Chapter 9 - Control in Computerized Environment

1
Chapter 9 - Control inComputerized Environment

• ATG 383 Spring 2002

2
Computer Based Controls

• General control - any control that relates to
  more than one system.
• Application control - a control that relates to
  one phase of application processing (input,
  processing, output).

3
General Controls

• 12 controls are discussed on
• pages 286 - 308

4
1. Security Plan - What are the threats?
5
2a. Segregation of Duties - Systems Operations
Users submit input
Data control groups logs and reviews.
Computer operations processes.
Librarian
Data control groups logs output.
Users receive output
6
2b. Segregation of Duties - Systems Development
Users request programming changes.
Analysts develop specifications.
Programmers make changes and test.
Librarian maintains programs
7
3a. Project Development- Systems Development

• Long range plan
• Project development plan
• Assign responsibility to project manager
• Performance evaluations
• Post implementation review

8
3b. Management of AIS- Systems Operations

• Data processing schedule
• System performance measurements

9
4. Physical Access Controls

• Goal is to prevent unauthorized people from
  gaining access
• Locked rooms
• Security guards and cameras
• Identification badges

10
5. Logical Access Controls

• Identify who are authorized users.
• System must assign rights to users.
• See access control matrix, p. 294.

11
I will show you some examplesof hacked web sites.
12
6. Data Storage Controls

• These controls can be used to protect data in
  addition to physical and logical access controls
• Properly supervised file library.
• Labels.
• Concurrent update controls.

13
6. Data Storage Controls

• Record locking - prevents two people from
  accessing a file at the same time.

A wants to increase the balance by 20.
B wants to decrease the balance by 50.
Customers Balance 100
Read balance - 100
Read balance - 100
Update - 120
Write balance - 120
14
6. Data Storage Controls

• Record locking - prevents two people from
  accessing a file at the same time.

A wants to increase the balance by 20.
B wants to decrease the balance by 50.
Customers Balance 100
Read balance - 100
Read balance - 100
Update - 120
Update - 50
Customers Balance - 120
Write balance - 120
Write balance - 50
15
6. Data Storage Controls

• Record locking - prevents two people from
  accessing a file at the same time.

A wants to increase the balance by 20.
B wants to decrease the balance by 50.
Customers Balance 100
Read balance - 100
Read balance - 100
Update - 120
Update - 50
Customers Balance - 50
Write balance - 120
Write balance - 50
16
7. Data Transmission Controls

• Purpose is to detect errors in transmission and
  prevent theft of data during transmission

17
Preventing Theft of Data

• Encryption -
• scramble plaintext and create cyphertext
• transmit cyphertext or save on disk
• decrypt cyphertext and return to plaintext
• Two types of encryption
• Secret key
• Public key

18
Rule for Secret Key Encryption

• Message Key Cyphertext
• 0 0 0
• 0 1 1
• 1 0 1
• 1 1 0

19
Secret Key Encryption

• Use same key for coding and decoding.
• Therefore, key must be kept secret.
• Message 00110011
• Key 10101100
• Cyphertext 10011111
• Key 10101100
• Plaintext 00110011

20
Public Key Encryption

• Uses two keys. A public key and a private key.
• Use one key to encrypt.
• Can only use other key to decrypt.

21
Securing messages

• Cyphertext is created using private key.
• Since senders is only one who has private key,
  you know who created the message.
• However, this technique allows anyone to read the
  message.

22
Public Key Encryption
Encrypt with sender's ___________ key.
Message
Decrypt with sender's ___________ key.
Message
23
Securing messages

• Cyphertext is created using public key.
• This technique assures receiver is only one who
  can read message.
• However, this technique does not tell you who was
  the sender.

24
Public Key Encryption
Encrypt with recipient's ___________ key.
Message
Decrypt with recipient's ___________ key.
Message
25
What is needed

• Assurance that message was created by sender.
• Assurance that message can only be read by
  recipient.

26
Digital Signatures
Plain text message
Plain text message
Encrypt with senders private key
Decrypt with senders public key
Encrypt with recipients public key
Decrypt with recipients private key
27
Detecting Transmission Errors

• Send extra data that can be used to check
  message data
• Parity checking
• add extra bit so that sum of 1 bits is always
  odd or even
• A 1000001_
• B 1000010_
• C 1000011_
• D 1000100_

Assume even parity
28
Message Acknowledgement

• Add labels batch numbers to the data
• Echoing

Start Code Address Batch Number Data Parity
Check End Code
29
9. Minimize Downtime

• Two approaches
• Prevent down time with routine checking of
  hardware.
• Make system fault tolerant.
• Install redundant hardware. If component fails,
  system switches to new component.
• Example UPS provides power back-up when
  electricity is lost.

30
10. Disaster Recovery

• Plan for duplicating computer operations after a
  catastrophe occurs.
• Data and programs recovery
• Create backup copies (data and applications) and
  store offsite.
• Save several generations of master files and
  transaction files.
• Checkpoint.

31
Backing up Batch Systems

• Grandfather master file
• Transaction file
• Father master file
• Father master file
• Transaction File
• Son master file

32
Hardware Backup

• Maintain duplicate hardware facilities in remote
  location
• Hot Site - ready to go computer site - brought
  live in very short time
• Cold Site - site that can be brought live in
  reasonable time

33
11. Personal Computers Networks
34
12. Internet Controls
http//www.traceroute.org/
35
Firewalls

• Method of controlling access to / from one
  network to another.
• How this works?
• Only allows messages to from approved sites.
• Allows messages to from sites not specifically
  excluded.

36
Application Controls

• Input - Processing - Output

37
Application Controls

• 4 controls listed in text relate to input
• Batch totals,
• Source Data Controls,
• Input Validation Routines,
• On-line Data Entry Controls.

38
Application Controls - Input

• Objectives
• Make sure data is successfully transferred from
  source documents into the system.
• Detect obvious errors before the data is
  processed.

39
Input Control Example

• Look at the sales order on page 422.
• How can input errors occur?
• What controls can be used to prevent, or detect
  and correct, these errors?

40
Application Controls - Processing

• Goal is to detect errors during processing
• Default values
• Edit checks

41
Application Controls -Output

• Goal is to detect errors in output deliver
  output to correct person
• Data control group
• End user review
• Reconciliation
• Check Ids
• Passwords

42
Two broad categories of controls
43
(No Transcript)