14.1 © 2002 by Prentice Hall c h a p t e r 14 INFORMATION SYSTEMS SECURITY & CONTROL

14.2 © 2002 by Prentice Hall LEARNING OBJECTIVES DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMSDEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS COMPARE GENERAL AND APPLICATION CONTROLSCOMPARE GENERAL AND APPLICATION CONTROLS*

14.3 © 2002 by Prentice Hall LEARNING OBJECTIVES DESCRIBE MEASURES TO ENSURE RELIABILITY, AVAILABILITY, SECURITY OF E-COMMERCE, DIGITAL BUSINESS PROCESSESDESCRIBE MEASURES TO ENSURE RELIABILITY, AVAILABILITY, SECURITY OF E-COMMERCE, DIGITAL BUSINESS PROCESSES*

14.4 © 2002 by Prentice Hall LEARNING OBJECTIVES DESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE TECHNIQUESDESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE TECHNIQUES DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITYDEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITY*

14.5 © 2002 by Prentice Hall MANAGEMENT CHALLENGES SYSTEM VULNERABILITY & ABUSESYSTEM VULNERABILITY & ABUSE CREATING A CONTROL ENVIRONMENTCREATING A CONTROL ENVIRONMENT ENSURING SYSTEM QUALITYENSURING SYSTEM QUALITY*

14.6 © 2002 by Prentice Hall SYSTEM VULNERABILITY & ABUSE WHY SYSTEMS ARE VULNERABLEWHY SYSTEMS ARE VULNERABLE HACKERS & VIRUSESHACKERS & VIRUSES CONCERNS FOR BUILDERS & USERSCONCERNS FOR BUILDERS & USERS SYSTEM QUALITY PROBLEMSSYSTEM QUALITY PROBLEMS*

14.7 © 2002 by Prentice Hall THREATS TO INFORMATION SYSTEMS HARDWARE FAILURE, FIRE SOFTWARE FAILURE, ELECTRICAL PROBLEMS PERSONNEL ACTIONS, USER ERRORS ACCESS PENETRATION, PROGRAM CHANGES THEFT OF DATA, SERVICES, EQUIPMENT TELECOMMUNICATIONS PROBLEMS *

14.8 © 2002 by Prentice Hall WHY SYSTEMS ARE VULNERABLE SYSTEM COMPLEXITYSYSTEM COMPLEXITY COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITEDCOMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED EXTENSIVE EFFECT OF DISASTEREXTENSIVE EFFECT OF DISASTER UNAUTHORIZED ACCESS POSSIBLEUNAUTHORIZED ACCESS POSSIBLE*

14.9 © 2002 by Prentice Hall RADIATION: Allows recorders, bugs to tap systemRADIATION: Allows recorders, bugs to tap system CROSSTALK: Can garble dataCROSSTALK: Can garble data HARDWARE: Improper connections, failure of protection circuitsHARDWARE: Improper connections, failure of protection circuits SOFTWARE: Failure of protection features, access control, bounds controlSOFTWARE: Failure of protection features, access control, bounds control FILES: Subject to theft, copying, unauthorized accessFILES: Subject to theft, copying, unauthorized access* VULNERABILITIES VULNERABILITIES

14.10 © 2002 by Prentice Hall VULNERABILITIES VULNERABILITIES USER: Identification, authentication, subtle software modificationUSER: Identification, authentication, subtle software modification PROGRAMMER: Disables protective features; reveals protective measuresPROGRAMMER: Disables protective features; reveals protective measures MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilitiesMAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities OPERATOR: Doesn’t notify supervisor, reveals protective measuresOPERATOR: Doesn’t notify supervisor, reveals protective measures*

14.11 © 2002 by Prentice Hall HACKER: Person gains access to computer for profit, criminal mischief, personal pleasureHACKER: Person gains access to computer for profit, criminal mischief, personal pleasure COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memoryCOMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory* HACKERS & COMPUTER VIRUSES

14.12 © 2002 by Prentice Hall COMMON COMPUTER VIRUSES CONCEPT, MELISSA: Word documents, . Deletes filesCONCEPT, MELISSA: Word documents, . Deletes files FORM: Makes clicking sound, corrupts dataFORM: Makes clicking sound, corrupts data EXPLORE.EXE: Attached to , tries to to others, destroys filesEXPLORE.EXE: Attached to , tries to to others, destroys files MONKEY: Windows won’t runMONKEY: Windows won’t run CHERNOBYL: Erases hard drive, ROM BIOSCHERNOBYL: Erases hard drive, ROM BIOS JUNKIE: Infects files, boot sector, memory conflictsJUNKIE: Infects files, boot sector, memory conflicts*

14.13 © 2002 by Prentice Hall ANTIVIRUS SOFTWARE SOFTWARE TO DETECTSOFTWARE TO DETECT ELIMINATE VIRUSESELIMINATE VIRUSES ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILESADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES*

14.14 © 2002 by Prentice Hall CONCERNS FOR BUILDERS & USERS DISASTER BREACH OF SECURITY ERRORS*

14.15 © 2002 by Prentice Hall LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY FAULT-TOLERANT COMPUTER SYSTEMS: Backup systems to prevent system failure (particularly On- line Transaction Processing)FAULT-TOLERANT COMPUTER SYSTEMS: Backup systems to prevent system failure (particularly On- line Transaction Processing)* DISASTER

14.16 © 2002 by Prentice Hall SECURITY POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS*

14.17 © 2002 by Prentice Hall DATA PREPARATIONDATA PREPARATION TRANSMISSIONTRANSMISSION CONVERSIONCONVERSION FORM COMPLETIONFORM COMPLETION ON-LINE DATA ENTRYON-LINE DATA ENTRY KEYPUNCHING; SCANNING; OTHER INPUTSKEYPUNCHING; SCANNING; OTHER INPUTS* WHERE ERRORS OCCUR

14.18 © 2002 by Prentice Hall WHERE ERRORS OCCUR VALIDATIONVALIDATION PROCESSING / FILE MAINTENANCEPROCESSING / FILE MAINTENANCE OUTPUTOUTPUT TRANSMISSIONTRANSMISSION DISTRIBUTIONDISTRIBUTION*

14.19 © 2002 by Prentice Hall SYSTEM QUALITY PROBLEMS SOFTWARE & DATASOFTWARE & DATA BUGS: Program code defects or errorsBUGS: Program code defects or errors MAINTENANCE: Modifying a system in production use; can take up to 50% of analysts’ timeMAINTENANCE: Modifying a system in production use; can take up to 50% of analysts’ time DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tediousDATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious*

14.20 © 2002 by Prentice Hall COSTS ANALYSIS PROGRAMMING POSTIMPLEMENTATION & DESIGN CONVERSION ANALYSIS PROGRAMMING POSTIMPLEMENTATION & DESIGN CONVERSION COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE

14.21 © 2002 by Prentice Hall CREATING A CONTROL ENVIRONMENT CONTROLS: Methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards CONTROLS: Methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards GENERAL CONTROLSGENERAL CONTROLS APPLICATION CONTROLSAPPLICATION CONTROLS*

14.22 © 2002 by Prentice Hall IMPLEMENTATION: Audit system development to assure proper control, managementIMPLEMENTATION: Audit system development to assure proper control, management SOFTWARE: Ensure security, reliability of softwareSOFTWARE: Ensure security, reliability of software PHYSICAL HARDWARE: Ensure physical security, performance of computer hardwarePHYSICAL HARDWARE: Ensure physical security, performance of computer hardware* GENERAL CONTROLS

14.23 © 2002 by Prentice Hall COMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processingCOMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processing DATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destructionDATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destruction ADMINISTRATIVE: Ensure controls properly executed, enforcedADMINISTRATIVE: Ensure controls properly executed, enforced –SEGREGATION OF FUNCTIONS: Divide responsibility from tasks * GENERAL CONTROLS

14.24 © 2002 by Prentice Hall APPLICATION CONTROLS INPUTINPUT PROCESSINGPROCESSING OUTPUTOUTPUT*

14.25 © 2002 by Prentice Hall INPUT CONTROLS INPUT AUTHORIZATION: Record, monitor source documentsINPUT AUTHORIZATION: Record, monitor source documents DATA CONVERSION: Transcribe data properly from one form to anotherDATA CONVERSION: Transcribe data properly from one form to another BATCH CONTROL TOTALS: Count transactions prior to and after processingBATCH CONTROL TOTALS: Count transactions prior to and after processing EDIT CHECKS: Verify input data, correct errorsEDIT CHECKS: Verify input data, correct errors*

14.26 © 2002 by Prentice Hall PROCESSING CONTROLS ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING RUN CONTROL TOTALS: Generate control totals before & after processingRUN CONTROL TOTALS: Generate control totals before & after processing COMPUTER MATCHING: Match input data to master filesCOMPUTER MATCHING: Match input data to master files*

14.27 © 2002 by Prentice Hall OUTPUT CONTROLS ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED BALANCE INPUT, PROCESSING, OUTPUT TOTALSBALANCE INPUT, PROCESSING, OUTPUT TOTALS REVIEW PROCESSING LOGSREVIEW PROCESSING LOGS ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTSENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS*

14.28 © 2002 by Prentice Hall ENCRYPTION: Coding & scrambling messages to deny unauthorized accessENCRYPTION: Coding & scrambling messages to deny unauthorized access AUTHENTICATION: Ability to identify another partyAUTHENTICATION: Ability to identify another party –MESSAGE INTEGRITY –DIGITAL SIGNATURE –DIGITAL CERTIFICATE * SECURITY AND THE INTERNET

14.29 © 2002 by Prentice Hall SENDER SCRAMBLED MESSAG E RECIPIENT Encrypt with public key Decrypt with private key PUBLIC KEY ENCRYPTION SECURITY AND THE INTERNET

14.30 © 2002 by Prentice Hall DIGITAL WALLET: Software stores credit card, electronic cash, owner ID, address for e-commerce transactionsDIGITAL WALLET: Software stores credit card, electronic cash, owner ID, address for e-commerce transactions SECURE ELECTRONIC TRANSACTION : Standard for securing credit card transactions on InternetSECURE ELECTRONIC TRANSACTION : Standard for securing credit card transactions on Internet* SECURITY AND THE INTERNET

14.31 © 2002 by Prentice Hall CREDIT CARD-SET: Protocol for payment securityCREDIT CARD-SET: Protocol for payment security ELECTRONIC CASH: Digital currencyELECTRONIC CASH: Digital currency ELECTRONIC CHECK: Encrypted digital signatureELECTRONIC CHECK: Encrypted digital signature SMART CARD: Chip stores e-cashSMART CARD: Chip stores e-cash ELECTRONIC BILL PAYMENT: Electronic funds transferELECTRONIC BILL PAYMENT: Electronic funds transfer* ELECTRONIC PAYMENT SYSTEMS SECURITY AND THE INTERNET

14.32 © 2002 by Prentice Hall DEVELOPING A CONTROL STRUCTURE COSTS: Can be expensive to build; complicated to useCOSTS: Can be expensive to build; complicated to use BENEFITS: Reduces expensive errors, loss of time, resources, good willBENEFITS: Reduces expensive errors, loss of time, resources, good will RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur*

14.33 © 2002 by Prentice Hall SYSTEM BUILDING APPROACHES STRUCTURED METHODOLOGIESSTRUCTURED METHODOLOGIES COMPUTER AIDED SOFTWARE ENGINEERING (CASE)COMPUTER AIDED SOFTWARE ENGINEERING (CASE) SOFTWARE REENGINEERINGSOFTWARE REENGINEERING*

14.34 © 2002 by Prentice Hall STRUCTURED METHODOLOGIES TOP DOWN, STEP BY STEP, EACH STEP BUILDS ON PREVIOUS STRUCTURED ANALYSISSTRUCTURED ANALYSIS STRUCTURED DESIGNSTRUCTURED DESIGN STRUCTURED PROGRAMMINGSTRUCTURED PROGRAMMING FLOWCHARTSFLOWCHARTS*

14.35 © 2002 by Prentice Hall STRUCTURED ANALYSIS STRUCTURED ANALYSIS DEFINES SYSTEM INPUTS, PROCESSES, OUTPUTSDEFINES SYSTEM INPUTS, PROCESSES, OUTPUTS PARTITIONS SYSTEM INTO SUBSYSTEMS OR MODULESPARTITIONS SYSTEM INTO SUBSYSTEMS OR MODULES LOGICAL, GRAPHICAL MODEL OF INFORMATION FLOWLOGICAL, GRAPHICAL MODEL OF INFORMATION FLOW DATA FLOW DIAGRAM: Graphical display of component processes, flow of dataDATA FLOW DIAGRAM: Graphical display of component processes, flow of data*

14.36 © 2002 by Prentice Hall SYMBOLS FOR DATA FLOW DIAGRAMS (DFD): DATA FLOW PROCESS SOURCE OR SINK FILE

14.37 © 2002 by Prentice Hall  GENERATE BILL CUSTOMER GENERATE BALANCE GENERATE REPORT MANAGER PAYMENT FILE CUSTOMER FILE DATA FLOW DIAGRAM:

14.38 © 2002 by Prentice Hall DATA DICTIONARY: Controlled definitions of descriptions of all data, such as variable names & types of dataDATA DICTIONARY: Controlled definitions of descriptions of all data, such as variable names & types of data PROCESS SPECIFICATIONS: Describes logic of processes at module levelPROCESS SPECIFICATIONS: Describes logic of processes at module level* STRUCTURED ANALYSIS STRUCTURED ANALYSIS

14.39 © 2002 by Prentice Hall STRUCTURED DESIGN DESIGN RULES / TECHNIQUES TO DESIGN SYSTEM, TOP DOWN IN HIERARCHICAL FASHION DESIGN RULES / TECHNIQUES TO DESIGN SYSTEM, TOP DOWN IN HIERARCHICAL FASHION STRUCTURE CHARTSTRUCTURE CHART STRUCTURED PROGRAMMINGSTRUCTURED PROGRAMMING MODULEMODULE SEQUENCE CONSTRUCTSEQUENCE CONSTRUCT SELECTION CONSTRUCTSELECTION CONSTRUCT*

14.40 © 2002 by Prentice Hall HIGH LEVEL STRUCTURE CHART: CALCULATE GROSS PAY CALCULATE NET PAY CALCULATE PAY PROCESS PAYROLL UPDATE MASTER FILE GET VALID INPUTS WRITE OUTPUTS GET INPUTS VALIDATE INPUTS WRITE OUTPUTS (WHITE BOXES ARE MODULES)

14.41 © 2002 by Prentice Hall STRUCTURED PROGRAMMING: DISCIPLINE TO ORGANIZE, CODE PROGRAMSDISCIPLINE TO ORGANIZE, CODE PROGRAMS SIMPLIFIES CONTROL PATHSSIMPLIFIES CONTROL PATHS EASY TO UNDERSTAND, MODIFYEASY TO UNDERSTAND, MODIFY MODULE HAS ONE INPUT, ONE OUTPUTMODULE HAS ONE INPUT, ONE OUTPUT*

14.42 © 2002 by Prentice Hall STRUCTURED PROGRAMMING: MODULE: Logical unit of program. performs specific task(s)MODULE: Logical unit of program. performs specific task(s) SEQUENCE CONSTRUCT: Sequential steps or actions in program logic; streamlines flowSEQUENCE CONSTRUCT: Sequential steps or actions in program logic; streamlines flow SELECTION CONSTRUCT: IF condition R is True THEN action C ELSE action DSELECTION CONSTRUCT: IF condition R is True THEN action C ELSE action D ITERATION CONSTRUCT: WHILE Condition is True DO action EITERATION CONSTRUCT: WHILE Condition is True DO action E*

14.43 © 2002 by Prentice Hall PROGRAM FLOWCHART SYMBOLS:

14.44 © 2002 by Prentice Hall PROGRAM FLOWCHART: 1 END REPORT MORE? 2 PRINT 1 2 START READ >$10,000 <$10,000 PROCESS A PROCESS B

14.45 © 2002 by Prentice Hall PROGRAM FLOWCHART: PROCESS A PROCESS B SEQUENCE PROCESS E S TRUE ITERATION PROCESS CPROCESS D R TRUE SELECTION

14.46 © 2002 by Prentice Hall SYSTEM FLOWCHART SYMBOLS:

14.47 © 2002 by Prentice Hall LOAD & VALIDATE COMPARE & UPDATE VALID TRANS- ACTIONS PAYROLL SYSTEM TIME CARDS HUMAN RESOURCES DATA PAYROLL MASTER UPDATED PAYROLL MASTER DIRECT DEPOSITS GENERAL LEDGER PAYROLL REPORTS & CHECKS PAYROLL MASTER SYSTEM FLOWCHART:

14.48 © 2002 by Prentice Hall COMPUTER AIDED SOFTWARE ENGINEERING (CASE) AUTOMATION OF SOFTWARE METHODOLOGIESAUTOMATION OF SOFTWARE METHODOLOGIES PRODUCES CHARTS; DIAGRAMS; SCREEN & REPORT GENERATORS; DATA DICTIONARIES; PROGRESS REPORTS; ANALYSIS; CHECKING TOOLS; CODE; DOCUMENTATIONPRODUCES CHARTS; DIAGRAMS; SCREEN & REPORT GENERATORS; DATA DICTIONARIES; PROGRESS REPORTS; ANALYSIS; CHECKING TOOLS; CODE; DOCUMENTATION* CASE

14.49 © 2002 by Prentice Hall INCREASES PRODUCTIVITY & QUALITY: ENFORCES DEVELOPMENT DISCIPLINEENFORCES DEVELOPMENT DISCIPLINE IMPROVES COMMUNICATIONIMPROVES COMMUNICATION DESIGN REPOSITORY FOR OBJECTSDESIGN REPOSITORY FOR OBJECTS AUTOMATES TEDIOUS TASKSAUTOMATES TEDIOUS TASKS AUTOMATES TESTING & CONTROLAUTOMATES TESTING & CONTROL REQUIRES ORGANIZATIONAL DISCIPLINEREQUIRES ORGANIZATIONAL DISCIPLINE* COMPUTER AIDED SOFTWARE ENGINEERING (CASE) CASE

14.50 © 2002 by Prentice Hall MIS AUDIT IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS SOFTWARE METRICS: Objective measurements to assess systemSOFTWARE METRICS: Objective measurements to assess system TESTING: Early, regular controlled efforts to detect, reduce errorsTESTING: Early, regular controlled efforts to detect, reduce errors –WALKTHROUGH –DEBUGGING DATA QUALITY AUDIT: Survey samples of files for accuracy, completenessDATA QUALITY AUDIT: Survey samples of files for accuracy, completeness*

14.51 © 2002 by Prentice Hall c h a p t e r 14 INFORMATION SYSTEMS SECURITY & CONTROL