Chapter 15 Design System Interfaces, Controls, and Security

Systems Analysis and Design in a Changing World, 5th Edition

Upload: edgar-randolf-newman

Post on 29-Dec-2015


Learning Objectives

Discuss examples of system interfaces found in information systems

Define system inputs and outputs based on the requirements of the application program

Design printed and on-screen reports appropriate for recipients

Explain the importance of integrity controls

Identify required integrity controls for inputs, outputs, data, and processing

Discuss issues related to security that affect the design and operation of information systems

Overview

This chapter focuses on system interfaces, system outputs, and system controls that do not require much human interaction

Many system interfaces are electronic transmissions or paper outputs to external agents

System developers need to design and implement integrity and security controls to protect the system and its data

Outside threats from the Internet and e-commerce are a growing concern

Identifying System Interfaces

System interfaces are broadly defined as inputs or outputs with minimal or no human intervention

Inputs from other systems (messages, EDI)

Highly automated input devices such as scanners

Inputs that come from data in external databases

Outputs to external databases

Outputs with minimal HCI

Outputs to other systems

Real-time connections (both input and output)

Full Range of Inputs and Outputs

Figure 15-1

eXtensible Markup Language (XML)

A markup language (a sibling of HTML rather than an extension of it; both descend from SGML) that lets the sender define its own tags and so embed self-describing data structures in textual messages

A transaction that contains data fields can be sent with XML tags that define the meaning of each data field

XML provides a common system-to-system interface

XML is simple and readable by people

Web services are based on XML to send business transactions over the Internet
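The following is an added example, not code from the textbook or its RMO case: a small Python implementation of the kind of system-to-system XML interface the slide describes. The sending side serializes a "new order" transaction with tags that give each field its meaning; the receiving side parses it and enforces the agreed structure before any data reaches the application. The element names, the size limit and the refusal of DTD declarations are assumptions of this example, not requirements stated in the chapter.

```python
# Added example (not from the textbook): a minimal system-to-system XML
# interface for a "new order" transaction. The element names (order,
# customer_id, item, sku, qty), the size limit and the DTD check are assumed.
import xml.etree.ElementTree as ET

MAX_MESSAGE_BYTES = 64 * 1024   # assumed upper bound for one transaction


def build_order_message(customer_id, items):
    """Outbound side: serialize the transaction so the receiving system can
    interpret each field from its tag rather than from its position."""
    root = ET.Element("order")
    ET.SubElement(root, "customer_id").text = str(customer_id)
    for sku, qty in items:
        item = ET.SubElement(root, "item")
        ET.SubElement(item, "sku").text = sku
        ET.SubElement(item, "qty").text = str(qty)
    return ET.tostring(root, encoding="unicode")


def parse_order_message(text):
    """Inbound side: parse one transaction and reject anything outside the
    agreed structure, so the application only ever sees well-formed input."""
    if len(text.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    # Assumed hardening: the agreed interface never carries a DTD, so refuse
    # one up front instead of letting the parser process entity declarations.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(text)
    if root.tag != "order":
        raise ValueError("unexpected root element %r" % root.tag)
    cust = root.findtext("customer_id")
    if not cust or not cust.isdigit():
        raise ValueError("customer_id missing or not numeric")
    items = []
    for item in root.findall("item"):
        sku = item.findtext("sku")
        qty = item.findtext("qty")
        if not sku or qty is None or not qty.isdigit():
            raise ValueError("item missing sku or numeric qty")
        items.append((sku, int(qty)))
    if not items:
        raise ValueError("order has no items")
    return {"customer_id": int(cust), "items": items}


if __name__ == "__main__":
    # Constructed sample transaction, sent and received in the same process.
    msg = build_order_message(1042, [("SKU-100", 2), ("SKU-205", 1)])
    print(msg)
    print(parse_order_message(msg))
```

The parser deliberately fails closed: a message that is syntactically valid XML but does not match the interface contract (wrong root, missing customer, no line items) is rejected before the application program sees it, which is where the chapter's "controls and security necessary for each system input" belong.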

System-to-System Interface Based on XML

Figure 15-2

Design of System Inputs

Identify devices and mechanisms used to enter input

High-level review of the most up-to-date methods to enter data

Identify all system inputs and develop a list of data content for each

Provide the link between design of application software and design of user and system interfaces

Determine controls and security necessary for each system input

Input Devices and Mechanisms

Capture data as close to the original source as possible

Use electronic devices and automatic entry whenever possible

Avoid human involvement as much as possible

Seek information in electronic form to avoid data re-entry

Validate and correct information at the entry point

Prevalent Input Devices to Avoid Human Data Entry

Magnetic card strip readers

Bar code readers

Optical character recognition readers and scanners

Radio-frequency identification tags

Touch screens and devices

Electronic pens and writing surfaces

Digitizers, such as digital cameras and digital audio devices

Defining the Details of System Inputs

Ensure all data inputs are identified and specified correctly

Can use traditional structured models

Identify the automation boundary

Use DFD fragments

Segment by program boundaries

Examine structure charts

Analyze each module and data couple

List individual data fields

Automation Boundary on a System-Level DFD

Figure 15-3

Create New Order DFD with an Automation Boundary

Figure 15-4

List of Inputs for Customer Support System

Figure 15-5

Structure Chart for Create New Order

Figure 15-6

Data Flows, Data Couples, and Data Elements Making Up Inputs

Figure 15-7

Using Object-Oriented Models

Identifying user and system inputs with OO approach has same tasks as traditional approach

OO diagrams are used instead of DFDs and structure charts

System sequence diagrams identify each incoming message

Design class diagrams and sequence diagrams identify and describe input parameters and verify characteristics of inputs

Partial System Sequence Diagram for Payroll System Use Cases

Figure 15-8

System Sequence Diagram for Create New Order

Figure 15-9

Input Messages and Data Parameters from RMO System Sequence Diagram

Figure 15-10

Designing System Outputs

Determine each type of output

Make a list of specific system outputs required based on the application design

Specify any necessary controls to protect information provided in the output

Design and prototype the output layout

Ad hoc reports – designed as needed by the user

Defining the Details of System Outputs

Types of reports

Printed reports

Electronic displays

Turnaround documents

Can use traditional structured models to identify outputs

Data flows crossing the automation boundary

Data couples and report data requirements on the structure chart

Table of System Outputs Based on Traditional Structured Approach

Figure 15-11

Using Object-Oriented Models

Outputs indicated by messages in sequence diagrams

Originate from internal system objects

Sent to external actors or another external system

Output messages based on an individual object are usually part of methods of that class object

To report on all objects within a class, class-level method is used that works on entire class

Table of System Outputs Based on OO Messages

Figure 15-12

Designing Reports, Statements, and Turnaround Documents

Printed versus electronic

Types of output reports

Detailed

Summary

Exception

Executive

Internal versus external

Graphical and multimedia presentation

RMO Summary Report with Drill Down to the Detailed Report

Figure 15-16

Sample Bar Chart and Pie Chart Reports

Figure 15-17

Formatting Reports

What is the objective of the report?

Who is the intended audience?

What is the medium for presentation?

Avoid information overload

Format considerations include meaningful headings, date of information, date report produced, page numbers

Designing Integrity Controls

Mechanisms and procedures built into a system to safeguard it and the information contained within

Integrity controls

Built into the application and database system to safeguard information

Security controls

Built into the operating system and network

Objectives of Integrity Controls

Ensure that only appropriate and correct business transactions occur

Ensure that transactions are recorded and processed correctly

Protect and safeguard assets of the organization

Software

Hardware

Information

Points of Security and Integrity Controls

Figure 15-18

Input Integrity Controls

Used with all input mechanisms

Additional level of verification to help reduce input errors

Common control techniques

Field combination controls

Value limit controls

Completeness controls

Data validation controls
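As an added example (not from the textbook), the four control techniques on this slide applied to one order record in Python. The field names, limits, lookup table and the sample records are constructed for illustration and are not taken from the chapter's RMO case.

```python
# Added example (not from the textbook): the four classes of input integrity
# control run over one order record. Field names, limits and the VALID_STATES
# lookup table are assumed for illustration.
import re
from datetime import date

REQUIRED_FIELDS = ("customer_id", "order_date", "ship_date",
                   "state", "qty", "unit_price")
VALID_STATES = {"UT", "CO", "CA", "NY"}   # constructed lookup table
MAX_QTY = 100                             # assumed per-line limit
MAX_LINE_TOTAL = 5000.00                  # assumed per-line money limit


def completeness_controls(rec):
    """Every required field must be present and non-empty."""
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    return ["missing field: %s" % f for f in missing]


def data_validation_controls(rec):
    """Each field must have the right format/type or match a lookup table."""
    errors = []
    if not re.fullmatch(r"\d{1,10}", str(rec.get("customer_id", ""))):
        errors.append("customer_id must be 1-10 digits")
    if rec.get("state") not in VALID_STATES:
        errors.append("state not in lookup table")
    for f in ("order_date", "ship_date"):
        if not isinstance(rec.get(f), date):
            errors.append("%s is not a date" % f)
    return errors


def value_limit_controls(rec):
    """Numeric fields must fall inside reasonable bounds."""
    errors = []
    qty = rec.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        errors.append("qty outside 1..%d" % MAX_QTY)
    price = rec.get("unit_price")
    if not isinstance(price, (int, float)) or price <= 0:
        errors.append("unit_price must be positive")
    elif isinstance(qty, int) and qty * price > MAX_LINE_TOTAL:
        errors.append("line total exceeds %.2f" % MAX_LINE_TOTAL)
    return errors


def field_combination_controls(rec):
    """Fields that are individually valid must still make sense together."""
    errors = []
    od, sd = rec.get("order_date"), rec.get("ship_date")
    if isinstance(od, date) and isinstance(sd, date) and sd < od:
        errors.append("ship_date precedes order_date")
    if rec.get("payment_method") == "card" and not rec.get("card_token"):
        errors.append("card payment requires card_token")
    return errors


def check_input(rec):
    """Run all four control classes; an empty list means the input is accepted."""
    errors = completeness_controls(rec)
    if errors:
        return errors   # nothing to validate if the data is not there
    for control in (data_validation_controls, value_limit_controls,
                    field_combination_controls):
        errors.extend(control(rec))
    return errors


# Constructed sample records for demonstration.
SAMPLE_GOOD = {
    "customer_id": "1042", "order_date": date(2015, 12, 1),
    "ship_date": date(2015, 12, 3), "state": "UT", "qty": 3,
    "unit_price": 19.99, "payment_method": "card", "card_token": "tok_abc",
}
SAMPLE_BAD = dict(SAMPLE_GOOD, ship_date=date(2015, 11, 30), qty=500,
                  state="ZZ", card_token="")

if __name__ == "__main__":
    print("good:", check_input(SAMPLE_GOOD))
    print("bad: ", check_input(SAMPLE_BAD))
```

Note the order: completeness first, because the other three controls can only be applied to data that is actually present, and the function returns every violation rather than the first one, so the operator (or the sending system) can fix the whole record in one round trip.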

Database Integrity Controls

Access controls

Data encryption

Transaction controls

Update controls

Backup and recovery protection

Output Integrity Controls

Ensure output arrives at proper destination and is correct, accurate, complete, and current

Destination controls - output is channeled to correct people

Completeness, accuracy, and correctness controls – appropriate information present in the output

Integrity Controls to Prevent Fraud

Three conditions are present in fraud cases

Personal pressure, such as the desire to maintain an extravagant lifestyle

Rationalizations, including “I will repay this money” or “I have this coming”

Opportunity, such as unverified cash receipts

Control of fraud requires both manual procedures and computer integrity controls

Fraud Risks and Prevention Techniques

Figure 15-19

Designing Security Controls

Security controls protect the assets of the organization from all threats

External threats such as hackers, viruses, worms, and message overload (denial-of-service) attacks

Security control objectives

Maintain a stable, functioning operating environment for users and application systems (24 x 7)

Protect information and transactions during transmission outside the organization (public carriers)

Security for Access to Systems

Used to control access to any resource managed by operating system or network

User categories

Unauthorized user – no authorization to access

Registered user – authorized to access the system

Privileged user – authorized to administer the system

Organized so that all resources can be accessed with the same unique ID/password combination (single sign-on); one credential then guards every resource, so protecting it matters all the more

Users and Access Roles to Computer Systems

Figure 15-20

Managing User Access

Most common technique is user ID / password

Authentication – Is the user who they claim to be?

Smart card – computer-readable plastic card with embedded security information

Biometric devices – keystroke patterns, fingerprinting, retinal scans, voice characteristics

Authorization – Is the authenticated user permitted to access the resource?

Access control list – the users with rights to access a resource
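An added example, not the textbook's code: authentication followed by authorization in Python for the three user categories on the previous slide. Passwords are stored as salted PBKDF2 hashes rather than in clear; the user directory, the access control list, the resource and action names and the PBKDF2 iteration count are all constructed for illustration.

```python
# Added example (not from the textbook): authenticate a user ID/password
# against stored salted hashes, then authorize the request against an ACL.
# The directory, ACL, resource names and iteration count are assumed.
import hashlib
import hmac
import secrets

UNAUTHORIZED, REGISTERED, PRIVILEGED = "unauthorized", "registered", "privileged"
PBKDF2_ITERATIONS = 100_000   # assumed work factor


def make_password_record(password):
    """Store a per-user random salt and a PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def authenticate(users, user_id, password):
    """Is the user who they claim to be?  Returns the user's category,
    or UNAUTHORIZED when the ID is unknown or the password is wrong."""
    user = users.get(user_id)
    if user is None:
        # Hash anyway so an unknown ID costs the same time as a bad password
        # and cannot be distinguished by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16,
                            PBKDF2_ITERATIONS)
        return UNAUTHORIZED
    rec = user["password"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"],
                                 PBKDF2_ITERATIONS)
    if hmac.compare_digest(digest, rec["digest"]):   # constant-time compare
        return user["category"]
    return UNAUTHORIZED


def authorize(acl, user_id, category, resource, action):
    """Is the authenticated user permitted to perform this action on this
    resource?  Decided by category first, then by the resource's ACL."""
    if category == UNAUTHORIZED:
        return False
    if category == PRIVILEGED:
        return True   # administrators may manage every resource
    entry = acl.get(resource, {})
    return action in entry.get(user_id, set())


# Constructed user directory and ACL.
USERS = {
    "clerk1": {"category": REGISTERED,
               "password": make_password_record("correct horse")},
    "admin":  {"category": PRIVILEGED,
               "password": make_password_record("s3cret-admin")},
}
ACL = {
    "orders":  {"clerk1": {"read", "create"}},
    "payroll": {},   # no registered user is listed; only privileged users get in
}


def request(user_id, password, resource, action):
    """One access request: authenticate, then authorize, never the reverse."""
    category = authenticate(USERS, user_id, password)
    return authorize(ACL, user_id, category, resource, action)


if __name__ == "__main__":
    print(request("clerk1", "correct horse", "orders", "read"))    # True
    print(request("clerk1", "correct horse", "payroll", "read"))   # False
```

The two questions on the slide are answered by two separate functions on purpose: authenticate() only establishes identity and category, and authorize() only consults the ACL for an identity that authentication has already vouched for, so a wrong password can never be upgraded into access by a generous ACL entry.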

Data Security

Data and files themselves must be secure

Encryption – primary security method

Altering data so unauthorized users cannot view it

Decryption

Altering encrypted data back to its original state

Symmetric key – the same key encrypts and decrypts

Asymmetric key – the key that decrypts is different from the key that encrypted

Public key – the public key encrypts; only the matching private key decrypts

Symmetric Key Encryption

Figure 15-22

Asymmetric Key Encryption

Figure 15-23

Digital Signatures and Certificates

Encryption of messages enables secure exchange of information between two entities holding the appropriate keys

Digital signature – a hash of the document encrypted with the author's private key; anyone holding the public key can decrypt it and compare it with the document's hash, which verifies both the author and that the document was not altered

Digital certificate – an institution's name and public key, digitally signed (not encrypted) by a trusted third party so that the binding between name and key can be checked

Certifying authority, e.g. VeriSign or Equifax
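An added example serving both the asymmetric/public key bullets on the Data Security slide and the digital signature bullet above (not from the textbook): the raw RSA arithmetic behind "public encrypts, private decrypts" and "encrypt the document's hash with the private key", in Python using only the standard library. It omits the padding a real scheme requires, so it illustrates the key relationships only; production code uses RSA-OAEP and RSA-PSS from a vetted library. Key sizes, the sample message and the sample document are constructed for illustration.

```python
# Added example (not from the textbook): raw RSA to show how a public/private
# key pair and a digital signature relate. No padding, so for illustration
# only (real systems use RSA-OAEP / RSA-PSS from a vetted library). Requires
# Python 3.8+ for pow(e, -1, phi). Key sizes and messages are assumed.
import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return (public, private): public = (n, e), private = (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e must be coprime to phi
            break
    d = pow(e, -1, phi)             # private exponent: e * d == 1 (mod phi)
    return (p * q, e), (p * q, d)


def encrypt(public, message_int):
    """Anyone with the public key can encrypt ..."""
    n, e = public
    assert 0 <= message_int < n, "message must be smaller than the modulus"
    return pow(message_int, e, n)


def decrypt(private, cipher_int):
    """... but only the holder of the private key can decrypt."""
    n, d = private
    return pow(cipher_int, d, n)


def _digest_int(document):
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(private, document):
    """Digital signature: the document's hash 'encrypted' with the private key."""
    n, d = private
    return pow(_digest_int(document), d, n)


def verify(public, document, signature):
    """Recover the hash with the public key and compare it with a fresh hash
    of the document: proves the author held the private key and that the
    document has not changed since it was signed."""
    n, e = public
    return pow(signature, e, n) == _digest_int(document)


if __name__ == "__main__":
    pub, priv = generate_keypair(1024)
    c = encrypt(pub, 123456789)
    print(decrypt(priv, c))                                   # 123456789
    doc = b"Pay $100 to Alice"                                # constructed
    sig = sign(priv, doc)
    print(verify(pub, doc, sig), verify(pub, doc + b"0", sig))  # True False
```

Two things the slide glosses over are visible in the code: it is the hash, not the document, that gets signed (the modulus bounds the size of what can be signed, and the hash is what makes a one-character change detectable), and signing and decrypting use the same private-key operation, which is exactly why the slide can describe a signature as "encrypting with the private key".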

Using a Digital Certificate

Figure 15-24

Secure Transactions

Standard set of methods and protocols for authentication, authorization, privacy, and integrity

Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS) – protocol that builds a secure channel for sending messages over the Internet; the server (and optionally the client) is authenticated with a digital certificate, and the session is encrypted and integrity-protected

IP Security (IPSec) – standard for transmitting Internet messages securely at the IP (network) layer, so it protects all traffic between two hosts or gateways rather than a single application connection

HTTPS – HTTP carried over an SSL/TLS channel; the standard for transmitting Web pages securely (encryption, server authentication with certificates). The separate Secure HTTP (S-HTTP) proposal, which signed individual messages, was never widely adopted
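An added example, not from the textbook: what "secure channel" means in practice when a Python client opens a TLS connection. The strict context verifies the server's certificate against the trust store, matches it to the hostname and refuses TLS versions older than 1.2; the weakened variant beside it is what appears when a certificate error is "fixed" by disabling verification, and it leaves the channel encrypted but unauthenticated, so any party in the path can impersonate the server. Only the standard `ssl` module is used; no network connection is made.

```python
# Added example (not from the textbook): the TLS client settings that make the
# channel authenticated as well as encrypted, beside the weakened variant, and
# a check that flags the weak settings before a context is used.
import ssl


def secure_client_context():
    """Verify the server certificate chain and hostname; refuse pre-TLS-1.2."""
    ctx = ssl.create_default_context()          # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                   # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED         # certificate must chain to a CA
    return ctx


def insecure_client_context():
    """The weak setting: encryption without authentication, open to
    man-in-the-middle. Shown only so the difference is explicit."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx):
    """Inspect a context before it is used; returns a list of problems
    (empty list means the context authenticates the server)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS 1.0/1.1 still allowed")
    return problems


if __name__ == "__main__":
    print("secure:  ", context_problems(secure_client_context()))
    print("insecure:", context_problems(insecure_client_context()))
    # Usage with the strict context (not executed here, no network needed):
    #   import socket
    #   with socket.create_connection(("example.com", 443)) as sock:
    #       with secure_client_context().wrap_socket(sock,
    #               server_hostname="example.com") as tls:
    #           print(tls.version(), tls.getpeercert()["subject"])
```

The chapter's "digital certificate certified by a third party" is what `verify_mode = CERT_REQUIRED` enforces, and `check_hostname` is what ties that certificate to the server actually being contacted; dropping either one keeps the padlock-style encryption while silently removing the authentication that the slide lists first.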

Summary

System interfaces include all inputs and outputs except those that are part of the GUI

Designing inputs to the system is a three-step process

Identify devices/mechanisms used to enter input

Identify system inputs; develop a list of data content

Determine controls and security necessary for each system input

Traditional approach to design inputs and outputs

DFDs, data flow definitions, structure charts

Summary (cont’d)

OO approach to design inputs and outputs

Sequence diagrams, class diagrams

Integrity controls and security designed into the system

Ensure only appropriate and correct business transactions occur

Ensure transactions are recorded and processed correctly

Protect and safeguard assets of the organization

Control access to resources