©1999 Addison Wesley Longman Slide 13.1 Information System Security and Control 13

©1999 Addison Wesley Longman Slide 13.1

Information System Security and Control

13

©1999 Addison Wesley Longman Slide 13.2

Table 13.1 London Ambulance Service: an Information System Disaster

©1999 Addison Wesley Longman Slide 13.3

Table 13.1 London Ambulance Service: an Information System Disaster

CUSTOMER

People requiring emergency medical care

Ambulance drivers requiring information about where to pick up patients requiring emergency transportation to a hospital

©1999 Addison Wesley Longman Slide 13.4

Table 13.1 London Ambulance Service: an Information System Disaster

PRODUCT

Location of next pickup, selected to minimize delays and communicated immediately

©1999 Addison Wesley Longman Slide 13.5

Table 13.1 London Ambulance Service: an Information System Disaster

BUSINESS PROCESS

Major steps:

•Track the location of all ambulances

•Receive telephone notification of an emergency situation requiring an ambulance

•Decide which ambulance should respond to the emergency

•Notify the ambulance driver

•Track the disposition of each call

Rationale:

Treat all of London as a single zone

Automate many of the dispatching decisions

©1999 Addison Wesley Longman Slide 13.6

Table 13.1 London Ambulance Service: an Information System Disaster

PARTICIPANTS

Dispatching staff

Ambulance drivers

INFORMATION

Location of people having medical emergencies

Location of ambulances

Geography of London

TECHNOLOGY

Telephone

Radio transmitters and receivers

Computer program making dispatching decisions

©1999 Addison Wesley Longman Slide 13.7

Table 13.2 Common Reasons for Project Failure at Different Project Phases

INITIATION

•The reasons for building the system have too little support.

•The system seems too expensive.

DEVELOPMENT

•It is too difficult to define the requirements.

•The system is not technically feasible.

•The project is too difficult for the technical staff assigned.

IMPLEMENTATION

•The system requires too great a change from existing work practices.

•Potential users dislike the system or resist using it.

•Too little effort is put into the implementation.

OPERATION AND MAINTENANCE

•System controls are insufficient.

•Too little effort goes into supporting effective use.

•The system is not updated as business needs change.

©1999 Addison Wesley Longman Slide 13.8

Figure 13.1 Seven types of risks related to accidents

©1999 Addison Wesley Longman Slide 13.9

Figure 13.2 Threats related to computer crime

©1999 Addison Wesley Longman Slide 13.10

Box 13.1 Examples of fraud committed using transaction processing systems

•FORGERY

•IMPERSONATION FRAUD

•DISBURSEMENTS FRAUD

•INVENTORY FRAUD

•PAYROLL FRAUD

•PENSION FRAUD

•CASHIER FRAUD

©1999 Addison Wesley Longman Slide 13.11

Figure 13.3 Check forgery

©1999 Addison Wesley Longman Slide 13.12

Table 13.3 Conditions That Increase Vulnerability

THREATS FROM UNINTENTIONAL OCCURRENCES

•Operator error

•Hardware malfunction

•Software bugs

•Data errors

•Damage to physical facilities

•Inadequate system performance

•Liability

THREATS FROM INTENTIONAL ACTIONS

•Theft

•Vandalism and sabotage

©1999 Addison Wesley Longman Slide 13.13

Figure 13.4 Value chain for system security and control

©1999 Addison Wesley Longman Slide 13.14

Figure 13.5 Software change control

©1999 Addison Wesley Longman Slide 13.15

Table 13.4 Controlling Access to Data, Computers, and Networks

ENFORCE MANUAL DATA HANDLING GUIDELINES

•Lock desks

•Shred discarded documents and manuals

DEFINE ACCESS PRIVILEGES

•Give different individuals different levels of privilege for using the computer

•Give different individuals different levels of access to specific data files

ENFORCE ACCESS PRIVILEGES

What you know

•Password

•Special personal data

What you have

•ID card

•Key to physical facility

Where you are

•Call-back system

Who you are

•Fingerprint or handprint

•Retina pattern

•Voice pattern

CONTROL INCOMING DATA NETWORKS AND OTHER MEDIA

•Use firewalls

•Scan for viruses

MAKE DATA MEANINGLESS TO ANYONE LACKING AUTHORIZATION

•Data encryption
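The "define" and "enforce" rows of Table 13.4 can be shown as one small access-control check: a privilege level per user and per data file, enforced only after the user has presented something they know (password), something they have (ID card or token serial) and where they are (the number a call-back system dials). This is an added example, not code from the textbook; the role names, file names, privilege levels and PBKDF2 password hashing are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Constructed sample policy (an assumption, not from the textbook): a privilege
# level per role and the level each file requires per action.
PRIVILEGE_LEVEL = {"clerk": 1, "analyst": 2, "admin": 3}
FILE_ACL = {"payroll.dat": {"read": 2, "write": 3},
            "enrollment.dat": {"read": 1, "write": 2}}

def hash_secret(secret: str, salt: bytes) -> bytes:
    # Keep only a salted PBKDF2 hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes         # "what you know": password, stored hashed
    token_serial: str      # "what you have": serial of the user's ID card or token
    callback_number: str   # "where you are": number the call-back system dials

def make_user(name, role, password, token_serial, callback_number) -> User:
    salt = secrets.token_bytes(16)
    return User(name, role, salt, hash_secret(password, salt), token_serial, callback_number)

def authenticate(user, password, token_serial, caller_number) -> bool:
    # Enforce access privileges: every factor must match. Constant-time
    # comparison keeps a timing difference from revealing which factor failed.
    know = hmac.compare_digest(hash_secret(password, user.salt), user.pw_hash)
    have = hmac.compare_digest(token_serial.encode(), user.token_serial.encode())
    where = hmac.compare_digest(caller_number.encode(), user.callback_number.encode())
    return know and have and where

def authorize(user, filename, action) -> bool:
    # Define access privileges: the role's level must reach the file's level
    # for this action; unknown files or actions are denied (fail closed).
    required = FILE_ACL.get(filename, {}).get(action)
    return required is not None and PRIVILEGE_LEVEL.get(user.role, 0) >= required

def access(user, password, token_serial, caller_number, filename, action) -> str:
    if not authenticate(user, password, token_serial, caller_number):
        return "denied: authentication failed"
    if not authorize(user, filename, action):
        return "denied: insufficient privilege"
    return "granted"
```

Authentication is checked before authorization so that a caller who cannot prove who they are learns nothing about which files exist or what privilege they would need.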

©1999 Addison Wesley Longman Slide 13.16

Figure 13.7 Possible locations for checking data transfers in a corporate network

©1999 Addison Wesley Longman Slide 13.17

Figure 13.8 Using public key encryption

©1999 Addison Wesley Longman Slide 13.18

Figure 13.9 Validation checks for a course enrollment transaction