learning objectives demonstrate why info systems are vulnerable to destruction, error, abuse,...


Upload: cornelius-davis

Post on 05-Jan-2016


Page 1: Learning Objectives Demonstrate why info systems are vulnerable to destruction, error, abuse, quality control problemsDemonstrate why info systems are

Learning Objectives

• Demonstrate why info systems are vulnerable to destruction, error, abuse, quality control problems

• Compare general and application controls

• Select factors for developing controls


Learning Objectives

• Describe important software quality-assurance techniques

• Demonstrate importance of auditing info systems & safeguarding data quality


System Vulnerability & Abuse

• Why systems are vulnerable

• Hackers & viruses

• Concerns for builders & users

• System quality problems


Threats to Information Systems

• Hardware failure, fire

• Software failure, electrical problems

• Personnel actions, user errors

• Access penetration, program changes

• Theft of data, services, equipment

• Telecommunications problems


System Vulnerability

• System complexity

• Computerized procedures not always read or audited

• Extensive effect of disaster

• Unauthorized access possible


Vulnerabilities

• RADIATION: Allows recorders, bugs to tap system

• CROSSTALK: Can garble data

• HARDWARE: Improper connections, failure of protection circuits

• SOFTWARE: Failure of protection features, access control, bounds control

• FILES: Subject to theft, copying, unauthorized access


VULNERABILITIES

• USER: Identification, authentication, subtle software modification

• PROGRAMMER: Disables protective features; reveals protective measures

• MAINTENANCE STAFF: Disables hardware devices; uses stand-alone utilities

• OPERATOR: Doesn’t notify supervisor, reveals protective measures


HACKERS & COMPUTER VIRUSES

• HACKER: Person gains access to computer for profit, criminal mischief, personal pleasure

• COMPUTER VIRUS: Rogue program; difficult to detect; spreads rapidly; destroys data; disrupts processing & memory


Antivirus Software

• Software to detect

• Eliminate viruses

• Advanced versions run in memory to protect processing, guard against viruses on disks, and on incoming network files


Concerns For Builders & Users

• Disaster

• Breach of security

• Errors


Disaster

• Loss of hardware, software, data by fire, power failure, flood or other calamity

• Fault-tolerant computer systems: backup systems to prevent system failure (particularly on-line transaction processing)


Security

Policies, procedures, technical measures to prevent unauthorized access, alteration, theft, physical damage to information systems


System Quality Problems

Software & data

• Bugs: program code defects or errors

• Maintenance: modifying a system in production use; can take up to 85% of analysts’ time

• Data quality problems: finding, correcting errors; costly; tedious (do it right the first time!)


Cost Of Errors During Systems Development Cycle

[Figure: vertical axis COSTS, scale 1.00 to 6.00; stages shown: Analysis & design, Programming, Conversion, Post-implementation]


Creating A Control Environment

Controls: methods, policies, procedures to protect assets; accuracy & reliability of records; adherence to management standards

• General

• Application


General Controls

• Implementation: audit system development to assure proper control, management

• Software: ensure security, reliability of software

• Program security: prevent unauthorized changes to programs

• Hardware: ensure physical security, performance of computer hardware


General controls

• Computer operations: ensure procedures consistently, correctly applied to data storage, processing

• Data security: ensure data disks, tapes protected from wrongful access, change, destruction

• Administrative: ensure controls properly executed, enforced

• Segregation of functions: divide tasks to minimize risks


Application Controls

• Input

• Processing

• Output


Input Controls

• Input authorization: record, monitor source documents

• Data conversion: transcribe data properly from one form to another

• Batch control totals: count transactions prior to and after processing

• Edit checks: verify input data, correct errors
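
The batch control totals and edit checks listed above, as an added example that is not part of the original slides. The 8-digit account format, the 10000 amount limit and the sample batch are assumptions constructed for illustration, and the amount control total goes beyond the plain transaction count the slide names.

```python
from decimal import Decimal, InvalidOperation

MAX_AMOUNT = Decimal("10000")  # assumed limit for the range check

def edit_check(rec):
    """Edit checks on one record: account format, amount numeric and in range."""
    errors = []
    acct = rec.get("account", "")
    if not (acct.isascii() and acct.isdigit() and len(acct) == 8):
        errors.append("account: expected 8 digits")
    try:
        if not Decimal("0") < Decimal(rec.get("amount", "")) <= MAX_AMOUNT:
            errors.append("amount: out of range")
    except InvalidOperation:
        errors.append("amount: not numeric")
    return errors

def reconcile(expected_count, expected_total, records):
    """Run edit checks, then compare batch control totals before and after."""
    accepted, rejected = [], {}
    for pos, rec in enumerate(records, start=1):
        errs = edit_check(rec)
        if errs:
            rejected[pos] = errs      # held for correction, not processed
        else:
            accepted.append(rec)
    total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    return {
        "received_count_ok": len(records) == expected_count,
        "accepted_total_ok": total == Decimal(expected_total),
        "accepted": len(accepted),
        "rejected": rejected,
    }

# Constructed sample batch; the header figures (4 records, 1250.00) stand for
# totals taken from the source documents before data entry.
BATCH = [
    {"account": "10020030", "amount": "250.00"},
    {"account": "10020031", "amount": "12O.00"},   # letter O keyed instead of zero
    {"account": "1002003",  "amount": "400.00"},   # account one digit short
    {"account": "10020033", "amount": "480.00"},
]

if __name__ == "__main__":
    print(reconcile(4, "1250.00", BATCH))       # count matches, total does not
    print(reconcile(4, "1250.00", BATCH[:3]))   # one record missing from the batch
```

A count mismatch points to a lost, duplicated or inserted transaction; a total mismatch with a matching count points to a keying error or an altered amount, which the rejected list then localizes.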


Developing A Control Structure

• Costs: Can be expensive to build; complicated to use

• Benefits: Reduces expensive errors, loss of time, resources, good will

• Risk assessment: Determine frequency of occurrence of problem, cost, damage if it were to occur
