Managing Information

Systems
Information Systems Security and Control
Part 2
Dr. Stephania Loizidou Himona
ACSC 345

Objectives
Demonstrate that Information System
vulnerabilities can be controlled
Demonstrate the ways in which Information
Systems can be controlled in an
organisation
Demonstrate some of the technologies that
can be used to control Information Systems
vulnerabilities
Dr. S. Loizidou - AC

Controlling Information Systems

Recall there are numerous threats to
Information Systems
Hardware failures
Software failures
Upgrade issues
Disasters
Malicious intent

Dr. S. Loizidou - AC

Controlling Information Systems

To minimise likelihood of threats, must
control the environment in which Information
Systems are developed and deployed
Controls put in place to:
Manually control environment of Information
Systems
Automatically add controls to Information
Systems

Dr. S. Loizidou - AC

Controlling Information Systems

Implemented through
Policies
Procedures
Standards

Control must be thought about through all

stages of Information Systems analysis,
construction, deployment operations and
maintenance
Dr. S. Loizidou - AC

Controlling Information Systems

What sort of controls can be put in place?

Dr. S. Loizidou - AC

Controls
General controls
Controls for design, security and use of
Information Systems throughout the
organisation

Application controls
Specific controls for each application
User functionality specific

Dr. S. Loizidou - AC

General Controls
Implementation controls
Audit system development
Ensure properly managed and controlled
Ensure user involvement
Ensure procedures and standards are in use

Software controls
Authorised access to systems

Dr. S. Loizidou - AC

General Controls
Hardware controls
Physically secure hardware
Monitor for and fix malfunction
Environmental systems and protection
Backup of disk-based data

Dr. S. Loizidou - AC

General Controls
Computer operations controls
Day-to-day operations of Information Systems
Procedures
System set-up
Job processing
Backup and recovery procedures

Dr. S. Loizidou - AC

10

General Controls
Data security controls
Prevent unauthorised access, change or
destruction
When data is in use or being stored
Physical access to terminals
Password protection
Data level access controls

Dr. S. Loizidou - AC

11

General Controls
Administrative controls
Ensure organisational policies, procedures and
standards and enforced
Segregation of functions to reduce errors and
fraud
Supervision of personal to ensure policies and
procedures are being adhered to

Dr. S. Loizidou - AC

12

Application Controls
Input controls
Data is accurate and consistent on entry
Direct keying of data, double entry or automated
input
Data conversion, editing and error handling
Field validation on entry
Input authorisation and auditing
Checks on totals to catch errors
Dr. S. Loizidou - AC

13

Application Controls
Processing controls
Data is accurate and complete on processing
Checks on totals to catch errors
Compare to master records to catch errors
Field validation on update

Dr. S. Loizidou - AC

14

Application Controls
Output controls
Data is accurate, complete and properly
distributed on output
Checks on totals to catch errors
Review processing logs
Track recipients of data

Dr. S. Loizidou - AC

15

Protecting Information Systems

What sorts of technology can we use to
implement Information Systems controls?

Dr. S. Loizidou - AC

16

Protecting Information Systems

Information Systems, especially TPS,
require high degrees of availability
Technology is available to ensure systems
are available and contain accurate
information

Dr. S. Loizidou - AC

17

High Availability Computing

Systems available for most of the time
(some downtime allowed)
Recover quickly from crash / downtime
Redundant servers and clustering
Mirroring of data and networked storage
Load balancing
Scalable and robust infrastructure
Disaster recovery planning
Dr. S. Loizidou - AC

18

Fault Tolerant Computing

Systems available all the time (no downtime
allowed)
Specialist hardware
HP NonStop (Tandem), Stratos

Detect and correct faults in hardware and

software to keep processing

Dr. S. Loizidou - AC

19

Network Security
Permanent (open) network connectivity:
Internet, Extranet, wireless
Firewall: proxy or stateful inspection
Firewalls must be managed and part of security
policy
Encryption: public key, SSL of S-HTTP
Authentication and integrity
Digital signatures and certificates
Dr. S. Loizidou - AC

20

Developing Control
Lots of threats to Information Systems
Lots of controls required
Decision on which controls to use based
upon likelihood of threat and cost
Risk assessment

Likely frequency of threat

Cost of damage
Cost of implementation
Dr. S. Loizidou - AC

21

HOMEWORK

Dr. S. Loizidou - AC

22

HOMEWORK

Dr. S. Loizidou - AC

23