Download presentation
Presentation is loading. Please wait.
1
4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls Internet & eCommerce controls –Firewalls –Encryption –Authentication Assessments & Audits
2
Systems Vulnerabilities Ex: DDoS attacks in February 2000 Why worry? –Financial impact of downtime is staggering: Type of LossBrokerage siteAuction site (8 hrs)(22 hrs) Direct revenues loss$204,000$341,652 Compensatory loss$0$943,521 Lost future revenues$4,810,320$1,024,955 Worker downtime loss$117,729$46,097 Delay-to-market$60,000$358,734 Total impact$5,220,159$2,773,416
3
How are systems vulnerable? If destroyed –Systems cannot be replicated manually –Systems are not easily understood or audited –Systems’ records can be permanently lost Hardware: fire, earthquake, etc. Software: electrical problems, bugs Personnel actions: user errors, maliciousness Access: program changes, data changes Data & services: telecommunication failures
4
So what if it’s vulnerable? Use a risk assessment to decide if the costs of protecting against the vulnerability outweigh the potential losses from it. Ex. Online Order Processing Risk Assessment ExposureProb. (%)Loss range / avg. ($) Exp. ann. loss($) Power failure30%$5,000 – 200,000 $102,500 $30,750 Embezzlement5%$1,000 – 50,000 $25,500 $1,275 User error98%$200 - 40,000 $20,100 $19,698
5
Example of vulnerabilities: hackers Hackers –“A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.” –Create computer viruses, DDoS attacks, etc.
6
Examples of vulnerabilities: viruses “Rogue software programs that are difficult to detect and spread rapidly, destroying data or disrupting processing & memory systems.” Chernobyl (CIH) virusChernobyl (CIH) Badtrans.B virusBadtrans.B Nimda virusNimda Antivirus software is a necessity. –Virus definitions MUST BE UPDATED FREQUENTLY (min. every 2 weeks).
7
Concerns for systems builders Disaster –Build backup facilities –Build fault-tolerant systems Have extra hardware, software, power, processing capability in case something fails –Contract with a disaster recovery firm Security –“Policies procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to IS.” Errors: prevention
8
Systems quality issues: software Software bugs –“Program code defects or errors.” –Main Sources: decision code, poor design specs. Maintenance –50% of ITS staff time is spent “maintaining” existing systems. –Why? Organizational changes Software complexity Faulty systems analysis discovered too late
9
Systems quality issue: data quality Most common source of IS failure “Bad data”: –Input improperly or incorrectly –Faulty processing or database design FBI’s computerized criminal-records system –Estimated that 54% of records are wrong, incomplete, or ambiguous.
10
Controls: Guards against Errors “All of the methods, policies, and procedures that ensure protection of the organization’s assets, accuracy and reliability of its records, and operational adherence to management standards.” Two types of IS controls: –General controls –Application Controls
11
General controls “Overall controls that establish a framework for controlling the design, security, and use of computer programs in the organization.” Implementation controls Software controls Hardware controls Computer operations controls Data security controls Administrative controls
12
General controls Implementation controls –“The audit of the systems development process at various points to make sure that it is properly controlled and managed” –Controlling the systems development process
13
General controls Software controls –“Controls to ensure the security and reliability of software.” –Control access and use of computer programs.
14
General controls Hardware controls –“Controls to ensure the physical security and correct performance of computer hardware.” –Physical security: locking doors to computer rooms Ensuring correct humidity & temperature of computer rooms Etc.
15
General controls Computer operations controls –“Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing.” –Examples: Backing up and recovering files Controlling setup of computer processing jobs Etc.
16
General controls Data security controls –“Controls to ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction.” –Keeping data safe & secure Restricting physical access to terminals to authorized users System passwords Additional password sets for specific data or applications
17
General controls Administrative controls –“Formalized standards, rules, procedures, and disciplines to ensure that the organization’s controls are properly executed and enforced.” –Making sure that the people do what they’re supposed to do. –Examples: Segregation of functions: –No one position has total access to, responsibility for, or control of data Written policies & procedures for controlling IS operations
18
Application controls “Specific controls within each separate computer application, such as payroll or order processing.” Input controls –Check data coming into system. –Control totals count # of transactions or fields before processing –Edit checks can fix errors in inputs before processing Processing controls Output controls
19
Application controls Input controls Processing controls –Establish that data are complete & accurate during processing –Run control totals reconcile the input control totals with the totals of items that have updated a file. –Computer matching highlights unmatched items between what was input and what was processed. –Edit checks can highlight errors before processing is finalized. Output controls
20
Application controls Input controls Processing controls Output controls –Ensure that results of processing are accurate, complete, and properly distributed.
21
Internet & eCommerce controls Threats are greater because of greater access to systems by anonymous outsiders. Firewalls: proxy & stateful inspection Encryption Authentication: digital signatures, digital certificates
22
Internet controls: Firewalls Prevent access by unauthorized users to a private network from the outside, usually the Internet. Proxy firewalls –Accept data from outside, then pass a copy (not the original files) along to the internal destination. –Can work similarly going from inside to outside. Stateful inspection firewalls –Checks each type of packet that comes in, and lets it pass if it is an approved type.
23
Internet controls: Encryption Coding and scrambling of messages to prevent unauthorized access to or understanding of the data being transmitted. Public key encryption: uses two “keys”, one public, one private. Sender Recipient Scrambled message Public key Private key
24
Internet controls: Authentication Digital signatures –Not fully developed yet, some governmental approval –Unique digital code attached to message to identify user, like a signature Digital certificates –Uses a third party (ex. Verisign) to guarantee identity of userVerisign
25
Do your controls work well? Use an MIS audit. –“Identifies all the controls that govern individual information systems and assesses their effectiveness.” The audit: –Lists and ranks all the control weaknesses, –Estimates the probability of occurrence, and –Assesses financial & organizational impact of each threat.
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.