Chapter 14: Information Systems Security and Control
Essentials of Management Information Systems
Chapter 14 Information Systems Security and Control
OBJECTIVES
• Why are information systems so vulnerable to
destruction, error, abuse, and system quality
problems?
• What types of controls are available for
information systems?
• What special measures must be taken to ensure
the reliability, availability and security of electronic
commerce and digital business processes?
• What are the most important software quality
assurance techniques?
• Why are auditing information systems and
safeguarding data quality so important?
MANAGEMENT CHALLENGES
• Designing systems that are neither over-controlled nor
under-controlled
• Applying quality assurance standards in large systems
projects
SYSTEM VULNERABILITY AND ABUSE
Why Systems are Vulnerable
• Advances in telecommunications and computer
software
• Unauthorized access, abuse, or fraud
• Hackers
• Denial of service attack
• Computer virus
Telecommunication Network Vulnerabilities
Figure 14-1
Concerns for System Builders and Users
Disaster
• Destroys computer hardware, programs,
data files, and other equipment
Security
• Prevents unauthorized access, alteration,
theft, or physical damage
Errors
• Cause computers to disrupt or destroy
organization’s record-keeping and
operations
System Quality Problems: Software and Data
Bugs
• Program code defects or errors
Maintenance Nightmare
• Maintenance costs high due to organizational
change, software complexity, and faulty
system analysis and design
Points in the Processing Cycle where Errors can Occur
Figure 14-2
Data Quality Problems
• Caused by errors during data input or by faulty
information system and database design
The Cost of Errors over the Systems Development Cycle
Figure 14-3
CREATING A CONTROL ENVIRONMENT
Overview
Controls
• Methods, policies, and procedures
• Ensure protection of the organization’s assets
• Ensure accuracy and reliability of records, and
operational adherence to management standards
General Controls and Application Controls
General controls
• Establish framework for controlling design,
security, and use of computer programs
• Include software, hardware, computer
operations, data security, implementation,
and administrative controls
Security Profiles for a Personnel System
Figure 14-4
Application controls
• Unique to each computerized application
• Include input, processing, and output
controls
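An added example (not from the textbook) that goes a little beyond the slide by showing what input and processing controls look like in code: programmed edit checks on each record of a constructed payroll batch, then batch control totals compared against the totals in the batch header. The employee-id format, department table, hour limit and records are all assumptions.

```python
import re

EMPLOYEE_ID = re.compile(r"^E\d{4}$")      # assumed employee-id format
VALID_DEPTS = {"SALES", "OPS", "IT"}       # assumed validity table
MAX_HOURS = 80                             # assumed reasonableness limit

def edit_check(rec):
    """Input control: programmed edit checks on one record. Returns the
    list of failures (empty when the record passes)."""
    problems = []
    if not EMPLOYEE_ID.match(str(rec.get("id", ""))):
        problems.append("bad id format")          # format check
    hours = rec.get("hours")
    if not isinstance(hours, (int, float)) or not 0 <= hours <= MAX_HOURS:
        problems.append("hours out of range")     # reasonableness check
    if rec.get("dept") not in VALID_DEPTS:
        problems.append("unknown dept")           # validity check
    return problems

def control_totals(records):
    """Processing control: record count, financial total of hours, and a
    hash total of employee-id numbers (a sum with no business meaning that
    still changes if a record is substituted)."""
    return (len(records),
            sum(r["hours"] for r in records),
            sum(int(r["id"][1:]) for r in records))

def process_batch(records, header_totals):
    """Apply the input controls, then compare the totals of the accepted
    records with the totals the submitting department put in the header.
    Returns (accepted, rejected as (record, problems), totals_match)."""
    accepted, rejected = [], []
    for rec in records:
        problems = edit_check(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append(rec)
    return accepted, rejected, control_totals(accepted) == header_totals

# Constructed batch with the header totals its sender computed over it.
BATCH = [
    {"id": "E0001", "hours": 40, "dept": "SALES"},
    {"id": "E0002", "hours": 38, "dept": "OPS"},
    {"id": "E0003", "hours": 45, "dept": "IT"},
]
HEADER_TOTALS = (3, 123, 6)
```

A totals mismatch after the edit checks means the batch is held for error correction rather than posted; the hash total is what catches a swapped record that the count and hours total alone would miss.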
Protecting the Digital Firm
• On-line transaction processing:
Transactions entered online are
immediately processed by computer
• Fault-tolerant computer systems:
Contain extra hardware, software, and
power supply components
• High-availability computing: Tools and
technologies enabling system to recover from
a crash
• Disaster recovery plan: Runs business in
event of computer outage
• Load balancing: Distributes large number of
requests for access among multiple servers
• Mirroring: Duplicating all processes and
transactions of server on backup server to
prevent any interruption
• Clustering: Linking two computers
together so that a second computer can
act as a backup to the primary computer
or speed up processing
Internet Security Challenges
Firewalls
• Prevent unauthorized users from accessing
private networks
• Two types: proxies and stateful inspection
Intrusion Detection System
• Monitors vulnerable points in network to detect
and deter unauthorized intruders
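An added illustration (not from the textbook) of the two mechanisms on this slide: a simulated stateful-inspection filter that admits inbound packets only as replies to connections opened from inside or as traffic to published services, plus an IDS-style check that alerts when one outside source keeps being rejected. The private-network prefix, published ports, alert threshold and the packet list are all constructed assumptions.

```python
from collections import Counter

INSIDE = "10.0.0."            # assumed private-network address prefix
PUBLIC_SERVICES = {80, 443}   # assumed ports published to the outside

def is_inside(ip):
    return ip.startswith(INSIDE)

class StatefulFirewall:
    """Stateful inspection: remember connections opened from inside and
    admit only their replies, plus unsolicited traffic to published services."""

    def __init__(self):
        self.state = set()       # flows opened from inside: (src, sport, dst, dport)
        self.denied = Counter()  # rejected packets per source, fed to the IDS check

    def filter(self, pkt):
        src, sport, dst, dport = pkt
        if is_inside(src) and not is_inside(dst):
            self.state.add((src, sport, dst, dport))   # outbound: record the flow
            return "ALLOW"
        if (dst, dport, src, sport) in self.state:
            return "ALLOW"       # reply to a flow opened from inside
        if is_inside(dst) and dport in PUBLIC_SERVICES:
            return "ALLOW"       # unsolicited, but to a published service
        self.denied[src] += 1    # unsolicited inbound: block and record it
        return "DENY"

def run(packets, fw, threshold=3):
    """Filter packets in order. The IDS-style check then alerts on any source
    that accumulated at least `threshold` rejections, i.e. kept probing."""
    decisions = [fw.filter(p) for p in packets]
    alerts = sorted(s for s, n in fw.denied.items() if n >= threshold)
    return decisions, alerts

# Constructed traffic, not a capture: (src, sport, dst, dport)
SAMPLE = [
    ("10.0.0.5", 50000, "203.0.113.9", 443),    # outbound request
    ("203.0.113.9", 443, "10.0.0.5", 50000),    # the matching reply
    ("198.51.100.7", 443, "10.0.0.5", 50000),   # looks like a reply, no matching flow
    ("198.51.100.7", 4444, "10.0.0.5", 22),     # unsolicited inbound
    ("198.51.100.7", 4444, "10.0.0.5", 3389),   # unsolicited inbound
    ("198.51.100.7", 4444, "10.0.0.8", 80),     # published web service
]

if __name__ == "__main__":
    print(run(SAMPLE, StatefulFirewall()))
```

A stateless filter keyed only on ports would have passed the third packet; the state table is what lets the firewall tell a genuine reply from one that merely uses the right port numbers.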
Figure 14-5
Security and Electronic Commerce
• Encryption: Coding and scrambling of
messages to prevent their access without
authorization
• Authentication: Ability of each party in a
transaction to ascertain identity of other party
• Message integrity: Ability to ascertain that
transmitted message has not been copied or
altered
• Digital signature: Digital code attached
to electronically transmitted message to
uniquely identify contents and sender
• Digital certificate: Attachment to
electronic message to verify the sender
and to provide receiver with means to
encode reply
• Secure Electronic Transaction (SET):
Standard for securing credit card
transactions over Internet and other
networks
Public Key Encryption
Figure 14-6
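An added walk-through (not from the textbook) of the public key encryption in Figure 14-6 together with the digital signature and message integrity definitions above, using textbook RSA in Python. The primes, the public exponent, the message text and the account number are constructed assumptions; the key is deliberately small and there is no padding, which real systems get from standard libraries rather than from this arithmetic.

```python
import hashlib

# Constructed key material: two known primes, small enough that every step
# runs instantly but large enough that two different messages hashing to
# the same value modulo n is not a concern for the integrity check below.
P, Q, E = 1000000007, 998244353, 65537

def keygen(p=P, q=Q, e=E):
    """Public key (e, n) is published; private key (d, n) stays secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d = 1 (mod phi)
    return (e, n), (d, n)

def encrypt(pub, m):
    """Anyone holding the public key can encrypt a message m < n."""
    e, n = pub
    return pow(m, e, n)

def decrypt(priv, c):
    """Only the private-key holder can recover m."""
    d, n = priv
    return pow(c, d, n)

def digest(msg, n):
    """Hash the message and reduce below n (toy step; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    """Digital signature: the message hash raised to the private exponent.
    It identifies the sender (only they hold d) and the exact contents."""
    d, n = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    """Message integrity check: recover the signed hash with the public key
    and compare it with a fresh hash of what was actually received."""
    e, n = pub
    return pow(sig, e, n) == digest(msg, n)

def demo():
    pub, priv = keygen()
    order = b"transfer 100 to account 4711"      # constructed message
    sig = sign(priv, order)                      # sender signs with d
    return (verify(pub, order, sig),                            # untouched
            verify(pub, b"transfer 900 to account 4711", sig),  # altered
            decrypt(priv, encrypt(pub, 123456789)))             # round trip
```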
Digital Certificates
Figure 14-7
Developing a Control Structure: Costs and Benefits
Criteria for determining control
structure
• Importance of data
• Efficiency, complexity, and expense of each
control technique
• Level of risk if a specific activity or process is not
properly controlled
The Role of Auditing in the Control Process
MIS audit
• Identifies all controls that govern
individual information systems and
assesses their effectiveness
ENSURING SYSTEM QUALITY
Sample Auditor’s List of Control Weaknesses
Figure 14-8
Software Quality Assurance Methodologies and Tools
• Development methodology: Collection of
methods covering every activity within every
phase of a development project
• Structured: Refers to the fact that the
techniques are carefully drawn up, step-by-step,
with each step building on a previous one
• Structured analysis: Method for
defining system inputs, processes, and
outputs, and for partitioning systems into
subsystems or modules
• Data Flow Diagram (DFD): Graphically
illustrates system’s component processes
and flow of data
Data Flow Diagram for Mail-in University Registration System
Figure 14-9
• Structured design: Encompasses set of
design rules and techniques for designing
systems
• Structured programming: Organizing and
coding programs so that control paths are simplified
• System flowchart: Graphic design tool
depicting physical media and sequence of
processing steps
High-Level Structure Chart For a Payroll System
Figure 14-10
Basic Program Control Constructs
Figure 14-11
System Flow-Chart for a Payroll System
Figure 14-12
Limitation of Traditional Methods
• Inflexible
• Time-consuming
Computer-Aided Software Engineering (CASE)
• Automation of step-by-step methodologies
for software and systems development
• Reduces repetitive work
• Enforces standard development
methodology and design discipline
• Improves communication between users
and technical specialists
• Organizes and correlates design
components
• Automates tedious and error-prone
portion of analysis and design, code
generation, testing, and control rollout
Resource Allocation During Systems Development
Resource allocation
• Determines how costs, time, and
personnel are assigned to different
phases of systems development project
Software Metrics
• Objective assessment of the software used in
the system, in the form of quantified
measurements
Testing
• Walkthrough: Review of specification or
design document by small group of people
• Debugging: Process of discovering and
eliminating errors and defects in program
code
Data Quality Audit and Data Cleansing
Data quality audit
• Survey and/or sample of files
• Determines accuracy and completeness of data
Data cleansing
• Correcting errors and inconsistencies in data to
increase accuracy