1

Information SystemsCS-507

Lecture 34

2

Types of Controls• Access Controls – Controlling who can access

the system.• Input Controls – Controls over how the data is

input to the system.• Communication Controls – Controls over the

transfer of data over networks.• Processing Controls – Controlling the

processing of data• Database Controls – Securing the most

important asset of the organization• Output controls – Controlling the privacy of the

data.

3

Objectives of the Access Controls

• The user should be given access to the nature and kind of resources he is entitled to access.

4

Why Access Controls?• Widespread deployment of distributed systems

has resulted in many users being disbursed physically. e.g. through

– Web based systems– Local Area Networks– Wide Area Networks

• The rapid growth of E-Commerce systems has resulted in substantial work being undertaken to identify and authenticate the parties.

5

Cryptography

• “The conversion of data into a secret code for transmission over a public network.”

6

EncryptionThe process of converting data into codes (cryptograms)

EncryptionOriginal DataCipher-text /

Encrypted data

7

Decryption

The process of decoding the code to arrive at data actually encrypted

DecryptionCipher-text / Encrypted data

Original Data

8

• Clear text – it is the data to be encrypted.

• Cipher text – it is the code created out of data after encryption

• The original text, or "plaintext," is converted into a coded equivalent called "cipher text" via an encryption process.

EncryptionClear TextCipher-text /

Encrypted data

9

Identification & Authentication

• What a user remembers – name, birth date, password

• What a user possesses – badge, plastic card

• What a user is – personal characteristics

10

Biometrics

• “Biometrics can be defined as study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.”

11

Scope of Biometrics

• Finger print

• Hand print

• Voice Print

• Facial profiling – measuring distance between various points on face

• Iris/retinal recognition – eye patterns

12

Other Types of Controls• In addition to the aforesaid access controls,

there may be – Input controls – controls over correct data entry– Communications controls – controls over

transporting data safely through local area networks (LAN’s) or wide area networks (WAN’s).

– Processing controls – Controls over the integrity of processing instructions being executed by the operating system and application softwares.

13

– Database controls – implemented to maintain the integrity of the database.

– Output controls – controls over providing right content to the users.

• The construction of effective security system should take into account the design and implementation of all the above controls.

14

• Operating system – an operating system connecting to a website is at the same time activating concealed link to transfer specified or all information.

• Application software – a software designed to compute interest at month end may contain unauthorized instruction to transfer pennies or cents or paisas to a particular account.

15

• Calculations are accurate and any rounding up or down is adequately explained and carried out

• Data is processed correctly as expected

• Control totals reconcile and processing errors are logged, researched and corrected timely

• Sufficient audit trail to trace from source to output and vice versa