INFORMATION SYSTEMS SECURITY & CONTROL

Presentation transcript:

14 INFORMATION SYSTEMS SECURITY & CONTROL

LEARNING OBJECTIVES
DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS
COMPARE GENERAL AND APPLICATION CONTROLS

LEARNING OBJECTIVES
DESCRIBE MEASURES TO ENSURE RELIABILITY, AVAILABILITY, SECURITY OF E-COMMERCE, DIGITAL BUSINESS PROCESSES

LEARNING OBJECTIVES
DESCRIBE IMPORTANT SOFTWARE QUALITY-ASSURANCE TECHNIQUES
DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITY

MANAGEMENT CHALLENGES
SYSTEM VULNERABILITY & ABUSE
CREATING A CONTROL ENVIRONMENT
ENSURING SYSTEM QUALITY

SYSTEM VULNERABILITY & ABUSE
WHY SYSTEMS ARE VULNERABLE
HACKERS & VIRUSES
CONCERNS FOR BUILDERS & USERS
SYSTEM QUALITY PROBLEMS

THREATS TO INFORMATION SYSTEMS
HARDWARE FAILURE
FIRE
SOFTWARE FAILURE
ELECTRICAL PROBLEMS
PERSONNEL ACTIONS
USER ERRORS
ACCESS PENETRATION
PROGRAM CHANGES
THEFT OF DATA, SERVICES, EQUIPMENT
TELECOMMUNICATIONS PROBLEMS

WHY SYSTEMS ARE VULNERABLE
SYSTEM COMPLEXITY
COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED
EXTENSIVE EFFECT OF DISASTER
UNAUTHORIZED ACCESS POSSIBLE

VULNERABILITIES
RADIATION: Allows recorders, bugs to tap system
CROSSTALK: Can garble data
HARDWARE: Improper connections, failure of protection circuits
SOFTWARE: Failure of protection features, access control, bounds control
FILES: Subject to theft, copying, unauthorized access

VULNERABILITIES
USER: Identification, authentication, subtle software modification
PROGRAMMER: Disables protective features; reveals protective measures
MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities
OPERATOR: Doesn't notify supervisor; reveals protective measures

HACKERS & COMPUTER VIRUSES
HACKER: Person who gains access to a computer for profit, criminal mischief, or personal pleasure
COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory

COMMON COMPUTER VIRUSES
CONCEPT, MELISSA: Word documents, e-mail; deletes files
FORM: Makes clicking sound, corrupts data
EXPLORE.EXE: Attached to e-mail, tries to e-mail itself to others, destroys files
MONKEY: Windows won't run
CHERNOBYL: Erases hard drive, ROM BIOS
JUNKIE: Infects files, boot sector; memory conflicts

ANTIVIRUS SOFTWARE
SOFTWARE TO DETECT AND ELIMINATE VIRUSES
ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS AND ON INCOMING NETWORK FILES

CONCERNS FOR BUILDERS & USERS
DISASTER
BREACH OF SECURITY
ERRORS

DISASTER
LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY
FAULT-TOLERANT COMPUTER SYSTEMS: Backup systems to prevent system failure (particularly for on-line transaction processing)

SECURITY
POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS

WHERE ERRORS OCCUR
DATA PREPARATION
TRANSMISSION
CONVERSION
FORM COMPLETION
ON-LINE DATA ENTRY
KEYPUNCHING; SCANNING; OTHER INPUTS

WHERE ERRORS OCCUR
VALIDATION
PROCESSING / FILE MAINTENANCE
OUTPUT
TRANSMISSION
DISTRIBUTION

SYSTEM QUALITY PROBLEMS
SOFTWARE & DATA
BUGS: Program code defects or errors
MAINTENANCE: Modifying a system in production use; can take up to 50% of analysts' time
DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious

COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
[Chart: vertical axis COSTS, ticks 1.00 to 6.00; development stages ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]

CREATING A CONTROL ENVIRONMENT
CONTROLS: Methods, policies, procedures to protect assets; ensure accuracy & reliability of records; adherence to management standards
GENERAL CONTROLS
APPLICATION CONTROLS

GENERAL CONTROLS
IMPLEMENTATION: Audit system development to assure proper control and management
SOFTWARE: Ensure security, reliability of software
PHYSICAL HARDWARE: Ensure physical security, performance of computer hardware

GENERAL CONTROLS
COMPUTER OPERATIONS: Ensure procedures are consistently and correctly applied to data storage and processing
DATA SECURITY: Ensure data disks, tapes are protected from wrongful access, change, destruction
ADMINISTRATIVE: Ensure controls are properly executed and enforced
SEGREGATION OF FUNCTIONS: Divide responsibility for tasks

APPLICATION CONTROLS
INPUT
PROCESSING
OUTPUT

INPUT CONTROLS
INPUT AUTHORIZATION: Record, monitor source documents
DATA CONVERSION: Transcribe data properly from one form to another
BATCH CONTROL TOTALS: Count transactions prior to and after processing
EDIT CHECKS: Verify input data, correct errors

PROCESSING CONTROLS
ESTABLISH THAT DATA IS COMPLETE AND ACCURATE DURING PROCESSING
RUN CONTROL TOTALS: Generate control totals before & after processing
COMPUTER MATCHING: Match input data to master files

OUTPUT CONTROLS
ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED
BALANCE INPUT, PROCESSING, OUTPUT TOTALS
REVIEW PROCESSING LOGS
ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
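As an added example (not from the slides), the input, processing and output controls above applied in Python to one constructed batch of payroll time-card transactions; the employee ids, hours and batch header are made-up sample values, and the 80-hour edit limit is an assumed business rule:

```python
# Added example, not from the slides: one batch of constructed payroll
# transactions run through input, processing and output controls.
from typing import Dict, List

# Constructed sample data: employee master file, a batch of time-card
# transactions, and the batch header recorded at input authorization.
MASTER_FILE = {"E001": "Ada", "E002": "Grace", "E003": "Linus"}
BATCH = [
    {"emp": "E001", "hours": 40},
    {"emp": "E002", "hours": 38},
    {"emp": "E999", "hours": 41},   # no master record: fails computer matching
    {"emp": "E003", "hours": -5},   # impossible value: fails edit check
]
BATCH_HEADER = {"count": 4, "hash_total": 114}   # 40 + 38 + 41 + (-5)


def edit_checks(tx: Dict) -> List[str]:
    """Input control: field-level validation of one transaction."""
    errors = []
    emp = tx.get("emp", "")
    if not (len(emp) == 4 and emp[0] == "E" and emp[1:].isdigit()):
        errors.append("bad employee id format")
    hours = tx.get("hours")
    if not (isinstance(hours, int) and 0 <= hours <= 80):   # assumed 80h limit
        errors.append("hours out of range")
    return errors

def control_totals(batch: List[Dict]) -> Dict[str, int]:
    """Record count and hash total of hours; taken before and after processing."""
    return {"count": len(batch), "hash_total": sum(t["hours"] for t in batch)}

def process_batch(batch: List[Dict], header: Dict, master: Dict) -> Dict:
    # Input control: batch control totals must agree with the authorized header
    # before any record is processed; otherwise the whole batch is refused.
    if control_totals(batch) != header:
        raise ValueError(f"batch totals {control_totals(batch)} != header {header}")
    accepted, rejected = [], []
    for tx in batch:
        errors = edit_checks(tx)
        if tx["emp"] not in master:          # processing control: computer matching
            errors.append("no master record")
        (rejected if errors else accepted).append((tx, errors))
    # Processing control: run control totals over the records actually accepted.
    run = control_totals([tx for tx, _ in accepted])
    # Output control: accepted + rejected must balance back to the input totals.
    rejected_hours = sum(tx["hours"] for tx, _ in rejected)
    balanced = (run["count"] + len(rejected) == header["count"]
                and run["hash_total"] + rejected_hours == header["hash_total"])
    return {"accepted": accepted, "rejected": rejected,
            "run_totals": run, "balanced": balanced}
```

A batch whose totals differ from its header is refused outright, which is the point of batch control totals: a lost or duplicated source document is caught before anything reaches the master file.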

SECURITY AND THE INTERNET
ENCRYPTION: Coding & scrambling messages to deny unauthorized access
AUTHENTICATION: Ability to identify another party
MESSAGE INTEGRITY
DIGITAL SIGNATURE
DIGITAL CERTIFICATE

SECURITY AND THE INTERNET
PUBLIC KEY ENCRYPTION
[Diagram: SENDER encrypts with the public key -> SCRAMBLED MESSAGE -> RECIPIENT decrypts with the private key]

SECURITY AND THE INTERNET
DIGITAL WALLET: Software stores credit card, electronic cash, owner ID, address for e-commerce transactions
SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on the Internet

SECURITY AND THE INTERNET
ELECTRONIC PAYMENT SYSTEMS
CREDIT CARD (SET): Protocol for payment security
ELECTRONIC CASH: Digital currency
ELECTRONIC CHECK: Encrypted digital signature
SMART CARD: Chip stores e-cash
ELECTRONIC BILL PAYMENT: Electronic funds transfer

DEVELOPING A CONTROL STRUCTURE
COSTS: Can be expensive to build; complicated to use
BENEFITS: Reduces expensive errors, loss of time, resources, good will
RISK ASSESSMENT: Determine frequency of occurrence of a problem, and the cost or damage if it were to occur

SYSTEM BUILDING APPROACHES
STRUCTURED METHODOLOGIES
COMPUTER AIDED SOFTWARE ENGINEERING (CASE)
SOFTWARE REENGINEERING

STRUCTURED METHODOLOGIES
TOP DOWN, STEP BY STEP, EACH STEP BUILDS ON PREVIOUS
STRUCTURED ANALYSIS
STRUCTURED DESIGN
STRUCTURED PROGRAMMING
FLOWCHARTS

STRUCTURED ANALYSIS
DEFINES SYSTEM INPUTS, PROCESSES, OUTPUTS
PARTITIONS SYSTEM INTO SUBSYSTEMS OR MODULES
LOGICAL, GRAPHICAL MODEL OF INFORMATION FLOW
DATA FLOW DIAGRAM: Graphical display of component processes, flow of data

SYMBOLS FOR DATA FLOW DIAGRAMS (DFD):
[Figure: symbols for PROCESS, SOURCE OR SINK, FILE]

DATA FLOW DIAGRAM:
[Diagram residue; elements shown: CUSTOMER, BALANCE, GENERATE BILL, PAYMENT FILE, REPORT, BALANCE REPORT, MANAGER]

STRUCTURED ANALYSIS
DATA DICTIONARY: Controlled definitions and descriptions of all data, such as variable names & types of data
PROCESS SPECIFICATIONS: Describe the logic of processes at module level

STRUCTURED DESIGN
DESIGN RULES / TECHNIQUES TO DESIGN SYSTEM TOP DOWN IN HIERARCHICAL FASHION
STRUCTURE CHART
STRUCTURED PROGRAMMING
MODULE
SEQUENCE CONSTRUCT
SELECTION CONSTRUCT

HIGH LEVEL STRUCTURE CHART:
[Structure chart (white boxes are modules): PROCESS PAYROLL at the top, with subordinate modules GET VALID INPUTS, CALCULATE PAY, UPDATE MASTER FILE, WRITE OUTPUTS; GET VALID INPUTS breaks down into GET and VALIDATE, CALCULATE PAY into GROSS PAY and NET PAY]

STRUCTURED PROGRAMMING:
DISCIPLINE TO ORGANIZE, CODE PROGRAMS
SIMPLIFIES CONTROL PATHS
EASY TO UNDERSTAND, MODIFY
MODULE HAS ONE INPUT, ONE OUTPUT

STRUCTURED PROGRAMMING:
MODULE: Logical unit of a program; performs specific task(s)
SEQUENCE CONSTRUCT: Sequential steps or actions in program logic; streamlines flow
SELECTION CONSTRUCT: IF condition R is true THEN action C ELSE action D
ITERATION CONSTRUCT: WHILE condition is true DO action E

PROGRAM FLOWCHART SYMBOLS:

PROGRAM FLOWCHART:
[Flowchart residue: START; READ; selection on amount, >$10,000 -> PROCESS A, <$10,000 -> PROCESS B; MORE? decision repeats the loop; PRINT >$10,000 REPORT; END; connectors 1 and 2]

PROGRAM FLOWCHART:
[Flowchart residue: SEQUENCE: PROCESS A then PROCESS B; SELECTION: R TRUE -> PROCESS C, otherwise PROCESS D; ITERATION: while S TRUE do PROCESS E]

SYSTEM FLOWCHART SYMBOLS:

SYSTEM FLOWCHART: PAYROLL SYSTEM
[Flowchart residue: inputs TIME CARDS and HUMAN RESOURCES DATA -> LOAD & VALIDATE -> VALID TRANSACTIONS -> COMPARE & UPDATE against PAYROLL MASTER -> outputs UPDATED PAYROLL MASTER, DIRECT DEPOSITS, GENERAL LEDGER, PAYROLL REPORTS & CHECKS]

COMPUTER AIDED SOFTWARE ENGINEERING (CASE)
AUTOMATION OF SOFTWARE METHODOLOGIES
PRODUCES: CHARTS; DIAGRAMS; SCREEN & REPORT GENERATORS; DATA DICTIONARIES; PROGRESS REPORTS; ANALYSIS AND CHECKING TOOLS; CODE; DOCUMENTATION

COMPUTER AIDED SOFTWARE ENGINEERING (CASE)
INCREASES PRODUCTIVITY & QUALITY:
ENFORCES DEVELOPMENT DISCIPLINE
IMPROVES COMMUNICATION
DESIGN REPOSITORY FOR OBJECTS
AUTOMATES TEDIOUS TASKS
AUTOMATES TESTING & CONTROL
REQUIRES ORGANIZATIONAL DISCIPLINE

MIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS
SOFTWARE METRICS: Objective measurements to assess system
TESTING: Early, regular, controlled efforts to detect and reduce errors
WALKTHROUGH
DEBUGGING
DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness