Information System Security and Control - PowerPoint PPT Presentation

About This Presentation
Title:

Information System Security and Control

Description:

Chapter 15 Information System Security and Control Objectives Why are information systems so vulnerable to destruction, error, abuse, and system quality problems? – PowerPoint PPT presentation

Number of Views:3444
Avg rating:3.0/5.0
Slides: 54
Provided by: Lind1163
Category:

less

Transcript and Presenter's Notes

Title: Information System Security and Control


1
Information System Securityand Control
Chapter 15
2
Objectives
  • Why are information systems so vulnerable to
    destruction, error, abuse, and system quality
    problems?
  • What types of controls are available for
    information systems?
  • What special measures must be taken to ensure the
    reliability, availability and security of
    electronic commerce, and digital business
    processes?

3
Objectives
  • What are the most important software quality
    assurance techniques?
  • Why are auditing information systems and
    safeguarding data quality so important?

4
Management Challenges
  • Achieving a sensible balance between too little
    control and too much..
  • Applying quality assurance standards in large
    systems projects.

5
System Vulnerability and Abuse
Why Systems Are Vulnerable
  • Accessibility to electronic data
  • Increasingly complex software, hardware
  • Network access points
  • Wireless vulnerability
  • Internet

6
System Vulnerability and Abuse
Threats to Computerized Information Systems
  • Hardware failure
  • Software failure
  • Personnel actions
  • Terminal access penetration
  • Theft of data, services, equipment
  • Fire
  • Electrical problems
  • User errors
  • Unauthorized program changes
  • Telecommunication problems

7
System Vulnerability and Abuse
Telecommunications networks vulnerabilities
Figure 15-1
8
System Vulnerability and Abuse
Window on Organizations
  • Credit Card Fraud Still on the Rise
  • To what extent are Internet credit card thefts
    management and organizational problems, and to
    what extent are they technical problems?
  • Address the technology and management issues for
    both the credit card issuers and the retail
    companies.
  • Suggest possible ways to address the problem.

9
System Vulnerability and Abuse
Why Systems Are Vulnerable
  • Hacker
  • Trojan horse
  • Denial of service (DoS) attacks
  • Computer viruses
  • Worms
  • Antivirus software

10
System Vulnerability and Abuse
Window on Technology
  • Smarter Worms and Viruses
  • The Worst Is Yet to Come
  • Why are worms so harmful?
  • Describe their business and organizational
    impact.

11
System Vulnerability and Abuse
Concerns for System Builders and Users
  • Disaster
  • Security
  • Administrative error
  • Cyberterrorism and Cyberwarfare

12
System Vulnerability and Abuse
Points in the processing cycle where errors can
occur
Figure 15-2
13
System Vulnerability and Abuse
System Quality Problems Software and Data
  • Bugs and Defects
  • Complete testing not possible
  • The Maintenance Nightmare
  • Maintenance costs high due to organizational
    change, software complexity, and faulty system
    analysis and design

14
System Vulnerability and Abuse
The cost of errors over the systems development
cycle
Figure 15-3
15
System Vulnerability and Abuse
System Quality Problems Software and Data
  • Data Quality Problems
  • Caused by errors during data input or faulty
    information system and database design

16
Creating a Control Environment
  • Controls
  • Methods, policies, and procedures
  • Protection of organizations assets
  • Accuracy and reliability of records
  • Operational adherence to management standards

17
Creating a Control Environment
General Controls and Application Controls
  • General Controls
  • Govern design, security, use of computer programs
    throughout organization
  • Apply to all computerized applications
  • Combination of hardware, software, manual
    procedures to create overall control environment

18
Creating a Control Environment
General Controls and Application Controls
  • General Controls
  • Software controls
  • Hardware controls
  • Computer operations controls
  • Data security controls
  • Implementation
  • Administrative controls

19
Creating a Control Environment
Security profiles for a personnel system
Figure 15-4
20
Creating a Control Environment
General Controls and Application Controls
  • Application Controls
  • Automated and manual procedures that ensure only
    authorized data are processed by application
  • Unique to each computerized application
  • Classified as (1) input controls, (2) processing
    controls, and (3) output controls.

21
Creating a Control Environment
General Controls and Application Controls
  • Application Controls
  • Control totals Input, processing
  • Edit checks Input
  • Computer matching Input, processing
  • Run control totals Processing, output
  • Report distribution logs Output

22
Creating a Control Environment
Protecting the Digital Firm
  • High-availability computing
  • Fault-tolerant computer systems
  • Disaster recovery planning
  • Business continuity planning
  • Load balancing mirroring clustering
  • Recovery-oriented computing
  • Managed security service providers (MSSPs)

23
Creating a Control Environment
Protecting the Digital Firm
  • Internet Security Challenges
  • Public, accessible network
  • Abuses have widespread effect
  • Fixed Internet addresses
  • Corporate systems extended outside organization

24
Creating a Control Environment
Internet security challenges
Figure 15-5
25
Creating a Control Environment
Protecting the Digital Firm
  • Firewall screening technologies
  • Static packet filtering
  • Stateful inspection
  • Network address translation
  • Application proxy filtering
  • Intrusion detection systems
  • Scanning software
  • Monitoring software

26
Creating a Control Environment
Protecting the Digital Firm
  • Security and Electronic Commerce
  • Encryption
  • Authentication
  • Message integrity
  • Digital signatures
  • Digital certificates
  • Public key infrastructure (PKI)

27
Creating a Control Environment
Public key encryption
Figure 15-6
28
Creating a Control Environment
Digital certificates
Figure 15-7
29
Creating a Control Environment
Protecting the Digital Firm
  • Security for Wireless Internet Access
  • Service set identifiers (SSID)
  • Identify access points in network
  • Form of password for users radio network
    interface card
  • Broadcast multiple time per second
  • Easily picked up by sniffer programs, war driving

30
Creating a Control Environment
Wi-Fi security challenges
Figure 15-8
31
Creating a Control Environment
Protecting the Digital Firm
  • Wired Equivalent Privacy (WEP)
  • Initial security standard
  • Call for access point and all users to share the
    same 40-bit encrypted password
  • Wi-Fi Protected Access (WPA) specification
  • 128-bit, non-static encryption key
  • Data-packet checking

32
Creating a Control Environment
Developing a Control Structure Costs and Benefits
  • Criteria for Determining Control Structure
  • Importance of data
  • Cost effectiveness of control technique
  • Efficiency
  • Complexity
  • Expense
  • Risk assessment Level of risk if not properly
    controlled
  • Potential frequency of problem
  • Potential damage

33
Creating a Control Environment
The Role of Auditing in the Control Process
  • MIS Audit
  • Identifies all controls that govern individual
    information systems and assesses their
    effectiveness
  • Lists and ranks all control weaknesses and
    estimates the probability of their occurrence

34
Creating a Control Environment
Sample auditors list of control weaknesses
Figure 15-9
35
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Development Methodology
  • Collection of methods
  • One or more method for every activity in every
    phase of development project

36
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Structured Methodologies
  • Used to document, analyze, design information
    systems
  • Top-down
  • Process-oriented
  • Linear
  • Includes
  • Structured analysis
  • Structured design
  • Structured programming

37
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Structured Analysis
  • Defines system inputs, processes, outputs
  • Logical graphic model of information flow
  • Data flow diagram
  • Data dictionary
  • Process specifications

38
Ensuring System Quality Software and Data
Data flow diagram for mail-in university
registration system
Figure 15-10
39
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Structured Design
  • Set of design rules and techniques
  • Promotes program clarity and simplicity
  • Design from top-down main functions and
    subfunctions
  • Structure chart

40
Ensuring System Quality Software and Data
High-level structure chart for a payroll system
Figure 15-11
41
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Structured Programming
  • Organizes and codes programs to simplify control
    paths for easy use and modification
  • Independent modules with one entry and exit point
  • Three basic control constructs
  • Simple sequence
  • Selection
  • Iteration

42
Ensuring System Quality Software and Data
Basic program control constructs
Figure 15-12
43
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Limitations of Traditional Methods
  • Can be inflexible and time-consuming
  • Programming depends on completion of analysis and
    design phases
  • Specification changes require changes in analysis
    and design documents first
  • Function-oriented

44
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Unified Modeling Language (UML)
  • Industry standard for analysis and design of
    object-oriented systems
  • Represents different views using graphical
    diagrams
  • Underlying model integrates views for consistency
    during analysis, design, and implementation

45
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • UML Components
  • Things
  • Structural things Classes, interfaces,
    collaborations, use cases, active
    classes, components, nodes
  • Behavioral things Interactions, state machines
  • Grouping things Packages
  • Annotational things Notes

46
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • UML Components
  • Relationships
  • Structural Dependencies, aggregations,
    associations, generalizations
  • Behavioral Communicates, includes, extends,
    generalizes
  • Diagrams
  • Structural Class, object, component, and
    deployment diagrams
  • Behavioral Use case, sequence, collaboration,
    stateschart, and activity diagrams

47
Ensuring System Quality Software and Data
A UML use-case diagram
Figure 15-13
48
Ensuring System Quality Software and Data
A UML sequence diagram
Figure 15-14
49
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Computer-Aided Software Engineering (CASE)
  • Automation of step-by-step methodologies
  • Reduce repetitive development work
  • Support documentation creation and revisions
  • Organize design components design repository
  • Support code generation
  • Require organizational discipline

50
Ensuring System Quality Software and Data
Software Quality Assurance Methodologies and Tools
  • Resource Allocation Assigning costs, time,
    personnel to different development phases
  • Software Metrics Quantified measurements of
    systems performance
  • Testing Walkthroughs, debugging

51
Ensuring System Quality Software and Data
Data Quality Audits and Data Cleansing
  • Data Quality Audit
  • Survey end users for perceptions of data quality
  • Survey entire data files
  • Survey samples from data files
  • Data Cleansing
  • Correcting errors and inconsistencies in data
    between business units

52
Chapter 15 Case Study
Could a Missing Hard Drive Create Canadas
Biggest Identity Theft?
  • Summarize the ISM security problem and its impact
    on ISM and its clients.
  • Describe the control weaknesses of ISM and those
    of its clients that made it possible for this
    problem to occur. What management, organization,
    and technology factors contributed to those
    weaknesses?

53
Chapter 15 Case Study
Could a Missing Hard Drive Create Canadas
Biggest Identity Theft?
  • Was the disappearance of the hard drive a
    management problem, an organization problem, or a
    technical problem? Explain your answer.
  • If you were responsible for designing security at
    ISM and its client companies, what would you have
    done differently? How would you have solved their
    control problems?
Write a Comment
User Comments (0)
About PowerShow.com