System Analysis and Design Jess Role 2004@ Prentice Hall

Chapter 12: Designing System Interfaces, Controls, and Security
Chapter 15
Systems Analysis and Design in a Changing World, 3rd Edition

Identifying System Interfaces
- Systems interfaces are broadly defined as inputs or outputs with minimal or no human intervention
  - Inputs from other systems (messages, EDI)
  - Highly automated input devices such as scanners
  - Inputs that are from data in external databases
  - Outputs that are to external databases
  - Outputs with minimal HCI
  - Outputs to other systems
  - Real-time connections (both input and output)

[Figure: Full Range of Inputs and Outputs]

eXtensible Markup Language (XML)
- Extension of HTML that embeds self-defined data structures within textual messages
- Transaction that contains data fields can be sent with XML codes to define meaning of data fields
- XML provides common system-to-system interface
- XML is simple and readable by people
- Web services is based on XML to send business transactions over Internet

[Figure: System-to-System Interface Based on XML]

Design of System Inputs
- Identify devices and mechanisms used to enter input
  - High-level review of most up-to-date methods to enter data
- Identify all system inputs and develop list of data content with each
  - Provides link between design of application software and design of user and system interfaces
- Determine controls and security necessary for each system input

Input Devices and Mechanisms
- Capture data as close to origination source as possible
- Use electronic devices and automatic entry whenever possible
- Avoid human involvement as much as possible
- Seek information in electronic form to avoid data reentry
- Validate and correct information at entry point

Prevalent Input Devices to Avoid Human Data Entry
- Magnetic card strip readers
- Bar-code readers
- Optical character recognition readers and scanners
- Touch screens and devices
- Electronic pens and writing surfaces
- Digitizers, such as digital cameras and digital audio devices

Defining the Details of System Inputs
- Ensure all data inputs are identified and specified correctly
- Can use traditional structured models
  - Identify automation boundary
    - Use DFD fragments
    - Segment by program boundaries
  - Examine Structure Charts
    - Analyze each module and data couple
    - List individual data fields

[Figure: Automation Boundary on a System-level DFD]

[Figure: Create New Order DFD with an Automation Boundary]

[Figure: List of Inputs for Customer Support System]

[Figure: Structure Chart for Create New Order]

[Figure: Data Flows, Data Couples, and Data Elements Making up Inputs]

Using Object-Oriented Models
- Identifying user and system inputs with OO approach has same tasks as traditional approach
- OO diagrams are used instead of DFDs and structure charts
- System sequence diagrams identify each incoming message
- Design class diagrams identify and describe input parameters and contain pseudocode to verify characteristics of inputs

[Figure: Partial System Sequence Diagram for Payroll System Use Cases]

[Figure: System Sequence Diagram for Create New Order]

[Figure: Input Messages and Data Parameters from RMO System Sequence Diagram]

Designing System Outputs
- Determine each type of output
- Make list of specific system outputs required based on application design
- Specify any necessary controls to protect information provided in output
- Design and prototype output layout
- Ad hoc reports – designed as needed by user

Defining the Details of System Outputs
- Type of reports
  - Printed reports
  - Electronic displays
  - Turnaround documents
- May use traditional structured models to identify outputs
  - Data flows crossing automation boundary
  - Data couples and report data requirements on structure chart

[Figure: Table of System Outputs Based on Traditional Structured Approach]

Using Object-Oriented Models
- Outputs indicated by messages in sequence diagrams
  - Originate from internal system objects
  - Sent to external actors or another external system
- Output messages based on an individual object are usually part of methods of that class object
- To report on all objects within a class, class-level method is used that works on entire class

[Figure: Table of System Outputs Based on OO Messages]

Designing Reports, Statements, and Turnaround Documents
- Printed versus electronic
- Type of output reports
  - Detailed
  - Summary
  - Exception
  - Executive
- Internal versus external
- Graphical and multimedia presentation

[Figure: RMO Summary Report with Drill Down to the Detailed Report]

[Figure: Sample Bar Chart and Pie Chart Reports]

Formatting Reports
- What is objective of report?
- Who is the intended audience?
- What is media for presentation?
- Avoid information overload
- Format considerations such as meaningful headings, date of information, date report produced, page numbers

Designing Integrity Controls
- Mechanisms and procedures built into a system to safeguard it and information contained within
- Integrity controls
  - Built into application and database system to safeguard information
- Security controls
  - Built into operating system and network

Objectives of Integrity Controls
- Ensure that only appropriate and correct business transactions occur
- Ensure that transactions are recorded and processed correctly
- Protect and safeguard assets of the organization
  - Software
  - Hardware
  - Information

[Figure: Points of Security and Integrity Controls]

Input Integrity Controls
- Used with all input mechanisms
- Additional level of verification to help reduce input errors
- Common control techniques
  - Field combination controls
  - Value limit controls
  - Completeness controls
  - Data validation controls
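
The four input control techniques listed above, applied to one order record, as an added Python example that is not part of the original slides. The field names, reference data and quantity limit are constructed assumptions.

```python
from datetime import date

# Constructed reference data (assumption, not from the slides).
KNOWN_CUSTOMERS = {"C1001", "C1002"}
KNOWN_PRODUCTS = {"P-200", "P-310"}
REQUIRED_FIELDS = ("customer_id", "product_code", "quantity",
                   "order_date", "ship_date")
MAX_QUANTITY = 500


def check_order(order):
    """Return a list of (control, message) findings; an empty list means accept."""
    findings = []

    # Completeness control: every required field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if order.get(f) in (None, "")]
    if missing:
        findings.append(("completeness", "missing: " + ", ".join(missing)))
        return findings  # the remaining controls need every field

    # Data validation control: codes and identifiers must match known values.
    if order["customer_id"] not in KNOWN_CUSTOMERS:
        findings.append(("data validation", "unknown customer_id"))
    if order["product_code"] not in KNOWN_PRODUCTS:
        findings.append(("data validation", "unknown product_code"))

    # Value limit control: reject values that are too small or too large.
    qty = order["quantity"]
    is_int = isinstance(qty, int) and not isinstance(qty, bool)
    if not is_int or not 1 <= qty <= MAX_QUANTITY:
        findings.append(("value limit", f"quantity must be 1..{MAX_QUANTITY}"))

    # Field combination control: fields that are valid alone must also agree.
    try:
        ordered = date.fromisoformat(order["order_date"])
        shipped = date.fromisoformat(order["ship_date"])
    except (TypeError, ValueError):
        findings.append(("data validation", "dates must be YYYY-MM-DD"))
    else:
        if shipped < ordered:
            findings.append(("field combination",
                             "ship_date precedes order_date"))
    return findings


if __name__ == "__main__":
    # Constructed sample input: each field is valid alone, the dates disagree.
    sample = {"customer_id": "C1001", "product_code": "P-200", "quantity": 3,
              "order_date": "2004-03-01", "ship_date": "2004-02-27"}
    for control, message in check_order(sample):
        print(f"{control}: {message}")
```

Running the checks at the entry point, before the record reaches the database, matches the earlier guidance to validate and correct information where it is entered.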

Database Integrity Controls
- Access control
- Data encryption
- Transaction control
- Update control
- Backup and recovery protection

Output Integrity Controls
- Ensures output arrives at proper destination and is correct, accurate, complete, and current
- Destination controls - output is channeled to correct people
- Completeness, accuracy, and correctness controls
- Appropriate information present on output

Integrity Controls to Prevent Fraud
- Three conditions are present in fraud cases
  - Personal pressure, such as desire to maintain extravagant lifestyle
  - Rationalization, such as person’s thoughts that “I will repay this money”
  - Opportunity, such as unverified cash receipts
- Control of fraud requires both manual procedures and computer integrity controls

[Figure: Fraud Risks and Prevention Techniques]

Designing Security Controls
- Security controls protect assets of organization from all threats
  - External threats such as hackers, viruses, worms, and message overload attacks
- Security control objectives
  - Maintain stable, functioning operating environment for users and application systems (24 x 7)
  - Protect information and transactions during transmission outside organization (public carriers)

Security for Access to Systems
- Used to control access to any resource managed by operating system or network
- User categories
  - Unauthorized user – no authorization to access
  - Registered user – authorized to access system
  - Privileged user – authorized to administrate system
- Organized so that all resources can be accessed with same unique ID/password combination

[Figure: Users and Access Roles to Computer Systems]

Managing User Access
- Most common technique is user ID / password
- Authorization – Is user permitted to access?
  - Access control list – users with rights to access
- Authentication – Is user who they claim to be?
  - Smart card – computer readable plastic card with embedded security information
  - Biometric devices – keystroke patterns, fingerprint, retinal scans, voice characteristics
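
Authentication and authorization as two separate checks, using the user ID / password technique, an access control list and the three user categories from the slides. This is an added Python example, not part of the original slides; the class and method names, the PBKDF2 work factor and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None):
    """Derive a salted digest so the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class AccessManager:
    def __init__(self):
        self.users = {}  # user_id -> (salt, digest, category)
        self.acl = {}    # resource -> set of user_ids with rights to access

    def register(self, user_id, password, privileged=False):
        salt, digest = hash_password(password)
        category = "privileged" if privileged else "registered"
        self.users[user_id] = (salt, digest, category)

    def category(self, user_id):
        entry = self.users.get(user_id)
        return entry[2] if entry else "unauthorized"

    def grant(self, admin_id, resource, user_id):
        # Only a privileged user may administer the access control list.
        if self.category(admin_id) != "privileged":
            raise PermissionError("only privileged users may change the ACL")
        if user_id not in self.users:
            raise KeyError("cannot grant access to an unregistered user")
        self.acl.setdefault(resource, set()).add(user_id)

    def authenticate(self, user_id, password):
        """Authentication: is the user who they claim to be?"""
        entry = self.users.get(user_id)
        if entry is None:
            hash_password(password, b"\0" * 16)  # similar cost for unknown IDs
            return False
        salt, digest, _ = entry
        # Constant-time comparison of the derived digest with the stored one.
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def authorize(self, user_id, resource):
        """Authorization: is the user permitted to access this resource?"""
        return user_id in self.acl.get(resource, set())

    def access(self, user_id, password, resource):
        # Both checks must pass; a valid password alone grants nothing.
        return (self.authenticate(user_id, password)
                and self.authorize(user_id, resource))


if __name__ == "__main__":
    mgr = AccessManager()  # constructed sample accounts
    mgr.register("admin", "constructed-admin-pw", privileged=True)
    mgr.register("pat", "constructed-user-pw")
    print(mgr.access("pat", "constructed-user-pw", "payroll"))  # not on the ACL
    mgr.grant("admin", "payroll", "pat")
    print(mgr.access("pat", "constructed-user-pw", "payroll"))
```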

Data Security
- Data and files themselves must be secure
- Encryption – primary security method
  - Altering data so unauthorized users cannot view
- Decryption
  - Altering encrypted data back to original state
- Symmetric key – same key encrypts and decrypts
- Asymmetric key – different key decrypts
- Public key – public encrypts, private decrypts

[Figure: Symmetric Key Encryption]

[Figure: Asymmetric Key Encryption]

Digital signatures and certificates
- Encryption of messages enables secure exchange of information between two entities with appropriate keys
- Digital signature encrypts document with private key to verify document author
- Digital certificate is institution’s name and public key that is encrypted and certified by third party
- Certifying authority
  - Verisign or Equifax

[Figure: Using a Digital Certificate]

Secure Transactions
- Standard set of methods and protocols for authentication, authorization, privacy, integrity
- Secure Sockets Layer (SSL) renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet
- IP Security (IPSec) – newer standard for secure Internet message transmission
- Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates)

Summary
- System interfaces all inputs/outputs except (GUI)
- Designing inputs to system is three-step process
  - Identify devices/mechanisms used to enter input
  - Identify system inputs, develop list of data content
  - Determine controls and security necessary for each system input
- Traditional approach to design inputs and outputs
  - DFDs, data flow definitions, structure charts

Summary (continued)
- OO approach to design inputs and outputs
  - Sequence diagrams, class diagrams, DFDs
- Integrity controls and security designed into system
  - Only appropriate and correct business transactions occur
  - Transactions are recorded and processed correctly
  - Protect and safeguard assets of the organization
  - Control access to resources