8/6/2019 Ace Module - VI (System Secutiry & Auditing)_ami
1/44
Amity School of Business
BBA General, 2nd Semester
System Analysis and Design
Apeksha Hooda
Module VI: System Security & Auditing
Topics
System Security: Data Security, Backup & Recovery during System/Database Failure
Ethical Issues in System Development
Threat and Risk Analysis
Audit
System Audit
System Audit Standards (Planning, Implementation and Reporting Standards)
System Analysis and Programming (Overview, Role & Duties of System Experts as Analyst and Programmer)
System Security
The protection of data or hardware against accidental or intentional damage from a defined threat.
The system security problem can be divided into four related issues: security, integrity, privacy and confidentiality.
System Security refers to the technical innovations and procedures applied to the hardware and operating systems to protect against deliberate or accidental damage from a defined threat.
System Integrity refers to the proper functioning of hardware and programs without any improper modification, appropriate physical security, and safety against external threats.
Privacy defines the rights of the users or organizations to determine what information they are willing to share with or accept from others, and how the organization can be protected against unwelcome, unfair or excessive dissemination of information about it.
Confidentiality is a special status given to sensitive information in a database to minimize the possible invasion of privacy.
Basic Components of Security
Confidentiality: Keeping data and resources hidden from unauthorized disclosure.
Integrity (data integrity and origin integrity): The requirement that information be protected from improper modification.
Availability: Enabling access to data and resources to users who have a legitimate right.
Goals of Security
Prevention: Prevent attackers from violating security policy.
Detection: Detect attackers' violations of security policy.
Recovery: Stop the attack, assess and repair damage; continue to function correctly even if the attack succeeds.
Threat & Risk Analysis
Natural threat
Physical threat
Malicious attack (virus, worm, trojan)
Attack by hackers
Data Security, Backup & Recovery
Data Security: Protection of data from loss, disclosure, modification, or destruction.
Backup & Recovery: Restoring a damaged database is generally done by a rollforward or rollback procedure.
The rollforward approach involves updating a prior valid copy of the database with the necessary changes to produce a current version of the database.
The rollback approach starts from the current invalid state and removes the record of activity to produce the prior valid state of the database. Either approach depends largely on the software to bring the backup copy up to date and determine the cause of failure.
Backup can be extremely important in a recovery procedure. If the database is physically damaged, one cannot roll back from the damaged database; one can only roll forward.
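The two procedures above, as an added example that is not part of the original slides: a small Python model with a backup copy, a change log and a current state (all constructed here, with names such as rollforward, rollback and recover chosen for this example), showing that rollforward rebuilds from the backup while rollback needs a readable current state, so a physically damaged database can only be rolled forward.

```python
from copy import deepcopy

# Constructed sample data (not from the slides): the last valid backup copy
# of a tiny "database" of account balances.
BACKUP = {"acct_1": 100, "acct_2": 50}

# Constructed log written after the backup was taken. Each entry records, for
# one committed write, the transaction id, the record key, and the old and new
# values, so the write can be replayed (redo) or reversed (undo).
LOG = [
    ("t1", "acct_1", 100, 80),
    ("t1", "acct_2", 50, 70),
    ("t2", "acct_2", 70, 20),
]


def rollforward(backup, log, upto=None):
    """Rebuild a version by applying the first `upto` logged changes to a prior
    valid copy (all of them when upto is None)."""
    db = deepcopy(backup)
    for _txn, key, old, new in log[:upto]:
        if db.get(key) != old:  # each entry must chain from the state before it
            raise ValueError(f"log does not chain from the backup at {key}")
        db[key] = new
    return db


def rollback(current, log, n_valid):
    """Start from the current (invalid) state and remove the record of activity
    after the first `n_valid` log entries, newest first, to reach the prior valid state."""
    db = deepcopy(current)
    for _txn, key, old, new in reversed(log[n_valid:]):
        if db.get(key) != new:  # structural damage: stored value disagrees with the log
            raise ValueError(f"current state disagrees with the log at {key}")
        db[key] = old
    return db


def recover(current, backup, log, n_valid):
    """Pick the procedure: a physically damaged database (current is None, i.e.
    unreadable) cannot be rolled back, so only rollforward from the backup remains."""
    if current is None:
        return rollforward(backup, log, n_valid)
    return rollback(current, log, n_valid)


if __name__ == "__main__":
    current = rollforward(BACKUP, LOG)           # {"acct_1": 80, "acct_2": 20}
    print(recover(current, BACKUP, LOG, 2))      # rollback of t2
    print(recover(None, BACKUP, LOG, 2))         # rollforward, same prior valid state
```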
Database Failure
In a database environment, there are three types of failures: catastrophic, logical, and structural.
A catastrophic failure is one where part of a database is unreadable. It is restored using the rollforward method of recovery.
A logical failure occurs when activity to the database is interrupted with no chance of completing the currently executing transaction.
Structural damage occurs when a pointer incorrectly stored in a record points to unrelated or nonexistent data.
Ethical Issues in System Development
Ethical behavior of analysts and computer professionals has led to the development of standards and codes of behavior by a number of professional associations. Three associations are worth mentioning:
Association for Computing Machinery (ACM)
Data Processing Management Association (DPMA)
Institute for Certification of Computer Professionals (ICCP)
Ethics can be described as fairness, justice, equity, honesty, trustworthiness, and equality. Stealing, cheating, lying or backing out of one's word all describe a lack of ethics.
Code of Ethics: a declaration of the principles and beliefs that govern how employees of an organization are expected to behave.
What is Audit?
Evaluation of a person, organization, system, process, project or product.
An audit provides a baseline of the existing system from which new investment can be accurately planned, avoiding excessive or inappropriate expenditure.
The goal of an audit is to express an opinion on the person/organization/system in question, under evaluation based on work done.
An audit is performed by an AUDITOR.
There are two types of auditors:
Internal Auditor
External Auditor
1. Internal Auditors: Employees of the company hired to assess and evaluate its system of internal control. To maintain independence, they present their reports directly to top-level management.
2. External Auditors: Independent staff assigned by an auditing firm to assess and evaluate the financial statements of their clients or to perform other agreed-upon evaluations. They are called in from outside the company.
System Audit
It is also called a Process Audit; it can be conducted for any activity. It is usually made against a specific document such as an operating procedure, work instruction, training manual, etc.
A series of activities in which a system auditor, in an impartial position independent of the object of audit, performs overall inspection and evaluation of an information system, issues advice and recommendations, and provides any necessary follow-up.
System audits will help spot any errors in configuration which can leave vulnerabilities in the most secure products.
Audits can help overcome 'rule-creep', as small system changes over time cumulatively produce a significant shift in overall system security.
A policy audit will check that the security policies which management has communicated are being adhered to.
System Auditor
A person who engages in system audits with the following knowledge and abilities:
Basic knowledge of information systems
Knowledge of system audits
Ability to perform system audits
Related knowledge for the performance of system audits
System Audit Standard
Purpose
Definitions of Terms
Composition of the Standards
Philosophy behind the Implementation Standards
General Standards
Implementation Standards
System Audit Standard
Purpose - The purpose of the Standards is to improve the reliability, security, and efficiency of information systems and thus contribute to the realization of a healthy information society by enumerating the matters necessary for system audits.
Definitions of Terms
These are the principal terms used in the Standards:
i. System Audit: A series of activities in which a system auditor, in an impartial position independent of the object of audit, performs overall inspection and evaluation of an information system, issues advice and recommendations, and provides any necessary follow-up.
ii. System Auditor: A person who engages in system audits with the following knowledge and abilities:
a. Basic knowledge of information systems.
b. Knowledge of system audits.
c. Ability to perform system audits.
d. Related knowledge for the performance of system audits.
iii. Improvement of reliability: To improve the quality of information systems, prevent failure, minimize the effects of failure, and speed up recovery.
iv. Improvement of security: To make an information system more secure from natural disasters, unauthorized access, and destructive actions.
v. Improvement of efficiency: To improve the cost performance of an information system by making the most of its resources.
vi. Basic plan: A general plan of system audits to be performed during any given year.
vii. Individual plan: A plan for any of the individual system audit operations based on a basic plan.
viii. Risk analysis: To identify the risks that may arise from or in connection with the use of an information system and analyze the degrees of their effects.
ix. Audited division: A division that is an object of a system audit.
x. Matter noted: A problem pointed out by a system auditor according to his or her criteria and noted on a system audit report.
xi. Recommendation of improvement: A matter noted that is judged by a system auditor as requiring improvement and noted as such on a system audit report.
xii. Follow-up: The measure or measures taken by a system auditor to ensure the audited division carries out any recommendations of improvement.
Composition of the Standards
The Standards are composed of:
General Standards
Implementation Standards
Reporting Standards
General Standards
General Standards outline the principles of an audit plan that provides a basis for a system audit, the qualifications of a system auditor, and so forth.
1. System: The organization shall prepare a system for proper implementation of system audit.
2. Audit Plan: Preparation of a basic plan and individual plan for system audit.
3. Responsibility and Authority of a System Auditor
The system auditor shall make the grounds for each of his or her judgments clear.
The system auditor may demand data and materials from the audited division.
The system auditor may demand that a report on the implementation of improvement be issued by the head of an organization to an audited division.
4. Professional Ethics
The system auditor shall firmly maintain his or her position as an impartial evaluator.
The system auditor shall be aware of the ethical demands on himself or herself and meet the internal and external trust by performing an accurate and sincere system audit.
5. Confidentiality
The system auditor must not divulge any secret he or she may come to know in the course of performing his or her job, or use such secret for any undue purpose.
Implementation Standards
1. Planning
Information Strategy
Formulation of a General Plan
Formulation of a Development Plan
System Analysis and Definitions of Requirements
2. Development
Development Procedures
System Design
Program Design
Programming
System Tests
Conversion
3. Operation
Operation Control
Input Management
Data Management
Output Management
Software Management
Hardware Management
Network Management
Configuration Management
Management of Buildings and Related Facilities
4. Maintenance
Maintenance Procedures
Maintenance Plan
Implementation of Maintenance
Confirmation of Maintenance
System Conversion
Disposal of Old Systems
5. Common Work
Document Management
Preparation Management
Progress Management
Implementation Evaluation
Personnel Management
Responsibility and Authority
Implementation of Work
Education and Training
Health Management
Outsourcing
Outsourcing plan
Selection of service providers
Service agreements
Contents of services
Measures against Disasters
Risk Analysis
Anti-Disaster Plan
Backup
Alternative Processing and Recovery
Reporting Standards
1. Preparation of Reports
The system auditor must prepare a system audit report.
The system audit report must state the results of evaluation of the reliability, security, and efficiency of an information system.
The system audit report must state, as matters noted, the problems based on the results of the audit.
The system audit report must state, as recommendations of improvement, the important matters that need to be improved.
The system audit report must state improvements that can be proposed for the matters that need to be improved.
The system auditor must state on his or her system audit report any other matters he or she considers necessary.
2. Reporting - The system audit report must be submitted to the head of the organization.
3. Follow-up - The system auditor must try to grasp the progress of improvement made based on recommendations of improvement and promote that improvement.
System Analyst
The System Analyst designs and implements systems to suit the organization's needs. He plays a major role in seeking business benefits from computer technology. His job is not just confined to data processing, but also deals heavily with people, procedures and technology.
Skills of System Analyst
Interpersonal Skills
Technical Skills
7 Roles of a System Analyst
Change Agent
Investigator and Monitor
Architect
Psychologist
Salesperson
Motivator
Politician
Change Agent
Investigator and Monitor
Architect
Psychologist
Salesperson
Motivator
Thank You
&
All the best !