Information Systems Security and Control

Presentation transcript:

Information Systems Security and Control Chapter 13

Why are computer systems more vulnerable than manual systems to destruction, fraud, error, and misuse? Computer systems tend to be more vulnerable than manual systems for the following reasons:
- Data is stored electronically, where it is not immediately visible or easily audited.
- Data is concentrated in electronic files, so a single event can affect many records at once.
- The effects of a disaster such as a hardware malfunction or power outage can be far more extensive; an organization's entire record-keeping system could be destroyed.
- There may be no visible trail showing what occurred in each computer process.
- Operating automated systems requires specialized technical expertise, so few people can see what the system is doing.
- It may be easy for programmers and computer operators to make unauthorized changes.
- In on-line systems, data files can be accessed and manipulated directly through terminals.

Name some of the key areas where systems are most vulnerable. Key areas where systems are most vulnerable include: hardware or software failure and errors; unauthorized usage; fire or electrical hazards; user errors; theft of services, data and equipment; unauthorized program changes; and telecommunications problems.

Name some features of on-line information systems that make them difficult to control. Features of on-line systems that make them difficult to control: There is a greater chance of unauthorized access to, or manipulation of, data directly via terminals. Telecommunications links multiply the opportunities for unauthorized access and penetration. Hardware, software, and organizational arrangements are more complex for such systems.

What are fault-tolerant computer systems? Fault-tolerant computer systems contain redundant hardware, software, and power supply components that can take over and keep the system running when a component fails, so that a single failure does not become a system failure. They contain extra memory chips, processors, and disk storage devices. They should be used by firms for critical applications with heavy on-line transaction processing requirements, where even a short outage is costly.

How can bad software and data quality affect system performance and reliability? The software can fail to perform, perform erratically, or give erroneous results. A control system that fails to perform can mean medical equipment that fails or telephones that do not carry messages. A business system that fails means customers who are under- or over-billed. Or, it could mean that the business orders more inventory than it needs.

Describe two software quality problems. The first major quality problem is bugs, or defects in a program's design or code, which cause it to fail or to produce wrong results. The second is the maintenance of existing programs: organizational changes, system design flaws, and software complexity make old programs expensive and risky to modify, and each change can introduce new defects.

What are controls? Controls can be defined as the methods, policies, and procedures that ensure protection of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards. Many of the controls for computer-based information systems (CBIS) are the same as for manual systems. However, special controls must be applied to hardware, software, telecommunications, and the technical aspects of operational activities.

What distinguishes general controls and application controls? General controls establish an overall control environment for all of the information systems in an organization. Application controls are specific controls unique to each computerized application. Both general and application controls consist of manual and automated procedures.

Name and describe the principal general controls for computerized systems. The principal general controls are:
- System implementation controls: ensure that the entire systems development process is properly controlled and managed.
- Software controls: prevent unauthorized changes to computer programs and ensure the reliability of system software.
- Physical hardware controls: keep computer hardware physically secure and check for equipment malfunction, so that processing can continue if hardware fails or breaks down.
- Computer operations controls: monitor computer operations and check for errors.
- Data security controls: prevent unauthorized access to, or changes of, data.
- Administrative disciplines, standards and procedures: mechanisms for ensuring that all other controls are enforced and monitored by management.

List and describe the principal application controls. The principal application controls are:
- Batch control totals: totals (record counts, monetary totals, hash totals of identifying fields) are established for a batch of transactions before input and balanced against what the computer actually received. They help ensure completeness of input.
- Edits: input data are scrutinized for errors (missing fields, non-numeric amounts, invalid dates, values out of range) before they are processed, and erroneous transactions can be rejected. They help ensure accuracy of input.
- Computer matching: input data are compared with data on master files or suspense files, for example to confirm that an account number actually exists. This helps ensure accuracy and completeness of input and/or updating.
- Run control totals: the total transactions from each computer process or job are reconciled with the next, so that everything that went in is accounted for as accepted, rejected, or carried forward. They help ensure completeness of processing.
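As an added example, not taken from the slides, the four application controls above applied to one constructed batch of payment transactions. The master file, the input batch, the clerk's control-slip totals, the five-digit account format and the field rules are all assumptions made for this illustration:

```python
"""Application controls over a batch of payment transactions: batch control
totals, edit checks, master-file matching and run-to-run control totals.
Every record below is constructed sample data, not real transactions."""
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_LEN = 5  # assumed account-number format: exactly five digits

# Constructed master file: account number -> customer name.
MASTER_FILE = {"10001": "Acme Ltd", "10002": "Bolt & Co", "10003": "Cyan GmbH"}

# Constructed input batch as keyed by a data-entry clerk.
INPUT_BATCH = [
    {"account": "10001", "amount": "250.00", "date": "2024-03-01"},
    {"account": "10002", "amount": "75.50",  "date": "2024-03-01"},
    {"account": "10009", "amount": "120.00", "date": "2024-03-02"},  # not on master file
    {"account": "10003", "amount": "-5.00",  "date": "2024-03-02"},  # negative amount
    {"account": "1000",  "amount": "40.00",  "date": "2024-13-01"},  # bad account, bad date
]

def batch_totals(batch):
    """Control totals a clerk computes on the batch slip before keying:
    record count, monetary total and a hash total of the account numbers."""
    return {
        "count": len(batch),
        "amount": sum(Decimal(r["amount"]) for r in batch),
        "hash": sum(int(r["account"]) for r in batch if r["account"].isdigit()),
    }

# The slip the clerk prepared by hand for INPUT_BATCH (constructed).
BATCH_SLIP = {"count": 5, "amount": Decimal("480.50"), "hash": 41015}

def edit_checks(record):
    """Edit: return the list of input errors for one record (empty = clean)."""
    errors = []
    acct = record.get("account", "")
    if not (acct.isdigit() and len(acct) == ACCOUNT_LEN):
        errors.append("account: must be %d digits" % ACCOUNT_LEN)
    try:
        if Decimal(record.get("amount", "")) <= 0:
            errors.append("amount: must be positive")
    except InvalidOperation:
        errors.append("amount: not numeric")
    try:
        date.fromisoformat(record.get("date", ""))
    except ValueError:
        errors.append("date: not a valid YYYY-MM-DD date")
    return errors

def matches_master(record, master=MASTER_FILE):
    """Computer matching: the account must already exist on the master file."""
    return record["account"] in master

def process_batch(batch, slip_totals, master=MASTER_FILE):
    """Input run: reject the whole batch if keyed totals do not balance to the
    slip; otherwise edit and match each record and carry control totals
    forward so the next run can reconcile them (run control totals)."""
    keyed = batch_totals(batch)
    if keyed != slip_totals:
        return {"status": "batch rejected", "keyed": keyed, "slip": slip_totals}
    accepted, rejected = [], []
    for rec in batch:
        errs = edit_checks(rec)
        if not errs and not matches_master(rec, master):
            errs.append("account: no match on master file")
        (rejected if errs else accepted).append((rec, errs))
    run_totals = {
        "input": keyed["amount"],
        "accepted": sum(Decimal(r["amount"]) for r, _ in accepted),
        "rejected": sum(Decimal(r["amount"]) for r, _ in rejected),
    }
    # Run-to-run control: what went in equals accepted plus rejected.
    run_totals["balanced"] = (
        run_totals["input"] == run_totals["accepted"] + run_totals["rejected"])
    return {"status": "processed", "accepted": accepted,
            "rejected": rejected, "run_totals": run_totals}

if __name__ == "__main__":
    result = process_batch(INPUT_BATCH, BATCH_SLIP)
    print(result["status"], result["run_totals"])
    for rec, errs in result["rejected"]:
        print("rejected", rec["account"], errs)
```

Note that a batch which does not balance to its slip is rejected whole, before any record is edited: an unbalanced batch means records were lost, duplicated or mis-keyed, and no per-record check can tell which.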

How does MIS auditing enhance the control process? MIS auditing evaluates all of the controls for an information system and assesses their effectiveness. Control weaknesses and their probability of occurrence will be noted. The results of the audit can be used as guidelines for strengthening controls, if required.

What is the function of risk assessment? Risk assessment helps builders and users of information systems determine the effectiveness of their controls. It determines the probability of something going wrong and potential damage/loss to the organization. Controls can be adjusted or added to focus on the areas of greatest risk. An organization does not want to over-control areas where risk is low and under-control areas where risk is high.

Name and describe four software quality assurance techniques. The four software quality assurance techniques are:
- Appropriate systems development methodology: provides a framework for rigorous discipline in building a system.
- Resource allocation: more of the budget should be spent on systems analysis and specification, and on testing and implementation, rather than on coding alone.
- Software metrics: objective quantitative measures used to assess the system's performance and identify problems. Some metrics are applied as early as the systems analysis and design phase.
- Testing: testing at every stage, including the design phase, for reliability and bugs.

Why are data quality audits essential? Data quality audits are one means of determining whether information systems contain inaccurate, incomplete, or ambiguous data. Since much of the data in automated systems is "invisible," it may not be possible to audit all records in a system. However, auditing a sample of such records can help determine the overall data quality of the system.
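An added example of the sampling approach described above, not part of the original slides: a synthetic customer file with defects injected at a known rate, a set of accuracy, completeness and ambiguity rules, and an estimate of the file-wide error rate from a random sample with a Wilson score confidence interval. The field names, the postcode pattern, the country code list and the population itself are constructed for the example:

```python
"""Data quality audit by sampling: score a random sample of records against
accuracy, completeness and ambiguity rules and estimate the error rate of
the whole file. The population is constructed synthetic data."""
import math
import random
import re

COUNTRY_CODES = {"GB", "DE", "FR", "US"}   # assumed controlled vocabulary
POSTCODE_RE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$")  # simplified UK format

def record_defects(rec):
    """Return the rule violations for one record (empty list = clean)."""
    defects = []
    for fld in ("id", "email", "postcode", "country"):      # completeness
        if not rec.get(fld):
            defects.append(f"incomplete: {fld} missing")
    email = rec.get("email") or ""
    if email and "@" not in email:                           # accuracy
        defects.append("inaccurate: email has no @")
    pc = rec.get("postcode") or ""
    if pc and not POSTCODE_RE.match(pc):
        defects.append("inaccurate: postcode format")
    country = rec.get("country") or ""
    if country and country not in COUNTRY_CODES:             # ambiguity
        defects.append(f"ambiguous: country '{country}' not in code list")
    return defects

def make_population(n, seed=7):
    """Constructed customer file: about 15% of records carry one defect."""
    rng = random.Random(seed)
    recs = []
    for i in range(n):
        rec = {"id": f"C{i:05d}", "email": f"user{i}@example.com",
               "postcode": "SW1A 1AA", "country": "GB"}
        roll = rng.random()
        if roll < 0.05:
            rec["email"] = ""                        # incomplete
        elif roll < 0.10:
            rec["email"] = f"user{i}.example.com"    # inaccurate
        elif roll < 0.15:
            rec["country"] = "UK"                    # ambiguous: not a code-list value
        recs.append(rec)
    return recs

def audit_sample(population, sample_size, seed=11, z=1.96):
    """Simple random sample without replacement; estimate the proportion of
    defective records with a 95% Wilson score interval."""
    rng = random.Random(seed)
    sample = rng.sample(population, sample_size)
    defective = sum(1 for r in sample if record_defects(r))
    n, p = sample_size, defective / sample_size
    z2 = z * z
    centre = (p + z2 / (2 * n)) / (1 + z2 / n)
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / (1 + z2 / n)
    return {"sampled": n, "defective": defective, "estimate": p,
            "low": max(0.0, centre - half), "high": min(1.0, centre + half)}

def audit_all(population):
    """Full audit: the exact defect rate, feasible only for a small file."""
    return sum(1 for r in population if record_defects(r)) / len(population)

if __name__ == "__main__":
    pop = make_population(5000)
    print("exact rate:", round(audit_all(pop), 3))
    print("sample of 300:", audit_sample(pop, 300))
```

The interval width is what tells the auditor whether the sample was large enough: if the upper bound is still above the tolerable error rate, draw a larger sample before concluding anything about the file.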

What is security? Security refers to all of the policies, procedures, and technical measures that can be applied to prevent unauthorized access, alteration, theft, or physical damage to information systems.

List and describe controls that promote security for computer hardware, computer networks, computer software, and computerized data. Computer hardware security can be promoted by storing hardware in restricted rooms where it can only be accessed by authorized individuals. Special safeguards against fire, extreme temperature and humidity fluctuations, and electric power disruptions can be installed. Computer networks must be safeguarded against unauthorized use. Terminals should be physically restricted to authorized individuals. Telecommunications lines and control units should also be physically restricted and frequently checked for malfunctions. Authorized users of on-line systems should be assigned secret passwords. However, these safeguards may not be sufficient to prevent authorized users from propagating computer viruses.

List and describe controls that promote security for computer hardware, computer networks, computer software, and computerized data (continued). Computer software security can be promoted by program security controls that prevent unauthorized changes to programs in production systems. Software security is also promoted by system software controls that prevent unauthorized access to system software and log all system activities. Computerized data can be subject to data security controls. Passwords can be assigned for specific applications. Data security software can establish security patterns to restrict access to individual files, data fields, or groups of records. On-line systems can establish access patterns restricting users to inquiries only, or granting them full or limited update capabilities; users without an explicit entry should get no access at all. Data security software often features logs that record who used on-line or batch files, so that every access attempt, permitted or denied, leaves a trail. Also, data files can be physically secured in locked rooms where they are released only for authorized processing.
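An added example of the data security patterns just described, not from the slides or any particular product: an access matrix that gives one user inquiry-only access, another limited update on named fields, and a third full update, with default deny for anyone not listed and an audit log entry for every attempt. The users, file, fields and matrix layout are assumptions made for the example:

```python
"""Data security controls: an access matrix that restricts each user to
inquiry-only, limited update or full update on a file, default-denies anyone
without an entry, and logs every attempt. All names are constructed."""
from datetime import datetime, timezone

# (user, file) -> fields that may be read and fields that may be updated.
# "*" means every field. Constructed for the example.
ACCESS_MATRIX = {
    ("auditor",    "customer"): {"read": {"*"}, "update": set()},                # inquiry only
    ("clerk",      "customer"): {"read": {"*"}, "update": {"address", "phone"}}, # limited update
    ("credit_mgr", "customer"): {"read": {"*"}, "update": {"*"}},                # full update
}

class SecureFile:
    """A file whose read/update operations are mediated by the access matrix."""

    def __init__(self, name, records, matrix=ACCESS_MATRIX):
        self.name, self.records, self.matrix = name, records, matrix
        self.log = []   # append-only audit trail of every access attempt

    def _allowed(self, user, action, field):
        rule = self.matrix.get((user, self.name))
        if rule is None:
            return False            # default deny: no entry, no access
        allowed = rule[action]
        return "*" in allowed or field in allowed

    def _record(self, user, action, key, field, ok):
        """Log the decision before acting on it, permitted or not."""
        self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                         "user": user, "action": action, "file": self.name,
                         "key": key, "field": field,
                         "result": "ok" if ok else "denied"})
        return ok

    def read(self, user, key, field):
        if not self._record(user, "read", key, field, self._allowed(user, "read", field)):
            raise PermissionError(f"{user}: read {self.name}.{field} denied")
        return self.records[key][field]

    def update(self, user, key, field, value):
        if not self._record(user, "update", key, field, self._allowed(user, "update", field)):
            raise PermissionError(f"{user}: update {self.name}.{field} denied")
        self.records[key][field] = value
        return value

def demo():
    """Constructed scenario: four users against one customer record.
    Returns the log results in order and the record's final state."""
    f = SecureFile("customer", {"10001": {"address": "1 High St", "credit_limit": 5000}})
    attempts = [
        ("auditor",    "read",   "credit_limit", None),
        ("auditor",    "update", "address",      "2 Low Rd"),  # inquiry-only user
        ("clerk",      "update", "address",      "2 Low Rd"),
        ("clerk",      "update", "credit_limit", 99999),       # outside limited update
        ("credit_mgr", "update", "credit_limit", 9000),
        ("intern",     "read",   "address",      None),        # no entry: default deny
    ]
    for user, action, field, value in attempts:
        try:
            if action == "read":
                f.read(user, "10001", field)
            else:
                f.update(user, "10001", field, value)
        except PermissionError:
            pass
    return [e["result"] for e in f.log], f.records["10001"]

if __name__ == "__main__":
    results, final = demo()
    print(results, final)
```

The log line is written before the operation runs, so a denied attempt is recorded even though no data changes; a reviewer reading the log sees the clerk's attempt on credit_limit as well as the manager's successful change.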

Why must special security measures be taken by businesses linking to the Internet? Special measures are needed because the Internet was originally designed for easy, open access. TCP/IP, the networking protocol suite that forms its foundation, provides no authentication, confidentiality, or integrity protection by itself. Unless systems are specifically protected against this openness (and often against the default openness of UNIX hosts), systems connected to the Internet are vulnerable to intruders and to computer viruses.

Describe the role of firewalls and encryption systems in promoting security. Firewalls protect internal networks from external networks such as the Internet. They do so by filtering packets, dropping those with a wrong or impossible source or destination address (for example an inbound packet claiming an internal source); by acting as a proxy server, so that outside parties never reach internal documents and systems directly; or by restricting the kinds of traffic that get through, for example allowing only e-mail. Many firewalls also add authentication controls for access to Web pages. Encryption protects by transforming messages or packets so that unauthorized readers cannot make sense of them; on its own it provides confidentiality, and separate mechanisms are needed to prove who sent a message and that it was not altered. Encryption is crucial for electronic commerce between the organization and its customers, and between the organization and its vendors.
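An added example, not from the slides, of the packet-filtering role described above: a stateless filter that first rejects packets whose source or destination address cannot be right for the interface they arrived on (anti-spoofing), then applies an ordered rule list restricting which traffic types reach which internal hosts, with a default deny. The internal address range, the hosts, the rules and the sample packets are all constructed for the example:

```python
"""Stateless packet filter: address sanity checks (wrong source or
destination), then first-match rules with default deny. Addresses, rules
and packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" (arriving from the Internet) or "out" (leaving)

# Ordered rules: (direction, proto, destination network, port, action).
# First match wins; no match falls through to DEFAULT_ACTION.
RULES = [
    ("in",  "tcp", "10.0.1.25/32", 25, "allow"),   # mail relay: SMTP only
    ("in",  "tcp", "10.0.1.80/32", 80, "allow"),   # public web server
    ("in",  "tcp", "10.0.0.0/8",   23, "deny"),    # never telnet from outside
    ("out", "tcp", "0.0.0.0/0",    80, "allow"),   # staff web browsing
    ("out", "tcp", "0.0.0.0/0",    25, "allow"),   # outbound mail
]
DEFAULT_ACTION = "deny"

def filter_packet(pkt, rules=RULES, internal=INTERNAL_NET):
    """Return (action, reason) for one packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Address checks come before any rule: a packet from the Internet must not
    # claim an internal source, and must be addressed to something internal.
    if pkt.direction == "in" and src in internal:
        return "deny", "spoofed: internal source address on external interface"
    if pkt.direction == "in" and dst not in internal:
        return "deny", "destination not in internal network"
    if pkt.direction == "out" and src not in internal:
        return "deny", "outbound packet with non-internal source"
    for direction, proto, net, port, action in rules:
        if (direction == pkt.direction and proto == pkt.proto
                and dst in ipaddress.ip_network(net) and port == pkt.dport):
            return action, f"rule {direction} {proto} {net} port {port}"
    return DEFAULT_ACTION, "no matching rule (default deny)"

# Constructed traffic sample: external hosts use documentation ranges.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.1.25",    "tcp", 25,  "in"),   # mail to relay
    Packet("10.0.0.7",    "10.0.1.25",    "tcp", 25,  "in"),   # spoofed internal source
    Packet("203.0.113.5", "10.0.1.80",    "tcp", 23,  "in"),   # telnet to web server
    Packet("203.0.113.5", "10.0.1.80",    "tcp", 443, "in"),   # no rule for 443
    Packet("10.0.2.3",    "198.51.100.9", "tcp", 80,  "out"),  # staff browsing
    Packet("203.0.113.5", "198.51.100.9", "tcp", 80,  "in"),   # transit traffic
]

def filter_all(packets=SAMPLE_PACKETS):
    """Decisions for a list of packets, in order."""
    return [filter_packet(p) for p in packets]

if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, filter_all()):
        print(f"{action:5} {pkt.direction:3} {pkt.src} -> {pkt.dst}:{pkt.dport}  {why}")
```

The ordering matters: the spoofing check sits outside the rule list so that no later "allow" rule can be reached by a forged internal source, and the telnet rule appears before the fall-through so that the reason recorded is the explicit policy rather than the default.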