14. CONTROLLING INFORMATION SYSTEMS
14.1 THREATS TO INFORMATION SYSTEMS
• HARDWARE FAILURE, FIRE
• SOFTWARE FAILURE, ELECTRICAL PROBLEMS
• PERSONNEL ACTIONS, USER ERRORS
• ACCESS PENETRATION, PROGRAM CHANGES
• THEFT OF DATA, SERVICES, EQUIPMENT
• TELECOMMUNICATIONS PROBLEMS
14.2 WHY SYSTEMS ARE VULNERABLE
• SYSTEM COMPLEXITY
• COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED
• EXTENSIVE EFFECT OF DISASTER
• UNAUTHORIZED ACCESS POSSIBLE
14.3 VULNERABILITIES
• RADIATION: Allows Recorders, Bugs to Tap System
• CROSSTALK: Can Garble Data
• HARDWARE: Improper Connections, Failure of Protection Circuits
• SOFTWARE: Failure of Protection Features, Access Control, Bounds Control
• FILES: Subject to Theft, Copying, Unauthorized Access
14.4 VULNERABILITIES
• USER: Identification, Authentication, Subtle Software Modification
• PROGRAMMER: Disables Protective Features; Reveals Protective Measures
• MAINTENANCE STAFF: Disables Hardware Devices; Uses Stand-alone Utilities
• OPERATOR: Doesn't Notify Supervisor, Reveals Protective Measures
14.5 HACKERS & COMPUTER VIRUSES
• HACKER: Person Gains Access to Computer for Profit, Criminal Mischief, Personal Pleasure
• COMPUTER VIRUS: Rogue Program; Difficult to Detect; Spreads Rapidly; Destroys Data; Disrupts Processing & Memory
14.6 ANTIVIRUS SOFTWARE
• SOFTWARE TO DETECT
• ELIMINATE VIRUSES
• ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES
14.7 EFFECTS OF VIRUSES
[Bar chart: per cent of sites affected, by effect]
LOSS OF PRODUCTIVITY: 62
INTERFERENCE, LOCKUP: 41
CORRUPTED FILES: 38
LOST DATA: 30
UNRELIABLE APPLICATIONS: 24
SYSTEM CRASH: 23
LOSS OF CONFIDENCE: 20
LOST E-MAIL: 9
CORRUPTED E-MAIL: 4
THREAT OF JOB LOSS: 3
PER CENT AFFECTED; BASED ON 600,000 MULTIPLE EFFECTS REPORTS
Source: Computerworld (1993)
14.8 CONCERNS FOR BUILDERS & USERS
• DISASTER
• BREACH OF SECURITY
• ERRORS
14.9 DISASTER
• LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY
FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)
14.10 SECURITY
POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS
14.11 WHERE ERRORS OCCUR
• DATA PREPARATION
• TRANSMISSION
• CONVERSION
• FORM COMPLETION
• ON-LINE DATA ENTRY
• KEYPUNCHING; SCANNING; OTHER INPUTS
14.12 WHERE ERRORS OCCUR
• VALIDATION
• PROCESSING / FILE MAINTENANCE
• OUTPUT
• TRANSMISSION
• DISTRIBUTION
14.13 SYSTEM QUALITY PROBLEMS
• SOFTWARE & DATA
• BUGS: Program Code Defects or Errors
• MAINTENANCE: Modifying a System in Production Use; Can take up to 85% of Analysts' Time
• DATA QUALITY PROBLEMS: Finding, Correcting Errors; Costly; Tedious
14.14 COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE
[Chart: COSTS (vertical axis, 1.00 to 6.00) of correcting errors at each stage: ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION]
14.15 CREATING A CONTROL ENVIRONMENT
CONTROLS: Methods, Policies, Procedures to Protect Assets; Accuracy & Reliability of Records; Adherence to Management Standards
• GENERAL
• APPLICATION
14.16 GENERAL CONTROLS
• IMPLEMENTATION: Audit System Development to Assure Proper Control, Management
• SOFTWARE: Ensure Security, Reliability of Software
• PROGRAM SECURITY: Prevent Unauthorized Changes to Programs
• HARDWARE: Ensure Physical Security, Performance of Computer Hardware
14.17 GENERAL CONTROLS
• COMPUTER OPERATIONS: Ensure Procedures Consistently, Correctly Applied to Data Storage, Processing
• DATA SECURITY: Ensure Data Disks, Tapes Protected from Wrongful Access, Change, Destruction
• ADMINISTRATIVE: Ensure Controls Properly Executed, Enforced
• SEGREGATION OF FUNCTIONS: Divide Tasks to Minimize Risks
14.18 APPLICATION CONTROLS
• INPUT
• PROCESSING
• OUTPUT
14.19 INPUT CONTROLS
• INPUT AUTHORIZATION: Record, Monitor Source Documents
• DATA CONVERSION: Transcribe Data Properly from one Form to Another
• BATCH CONTROL TOTALS: Count Transactions Prior to and After Processing
• EDIT CHECKS: Verify Input Data, Correct Errors
14.20 PROCESSING CONTROLS
ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING
• RUN CONTROL TOTALS: Generate Control Totals Before & After Processing
• COMPUTER MATCHING: Match Input Data to Master Files
14.21 OUTPUT CONTROLS
ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED
• BALANCE INPUT, PROCESSING, OUTPUT TOTALS
• REVIEW PROCESSING LOGS
• ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
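The input, processing and output controls of slides 14.19 to 14.21 run over one constructed batch of payment transactions, as an added example that is not from the slides: batch control totals carried in a batch header, edit checks, computer matching against a master file, run control totals, and a final balance of input, processing and output totals. All names, account numbers and amounts are constructed for the example.

```python
import re
from decimal import Decimal
# Constructed sample data: a master file of accounts, one input batch of payments and
# the batch header carrying the control totals recorded with the source documents.
MASTER_FILE = {"A1001": "Alice", "A1002": "Bob", "A1003": "Carol"}
BATCH = [
    {"id": 1, "account": "A1001", "amount": "120.50"},
    {"id": 2, "account": "A1002", "amount": "75.00"},
    {"id": 3, "account": "A9999", "amount": "40.00"},  # no such account on master file
    {"id": 4, "account": "A1003", "amount": "-5.00"},  # fails the edit check
    {"id": 5, "account": "A1003", "amount": "10.25"},
]
BATCH_HEADER = {"count": 5, "amount": "240.75"}
AMOUNT_RE = re.compile(r"-?\d+\.\d{2}")  # amounts arrive as text with two decimals

def batch_control_totals(records):
    """Input control: count transactions and sum their amounts before processing."""
    amount = sum(Decimal(r["amount"]) for r in records if AMOUNT_RE.fullmatch(r["amount"]))
    return len(records), amount

def edit_check(rec):
    """Input control: None when the record passes, otherwise the reason it fails."""
    if not re.fullmatch(r"A\d{4}", rec["account"]):
        return "bad account format"
    if not AMOUNT_RE.fullmatch(rec["amount"]) or Decimal(rec["amount"]) <= 0:
        return "amount not a positive number"
    return None

def process_batch(records, master):
    """Processing control: edit-check each record, match it to the master file
    (computer matching) and keep run control totals of posted and rejected items."""
    posted, rejected = [], []
    for rec in records:
        reason = edit_check(rec)
        if reason is None and rec["account"] not in master:
            reason = "no matching master record"
        (rejected if reason else posted).append((rec, reason))
    totals = {"posted_count": len(posted), "rejected_count": len(rejected),
              "posted_amount": sum(Decimal(r["amount"]) for r, _ in posted),
              "rejected_amount": sum(Decimal(r["amount"]) for r, _ in rejected
                                     if AMOUNT_RE.fullmatch(r["amount"]))}
    return totals, [(r["id"], why) for r, why in rejected]

def balance_totals(header, records, master):
    """Output control: header totals must equal the totals counted at input and the
    posted + rejected run totals; a gap means a record was lost, duplicated or altered."""
    declared = (header["count"], Decimal(header["amount"]))
    run, rejected = process_batch(records, master)
    after = (run["posted_count"] + run["rejected_count"], run["posted_amount"] + run["rejected_amount"])
    return batch_control_totals(records) == declared == after, run, rejected
```

Rejected items are reported with their reason rather than silently dropped, so the rejected count and amount still reconcile against the header; a batch that lost a record in transmission fails the balance even though every surviving record is valid.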
14.22 DEVELOPING A CONTROL STRUCTURE
• COSTS: Can be Expensive to Build; Complicated to Use
• BENEFITS: Reduces Expensive Errors, Loss of Time, Resources, Good Will
RISK ASSESSMENT: Determine Frequency of Occurrence of Problem, Cost, Damage if it Were to Occur
14.23 MIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS
• TRACE FLOW OF SAMPLE TRANSACTIONS; NOTE HOW CONTROLS WORK
• LIST, RANK WEAKNESSES
• ESTIMATE PROBABILITIES, IMPACT
• REPORT TO MANAGEMENT
14.24 SOFTWARE QUALITY ASSURANCE
• USE PROVEN DEVELOPMENT METHODOLOGIES
• RESOURCES ALLOCATION: How are Costs, Time, People Assigned During Development?
• SOFTWARE METRICS: Quantifiable System Measurements for Objective Software Assessment
• TESTING: Walkthrough of Design Documentation, Debugging to Discover, Eliminate Defects, Data Quality Audit to Sample, Measure Accuracy, Completeness of Data
14.25 MANAGEMENT CHALLENGES
• LARGE MULTI-USER NETWORKS DIFFICULT TO SECURE
• BALANCE DEGREE OF CONTROL, MAIN THREAT IS EXTERNAL
• APPLY QUALITY ASSURANCE STANDARDS