
Essentials of Management Information Systems, 6e

Chapter 15 Information System Security and Control

15.1

© 2005 by Prentice Hall

Objectives

1. Why are information systems so vulnerable to destruction, error, abuse, and system quality problems?
2. What types of controls are available for information systems?
3. What special measures must be taken to ensure the reliability, availability and security of electronic commerce and digital business processes?

15.2

Objectives

4. What are the most important software quality assurance techniques?
5. Why are auditing information systems and safeguarding data quality so important?

15.3

Management Challenges

1. Achieving a sensible balance between too little control and too much.
2. Applying quality assurance standards in large systems projects.

15.4

System Vulnerability and Abuse

Why Systems Are Vulnerable

Accessibility to electronic data
Increasingly complex software, hardware
Network access points
Wireless vulnerability
Internet

15.5

System Vulnerability and Abuse

Threats to Computerized Information Systems

Hardware failure
Software failure
Personnel actions
Terminal access penetration
Theft of data, services, equipment
Fire
Electrical problems
User errors
Unauthorized program changes
Telecommunication problems

15.6

System Vulnerability and Abuse

Figure 15-1: Telecommunications networks vulnerabilities

15.7

System Vulnerability and Abuse

Window on Organizations

Credit Card Fraud: Still on the Rise

To what extent are Internet credit card thefts management and organizational problems, and to what extent are they technical problems?
Address the technology and management issues for both the credit card issuers and the retail companies.
Suggest possible ways to address the problem.

15.8

System Vulnerability and Abuse

Why Systems Are Vulnerable

Hacker
Trojan horse
Denial of service (DoS) attacks
Computer viruses
Worms
Antivirus software

15.9

System Vulnerability and Abuse

Window on Technology

Smarter Worms and Viruses: The Worst Is Yet to Come

Why are worms so harmful?
Describe their business and organizational impact.

15.10

System Vulnerability and Abuse

Concerns for System Builders and Users

Disaster
Security
Administrative error
Cyberterrorism and cyberwarfare

15.11

System Vulnerability and Abuse

Figure 15-2: Points in the processing cycle where errors can occur

15.12

System Vulnerability and Abuse

System Quality Problems: Software and Data

Bugs and Defects
Complete testing is not possible

The Maintenance Nightmare
Maintenance costs are high due to organizational change, software complexity, and faulty system analysis and design

15.13

System Vulnerability and Abuse

Figure 15-3: The cost of errors over the systems development cycle

15.14

System Vulnerability and Abuse

System Quality Problems: Software and Data

Data Quality Problems
Caused by errors during data input or by faulty information system and database design

15.15

Creating a Control Environment

Controls
Methods, policies, and procedures
Protection of the organization's assets
Accuracy and reliability of records
Operational adherence to management standards

15.16

Creating a Control Environment

General Controls and Application Controls

General Controls
Govern design, security, and use of computer programs throughout the organization
Apply to all computerized applications
Combination of hardware, software, and manual procedures to create an overall control environment

15.17

Creating a Control Environment

General Controls and Application Controls

General Controls
Software controls
Hardware controls
Computer operations controls
Data security controls
Implementation controls
Administrative controls

15.18

Creating a Control Environment

Figure 15-4: Security profiles for a personnel system

15.19

Creating a Control Environment

General Controls and Application Controls

Application Controls
Automated and manual procedures that ensure only authorized data are processed by the application
Unique to each computerized application
Classified as (1) input controls, (2) processing controls, and (3) output controls

15.20

Creating a Control Environment

General Controls and Application Controls

Application Controls
Control totals: Input, processing
Edit checks: Input
Computer matching: Input, processing
Run control totals: Processing, output
Report distribution logs: Output

15.21
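
The two slides above list application controls by name only. The following Python program is an added example, not from the textbook, showing what edit checks, computer matching, control totals and run control totals look like when applied to a constructed batch of payroll input records. The employee master file, the batch header keyed by a data-entry clerk, the field names and the 0-80 hours reasonableness limit are all constructed for the illustration.

```python
"""Application controls over a constructed batch of payroll input records.

Added example, not from the textbook. Input data, field names and limits are constructed.
"""
import re

# Constructed master file of valid employee IDs: the reference for "computer matching".
EMPLOYEE_MASTER = {"E1001": "Alice", "E1002": "Bob", "E1003": "Chen"}

# Constructed batch header as keyed by the clerk when the batch was prepared.
# The hash total is the sum of the numeric part of each employee ID.
BATCH_HEADER = {"record_count": 4, "hours_total": 213.5, "hash_total_employee_ids": 4015}

# Constructed input records: employee id, hours worked, pay rate.
BATCH_RECORDS = [
    {"employee_id": "E1001", "hours": 40.0, "rate": 25.0},
    {"employee_id": "E1002", "hours": 38.5, "rate": 30.0},
    {"employee_id": "E1009", "hours": 40.0, "rate": 22.0},  # no such employee in the master file
    {"employee_id": "E1003", "hours": 95.0, "rate": 28.0},  # fails the hours reasonableness check
]

ID_PATTERN = re.compile(r"^E\d{4}$")


def edit_check(record):
    """Input control: field-level edit checks. Returns a list of error strings (empty = valid)."""
    errors = []
    if not ID_PATTERN.match(record.get("employee_id", "")):
        errors.append("employee_id: bad format")
    hours = record.get("hours")
    if not isinstance(hours, (int, float)) or not 0 <= hours <= 80:  # constructed reasonableness limit
        errors.append("hours: outside 0-80")
    rate = record.get("rate")
    if not isinstance(rate, (int, float)) or rate <= 0:
        errors.append("rate: must be positive")
    return errors


def computer_match(record, master):
    """Input/processing control: the transaction must match a record in the master file."""
    return record["employee_id"] in master


def control_totals(records):
    """Batch control totals: a record count, a financial total and a hash total.

    The hash total has no business meaning by itself; that is exactly why it detects a lost,
    duplicated or mis-keyed record that a plausible-looking financial total might hide.
    """
    return {
        "record_count": len(records),
        "hours_total": round(sum(r["hours"] for r in records), 2),
        "hash_total_employee_ids": sum(int(r["employee_id"][1:]) for r in records),
    }


def validate_batch(records, header, master):
    """Apply the input controls. Returns (accepted_records, rejections, batch_totals_match)."""
    totals_match = control_totals(records) == header
    accepted, rejections = [], []
    for r in records:
        errs = edit_check(r)
        if not errs and not computer_match(r, master):
            errs.append("employee_id: no matching master record")
        if errs:
            rejections.append((r["employee_id"], errs))
        else:
            accepted.append(r)
    return accepted, rejections, totals_match


def run_control_total(accepted):
    """Processing/output control: a run total carried forward so the output report can be
    reconciled against the accepted input (records in == records paid)."""
    paid = [{"employee_id": r["employee_id"], "gross": r["hours"] * r["rate"]} for r in accepted]
    return paid, {"records_paid": len(paid), "gross_total": round(sum(p["gross"] for p in paid), 2)}


if __name__ == "__main__":
    ok_records, bad_records, complete = validate_batch(BATCH_RECORDS, BATCH_HEADER, EMPLOYEE_MASTER)
    print("batch totals agree with header:", complete)
    for emp, errs in bad_records:
        print("rejected", emp, errs)
    print("run totals:", run_control_total(ok_records)[1])
```

The batch totals still agree with the header in this run, because the clerk keyed the same four records that arrived; the control totals prove completeness of the batch, not the validity of each record, which is what the edit checks and the master-file match are for. Removing one record from the batch makes the totals disagree, which is the lost-record case the hash total is designed to catch.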

Creating a Control Environment

Protecting the Digital Firm

High-availability computing
Fault-tolerant computer systems
Disaster recovery planning
Business continuity planning
Load balancing; mirroring; clustering
Recovery-oriented computing
Managed security service providers (MSSPs)

15.22

Creating a Control Environment

Protecting the Digital Firm

Internet Security Challenges
Public, accessible network
Abuses have widespread effect
Fixed Internet addresses
Corporate systems extended outside the organization

15.23

Creating a Control Environment

Figure 15-5: Internet security challenges

15.24

Creating a Control Environment

Protecting the Digital Firm

Firewall screening technologies
Static packet filtering
Stateful inspection
Network address translation
Application proxy filtering

Intrusion detection systems
Scanning software
Monitoring software

15.25
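
The slide names the firewall screening technologies without saying how they differ. The Python simulation below is an added example, not from the textbook, contrasting the first two: a static packet filter, which judges every packet in isolation, and stateful inspection, which remembers connections opened from inside and admits only the inbound packets that belong to one. The packets, the LAN prefix and the rule set are constructed; addresses come from the RFC 5737 documentation ranges.

```python
"""Static packet filtering versus stateful inspection on a constructed packet trace.

Added example, not from the textbook. Rule set, LAN prefix and packets are constructed.
"""
from dataclasses import dataclass

INTERNAL_NET = "192.0.2."  # constructed LAN prefix (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


def static_filter(pkt):
    """Stateless rule set: allow LAN clients to reach web servers on port 80, and allow
    inbound packets whose source port is 80 so that the replies can come back.

    The filter has no memory, so it cannot tell a genuine reply from an unsolicited
    inbound packet that merely carries source port 80; both match the second rule.
    """
    if pkt.direction == "out" and pkt.src.startswith(INTERNAL_NET) and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.sport == 80 and pkt.dst.startswith(INTERNAL_NET):
        return True
    return False


class StatefulFirewall:
    """Same outbound policy, but inbound packets are admitted only when they belong to a
    connection recorded in the state table when a LAN client opened it."""

    def __init__(self):
        self.table = set()  # (client, client_port, server, server_port) of open connections

    def filter(self, pkt):
        if pkt.direction == "out" and pkt.src.startswith(INTERNAL_NET) and pkt.dport == 80:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            # A reply is addressed to the client and comes from the server the client contacted.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


def run(packets, policy):
    """Apply a policy function to a packet trace in order; returns one allow/deny per packet."""
    return [policy(p) for p in packets]


# Constructed trace: a web request, its reply, an unsolicited inbound packet that happens to
# carry source port 80, and an unsolicited inbound packet to an unrelated service.
PACKETS = [
    Packet("192.0.2.10", 51000, "198.51.100.5", 80, "out"),
    Packet("198.51.100.5", 80, "192.0.2.10", 51000, "in"),
    Packet("203.0.113.9", 80, "192.0.2.10", 445, "in"),
    Packet("203.0.113.9", 4444, "192.0.2.10", 22, "in"),
]


def compare_policies(packets=PACKETS):
    """Return the static and stateful verdicts side by side for the same trace."""
    return {"static": run(packets, static_filter), "stateful": run(packets, StatefulFirewall().filter)}


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(name, ["allow" if v else "deny" for v in verdicts])
```

The third packet is the one that separates the two technologies: the static filter admits it because the source port matches its reply rule, while the stateful firewall rejects it because no LAN client ever opened a connection to that host. Detection follows the same logic: an inbound packet with no matching state entry is exactly what a monitoring system should log.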

Creating a Control Environment

Protecting the Digital Firm

Security and Electronic Commerce
Encryption
Authentication
Message integrity
Digital signatures
Digital certificates
Public key infrastructure (PKI)

15.26

Creating a Control Environment

Figure 15-6: Public key encryption

15.27

Creating a Control Environment

Figure 15-7: Digital certificates

15.28
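
Slide 15.26 lists encryption, digital signatures, digital certificates and PKI, and Figures 15-6 and 15-7 draw them; none of the three shows the mechanics. The Python program below is an added example, not from the textbook, that walks through all three with textbook RSA at toy size: encrypt with the public key and decrypt with the private one, sign a message digest with the private key and verify with the public one, and have a certificate authority sign a subject's public key so that a relying party can validate it. The primes, exponents, subject name and certificate layout are constructed; keys this small are for illustration only and give no security.

```python
"""Toy-size textbook RSA illustrating public key encryption, digital signatures and
CA-issued certificates (Figures 15-6 and 15-7).

Added example, not from the textbook. Primes, exponents and the certificate format are
constructed; the moduli are far too small to be secure and only show the mechanics.
"""
import hashlib


def keypair(p, q, e):
    """Build (public, private) keys from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, pub):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = pub
    return pow(m, e, n)


def decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)


def digest(data, n):
    """Toy hash-to-integer: SHA-256 reduced into the modulus (only sensible at toy size)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    """Signing uses the private key on the message digest; verification uses the public key."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def _cert_body(subject, pub):
    """Canonical bytes the CA signs: the subject's name bound to the subject's public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(subject, subject_pub, ca_priv):
    """The certificate authority vouches for the binding between subject and public key."""
    return {"subject": subject, "pub": subject_pub, "sig": sign(_cert_body(subject, subject_pub), ca_priv)}


def validate_certificate(cert, ca_pub):
    """A relying party needs only the CA's public key to check that the binding is intact."""
    return verify(_cert_body(cert["subject"], cert["pub"]), cert["sig"], ca_pub)


if __name__ == "__main__":
    merchant_pub, merchant_priv = keypair(61, 53, 17)      # constructed toy key
    ca_pub, ca_priv = keypair(101, 113, 13)                # constructed toy CA key
    print("encrypt/decrypt 65 ->", encrypt(65, merchant_pub), "->", decrypt(encrypt(65, merchant_pub), merchant_priv))
    order = b"order 42"
    sig = sign(order, merchant_priv)
    print("signature verifies:", verify(order, sig, merchant_pub))
    cert = issue_certificate("merchant.example", merchant_pub, ca_priv)
    print("certificate validates against CA key:", validate_certificate(cert, ca_pub))
```

Two points the figures cannot convey follow directly from the code: the same key pair serves both directions (public key in, private key out for encryption; private key in, public key out for signing), and a certificate is nothing more than a signature by the CA over the name-to-key binding, so trust in every certificate rests on the CA's private key staying private.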

Creating a Control Environment

Protecting the Digital Firm

Security for Wireless Internet Access
Service set identifiers (SSID)
Identify access points in the network
Form of password for the user's radio network interface card
Broadcast multiple times per second
Easily picked up by sniffer programs, war driving

15.29

Creating a Control Environment

Figure 15-8: Wi-Fi security challenges

15.30

Creating a Control Environment

Protecting the Digital Firm

Wired Equivalent Privacy (WEP)
Initial security standard
Calls for the access point and all users to share the same 40-bit encrypted password

Wi-Fi Protected Access (WPA) specification
128-bit, non-static encryption key
Data-packet checking

15.31

Creating a Control Environment

Developing a Control Structure: Costs and Benefits

Criteria for Determining Control Structure
Importance of data
Cost effectiveness of control technique
Efficiency
Complexity
Expense

Risk assessment: Level of risk if not properly controlled
Potential frequency of problem
Potential damage

15.32

Creating a Control Environment

The Role of Auditing in the Control Process

MIS Audit
Identifies all controls that govern individual information systems and assesses their effectiveness
Lists and ranks all control weaknesses and estimates the probability of their occurrence

15.33

Creating a Control Environment

Figure 15-9: Sample auditor's list of control weaknesses

15.34

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Development Methodology
Collection of methods
One or more methods for every activity in every phase of a development project

15.35

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Methodologies
Used to document, analyze, and design information systems
Top-down
Process-oriented
Linear
Includes:
Structured analysis
Structured design
Structured programming

15.36

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Analysis
Defines system inputs, processes, outputs
Logical graphic model of information flow
Data flow diagram
Data dictionary
Process specifications

15.37

Ensuring System Quality: Software and Data

Figure 15-10: Data flow diagram for mail-in university registration system

15.38

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Design
Set of design rules and techniques
Promotes program clarity and simplicity
Design from the top down; main functions and subfunctions
Structure chart

15.39

Ensuring System Quality: Software and Data

Figure 15-11: High-level structure chart for a payroll system

15.40

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Structured Programming
Organizes and codes programs to simplify control paths for easy use and modification
Independent modules with one entry and one exit point
Three basic control constructs:
Simple sequence
Selection
Iteration

15.41

Ensuring System Quality: Software and Data

Figure 15-12: Basic program control constructs

15.42

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Limitations of Traditional Methods
Can be inflexible and time-consuming
Programming depends on completion of the analysis and design phases
Specification changes require changes in the analysis and design documents first
Function-oriented

15.43

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Unified Modeling Language (UML)
Industry standard for analysis and design of object-oriented systems
Represents different views using graphical diagrams
Underlying model integrates the views for consistency during analysis, design, and implementation

15.44

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

UML Components
Things:
Structural things: Classes, interfaces, collaborations, use cases, active classes, components, nodes
Behavioral things: Interactions, state machines
Grouping things: Packages
Annotational things: Notes

15.45

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

UML Components
Relationships:
Structural: Dependencies, aggregations, associations, generalizations
Behavioral: Communicates, includes, extends, generalizes
Diagrams:
Structural: Class, object, component, and deployment diagrams
Behavioral: Use case, sequence, collaboration, statechart, and activity diagrams

15.46

Ensuring System Quality: Software and Data

Figure 15-13: A UML use-case diagram

15.47

Ensuring System Quality: Software and Data

Figure 15-14: A UML sequence diagram

15.48

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Computer-Aided Software Engineering (CASE)
Automation of step-by-step methodologies
Reduce repetitive development work
Support documentation creation and revisions
Organize design components; design repository
Support code generation
Require organizational discipline

15.49

Ensuring System Quality: Software and Data

Software Quality Assurance Methodologies and Tools

Resource Allocation: Assigning costs, time, and personnel to different development phases
Software Metrics: Quantified measurements of system performance
Testing: Walkthroughs, debugging

15.50

Ensuring System Quality: Software and Data

Data Quality Audits and Data Cleansing

Data Quality Audit
Survey end users for perceptions of data quality
Survey entire data files
Survey samples from data files

Data Cleansing
Correcting errors and inconsistencies in data between business units

15.51
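
The slide defines a data quality audit as surveying data files and data cleansing as correcting inconsistencies between business units. The Python program below is an added example, not from the textbook, that does both over a constructed pair of customer extracts held by a sales unit and a billing unit: the audit reports invalid field values, records present in only one unit, and fields on which the two units disagree; the cleansing step normalizes the values and merges them into one master under a constructed conflict rule (billing wins). Customer IDs, field names, the Canadian postal-code format check and the precedence rule are all constructed for the illustration.

```python
"""Data quality audit and data cleansing over two business units' customer extracts.

Added example, not from the textbook. Records, field names and the conflict rule are constructed.
"""
import re

# Constructed extracts from two business units, keyed on customer id.
SALES = {
    "C001": {"name": "Acme Ltd", "postcode": "M5V 3L9", "email": "Buyer@Acme.Example"},
    "C002": {"name": "Beta inc.", "postcode": "m5v3l9", "email": "ops@beta.example"},
    "C003": {"name": "Gamma Co", "postcode": "H2Y1C6", "email": "not-an-email"},
}
BILLING = {
    "C001": {"name": "ACME LTD", "postcode": "M5V3L9", "email": "buyer@acme.example"},
    "C002": {"name": "Beta Inc.", "postcode": "M5V 3L9", "email": "billing@beta.example"},
    "C004": {"name": "Delta", "postcode": "K1A 0B1", "email": "ar@delta.example"},
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CA_POSTCODE_RE = re.compile(r"^[A-Z]\d[A-Z] \d[A-Z]\d$")  # constructed: Canadian "A1A 1A1" layout


def normalize(rec):
    """Cleansing rules: canonical casing and spacing so that equivalent values compare equal."""
    pc = re.sub(r"\s+", "", rec["postcode"]).upper()
    pc = f"{pc[:3]} {pc[3:]}" if len(pc) == 6 else pc
    return {
        "name": " ".join(rec["name"].split()).title(),
        "postcode": pc,
        "email": rec["email"].strip().lower(),
    }


def audit(sales, billing):
    """Survey both files. Returns (customer_id, unit, field, finding) tuples:
    invalid values per unit, records missing from one unit, and cross-unit conflicts."""
    findings = []
    for unit, data in (("sales", sales), ("billing", billing)):
        for cid, rec in data.items():
            n = normalize(rec)
            if not EMAIL_RE.match(n["email"]):
                findings.append((cid, unit, "email", "invalid format"))
            if not CA_POSTCODE_RE.match(n["postcode"]):
                findings.append((cid, unit, "postcode", "invalid format"))
    for cid in sorted(set(sales) ^ set(billing)):
        findings.append((cid, "both", "record", "present in only one unit"))
    for cid in sorted(set(sales) & set(billing)):
        a, b = normalize(sales[cid]), normalize(billing[cid])
        for field in a:
            if a[field] != b[field]:
                findings.append((cid, "both", field, f"conflict: {a[field]!r} vs {b[field]!r}"))
    return findings


def cleanse(sales, billing):
    """Merge into one cleansed master of normalized records.
    Constructed precedence rule: where both units hold a record, billing's values win."""
    master = {}
    for cid in set(sales) | set(billing):
        candidates = [normalize(r) for r in (sales.get(cid), billing.get(cid)) if r is not None]
        master[cid] = candidates[-1]  # ordered sales then billing, so billing is last
    return master


if __name__ == "__main__":
    for finding in audit(SALES, BILLING):
        print(*finding)
    for cid, rec in sorted(cleanse(SALES, BILLING).items()):
        print(cid, rec)
```

Note that normalization removes most of what looks like disagreement (casing, spacing, postal-code layout) before the audit compares units, so the conflicts that remain are real ones that need a business decision rather than a formatting rule; the billing-wins rule here is a placeholder for that decision, and the audit findings are the record of what it was applied to.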

Chapter 15 Case Study

Could a Missing Hard Drive Create Canada's Biggest Identity Theft?

1. Summarize the ISM security problem and its impact on ISM and its clients.
2. Describe the control weaknesses of ISM and those of its clients that made it possible for this problem to occur. What management, organization, and technology factors contributed to those weaknesses?

15.52

Chapter 15 Case Study

Could a Missing Hard Drive Create Canada's Biggest Identity Theft?

3. Was the disappearance of the hard drive a management problem, an organization problem, or a technical problem? Explain your answer.
4. If you were responsible for designing security at ISM and its client companies, what would you have done differently? How would you have solved their control problems?

15.53
