LESSON 8: INFORMATION SYSTEMS SECURITY AND CONTROL

Overview
After completing this chapter, you will be able to:
• Describe why information systems are so vulnerable to destruction, error, abuse and
system quality problems
• Compare general controls and application controls for information systems
• Select the factors that must be considered when developing the controls of information
systems
• Describe the most important software quality-assurance techniques
• Describe the importance of auditing information systems and safeguarding data quality
8.1 System Vulnerability and Abuse
The development, implementation and maintenance of information systems constitute a
large and growing part of the cost of doing business, protecting these resources is a
primarily concern. The increasing reliance on information systems, combined with their
connection to the “outside world” in the form of the Internet, makes security corporate
information systems increasingly challenging. The role of computer controls and security
is to protect systems against these and many other mishaps, as well as to help organizations
ensure that their information systems operations complies with the law and with
expectation of employees and customers for privacy. The major goals of information
security are:
• To reduce the risk of systems and organizations ceasing operations.
• To maintain information confidentiality.
• To ensure the integrity and reliability of data resources.
• To ensure the availability of data resources.
• To ensure compliance with national security laws and privacy policies and laws.

8.1.1 Why Systems are vulnerable?

The threats to computerized information system can stem from technology, organizational
and environmental factors. The threats can be view from two main aspect, risk to hardware
and risk to application and data.

1
Risk to hardware involves physical damage to computers, peripheral equipment and
communication media. The major causes of such damage are natural disasters, blackouts
and brownout and vandalism.
Natural disasters that pose a risk to information systems (ISs) include fire, floods,
earthquakes, tornadoes and lightning, which can destroy hardware, software or both,
causing total or partial paralysis of systems or communication lines. Flood water short-
circuits and burns delicate components such as microchips. Lightning and voltage surges
cause tiny wires to melt and destroy circuitry. Obviously, all data and programs stored in
memory chips in a computer are lost when this happens. Water from floods and the heat
created when circuits are shorted may also ruin the surface of storage media such as
magnetic tapes or disks, thereby destroying data. In addition, wildlife and human error
occasionally destroy communication lines. The easiest way to protect against loss of data
caused by natural disasters is to automatically duplicate all data periodically and store
duplicate copy in a site many miles away from the office.
Blackouts and brownouts happened when power is disrupted from the computer which
results in computers and its peripheral devices cannot functions. The change in power
supply can have very damaging effects on computer processes and storage. Blackouts are
incidents of a total loss of electrical power, meanwhile in brownouts, the voltage of the
power decreases or there are very short interruptions in the flow of power. Power failure
may not only disrupt operations but also cause irreparable damage to hardware. Occasional
surges in voltage are equally harmful because their impact on equipment is similar to that
of lightning. The popular way of handling brownouts is to connect a voltage regulator
between computers and the electric network. A voltage regulator boosts or decreases
voltage to smooth out drops or surges and guarantees maintenance of voltage within an
acceptable tolerance. To ensure against interruptions in power supply, organization use
uninterruptible power supply (UPS) systems which provide an alternative power supply
for a short time, as soon as a power net fails.
Vandalism occurs when human beings deliberately destroy computer systems. It is difficult
to defend computers against vandalism. In the work place, the best measure against
vandalism is to allow access only to those who have real need for the system. Sensitive
equipment, such as servers, should be locked in a special room.
Risk to applications and data are theft of information, data alteration and destruction,
computer viruses, programs that support unauthorized access and non-malicious mishaps.
9.1.2 Concerns for System Builders and Users
2
The heightened vulnerability of automated data has created special concerns for the
builders and users of information systems. These concerns include:
• Disaster. Fault-tolerant computer systems contains extra hardware, software and power
supply components that can back a system up and keep it running to prevent system
failure. Fault-tolerant technology is used by firms for critical applications with heavy
on-line transaction processing requirements. In on-line transaction processing,
transactions entered on-line are immediately processes by the computer. Multitudinous
changes to databases, reporting or requests for information occurs each instant. Most
of the firms will contract their backup facilities with disaster recovery firms.
• Security. Refer to the policies, procedures and technical measures used to prevent
unauthorized access, alteration, theft or physical damage to information systems.
• Errors. Computers can also serve as instruments of error, severely disrupting or
destroying an organization’s record keeping and operations.
In addition to disasters, viruses and security breaches, defective software and data pose a
constant threat to information systems, causing untold losses in productivity. Bugs and
defects hides within the codes of software are the major problems faced by most of the
firms. Bugs are the segment of program codes, which causes defects or errors. The main
source of bugs is the complexity of decision-making code. Zero defects cannot be achieved
in large programs because complete testing is not possible. Another reason that systems
are unreliable is that computer software traditionally difficult to be maintained.
Maintenance is the most expensive phase of the systems development process due to
organizational changes, which affects information requirements. Besides that, the
complexity of the program code and faulty system analysis and design also contributes to
the difficulties in maintenance. Another common source to information systems failure is
poor data quality (data that are inaccurate, untimely or inconsistent with other sources).
Bad data can lead to bad decisions, product recalls and even financial losses.

8.2. Creating a Control Environment

To minimize all the happening of information systems failure, special policies and
procedures must be incorporated into the design and implementation of information
systems. The combination of manual and automated measures the safeguard information
systems and ensure that they perform according to management standards is termed
control. Controls are constraints and other measures imposed on a user or a system and
3
can be used to secure systems against the risks or to reduce damage caused to systems,
applications and data. Control consists of all the methods, policies and procedures that
ensure protection of the organization’s assets, accuracy and reliability of its records and
operational adherence to management standards. Computer systems are controlled by a
combination of general controls and application controls.

8.2.1 General controls:

General controls are those that control the design, security and use of the computer
programs and the security of data files in general throughout the organization. It is a
combination of system software and manual procedures and applies to all applications area.
General controls include the following:
• Controls over the system implementation process, which audit the systems
development process at various points to make sure that it is properly controlled and
managed.
• Software control, which controls to ensure the security and reliability of software and
also prevents unauthorized access of software programs.
• Physical hardware controls, which controls to ensure the physical security and correct
performance of computer hardware.
• Computer operations controls, which are the procedures to ensure that programmed
procedures, are consistently and correctly applied to data storage and processing.
• Data security controls, which controls to ensure that data files on either disk or tape
are not subject to unauthorized access, change or destruction.
• Administrative disciplines, standards and procedures, which is a formalized standards,
rules, procedures and disciplines to ensure that the organization’s controls are properly
executed and enforced. The most important administrative controls are segregation of
functions where the principle of internal control to divide responsibilities and assign
tasks among people so their job functions do not overlap, to minimize the risk of errors
and fraudulent manipulation of the organization’s assets. Written policies and
procedures will establish formal standards for controlling information systems
operation. Supervision of personnel involved in control procedures that ensures that
the controls for an information system are performing as intended.

4
Weakness in each of these general controls can have a widespread effect on programmed
procedures and data throughout the organization. The following table summarizes the
effect of weakness in general controls:
Weakness Impact
Implementation controls  New systems or systems that have been
modified will have error of fail to function as
required.
Software control (program security)  Unauthorized changes can be made in
processing.
 The organization may not be sure of which
programs or systems have been changed.
Software control (system software)  These controls may not have a direct effect
on individual applications.
 Other general controls depend heavily on
system software, so a weakness in this area
impairs the other general controls.
Hardware control  Hardware may have serious malfunctions or
may break down altogether, introducing
numerous errors or destroying computerized
records.
Computer operation control  Random errors may occur in a system.
 Most processing will be correct, but
occasionally it may not be.
Data file security control  Unauthorized changes can be made in data
stored in computer systems or unauthorized
individuals can access sensitive information.
Administrative control  All of the other control may not be properly
executed or enforced.

8.2.2 Application Controls

Application controls are specific controls within each separate computer application. They
include automated and manual procedures that ensure that only authorized data are
completely and accurately processed by that application. The controls of each application

5
should encompass the whole sequence of processing. Application controls can be
classified as:
• Input controls. The procedures to check data for accuracy and completeness when they
enter the system. There are specific input controls for input authorization, data
conversion, data editing and error handling. Control total is a type of input control that
requires counting transactions or quantity fields prior to processing for comparison and
reconciliation after processing. Edit checks includes routines performed to verify input
data and correct errors prior to processing. Some important edit techniques are like
reasonableness check, format check, existence check and dependency check.
• Processing controls. The routines for establishing that data are complete and accurate
during updating. The major processing controls are run control totals, computer
matching and programmed edit checks. Run control totals are the procedures for
controlling completeness of computer updating by generating control totals that
reconcile total before and after processing. Computer matching is the processing
control that matches input data to information held on master files.
• Output controls. Measures that ensure the results of computer processing are accurate,
complete and properly distributed. Typical output controls includes the following:
▪ Balancing output totals with input and processing totals.
▪ Reviews of the computer processing logs to determine that all of the correct
computer jobs executed properly for processing
▪ Formal procedures and documentation specifying authorized recipients of
output reports, checks or other critical documents.