Management Information Systems
Unit 15

Unit 15: Security and Ethical Issues

Structure
15.1 Introduction
15.2 Control Issues in Management Information Systems
15.2.1 Control
15.2.2 Security Control
15.2.3 Administrative Control
15.2.4 Information System Control
15.2.5 Input Control
15.2.6 Processing Control
15.2.7 Output Control
15.2.8 Storage Control
15.2.9 Procedural Control
15.2.10 Physical Facility Control
15.2.11 Physical Protection Control
15.2.12 Telecommunication Controls
15.2.13 Computer Failure Controls
15.3 Security Hazards
15.3.1 Security Techniques
15.3.2 Procedural Security Techniques
15.4 Ethical Issues
15.5 Technical Solutions for Privacy Protection
15.6 Summary
Terminal Questions
Answers to SAQs and TQs

Sikkim Manipal University
251


15.1 Introduction
Information systems operate in real-world situations or environments which are always changing, and problems or pitfalls are inevitably present. Information systems are vulnerable to various threats and abuses; among the exposed points are memory, communication links, terminals, etc. So, like any other asset, the resources of information systems, i.e. hardware, software and data, need to be protected, preferably by built-in controls, to assure their quality and security. This is one of the reasons to enforce control on management information systems.

Learning Objective: The student will learn about

1. Control issues in management information systems
2. Administrative control
3. The security hazards, which are very damaging if not taken care of
4. The ethics of business information systems

15.2 Control Issues in Management Information Systems

15.2.1 Control
Control is the process through which a manager assures that actual activities conform to standards, leading to the achievement of common goals. The control process consists of measuring progress towards the common goals, detecting deviations, if any, in time, and taking corrective action before things go beyond control. The basic steps in the control process are shown in the following figure.


Figure: Control Process. Establish standard of performance -> Measure performance -> Compare actual vs standard -> Corrective action (fed back into the standard of performance).

Why do we need to control management information systems?
Information systems operate in real-world situations which are always changing, and there are lots of problems. Information systems are vulnerable to various threats and abuses; some of the exposed points are memory, communication links, microwave signals, telephone lines, etc.

15.2.2 Security Control
The resources of information systems, like hardware, software and data, need to be protected, preferably by built-in controls, to assure their quality and security.
Types of Security Control:
1. Administrative control
2. Information systems control
3. Procedural control
4. Physical facility control


15.2.3 Administrative Control
Systems analysts are actually responsible for designing and implementing controls, but they need the help of top management in executing the control measures. Top executives provide leadership in setting the control policy; without their full support, the control system cannot achieve its goal. In addition, managers must be involved in functions such as effecting a control policy, selecting and assigning personnel, fixing responsibilities, preparing job descriptions, setting standards, preparing a strategic information plan and acquiring adequate insurance.

15.2.4 Information System Control
Information system controls assure the accuracy, validity and propriety of information system activities. Controls must be there to ensure proper data entry, processing techniques, storage methods and information output. Accordingly, management information system controls are designed to monitor and maintain the quality and security of the input, processing, output and storage activities of an information system.

15.2.5 Input Control
Whatever we give to the computer, the computer processes it and returns the result to us, so errors in the input become errors in the output. Because of this, there is a need to control the data entry process. The types of input control are:
i. Transaction codes: Before any transaction can be input into the system, a specific code should be assigned to it. This aids in its authorization.
ii. Forms: A source document or screen form should be used to input data, and such forms must adhere to certain rules.
iii. Verification: A source document prepared by one clerk can be verified by another clerk to improve accuracy.
iv. Control totals: Data entry and other system activities are frequently monitored by the use of control totals. For example, a record count is a control total that consists of counting the total number of source documents or other input records and comparing the count at later stages of data entry. If the totals do not match, a mistake is indicated.
v. Check digits: These are used for checking important codes, such as customer numbers, to verify their correctness.
vi. Labels: A label contains data such as the file name and date of creation, so that a check can be made that the correct file is used for processing.


vii. Character and field checking: Characters are checked for the proper mode (numeric, alphabetic, alphanumeric), and fields are checked to see if they are filled in properly.
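The input controls listed above can be demonstrated in code. The following Python example is added here and is not part of the original unit: it applies a check digit (the mod-10 Luhn scheme, assumed as the customer-number format), character and field checks, an authorised transaction-code list and control totals to a small constructed batch of order records. The record layout, the code list, the batch contents and the batch-header totals are all assumptions made for the example.

```python
"""Input controls (section 15.2.5) applied to a constructed batch of
customer-order records: transaction-code check, character/field checks,
a check digit on the customer number, and control totals (record count and
hash total) compared against the totals written on the batch header when the
source documents were counted."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Record:
    customer_no: str   # assumed format: 8 digits followed by 1 Luhn check digit
    txn_code: str      # assumed 3-letter transaction code, e.g. "SAL"
    amount: int        # whole currency units

# Assumed set of authorised transaction codes (control i).
TRANSACTION_CODES = {"SAL", "RET", "ADJ"}

def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def customer_no_valid(cust: str) -> bool:
    """Check-digit control (v): last digit must match the Luhn digit of the rest."""
    return bool(re.fullmatch(r"\d{9}", cust)) and luhn_check_digit(cust[:-1]) == cust[-1]

def field_errors(rec: Record) -> list[str]:
    """Character/field checks (vii) plus transaction-code (i) and check-digit (v)."""
    errs = []
    if not re.fullmatch(r"[A-Z]{3}", rec.txn_code):
        errs.append("txn_code must be 3 alphabetic characters")
    elif rec.txn_code not in TRANSACTION_CODES:
        errs.append(f"txn_code {rec.txn_code} not authorised")
    if not customer_no_valid(rec.customer_no):
        errs.append(f"customer_no {rec.customer_no} fails check digit")
    if not isinstance(rec.amount, int) or rec.amount <= 0:
        errs.append("amount must be a positive integer")
    return errs

def control_totals(records) -> dict:
    """Control totals (iv): record count and hash total of the amount field."""
    return {"count": len(records), "hash_total": sum(r.amount for r in records)}

def validate_batch(records, header):
    """Return (accepted records, error messages). The totals are computed over
    everything keyed in, rejected records included, because the header was
    counted from the source documents before any keying took place."""
    accepted, errors = [], []
    for i, rec in enumerate(records):
        errs = field_errors(rec)
        if errs:
            errors.append(f"record {i}: " + "; ".join(errs))
        else:
            accepted.append(rec)
    totals = control_totals(records)
    if totals != header:
        errors.append(f"control totals {totals} differ from batch header {header}")
    return accepted, errors

def example_batch():
    """Constructed batch: two good records and one with a bad code and check digit."""
    records = [
        Record("123456782", "SAL", 100),
        Record("000000018", "RET", 50),
        Record("123456783", "XYZ", 25),   # wrong check digit, unknown code
    ]
    header = {"count": 3, "hash_total": 175}   # totals taken from the source documents
    return records, header

if __name__ == "__main__":
    accepted, errors = validate_batch(*example_batch())
    print(len(accepted), "accepted;", errors)
```

The check digit catches single-digit keying errors and most transpositions, but it is not a security control against a deliberate forger, who can compute the digit too; that is what the transaction-code authorisation and the separately counted batch header are for.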

15.2.6 Processing Control
Input and processing of data are so interrelated that we can take them as the first line of defence. Once data is fed into the computer, controls embedded in the various computer programs help to detect not only input errors but also processing errors. Processing controls are included to check arithmetic calculations and logical operations. They are also used to ensure that data are not lost and do not go unprocessed. Processing control is further divided into hardware and software control.
1) Hardware control: These are built into the hardware itself to verify the accuracy of processing.
2) Software control: These are designed to assure that the right data is being processed. They are operating system or other software checks. Checking internal file labels at the beginning and at the end of magnetic tape and disk files is an example of software control. Another software control is the establishment of checkpoints during the processing of a program; these also help to build an audit trail.

15.2.7 Output Control
These are developed to ensure that processed information is correct and complete and is transmitted to authorized users in a timely manner. Output controls are mostly of the same kind as input controls, e.g. output documents and reports are thoroughly and visually verified by computer personnel and are properly logged and identified with routing slips. Control totals at the output stage are compared with the control totals at both the input and processing levels. A hard copy of the listing is maintained for evidence. End users are contacted for feedback about the quality of the information.

15.2.8 Storage Control
Control responsibility for files of computer programs and databases is given to a librarian or database administrator, who is responsible for maintaining and controlling access to the information. Databases and files are protected from unauthorized users and from accidental use. This can be achieved with the help of a security monitor. The method includes assigning account codes, passwords and other identification codes. A list of authorized users is provided to the computer system, with details such as the type of information they are authorized to retrieve or receive from it.


A three-level password system is also used: first the user has to give his or her unique ID; then he or she is asked for a password in order to get access to the information; finally, to access an individual file, a unique file name is to be entered. Sometimes a different name is given to the file for writing purposes, and this is another way to control errors.
Lastly, many firms also use backup files, which are duplicate files of data or programs, possibly stored somewhere else. Files are also protected by file retention measures, which involve keeping copies of files from previous periods. If the current file is corrupted, these are used to reconstruct a new file. Usually several generations of files are kept for this purpose.

15.2.9 Procedural Control
These methods provide maximum security to the operation of the information system. Some of the examples are:
Separation of duties: Each activity related to a computerized information system, such as systems development, computer operation, and control of data and program files, is assigned to a different group of persons. Systems analysts and programmers are not allowed to operate the computer or to handle the production data and program files; those files are maintained in the library, and responsibility for them is given to the DBA. Finally, a production control system may monitor the progress of information processing, data entry and the quality of input data.
Standard procedures: Standard procedures are developed and maintained in manuals and in built-in software help displays so that everyone knows what to do. This promotes uniformity and minimizes the chance of error and fraud. They should be kept up to date so that correct processing of each activity is made possible.
Authorization requirements: A formal review must take place before authorization is given on a request for system development, changes or system conversion. For example, if a program change is made by a maintenance programmer, it should be approved by the manager of the affected department as well as by the manager of programming and the manager of computer operations. Thus conversion to new hardware and software, installation of a newly developed information system, or changes to an existing program are subject to formal notification so that the accuracy and integrity of information processing operations can be maintained.

15.2.10 Physical Facility Control
Physical facility controls are methods that protect physical facilities and their contents from loss and destruction. Computer centres are prone to many hazards such as accidents, theft, fire, natural disasters, sabotage, vandalism, unauthorized use, industrial espionage, destruction, etc. Therefore physical safeguards and various control procedures are required to protect the hardware, software and vital data resources of computer-using organizations.
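The storage controls (15.2.8) and procedural controls (15.2.9) above can be combined into a small access-control monitor. The following Python example is added here and is not from the original unit: the users, passwords, file names and roles are constructed, and the password hashing and the separation-of-duties rule are the example's own choices rather than anything the text prescribes.

```python
"""Access-control monitor for storage control (15.2.8) and procedural control
(15.2.9): an authorised-user list stating what each user may do with each
file, the three-level check (user ID, then password, then file name) and a
separation-of-duties rule that keeps development roles away from production
files. Users, files and passwords below are constructed for the example."""
import hashlib
import hmac
import os

# Authorised-user list: user_id -> role, salted password hash, and the
# operations permitted on each file.
_USERS = {}

# Assumed production files and the roles that may never touch them.
PRODUCTION_FILES = {"CUSTMAST", "ORDERS"}
DEVELOPMENT_ROLES = {"analyst", "programmer"}

def _pw_hash(password, salt):
    """Store a PBKDF2-HMAC-SHA256 hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(user_id, password, role, files):
    salt = os.urandom(16)
    _USERS[user_id] = {"role": role, "salt": salt,
                       "hash": _pw_hash(password, salt), "files": files}

def authorise(user_id, password, file_name, op):
    """Three-level check; returns (granted, reason).

    The reason is for the audit log. The message shown to the user should be
    the same for every refusal so that valid IDs are not revealed."""
    user = _USERS.get(user_id)
    if user is None:                                     # level 1: unique ID
        return False, "unknown user id"
    if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["hash"]):
        return False, "bad password"                     # level 2: password
    if user["role"] in DEVELOPMENT_ROLES and file_name in PRODUCTION_FILES:
        # Separation of duties overrides whatever the per-file list says.
        return False, "separation of duties: development role on production file"
    allowed = user["files"].get(file_name)               # level 3: file name
    if allowed is None:
        return False, f"not authorised for file {file_name}"
    if op not in allowed:
        return False, f"{op} not permitted on {file_name}"
    return True, "ok"

def build_example_registry():
    """Constructed users: a data-entry clerk and a maintenance programmer."""
    _USERS.clear()
    add_user("clerk01", "s3cret", "clerk", {"ORDERS": {"read", "write"}})
    add_user("prog07", "hunter2", "programmer",
             {"ORDERS": {"read"}, "TESTDATA": {"read", "write"}})
    return sorted(_USERS)

if __name__ == "__main__":
    build_example_registry()
    print(authorise("clerk01", "s3cret", "ORDERS", "write"))
    print(authorise("prog07", "hunter2", "ORDERS", "read"))
```

Note that the programmer is refused on ORDERS even though the per-file list would allow reading it: the procedural rule is checked before the file-level list, which is the point of separating duties rather than relying on each file's entry being maintained correctly.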

15.2.11 Physical Protection Control
Many types of controlling technique exist today, such as ones in which only authorized personnel are allowed access to the computer centre. Such techniques include identification badges for information services personnel, electronic door locks, security alarms, security police, closed-circuit TV and other detection systems. Fire detection and extinguishing systems, fireproof storage vaults for the protection of files, emergency power systems, humidity, temperature and dust control, etc. are installed to protect the computer centre.

15.2.12 Telecommunication Controls
The telecommunication processor and control software play a vital role in the control of data communication activity. Data can be transmitted in coded form and decoded at the computer centre itself; the coding is called encryption and the decoding decryption. The coding is only useful if it can be reversed by the intended receiver alone, so the key used is the secret that must be protected, and the receiver should also be able to detect a message that was altered on the line.
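As an added example of the coding and decoding described above (not part of the original unit), the following Python code sends a record in encrypted form and checks on receipt that it was not altered on the line. It uses only the Python standard library so that every step is visible; the cipher construction (a keystream from HMAC-SHA256 in counter mode, with an encrypt-then-MAC tag over the ciphertext) is the example's own choice, and a production system should use AES-GCM or ChaCha20-Poly1305 from a vetted library instead of hand-built code.

```python
"""Telecommunication control (15.2.12): the terminal sends data in coded form
and the computer centre decodes it. Standard-library-only demonstration:
separate confidentiality and integrity keys derived from one shared secret,
a counter-mode keystream from HMAC-SHA256, and a tag over nonce||ciphertext
so that anything altered in transit is rejected before decoding."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keys(master: bytes):
    """Derive one key for encryption and a different one for the tag."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _keys(master)
    nonce = os.urandom(NONCE_LEN)          # fresh per message; never reuse under one key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master: bytes, message: bytes) -> bytes:
    """Verify the tag first; raise ValueError on tampering, else return plaintext."""
    enc_key, mac_key = _keys(master)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def tamper_detected(master: bytes, message: bytes) -> bool:
    """Flip one bit of the ciphertext and confirm the centre refuses it."""
    altered = bytearray(message)
    altered[NONCE_LEN] ^= 0x01
    try:
        decrypt(master, bytes(altered))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    key = b"shared-secret-between-terminal-and-centre"
    wire = encrypt(key, b"TRANSFER 5000 TO ACCT 123")
    print(decrypt(key, wire), tamper_detected(key, wire))
```

Without the tag, a stream cipher alone would let someone on the line flip bits of the amount field without knowing the key; the tag check before decryption is the part that turns "coded form" into a control.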

15.2.13 Computer Failure Controls
Computers can fail for several reasons, such as power failures, electronic circuitry malfunctions, mechanical malfunctions of peripheral equipment and hidden programming errors. To protect against these, failure precaution measures with automatic and remote maintenance capabilities may be required. Adequate electrical supply, humidity control, air conditioning and fire prevention standards must also be set. Computer operators must be trained and supervised carefully. Fault-tolerant computer systems may be installed to insure against computer failure.

Insurance: Adequate insurance coverage should be secured to protect business firms that use computerized information systems, since the financial losses can be very large. Many insurance companies offer special computer security policies. These include insurance against fire, natural disasters, vandalism and theft, insurance for data processing errors or omissions, and insurance for the bonding of information services personnel as a protection against fraud. The amount of such insurance should be enough to replace the affected computer equipment and facilities. Insurance is also available to cover the cost of reconstructing data and program files.


Self Assessment Questions 1: True or False
1. Control is the process through which a manager assures that actual activities are according to standards, leading to the achievement of common goals.
2. Input control is further divided into hardware and software control.
3. A list of authorized users is provided to the computer system with details such as the type of information they are authorized to retrieve or receive from it.
4. Insurance is also available to cover the cost of reconstructing data and program files.

15.3 Security Hazards
Security of the information system can be broken because of the following reasons:
i) Malfunctions: In this type of security hazard, all the components of a system are involved. People, software and hardware errors cause the biggest problems. More dangerous are the problems created by human beings through omission, neglect and incompetence.
ii) Fraud and unauthorized access: This hazard is due to dishonesty, cheating or deceit. It can be done through
a) Infiltration and industrial espionage
b) Tapping data from communication lines
c) Unauthorized browsing through files by online terminals, etc.
iii) Power and communication failure: In some locations these are the most frequent hazards of all, because the availability of both depends upon the location. Sometimes communication channels are busy or noisy. There are power cuts, and sometimes a high-voltage surge destroys a sensitive component of the computer.
iv) Fire hazard: It can happen because of electrical short circuits, flammable liquids, etc.
v) Sabotage and riots: Sometimes employees destroy the computer centre in case of a strike or lockout, or there may be riots in the area.
vi) Natural disasters: Natural disasters are not controllable. They are not frequent hazards, but if they happen they destroy or ruin things. Examples are earthquakes, floods, tornadoes and lightning.
vii) General hazards: This category covers many more hazards which are not covered anywhere else, are difficult to define and occur spontaneously.


15.3.1 Security Techniques
Security can be maintained at two levels: physical and procedural.
Physical Security: Physical security is further divided into:
a) Physical controlled access: Access control protection is the basis of a security system. If one can stop unwanted or unauthorized persons at the entry level, then half of the problems can be solved and harm can be reduced. This can be done with the help of the following methods: guards and special escorts, sign-in/sign-out, badges, carrels, closed-circuit monitors, paper shredders, one-way emergency doors, and a combination of various approaches or control devices.
b) Physical location: The location of the computer system is an important consideration in security planning. This can be addressed by any of the following:
(1) Locating the computer centre at a remote location that is distant from airports, heavy traffic and steam boilers.
(2) Locating the computer centre in a separate building.
(3) Not putting any sign on the computer site that identifies it to outsiders.
(4) Running power and communication lines underground; air intake devices should be duly fenced and placed very high.
(5) Keeping backups of the system at a distant place other than the computer centre.
c) Physical protection: Additional protective measures should be considered in an overall protection plan. These items are:
(1) Dumps and devices
(2) Emergency power (UPS) is maintained.
(3) Adequate and separate air conditioners and humidity control devices are there to control the environment.
(4) The equipment in the computer system is covered by plastic covers when not in use.
(5) Fire and smoke detectors are kept to protect against fire breakouts.


15.3.2 Procedural Security Techniques
Physical security deals with a number of hazards like fire, natural disasters, etc., while procedural controls deal with access control only. Sometimes procedural techniques take the help of physical techniques. Procedural techniques comprise the following:
a) Integrity: In the context of security, integrity means the assurance that the system is functionally correct and complete. The absence of integrity makes the other concepts ineffective. If a user is authorized to use item A from a file, he should see only item A and no other item of the file. Integrity also applies when a person has finished his work: his information should then be erased from the screen.
b) Isolation: In any system in which a high level of security is to be maintained, all components of the computer should be used in isolation. In a computer-based information system, this isolation should be maintained between users and information, as well as between hardware and software resources and processes.
c) Identification: If a system uses the technique of isolation, then it must have the ability to identify authorized and proper interfaces. The system must be able to distinguish which users can access the information and which cannot.
d) Authorization: Once a person has been identified, the question arises: what authority does he have? To maintain security, procedures must be set up to determine who has access to what files, who has the right to make additions and deletions, and who is responsible for administration of the database.
e) Authentication: It is an action which determines the validity of something. For this, one of the following processes must be followed:
(1) Physical observation
(2) Periodic disconnects and call-back procedures
(3) Periodic requests for further information or re-verification from the user.
f) Monitoring: Monitoring is the act of watching, checking or guarding something. This activity recognizes that eventually, either accidentally or intentionally, controls will be neutralized or broken. Some specific system capabilities which support monitoring are: firstly, the security system is installed for detection of security violations; if a violation is serious, it immediately locks the system against further work. All exceptional conditions shall be reported to internal audit for review. The system should collect data concerning all user access, such as user, terminal and type of processing, date, time of day and items accessed. These reports are reviewed systematically by the auditor and security officers.

Self Assessment Questions 2
1. In the _______ type of security hazard, all the components of a system are involved.
2. Physical security deals with a number of hazards like fire, natural disasters, etc., while procedural controls deal with _________ only.
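The monitoring capabilities in (f) of section 15.3.2 above can be illustrated with a few audit records. The following Python example is added here and is not from the original unit: the log lines, user names, terminals and authorised-items table are constructed, and the lock threshold of three failed logins is an assumption of the example.

```python
"""Monitoring (15.3.2 f) over constructed audit records carrying the fields
the text lists: user, terminal, type of processing, date, time and item
accessed, plus the outcome. Two detections are shown: repeated failed logins
lock the account (a serious violation), and any access to an item outside the
user's authorised set goes to the exception report for internal audit."""
from collections import defaultdict

# Constructed audit log, one record per line:
# date,time,user,terminal,processing,item,outcome
AUDIT_LOG = """\
2024-03-01,09:01:10,clerk01,T01,LOGIN,-,OK
2024-03-01,09:02:15,clerk01,T01,READ,ORDERS,OK
2024-03-01,09:05:40,prog07,T09,LOGIN,-,FAIL
2024-03-01,09:05:52,prog07,T09,LOGIN,-,FAIL
2024-03-01,09:06:03,prog07,T09,LOGIN,-,FAIL
2024-03-01,09:07:30,clerk01,T01,READ,PAYROLL,OK
2024-03-01,09:08:00,prog07,T09,LOGIN,-,OK
"""

# Assumed authorised-items table (what each user may access).
AUTHORISED = {"clerk01": {"ORDERS"}, "prog07": {"TESTDATA"}}
FAILED_LOGIN_LIMIT = 3          # assumed lock threshold

def parse(log_text):
    """Turn the comma-separated records into dicts."""
    rows = []
    for line in log_text.strip().splitlines():
        date, time, user, term, proc, item, outcome = line.split(",")
        rows.append({"date": date, "time": time, "user": user, "terminal": term,
                     "processing": proc, "item": item, "outcome": outcome})
    return rows

def monitor(rows):
    """Return (locked users, exception report lines) for the auditor's review."""
    locked, exceptions = set(), []
    failures = defaultdict(int)
    for r in rows:
        stamp = f"{r['date']} {r['time']} {r['user']}@{r['terminal']}"
        if r["user"] in locked:
            exceptions.append(f"{stamp}: activity while locked")
            continue
        if r["processing"] == "LOGIN":
            if r["outcome"] == "FAIL":
                failures[r["user"]] += 1
                if failures[r["user"]] >= FAILED_LOGIN_LIMIT:
                    locked.add(r["user"])
                    exceptions.append(f"{stamp}: locked after {FAILED_LOGIN_LIMIT} failed logins")
            else:
                failures[r["user"]] = 0
        elif r["item"] not in AUTHORISED.get(r["user"], set()):
            # The access succeeded (outcome OK): the access control was
            # bypassed, which is exactly the case monitoring exists to catch.
            exceptions.append(f"{stamp}: accessed {r['item']} without authorisation")
    return locked, exceptions

if __name__ == "__main__":
    for line in monitor(parse(AUDIT_LOG))[1]:
        print(line)
```

The PAYROLL read is the interesting line: the system let it through, so only an independent comparison of what was accessed against what was authorised surfaces it, and that comparison is only as good as the completeness of the fields the log records.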

15.4 Ethical Issues
Ethics is the study of the principles and practices which guide us in deciding whether an action taken is morally right or wrong. A well-defined and accepted code of conduct largely ensures the obligation of ethical use of IT for competitive advantage and material progress. Ethics is about values and human behaviour. Values and human behaviour are primarily regulated by various legal provisions and can be enforced through the courts. When an IT solution is conceived and designed, it is necessary to check whether it is legally tenable, along with its technical, operational and economic feasibility. Checking legal feasibility protects you from violation or breach of laws enacted for privacy protection and for the obligation to provide a healthy, hygienic and congenial work atmosphere.
What is proposed is that, when legal provisions and recourse to the justice system are not feasible, one should try to stay within the domain of ethics and achieve competitive advantage with the least negative impact.
Respecting ethical values means making a beginning to protect generally accepted individual human rights. The rights are:
a. The right to a healthy life and work safety.
b. The right to privacy.
c. The right to private intellectual property (information and knowledge).
d. The right to dissent.
e. The right to fair treatment and no discrimination.
f. The right to be treated by just due process.

Being ethical means making an ethical choice of IT solution and being responsible, accountable and liable for actions and consequences.


Self Assessment Questions 3: True or False
1. Ethics is the study of the principles and practices which guide us in deciding whether an action taken is morally right or wrong.
2. Checking technical feasibility protects you from violation or breach of laws enacted for privacy protection and for the obligation to provide a healthy, hygienic and congenial work atmosphere.
3. Respecting ethical values means making a beginning to protect generally accepted individual human rights.

15.5 Technical Solutions for Privacy Protection
Protecting the privacy of individuals and organisations assumed critical importance with the emergence of Internet and web technology. As Internet and web-enabled solutions became common, the individual's risk of privacy exposure increased manyfold. Implementation of a code of ethics and respect for moral values is an obligation on the organisation. Some technology solutions are also available to ensure such protection and obligation.
Before understanding these technology solutions, let us see how Internet and web-enabled IT solutions affect the privacy of the individual. The data entered, processed and sent through the Internet passes through different computer systems installed on networks across the world. These systems are capable of keeping a record of this communication traffic and can also capture and store the communication with all connecting references and identities.
This activity of capturing data, monitoring its use and storing it happens at the back end, without the knowledge of the user. The communication system's capabilities can identify and analyse the following:
a. Identification of the person or location from where an action has started, through the registration record.
b. Which files, websites and web pages were visited.
c. Which transactions have been attempted and completed, namely buying, selling, displaying, downloading and others.
If one puts these information sets together and analyses them, they may reveal personal data and the behaviour traits of an individual. This information can then be used proactively for relationship building and business promotion.
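To make the back-end analysis described above concrete, the following Python example (added here, not part of the original unit) joins constructed registration records and request-log lines on a session identifier and builds the per-person profile of pages visited and transactions attempted or completed. The log format, session identifiers and site paths are assumptions of the example.

```python
"""What the back end can reconstruct (15.5): registration records joined to
request-log lines on the session identifier give, per person, the pages
visited (item b) and the transactions attempted or completed (item c).
All data below is constructed for the example."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed registration records: session id -> who registered, from where.
REGISTRATIONS = {
    "s-7f3a": {"name": "A. Sharma", "city": "Gangtok"},
}

# Constructed request log: time session method path status
REQUESTS = """\
10:00:01 s-7f3a GET /products/insulin-pump 200
10:00:20 s-7f3a GET /products/glucose-monitor 200
10:01:05 s-7f3a POST /cart/add?sku=GM-200 200
10:01:30 s-7f3a POST /checkout?step=pay 500
10:02:00 s-7f3a POST /checkout?step=pay 200
10:03:00 s-9c1d GET /about 200
"""

def build_profiles(registrations, log_text):
    """Return {session: {identity, pages, transactions}} by joining the two sources."""
    profiles = defaultdict(lambda: {"identity": None, "pages": [], "transactions": []})
    for line in log_text.strip().splitlines():
        time, session, method, target, status = line.split()
        url = urlsplit(target)
        profile = profiles[session]
        profile["identity"] = registrations.get(session)     # item a: who, from where
        if method == "GET":
            profile["pages"].append(url.path)                  # item b: pages visited
        else:
            params = {k: v[0] for k, v in parse_qs(url.query).items()}
            profile["transactions"].append({                   # item c: attempted/completed
                "time": time, "action": url.path, "params": params,
                "completed": status == "200",
            })
    return dict(profiles)

if __name__ == "__main__":
    for session, profile in build_profiles(REGISTRATIONS, REQUESTS).items():
        print(session, profile)
```

Nothing in the individual records is secret on its own; the privacy exposure comes from the join. Here the page paths alone already suggest a medical condition for a named person in a named city, which is the kind of behaviour trait the text refers to.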


Tools to monitor visits to websites have become popular because of their ability to track the visitors and their usage of the website. Many websites ask for information about the visitors, and the visitor volunteers to register the information. But personal information can also be collected without the knowledge of the visitor using 'cookies'. The technology deposits tiny files on the computer's hard disk, known as cookies, which are designed to collect data about visitors and retain it for future guidance.
A 'web bug' is another tool, which gives the server the capability to monitor the behaviour of the visitor. Web bugs are tiny graphic files inserted in email messages and web pages. These tiny files identify the visitor, keep track of the pages visited and transmit this information to the website's monitoring computer.
To contain these practices, website owners provide a facility on the site by displaying boxes which show how the site would use the information and give the visitor the option to 'opt in' or 'opt out'. When the visitor chooses 'opt in', permission to collect and use the information is given by the visitor; if the choice is 'opt out', the visitor has not given consent to collect and use the information.
It is also a practice in the web community to declare the organisation's privacy policy on the site for visitors' review. A 'TRUSTe' seal backs such a publication; this seal is a stamp of confirmation that the organisation has agreed to adhere to established privacy principles of disclosure, choice, access and security. Such publications are also known as legal notices, disclaimers and privacy policies.
If a visitor wants self-generated technical solutions to safeguard the privacy of information, privacy protection tools are available. The presence of cookies can be controlled using 'cookie crusher' tools, which come along with the browser. Similarly, 'ad blocking' tools control or block the ads which pop up based on the visitor's interests. Encryption technology helps scramble a message or data so that nobody else can read and understand it.

Self Assessment Questions 4: True or False
1. As Internet and web-enabled solutions became common, the individual's risk of privacy exposure increased manyfold.
2. This activity of capturing data, monitoring its use and storing it happens at the front end without the knowledge of the user.
3. Web bugs are plain text files inserted in email messages and web pages, which monitor the visitor behaviour.

15.6 Summary
After going through this unit, students will have understood the control issues in management information systems. They will also have learnt about the ways in which administrative control works, about the security hazards, which are very damaging if not taken care of, and about the ethics of business information systems.

Terminal Questions
1. What are the various control issues in MIS?
2. Explain the various security hazards faced by an information system.
3. What are the ethical issues in MIS?

Answers to Self Assessment Questions
SAQ 1: 1 True, 2 False, 3 True, 4 True
SAQ 2: 1 malfunction, 2 access control
SAQ 3: 1 True, 2 False, 3 True
SAQ 4: 1 True, 2 False, 3 False

Answers to Terminal Questions
1. Refer 15.2
2. Refer 15.3
3. Refer 15.4
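Returning to the web bugs described in section 15.5: a receiving mail system or browser can look for them before the image is fetched, which is the moment the identifier would be transmitted to the monitoring computer. The following Python example is added here and is not from the original unit; the sample HTML email, the sender host and the list of identifier-looking query parameters are constructed assumptions.

```python
"""Web-bug detection (15.5): tiny or hidden images whose URL carries an
identifier so that fetching them tells a monitoring server who opened the
message. Scans a constructed HTML email for images that are 1x1 or hidden,
hosted somewhere other than the sender, or carrying identifier-like query
parameters, and reports why each one is suspicious."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample email: a real logo, a tracking pixel, a hidden image.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, see our offers.</p>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60">
<img src="https://track.third-party.test/open.gif?uid=8f31c2&cid=spring24" width="1" height="1">
<img src="https://cdn.example-shop.test/spacer.gif" style="display:none">
</body></html>"""

# Assumed list of query parameters that typically carry a recipient identifier.
ID_PARAMS = {"uid", "cid", "id", "email", "e", "token", "t", "rid"}

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "") for k, v in attrs})

def find_web_bugs(html, sender_host):
    """Return [{"src": ..., "reasons": [...]}] for every suspicious image."""
    parser = _ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.imgs:
        src = img.get("src", "")
        url = urlsplit(src)
        style = img.get("style", "").replace(" ", "")
        reasons = []
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 pixel")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if url.hostname and url.hostname != sender_host:
            reasons.append(f"third-party host {url.hostname}")
        if ID_PARAMS & set(parse_qs(url.query)):
            reasons.append("identifier in query string")
        if reasons:
            bugs.append({"src": src, "reasons": reasons})
    return bugs

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL, "cdn.example-shop.test"):
        print(bug)
```

Blocking remote images by default, as most mail clients now do, defeats the mechanism entirely; the detector is useful where images are allowed and one wants to know which of them is doing the reporting.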
