2. 16.1

3. 16.2 LEARNING OBJECTIVES DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMSDEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS COMPARE GENERAL AND APPLICATION CONTROLSCOMPARE GENERAL AND APPLICATION CONTROLS SELECT FACTORS FOR DEVELOPING CONTROLSSELECT FACTORS FOR DEVELOPING CONTROLS*

4. 16.3 LEARNING OBJECTIVES DESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE TECHNIQUESDESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE TECHNIQUES DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITYDEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & SAFEGUARDING DATA QUALITY*

5. 16.4 MANAGEMENT CHALLENGES SYSTEM VULNERABILITY & ABUSESYSTEM VULNERABILITY & ABUSE CREATING A CONTROL ENVIRONMENTCREATING A CONTROL ENVIRONMENT ENSURING SYSTEM QUALITYENSURING SYSTEM QUALITY*

6. 16.5 SYSTEM VULNERABILITY & ABUSE WHY SYSTEMS ARE VULNERABLEWHY SYSTEMS ARE VULNERABLE HACKERS & VIRUSESHACKERS & VIRUSES CONCERNS FOR BUILDERS & USERSCONCERNS FOR BUILDERS & USERS SYSTEM QUALITY PROBLEMSSYSTEM QUALITY PROBLEMS*

7. 16.6 THREATS TO INFORMATION SYSTEMS HARDWARE FAILURE, FIRE SOFTWARE FAILURE, ELECTRICAL PROBLEMS PERSONNEL ACTIONS, USER ERRORS ACCESS PENETRATION, PROGRAM CHANGES THEFT OF DATA, SERVICES, EQUIPMENT TELECOMMUNICATIONS PROBLEMS *

8. 16.7 WHY SYSTEMS ARE VULNERABLE SYSTEM COMPLEXITYSYSTEM COMPLEXITY COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITEDCOMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED EXTENSIVE EFFECT OF DISASTEREXTENSIVE EFFECT OF DISASTER UNAUTHORIZED ACCESS POSSIBLEUNAUTHORIZED ACCESS POSSIBLE*

9. 16.8 RADIATION: Allows recorders, bugs to tap systemRADIATION: Allows recorders, bugs to tap system CROSSTALK: Can garble dataCROSSTALK: Can garble data HARDWARE: Improper connections, failure of protection circuitsHARDWARE: Improper connections, failure of protection circuits SOFTWARE: Failure of protection features, access control, bounds controlSOFTWARE: Failure of protection features, access control, bounds control FILES: Subject to theft, copying, unauthorized accessFILES: Subject to theft, copying, unauthorized access* VULNERABILITIES VULNERABILITIES

10. 16.9 VULNERABILITIES VULNERABILITIES USER: Identification, authentication, subtle software modificationUSER: Identification, authentication, subtle software modification PROGRAMMER: Disables protective features; reveals protective measuresPROGRAMMER: Disables protective features; reveals protective measures MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilitiesMAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities OPERATOR: Doesn’t notify supervisor, reveals protective measuresOPERATOR: Doesn’t notify supervisor, reveals protective measures*

11. 16.10 HACKER: Person gains access to computer for profit, criminal mischief, personal pleasureHACKER: Person gains access to computer for profit, criminal mischief, personal pleasure COMPUTER VIRUS: Rouge program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memoryCOMPUTER VIRUS: Rouge program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory* HACKERS & COMPUTER VIRUSES

12. 16.11 COMMON COMPUTER VIRUSES CONCEPT: Word documents, e-mail. Deletes filesCONCEPT: Word documents, e-mail. Deletes files FORM: Makes clicking sound, corrupts dataFORM: Makes clicking sound, corrupts data ONE_HALF: Corrupts hard drive, flashes its name on screenONE_HALF: Corrupts hard drive, flashes its name on screen MONKEY: Windows won’t runMONKEY: Windows won’t run JUNKIE: Infects files, boot sector, memory conflictsJUNKIE: Infects files, boot sector, memory conflicts RIPPER: Randomly corrupts hard drive filesRIPPER: Randomly corrupts hard drive files*

13. 16.12 ANTIVIRUS SOFTWARE SOFTWARE TO DETECTSOFTWARE TO DETECT ELIMINATE VIRUSESELIMINATE VIRUSES ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILESADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES*

14. 16.13 CONCERNS FOR BUILDERS & USERS DISASTER BREACH OF SECURITY ERRORS*

15. 16.14 LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITYLOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing) FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)* DISASTER

16. 16.15 SECURITY POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS*

17. 16.16 DATA PREPARATIONDATA PREPARATION TRANSMISSIONTRANSMISSION CONVERSIONCONVERSION FORM COMPLETIONFORM COMPLETION ON-LINE DATA ENTRYON-LINE DATA ENTRY KEYPUNCHING; SCANNING; OTHER INPUTSKEYPUNCHING; SCANNING; OTHER INPUTS* WHERE ERRORS OCCUR

18. 16.17 WHERE ERRORS OCCUR VALIDATIONVALIDATION PROCESSING / FILE MAINTENANCEPROCESSING / FILE MAINTENANCE OUTPUTOUTPUT TRANSMISSIONTRANSMISSION DISTRIBUTIONDISTRIBUTION*

19. 16.18 SYSTEM QUALITY PROBLEMS SOFTWARE & DATASOFTWARE & DATA BUGS: Program code defects or errorsBUGS: Program code defects or errors MAINTENANCE: Modifying a system in production use; can take up to 50% of analysts’ timeMAINTENANCE: Modifying a system in production use; can take up to 50% of analysts’ time DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tediousDATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious*

20. 16.19 COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE 1.00 2.00 3.00 4.00 5.00 6.00 COSTS ANALYSIS PROGRAMMING POSTIMPLEMENTATION & DESIGN CONVERSION ANALYSIS PROGRAMMING POSTIMPLEMENTATION & DESIGN CONVERSION

21. 16.20 CREATING A CONTROL ENVIRONMENT CONTROLS: METHODS, POLICIES, PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDS CONTROLS: METHODS, POLICIES, PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDS GENERALGENERAL APPLICATIONAPPLICATION*

22. 16.21 IMPLEMENTATION: Audit system development to assure proper control, managementIMPLEMENTATION: Audit system development to assure proper control, management SOFTWARE: Ensure security, reliability of softwareSOFTWARE: Ensure security, reliability of software PHYSICAL HARDWARE: Ensure physical security, performance of computer hardwarePHYSICAL HARDWARE: Ensure physical security, performance of computer hardware* GENERAL CONTROLS

23. 16.22 COMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processingCOMPUTER OPERATIONS: Ensure procedures consistently, correctly applied to data storage, processing DATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destructionDATA SECURITY: Ensure data disks, tapes protected from wrongful access, change, destruction ADMINISTRATIVE: Ensure controls properly executed, enforcedADMINISTRATIVE: Ensure controls properly executed, enforced SEGREGATION OF FUNCTIONS: Divide responsibility from tasks SEGREGATION OF FUNCTIONS: Divide responsibility from tasks* GENERAL CONTROLS

24. 16.23 APPLICATION CONTROLS INPUTINPUT PROCESSINGPROCESSING OUTPUTOUTPUT*

25. 16.24 INPUT CONTROLS INPUT AUTHORIZATION: Record, monitor source documentsINPUT AUTHORIZATION: Record, monitor source documents DATA CONVERSION: Transcribe data properly from one form to anotherDATA CONVERSION: Transcribe data properly from one form to another BATCH CONTROL TOTALS: Count transactions prior to and after processingBATCH CONTROL TOTALS: Count transactions prior to and after processing EDIT CHECKS: Verify input data, correct errorsEDIT CHECKS: Verify input data, correct errors*

26. 16.25 PROCESSING CONTROLS ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING RUN CONTROL TOTALS: Generate control totals before & after processingRUN CONTROL TOTALS: Generate control totals before & after processing COMPUTER MATCHING: Match input data to master filesCOMPUTER MATCHING: Match input data to master files*

27. 16.26 OUTPUT CONTROLS ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED BALANCE INPUT, PROCESSING, OUTPUT TOTALSBALANCE INPUT, PROCESSING, OUTPUT TOTALS REVIEW PROCESSING LOGSREVIEW PROCESSING LOGS ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTSENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS*

28. 16.27 SECURITY AND THE INTERNET ENCRYPTION: Coding & scrambling messages to deny unauthorized accessENCRYPTION: Coding & scrambling messages to deny unauthorized access AUTHENTICATION: Ability to identify another partyAUTHENTICATION: Ability to identify another party –MESSAGE INTEGRITY –DIGITAL SIGNATURE –DIGITAL CERTIFICATE *

29. 16.28 SECURITY AND THE INTERNET SECURE ELECTRONIC TRANSACTION : Standard for securing credit card transactions on InternetSECURE ELECTRONIC TRANSACTION : Standard for securing credit card transactions on Internet ELECTRONIC CASH: Currency represented in electronic form, preserving user anonymityELECTRONIC CASH: Currency represented in electronic form, preserving user anonymity*

30. 16.29 DEVELOPING A CONTROL STRUCTURE COSTS: Can be expensive to build; complicated to useCOSTS: Can be expensive to build; complicated to use BENEFITS: Reduces expensive errors, loss of time, resources, good willBENEFITS: Reduces expensive errors, loss of time, resources, good will RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur*

31. 16.30 MIS AUDIT IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS TESTING: Early, regular controlled efforts to detect, reduce errorsTESTING: Early, regular controlled efforts to detect, reduce errors –WALKTHROUGH –DEBUGGING DATA QUALITY AUDIT: Survey samples of files for accuracy, completenessDATA QUALITY AUDIT: Survey samples of files for accuracy, completeness*

32. 16.31 Connect to the INTERNET PRESS LEFT MOUSE BUTTON ON ICON TO CONNECT TO LAUDON & LAUDON WEB SITE FOR MORE INFORMATION IN THIS CHAPTER

33. 16.32