Title: Unit 5 Online System Controls and Security
1- Unit 5 Online System Controls and Security
- Identify the validation techniques used in
on-line systems - Describe data libraries used in development
projects. - Explain the role of security in Information
Technology
2SDLC ? CONTROLS
- Planning
- Analysis/Design
- Building
- Testing
- Organization, Stakeholders, Charter
- Project Mgmt, Tools, methodology, services
- Committees, Tools, Project, Development, Dbase,
processing, security controls - Testing phases methods
3SDLC ? CONTROLS
- Implementation
- Post-Implementation
- Roll-out controls
- Backup-recovery, ITIL Service support controls,
turnover, review, report, document
4User Interface Design (UI) Every component the
users see, hear, or touch and the
workflow Screens Video segments Windows Au
dio segments Web pages Dialog boxes Printed
reports Message boxes
5- Online Controls
- Transactions processed individually
- Access security controls who enters
- Online data validation
- Exceptional transactions require special password
approval - Immediate correction for online
- Written into a transaction log immediately for
recovery/auditing.
6- Controlling the Processing of Data
- Ensure that
- All transaction are authorized
- All transactions are processed
- All transactions are complete and accurate
-
7Processing Errors Input Errors Missing data,
lost data, late data, duplicate data,
unauthorized data, inaccurate data Processing
Errors Wrong file, Untimely processing,
incomplete processing, duplicate processing,
incorrect logic, unauthorized logic
8- Controlling the Processing of Data
- All transaction are authorized
-
- Relies on systems security
- Identification
- Authentication
- Authorisation
-
9- Controlling the Processing of Data
- All transactions are processed
- rejected transactions are written to a suspense
file - all suspense file items must be deleted or
resubmitted
10Controlling the Processing of Data Name some
ways when programming to control input errors
11- Controlling the Processing of Data
- All transactions are complete and accurate
(Batch/Online) - Admissible characters edit mask e.g. 999V99
- Completeness mandatory fields e.g. x ! NULL
- Field size e.g. edit mask X(15)
- Range check e.g. value must be gt 16 and lt 85 or
Quantity ordered lt Quantity on hand - Self checking digits e.g. SIN, VIN
- Code list e.g. provinces
- Consistency (cross-field edits) e.g. if
province is Ontario then Postal Code must be in a
certain range
12 - Development Controls Classroom activity for
database - For each of the following controls
- Define what each is/what it means (if not
apparent) - What could happen without it?
13 - Database Controls
- Data architecture/corporate data model
- DBA (DataBase Analyst) creates and maintains all
production and user test databases - DBA or Security grants rights to databases/owner
approvals - Backup and recovery of database is treated
separately from systems backup and recovery - Database requires documentation and procedures
for example fallback, recovery and restart - Audit trails/logging of all transactions
- Database mirroring/availability promoted
- Restricted access to programmer tools such as
Zapper tools (bulk production database updates)
14Data Libraries
15- Data Libraries
- Production data and programs
- The companys data treated with the utmost
respect - Accessed by authorized users only
- Production support moves data and programs into
this area
16- Data Libraries
- User test data and programs
- Users data for testing and training purposes
- Can contain a copy of production data
- Accessed by authorized users only
- This is a staging area for programs on their way
to production - Production support moves data and programs into
this area
17- Data Libraries
- Development data and programs
- Developers library of programs in development
- Developers test data for integration testing
- Developers data and programs are usually
- Copied to the developers PC when required
- Used for development and unit testing
18IT SECURITY ANALYST - 996 - 1,199 / weekThe
Central Agencies IIT Cluster seeks an energetic
individual to co-ordinate projects to secure the
cluster's IIT infrastructure guide
ministry/agency business teams performing threat
risk analysis audit user access to ministry
data research, evaluate, recommend practices,
services, technologies for increasing security of
ministry data develop/implement security
policies, controls, practices, procedures, tools
to secure IIT infrastructure promote awareness
of IIT security.Qualifications experience
developing/implementing security controls,
practices, procedures, tools for IIT
infrastructures, performing audits, administering
user access privileges for Netware, Windows 2000,
IBM mainframe environments knowledge of security
policies, best practices excellent
communication, interpersonal, presentation
skills.Apply by Sep 27, 2002 to File File
3135, Ministry of Finance, Human Resources
Branch, 33 King St. W., 2nd Fl., Oshawa, ON L1H
8H5. Fax 905-433-6588.Posted 09/13/2002
www.gojobs.gov.on.ca
19- Access Controls
- What are we safeguarding?
- Data
- Programs
- Resource
-
- What is the risk?
- Destruction
- Modification
- Disclosure
- Accidental or intentional misuse
20- Human-Machine Interface
- e.g. PCs, terminals, ATMs, internet, PDAs, etc
-
- Electronic Interface
- Data sent to external organizations e.g. Payroll
sent to the bank - Data received from external organizations e.g.
Bank statement, Service Provider updates - Data transmitted between internal systems e.g.
Sales orders transferred from the Web hosting
computer to the Order Entry system
21- Security System Controls
- Operating systems security
- Database security system
- Programmatic security
- Network security
- All users and processes must apply for access.
- Management approves access request to specific
resources. - Security sets up account giving required access -
security roles. - All users and processes must be granted
privileged access to required resources - data,
programs, hardware, etc.
22- Access Management
- Access is assigned typically as privileges
- Operating system level execute, read, append,
update, delete, create, etc. to specific
resources - Database level read, append, update, delete,
create, etc. to specific tables, fields - Program level access to specific programs, menu
items, modes within screens e.g. read only,
update - Network level to servers, printers, Lan, email
23- Security
- Security is the safety of people, facilities and
data from natural and man-made threats - Security Requirements controlled access
- Identification
- Authentication
- Authorisation
- Validity
- Auditability
24- Security Requirements access controls
- Identification How you identify yourself to the
system - Authentication How the system verifies you are
who you say you are - AuthorizationHow the system knows what you are
allowed to do - ValidityHow the system ensures it only processes
valid authorized transactions and what responses
it gives - Audit abilityAbility to trace what went on in
the system and who did it
25- Your Turn
- Divide into 5 groups. Each group gets one of
- Identification, Authentication Authorization,
Validity, Auditability -
- Give examples on this control.
- What type of situations can happen if this
control fails - what does it prevent?
26- Security Requirements
- 1. Identification Who are you?
- identify user
- named user/account
- Belong to named group
- security identity badges/access control
- security cameras/pictures
27- Security Requirements
- Authentication You are who you say you are
- verify identity badge, ID card, license with
picture - person-to-machine - user password, magnetic
stripe on card, fingerprint, voice recognition,
etc - electronic dial-up may require callback to
account users phone number - Examples of password control - prompt for changes
regularly, no reuse of former passwords,
restricted minimum size, obscured/encrypted,
disabled after 3 attempts
28- Security Requirements
- Authorisation What are you allowed to do?
- ensure only appropriate users have access
- named transaction/screens menu items user
granted authority to read or update only these - User can be assigned to a group that has assigned
access privileges to specific executables,
transactions types, data row, table, field level.
29- Security Requirements
- Validity allow only valid transactions
- verify access authorization to user on all
transactions - process only valid transactions to this user
based on access rights - Log violations
- Put in corrective actions lock keyboard,
swallow charge card, sound alarm, lock exit doors
30- Security Requirements
- Auditability traceable trail of activity
- provide audit trail of all activity, record of
all transactions, record of changes in access
levels - variance detection/correction
- record/investigate all violation attempts
- detect unusual patterns in use
- exception reports sent to management, security
staff and resource owners