15
Chapter 15 Design System Interfaces, Controls, and Security
Systems Analysis and Design in a Changing World, 5th Edition
Learning Objectives
Discuss examples of system interfaces found in information systems
Define system inputs and outputs based on the requirements of the application program
Design printed and on-screen reports appropriate for recipients
Explain the importance of integrity controls
Identify required integrity controls for inputs, outputs, data, and processing
Discuss issues related to security that affect the design and operation of information systems
Overview
This chapter focuses on system interfaces, system outputs, and system controls that do not require much human interaction
Many system interfaces are electronic transmissions or paper outputs to external agents
System developers need to design and implement integrity and security controls to protect system and its data
Outside threats from the Internet and e-commerce are a growing concern
Identifying System Interfaces
System interfaces are broadly defined as inputs or outputs with minimal or no human intervention
  Inputs from other systems (messages, EDI)
  Highly automated input devices such as scanners
  Inputs that are from data in external databases
  Outputs to external databases
  Outputs with minimal HCI
  Outputs to other systems
  Real-time connections (both input and output)
eXtensible Markup Language (XML)
Extension of HTML that embeds self-defined data structures in textual messages
Transaction that contains data fields can be sent with XML codes to define meaning of data fields
XML provides common system-to-system interface
XML is simple and readable by people
Web services are based on XML to send business transactions over the Internet
Design of System Inputs
Identify devices and mechanisms used to enter input
  High-level review of most up-to-date methods to enter data
Identify all system inputs and develop list of data content for each
  Provide link between design of application software and design of user and system interfaces
Determine controls and security necessary for each system input
Input Devices and Mechanisms
Capture data as close to original source as possible
Use electronic devices and automatic entry whenever possible
Avoid human involvement as much as possible
Seek information in electronic form to avoid data re-entry
Validate and correct information at entry point
Prevalent Input Devices to Avoid Human Data Entry
Magnetic card strip readers
Bar code readers
Optical character recognition readers and scanners
Radio-frequency identification tags
Touch screens and devices
Electronic pens and writing surfaces
Digitizers, such as digital cameras and digital audio devices
Defining the Details of System Inputs
Ensure all data inputs are identified and specified correctly
Can use traditional structured models
  Identify automation boundary
  Use DFD fragments
  Segment by program boundaries
  Examine structure charts
  Analyze each module and data couple
  List individual data fields
Using Object-Oriented Models
Identifying user and system inputs with OO approach has same tasks as traditional approach
OO diagrams are used instead of DFDs and structure charts
System sequence diagrams identify each incoming message
Design class diagrams and sequence diagrams identify and describe input parameters and verify characteristics of inputs
Designing System Outputs
Determine each type of output
Make list of specific system outputs required based on application design
Specify any necessary controls to protect information provided in output
Design and prototype output layout
Ad hoc reports – designed as needed by user
Defining the Details of System Outputs
Types of reports
  Printed reports
  Electronic displays
  Turnaround documents
Can use traditional structured models to identify outputs
  Data flows crossing automation boundary
  Data couples and report data requirements on structure chart
Using Object-Oriented Models
Outputs indicated by messages in sequence diagrams
  Originate from internal system objects
  Sent to external actors or another external system
Output messages based on an individual object are usually part of methods of that class object
To report on all objects within a class, class-level method is used that works on entire class
Designing Reports, Statements, and Turnaround Documents
Printed versus electronic
Types of output reports
  Detailed
  Summary
  Exception
  Executive
Internal versus external
Graphical and multimedia presentation
Formatting Reports
What is objective of report?
Who is the intended audience?
What is media for presentation?
Avoid information overload
Format considerations include meaningful headings, date of information, date report produced, page numbers
Designing Integrity Controls
Mechanisms and procedures built into a system to safeguard it and information contained within
Integrity controls
  Built into application and database system to safeguard information
Security controls
  Built into operating system and network
Objectives of Integrity Controls
Ensure that only appropriate and correct business transactions occur
Ensure that transactions are recorded and processed correctly
Protect and safeguard assets of the organization
  Software
  Hardware
  Information
Input Integrity Controls
Used with all input mechanisms
Additional level of verification to help reduce input errors
Common control techniques
  Field combination controls
  Value limit controls
  Completeness controls
  Data validation controls
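The four common control techniques listed above, applied to one constructed sales-order record as an added example (not code from the textbook); the field names, value limits and the state/country lookup table are assumptions made for the illustration:

```python
import re
from datetime import date

# Constructed sample layout (assumed, not from the textbook): a sales-order
# record as it might arrive over a system interface such as an EDI/XML feed.
REQUIRED_FIELDS = ("order_id", "customer_id", "ship_country", "ship_state",
                   "quantity", "unit_price", "order_date")
VALID_STATES = {"US": {"CA", "NY", "TX"}, "CA": {"ON", "BC"}}  # assumed lookup
LIMITS = {"quantity": (1, 1000), "unit_price": (0.01, 10_000.00)}  # assumed

def completeness_control(rec):
    """Completeness control: every required field is present and non-empty."""
    return [f"missing field: {f}" for f in REQUIRED_FIELDS if not rec.get(f)]

def data_validation_control(rec):
    """Data validation control: each field has the expected type and format."""
    errors = []
    if not re.fullmatch(r"ORD-\d{6}", str(rec.get("order_id", ""))):
        errors.append("order_id must match ORD-nnnnnn")
    try:
        date.fromisoformat(str(rec.get("order_date", "")))
    except ValueError:
        errors.append("order_date must be an ISO date")
    for f in LIMITS:
        if isinstance(rec.get(f), bool) or not isinstance(rec.get(f), (int, float)):
            errors.append(f"{f} must be numeric")
    return errors

def value_limit_control(rec):
    """Value limit control: numeric fields stay inside plausible business bounds."""
    errors = []
    for f, (lo, hi) in LIMITS.items():
        v = rec.get(f)
        if isinstance(v, (int, float)) and not lo <= v <= hi:
            errors.append(f"{f} {v} outside {lo}..{hi}")
    return errors

def field_combination_control(rec):
    """Field combination control: related fields must agree with each other."""
    country, state = rec.get("ship_country"), rec.get("ship_state")
    if country in VALID_STATES and state not in VALID_STATES[country]:
        return [f"state {state} is not valid for country {country}"]
    return []

def check_input(rec):
    """Run all four controls; an empty list means the input passes."""
    return (completeness_control(rec) + data_validation_control(rec)
            + value_limit_control(rec) + field_combination_control(rec))
```

A rejected record should be returned to the source with the full list of violations, so that the correction happens at the entry point rather than downstream.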
Database Integrity Controls
Access controls
Data encryption
Transaction controls
Update controls
Backup and recovery protection
Output Integrity Controls
Ensure output arrives at proper destination and is correct, accurate, complete, and current
Destination controls – output is channeled to correct people
Completeness, accuracy, and correctness controls – appropriate information present in output
Integrity Controls to Prevent Fraud
Three conditions are present in fraud cases
  Personal pressure, such as desire to maintain extravagant lifestyle
  Rationalizations, including “I will repay this money” or “I have this coming”
  Opportunity, such as unverified cash receipts
Control of fraud requires both manual procedures and computer integrity controls
Designing Security Controls
Security controls protect assets of organization from all threats
  External threats such as hackers, viruses, worms, and message overload attacks
Security control objectives
  Maintain stable, functioning operating environment for users and application systems (24 x 7)
  Protect information and transactions during transmission outside organization (public carriers)
Security for Access to Systems
Used to control access to any resource managed by operating system or network
User categories
  Unauthorized user – no authorization to access
  Registered user – authorized to access system
  Privileged user – authorized to administrate system
Organized so that all resources can be accessed with same unique ID/password combination
Managing User Access
Most common technique is user ID / password
Authorization – Is user permitted to access?
  Access control list – users with rights to access
Authentication – Is user who they claim to be?
  Smart card – computer-readable plastic card with embedded security information
  Biometric devices – keystroke patterns, fingerprinting, retinal scans, voice characteristics
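The authentication-then-authorization sequence from the two slides above (user categories, user ID / password, access control list), written out as an added example that is not from the textbook; the user directory, the ACL, the resource names and the salted PBKDF2 password storage are assumptions made for the illustration:

```python
import hashlib
import hmac
import os

# Constructed example data (assumed, not from the textbook): a user directory
# and an access control list for two resources managed by the system.
ITERATIONS = 100_000

def make_credential(password):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

USERS = {  # user ID -> credential plus category (registered or privileged)
    "alice": {**make_credential("correct horse"), "category": "registered"},
    "admin": {**make_credential("battery staple"), "category": "privileged"},
}
ACL = {  # resource -> user IDs with rights to access it
    "payroll.db": {"admin"},
    "orders.db": {"alice", "admin"},
}

def authenticate(user_id, password):
    """Authentication: is the user who they claim to be? Returns category or None."""
    rec = USERS.get(user_id)
    if rec is None:
        return None  # unauthorized user: not registered at all
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return rec["category"] if hmac.compare_digest(attempt, rec["hash"]) else None

def authorize(user_id, category, resource):
    """Authorization: is an authenticated user permitted to access this resource?"""
    if category == "privileged":
        return True  # privileged user is authorized to administer the whole system
    return user_id in ACL.get(resource, set())

def access(user_id, password, resource):
    """Authenticate first, then consult the ACL; one deny reason per failed step."""
    category = authenticate(user_id, password)
    if category is None:
        return "denied: authentication failed"
    if not authorize(user_id, category, resource):
        return "denied: not on access control list"
    return "granted"
```

The same deny message is returned for an unknown user ID and for a wrong password, so the response does not reveal which registered IDs exist.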
Data Security
Data and files themselves must be secure
Encryption – primary security method
  Altering data so unauthorized users cannot view
Decryption
  Altering encrypted data back to its original state
Symmetric key – same key encrypts and decrypts
Asymmetric key – different key decrypts
Public key – public encrypts; private decrypts
Digital Signatures and Certificates
Encryption of messages enables secure exchange of information between two entities with appropriate keys
Digital signature encrypts document with private key to verify document author
Digital certificate is institution’s name and public key that is encrypted and certified by third party
  Certifying authority, such as VeriSign or Equifax
Secure Transactions
Standard set of methods and protocols for authentication, authorization, privacy, integrity
Secure Sockets Layer (SSL) renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet
IP Security (IPSec) – newer standard for transmitting Internet messages securely
Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates)
Summary
System interfaces include all inputs and outputs except those that are part of GUI
Designing inputs to system is three-step process
  Identify devices/mechanisms used to enter input
  Identify system inputs; develop list of data content
  Determine controls and security necessary for each system input
Traditional approach to design inputs and outputs
  DFDs, data flow definitions, structure charts
Summary (cont’d)
OO approach to design inputs and outputs
  Sequence diagrams, class diagrams
Integrity controls and security designed into system
  Ensure only appropriate and correct business transactions occur
  Ensure transactions are recorded and processed correctly
  Protect and safeguard assets of the organization
  Control access to resources