CHAPTER SEVEN: INFORMATION SYSTEMS SECURITY AND CONTROL
After completing this chapter, you will be able to:
• Describe why information systems are so vulnerable to destruction, error, abuse and
system quality problems
• Compare general controls and application controls for information systems
• Select the factors that must be considered when developing the controls of
information systems
• Describe the most important software quality-assurance techniques
• Describe the importance of auditing information systems and safeguarding data
quality
9.1 System Vulnerability and Abuse
The development, implementation and maintenance of information systems
constitute a large and growing part of the cost of doing business, so protecting these
resources is a primary concern. The increasing reliance on information systems,
combined with their connection to the “outside world” in the form of the Internet, makes
securing corporate information systems increasingly challenging. The role of computer
controls and security is to protect systems against these and many other mishaps, as well
as to help organizations ensure that their information systems operations comply with
the law and with the expectations of employees and customers for privacy. The major goals
of information security are:
• To reduce the risk of systems and organizations ceasing operations.
• To maintain information confidentiality.
• To ensure the integrity and reliability of data resources.
• To ensure the availability of data resources.
• To ensure compliance with national security laws and privacy policies and laws.
9.1.1 Why Systems Are Vulnerable
The threats to computerized information systems can stem from technological,
organizational and environmental factors. The threats can be viewed from two main aspects:
risks to hardware and risks to applications and data.
Risks to hardware involve physical damage to computers, peripheral equipment
and communication media. The major causes of such damage are natural disasters,
blackouts and brownouts, and vandalism.
Natural disasters that pose a risk to information systems (ISs) include fire, floods,
earthquakes, tornadoes and lightning, which can destroy hardware, software or both,
causing total or partial paralysis of systems or communication lines. Flood water short-
circuits and burns delicate components such as microchips. Lightning and voltage surges
cause tiny wires to melt and destroy circuitry. Obviously, all data and programs stored in
memory chips in a computer are lost when this happens. Water from floods and the heat
created when circuits are shorted may also ruin the surface of storage media such as
magnetic tapes or disks, thereby destroying data. In addition, wildlife and human error
occasionally destroy communication lines. The easiest way to protect against loss of data
caused by natural disasters is to automatically duplicate all data periodically and store
the duplicate copy at a site many miles away from the office.
Blackouts and brownouts occur when the power supply to the computer is disrupted,
so that computers and their peripheral devices cannot function. The change in
power supply can have very damaging effects on computer processes and storage.
Blackouts are incidents of a total loss of electrical power, whereas in brownouts the
voltage of the power decreases or there are very short interruptions in the flow of power.
Power failure may not only disrupt operations but also cause irreparable damage to
hardware. Occasional surges in voltage are equally harmful because their impact on
equipment is similar to that of lightning. The popular way of handling brownouts is to
connect a voltage regulator between computers and the electric network. A voltage
regulator boosts or decreases voltage to smooth out drops or surges and guarantees
maintenance of voltage within an acceptable tolerance. To ensure against interruptions in
power supply, organizations use uninterruptible power supply (UPS) systems, which
provide an alternative power supply for a short time as soon as a power network fails.
Vandalism occurs when human beings deliberately destroy computer systems. It
is difficult to defend computers against vandalism. In the workplace, the best measure
against vandalism is to allow access only to those who have a real need for the system.
Sensitive equipment, such as servers, should be locked in a special room.
Risks to applications and data are theft of information, data alteration and
destruction, computer viruses, programs that support unauthorized access and
non-malicious mishaps.
9.1.2 Concerns for System Builders and Users
The heightened vulnerability of automated data has created special concerns for
the builders and users of information systems. These concerns include:
• Disaster. Fault-tolerant computer systems contain extra hardware, software and
power supply components that can back a system up and keep it running to prevent
system failure. Fault-tolerant technology is used by firms for critical applications
with heavy on-line transaction processing requirements. In on-line transaction
processing, transactions entered on-line are immediately processed by the computer.
Multitudinous changes to databases, reporting or requests for information occur each
instant. Most firms contract their backup facilities with disaster recovery
firms.
• Security. Refers to the policies, procedures and technical measures used to prevent
unauthorized access, alteration, theft or physical damage to information systems.
• Errors. Computers can also serve as instruments of error, severely disrupting or
destroying an organization’s record keeping and operations.
In addition to disasters, viruses and security breaches, defective software and data pose a
constant threat to information systems, causing untold losses in productivity. Bugs and
defects hidden within the code of software are the major problems faced by most
firms. Bugs are segments of program code that cause defects or errors. The main
source of bugs is the complexity of decision-making code. Zero defects cannot be
achieved in large programs because complete testing is not possible. Another reason that
systems are unreliable is that computer software is traditionally difficult to maintain.
Maintenance is the most expensive phase of the systems development process due to
organizational changes, which affect information requirements. Besides that, the
complexity of the program code and faulty system analysis and design also contribute to
the difficulties in maintenance. Another common source of information systems failure is
poor data quality (data that are inaccurate, untimely or inconsistent with other sources).
Bad data can lead to bad decisions, product recalls and even financial losses.
9.2 Creating a Control Environment
To minimize information systems failures, special policies and
procedures must be incorporated into the design and implementation of information
systems. The combination of manual and automated measures that safeguard information
systems and ensure that they perform according to management standards is termed
control. Controls are constraints and other measures imposed on a user or a system and
can be used to secure systems against the risks or to reduce damage caused to systems,
applications and data. Control consists of all the methods, policies and procedures that
ensure protection of the organization’s assets, accuracy and reliability of its records and
operational adherence to management standards. Computer systems are controlled by a
combination of general controls and application controls.
9.2.1 General Controls
General controls are those that control the design, security and use of
computer programs and the security of data files in general throughout the organization.
They are a combination of system software and manual procedures and apply to all
application areas. General controls include the following:
• Controls over the system implementation process, which audit the systems
development process at various points to make sure that it is properly controlled and
managed.
• Software controls, which ensure the security and reliability of software and
also prevent unauthorized access to software programs.
• Physical hardware controls, which ensure the physical security and
correct performance of computer hardware.
• Computer operations controls, which are the procedures to ensure that programmed
procedures are consistently and correctly applied to data storage and processing.
• Data security controls, which ensure that data files on either disk or tape
are not subject to unauthorized access, change or destruction.
• Administrative disciplines, standards and procedures, which are formalized
standards, rules, procedures and disciplines to ensure that the organization’s controls
are properly executed and enforced. The most important administrative controls are
segregation of functions, the principle of internal control that divides
responsibilities and assigns tasks among people so that their job functions do not overlap,
to minimize the risk of errors and fraudulent manipulation of the organization’s
assets; written policies and procedures, which establish formal standards for controlling
information systems operation; and supervision of personnel involved in control
procedures, which ensures that the controls for an information system are performing as
intended.
Weakness in each of these general controls can have a widespread effect on programmed
procedures and data throughout the organization. The following table summarizes the
effect of weakness in general controls:
Weakness → Impact
• Implementation controls
  → New systems or systems that have been modified will have errors or fail to function as required.
• Software control (program security)
  → Unauthorized changes can be made in processing.
  → The organization may not be sure of which programs or systems have been changed.
• Software control (system software)
  → These controls may not have a direct effect on individual applications.
  → Other general controls depend heavily on system software, so a weakness in this area impairs the other general controls.
• Hardware control
  → Hardware may have serious malfunctions or may break down altogether, introducing numerous errors or destroying computerized records.
• Computer operation control
  → Random errors may occur in a system.
  → Most processing will be correct, but occasionally it may not be.
• Data file security control
  → Unauthorized changes can be made in data stored in computer systems or unauthorized individuals can access sensitive information.
• Administrative control
  → All of the other controls may not be properly executed or enforced.
9.2.2 Application Controls
Application controls are specific controls within each separate computer application.
They include automated and manual procedures that ensure that only authorized data are
completely and accurately processed by that application. The controls of each
application should encompass the whole sequence of processing. Application controls
can be classified as:
• Input controls. The procedures to check data for accuracy and completeness when
they enter the system. There are specific input controls for input authorization, data
conversion, data editing and error handling. Control totals are a type of input control
that requires counting transactions or quantity fields prior to processing for
comparison and reconciliation after processing. Edit checks include routines
performed to verify input data and correct errors prior to processing. Some important
edit techniques are the reasonableness check, format check, existence check and
dependency check.
• Processing controls. The routines for establishing that data are complete and
accurate during updating. The major processing controls are run control totals,
computer matching and programmed edit checks. Run control totals are the
procedures for controlling completeness of computer updating by generating control
totals that reconcile totals before and after processing. Computer matching is the
processing control that matches input data to information held on master files.
• Output controls. Measures that ensure the results of computer processing are
accurate, complete and properly distributed. Typical output controls include the
following:
§ Balancing output totals with input and processing totals.
§ Reviews of the computer processing logs to determine that all of the correct
computer jobs executed properly for processing.
§ Formal procedures and documentation specifying authorized recipients of
output reports, checks or other critical documents.
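The input, processing and output controls listed above, chained over one batch of deposits, as an added example that is not part of the original chapter. The account-number pattern, the 10,000 ceiling, the rule tying check_no to CHECK deposits, the reading of each edit check and all sample data are assumptions constructed for illustration.

```python
import re
from decimal import Decimal as D

# Constructed sample data: master balances and a pre-counted batch header.
MASTER = {"A1001": D("500.00"), "A1002": D("120.00")}
HEADER = {"count": 5, "amount": D("10975.00")}
BATCH = [
    {"acct": "A1001", "amount": D("250.00"), "type": "CHECK", "check_no": "7781"},
    {"acct": "A1002", "amount": D("400.00"), "type": "CASH", "check_no": ""},
    {"acct": "A10O2", "amount": D("100.00"), "type": "CASH", "check_no": ""},
    {"acct": "A1009", "amount": D("75.00"), "type": "CASH", "check_no": ""},
    {"acct": "A1001", "amount": D("10150.00"), "type": "CHECK", "check_no": ""},
]
LIMIT = D("10000")  # assumed ceiling for a plausible single deposit

def reconcile(label, expected, actual):
    if expected != actual:
        raise ValueError(f"{label}: expected {expected}, got {actual}")

def edit_checks(rec, master):
    """Return the names of the edit checks this record fails."""
    errors = []
    if not re.fullmatch(r"A\d{4}", rec["acct"]):
        errors.append("format")          # not shaped like an account number
    elif rec["acct"] not in master:
        errors.append("existence")       # no such account on the master file
    if not 0 < rec["amount"] <= LIMIT:
        errors.append("reasonableness")  # amount outside the plausible range
    if (rec["type"] == "CHECK") != bool(rec["check_no"]):
        errors.append("dependency")      # check_no must accompany CHECK only
    return errors

def run_batch(batch, header, master):
    # Input control totals: reconcile the batch with its header first.
    reconcile("record count", header["count"], len(batch))
    reconcile("amount total", header["amount"], sum(r["amount"] for r in batch))
    before, posted, rejected = sum(master.values()), D("0"), []
    for rec in batch:
        if errors := edit_checks(rec, master):
            rejected.append((rec, errors))  # error handling: suspend for correction
            continue
        master[rec["acct"]] += rec["amount"]  # update the matched master record
        posted += rec["amount"]
    # Run control total: the master file grew by exactly what was posted.
    reconcile("run control total", before + posted, sum(master.values()))
    # Output balancing: posted plus suspended equals the input control total.
    held = sum(r["amount"] for r, _ in rejected)
    reconcile("output balance", header["amount"], posted + held)
    return posted, rejected
```

Rejected records are held with their failure reasons rather than dropped, which is what lets the output balance still reconcile to the input control total.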