Unit 5 Online System Controls and Security - PowerPoint PPT Presentation

1 / 30
About This Presentation

Unit 5 Online System Controls and Security


Identify the validation techniques used in on-line systems ... all suspense file items must be deleted or resubmitted. 10/15/09. Unit 5. 10. IT Management ... – PowerPoint PPT presentation

Number of Views:30
Avg rating:3.0/5.0
Slides: 31
Provided by: lynnep


Transcript and Presenter's Notes

Title: Unit 5 Online System Controls and Security

  • Unit 5 Online System Controls and Security
  • Identify the validation techniques used in
    on-line systems
  • Describe data libraries used in development
  • Explain the role of security in Information

  • Planning
  • Analysis/Design
  • Building
  • Testing
  • Organization, Stakeholders, Charter
  • Project Mgmt, Tools, methodology, services
  • Committees, Tools, Project, Development, Dbase,
    processing, security controls
  • Testing phases methods

  • Implementation
  • Post-Implementation
  • Roll-out controls
  • Backup-recovery, ITIL Service support controls,
    turnover, review, report, document

User Interface Design (UI) Every component the
users see, hear, or touch and the
workflow Screens Video segments Windows Au
dio segments Web pages Dialog boxes Printed
reports Message boxes
  • Online Controls
  • Transactions processed individually
  • Access security controls who enters
  • Online data validation
  • Exceptional transactions require special password
  • Immediate correction for online
  • Written into a transaction log immediately for

  • Controlling the Processing of Data
  • Ensure that
  • All transaction are authorized
  • All transactions are processed
  • All transactions are complete and accurate

Processing Errors Input Errors Missing data,
lost data, late data, duplicate data,
unauthorized data, inaccurate data Processing
Errors Wrong file, Untimely processing,
incomplete processing, duplicate processing,
incorrect logic, unauthorized logic  
  • Controlling the Processing of Data
  • All transaction are authorized
  • Relies on systems security
  • Identification
  • Authentication
  • Authorisation

  • Controlling the Processing of Data
  • All transactions are processed
  • rejected transactions are written to a suspense
  • all suspense file items must be deleted or

Controlling the Processing of Data Name some
ways when programming to control input errors
  • Controlling the Processing of Data
  • All transactions are complete and accurate
  • Admissible characters edit mask e.g. 999V99
  • Completeness mandatory fields e.g. x ! NULL
  • Field size e.g. edit mask X(15)
  • Range check e.g. value must be gt 16 and lt 85 or
    Quantity ordered lt Quantity on hand
  • Self checking digits e.g. SIN, VIN
  • Code list e.g. provinces
  • Consistency (cross-field edits) e.g. if
    province is Ontario then Postal Code must be in a
    certain range  

  • Development Controls Classroom activity for
  • For each of the following controls
  • Define what each is/what it means (if not
  • What could happen without it?

  • Database Controls
  • Data architecture/corporate data model
  • DBA (DataBase Analyst) creates and maintains all
    production and user test databases
  • DBA or Security grants rights to databases/owner
  • Backup and recovery of database is treated
    separately from systems backup and recovery
  • Database requires documentation and procedures
    for example fallback, recovery and restart
  • Audit trails/logging of all transactions
  • Database mirroring/availability promoted
  • Restricted access to programmer tools such as
    Zapper tools (bulk production database updates)

Data Libraries
  • Data Libraries
  • Production data and programs
  • The companys data treated with the utmost
  • Accessed by authorized users only
  • Production support moves data and programs into
    this area

  • Data Libraries
  • User test data and programs
  • Users data for testing and training purposes
  • Can contain a copy of production data
  • Accessed by authorized users only
  • This is a staging area for programs on their way
    to production
  • Production support moves data and programs into
    this area

  • Data Libraries
  • Development data and programs
  • Developers library of programs in development
  • Developers test data for integration testing
  • Developers data and programs are usually
  • Copied to the developers PC when required
  • Used for development and unit testing

IT SECURITY ANALYST - 996 - 1,199 / weekThe
Central Agencies IIT Cluster seeks an energetic
individual to co-ordinate projects to secure the
cluster's IIT infrastructure guide
ministry/agency business teams performing threat
risk analysis audit user access to ministry
data research, evaluate, recommend practices,
services, technologies for increasing security of
ministry data develop/implement security
policies, controls, practices, procedures, tools
to secure IIT infrastructure promote awareness
of IIT security.Qualifications experience
developing/implementing security controls,
practices, procedures, tools for IIT
infrastructures, performing audits, administering
user access privileges for Netware, Windows 2000,
IBM mainframe environments knowledge of security
policies, best practices excellent
communication, interpersonal, presentation
skills.Apply by Sep 27, 2002 to File File
3135, Ministry of Finance, Human Resources
Branch, 33 King St. W., 2nd Fl., Oshawa, ON L1H
8H5. Fax 905-433-6588.Posted 09/13/2002
  • Access Controls
  • What are we safeguarding?
  • Data
  • Programs
  • Resource
  • What is the risk? 
  • Destruction
  • Modification
  • Disclosure
  • Accidental or intentional misuse

  • Human-Machine Interface
  • e.g. PCs, terminals, ATMs, internet, PDAs, etc
  • Electronic Interface
  • Data sent to external organizations e.g. Payroll
    sent to the bank
  • Data received from external organizations e.g.
    Bank statement, Service Provider updates
  • Data transmitted between internal systems e.g.
    Sales orders transferred from the Web hosting
    computer to the Order Entry system

  • Security System Controls
  • Operating systems security
  • Database security system
  • Programmatic security
  • Network security
  • All users and processes must apply for access.
  • Management approves access request to specific
  • Security sets up account giving required access -
    security roles.
  • All users and processes must be granted
    privileged access to required resources - data,
    programs, hardware, etc.

  • Access Management
  • Access is assigned typically as privileges
  • Operating system level execute, read, append,
    update, delete, create, etc. to specific
  • Database level read, append, update, delete,
    create, etc. to specific tables, fields
  • Program level access to specific programs, menu
    items, modes within screens e.g. read only,
  • Network level to servers, printers, Lan, email

  • Security
  • Security is the safety of people, facilities and
    data from natural and man-made threats
  • Security Requirements controlled access
  • Identification
  • Authentication
  • Authorisation
  • Validity
  • Auditability

  • Security Requirements access controls
  • Identification How you identify yourself to the
  • Authentication How the system verifies you are
    who you say you are
  • AuthorizationHow the system knows what you are
    allowed to do
  • ValidityHow the system ensures it only processes
    valid authorized transactions and what responses
    it gives
  • Audit abilityAbility to trace what went on in
    the system and who did it

  • Your Turn
  • Divide into 5 groups. Each group gets one of
  • Identification, Authentication Authorization,
    Validity, Auditability
  • Give examples on this control.
  • What type of situations can happen if this
    control fails - what does it prevent?

  • Security Requirements
  • 1. Identification Who are you?
  • identify user
  • named user/account
  • Belong to named group
  • security identity badges/access control
  • security cameras/pictures

  • Security Requirements
  • Authentication You are who you say you are
  • verify identity badge, ID card, license with
  • person-to-machine - user password, magnetic
    stripe on card, fingerprint, voice recognition,
  • electronic dial-up may require callback to
    account users phone number
  • Examples of password control - prompt for changes
    regularly, no reuse of former passwords,
    restricted minimum size, obscured/encrypted,
    disabled after 3 attempts

  • Security Requirements
  • Authorisation What are you allowed to do?
  • ensure only appropriate users have access
  • named transaction/screens menu items user
    granted authority to read or update only these
  • User can be assigned to a group that has assigned
    access privileges to specific executables,
    transactions types, data row, table, field level.

  • Security Requirements
  • Validity allow only valid transactions
  • verify access authorization to user on all
  • process only valid transactions to this user
    based on access rights
  • Log violations
  • Put in corrective actions lock keyboard,
    swallow charge card, sound alarm, lock exit doors

  • Security Requirements
  • Auditability traceable trail of activity
  • provide audit trail of all activity, record of
    all transactions, record of changes in access
  • variance detection/correction
  • record/investigate all violation attempts
  • detect unusual patterns in use
  • exception reports sent to management, security
    staff and resource owners
Write a Comment
User Comments (0)
About PowerShow.com