14 Systems Analysis and Design in a Changing World, Fourth Edition

Changing World, Fourth Edition - Simon Fraser … · Systems Analysis and Design in a Changing World, 4th Edition 2 ... Identify automation boundary ... Digital signature encrypts


Learning Objectives

• Discuss examples of system interfaces found in information systems
• Define system inputs and outputs based on the requirements of the application program
• Design printed and on-screen reports appropriate for recipients


Learning Objectives (continued)

• Explain the importance of integrity controls
• Identify required integrity controls for inputs, outputs, data, and processing
• Discuss issues related to security that affect the design and operation of information systems


Overview

• This chapter focuses on system interfaces, system outputs, and system controls that do not require much human interaction
• Many system interfaces are electronic transmissions or paper outputs to external agents
• System developers need to design and implement integrity and security controls to protect system and its data
• Outside threats from Internet and e-commerce are growing concern


Identifying System Interfaces

• System interfaces are broadly defined as inputs or outputs with minimal or no human intervention
  • Inputs from other systems (messages, EDI)
  • Highly automated input devices such as scanners
  • Inputs that are from data in external databases
  • Outputs to external databases
  • Outputs with minimal HCI
  • Outputs to other systems
  • Real-time connections (both input and output)


Full Range of Inputs and Outputs


eXtensible Markup Language (XML)

• Extension of HTML that embeds self-defined data structures in textual messages
• Transaction that contains data fields can be sent with XML codes to define meaning of data fields
• XML provides common system-to-system interface
• XML is simple and readable by people
• Web services are based on XML to send business transactions over Internet


System-to-System Interface Based on XML


Design of System Inputs

• Identify devices and mechanisms used to enter input
  • High-level review of most up-to-date methods to enter data
• Identify all system inputs and develop list of data content for each
  • Provide link between design of application software and design of user and system interfaces
• Determine controls and security necessary for each system input


Input Devices and Mechanisms

• Capture data as close to original source as possible
• Use electronic devices and automatic entry whenever possible
• Avoid human involvement as much as possible
• Seek information in electronic form to avoid data re-entry
• Validate and correct information at entry point


Prevalent Input Devices to Avoid Human Data Entry

• Magnetic card strip readers
• Bar code readers
• Optical character recognition readers and scanners
• Radio-frequency identification tags
• Touch screens and devices
• Electronic pens and writing surfaces
• Digitizers, such as digital cameras and digital audio devices


Defining the Details of System Inputs

• Ensure all data inputs are identified and specified correctly
• Can use traditional structured models
  • Identify automation boundary
    • Use DFD fragments
    • Segment by program boundaries
  • Examine structure charts
    • Analyze each module and data couple
    • List individual data fields


Automation Boundary on a System-Level DFD


Create New Order DFD with an Automation Boundary


List of Inputs for Customer Support System


Structure Chart for Create New Order (Figure 14-6)


Data Flows, Data Couples, and Data Elements Making Up Inputs (Figure 14-7)


Using Object-Oriented Models

• Identifying user and system inputs with OO approach has same tasks as traditional approach
• OO diagrams are used instead of DFDs and structure charts
• System sequence diagrams identify each incoming message
• Design class diagrams and sequence diagrams identify and describe input parameters and verify characteristics of inputs


Partial System Sequence Diagram for Payroll System Use Cases (Figure 14-8)


System Sequence Diagram for Create New Order


Input Messages and Data Parameters from RMO System Sequence Diagram (Figure 14-10)


Designing System Outputs

• Determine each type of output
• Make list of specific system outputs required based on application design
• Specify any necessary controls to protect information provided in output
• Design and prototype output layout
• Ad hoc reports – designed as needed by user


Defining the Details of System Outputs

• Type of reports
  • Printed reports
  • Electronic displays
  • Turnaround documents
• Can use traditional structured models to identify outputs
  • Data flows crossing automation boundary
  • Data couples and report data requirements on structure chart


Table of System Outputs Based on Traditional Structured Approach (Figure 14-11)


Using Object-Oriented Models

• Outputs indicated by messages in sequence diagrams
  • Originate from internal system objects
  • Sent to external actors or another external system
• Output messages based on an individual object are usually part of methods of that class object
• To report on all objects within a class, class-level method is used that works on entire class


Table of System Outputs Based on OO Messages (Figure 14-12)


Designing Reports, Statements, and Turnaround Documents

• Printed versus electronic
• Types of output reports
  • Detailed
  • Summary
  • Exception
  • Executive
• Internal versus external
• Graphical and multimedia presentation


RMO Summary Report with Drill Down to the Detailed Report


Sample Bar Chart and Pie Chart Reports


Formatting Reports

• What is objective of report?
• Who is the intended audience?
• What is media for presentation?
• Avoid information overload
• Format considerations include meaningful headings, date of information, date report produced, page numbers


Designing Integrity Controls

• Mechanisms and procedures built into a system to safeguard it and information contained within
• Integrity controls
  • Built into application and database system to safeguard information
• Security controls
  • Built into operating system and network


Objectives of Integrity Controls

• Ensure that only appropriate and correct business transactions occur
• Ensure that transactions are recorded and processed correctly
• Protect and safeguard assets of the organization
  • Software
  • Hardware
  • Information


Points of Security and Integrity Controls


Input Integrity Controls

• Used with all input mechanisms
• Additional level of verification to help reduce input errors
• Common control techniques
  • Field combination controls
  • Value limit controls
  • Completeness controls
  • Data validation controls
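
The four control techniques above applied to one order-entry record, as an added example that is not from the textbook or its slides. The field names, product codes, quantity range and date rule are constructed assumptions for a hypothetical order input.

```python
from datetime import date

# Constructed rules for a hypothetical order-entry input (assumptions).
REQUIRED = ("customer_id", "product_code", "quantity", "order_date", "ship_date")
VALID_PRODUCT_CODES = {"JKT-100", "BOOT-220", "TENT-310"}
QUANTITY_LIMITS = (1, 500)


def validate_order(rec):
    """Return a list of (control, message) violations; an empty list means accept."""
    errors = []

    # Completeness control: every necessary field is present and non-empty.
    for field in REQUIRED:
        if rec.get(field) in (None, ""):
            errors.append(("completeness", f"missing field: {field}"))

    # Data validation control: a coded field must match a known code.
    code = rec.get("product_code")
    if code not in (None, "") and code not in VALID_PRODUCT_CODES:
        errors.append(("data validation", f"unknown product code: {code!r}"))

    # Value limit control: a numeric field must fall in a reasonable range.
    # A quantity that is not an integer at all is reported as a data
    # validation failure instead.
    qty = rec.get("quantity")
    if qty not in (None, ""):
        low, high = QUANTITY_LIMITS
        if isinstance(qty, bool) or not isinstance(qty, int):
            errors.append(("data validation", "quantity is not an integer"))
        elif not low <= qty <= high:
            errors.append(("value limit", f"quantity {qty} outside {low}-{high}"))

    # Field combination control: related fields must agree with each other.
    ordered, shipped = rec.get("order_date"), rec.get("ship_date")
    if isinstance(ordered, date) and isinstance(shipped, date) and shipped < ordered:
        errors.append(("field combination", "ship_date precedes order_date"))

    return errors


# Constructed sample inputs.
GOOD = {"customer_id": "C-1001", "product_code": "JKT-100", "quantity": 2,
        "order_date": date(2024, 3, 1), "ship_date": date(2024, 3, 4)}
BAD = {"customer_id": "", "product_code": "XXX-999", "quantity": 5000,
       "order_date": date(2024, 3, 5), "ship_date": date(2024, 3, 1)}

if __name__ == "__main__":
    for control, message in validate_order(BAD):
        print(f"{control}: {message}")
```

Running every control and returning all violations, instead of stopping at the first, lets the entry point report everything that must be corrected in one pass.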


Database Integrity Controls

• Access controls
• Data encryption
• Transaction controls
• Update controls
• Backup and recovery protection


Output Integrity Controls

• Ensure output arrives at proper destination and is correct, accurate, complete, and current
• Destination controls - output is channeled to correct people
• Completeness, accuracy, and correctness controls
• Appropriate information present in output


Integrity Controls to Prevent Fraud

• Three conditions are present in fraud cases
  • Personal pressure, such as desire to maintain extravagant lifestyle
  • Rationalizations, including “I will repay this money” or “I have this coming”
  • Opportunity, such as unverified cash receipts
• Control of fraud requires both manual procedures and computer integrity controls


Fraud Risks and Prevention Techniques


Designing Security Controls

• Security controls protect assets of organization from all threats
• External threats such as hackers, viruses, worms, and message overload attacks
• Security control objectives
  • Maintain stable, functioning operating environment for users and application systems (24 x 7)
  • Protect information and transactions during transmission outside organization (public carriers)


Security for Access to Systems

• Used to control access to any resource managed by operating system or network
• User categories
  • Unauthorized user – no authorization to access
  • Registered user – authorized to access system
  • Privileged user – authorized to administrate system
• Organized so that all resources can be accessed with same unique ID/password combination


Users and Access Roles to Computer Systems


Managing User Access

• Most common technique is user ID / password
• Authorization – Is user permitted to access?
  • Access control list – users with rights to access
• Authentication – Is user who they claim to be?
  • Smart card – computer-readable plastic card with embedded security information
  • Biometric devices – keystroke patterns, fingerprinting, retinal scans, voice characteristics
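
Authentication and authorization as two separate checks, as an added example that is not from the textbook or its slides. The user IDs, passwords, resource names, PBKDF2 work factor and the mapping of user categories onto an access control list are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt):
    # Store a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password, category):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "category": category}


# Constructed user store and access control list.
USERS = {
    "alice": make_user("correct horse battery", "registered"),
    "root_admin": make_user("staple-9-lantern", "privileged"),
}
ACL = {
    "order_entry": {"registered", "privileged"},
    "user_admin": {"privileged"},
}


def authenticate(user_id, password):
    """Authentication: is the user who they claim to be?"""
    user = USERS.get(user_id)
    if user is None:
        # Hash anyway so unknown IDs take about as long as known ones.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user["salt"])
    # Constant-time comparison of the stored and computed hashes.
    return user if hmac.compare_digest(candidate, user["hash"]) else None


def authorize(user, resource):
    """Authorization: is this authenticated user permitted to access?"""
    # A resource with no ACL entry is denied by default.
    return user is not None and user["category"] in ACL.get(resource, set())


def access(user_id, password, resource):
    return authorize(authenticate(user_id, password), resource)


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "order_entry"))  # registered user
    print(access("alice", "correct horse battery", "user_admin"))   # not privileged
```

An unauthorized user in the slide's sense is anyone for whom `authenticate` returns `None`; a registered user passes authentication but still fails `authorize` on resources reserved for privileged users.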


Data Security

• Data and files themselves must be secure
• Encryption – primary security method
  • Altering data so unauthorized users cannot view
• Decryption
  • Altering encrypted data back to its original state
• Symmetric key – same key encrypts and decrypts
• Asymmetric key – different key decrypts
• Public key – public encrypts; private decrypts


Symmetric Key Encryption


Asymmetric Key Encryption


Digital Signatures and Certificates

• Encryption of messages enables secure exchange of information between two entities with appropriate keys
• Digital signature encrypts document with private key to verify document author
• Digital certificate is institution’s name and public key that is encrypted and certified by third party
• Certifying authority
  • VeriSign or Equifax
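
The signature and certificate checks described on this slide, as an added example that is not from the textbook or its slides. It uses textbook RSA over toy Mersenne-prime keys so that it runs on the standard library alone (an assumption: unpadded and far too small for real use), with a constructed certifying authority, institution name and document.

```python
import hashlib

E = 65537  # public exponent


def make_keypair(p, q):
    # Toy key generation from two known primes (assumption for the example).
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    # Transform the document digest with the private key.
    return pow(digest(data, private["n"]), private["d"], private["n"])


def verify(data, signature, public):
    # Anyone holding the public key can recover the digest and compare.
    return pow(signature, public["e"], public["n"]) == digest(data, public["n"])


def cert_body(name, public):
    return f"{name}|{public['n']}|{public['e']}".encode()


def issue_certificate(name, public, ca_private):
    # The certifying authority signs the institution's name and public key.
    return {"name": name, "public": public,
            "ca_sig": sign(cert_body(name, public), ca_private)}


def verify_signed_document(data, signature, cert, ca_public, expected_name):
    # 1. The authority's signature must cover this exact name and key.
    if not verify(cert_body(cert["name"], cert["public"]), cert["ca_sig"], ca_public):
        return False
    # 2. The certificate must belong to the party we expect.
    if cert["name"] != expected_name:
        return False
    # 3. The document signature must verify under the certified key.
    return verify(data, signature, cert["public"])


# Constructed keys, certificate and document.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
ORG_PUB, ORG_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
CERT = issue_certificate("Example Outfitters", ORG_PUB, CA_PRIV)
DOC = b"PO 1001: 20 tents"
SIG = sign(DOC, ORG_PRIV)

if __name__ == "__main__":
    print(verify_signed_document(DOC, SIG, CERT, CA_PUB, "Example Outfitters"))
    print(verify_signed_document(DOC + b"0", SIG, CERT, CA_PUB, "Example Outfitters"))
```

Production systems use a vetted library with a padded scheme such as RSA-PSS and keys of at least 2048 bits; the three-step order of checks is what carries over.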


Using a Digital Certificate


Secure Transactions

• Standard set of methods and protocols for authentication, authorization, privacy, integrity
• Secure Sockets Layer (SSL) renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet
• IP Security (IPSec) – newer standard for transmitting Internet messages securely
• Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates)


Summary

• System interfaces include all inputs and outputs except those that are part of GUI
• Designing inputs to system is three-step process
  • Identify devices/mechanisms used to enter input
  • Identify system inputs; develop list of data content
  • Determine controls and security necessary for each system input
• Traditional approach to design inputs and outputs
  • DFDs, data flow definitions, structure charts


Summary (continued)

• OO approach to design inputs and outputs
  • Sequence diagrams, class diagrams
• Integrity controls and security designed into system
  • Ensure only appropriate and correct business transactions occur
  • Ensure transactions are recorded and processed correctly
  • Protect and safeguard assets of the organization
  • Control access to resources