chapter 12 designing system interfaces, controls, and security chapter 15 systems analysis and...


Upload: oswin-simmons

Post on 16-Dec-2015


System Analysis and Design Jess Role 2004@ Prentice Hall

Chapter 12
Designing System Interfaces, Controls, and Security

Chapter 15
Systems Analysis and Design in a Changing World, 3rd Edition


Identifying System Interfaces
Systems interfaces are broadly defined as inputs or outputs with minimal or no human intervention
  Inputs from other systems (messages, EDI)
  Highly automated input devices such as scanners
  Inputs that are from data in external databases
  Outputs that are to external databases
  Outputs with minimal HCI
  Outputs to other systems
  Real-time connections (both input and output)


Full Range of Inputs and Outputs


eXtensible Markup Language (XML)
Extension of HTML that embeds self-defined data structures within textual messages
Transaction that contains data fields can be sent with XML codes to define meaning of data fields
XML provides common system-to-system interface
XML is simple and readable by people
Web services are based on XML to send business transactions over Internet


System-to-System Interface Based on XML


Design of System Inputs
Identify devices and mechanisms used to enter input
  High-level review of most up-to-date methods to enter data
Identify all system inputs and develop list of data content with each
  Provides link between design of application software and design of user and system interfaces
Determine controls and security necessary for each system input


Input Devices and Mechanisms
Capture data as close to origination source as possible
Use electronic devices and automatic entry whenever possible
Avoid human involvement as much as possible
Seek information in electronic form to avoid data reentry
Validate and correct information at entry point


Prevalent Input Devices to Avoid Human Data Entry
Magnetic card strip readers
Bar-code readers
Optical character recognition readers and scanners
Touch screens and devices
Electronic pens and writing surfaces
Digitizers, such as digital cameras and digital audio devices


Defining the Details of System Inputs
Ensure all data inputs are identified and specified correctly
Can use traditional structured models
  Identify automation boundary
    Use DFD fragments
    Segment by program boundaries
  Examine Structure Charts
    Analyze each module and data couple
    List individual data fields


Automation Boundary on a System-level DFD


Create New Order DFD with an Automation Boundary


List of Inputs for Customer Support System


Structure Chart for Create New Order


Data Flows, Data Couples, and Data Elements Making up Inputs


Using Object-Oriented Models
Identifying user and system inputs with OO approach has same tasks as traditional approach
OO diagrams are used instead of DFDs and structure charts
System sequence diagrams identify each incoming message
Design class diagrams identify and describe input parameters and contain pseudocode to verify characteristics of inputs


Partial System Sequence Diagram for Payroll System Use Cases


System Sequence Diagram for Create New Order


Input Messages and Data Parameters from RMO System Sequence Diagram


Designing System Outputs
Determine each type of output
Make list of specific system outputs required based on application design
Specify any necessary controls to protect information provided in output
Design and prototype output layout
Ad hoc reports – designed as needed by user


Defining the Details of System Outputs
Type of reports
  Printed reports
  Electronic displays
  Turnaround documents
May use traditional structured models to identify outputs
  Data flows crossing automation boundary
  Data couples and report data requirements on structure chart


Table of System Outputs Based on Traditional Structured Approach


Using Object-Oriented Models
Outputs indicated by messages in sequence diagrams
  Originate from internal system objects
  Sent to external actors or another external system
Output messages based on an individual object are usually part of methods of that class object
To report on all objects within a class, class-level method is used that works on entire class


Table of System Outputs Based on OO Messages


Designing Reports, Statements, and Turnaround Documents
Printed versus electronic
Type of output reports
  Detailed
  Summary
  Exception
  Executive
Internal versus external
Graphical and multimedia presentation


RMO Summary Report with Drill Down to the Detailed Report


Sample Bar Chart and Pie Chart Reports


Formatting Reports
What is objective of report?
Who is the intended audience?
What is media for presentation?
Avoid information overload
Format considerations such as meaningful headings, date of information, date report produced, page numbers


Designing Integrity Controls
Mechanisms and procedures built into a system to safeguard it and information contained within
Integrity controls
  Built into application and database system to safeguard information
Security controls
  Built into operating system and network


Objectives of Integrity Controls
Ensure that only appropriate and correct business transactions occur
Ensure that transactions are recorded and processed correctly
Protect and safeguard assets of the organization
  Software
  Hardware
  Information


Points of Security and Integrity Controls


Input Integrity Controls
Used with all input mechanisms
Additional level of verification to help reduce input errors
Common control techniques
  Field combination controls
  Value limit controls
  Completeness controls
  Data validation controls
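
Added example (not from the original slides or the textbook): the four input control techniques listed above, applied to an XML order transaction arriving over a system-to-system interface. The element names, the quantity limit and the use of a Luhn check digit on customerId are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample transaction; element names are assumptions for this example.
SAMPLE_ORDER = """<order>
  <customerId>79927398713</customerId>
  <orderDate>2004-03-01</orderDate>
  <shipDate>2004-03-05</shipDate>
  <quantity>12</quantity>
</order>"""

REQUIRED = ("customerId", "orderDate", "shipDate", "quantity")
MAX_QUANTITY = 500  # assumed business limit for a single order


def luhn_ok(digits: str) -> bool:
    """Check-digit test (Luhn), standing in for the data validation control."""
    if not (digits.isascii() and digits.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_order(xml_text: str) -> list[str]:
    """Apply the input controls; an empty list means the transaction is accepted."""
    # A system-to-system message needs no DTD, so refuse one outright
    # rather than let the parser expand entities from an untrusted sender.
    if "<!DOCTYPE" in xml_text:
        return ["rejected: DOCTYPE not allowed on this interface"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["rejected: malformed XML"]
    fields = {child.tag: (child.text or "").strip() for child in root}

    # Completeness control: every required field is present and non-empty.
    missing = [name for name in REQUIRED if not fields.get(name)]
    if missing:
        return ["completeness: missing " + ", ".join(missing)]

    errors = []
    # Data validation control: the identifier must carry a correct check digit.
    if not luhn_ok(fields["customerId"]):
        errors.append("data validation: customerId fails check digit")
    # Value limit control: quantity must be a number in a reasonable range.
    qty = fields["quantity"]
    if not (qty.isascii() and qty.isdigit() and len(qty) <= 6
            and 1 <= int(qty) <= MAX_QUANTITY):
        errors.append(f"value limit: quantity must be 1..{MAX_QUANTITY}")
    # Field combination control: two fields must be consistent with each other.
    try:
        if date.fromisoformat(fields["shipDate"]) < date.fromisoformat(fields["orderDate"]):
            errors.append("field combination: shipDate is before orderDate")
    except ValueError:
        errors.append("data validation: dates must be ISO 8601 dates")
    return errors
```

The checks run at the entry point, before the transaction reaches application logic, and each rejection names the control that failed so the sending system can correct and resend.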


Database Integrity Controls
Access control
Data encryption
Transaction control
Update control
Backup and recovery protection


Output Integrity Controls
Ensures output arrives at proper destination and is correct, accurate, complete, and current
Destination controls - output is channeled to correct people
Completeness, accuracy, and correctness controls
Appropriate information present on output


Integrity Controls to Prevent Fraud
Three conditions are present in fraud cases
  Personal pressure, such as desire to maintain extravagant lifestyle
  Rationalization, such as person’s thoughts that “I will repay this money”
  Opportunity, such as unverified cash receipts
Control of fraud requires both manual procedures and computer integrity controls


Fraud Risks and Prevention Techniques


Designing Security Controls
Security controls protect assets of organization from all threats
  External threats such as hackers, viruses, worms, and message overload attacks
Security control objectives
  Maintain stable, functioning operating environment for users and application systems (24 x 7)
  Protect information and transactions during transmission outside organization (public carriers)


Security for Access to Systems
Used to control access to any resource managed by operating system or network
User categories
  Unauthorized user – no authorization to access
  Registered user – authorized to access system
  Privileged user – authorized to administrate system
Organized so that all resources can be accessed with same unique ID/password combination


Users and Access Roles to Computer Systems


Managing User Access
Most common technique is user ID / password
Authorization – Is user permitted to access?
  Access control list – users with rights to access
Authentication – Is user who they claim to be?
  Smart card – computer readable plastic card with embedded security information
  Biometric devices – keystroke patterns, fingerprint, retinal scans, voice characteristics
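
Added example (not from the original slides): the authentication and authorization questions above implemented as two separate checks, with an access control list keyed by the registered and privileged user categories. The user IDs, passwords, resource names and PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so stored credentials are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(user_id: str, password: str, role: str) -> dict:
    """Create a directory record; only the salt and hash are stored."""
    salt = secrets.token_bytes(16)
    return {"id": user_id, "salt": salt, "hash": _hash(password, salt), "role": role}


# Constructed directory: one registered user and one privileged user.
USERS = {u["id"]: u for u in (
    enroll("clerk01", "correct horse battery", "registered"),
    enroll("admin01", "staple tractor velvet", "privileged"),
)}

# Access control list: resource -> action -> roles holding that right.
ACL = {
    "orders": {"read": {"registered", "privileged"},
               "write": {"registered", "privileged"}},
    "user_accounts": {"read": {"privileged"}, "write": {"privileged"}},
}

_DUMMY_SALT = secrets.token_bytes(16)


def authenticate(user_id: str, password: str) -> bool:
    """Authentication: is the user who they claim to be?"""
    user = USERS.get(user_id)
    if user is None:
        _hash(password, _DUMMY_SALT)  # do the same work for unknown IDs
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash(password, user["salt"]), user["hash"])


def authorize(user_id: str, resource: str, action: str) -> bool:
    """Authorization: is this authenticated user permitted to access?"""
    role = USERS[user_id]["role"]
    # Anything not listed in the ACL is denied by default.
    return role in ACL.get(resource, {}).get(action, set())


def request(user_id: str, password: str, resource: str, action: str) -> str:
    """Authenticate first, then consult the ACL for the requested action."""
    if not authenticate(user_id, password):
        return "denied: unauthorized user"
    if not authorize(user_id, resource, action):
        return "denied: not on access control list"
    return "granted"
```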


Data Security
Data and files themselves must be secure
Encryption – primary security method
  Altering data so unauthorized users cannot view
Decryption
  Altering encrypted data back to original state
Symmetric key – same key encrypts and decrypts
Asymmetric key – different key decrypts
Public key – public encrypts, private decrypts


Symmetric Key Encryption


Asymmetric Key Encryption


Digital signatures and certificates
Encryption of messages enables secure exchange of information between two entities with appropriate keys
Digital signature encrypts document with private key to verify document author
Digital certificate is institution’s name and public key that is encrypted and certified by third party
Certifying authority
  Verisign or Equifax


Using a Digital Certificate


Secure Transactions
Standard set of methods and protocols for authentication, authorization, privacy, integrity
Secure Sockets Layer (SSL) renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet
IP Security (IPSec) – newer standard for secure Internet message transmission
Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates)


Summary
System interfaces all inputs/outputs except (GUI)
Designing inputs to system is three-step process
  Identify devices/mechanisms used to enter input
  Identify system inputs, develop list of data content
  Determine controls and security necessary for each system input
Traditional approach to design inputs and outputs
  DFDs, data flow definitions, structure charts


Summary (continued)
OO approach to design inputs and outputs
  Sequence diagrams, class diagrams, DFDs
Integrity controls and security designed into system
  Only appropriate and correct business transactions occur
  Transactions are recorded and processed correctly
  Protect and safeguard assets of the organization
  Control access to resources