Upload
dr-othman-alsalloum
View
702
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
16.1
16.2
LEARNING OBJECTIVESLEARNING OBJECTIVES
• DEMONSTRATE WHY INFO SYSTEMS DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL ERROR, ABUSE, QUALITY CONTROL PROBLEMSPROBLEMS
• COMPARE GENERAL AND APPLICATION COMPARE GENERAL AND APPLICATION CONTROLSCONTROLS
• SELECT FACTORS FOR DEVELOPING SELECT FACTORS FOR DEVELOPING CONTROLSCONTROLS
**
16.3
CONTENTSCONTENTS
• SYSTEM VULNERABILITY & ABUSESYSTEM VULNERABILITY & ABUSE
• CREATING A CONTROL CREATING A CONTROL ENVIRONMENTENVIRONMENT
**
16.4
SYSTEM VULNERABILITY & SYSTEM VULNERABILITY & ABUSEABUSE
• WHY SYSTEMS ARE VULNERABLEWHY SYSTEMS ARE VULNERABLE
• HACKERS & VIRUSESHACKERS & VIRUSES
• CONCERNS FOR BUILDERS & CONCERNS FOR BUILDERS & USERSUSERS
• SYSTEM QUALITY PROBLEMSSYSTEM QUALITY PROBLEMS
**
16.5
THREATS TO INFORMATION THREATS TO INFORMATION SYSTEMS SYSTEMS
HARDWARE FAILURE, FIREHARDWARE FAILURE, FIRE
SOFTWARE FAILURE, ELECTRICAL SOFTWARE FAILURE, ELECTRICAL PROBLEMSPROBLEMS
PERSONNEL ACTIONS, USER ERRORSPERSONNEL ACTIONS, USER ERRORS
ACCESS PENETRATION, PROGRAM ACCESS PENETRATION, PROGRAM CHANGESCHANGES
THEFT OF DATA, SERVICES, EQUIPMENT THEFT OF DATA, SERVICES, EQUIPMENT TELECOMMUNICATIONS PROBLEMSTELECOMMUNICATIONS PROBLEMS
**
16.6
WHY SYSTEMS ARE WHY SYSTEMS ARE VULNERABLEVULNERABLE
• SYSTEM COMPLEXITY (PERFECTION)SYSTEM COMPLEXITY (PERFECTION)
• COMPUTERIZED PROCEDURES APPEAR TO COMPUTERIZED PROCEDURES APPEAR TO BE INVISIBLE AND ARE NOT EASILY BE INVISIBLE AND ARE NOT EASILY UNDERSTOOD OR AUDITEDUNDERSTOOD OR AUDITED
• EXTENSIVE EFFECT OF DISASTER (ALL EXTENSIVE EFFECT OF DISASTER (ALL RECORDS CAN BE DESTROYED AND LOST RECORDS CAN BE DESTROYED AND LOST FOREVER)FOREVER)
• UNAUTHORIZED ACCESS POSSIBLEUNAUTHORIZED ACCESS POSSIBLE
**
16.7
• COMMUNICATION LINES:COMMUNICATION LINES: Intercept data through Intercept data through tapping or interfering communication linestapping or interfering communication lines
• HARDWARE:HARDWARE: Improper connections, failure of Improper connections, failure of protection circuitsprotection circuits
• SOFTWARE:SOFTWARE: Failure of protection features, Failure of protection features, access controlaccess control
• FILES:FILES: Subject to theft, copying, unauthorized Subject to theft, copying, unauthorized accessaccess
**
VULNERABILITIESVULNERABILITIES
16.8
VULNERABILITIESVULNERABILITIES
• USER:USER: Identification, authentication, Identification, authentication, appropriate use of softwareappropriate use of software
• PROGRAMMER:PROGRAMMER: Disables protective Disables protective features; reveals protective measuresfeatures; reveals protective measures
• MAINTENANCE STAFF:MAINTENANCE STAFF: Disables hardware Disables hardware devices and protective measuresdevices and protective measures
• OPERATOR:OPERATOR: Doesn’t notify supervisor, Doesn’t notify supervisor, reveals protective measuresreveals protective measures
**
16.9
• HACKER:HACKER: Person gains access to Person gains access to computer for profit, criminal computer for profit, criminal mischief or personal pleasuremischief or personal pleasure
• COMPUTER VIRUS:COMPUTER VIRUS: Computer Computer program; difficult to detect; spreads program; difficult to detect; spreads rapidly; destroys data; disrupts rapidly; destroys data; disrupts processing & memoryprocessing & memory
**
HACKERS & COMPUTER HACKERS & COMPUTER VIRUSESVIRUSES
16.10
COMMON COMPUTER VIRUSESCOMMON COMPUTER VIRUSES
• CONCEPT:CONCEPT: Word documents, e-mail. Deletes files Word documents, e-mail. Deletes files• FORM:FORM: Makes clicking sound, corrupts data Makes clicking sound, corrupts data• ONE_HALF:ONE_HALF: Corrupts hard drive, flashes its name Corrupts hard drive, flashes its name
on screenon screen• MONKEY:MONKEY: Windows won’t run Windows won’t run• JUNKIE:JUNKIE: Infects files, boot sector, memory Infects files, boot sector, memory
conflictsconflicts• RIPPER:RIPPER: Randomly corrupts hard drive files Randomly corrupts hard drive files
**
16.11
ANTIVIRUS SOFTWAREANTIVIRUS SOFTWARE
• SOFTWARE TO DETECT SOFTWARE TO DETECT AND ELIMINATE VIRUSESAND ELIMINATE VIRUSES
• ADVANCED VERSIONS RUN IN ADVANCED VERSIONS RUN IN MEMORY TO PROTECT MEMORY TO PROTECT PROCESSING, GUARD AGAINST PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON VIRUSES ON DISKS, AND ON INCOMING NETWORK FILESINCOMING NETWORK FILES
**
16.12
CONCERNS FOR CONCERNS FOR BUILDERS & USERSBUILDERS & USERS
DISASTERDISASTER
BREACH OF SECURITYBREACH OF SECURITY
ERRORSERRORS**
16.13
• LOSS OF HARDWARE,LOSS OF HARDWARE, SOFTWARE, SOFTWARE, DATA BY FIRE, DATA BY FIRE, POWER FAILURE, POWER FAILURE, FLOOD OR OTHER CALAMITYFLOOD OR OTHER CALAMITY
FAULT-TOLERANT COMPUTER FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)(Particularly On-line Transaction Processing)
**
DISASTERDISASTER
16.14
SECURITYSECURITY POLICIES, PROCEDURES, POLICIES, PROCEDURES, TECHNICAL MEASURES TO TECHNICAL MEASURES TO
PREVENT UNAUTHORIZED ACCESS, PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL ALTERATION, THEFT, PHYSICAL
DAMAGE TO INFORMATION DAMAGE TO INFORMATION SYSTEMSSYSTEMS
**
16.15
• DATA PREPARATIONDATA PREPARATION• TRANSMISSIONTRANSMISSION• CONVERSIONCONVERSION• FORM COMPLETIONFORM COMPLETION• ON-LINE DATA ENTRYON-LINE DATA ENTRY• KEYPUNCHING; SCANNING; OTHER KEYPUNCHING; SCANNING; OTHER
INPUTSINPUTS
**
WHERE ERRORS OCCUR WHERE ERRORS OCCUR DURING PROCESSINGDURING PROCESSING
16.16
WHERE ERRORS OCCUR WHERE ERRORS OCCUR DURING PROCESSINGDURING PROCESSING
• VALIDATION VALIDATION
• PROCESSING / FILE MAINTENANCEPROCESSING / FILE MAINTENANCE
• OUTPUTOUTPUT
• TRANSMISSIONTRANSMISSION
• DISTRIBUTIONDISTRIBUTION
**
16.17
SYSTEM QUALITY PROBLEMSSYSTEM QUALITY PROBLEMS
• BUGS:BUGS: Program code defects or errorsProgram code defects or errors• MAINTENANCE:MAINTENANCE: Modifying a system in Modifying a system in
production use; can take up to 50% of production use; can take up to 50% of information systems staff timeinformation systems staff time
• DATA QUALITY PROBLEMS:DATA QUALITY PROBLEMS: Finding, Finding, correcting errors; costly; tediouscorrecting errors; costly; tedious
**
16.18
COST OF ERRORS DURING COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLESYSTEMS DEVELOPMENT CYCLE
CO
ST
SC
OS
TS
ANALYSIS PROGRAMMING POSTIMPLEMENTATION ANALYSIS PROGRAMMING POSTIMPLEMENTATION & DESIGN CONVERSION & DESIGN CONVERSION
16.19
CREATING A CONTROL CREATING A CONTROL ENVIRONMENTENVIRONMENT
CONTROLS:CONTROLS: METHODS, POLICIES, METHODS, POLICIES, PROCEDURES TO PROTECT PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDSMANAGEMENT STANDARDS
• GENERALGENERAL• APPLICATIONAPPLICATION
**
16.20
• IMPLEMENTATION:IMPLEMENTATION: Audit system Audit system development to assure proper control and development to assure proper control and managementmanagement
• SOFTWARE:SOFTWARE: Ensure security (access) and Ensure security (access) and reliability of softwarereliability of software
• PHYSICAL HARDWARE:PHYSICAL HARDWARE: Ensure physical Ensure physical security and performance of security and performance of computer hardwarecomputer hardware
**
GENERAL CONTROLSGENERAL CONTROLS
16.21
• COMPUTER OPERATIONS:COMPUTER OPERATIONS: Ensure procedures are Ensure procedures are consistently and correctly applied to data storage consistently and correctly applied to data storage and processingand processing
• DATA SECURITY:DATA SECURITY: Ensure data disks and tapes are Ensure data disks and tapes are protected from unauthorized access, change or protected from unauthorized access, change or destructiondestruction
• ADMINISTRATIVE:ADMINISTRATIVE: Ensure controls are properly Ensure controls are properly executed and enforcedexecuted and enforced
SEGREGATION OF FUNCTIONS: SEGREGATION OF FUNCTIONS: Divide Divide responsibility from tasksresponsibility from tasks
**
GENERAL CONTROLSGENERAL CONTROLS
16.22
APPLICATION CONTROLSAPPLICATION CONTROLS
• INPUTINPUT
• PROCESSINGPROCESSING
• OUTPUTOUTPUT
**
16.23
INPUT CONTROLSINPUT CONTROLS
• INPUT AUTHORIZATION:INPUT AUTHORIZATION: Record and Record and monitor source documentsmonitor source documents
• BATCH CONTROL TOTALS:BATCH CONTROL TOTALS: Count Count transactions prior to and after processingtransactions prior to and after processing
• EDIT CHECKS:EDIT CHECKS: Verify input data, correct Verify input data, correct errorserrors
**
16.24
EDIT CHECKSEDIT CHECKS
• REASONABLENESS CHECKSREASONABLENESS CHECKS• FORMAT CHECKSFORMAT CHECKS• EXISTENCE CHECKSEXISTENCE CHECKS• DEPENDENCY CHECKSDEPENDENCY CHECKS
**
16.25
PROCESSING CONTROLSPROCESSING CONTROLS
ESTABLISH THAT DATA IS COMPLETE ESTABLISH THAT DATA IS COMPLETE AND ACCURATE DURING PROCESSINGAND ACCURATE DURING PROCESSING
• RUN CONTROL TOTALS:RUN CONTROL TOTALS: Generate control Generate control totals before & after processingtotals before & after processing
• COMPUTER MATCHING:COMPUTER MATCHING: Match input data Match input data to master filesto master files
**
16.26
OUTPUT CONTROLSOUTPUT CONTROLS
ESTABLISH THAT RESULTS ARE ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE AND PROPERLY ACCURATE, COMPLETE AND PROPERLY DISTRIBUTED DISTRIBUTED
• BALANCE OUTPUT TOTALS WITH INPUT BALANCE OUTPUT TOTALS WITH INPUT AND PROCESSING TOTALSAND PROCESSING TOTALS
• REVIEW PROCESSING LOGSREVIEW PROCESSING LOGS• ENSURE ONLY AUTHORIZED RECIPIENTS ENSURE ONLY AUTHORIZED RECIPIENTS
GET RESULTSGET RESULTS
**
16.27
SECURITY AND THE SECURITY AND THE INTERNETINTERNET
• ENCRYPTION: ENCRYPTION: Coding & scrambling Coding & scrambling messages to deny unauthorized accessmessages to deny unauthorized access
• AUTHENTICATION:AUTHENTICATION: Ability to identify Ability to identify another partyanother party– MESSAGE INTEGRITYMESSAGE INTEGRITY– DIGITAL SIGNATUREDIGITAL SIGNATURE– DIGITAL CERTIFICATEDIGITAL CERTIFICATE
**
16.28
SECURITY AND THE SECURITY AND THE INTERNETINTERNET
• SECURE ELECTRONIC TRANSACTIONSECURE ELECTRONIC TRANSACTION:: Standard for securing credit card Standard for securing credit card transactions on Internettransactions on Internet
• ELECTRONIC CASH:ELECTRONIC CASH: Currency Currency represented in electronic form, represented in electronic form, preserving user anonymitypreserving user anonymity
**
16.29
DEVELOPING A CONTROL DEVELOPING A CONTROL STRUCTURESTRUCTURE
• COSTS:COSTS: Can be expensive to build; Can be expensive to build; complicated to usecomplicated to use
• BENEFITS:BENEFITS: Reduces expensive errors, Reduces expensive errors, loss of time, resources, good willloss of time, resources, good will
RISK ASSESSMENT:RISK ASSESSMENT: Determine Determine frequency of occurrence of problem, frequency of occurrence of problem, cost, damage if it were to occurcost, damage if it were to occur
**
16.30
MIS AUDITMIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESSSYSTEMS, ASSESSES THEIR EFFECTIVENESS
• TESTING:TESTING: Early, regular controlled efforts Early, regular controlled efforts to detect, reduce errorsto detect, reduce errors– WALKTHROUGHWALKTHROUGH– DEBUGGINGDEBUGGING
• DATA QUALITY AUDIT:DATA QUALITY AUDIT: Survey samples of Survey samples of files for accuracy, completenessfiles for accuracy, completeness
**
16.31