SESSION 14 INFORMATION SYSTEMS SECURITY AND CONTROL

Advances in telecommunications and computer softwareAdvances in telecommunications and computer software Unauthorized access, abuse, or fraudUnauthorized access, abuse, or fraud HackersHackers Denial of service attackDenial of service attack Computer virusComputer virus SYSTEM VULNERABILITY AND ABUSE

Disaster Destroys computer hardware, programs, data files, and other equipmentDestroys computer hardware, programs, data files, and other equipmentSecurity Prevents unauthorized access, alteration, theft, or physical damagePrevents unauthorized access, alteration, theft, or physical damage Concerns for System Builders and Users

Errors Cause computers to disrupt or destroy organization’s record-keeping and operationsCause computers to disrupt or destroy organization’s record-keeping and operations Concerns for System Builders and Users

Bugs Program code defects or errorsProgram code defects or errors Maintenance Nightmare Maintenance costs high due to organizational change, software complexity, and faulty system analysis and designMaintenance costs high due to organizational change, software complexity, and faulty system analysis and design System Quality Problems: Software and Data

The Cost of Errors over the Systems Development Cycle Figure 15-3 System Quality Problems: Software and Data

Data Quality Problems Caused due to errors during data input or faulty information system and database designCaused due to errors during data input or faulty information system and database design System Quality Problems: Software and Data

Controls Methods, policies, and proceduresMethods, policies, and procedures Ensures protection of organization’s assetsEnsures protection of organization’s assets Ensures accuracy and reliability of records, and operational adherence to management standardsEnsures accuracy and reliability of records, and operational adherence to management standards CREATING A CONTROL ENVIRONMENT Overview

General controls Establish framework for controlling design, security, and use of computer programsEstablish framework for controlling design, security, and use of computer programs Include software, hardware, computer operations, data security, implementation, and administrative controlsInclude software, hardware, computer operations, data security, implementation, and administrative controls General Controls and Application Controls CREATING A CONTROL ENVIRONMENT

Security Profiles for a Personnel System Figure 15-4 CREATING A CONTROL ENVIRONMENT

Application controls Unique to each computerized applicationUnique to each computerized application Ensure that only authorized data are completely and accurately processed by that applicationEnsure that only authorized data are completely and accurately processed by that application Include input, processing, and output controlsInclude input, processing, and output controls General Controls and Application Controls CREATING A CONTROL ENVIRONMENT

On-line transaction processing: Transactions entered online are immediately processed by computerOn-line transaction processing: Transactions entered online are immediately processed by computer Fault-tolerant computer systems: Contain extra hardware, software, and power supply componentsthat can back the system up and keep it running to prevent system failureFault-tolerant computer systems: Contain extra hardware, software, and power supply components that can back the system up and keep it running to prevent system failure Protecting the Digital Firm

High-availability computing: Tools and technologies enabling system to recover from a crashHigh-availability computing: Tools and technologies enabling system to recover from a crash Disaster recovery plan: Plan for running business in event of computer outageDisaster recovery plan: Plan for running business in event of computer outage Load balancing: Distributes large number of requests for access among multiple serversLoad balancing: Distributes large number of requests for access among multiple servers Protecting the Digital Firm

Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruptionMirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processingClustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing Protecting the Digital Firm

Figure 15-5 Internet Security Challenges

Firewalls Prevent unauthorized users from accessing private networksPrevent unauthorized users from accessing private networks Two types: proxies and stateful inspectionTwo types: proxies and stateful inspection Intrusion Detection System Monitors vulnerable points in network to detect and deter unauthorized intrudersMonitors vulnerable points in network to detect and deter unauthorized intruders Internet Security Challenges

Encryption: Coding and scrambling of messages to prevent their being accessed without authorizationEncryption: Coding and scrambling of messages to prevent their being accessed without authorization Authentication: Ability of each party in a transaction to ascertain identity of other partyAuthentication: Ability of each party in a transaction to ascertain identity of other party Message integrity: Ability to ascertain that transmitted message has not been copied or alteredMessage integrity: Ability to ascertain that transmitted message has not been copied or altered Security and Electronic Commerce

Public Key Encryption Figure 15-6

Digital signature: Digital code attached to electronically transmitted message to uniquely identify contents and senderDigital signature: Digital code attached to electronically transmitted message to uniquely identify contents and sender Digital certificate: Attachment to electronic message to verify the sender and to provide receiver with means to encode replyDigital certificate: Attachment to electronic message to verify the sender and to provide receiver with means to encode reply Security and Electronic Commerce

Digital Certificates Figure 15-7

Criteria for determining control structure Importance of dataImportance of data Efficiency, complexity, and expense of each control techniqueEfficiency, complexity, and expense of each control technique Level of risk if a specific activity or process is not properly controlledLevel of risk if a specific activity or process is not properly controlled Developing a Control Structure: Costs and Benefits

MIS audit Identifies all controls that govern individual information systems and assesses their effectivenessIdentifies all controls that govern individual information systems and assesses their effectiveness The Role of Auditing in the Control Process

Data quality audit Survey and/or sample of filesSurvey and/or sample of files Determines accuracy and completeness of dataDetermines accuracy and completeness of data Data cleansing Correcting errors and inconsistencies in data to increase accuracyCorrecting errors and inconsistencies in data to increase accuracy Data Quality Audit and Data Cleansing