Information systems

Upload: dr-othman-alsalloum

Post on 31-Oct-2014
Page 1: Information systems

16.1

Page 2: Information systems

LEARNING OBJECTIVES

• DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL PROBLEMS

• COMPARE GENERAL AND APPLICATION CONTROLS

• SELECT FACTORS FOR DEVELOPING CONTROLS

Page 3: Information systems

CONTENTS

• SYSTEM VULNERABILITY & ABUSE

• CREATING A CONTROL ENVIRONMENT

Page 4: Information systems

SYSTEM VULNERABILITY & ABUSE

• WHY SYSTEMS ARE VULNERABLE

• HACKERS & VIRUSES

• CONCERNS FOR BUILDERS & USERS

• SYSTEM QUALITY PROBLEMS

Page 5: Information systems

THREATS TO INFORMATION SYSTEMS

HARDWARE FAILURE, FIRE

SOFTWARE FAILURE, ELECTRICAL PROBLEMS

PERSONNEL ACTIONS, USER ERRORS

ACCESS PENETRATION, PROGRAM CHANGES

THEFT OF DATA, SERVICES, EQUIPMENT

TELECOMMUNICATIONS PROBLEMS

Page 6: Information systems

WHY SYSTEMS ARE VULNERABLE

• SYSTEM COMPLEXITY (PERFECTION)

• COMPUTERIZED PROCEDURES APPEAR TO BE INVISIBLE AND ARE NOT EASILY UNDERSTOOD OR AUDITED

• EXTENSIVE EFFECT OF DISASTER (ALL RECORDS CAN BE DESTROYED AND LOST FOREVER)

• UNAUTHORIZED ACCESS POSSIBLE

Page 7: Information systems

VULNERABILITIES

• COMMUNICATION LINES: Intercept data through tapping or interfering with communication lines

• HARDWARE: Improper connections, failure of protection circuits

• SOFTWARE: Failure of protection features, access control

• FILES: Subject to theft, copying, unauthorized access

Page 8: Information systems

VULNERABILITIES

• USER: Identification, authentication, appropriate use of software

• PROGRAMMER: Disables protective features; reveals protective measures

• MAINTENANCE STAFF: Disables hardware devices and protective measures

• OPERATOR: Doesn't notify supervisor, reveals protective measures

Page 9: Information systems

HACKERS & COMPUTER VIRUSES

• HACKER: Person gains access to computer for profit, criminal mischief or personal pleasure

• COMPUTER VIRUS: Computer program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory

Page 10: Information systems

COMMON COMPUTER VIRUSES

• CONCEPT: Word documents, e-mail. Deletes files

• FORM: Makes clicking sound, corrupts data

• ONE_HALF: Corrupts hard drive, flashes its name on screen

• MONKEY: Windows won't run

• JUNKIE: Infects files, boot sector, memory conflicts

• RIPPER: Randomly corrupts hard drive files

Page 11: Information systems

ANTIVIRUS SOFTWARE

• SOFTWARE TO DETECT AND ELIMINATE VIRUSES

• ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES

Page 12: Information systems

CONCERNS FOR BUILDERS & USERS

DISASTER

BREACH OF SECURITY

ERRORS

Page 13: Information systems

DISASTER

• LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY

FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)

Page 14: Information systems

SECURITY

POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS

Page 15: Information systems

WHERE ERRORS OCCUR DURING PROCESSING

• DATA PREPARATION

• TRANSMISSION

• CONVERSION

• FORM COMPLETION

• ON-LINE DATA ENTRY

• KEYPUNCHING; SCANNING; OTHER INPUTS

Page 16: Information systems

WHERE ERRORS OCCUR DURING PROCESSING

• VALIDATION

• PROCESSING / FILE MAINTENANCE

• OUTPUT

• TRANSMISSION

• DISTRIBUTION

Page 17: Information systems

SYSTEM QUALITY PROBLEMS

• BUGS: Program code defects or errors

• MAINTENANCE: Modifying a system in production use; can take up to 50% of information systems staff time

• DATA QUALITY PROBLEMS: Finding, correcting errors; costly; tedious

Page 18: Information systems

COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE

[Figure: chart of error costs across the development cycle. Vertical axis: COSTS. Horizontal axis (stages): ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]

Page 19: Information systems

CREATING A CONTROL ENVIRONMENT

CONTROLS: METHODS, POLICIES, PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDS

• GENERAL

• APPLICATION

Page 20: Information systems

GENERAL CONTROLS

• IMPLEMENTATION: Audit system development to assure proper control and management

• SOFTWARE: Ensure security (access) and reliability of software

• PHYSICAL HARDWARE: Ensure physical security and performance of computer hardware

Page 21: Information systems

GENERAL CONTROLS

• COMPUTER OPERATIONS: Ensure procedures are consistently and correctly applied to data storage and processing

• DATA SECURITY: Ensure data disks and tapes are protected from unauthorized access, change or destruction

• ADMINISTRATIVE: Ensure controls are properly executed and enforced

SEGREGATION OF FUNCTIONS: Divide responsibility from tasks

Page 22: Information systems

APPLICATION CONTROLS

• INPUT

• PROCESSING

• OUTPUT

Page 23: Information systems

INPUT CONTROLS

• INPUT AUTHORIZATION: Record and monitor source documents

• BATCH CONTROL TOTALS: Count transactions prior to and after processing

• EDIT CHECKS: Verify input data, correct errors

Page 24: Information systems

EDIT CHECKS

• REASONABLENESS CHECKS

• FORMAT CHECKS

• EXISTENCE CHECKS

• DEPENDENCY CHECKS

Page 25: Information systems

PROCESSING CONTROLS

ESTABLISH THAT DATA IS COMPLETE AND ACCURATE DURING PROCESSING

• RUN CONTROL TOTALS: Generate control totals before & after processing

• COMPUTER MATCHING: Match input data to master files

Page 26: Information systems

OUTPUT CONTROLS

ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE AND PROPERLY DISTRIBUTED

• BALANCE OUTPUT TOTALS WITH INPUT AND PROCESSING TOTALS

• REVIEW PROCESSING LOGS

• ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
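The application controls on the input, edit-check, processing and output slides, worked through on one constructed batch of payment transactions. This is an added example, not code from the slides; the transaction fields, account-number format, amount ceiling and master file are assumptions made for the illustration.

```python
import re

# Constructed master file of valid accounts (target of the existence check); not from the slides.
MASTER_ACCOUNTS = {"A100": "Acme Ltd", "A200": "Beta Inc", "A300": "Gamma Co"}

def edit_checks(txn):
    """Input control: return the edit-check failures for one transaction."""
    errors = []
    # Format check: account ids must be 'A' followed by three digits (assumed format).
    if not re.fullmatch(r"A\d{3}", str(txn.get("account", ""))):
        errors.append("format: account")
    # Reasonableness check: a payment must be positive and under an assumed ceiling.
    if not 0 < txn.get("amount", -1) <= 10_000:
        errors.append("reasonableness: amount")
    # Existence check (computer matching): the account must be on the master file.
    if txn.get("account") not in MASTER_ACCOUNTS:
        errors.append("existence: account")
    # Dependency check: a refund must reference the original transaction.
    if txn.get("type") == "refund" and not txn.get("ref"):
        errors.append("dependency: refund without ref")
    return errors

def control_totals(txns):
    """Record count and hash total of amounts, taken before and after processing."""
    return {"count": len(txns), "amount": round(sum(t["amount"] for t in txns), 2)}

def process_batch(txns, expected):
    """Apply input, processing and output controls to one batch of transactions."""
    before = control_totals(txns)
    # Batch control total: totals keyed from the source documents must match the batch.
    if before != expected:
        return {"status": "rejected", "reason": "batch totals mismatch", "before": before}
    checked = [(t, edit_checks(t)) for t in txns]
    accepted = [t for t, errs in checked if not errs]
    rejected = [(t["id"], errs) for t, errs in checked if errs]
    after = control_totals(accepted)
    # Output control: accepted plus rejected items must balance with the input totals.
    rejected_amount = sum(t["amount"] for t, errs in checked if errs)
    balanced = (after["count"] + len(rejected) == before["count"]
                and round(after["amount"] + rejected_amount, 2) == before["amount"])
    return {"status": "processed", "accepted": accepted, "rejected": rejected,
            "before": before, "after": after, "balanced": balanced}

# Constructed batch: one valid payment, one unknown account, one refund without a ref.
BATCH = [
    {"id": 1, "type": "payment", "account": "A100", "amount": 250.00},
    {"id": 2, "type": "payment", "account": "A999", "amount": 99.50},
    {"id": 3, "type": "refund", "account": "A200", "amount": 40.00},
]
EXPECTED = {"count": 3, "amount": 389.50}  # batch control totals from the source documents
```

Running `process_batch(BATCH, EXPECTED)` accepts transaction 1, rejects 2 (existence) and 3 (dependency), and reports the before/after totals as balanced; passing wrong expected totals rejects the whole batch before any edit check runs.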

Page 27: Information systems

SECURITY AND THE INTERNET

• ENCRYPTION: Coding & scrambling messages to deny unauthorized access

• AUTHENTICATION: Ability to identify another party

  – MESSAGE INTEGRITY

  – DIGITAL SIGNATURE

  – DIGITAL CERTIFICATE

Page 28: Information systems

SECURITY AND THE INTERNET

• SECURE ELECTRONIC TRANSACTION: Standard for securing credit card transactions on the Internet

• ELECTRONIC CASH: Currency represented in electronic form, preserving user anonymity

Page 29: Information systems

DEVELOPING A CONTROL STRUCTURE

• COSTS: Can be expensive to build; complicated to use

• BENEFITS: Reduces expensive errors, loss of time, resources, good will

RISK ASSESSMENT: Determine frequency of occurrence of problem, cost, damage if it were to occur

Page 30: Information systems

MIS AUDIT

IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS

• TESTING: Early, regular controlled efforts to detect, reduce errors

  – WALKTHROUGH

  – DEBUGGING

• DATA QUALITY AUDIT: Survey samples of files for accuracy, completeness

Page 31: Information systems