 53

Information System Security and Control - PowerPoint PPT Presentation


  • 134 Views
  • Uploaded on

Chapter 15. Information System Security and Control. Objectives. Why are information systems so vulnerable to destruction, error, abuse, and system quality problems? What types of controls are available for information systems?

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Information System Security and Control' - alika


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
objectives
Objectives
  • Why are information systems so vulnerable to destruction, error, abuse, and system quality problems?
  • What types of controls are available for information systems?
  • What special measures must be taken to ensure the reliability, availability and security of electronic commerce, and digital business processes?
objectives1
Objectives
  • What are the most important software quality assurance techniques?
  • Why are auditing information systems and safeguarding data quality so important?
management challenges
Management Challenges
  • Achieving a sensible balance between too little control and too much..
  • Applying quality assurance standards in large systems projects.
system vulnerability and abuse
System Vulnerability and Abuse

Why Systems Are Vulnerable

  • Accessibility to electronic data
  • Increasingly complex software, hardware
  • Network access points
  • Wireless vulnerability
  • Internet
system vulnerability and abuse1
Hardware failure

Software failure

Personnel actions

Terminal access penetration

Theft of data, services, equipment

Fire

Electrical problems

User errors

Unauthorized program changes

Telecommunication problems

System Vulnerability and Abuse

Threats to Computerized Information Systems

system vulnerability and abuse2
System Vulnerability and Abuse

Telecommunications networks vulnerabilities

Figure 15-1

system vulnerability and abuse3
System Vulnerability and Abuse

Window on Organizations

Credit Card Fraud: Still on the Rise

  • To what extent are Internet credit card thefts management and organizational problems, and to what extent are they technical problems?
  • Address the technology and management issues for both the credit card issuers and the retail companies.
  • Suggest possible ways to address the problem.
system vulnerability and abuse4
System Vulnerability and Abuse

Why Systems Are Vulnerable

  • Hacker
  • Trojan horse
  • Denial of service (DoS) attacks
  • Computer viruses
  • Worms
  • Antivirus software
system vulnerability and abuse5
System Vulnerability and Abuse

Window on Technology

Smarter Worms and Viruses:

The Worst Is Yet to Come

  • Why are worms so harmful?
  • Describe their business and organizational impact.
system vulnerability and abuse6
System Vulnerability and Abuse

Concerns for System Builders and Users

  • Disaster
  • Security
  • Administrative error
  • Cyberterrorism and Cyberwarfare
system vulnerability and abuse7
System Vulnerability and Abuse

Points in the processing cycle where errors can occur

Figure 15-2

system vulnerability and abuse8
System Vulnerability and Abuse

System Quality Problems: Software and Data

Bugs and Defects

Complete testing not possible

The Maintenance Nightmare

Maintenance costs high due to organizational change, software complexity, and faulty system analysis and design

system vulnerability and abuse9
System Vulnerability and Abuse

The cost of errors over the systems development cycle

Figure 15-3

system vulnerability and abuse10
System Vulnerability and Abuse

System Quality Problems: Software and Data

Data Quality Problems

Caused by errors during data input or faulty information system and database design

creating a control environment
Creating a Control Environment

Controls

  • Methods, policies, and procedures
  • Protection of organization’s assets
  • Accuracy and reliability of records
  • Operational adherence to management standards
creating a control environment1
Creating a Control Environment

General Controls and Application Controls

General Controls

  • Govern design, security, use of computer programs throughout organization
  • Apply to all computerized applications
  • Combination of hardware, software, manual procedures to create overall control environment
creating a control environment2
Creating a Control Environment

General Controls and Application Controls

General Controls

  • Software controls
  • Hardware controls
  • Computer operations controls
  • Data security controls
  • Implementation
  • Administrative controls
creating a control environment3
Creating a Control Environment

Security profiles for a personnel system

Figure 15-4

creating a control environment4
Creating a Control Environment

General Controls and Application Controls

Application Controls

  • Automated and manual procedures that ensure only authorized data are processed by application
  • Unique to each computerized application
  • Classified as (1) input controls, (2) processing controls, and (3) output controls.
creating a control environment5
Creating a Control Environment

General Controls and Application Controls

Application Controls

Control totals: Input, processing

Edit checks: Input

Computer matching: Input, processing

Run control totals: Processing, output

Report distribution logs: Output

creating a control environment6
Creating a Control Environment

Protecting the Digital Firm

  • High-availability computing
  • Fault-tolerant computer systems
  • Disaster recovery planning
  • Business continuity planning
  • Load balancing; mirroring; clustering
  • Recovery-oriented computing
  • Managed security service providers (MSSPs)
creating a control environment7
Creating a Control Environment

Protecting the Digital Firm

Internet Security Challenges

  • Public, accessible network
  • Abuses have widespread effect
  • Fixed Internet addresses
  • Corporate systems extended outside organization
creating a control environment8
Creating a Control Environment

Internet security challenges

Figure 15-5

creating a control environment9
Creating a Control Environment

Protecting the Digital Firm

  • Firewall screening technologies
      • Static packet filtering
      • Stateful inspection
      • Network address translation
      • Application proxy filtering
  • Intrusion detection systems
      • Scanning software
      • Monitoring software
creating a control environment10
Creating a Control Environment

Protecting the Digital Firm

Security and Electronic Commerce

  • Encryption
  • Authentication
  • Message integrity
  • Digital signatures
  • Digital certificates
  • Public key infrastructure (PKI)
creating a control environment11
Creating a Control Environment

Public key encryption

Figure 15-6

creating a control environment12
Creating a Control Environment

Digital certificates

Figure 15-7

creating a control environment13
Creating a Control Environment

Protecting the Digital Firm

Security for Wireless Internet Access

  • Service set identifiers (SSID)
    • Identify access points in network
    • Form of password for user’s radio network interface card
    • Broadcast multiple time per second
    • Easily picked up by sniffer programs, war driving
creating a control environment14
Creating a Control Environment

Wi-Fi security challenges

Figure 15-8

creating a control environment15
Creating a Control Environment

Protecting the Digital Firm

  • Wired Equivalent Privacy (WEP):
    • Initial security standard
    • Call for access point and all users to share the same 40-bit encrypted password
  • Wi-Fi Protected Access (WPA) specification
    • 128-bit, non-static encryption key
    • Data-packet checking
creating a control environment16
Creating a Control Environment

Developing a Control Structure: Costs and Benefits

Criteria for Determining Control Structure

  • Importance of data
  • Cost effectiveness of control technique
    • Efficiency
    • Complexity
    • Expense
  • Risk assessment: Level of risk if not properly controlled
    • Potential frequency of problem
    • Potential damage
creating a control environment17
Creating a Control Environment

The Role of Auditing in the Control Process

MIS Audit

  • Identifies all controls that govern individual information systems and assesses their effectiveness
  • Lists and ranks all control weaknesses and estimates the probability of their occurrence
creating a control environment18
Creating a Control Environment

Sample auditor’s list of control weaknesses

Figure 15-9

ensuring system quality software and data
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Development Methodology

  • Collection of methods
  • One or more method for every activity in every phase of development project
ensuring system quality software and data1
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Methodologies

  • Used to document, analyze, design information systems
  • Top-down
  • Process-oriented
  • Linear
  • Includes:
    • Structured analysis
    • Structured design
    • Structured programming
ensuring system quality software and data2
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Analysis

  • Defines system inputs, processes, outputs
  • Logical graphic model of information flow
  • Data flow diagram
  • Data dictionary
  • Process specifications
ensuring system quality software and data3
Ensuring System Quality: Software and Data

Data flow diagram for mail-in university registration system

Figure 15-10

ensuring system quality software and data4
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Design

  • Set of design rules and techniques
  • Promotes program clarity and simplicity
  • Design from top-down; main functions and subfunctions
  • Structure chart
ensuring system quality software and data5
Ensuring System Quality: Software and Data

High-level structure chart for a payroll system

Figure 15-11

ensuring system quality software and data6
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Programming

  • Organizes and codes programs to simplify control paths for easy use and modification
  • Independent modules with one entry and exit point
  • Three basic control constructs:
    • Simple sequence
    • Selection
    • Iteration
ensuring system quality software and data7
Ensuring System Quality: Software and Data

Basic program control constructs

Figure 15-12

ensuring system quality software and data8
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Limitations of Traditional Methods

  • Can be inflexible and time-consuming
  • Programming depends on completion of analysis and design phases
  • Specification changes require changes in analysis and design documents first
  • Function-oriented
ensuring system quality software and data9
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Unified Modeling Language (UML)

  • Industry standard for analysis and design of object-oriented systems
  • Represents different views using graphical diagrams
  • Underlying model integrates views for consistency during analysis, design, and implementation
ensuring system quality software and data10
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

UML Components

  • Things:
    • Structural things Classes, interfaces, collaborations, use cases, active classes, components, nodes
    • Behavioral things Interactions, state machines
    • Grouping things Packages
    • Annotational things Notes
ensuring system quality software and data11
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

UML Components

  • Relationships
    • Structural Dependencies, aggregations, associations, generalizations
    • Behavioral Communicates, includes, extends, generalizes
  • Diagrams
    • Structural Class, object, component, and deployment diagrams
    • Behavioral Use case, sequence, collaboration, stateschart, and activity diagrams
ensuring system quality software and data12
Ensuring System Quality: Software and Data

A UML use-case diagram

Figure 15-13

ensuring system quality software and data13
Ensuring System Quality: Software and Data

A UML sequence diagram

Figure 15-14

ensuring system quality software and data14
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Computer-Aided Software Engineering (CASE)

  • Automation of step-by-step methodologies
  • Reduce repetitive development work
  • Support documentation creation and revisions
  • Organize design components; design repository
  • Support code generation
  • Require organizational discipline
ensuring system quality software and data15
Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

  • Resource Allocation: Assigning costs, time, personnel to different development phases
  • Software Metrics: Quantified measurements of systems performance
  • Testing: Walkthroughs, debugging
ensuring system quality software and data16
Ensuring System Quality: Software and Data

Data Quality Audits and Data Cleansing

  • Data Quality Audit
    • Survey end users for perceptions of data quality
    • Survey entire data files
    • Survey samples from data files
  • Data Cleansing
    • Correcting errors and inconsistencies in data between business units
chapter 15 case study
Chapter 15 Case Study

Could a Missing Hard Drive Create Canada’s Biggest Identity Theft?

  • Summarize the ISM security problem and its impact on ISM and its clients.
  • Describe the control weaknesses of ISM and those of its clients that made it possible for this problem to occur. What management, organization, and technology factors contributed to those weaknesses?
chapter 15 case study1
Chapter 15 Case Study

Could a Missing Hard Drive Create Canada’s Biggest Identity Theft?

  • Was the disappearance of the hard drive a management problem, an organization problem, or a technical problem? Explain your answer.
  • If you were responsible for designing security at ISM and its client companies, what would you have done differently? How would you have solved their control problems?