SECURITY , CONTROL AND REPORTING

Security refers to the polices, procedures and

technical measures used to prevent unauthorized

access, alteration, theft, or physical damage to

information systems.

Information security means protecting information and

information systems from unauthorized access, use,

disclosure, disruption, modification or destruction.

Need for SecurityMaintaining information

confidentiality.Ensure the integrity and reliability

of data resources.Ensure the uninterrupted

availability of data resources.

Threats to Information Systems Categories

of threatsAccidents and Malfunctions Computer

CrimeOperator ErrorHardware

Malfunctions

Software Bugs

Data ErrorsAccidental

disclosure of information

Damage to physical facilities

Inadequate system performance

Liability for system failure

Hacking

Cyber theft

Unauthorized use at work

Piracy

Computer viruses and

worms

IS Vulnerability A security risk may be classified as a

vulnerability. System vulnerability is a weakness which

allows an attacker to reduces system information assurance.

Vulnerability is the intersection of 3 elements

System weakness Attacker access leads to flaw. Attacker capability to exploit the data base.

Causes of system vulnerabilityVarious system vulnerability are caused by •HackersThrough variety of tricks, access the data flowing over networks.Steel valuable data during transmission.Alter messages without authorization.

Radiation.

• Internet and other networks are vulnerable to disruptions from radiation.

• Intruders can launch denial of services attacks or to disrupt the operation of websites.

• It destroy or alter the corporate data stored in databases or files.

Malfunctioning.

• The major cause for the computer software to fail are:• Errors In Programming, • Improper Installation, or• Unauthorized changes• Other natural disasters can also disrupt computer systems• Power failures• Floods.• Fires.

Information on the network

Domestic or offshore partnering with another company adds to system vulnerability if valuable information resides on networks and computer outside the organizations control.

Internet vulnerabilities Vulnerability has also increased from widespread use of e-mail and

IM.

E-Mail

Employees may use e-mail messages to transmit valuable trade

secrets, financial data or confidential customer information to

unauthorized recipients.

Instant Messaging (IM)

Consumer do not use a secure layer for text messages, so they can

be intercepted and read by outsiders during transmission over the

public internet.

Disaster management DMP is a plan of action to recover from the impact on

the information systems. The objective of DMP is : not only to start the system again but start properly

from a stage when it is stopped with all data integrity maintained after recovery to

ensure that quality of output is not defective due to loss of data, incomplete data or incorrect data.

DMP ProcessStep 1 : Identify the critical business processes.

Step2: Access the business risk. (probability of risk occurrence, risk exposure, time of exposure)

Step3 : Enlist the impact target of the damage for attention to manage and recover.

Step4 : Identify the life saving data, files, software applications, packages, hardware, servers, and database linked to these process.

Step 5 : Segregate need into 2 classes

(i) Switch to manual process.(ii) Work at offsite with data backup

created at offsite location.Step 6 : prepare a plan of bridging

pre - and post- disaster scenario so that community of data and information is maintained.

Step 7 : Ensure all risks are suitably covered by appropriate insurance policies.

Step 8 : Authority, rights for decisions and actions in the event of disaster should be clear in DMP.

Step 9 : Test the DMP plan once a year in simulated live model event.

Threats and controls for disaster management.

1. Threats to facilities and structure

i) Earthquakes, fires, explosions, floods and other events.

ii) Power failures iii) Theftiv) Unauthorized use of IT structure.v) Damage by disgruntled employees.

Controls

Design buildings for the natural threats. Store sensitive data, applications, offsite in a

different building. Provide security training to employees. Provide dedicated power lines with UPS. Screen employees and usual visitors and get the

appropriate secrecy bonds signed from them. Use biometric access controls and IDs.

Threats to communication systemIncorrect input due to communication break down.Intrusion by unauthorized persons and damage to communication system.Insertion of viruses.Defective network operations.

controlsFirewalls.Error deduction and correction methodsUser IDs, passwords and PINs.Encryption and decryption of key inputs/ outputs.

Threats to database and DBMS Corruption of data Theft of data. Unauthorized access. Data inconsistency.Controls: Use of antivirus software Backup copies Restricted authority to update and delete Limited, authorized access to database. Dedicated to DB administrator.

TestingWhen a system is developed, it is hoped

that it performs properly.However, some errors always occur.The main purpose of testing information

systems is to find the errors and correct them.

A successful test is one which finds error.

Objectives of testing To ensure that during operation the system

will perform as per specifications. To make sure that the system meets your

requirements during operation. To see that when correct inputs are fed to

the system so that the outputs are also correct. To make sure that during operations, incorrect

input , processing and outputs will be detected.

Classification of information system tests The test should include both manual operations and

computerized operations.

Information system testing are :

comprehensive evaluation of the programs

Manual procedures

Computer operations and controls

1.Unit Testing• It is a method by which individual units of

source code are tested to determine if they are fit for use.

2.Integration Testing• It is systematic technique for constructing

the program structure while at the same time conducting tests to uncover errors associated with interfacing.

Types of integration testingBig bang integration testing•All components or modules is integrated simultaneously, after which everything is tested as a whole.Top down integration testing•It takes place from top to bottom, following the control flow or architectural structure.•Bottom up

Testing takes place from the bottom of the control flow upward. Components or systems are substituted by drivers.

Mixed Integration testing

It is also called as sandwiched testing.

It follows a combination of top- down and bottom – up testing approaches.

Top- down approach can start only after the top- levels modules have been coded and unit tested.

Bottom – up testing can start only

after the bottom – up modules are

ready.

Mixed approach overcomes this

shortcomings as in it, testing can

start as and when modules

became unavailable.

3.Validation Testing After integration testing, software is assembled as a

package where interfacing errors have been uncovered and corrected, and then validation testing begins.

Validation succeeds when software functions as expected by the customers.

• The types of validation testing are• Alpha testing• Beta testing

4.System testing

• The behavior of whole system/product is tested as defined by the scope of the development project or product.

• It is the final test to verify that the system to be delivered meets the specifications and its purpose.

• Test – carried out by specialist’s testers.• It investigate both functional and non-

functional requirement of the testing.

Error Detection

Software errors are inescapable and they are easily permeable into programs.

The first is to prevent the introduction of errors and the second is to deduct the errors or bugs hidden in the codes.

Software error analysis includes the techniques, used to locate, Analyze, and Estimate errors and data relating to errors.

Static Testing Dynamic Testing

Testing done without executing the program

Testing done by executing the program

This testing does verification processDynamic testing does validation

process 

Static testing is about prevention of defects

Dynamic testing is about finding and fixing the defects

Static testing gives assessment of code and documentation

Dynamic testing gives bugs/bottlenecks in the software

system.

Cost of finding defects and fixing is less

Cost of finding and fixing defects is high

Return on investment will be high as this process involved at early stage

Return on investment will be low as this process involves after the

development phase

More reviews  comments are highly recommended for good quality

More defects are highly recommended for good quality.

 

Formal Analysis

Formal methods involve rigorous mathematical techniques to specify or analyze the software requirement specification, design, or code.

Error Detection in phases of Lifecycle

Requirements Design ImplementationTest Installation and CheckoutOperation and Maintenance

Controls Controls are constraints and other restrictions imposed

on a user or a system and they can be used to secure

system against the risk or to reduce caused to

systems, application and data.

Controls are implementation not only for access but

also to implement policies and ensure that nonsensical

data is not entered in to corporate database.

Types of controls

General controls

Application controls

Physical

Biometric Access

Data Security

communication

Administrative

Others

Input

Processing

Output

Storage

Software AuditThe general definition of an audit is an evaluation of a

person, organization, system, process, enterprise, project or

product.

A software audit is the process of checking each computer

in the organization and listing the software packages

installed.

The purpose of software audit is to detect and rectify any

anomalies between the software register and software

installed on the system.

Objectives of software auditOrganizations standards, processes, systems,

and plans are adequate to enable the organization

To meet its policies, requirements, and objectives.

During the execution of its wok activities.Objectives are actually being met.Resources and non- human resources are being

effectively utilized.

Audit Roles and Responsibilities

Client Auditor Management Lead auditorAuditorsAuditee management.

Audit processInitiationPlanningPreparationExecutionReportingCorrective action and follow up

Ethics in IT

Ethics is a study of the principles and practices,

which guides to decide whether the action

taken is morally right or wrong.

Ethics is about values and human behavior.

The values and human behavior is primarily

regulated by various legal provisions and can

be enforced through courts.

Technology Ethics

Ethics of technology referred into

two basic subdivisions.

Ethics in the development of

new technology.

Technological growth.

Ethics to overcome vulnerability

Vulnerability assessment. It is a periodic process that works on a system to

identify, track, and manage the repair of

vulnerabilities on the system.

It does a health check of the system.

• It is essential security process and best practice

for the well – being of the system.

Vulnerability scanning.

It identifies weakness in the

network, the type of weaknesses,

and where they are, it is up to the

security team to fix the identified

loopholes.

Ethical Guidelines

Proportionality

Informed consent

Justice

Minimized risk.

User interfaceAn interface is the common boundary between

the user and the computer system application – the point where the computer and the individual interact.

System model template

Input processin

g

Process and control

Maintenance and

testing

Output processing

User interface processing

A user interface is a part of the system that allows user to input data, to command the operations and to receive outputs from the system.

Purpose of interfaceInterface tells the system what actions

to takeFacilitates the use of systemAvoid users errors.

Types of interfaceNatural language interface

It is designed to understand the user’s own

language.

• These interfaces attempt to interpret what the user

means, and often they present back to the user a

list of interpretations from which they choose.

Eg. Microsoft’s office Assistant.

Question answer interfaceQuestion answer interface are very

popular in web-based applications.For eg. A car reservation system

may ask a series of questions to define what type of car and rental agreement requires.

MENU DRIVEN INTERFACE

The oldest and commonly employed dialogue strategy is menu selection.

Different types of menus cater to novice and expert users.

Menu- driven strategies require that the user select an action from a menu of alternatives.

FORM FILL INTERFACEIf interface has to gather a lot of

information from user, then it often helps if anyone provides a form to fill in.

Most form fill interfaces allow for easy movement around the form and for some fields to be let blank.

Command Language Interface

Instead of menus or in addition to menus, some applications are designed using a dialogue based on command language interface.(instruction driven interface)

Graphical user interfaceA GUI is primary mechanism that enables

the user to interact with a collection of elements, called screen objects that are visible to the user and used by him/her to perform tasks. They are executed by

Direct manipulationIndirect manipulation

Reporting

Report is a business document that contain only predefined data.

Good report design requires effort and attention in detail.

To produce a well-designed report, the analyst must consider design features such as report headers and footers, column headings and alignment , column spacing, field order, and grouping of detail lines.

Characteristics of Reports

Reports should be attractive and easy to understand.

Report must include the information that a user needs.

Report with too little information is of no value.

Too much information can make a report confusing and difficult to understand.

Types of reports•Detail reports

•Exception report

•Summary report