Chapter 15
Essentials of Management Information Systems, 6e
Chapter 15 Information System Security and Control
© 2005 by Prentice Hall
Objectives
1. Why are information systems so vulnerable to destruction, error, abuse, and system quality problems?
2. What types of controls are available for information systems?
3. What special measures must be taken to ensure the reliability, availability and security of electronic commerce and digital business processes?
4. What are the most important software quality assurance techniques?
5. Why are auditing information systems and safeguarding data quality so important?
Management Challenges
1. Achieving a sensible balance between too little control and too much.
2. Applying quality assurance standards in large systems projects.
System Vulnerability and Abuse
Why Systems Are Vulnerable
• Accessibility to electronic data
• Increasingly complex software, hardware
• Network access points
• Wireless vulnerability
• Internet
Threats to Computerized Information Systems
• Hardware failure
• Software failure
• Personnel actions
• Terminal access penetration
• Theft of data, services, equipment
• Fire
• Electrical problems
• User errors
• Unauthorized program changes
• Telecommunication problems
Figure 15-1: Telecommunications networks vulnerabilities
Window on Organizations
Credit Card Fraud: Still on the Rise
• To what extent are Internet credit card thefts management and organizational problems, and to what extent are they technical problems?
• Address the technology and management issues for both the credit card issuers and the retail companies.
• Suggest possible ways to address the problem.
Why Systems Are Vulnerable
• Hacker
• Trojan horse
• Denial of service (DoS) attacks
• Computer viruses
• Worms
• Antivirus software
Window on Technology
Smarter Worms and Viruses: The Worst Is Yet to Come
• Why are worms so harmful?
• Describe their business and organizational impact.
Concerns for System Builders and Users
• Disaster
• Security
• Administrative error
• Cyberterrorism and Cyberwarfare
Figure 15-2: Points in the processing cycle where errors can occur
System Quality Problems: Software and Data
Bugs and Defects: complete testing is not possible
The Maintenance Nightmare: maintenance costs are high due to organizational change, software complexity, and faulty system analysis and design
Figure 15-3: The cost of errors over the systems development cycle
System Quality Problems: Software and Data
Data Quality Problems: caused by errors during data input or faulty information system and database design
Creating a Control Environment
Controls
• Methods, policies, and procedures
• Protection of organization’s assets
• Accuracy and reliability of records
• Operational adherence to management standards
General Controls and Application Controls
General Controls
• Govern design, security, and use of computer programs throughout the organization
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures to create the overall control environment
• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Implementation controls
• Administrative controls
Figure 15-4: Security profiles for a personnel system
Application Controls
• Automated and manual procedures that ensure only authorized data are processed by the application
• Unique to each computerized application
• Classified as (1) input controls, (2) processing controls, and (3) output controls
Control totals: Input, processing
Edit checks: Input
Computer matching: Input, processing
Run control totals: Processing, output
Report distribution logs: Output
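As an added illustration (not code from the textbook), the following Python sketch shows three of the application controls listed above working together over a constructed batch of payroll transactions: edit checks on input, control totals computed at input, and a run control total reconciled after processing so that lost or duplicated records are detected. The record layout, the 0-80 hour reasonableness range, and the function names are assumptions made for the demonstration.

```python
"""Application controls over a constructed batch of payroll transactions:
edit checks (input), control totals (input) and a run control total
reconciled after processing. Everything here is illustrative."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Txn:
    emp_id: str      # assumed format: 'E' followed by four digits
    hours: Decimal
    rate: Decimal


# Constructed sample batch; the last record has an out-of-range value.
SAMPLE_BATCH = [
    Txn("E1001", Decimal("40"), Decimal("25.00")),
    Txn("E1002", Decimal("38.5"), Decimal("30.00")),
    Txn("E1003", Decimal("99"), Decimal("20.00")),   # fails reasonableness check
]


def edit_checks(t: Txn) -> list:
    """Input control: return the edit checks a single record fails."""
    errors = []
    if not (len(t.emp_id) == 5 and t.emp_id[0] == "E" and t.emp_id[1:].isdigit()):
        errors.append("format: emp_id must be 'E' followed by 4 digits")
    if not (Decimal("0") <= t.hours <= Decimal("80")):
        errors.append("reasonableness: hours outside 0-80")
    if t.rate <= 0:
        errors.append("sign: rate must be positive")
    return errors


def control_totals(batch) -> dict:
    """Input control: record count, financial total and a hash total.
    The hash total (sum of employee id numbers) has no business meaning;
    it exists only so that a dropped or altered record changes it."""
    return {
        "record_count": len(batch),
        "financial_total": sum(t.hours * t.rate for t in batch),
        "hash_total": sum(int(t.emp_id[1:]) for t in batch),
    }


def process(batch) -> tuple:
    """Processing stage: accept only records that pass every edit check
    and keep the rejects, so that input totals can still be reconciled."""
    accepted = [t for t in batch if not edit_checks(t)]
    rejected = [t for t in batch if edit_checks(t)]
    return accepted, rejected


def reconcile(input_totals: dict, accepted, rejected) -> bool:
    """Run control total: every total taken at input must equal the
    corresponding total of accepted plus rejected records after the run."""
    acc = control_totals(accepted)
    rej = control_totals(rejected)
    return all(input_totals[k] == acc[k] + rej[k] for k in input_totals)


if __name__ == "__main__":
    totals = control_totals(SAMPLE_BATCH)
    accepted, rejected = process(SAMPLE_BATCH)
    print("input totals:", totals)
    print("rejected:", [(t.emp_id, edit_checks(t)) for t in rejected])
    print("run reconciles:", reconcile(totals, accepted, rejected))
```

The point of keeping rejected records in the reconciliation is that a run which silently drops a record (for example because of a processing fault or unauthorized change) no longer balances against the input control totals, which is exactly the condition a run control total exists to surface.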
Protecting the Digital Firm
• High-availability computing
• Fault-tolerant computer systems
• Disaster recovery planning
• Business continuity planning
• Load balancing; mirroring; clustering
• Recovery-oriented computing
• Managed security service providers (MSSPs)
Internet Security Challenges
• Public, accessible network
• Abuses have widespread effect
• Fixed Internet addresses
• Corporate systems extended outside organization
Figure 15-5: Internet security challenges
• Firewall screening technologies
  • Static packet filtering
  • Stateful inspection
  • Network address translation
  • Application proxy filtering
• Intrusion detection systems
• Scanning software
• Monitoring software
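As an added example (not from the textbook), the Python simulation below contrasts the first two firewall screening technologies on the same policy: internal hosts may open web connections to the Internet. A static packet filter judges each packet in isolation, so to let replies back in it has to accept any inbound packet that merely looks like a reply; stateful inspection keeps a connection table and accepts an inbound packet only when it belongs to a connection an internal host actually opened. The packet fields, the address ranges (documentation prefixes) and the class and function names are assumptions made for the demonstration.

```python
"""Static packet filtering versus stateful inspection, simulated over
constructed packets. Both enforce: inside hosts may open TCP to port 80."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" (internal -> Internet) or "in" (Internet -> internal)
    syn: bool = False   # True for the packet that opens a connection


def static_filter(p: Packet) -> bool:
    """Stateless rules, one packet at a time. Because no connection state
    is kept, inbound replies can only be recognised by their port numbers,
    so any inbound packet from port 80 to an ephemeral port is accepted."""
    if p.direction == "out" and p.dport == 80:
        return True
    if p.direction == "in" and p.sport == 80 and p.dport > 1023:
        return True
    return False


class StatefulFilter:
    """Tracks connections opened from inside. Inbound packets are accepted
    only when they are the reverse of an entry in the state table."""

    def __init__(self):
        self.table = set()   # (src, sport, dst, dport) of open connections

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.direction == "out":
            if p.dport == 80 and p.syn:
                self.table.add(key)          # new outbound connection
                return True
            return key in self.table         # later packets of that connection
        # inbound: must match a tracked connection in the reverse direction
        return (p.dst, p.dport, p.src, p.sport) in self.table


# Constructed traffic: a legitimate request and its reply, followed by an
# unsolicited inbound packet that carries source port 80 but belongs to no
# connection any internal host opened.
TRAFFIC = [
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "out", syn=True),
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, "in"),
    Packet("198.51.100.7", 80, "10.0.0.5", 40002, "in"),
]


def run(decide, packets) -> list:
    """Apply a filter decision function to each packet in order."""
    return [decide(p) for p in packets]


def compare() -> dict:
    """Decisions of both filters over the constructed traffic."""
    stateful = StatefulFilter()
    return {"static": run(static_filter, TRAFFIC),
            "stateful": run(stateful.allow, TRAFFIC)}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, ["allow" if d else "drop" for d in decisions])
```

The third packet is the instructive one: the static filter admits it because its headers satisfy the reply rule, while the stateful filter drops it because nothing in its connection table matches. This is the gap the slide's distinction between static packet filtering and stateful inspection is pointing at.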