CS507 - Information Systems - Lecture Handout 34


Types of Controls

Implementing controls is a critical security feature of an information system. Controls block and detect various forms of intrusion and protect every component of the system, whether telecommunication lines, software or hardware.

  1. Access controls – controlling who can access the system.
  2. Input controls – controls over how data is entered into the system.
  3. Communication controls – controls over the transfer of data across a LAN, a WAN or the internet.
  4. Processing controls – controlling the processing of data.
  5. Database controls – securing the organization's most important asset, its data.
  6. Output controls – controlling the privacy of the data leaving the system.

Access Controls

These controls establish the interface between the would-be user of the computer system and the computer itself. They govern the initial handshaking procedure between the user and the operating system. For example, when a customer inserts a card and enters a PIN at an automated teller machine (ATM), the system exercises access controls to block unwanted or illegitimate access.

The identity of the user must be established before access is granted, and the user should then be given access only to the kinds of resources they are entitled to use. Attempts by users to reach beyond the defined limits should be blocked and recorded.

Why Access Controls?

Access controls have gained critical importance in the modern computing age for two significant reasons.

  • The widespread deployment of distributed systems has left many users physically dispersed, e.g. across web-based systems, local area networks and wide area networks.
  • The rapid growth of e-commerce systems has required substantial work to identify and authenticate the parties to a transaction.

Cryptography

Literally, cryptography means hidden or secret writing. It is a security safeguard that renders information unintelligible to unauthorized individuals who intercept a transmission; when the information is to be used, the intended recipient decodes it. "The conversion of data into a secret code for secure transmission over a public network is called cryptography."

Encryption & Decryption

Cryptography primarily consists of two basic processes, shown in the diagram below.

  • Encryption – the process of converting data into a coded form (a cryptogram).
  • Decryption – the process of recovering the original data from that coded form.

[Diagram: Encryption & Decryption]

These processes give rise to two forms of data:

  • Clear text (plaintext) – the data to be encrypted.
  • Cipher text – the coded form produced from the data by encryption.

As the diagram shows, the original text, or "plaintext", is converted into a coded equivalent called "ciphertext" by the encryption process, and decryption reverses it.

Identification & Authentication

Access controls depend on correctly identifying the user who seeks permission to access the system. The user can be identified and authenticated from several sources:

  • What a user remembers (something the user knows) – a name, date of birth, password
  • What a user possesses (something the user has) – a badge, a plastic card
  • What a user is (something the user is) – personal characteristics

Of these, only a value that is genuinely secret, such as the password, proves identity; a name or date of birth identifies a user but is not secret and should not on its own grant access.
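The access-control handshake described above (establish identity, grant only the entitled resources, block and record attempts beyond those limits), as an added example that is not part of the handout. It authenticates with "what the user remembers", a password stored only as a salted PBKDF2-HMAC-SHA256 hash, then authorizes each action against the user's entitlements and writes every refusal to an audit trail. The user names, passwords, roles, actions and the lock-out threshold are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example, not from the handout.  Sample users, roles and actions are
# constructed; passwords are kept only as salted PBKDF2 hashes.
ITERATIONS = 100_000
MAX_FAILURES = 3                     # assumed lock-out threshold
AUDIT_LOG = []                       # real systems: an append-only log users cannot edit


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "roles": roles, "failures": 0}


USERS = {
    "alice": _make_user("correct horse battery", {"teller"}),
    "bob": _make_user("hunter2", {"teller", "manager"}),
}

# Assumed entitlements: what each role may do.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "cash:deposit"},
    "manager": {"account:read", "cash:deposit", "limit:override"},
}


def _audit(event: str, user: str, detail: str) -> None:
    AUDIT_LOG.append({"event": event, "user": user, "detail": detail})


def authenticate(username: str, password: str) -> bool:
    """Identification (who the user claims to be) plus authentication (proof)."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown name costs the same time as a wrong password
        # (otherwise response time reveals which names exist).
        _hash_password(password, b"\x00" * 16)
        _audit("auth_fail", username, "unknown user")
        return False
    if user["failures"] >= MAX_FAILURES:
        _audit("auth_blocked", username, "too many failed attempts")
        return False
    ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
    if ok:
        user["failures"] = 0
        _audit("auth_ok", username, "")
    else:
        user["failures"] += 1
        _audit("auth_fail", username, f"bad password ({user['failures']}/{MAX_FAILURES})")
    return ok


def authorize(username: str, action: str) -> bool:
    """Grant only what the authenticated user is entitled to; record anything beyond it."""
    roles = USERS[username]["roles"]
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if action in allowed:
        return True
    _audit("authz_denied", username, action)
    return False


def request(username: str, password: str, action: str) -> str:
    """The full handshake: identify, authenticate, then authorize one action."""
    if not authenticate(username, password):
        return "denied: authentication"
    if not authorize(username, action):
        return "denied: not entitled"
    return "ok"


if __name__ == "__main__":
    print(request("alice", "correct horse battery", "account:read"))     # ok
    print(request("alice", "correct horse battery", "limit:override"))   # denied: not entitled
    print(request("mallory", "guess", "account:read"))                   # denied: authentication
    for entry in AUDIT_LOG:
        print(entry)
```

The two checks are deliberately separate: a valid password proves who the user is, and the entitlement lookup then decides what that user may touch, so a teller with a correct password still cannot override a limit, and the refusal is on record.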

Biometrics

Identifying an individual by unique physical characteristics has become a widely used and relatively secure way of granting access. The study of personal characteristics has long been used for identification. Biometrics can be defined as the study of automated methods for uniquely recognizing humans based on one or more intrinsic physical or behavioral traits.

Scope of Biometrics

Most commonly, the following personal characteristics are used:

  • Fingerprint
  • Hand print
  • Voice print
  • Facial profiling – measuring the distances between various points on the face
  • Iris/retinal recognition – eye patterns

In addition to the access controls above, there are:

  1. Input controls – controls over correct data entry.
  2. Communications controls – controls over transporting data safely across local area networks (LANs) or wide area networks (WANs).
  3. Processing controls – controls over the integrity of the processing instructions executed by the operating system and application software.
  4. Database controls – implemented to maintain the integrity of the database.
  5. Output controls – controls over delivering the right content to the right users.

The construction of an effective security system should take into account the design and implementation of all the above controls.

Processing instructions carried out by the operating system and by application software should be monitored through controls. Where processing controls are weak, undesirable outcomes follow. For example, while the operating system connects to a website, a concealed link may be activated at the same time to transfer specified or all information. An application that computes interest at month end may contain an unauthorized instruction that transfers the fractions of a cent (pennies, cents or paisas) left over by rounding to a particular account. Hence care needs to be taken that:

  • calculations are accurate, and any rounding up or down is explicitly defined and carried out as defined;
  • data is processed correctly and as expected;
  • control totals reconcile;
  • processing errors are logged, researched and corrected in a timely manner; and
  • a sufficient audit trail exists to trace from source to output and back again.
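The month-end interest example above, as an added example that is not part of the handout: an honest posting job and a tampered one that rounds every account down and sweeps the shaved fractions into a collector account, with an independent reconciliation that applies the processing controls just listed (record count, a control total recomputed from source data, and a per-record trace from each output back to its input). The account balances, the 1% monthly rate and the rounding rule are constructed for illustration; money is handled as Decimal rather than float so rounding is explicit.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Added example, not from the handout.  Sample balances and rate are constructed.
BALANCES = {
    "ACC-1001": Decimal("1234.56"),
    "ACC-1002": Decimal("987.65"),
    "ACC-1003": Decimal("15.00"),
    "ACC-1004": Decimal("4321.99"),
}
MONTHLY_RATE = Decimal("0.01")   # assumed 1% per month
CENT = Decimal("0.01")


def interest_for(balance: Decimal, rate: Decimal = MONTHLY_RATE):
    """Exact interest and the amount credited under the stated rounding rule
    (round half to even, to the cent)."""
    exact = balance * rate
    return exact, exact.quantize(CENT, rounding=ROUND_HALF_EVEN)


def post_interest(balances: dict) -> list:
    """Honest month-end job.  Each posting carries its source balance so the
    output can be traced back to its input (the audit trail)."""
    return [{"acct": a, "source_balance": b, "amount": interest_for(b)[1]}
            for a, b in balances.items()]


def post_interest_salami(balances: dict, collector: str = "ACC-9999") -> list:
    """Tampered job: every account is rounded DOWN and the shaved fractions are
    swept into a collector account - the 'transfer the pennies' attack."""
    postings, shaved = [], Decimal("0")
    for a, b in balances.items():
        exact, _ = interest_for(b)
        down = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - down
        postings.append({"acct": a, "source_balance": b, "amount": down})
    postings.append({"acct": collector, "source_balance": Decimal("0"),
                     "amount": shaved.quantize(CENT, rounding=ROUND_DOWN)})
    return postings


def reconcile(balances: dict, postings: list) -> list:
    """Independent processing controls: record count, control total recomputed
    from the source data, and a per-record trace from each output to its input.
    Returns a list of findings; an empty list means the run reconciles."""
    findings = []
    expected_total = sum((interest_for(b)[1] for b in balances.values()), Decimal("0"))
    posted_total = sum((p["amount"] for p in postings), Decimal("0"))
    if len(postings) != len(balances):
        findings.append(f"record count: {len(postings)} postings for {len(balances)} accounts")
    if posted_total != expected_total:
        findings.append(f"control total: posted {posted_total}, expected {expected_total}")
    for p in postings:
        source = balances.get(p["acct"])
        if source is None:
            findings.append(f"{p['acct']}: no source record, output cannot be traced to input")
        elif p["amount"] != interest_for(source)[1]:
            findings.append(f"{p['acct']}: posted {p['amount']}, recomputed {interest_for(source)[1]}")
    return findings


if __name__ == "__main__":
    print("honest run:", reconcile(BALANCES, post_interest(BALANCES)) or "reconciles")
    for finding in reconcile(BALANCES, post_interest_salami(BALANCES)):
        print("salami run:", finding)
```

The reconciliation must be computed independently of the job it checks, from the source balances rather than from the job's own output; a control total that the tampered program is allowed to compute for itself proves nothing.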