16.1 16.2 learning objectives demonstrate why info systems are vulnerable to destruction, error,...
TRANSCRIPT
16.1
16.2
LEARNING OBJECTIVESLEARNING OBJECTIVES
• DEMONSTRATE WHY INFO SYSTEMS DEMONSTRATE WHY INFO SYSTEMS ARE VULNERABLE TO DESTRUCTION, ARE VULNERABLE TO DESTRUCTION, ERROR, ABUSE, QUALITY CONTROL ERROR, ABUSE, QUALITY CONTROL PROBLEMSPROBLEMS
• COMPARE GENERAL AND APPLICATION COMPARE GENERAL AND APPLICATION CONTROLSCONTROLS
• SELECT FACTORS FOR DEVELOPING SELECT FACTORS FOR DEVELOPING CONTROLSCONTROLS
**
16.3
LEARNING OBJECTIVESLEARNING OBJECTIVES
• DESCRIBE IMPORTANT SOFTWARE DESCRIBE IMPORTANT SOFTWARE QUALITY- ASSURANCE QUALITY- ASSURANCE TECHNIQUESTECHNIQUES
• DEMONSTRATE IMPORTANCE OF DEMONSTRATE IMPORTANCE OF AUDITING INFO SYSTEMS & AUDITING INFO SYSTEMS & SAFEGUARDING DATA SAFEGUARDING DATA QUALITYQUALITY
**
16.4
MANAGEMENT CHALLENGESMANAGEMENT CHALLENGES
• SYSTEM VULNERABILITY & ABUSESYSTEM VULNERABILITY & ABUSE
• CREATING A CONTROL CREATING A CONTROL ENVIRONMENTENVIRONMENT
• ENSURING SYSTEM QUALITYENSURING SYSTEM QUALITY
**
16.5
SYSTEM VULNERABILITY & SYSTEM VULNERABILITY & ABUSEABUSE
• WHY SYSTEMS ARE VULNERABLEWHY SYSTEMS ARE VULNERABLE
• HACKERS & VIRUSESHACKERS & VIRUSES
• CONCERNS FOR BUILDERS & CONCERNS FOR BUILDERS & USERSUSERS
• SYSTEM QUALITY PROBLEMSSYSTEM QUALITY PROBLEMS
**
16.6
THREATS TO INFORMATION THREATS TO INFORMATION SYSTEMS SYSTEMS
HARDWARE FAILURE, FIREHARDWARE FAILURE, FIRE
SOFTWARE FAILURE, ELECTRICAL SOFTWARE FAILURE, ELECTRICAL PROBLEMSPROBLEMS
PERSONNEL ACTIONS, USER ERRORSPERSONNEL ACTIONS, USER ERRORS
ACCESS PENETRATION, PROGRAM ACCESS PENETRATION, PROGRAM CHANGESCHANGES
THEFT OF DATA, SERVICES, EQUIPMENT THEFT OF DATA, SERVICES, EQUIPMENT TELECOMMUNICATIONS PROBLEMSTELECOMMUNICATIONS PROBLEMS
**
16.7
WHY SYSTEMS ARE WHY SYSTEMS ARE VULNERABLEVULNERABLE
• SYSTEM COMPLEXITYSYSTEM COMPLEXITY
• COMPUTERIZED PROCEDURES NOT COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITEDALWAYS READ OR AUDITED
• EXTENSIVE EFFECT OF DISASTEREXTENSIVE EFFECT OF DISASTER
• UNAUTHORIZED ACCESS POSSIBLEUNAUTHORIZED ACCESS POSSIBLE
**
16.8
• RADIATION:RADIATION: Allows recorders, bugs to tap systemAllows recorders, bugs to tap system• CROSSTALK:CROSSTALK: Can garble dataCan garble data
• HARDWARE:HARDWARE: Improper connections, Improper connections, failure of failure of protection circuitsprotection circuits
• SOFTWARE:SOFTWARE: Failure of protection features,Failure of protection features, access control, access control, bounds controlbounds control
• FILES:FILES: Subject to Subject to theft, copying,theft, copying, unauthorized unauthorized accessaccess
**
VULNERABILITIESVULNERABILITIES
16.9
VULNERABILITIESVULNERABILITIES
• USER:USER: Identification, authentication, Identification, authentication, subtle software modificationsubtle software modification
• PROGRAMMER:PROGRAMMER: Disables protective Disables protective features; reveals protective measuresfeatures; reveals protective measures
• MAINTENANCE STAFF:MAINTENANCE STAFF: Disables hardware Disables hardware devices; uses stand-alone utilitiesdevices; uses stand-alone utilities
• OPERATOR:OPERATOR: Doesn’t notify supervisor, Doesn’t notify supervisor, reveals protective measuresreveals protective measures
**
16.10
• HACKER:HACKER: Person gains access to Person gains access to computer for profit, criminal computer for profit, criminal mischief, personal pleasuremischief, personal pleasure
• COMPUTER VIRUS:COMPUTER VIRUS: Rouge program; Rouge program; difficult to detect; spreads rapidly; difficult to detect; spreads rapidly; destroys data; disrupts processing & destroys data; disrupts processing & memorymemory
**
HACKERS & COMPUTER HACKERS & COMPUTER VIRUSESVIRUSES
16.11
COMMON COMPUTER VIRUSESCOMMON COMPUTER VIRUSES
• CONCEPT:CONCEPT: Word documents, e-mail. Deletes files Word documents, e-mail. Deletes files• FORM: Makes clicking sound, corrupts dataFORM: Makes clicking sound, corrupts data• ONE_HALF:ONE_HALF: Corrupts hard drive, flashes its name Corrupts hard drive, flashes its name
on screenon screen• MONKEY:MONKEY: Windows won’t run Windows won’t run• JUNKIE:JUNKIE: Infects files, boot sector, memory Infects files, boot sector, memory
conflictsconflicts• RIPPER:RIPPER: Randomly corrupts hard drive files Randomly corrupts hard drive files
**
16.12
ANTIVIRUS SOFTWAREANTIVIRUS SOFTWARE
• SOFTWARE TO DETECTSOFTWARE TO DETECT• ELIMINATE VIRUSESELIMINATE VIRUSES• ADVANCED VERSIONS RUN IN ADVANCED VERSIONS RUN IN
MEMORY TO PROTECT MEMORY TO PROTECT PROCESSING, GUARD AGAINST PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON VIRUSES ON DISKS, AND ON INCOMING NETWORK FILESINCOMING NETWORK FILES
**
16.13
CONCERNS FOR CONCERNS FOR BUILDERS & USERSBUILDERS & USERS
DISASTERDISASTER
BREACH OF SECURITYBREACH OF SECURITY
ERRORSERRORS**
16.14
• LOSS OF HARDWARE,LOSS OF HARDWARE, SOFTWARE, SOFTWARE, DATA BY FIRE, DATA BY FIRE, POWER FAILURE, POWER FAILURE, FLOOD OR OTHER CALAMITYFLOOD OR OTHER CALAMITY
FAULT-TOLERANT COMPUTER FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)(Particularly On-line Transaction Processing)
**
DISASTERDISASTER
16.15
SECURITYSECURITY POLICIES, PROCEDURES, POLICIES, PROCEDURES, TECHNICAL MEASURES TO TECHNICAL MEASURES TO
PREVENT UNAUTHORIZED ACCESS, PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL ALTERATION, THEFT, PHYSICAL
DAMAGE TO INFORMATION DAMAGE TO INFORMATION SYSTEMSSYSTEMS
**
16.16
• DATA PREPARATIONDATA PREPARATION• TRANSMISSIONTRANSMISSION• CONVERSIONCONVERSION• FORM COMPLETIONFORM COMPLETION• ON-LINE DATA ENTRYON-LINE DATA ENTRY• KEYPUNCHING; SCANNING; OTHER KEYPUNCHING; SCANNING; OTHER
INPUTSINPUTS
**
WHERE ERRORS OCCURWHERE ERRORS OCCUR
16.17
WHERE ERRORS OCCURWHERE ERRORS OCCUR
• VALIDATION VALIDATION
• PROCESSING / FILE MAINTENANCEPROCESSING / FILE MAINTENANCE
• OUTPUTOUTPUT
• TRANSMISSIONTRANSMISSION
• DISTRIBUTIONDISTRIBUTION
**
16.18
SYSTEM QUALITY PROBLEMSSYSTEM QUALITY PROBLEMS
• SOFTWARE & DATASOFTWARE & DATA• BUGS:BUGS: Program code defects or errorsProgram code defects or errors• MAINTENANCE:MAINTENANCE: Modifying a system in Modifying a system in
production use; can take up to 50% of production use; can take up to 50% of analysts’ timeanalysts’ time
• DATA QUALITY PROBLEMS:DATA QUALITY PROBLEMS: Finding, Finding, correcting errors; costly; tediouscorrecting errors; costly; tedious
**
16.19
COST OF ERRORS DURING COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLESYSTEMS DEVELOPMENT CYCLE
1.001.00
2.002.00
3.003.00
4.004.00
5.005.00
6.006.00
CO
ST
SC
OS
TS
ANALYSIS PROGRAMMING POSTIMPLEMENTATION ANALYSIS PROGRAMMING POSTIMPLEMENTATION & DESIGN CONVERSION & DESIGN CONVERSION
16.20
CREATING A CONTROL CREATING A CONTROL ENVIRONMENTENVIRONMENT
CONTROLS:CONTROLS: METHODS, POLICIES, METHODS, POLICIES, PROCEDURES TO PROTECT PROCEDURES TO PROTECT ASSETS; ACCURACY & RELIABILITY ASSETS; ACCURACY & RELIABILITY OF RECORDS; ADHERENCE TO OF RECORDS; ADHERENCE TO MANAGEMENT STANDARDSMANAGEMENT STANDARDS
• GENERALGENERAL• APPLICATIONAPPLICATION
**
16.21
• IMPLEMENTATION:IMPLEMENTATION: Audit system Audit system development to assure proper control, development to assure proper control, managementmanagement
• SOFTWARE:SOFTWARE: Ensure security, reliability of Ensure security, reliability of softwaresoftware
• PHYSICAL HARDWARE:PHYSICAL HARDWARE: Ensure physical Ensure physical security, performance of security, performance of computer computer hardwarehardware
**
GENERAL CONTROLSGENERAL CONTROLS
16.22
• COMPUTER OPERATIONS:COMPUTER OPERATIONS: Ensure procedures Ensure procedures consistently, correctly applied to data storage, consistently, correctly applied to data storage, processingprocessing
• DATA SECURITY:DATA SECURITY: Ensure data disks, tapes Ensure data disks, tapes protected from wrongful access, change, protected from wrongful access, change, destructiondestruction
• ADMINISTRATIVE:ADMINISTRATIVE: Ensure controls properly Ensure controls properly executed, enforcedexecuted, enforced
SEGREGATION OF FUNCTIONS: SEGREGATION OF FUNCTIONS: Divide Divide responsibility from tasksresponsibility from tasks
**
GENERAL CONTROLSGENERAL CONTROLS
16.23
APPLICATION CONTROLSAPPLICATION CONTROLS
• INPUTINPUT
• PROCESSINGPROCESSING
• OUTPUTOUTPUT
**
16.24
INPUT CONTROLSINPUT CONTROLS
• INPUT AUTHORIZATION:INPUT AUTHORIZATION: Record, monitor Record, monitor source documentssource documents
• DATA CONVERSION:DATA CONVERSION: Transcribe data Transcribe data properly from one form to anotherproperly from one form to another
• BATCH CONTROL TOTALS:BATCH CONTROL TOTALS: Count Count transactions prior to and after processingtransactions prior to and after processing
• EDIT CHECKS:EDIT CHECKS: Verify input data, correct Verify input data, correct errorserrors
**
16.25
PROCESSING CONTROLSPROCESSING CONTROLS
ESTABLISH THAT DATA IS COMPLETE, ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSINGACCURATE DURING PROCESSING
• RUN CONTROL TOTALS:RUN CONTROL TOTALS: Generate control Generate control totals before & after processingtotals before & after processing
• COMPUTER MATCHING:COMPUTER MATCHING: Match input data Match input data to master filesto master files
**
16.26
OUTPUT CONTROLSOUTPUT CONTROLS
ESTABLISH THAT RESULTS ARE ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY ACCURATE, COMPLETE, PROPERLY DISTRIBUTED DISTRIBUTED
• BALANCE INPUT, PROCESSING, OUTPUT BALANCE INPUT, PROCESSING, OUTPUT TOTALSTOTALS
• REVIEW PROCESSING LOGSREVIEW PROCESSING LOGS• ENSURE ONLY AUTHORIZED RECIPIENTS ENSURE ONLY AUTHORIZED RECIPIENTS
GET RESULTSGET RESULTS
**
16.27
SECURITY AND THE SECURITY AND THE INTERNETINTERNET
• ENCRYPTION: ENCRYPTION: Coding & scrambling Coding & scrambling messages to deny unauthorized accessmessages to deny unauthorized access
• AUTHENTICATION:AUTHENTICATION: Ability to identify Ability to identify another partyanother party– MESSAGE INTEGRITYMESSAGE INTEGRITY– DIGITAL SIGNATUREDIGITAL SIGNATURE– DIGITAL CERTIFICATEDIGITAL CERTIFICATE
**
16.28
SECURITY AND THE SECURITY AND THE INTERNETINTERNET
• SECURE ELECTRONIC TRANSACTIONSECURE ELECTRONIC TRANSACTION:: Standard for securing credit card Standard for securing credit card transactions on Internettransactions on Internet
• ELECTRONIC CASH:ELECTRONIC CASH: Currency Currency represented in electronic form, represented in electronic form, preserving user anonymitypreserving user anonymity
**
16.29
DEVELOPING A CONTROL DEVELOPING A CONTROL STRUCTURESTRUCTURE
• COSTS:COSTS: Can be expensive to build; Can be expensive to build; complicated to usecomplicated to use
• BENEFITS:BENEFITS: Reduces expensive errors, Reduces expensive errors, loss of time, resources, good willloss of time, resources, good will
RISK ASSESSMENT:RISK ASSESSMENT: Determine Determine frequency of occurrence of problem, frequency of occurrence of problem, cost, damage if it were to occurcost, damage if it were to occur
**
16.30
MIS AUDITMIS AUDIT
IDENTIFIES CONTROLS OF INFORMATION IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESSSYSTEMS, ASSESSES THEIR EFFECTIVENESS
• TESTING:TESTING: Early, regular controlled efforts Early, regular controlled efforts to detect, reduce errorsto detect, reduce errors– WALKTHROUGHWALKTHROUGH– DEBUGGINGDEBUGGING
• DATA QUALITY AUDIT:DATA QUALITY AUDIT: Survey samples of Survey samples of files for accuracy, completenessfiles for accuracy, completeness
**
16.31
Connect to the INTERNETConnect to the INTERNET
PRESS LEFT MOUSE BUTTON ON ICON TO CONNECT TO LAUDON & LAUDON WEB SITE FOR MORE INFORMATION IN THIS
CHAPTER
16.32