Chapter 3 - Information System and Its Components
[Figure: components of an information system, showing Control (Decision Makers, Auto Control), Feedback and the User.]
(c) Secondary Memory: The CPU refers to the main memory for execution of
programs, but main memory is volatile in nature and hence cannot be used
to store data on a permanent basis, in addition to being small in storage
capacity. Secondary memories are available in bigger sizes; thus programs
and data can be stored on secondary memories.
(d) Virtual Memory: Virtual Memory is in fact not a separate device but an
imaginary memory area supported by some operating systems (for
example, Windows) in conjunction with the hardware. If a computer
lacks the required size of Random-Access Memory (RAM) needed to
run a program or operation, Windows uses virtual memory to
compensate. Virtual memory combines the computer's RAM with
temporary space on the hard disk. When RAM runs low, virtual memory
moves data from RAM to a space called a paging file. Moving data to
and from the paging file frees up RAM to complete its work. Thus,
Virtual memory is an allocation of hard disk space to help RAM, as
depicted in Fig. 3.3.2.
[Fig. 3.3.2: Virtual memory, showing RAM backed by Secondary Memory.]
(iv) Output Devices: Output devices are the devices through which the system
responds. Visual output devices, such as a display device, visually convey text,
graphics and video information, e.g. monitor and printer.
Some types of output are:
• Textual output comprises characters that are used to create words,
sentences, and paragraphs.
• Graphical outputs are digital representations of non-text information
such as drawings, charts, photographs, and animation.
• Tactile output such as raised line drawings may be useful for some
individuals who are blind.
• Audio output is any music, speech, or any other sound.
• Video output consists of images played back at speeds to provide the
appearance of full motion.
II. Software
Software is defined as a set of instructions that tell the hardware what to do.
Software is created through the process of programming. Without software, the
hardware would not be functional. Software can be broadly divided into two
categories: Operating Systems Software and Application Software as shown in
the Fig. 3.3.3. Operating systems manage the hardware and create the interface
between the hardware and the user. Application software is the category of
programs that do some processing/task for the user.
[Figure: hierarchical database model, a tree in which Root is the parent of Room, Room is the parent of Equipment, and Equipment is the parent of Repair; the FIELD label belongs to the same figure.]
[Figure: classification of controls, listing Preventive, Detective and Corrective controls alongside Environmental, Physical Access, Logical Access, Managerial and Application controls.]
• Both automatic and manual fire alarms may be placed at strategic locations,
and a control panel may be installed to clearly indicate this.
• Besides the control panel, master switches may be installed for power and
the automatic fire suppression system. Different fire suppression techniques,
such as dry-pipe sprinkling systems, water based systems, halon etc., may be
used depending upon the situation.
• Manual fire extinguishers can be placed at strategic locations.
• Fireproof walls, floors and ceilings surrounding the computer room, and
fire resistant office materials such as waste-baskets, curtains, desks, and
cabinets, should be used.
• Fire exits should be clearly marked. When a fire alarm is activated, a signal
may be sent automatically to a permanently manned station.
• All staff members should know how to use the system, and the procedures to
be followed during an emergency should be properly documented. The fire
safety arrangements include fire alarms, extinguishers, sprinklers,
instructions and fire brigade numbers, smoke detectors, and carbon dioxide
based fire extinguishers.
• Less wood and plastic should be kept in computer rooms.
• Use a gas based fire suppression system.
• To reduce the risk of fire, the location of the computer room should be
strategically planned and should not be in the basement or ground floor of
a multi-storey building.
• Regular inspection by the Fire Department should be conducted.
• Fire suppression systems should be supplemented, and not replaced, by
smoke detectors.
• Documented and Tested Emergency Evacuation Plans: Relocation plans
should emphasize human safety, but should not leave information
processing facilities physically unsecured. Procedures should exist for a
controlled shutdown of the computer in an emergency. In all circumstances,
saving human life should be given paramount importance.
• Smoke Detectors: Smoke detectors are positioned at places above and
below the ceiling tiles. Upon activation, these detectors should produce an
audible alarm and must be linked to a monitored station (for example, a fire
station).
• Wiring Placed in Electrical Panels and Conduit: Electrical fires are always
a risk. To reduce the risk of such a fire occurring and spreading, wiring should
be placed in fire-resistant panels and conduit. This conduit generally lies
under the fire-resistant raised floor in the computer room.
II. Electrical Exposures: These include the risk of damage that may be caused
due to electrical faults, such as non-availability of electricity, spikes
(temporary very high voltages), fluctuations of voltage and other such risks.
Table 3.4.2(B): Controls for Electrical Exposure
• Electrical Surge Protectors: The risk of damage due to power spikes can be
reduced using Electrical Surge Protectors, which are typically built into the
Un-interruptible Power System (UPS).
• Un-interruptible Power System (UPS)/Generator: In case of a power failure,
the UPS provides the back up by providing electrical power from the battery
to the computer for a certain span of time. Depending on the sophistication
of the UPS, electrical power supply could continue to flow for days or for just
a few minutes to permit an orderly computer shutdown.
• Voltage Regulators and Circuit Breakers: These protect the hardware from
temporary increases or decreases of power.
• Emergency Power-Off Switch: When the need arises for an immediate power
shut down during situations like a computer room fire or an emergency
evacuation, an emergency power-off switch at strategic locations would
serve the purpose. They should be easily accessible and yet secured from
unauthorized people.
i. Locks on Doors
• Cipher locks (Combination Door Locks) - Cipher locks are used in low
security situations or when many entrances and exits must be usable all the
time. To enter, a person presses a four-digit number, and the door will
unlock for a predetermined period, usually ten to thirty seconds.
• Bolting Door Locks – A special metal key is used to gain entry when the
lock is a bolting door lock. To avoid illegal entry, the keys should not be
duplicated.
• Electronic Door Locks – A magnetic or embedded chip-based plastic card
key or token may be inserted into a reader to gain access in these systems.
ii. Physical Identification Medium: These are discussed below:
• Personal Identification Numbers (PIN): The visitor will be asked to log
on by inserting a card in some device and then enter their PIN via a PIN
keypad for authentication.
• Plastic Cards: These cards are used for identification purposes. Customers
should safeguard their card so that it does not fall into unauthorized hands.
• Identification Badges: Special identification badges can be issued to
personnel as well as visitors. For easy identification, the color of the
badge can be varied. Sophisticated photo IDs can also be utilized as
electronic card keys.
iii. Logging on Facilities: These are given as under:
• Manual Logging: All visitors should be prompted to sign a visitor’s log
indicating their name, company represented, their purpose of visit, and person
to see. Logging may happen at both fronts - reception and entrance to the
computer room. A valid and acceptable identification such as a driver’s license,
business card or vendor identification tag may also be asked for before
allowing entry inside the company.
• Electronic Logging: This feature is a combination of electronic and biometric
security systems. Users' logging can be monitored, with unsuccessful
attempts highlighted.
iv. Other means of Controlling Physical Access: Other important means of
controlling physical access are given as follows:
• Video Cameras: Cameras should be placed at specific locations and
monitored by security guards. Refined video cameras can be activated by
motion. The video supervision recording must be retained for possible future
play back.
• Security Guards: Extra security can be provided by appointing guards aided
with CCTV feeds. Guards supplied by an external agency should be made to
sign a bond to protect the organization from loss.
• Controlled Visitor Access: A responsible employee should escort all visitors.
Visitors may be friends, maintenance personnel, computer vendors,
consultants and external auditors.
• Bonded Personnel: All service contract personnel, such as cleaning people
and off-site storage services, should be asked to sign a bond. This may not be
a measure to improve physical security but to a certain extent can limit the
financial exposure of the organization.
• Dead Man Doors: These systems encompass a pair of doors that are typically
found in entries to facilities such as computer rooms and document stations.
The first entry door must close and lock for the second door to operate, with
only one person permitted in the holding area.
• Non-exposure of Sensitive Facilities: There should be no explicit indication,
such as the presence of windows or directional signs, hinting at the presence
of facilities such as computer rooms. Only the general location of the
information processing facility should be identifiable.
• Computer Terminal Locks: These locks ensure that the device attached to the
desk is not turned on or disengaged by unauthorized persons.
• Controlled Single Entry Point: All incoming personnel can use controlled
Single Entry Point. A controlled entry point is monitored by a receptionist.
Multiple entry points increase the chances of unauthorized entry. Unnecessary
or unused entry points should be eliminated or deadlocked.
• Alarm System: Illegal entry can be avoided by linking the alarm system to
inactive entry points and to the reverse flow of enter-only or exit-only doors.
Security personnel should be able to hear the alarm when activated.
• Perimeter Fencing: Fencing at boundary of the facility may also enhance the
security mechanism.
• Control of Employees Out of Office: Employees who are out of the
office for a longer duration during office hours should be monitored
carefully. Their movements must be noted and reported to the concerned
officials frequently.
• Secured Report/Document Distribution Cart: Secured carts, such as mail
carts, must be covered and locked and should always be attended.
(C) Logical Access Controls: These are the controls relating to logical access to
information resources such as operating systems controls, application software
boundary controls, networking controls, access to database objects, encryption
controls etc. Table 3.4.4 provides the list of Technical Exposures.
Table 3.4.4: Technical Exposures
Technical Exposures: Technical exposures include unauthorized implementation or
modification of data and software. Technical exposures include the following:
Data Diddling: This involves changing data before or after they are entered into
the system. Only limited technical knowledge is required to data diddle, and the
worst part is that it occurs before computer security can protect the data.
Bomb: A bomb is a piece of bad code deliberately planted by an insider or supplier of
a program. A bomb is triggered by a logical event or is time based. The bombs
explode when the conditions of explosion are fulfilled, causing the damage
immediately. However, these programs cannot infect other programs. Since these
programs do not circulate by infecting other programs, the chances of a widespread
epidemic are relatively low.
Christmas Card: It is a well-known example of a Trojan and was detected on the internal
E-mail of an IBM system. On typing the word 'Christmas', it draws the Christmas tree
as expected, but in addition, it sends copies of similar output to all other users
connected to the network. Because of this message on other terminals, other users
cannot save their half-finished work.
Worm: A worm does not require a host program like a Trojan to relocate itself. Thus,
a Worm program copies itself to another machine on the network. Since worms are
stand-alone programs, they can be detected easily in comparison to Trojans and
computer viruses. Examples of worms are the Existential Worm, the Alarm Clock Worm etc.
The Alarm Clock worm places wake-up calls on a list of users. It passes through the
network to an outgoing terminal, while the sole purpose of the Existential worm is to
remain alive. The Existential worm does not cause damage to the system, but only copies
itself to several places in a computer network.
Rounding Down: This refers to rounding of small fractions of a denomination and
transferring these small fractions into an authorized account. As the amount is small,
it gets rarely noticed.
Salami Techniques: This involves slicing small amounts of money from a computerized
transaction or account. A Salami technique is slightly different from a rounding technique in the
sense that a fixed amount is deducted. For example, in the rounding off technique, ₹ 21,23,456.39
becomes ₹ 21,23,456.40, while in the Salami technique the transaction amount ₹ 21,23,456.39 is
truncated to either ₹ 21,23,456.30 or ₹ 21,23,456.00, depending on the logic.
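The control an auditor would apply against both Rounding Down and the Salami technique described above is independent recomputation: re-derive each posting from the exact amount, compare it with what was actually posted, and track the signed residue across the ledger. The following is an added example, not code from the chapter; the round-half-up-to-the-paisa rule, the `reconcile` function and the sample ledger are all assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

PAISA = Decimal("0.01")

def expected_posting(exact: Decimal) -> Decimal:
    # The rounding rule the ledger is supposed to apply (assumed here):
    # round half up to the nearest paisa.
    return exact.quantize(PAISA, rounding=ROUND_HALF_UP)

def reconcile(ledger):
    """Independently recompute each posting and compare it with what was posted.

    ledger: iterable of (txn_id, exact_amount, posted_amount) as Decimals.
    Returns (mismatches, net_residue):
      mismatches  - (txn_id, posted, expected, gap) for every posting that is not
                    what honest rounding would have produced (a salami slice or a
                    deliberate round-down);
      net_residue - signed sum of (exact - posted) over the ledger. Honest rounding
                    leaves gaps on both sides of zero that largely cancel; truncation
                    or systematic rounding down leaves a residue that only grows,
                    and that residue is the money that went somewhere else.
    """
    mismatches = []
    net = Decimal("0")
    for txn_id, exact, posted in ledger:
        expected = expected_posting(exact)
        gap = exact - posted          # what did not reach the customer's account
        net += gap
        if posted != expected:
            mismatches.append((txn_id, posted, expected, gap))
    return mismatches, net

# Constructed sample ledger (not from the chapter): interest computed to a
# thousandth of a rupee, then posted to customer accounts.
SAMPLE_LEDGER = [
    ("T1", Decimal("2123456.394"), Decimal("2123456.39")),  # honest rounding
    ("T2", Decimal("2123456.396"), Decimal("2123456.40")),  # honest rounding
    ("T3", Decimal("2123456.394"), Decimal("2123456.30")),  # salami: truncated to 10 paise
    ("T4", Decimal("2123456.396"), Decimal("2123456.39")),  # rounded down instead of up
    ("T5", Decimal("2123456.398"), Decimal("2123456.00")),  # salami: truncated to the rupee
]

if __name__ == "__main__":
    bad, residue = reconcile(SAMPLE_LEDGER)
    for txn_id, posted, expected, gap in bad:
        print(f"{txn_id}: posted {posted}, expected {expected}, gap {gap}")
    print("net residue:", residue)
```

Run over a real ledger, the net residue should also be reconciled against any suspense or rounding account: a residue that matches credits to one account is the signature the text describes.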
Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts that permit a
review of data. They also permit insertion of unauthorized logic.
Spoofing: A spoofing attack involves forging one's source address. In the spoofing
technique, one machine is used to impersonate another. Spoofing occurs only after a
particular machine has been identified as vulnerable. A penetrator makes the user
think that s/he is interacting with the operating system. For example, a penetrator
duplicates the login procedure, captures the user's password, simulates a system
crash and makes the user log in again.
Asynchronous Attacks
These occur in many environments where data can be moved asynchronously across
telecommunication lines. Data that is waiting to be transmitted is liable to
unauthorized access, called an Asynchronous Attack. These attacks are hard to detect
because they are usually very small, pin-like insertions, and are of the following types:
Data Leakage: This involves leaking information out of the computer by means
of dumping files to paper or stealing computer reports and tape.
Subversive Attacks: These can provide intruders with important information
about messages being transmitted and the intruder may attempt to violate the
integrity of some components in the sub-system.
Wire-Tapping: This involves spying on information being transmitted over a
communication network.
Piggybacking: This is the act of following an authorized person through a secured
door or electronically attaching to an authorized telecommunication link that
intercepts and alters transmissions. This involves intercepting communication
between the operating system and the user and modifying them or substituting new
messages.
[Figure: Information Systems Auditing, with "Control and Audit of Computer-based Information Systems" at the centre. Factors shown include 1. Organizational costs of data loss and 7. Controlled evolution of computer use; benefits shown are a. Improved Safeguarding of assets, b. Improved Data Integrity, c. Improved System effectiveness and d. Improved System efficiency.]