
PRESENTED BY PRASHANT VERMA ANUJ KUMAR ROHIT TOPPO KRISHNAMURARI

Information System Controls


Effective controls provide information system security, that is, the accuracy, integrity, and safety of information activities and resources. Controls can minimize errors, fraud, and destruction in the internetworked information systems that interconnect today's end users and organizations. Effective controls also provide quality assurance for information.

TYPES OF CONTROL
Three major types of controls must be developed to ensure the quality and security of information systems. These control categories are:
1. Information System Control: managing information systems performance and security (input, processing, output and storage controls)
2. Procedural Control: standard procedures, documentation, authorization requirements, auditing
3. Facility Control: physical protection, network security, encryption, firewalls, biometric controls

Information System Controls


Information system controls are methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities. They include:
- Input controls
- Processing controls (hardware controls and software controls)
- Output controls
- Storage controls

Procedural Controls
Procedural controls are methods that specify how an organization's computer and network resources should be operated for maximum security. They help to ensure the accuracy and integrity of computer and network operations and of systems development activities. They include:
- Standard procedures and documentation
- Authorization requirements
- Audit trail

One popular tracking tool is the audit trail. Audit trail information helps uncover undesirable acts, from innocent mistakes to premeditated fraud. The information helps determine who authorized and/or made the entries, the date and time of the transactions, and other identifying data that are essential in correcting mistakes or recovering losses.

Facility Control
Facility controls are methods that protect an organization's computing and network facilities and their contents from loss or destruction. Computer networks and computer centers are subject to such hazards as accidents, natural disasters, sabotage, vandalism, unauthorized use, destruction, and theft of resources.

Facility Controls (continued)

Network Security
Programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud and destruction.

Encryption
The most widely used method uses a pair of public and private keys unique to each individual. [Diagram labels: AUTHENTICATION, CODING, MESSAGE]

Facility Controls (continued)

Firewalls
Their purpose is to block access to computing resources. A firewall:
- Provides a filter and safe transfer point
- Screens all network traffic for proper passwords or other security codes

Physical Protection Controls
Providing maximum security and protection for an organization's computer and network resources requires many types of controls. Examples: electric door locks, burglar alarms, security police, closed-circuit TV and other detection systems.

Facility Controls (continued)

Biometric Security
Measures physical traits that make each individual unique:
- Voice
- Fingerprints
- Hand geometry
- Signature dynamics
- Keystroke analysis
- Retina scanning
- Face recognition
- Genetic pattern analysis

Business Ethics

Ethical Responsibility
Basic categories of ethical issues: employee privacy, security of company records, and workplace safety.

Ethical and Social Dimensions of IT
The use of IT in business has major impacts on society, and thus raises serious ethical considerations in areas such as privacy, crime, health, working conditions, individuality, and employment.

Ethical Responsibility
[Figure: aspects of the ethical and societal dimensions of IT]

Employment
The impact of IT on employment is a major ethical concern and is directly related to the use of computers to achieve automation. IT also creates new jobs and raises productivity: it has created a host of jobs in the sale and maintenance of computer hardware and software, and in information security.

Privacy Issues
IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily.
- Benefit: increases efficiency and effectiveness
- But it may also have a negative effect on individuals' right to privacy

Health Issues
The use of IT in the workplace raises a variety of health issues:
- Job stress
- Muscle damage
- Eye strain
- Radiation exposure
- Accidents

Some solutions: ergonomics (human factors engineering), whose goal is to design healthy work environments.

Computer Crime
Computer crime poses serious threats to the integrity, safety, and quality of most business information systems.

Computer Crime Laws
The Association of Information Technology Professionals (AITP) has worked with federal and state agencies to develop computer crime laws. In its model Computer Crime Act, the AITP defines computer crime as including:
- The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
- Unauthorized release of information
- Unauthorized copying of software

Individuality
A frequent criticism of IT concerns its negative effect on the individuality of people. Computer-based systems can be ergonomically engineered to accommodate human factors that minimize depersonalization and regimentation.

Working Conditions
IT can be said to upgrade the quality of work because it can upgrade the quality of working conditions and the content of work activities. IT has eliminated monotonous or obnoxious tasks in the office and the factory that formerly had to be performed by people.

Information security relates to the protection of assets against loss, damage or disclosure of information. It should include logical and technical safeguards such as user identifiers, passwords, firewalls, etc. Its basic objective is the protection of the interests of those who rely on information from harm resulting from failure of:
- Availability
- Confidentiality
- Integrity

PRINCIPLES OF INFORMATION SECURITY
1. Accountability principle
Someone should be made accountable for relevant aspects of information security. This creates an obligation on that person to maintain information security.

2. Awareness principle
Awareness of risks and of information security measures must be disseminated, i.e. the people concerned must be aware of the security measures and how they operate.

PRINCIPLES (continued)
3. Multidisciplinary principle
Information security must be addressed taking into account both technological and non-technological issues.

4. Integration principle
Information security measures should be well integrated and coordinated. The different policies, procedures and practices related to information security management should be integrated and coordinated.

PRINCIPLES (continued)
5. Timeliness principle
The security procedures must provide for monitoring and timely response. The organization must establish procedures to monitor and respond to real or attempted breaches of security in a timely manner, in proportion to the risk involved.

PRINCIPLES (continued)
6. Reassessment principle
The various measures and operations related to information security should be reassessed periodically, because information systems and their security needs change rapidly.

PRINCIPLES (continued)
7. Cost effectiveness principle
Information security measures must be cost effective. The cost of information security must be in proportion to the value it protects for the organization.

8. Societal factors principle
Ethics must be promoted, keeping in view the rights and interests of others. Data and information must be presented fairly to legitimate users.

COMPUTER VIRUSES
In medical science, a virus is a pathogenic agent, not visible under an ordinary microscope, that transmits infection from one person to another. In computer science, a virus is a rogue software program that is difficult to detect and spreads rapidly through computer systems, destroying data or disrupting processing and memory.

VIRUSES
Viruses result in loss of productivity, interference, lockups, corrupted files, lost data, unreliable applications, corrupted e-mails, etc.

Files generally affected by viruses:
- An .exe or .com file
- The .ovl (overlay) program file
- The boot sector of a disk
- A device driver program

Functions
A virus is a program that replicates itself numerous times in the main memory of the computer system, destroying whatever data is resident there. It can spread through computer networks, especially through the internet, or through infected diskettes procured from outside.

One of the major problems in settling disputes involving computer fraud and other information security violations is the absence of commensurate cyber laws. In India, such a law was proposed in 2000 and is known as the IT Act 2000.

INFORMATION TECHNOLOGY ACT
The IT Act has provided legal recognition to electronic records and digital signatures, giving legal rights and obligations to transactions conducted through the internet and electronic communication.

OBJECTIVES OF THE IT ACT
- To give legal recognition to digital signatures for authentication of any information
- To facilitate filing documents with government departments
- To facilitate electronic storage of data

According to sec. 2, an electronic record means data, a record or data generated, an image or sound stored, received or sent in an electronic form, or a microfilm. Section 3 provides the conditions subject to which a record may be authenticated by means of affixing a digital signature.

Electronic governance
According to sec. 4 to 10, electronic governance includes how electronic records are maintained and authenticated with digital signatures. The major provisions relating to electronic governance are:
(1) Legal recognition of electronic records
(2) Foundation of electronic records

Power of the central government to make rules
According to sec. 10, the central government has the power to make rules relating to digital signatures. The rules that may be prescribed include:
(1) The type of digital signature
(2) The manner or procedure which facilitates identification of the person affixing the digital signature
(3) Control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments
(4) Any other matter which is necessary to give legal effect to digital signatures

DUTIES OF SUBSCRIBERS
According to the provisions of the IT Act, the duties of a subscriber are as follows:
(1) On acceptance of the digital signature certificate, the subscriber shall generate a key pair using a secure system.
(2) The subscriber shall exercise all reasonable care to retain control of the private key corresponding to the public key.

COMPUTER OFFENCES
Sections 65 to 78 deal with computer offences and provide penal provisions for these offences. Penal provisions exist for the following types of offences:
(1) Tampering with documents
(2) Hacking with a computer system
(3) Publication of obscene information
(4) Misrepresentation
(5) Breach of confidentiality
(6) Publishing a false digital signature certificate

POSITIVE AND NEGATIVE ASPECTS OF THE IT ACT
Various provisions of the IT Act 2000 are quite relevant for dealing with the problems arising out of computer-based information systems. These provisions have provided a legal framework for tackling the following issues related to e-commerce:
(1) Requirement of a document in writing
(2) Requirement of a signature
(3) Requirement of legal recognition for electronic messages, records and documents to be admitted in evidence in a court of law

Continued
Besides facilitating e-commerce, the provisions of the act specifically provide for punishment for computer crimes and compensation for loss arising from computer fraud. On the negative side, the act has not addressed the following issues:
(1) Protection of domain names
(2) Infringement of copyright law
(3) Jurisdictional aspects of electronic contracts, such as jurisdiction of courts of law, income tax authorities, etc.
(4) Taxation of goods and services traded through e-commerce
(5) Requirements of stamp duty on electronic contracts
