Chapter 5.docx

8 Pages
Unlock Document

Ryerson University
Information Technology Management
ITM 350
Franklyn Prescod

Chapter 5 – Security and Controls Introduction  Error is an unintentional act or omission that leads to undesirable consequences  Fraud is an intentional act that relies on deception to misappropriate assets or obtain other benefits  Malicious acts intentionally lead to the destruction of facilities, hardware, software or data  Disasters are acts of nature such as floods, storms, tornadoes, earthquakes, fires, power failures or other events that can lead to destruction of assets & disruption of business activities What Are The Key Risks Faced by Ebusinesses?  New services o Internal risks associated with new services include lack of standards, regulations & rules & support systems o External risks associated with new services are natural hazards, legal issues & environmental issues  New business models o New business models face unique risks not encountered by traditional offline business models o Include revenue leakage, poor image & inability to foster trust & confidence on the part of business partners  New processes o More on pg 89  New technology o Ebusiness use leading-edge technology that may have issues associated with scalability, security & availability  New fulfillment processes o The online fulfillment process has brought expectations of instant deliveries resulting in real-time procurement requirements  Outsourcing IT activities o More on pg 90  Companies also face the risks of malicious attacks done by employees & parties external to the company such as fraudsters, hackers & vandals, most common ones are o On pg 90  Threat is a condition or force that increases the risk of error, fraud, malicious acts or disaster  Viruses are computer programs that are inserted into computer systems on an unauthorized basis, unknown to the system owner or user & with an intent to take some action on that computer that can be mischievous or malicious Controls  Controls are preventive, detective & corrective measures that are designed to reduce the risk of error, fraud, malicious acts or disaster to an acceptable level General Controls  General controls are not unique to a particular application or applications & includes several categories o Security management  The policies & procedures that management adopts & implements to guide the security program of the enterprise fall under the security management category o General access controls  Physical access controls are measures taken by an enterprise to safeguard the physical safety of a resource by restricting access to it  Logical access controls are controls that are included in software to permit access by authorized personnel in accordance with the privileges granted to them & to prevent access by unauthorized personnel (ex. user ID, passwords)  Biometrics are access controls that rely on physical characteristics such as signatures, fingerprints, palmprints, voice recognition & retina scans to authenticate the identity of a user before permitting access  Refer to figure 5.1 on pg 93  Refer to figure 5.2 about Firewalls on pg 94  Intrusion detection system (IDS) monitors devices & processes for security threats & can alert security personnel of the occurrence of unusual activity as it occurs (shown in figure 5.3 on pg 95)  Difference between firewall & IDS is that  An IDS has an extensive database of attack signatures or patterns which allows it to detect intrusions dynamically  Firewalls either permit or block connections based on a comparatively small # of criteria & do not track related activity patterns o System acquisition or development controls  Control during the acquisition or development process is normally accomplished by setting up different directories on which to carry out the installation, programming, testing & implementation phases (more on pg 97)  Refer to figure 5.4 o System maintenance and change controls  After programs r developed & implemented, they must go through system maintenance and also go thru controls similar to development controls since the same risks & threats exist o Operations controls  Control over the operations of a computer system include the operation of servers, scheduling of jobs & maintenance of system infrastructure  Includes activities like review of system logs, monitoring system activity & review of exception reports on system activity o Business continuity controls  System must be always available in companies  Downtime can be costly & even disastrous  Business continuity plan is a plan that ensures that a business can continue to operate after a disaster or other event occurs that could otherwise disable the computer systems for a lengthy period of time  Disaster recovery plan is a detailed plan of action that allows an IS to be recovered after a disaster has made it inoperable, it must address a certain # of points (on pg 98) Applications Controls  All applications that a business uses consist of 3 basic areas o Input  Check digit controls perform a calculation on a set of digits, such as an employee ID number and then add the result of that calculation to the number  Input masks is a means to establish formats for input areas in a screen that allow certain numbers of characters &/or digits to be entered o Processing  Processing controls help to ensure that only properly tested & approved processes are used in applications  Some processing controls include  Log monitoring to ensure that all processing steps were completed  Process status checking to ensure that all program steps were executed without error or interruption  Control totals are totals based on counts of records, monetary values or hashes that are used to reconcile inputs & outputs & thereby control completeness & accuracy of processing  Hash is a total based on a field that is not expected to change (ex. total of all employee # fields in a file) & is therefore useful for ensuring that no unauthorized additions, changes or deletions have occurred in a file of records containing that field  Time stamping is the process of adding a tag containing the time that a record is created, modified or moved  Used to control the timeliness of data processing & the currency of information o Output  Output controls include controls over the distribution of reports, including access to online reports  If reports r paper form, controls determine which printer was used, where it is located & who has access to it  If reports r online, controls determine who can view the repots  Control over Communications o A major communications control is encryption o Encryption is 1 of the most important control tools used in ebusiness to protect the confidentiality of information (refer to figure 5.5) o Message digests is a unique # calculated from the content of a message that can then be added to the message & checked by recalculating the # to ensure that the message has not been tampered with o Digital signatures are an encrypted message digest that can only be decrypted by a key that authenticates the sender’s identity o Encryption  It is the conversion of data into a form called cipher which is very difficult to read without possession of a key
More Less

Related notes for ITM 350

Log In


Don't have an account?

Join OneClass

Access over 10 million pages of study
documents for 1.3 million courses.

Sign up

Join to view


By registering, I agree to the Terms and Privacy Policies
Already have an account?
Just a few more details

So we can recommend you notes for your school.

Reset Password

Please enter below the email address you registered with and we will send you a link to reset your password.

Add your courses

Get notes from the top students in your class.