Chapter 12 - Designing Systems Controls

A) Introduction

threats to an IS:

• human error from errors of commission and omission and lack of training
• destructive and fraudulent software
• output interception by unauthorized people
• corruption of and / or loss of databases
• technology platform failure
• unauthorized access

Controls: Preventive, Detective, Corrective

B) Controlling the Integrity of the Data Entered in the System

INPUT CONTROLS

Code Controls - code errors (extra character, truncation, transcription, single and double transposition)

• Check digits - ISBN #s

Input Validation Controls

• > Field Checks (missing data or blanks, alpha vs. numeric, range, check digit, size)
• > Record Checks (reasonableness, sign, size, sequence)
• > File Checks (external label, header & trailer internal labels)
  

Input Identification Controls

• use tables to authenticate each transaction

Batch Controls (Fig. 12.4)

• ensure all source documents processed once and only once
• audit trail is created from input to final output

Audit Trail Controls

• necessary for audit purposes as well as backup and recovery

C) Guard against Unreliable Software

• Viruses & Worms
• Logic Bombs
• Trojan Horses
• Salami Techniques

D) Controlling the Integrity of the Systems Output

levels of sensitivity: TOP-SECRET, RESTRICTED, PUBLIC

Real-Time Systems Output Controls (Fig. 12.7)

Telecommunication Controls:

• Encryption - Single-key Data Encryption Standard (DES)
• Double-key Public Key (Fig. 12.8-9)

Spoofing

Terminal Controls:

access controls, screen savers, position of terminals

Floppy Disk Controls:

diskless workstations

Batch System Output Controls (Fig. 12-10) -

separate responsibilities

E) Protecting the Database

• IBM's DB2 Security Model - DB2 controls access to DB2 objects (views)
• Concurrency controls - locking, conflict detection and resolution (deadlock)
• Encryption Techniques

Database Backup and Recovery - Grandfather-Father-Son

> Offsite Backup

• Remote secure storage facility
• Televaulting

> Onsite Backup

• Disk-Mirroring

F) Protecting the Hardware Technology

Mainframe Data Center Controls

physical location, construction, filtration, air con, backup water, emanation protection (Transient EMP Emanations Standard (TEMPEST)), fire suppression systems, UPSs

Personal Computer Controls

environmental controls, physical controls, database controls

G) Creating a Disaster Recovery Plan

• Prevention -plan how to avoid a disaster
• Contention - how to react if disaster occurs
• Contigency
  • Step 1: Identify Critical Functions
  • Step 2: Select Contigency Options: company-owned backup facility, reciprocal agreement, hot site vs. cold site, mobile data center
• Recovery
• Test Plan

H) Controlling Access to Data

ids & passwords, smart cards, biometric controls

Exercises: look over 1-34; turn in 12.41, 12.43, 12.45