Date posted: 22-Dec-2015
Essentials of Management Information Systems, 6e
Chapter 15: Information System Security and Control
© 2005 by Prentice Hall
Objectives
1. Why are information systems so vulnerable to destruction, error, abuse, and system quality problems?
2. What types of controls are available for information systems?
3. What special measures must be taken to ensure the reliability, availability, and security of electronic commerce and digital business processes?
4. What are the most important software quality assurance techniques?
5. Why are auditing information systems and safeguarding data quality so important?
Management Challenges
1. Achieving a sensible balance between too little control and too much.
2. Applying quality assurance standards in large systems projects.
System Vulnerability and Abuse
Why Systems Are Vulnerable
• Accessibility to electronic data
• Increasingly complex software, hardware
• Network access points
• Wireless vulnerability
• Internet
System Vulnerability and Abuse
Threats to Computerized Information Systems
• Hardware failure
• Software failure
• Personnel actions
• Terminal access penetration
• Theft of data, services, equipment
• Fire
• Electrical problems
• User errors
• Unauthorized program changes
• Telecommunication problems
System Vulnerability and Abuse
Figure 15-1: Telecommunications network vulnerabilities
System Vulnerability and Abuse
Window on Organizations: Credit Card Fraud: Still on the Rise
• To what extent are Internet credit card thefts management and organizational problems, and to what extent are they technical problems?
• Address the technology and management issues for both the credit card issuers and the retail companies.
• Suggest possible ways to address the problem.
System Vulnerability and Abuse
Why Systems Are Vulnerable
• Hacker
• Trojan horse
• Denial of service (DoS) attacks
• Computer viruses
• Worms
• Antivirus software
System Vulnerability and Abuse
Window on Technology: Smarter Worms and Viruses: The Worst Is Yet to Come
• Why are worms so harmful?
• Describe their business and organizational impact.
System Vulnerability and Abuse
Concerns for System Builders and Users
• Disaster
• Security
• Administrative error
• Cyberterrorism and cyberwarfare
System Vulnerability and Abuse
Figure 15-2: Points in the processing cycle where errors can occur
System Vulnerability and Abuse
System Quality Problems: Software and Data
• Bugs and defects: complete testing is not possible
• The maintenance nightmare: maintenance costs are high due to organizational change, software complexity, and faulty system analysis and design
System Vulnerability and Abuse
Figure 15-3: The cost of errors over the systems development cycle
System Vulnerability and Abuse
System Quality Problems: Software and Data
• Data quality problems: caused by errors during data input or by faulty information system and database design
Creating a Control Environment
Controls
• Methods, policies, and procedures
• Protection of organization’s assets
• Accuracy and reliability of records
• Operational adherence to management standards
Creating a Control Environment
General Controls and Application Controls
General Controls
• Govern the design, security, and use of computer programs throughout the organization
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures that creates the overall control environment
Creating a Control Environment
General Controls and Application Controls
General Controls
• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Implementation controls
• Administrative controls
Creating a Control Environment
Figure 15-4: Security profiles for a personnel system
Creating a Control Environment
General Controls and Application Controls
Application Controls
• Automated and manual procedures that ensure only authorized data are processed by the application
• Unique to each computerized application
• Classified as (1) input controls, (2) processing controls, and (3) output controls
Creating a Control Environment
General Controls and Application Controls
Application Controls (control technique: stage of processing where it applies)
• Control totals: input, processing
• Edit checks: input
• Computer matching: input, processing
• Run control totals: processing, output
• Report distribution logs: output
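The input and processing controls listed above, worked through on a constructed payroll batch as an added example that is not part of the textbook slides: per-record edit checks, batch control totals reconciled against the submitting department's header, and a run control total produced by the processing step. The field rules, departments and pay rates are assumptions made for the illustration.

```python
"""Input and processing controls for a constructed payroll batch."""

VALID_DEPTS = {"SALES", "OPS", "HR"}
MAX_WEEKLY_HOURS = 168.0
HOURLY_RATE = {"SALES": 20.0, "OPS": 18.0, "HR": 22.0}   # assumed rates

# Constructed batch header: totals the submitting department computed over
# the four records it sent (1001/40h, 1007/37.5h, 1010/19h, 1003/40h).
HEADER = {"record_count": 4, "hours_total": 136.5, "id_hash_total": 4021}

# Constructed records as received: one record (1003) was lost in transit and
# 19.0 hours for 1010 were keyed as 190.0.
RECORDS = [
    {"employee_id": 1001, "dept": "SALES", "hours": 40.0},
    {"employee_id": 1007, "dept": "OPS", "hours": 37.5},
    {"employee_id": 1010, "dept": "OPS", "hours": 190.0},
]


def edit_check(rec):
    """Input control: validate format and value ranges of one record."""
    errors = []
    emp = rec.get("employee_id")
    if not isinstance(emp, int) or not 1000 <= emp <= 9999:
        errors.append("employee_id must be a 4-digit integer")
    if rec.get("dept") not in VALID_DEPTS:
        errors.append(f"unknown dept {rec.get('dept')!r}")
    hours = rec.get("hours")
    if not isinstance(hours, (int, float)) or not 0 <= hours <= MAX_WEEKLY_HOURS:
        errors.append(f"hours {hours!r} outside 0..{MAX_WEEKLY_HOURS}")
    return errors


def control_totals(records):
    """Batch control totals recomputed from the records actually received.
    The hash total over employee IDs has no business meaning; it only
    detects dropped, duplicated or altered records."""
    return {
        "record_count": len(records),
        "hours_total": round(sum(r["hours"] for r in records), 2),
        "id_hash_total": sum(r["employee_id"] for r in records),
    }


def validate_batch(header, records):
    """Input control: edit checks per record plus header reconciliation."""
    edit_errors = {r["employee_id"]: edit_check(r)
                   for r in records if edit_check(r)}
    actual = control_totals(records)
    mismatches = {k: (header[k], actual[k])
                  for k in header if header[k] != actual[k]}
    return {"edit_errors": edit_errors, "total_mismatches": mismatches}


def process_payroll(records):
    """Processing control: pay only records that passed the edit checks and
    emit a run control total for the output stage to reconcile against."""
    accepted = [r for r in records if not edit_check(r)]
    gross = [r["hours"] * HOURLY_RATE[r["dept"]] for r in accepted]
    return {"processed_count": len(accepted),
            "rejected_count": len(records) - len(accepted),
            "gross_pay_total": round(sum(gross), 2)}
```

A batch whose totals do not reconcile is held for investigation rather than processed; the edit check alone would have passed the lost record's absence unnoticed.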
Creating a Control Environment
Protecting the Digital Firm
• High-availability computing
• Fault-tolerant computer systems
• Disaster recovery planning
• Business continuity planning
• Load balancing; mirroring; clustering
• Recovery-oriented computing
• Managed security service providers (MSSPs)
Creating a Control Environment
Protecting the Digital Firm
Internet Security Challenges
• Public, accessible network
• Abuses have widespread effect
• Fixed Internet addresses
• Corporate systems extended outside the organization
Creating a Control Environment
Figure 15-5: Internet security challenges
Creating a Control Environment
Protecting the Digital Firm
• Firewall screening technologies
– Static packet filtering
– Stateful inspection
– Network address translation
– Application proxy filtering
• Intrusion detection systems
• Scanning software
• Monitoring software
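The difference between the first two firewall screening technologies above, shown on a constructed packet stream as an added example that is not part of the textbook slides. The internal network, the "allow outbound web browsing" policy and the packet tuples are assumptions; the point is that a static filter must admit every inbound packet that merely looks like a web reply, while stateful inspection admits only replies to connections the inside actually opened.

```python
"""Static packet filtering versus stateful inspection (constructed traffic)."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # assumed protected network


def is_internal(addr):
    return ip_address(addr) in INTERNAL


# Constructed packets: (src_ip, src_port, dst_ip, dst_port, is_syn)
PACKETS = [
    ("10.0.0.5", 51000, "203.0.113.10", 80, True),     # client opens a web connection
    ("203.0.113.10", 80, "10.0.0.5", 51000, False),    # server's reply on that connection
    ("198.51.100.7", 80, "10.0.0.9", 445, False),      # unsolicited inbound, source port 80
]


def static_filter(pkt):
    """Static packet filter: judges each packet on its own header fields.
    Policy: outbound to TCP/80 is allowed, and because replies come back from
    source port 80, anything inbound from source port 80 has to be allowed too."""
    src, sport, dst, dport, _ = pkt
    if is_internal(src) and dport == 80:
        return "allow"
    if not is_internal(src) and sport == 80:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful inspection: remembers connections opened from the inside and
    admits inbound packets only when they belong to one of them."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        src, sport, dst, dport, is_syn = pkt
        if is_internal(src) and dport == 80:
            key = (src, sport, dst, dport)
            if is_syn:
                self.table.add(key)          # new outbound connection
            return "allow" if key in self.table else "deny"
        if not is_internal(src) and (dst, dport, src, sport) in self.table:
            return "allow"                   # reply to a known connection
        return "deny"


def run(packets):
    """Decision of (static filter, stateful filter) for each packet in order."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.decide(p)) for p in packets]
```

The third packet is the case that matters: both filters agree on the legitimate exchange, but only the stateful filter rejects the inbound packet that no internal host asked for.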
Creating a Control Environment
Protecting the Digital Firm
Security and Electronic Commerce
• Encryption
• Authentication
• Message integrity
• Digital signatures
• Digital certificates
• Public key infrastructure (PKI)
Creating a Control Environment
Figure 15-6: Public key encryption
Creating a Control Environment
Figure 15-7: Digital certificates
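Digital signatures, digital certificates and the PKI trust chain from the "Security and Electronic Commerce" list and Figures 15-6 and 15-7, worked through end to end as an added example that is not part of the textbook slides. It uses textbook RSA over small Mersenne primes so the public/private key arithmetic is visible; the key sizes, the unpadded signing of a truncated digest and the one-line certificate format are illustration-only assumptions, and production systems use standardized key sizes, padding and X.509 certificates instead.

```python
"""Sign, certify and verify a message with textbook RSA (constructed keys)."""
import hashlib

E = 65537   # common public exponent


def make_keypair(p, q):
    """Public key (n, e) and private key (n, d) with d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest(data: bytes) -> int:
    """SHA-256 digest truncated to 128 bits so it is smaller than every modulus here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest(data), d, n)       # only the private key holder can do this


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data)   # anyone with the public key can check


def cert_bytes(subject, subject_public_key):
    """Certificate body the CA signs: which public key belongs to which subject."""
    n, e = subject_public_key
    return f"subject={subject};n={n};e={e}".encode()


def issue_certificate(ca_private, subject, subject_public_key):
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(ca_private, cert_bytes(subject, subject_public_key))}


def verify_signed_message(ca_public, cert, message: bytes, signature: int) -> bool:
    """Relying party: trust only the CA key, check the certificate, then the message."""
    body = cert_bytes(cert["subject"], cert["public_key"])
    if not verify(ca_public, body, cert["ca_signature"]):
        return False                     # certificate altered or not issued by this CA
    return verify(cert["public_key"], message, signature)


# Constructed keys from known Mersenne primes: a certificate authority and a merchant.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MERCHANT_CERT = issue_certificate(CA_PRIV, "shop.example", MERCHANT_PUB)


def demo():
    """Returns (genuine message ok, tampered message ok, altered certificate ok)."""
    order = b"order 4417: 2 x widget, total 59.90"
    sig = sign(MERCHANT_PRIV, order)
    genuine = verify_signed_message(CA_PUB, MERCHANT_CERT, order, sig)
    tampered = verify_signed_message(CA_PUB, MERCHANT_CERT,
                                     order.replace(b"59.90", b"5.90"), sig)
    altered_cert = dict(MERCHANT_CERT, subject="other.example")   # edited after issuance
    altered = verify_signed_message(CA_PUB, altered_cert, order, sig)
    return genuine, tampered, altered
```

The relying party never needs the merchant's key in advance: the CA's signature on the certificate vouches for it, and both a changed message and a changed certificate fail verification.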
Creating a Control Environment
Protecting the Digital Firm
Security for Wireless Internet Access
• Service set identifiers (SSID)
– Identify access points in the network
– Form of password for the user’s radio network interface card
– Broadcast multiple times per second
– Easily picked up by sniffer programs, war driving
Creating a Control Environment
Figure 15-8: Wi-Fi security challenges
Creating a Control Environment
Protecting the Digital Firm
• Wired Equivalent Privacy (WEP)
– Initial security standard
– Calls for the access point and all users to share the same 40-bit encrypted password
• Wi-Fi Protected Access (WPA) specification
– 128-bit, non-static encryption key
– Data-packet checking
Creating a Control Environment
Developing a Control Structure: Costs and Benefits
Criteria for Determining Control Structure
• Importance of data
• Cost effectiveness of control technique
– Efficiency
– Complexity
– Expense
• Risk assessment: level of risk if not properly controlled
– Potential frequency of problem
– Potential damage
Creating a Control Environment
The Role of Auditing in the Control Process
MIS Audit
• Identifies all controls that govern individual information systems and assesses their effectiveness
• Lists and ranks all control weaknesses and estimates the probability of their occurrence
Creating a Control Environment
Figure 15-9: Sample auditor’s list of control weaknesses
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Development Methodology
• Collection of methods
• One or more methods for every activity in every phase of the development project
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Structured Methodologies
• Used to document, analyze, and design information systems
• Top-down
• Process-oriented
• Linear
• Includes:
– Structured analysis
– Structured design
– Structured programming
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Structured Analysis
• Defines system inputs, processes, outputs
• Logical graphic model of information flow
• Data flow diagram
• Data dictionary
• Process specifications
Ensuring System Quality: Software and Data
Figure 15-10: Data flow diagram for a mail-in university registration system
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Structured Design
• Set of design rules and techniques
• Promotes program clarity and simplicity
• Design from the top down: main functions and subfunctions
• Structure chart
Ensuring System Quality: Software and Data
Figure 15-11: High-level structure chart for a payroll system
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Structured Programming
• Organizes and codes programs to simplify control paths for easy use and modification
• Independent modules with one entry and one exit point
• Three basic control constructs:
– Simple sequence
– Selection
– Iteration
Ensuring System Quality: Software and Data
Figure 15-12: Basic program control constructs
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Limitations of Traditional Methods
• Can be inflexible and time-consuming
• Programming depends on completion of the analysis and design phases
• Specification changes require changes in the analysis and design documents first
• Function-oriented
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Unified Modeling Language (UML)
• Industry standard for analysis and design of object-oriented systems
• Represents different views using graphical diagrams
• Underlying model integrates the views for consistency during analysis, design, and implementation
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
UML Components
• Things:
– Structural things: classes, interfaces, collaborations, use cases, active classes, components, nodes
– Behavioral things: interactions, state machines
– Grouping things: packages
– Annotational things: notes
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
UML Components
• Relationships:
– Structural: dependencies, aggregations, associations, generalizations
– Behavioral: communicates, includes, extends, generalizes
• Diagrams:
– Structural: class, object, component, and deployment diagrams
– Behavioral: use case, sequence, collaboration, statechart, and activity diagrams
Ensuring System Quality: Software and Data
Figure 15-13: A UML use-case diagram
Ensuring System Quality: Software and Data
Figure 15-14: A UML sequence diagram
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
Computer-Aided Software Engineering (CASE)
• Automation of step-by-step methodologies
• Reduces repetitive development work
• Supports documentation creation and revisions
• Organizes design components; design repository
• Supports code generation
• Requires organizational discipline
Ensuring System Quality: Software and Data
Software Quality Assurance Methodologies and Tools
• Resource allocation: assigning costs, time, and personnel to the different development phases
• Software metrics: quantified measurements of system performance
• Testing: walkthroughs, debugging
Ensuring System Quality: Software and Data
Data Quality Audits and Data Cleansing
• Data quality audit
– Survey end users for perceptions of data quality
– Survey entire data files
– Survey samples from data files
• Data cleansing
– Correcting errors and inconsistencies in data between business units
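A data quality audit by sampling, and a cleansing pass that reconciles the same customers across two business units, as an added example that is not part of the textbook slides. The two customer extracts, the field rules (e-mail shape, 10-digit phone, two-letter country code) and the country alias table are all constructed for the illustration.

```python
"""Sample-based data quality audit and cross-unit data cleansing (constructed data)."""
import random
import re

# Constructed customer extracts from two business units, keyed by customer_id.
SALES_UNIT = [
    {"customer_id": "C001", "email": "Ann@Example.com ", "phone": "(555) 010-0001", "country": "CA"},
    {"customer_id": "C002", "email": "bob@example", "phone": "555-010-0002", "country": "Canada"},
    {"customer_id": "C003", "email": "cy@example.com", "phone": "5550100003", "country": "CA"},
]
BILLING_UNIT = [
    {"customer_id": "C001", "email": "ann@example.com", "phone": "555.010.0001", "country": "CA"},
    {"customer_id": "C002", "email": "bob@example.com", "phone": "555-010-0002", "country": "CA"},
    {"customer_id": "C004", "email": "dee@example.com", "phone": "555-010-0004", "country": "US"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
COUNTRY_ALIASES = {"canada": "CA", "ca": "CA", "usa": "US", "us": "US"}   # assumed


def normalize(rec):
    """Cleansing step: bring every field into one canonical form so that
    differences in formatting between units are not reported as conflicts."""
    country = rec["country"].strip().lower()
    return {
        "customer_id": rec["customer_id"].strip().upper(),
        "email": rec["email"].strip().lower(),
        "phone": re.sub(r"\D", "", rec["phone"]),       # digits only
        "country": COUNTRY_ALIASES.get(country, country.upper()),
    }


def field_errors(rec):
    """Audit rules applied to one normalized record; returns the failing fields."""
    errors = []
    if not EMAIL_RE.match(rec["email"]):
        errors.append("email")
    if len(rec["phone"]) != 10:
        errors.append("phone")
    if rec["country"] not in {"CA", "US"}:
        errors.append("country")
    return errors


def audit_sample(records, sample_size, seed=1):
    """Survey a random sample of a data file and report its error rate."""
    sample = random.Random(seed).sample(records, sample_size)
    bad = [r["customer_id"] for r in sample if field_errors(normalize(r))]
    return {"sampled": sample_size, "bad_records": bad,
            "error_rate": round(len(bad) / sample_size, 2)}


def reconcile(unit_a, unit_b):
    """Customers held by both units whose fields still disagree after cleansing."""
    a = {r["customer_id"]: normalize(r) for r in unit_a}
    b = {r["customer_id"]: normalize(r) for r in unit_b}
    conflicts = {}
    for cid in a.keys() & b.keys():
        diff = {f: (a[cid][f], b[cid][f]) for f in a[cid] if a[cid][f] != b[cid][f]}
        if diff:
            conflicts[cid] = diff
    return conflicts
```

After normalization C001 agrees between the units despite three different phone formats, and the only genuine inconsistency left to resolve is C002's e-mail address.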
Chapter 15 Case Study
Could a Missing Hard Drive Create Canada’s Biggest Identity Theft?
1. Summarize the ISM security problem and its impact on ISM and its clients.
2. Describe the control weaknesses of ISM and those of its clients that made it possible for this problem to occur. What management, organization, and technology factors contributed to those weaknesses?
3. Was the disappearance of the hard drive a management problem, an organization problem, or a technical problem? Explain your answer.
4. If you were responsible for designing security at ISM and its client companies, what would you have done differently? How would you have solved their control problems?