Module 5

Security and ethical issues in MIS

Security of an Information System

Information system security refers to the way the system is defended against unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction.

There are two major aspects of information system security −

 Security of the information technology used − securing the system from malicious cyber-attacks
that tend to break into the system and to access critical private information or gain control of
the internal systems.
 Security of data − ensuring the integrity of data when critical issues, arise such as natural
disasters, computer/server malfunction, physical theft etc. Generally, an off-site backup of data
is kept for such problems.

Guaranteeing effective information security has the following key aspects −

 Preventing the unauthorized individuals or systems from accessing the information.

 Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
 Ensuring that the computing systems, the security controls used to protect it and the
communication channels used to access it, functioning correctly all the time, thus making
information available in all situations.
 Ensuring that the data, transactions, communications or documents are genuine.
 Ensuring the integrity of a transaction by validating that both parties involved are genuine, by
incorporating authentication features such as "digital signatures".
 Ensuring that once a transaction takes place, none of the parties can deny it, either having
received a transaction, or having sent a transaction. This is called 'non-repudiation'.
 Safeguarding data and communications stored and shared in network systems

Control in MIS

Controls are constraints and other restrictions imposed on a user or a system, and they can be used to
secure systems agains the risk or to reduce damage caused to systems, applications, and data. Controls
are implemented not only for access but also to implement policies and ensure that nonsensical data is
not entered into corporate databases.Controls consist of all the methods, policies, and organizational
procedures that ensure the safety of the organizational assets the accuracy and reliability of its
accounting records, and operational adherence to management standards. Users and builders of
systems must pay close attention to controls throughout the systems life span.

Information system controls are methods and devices that attempt to ensure the accuracy, validity. and
propriety of information system activities. Information system (IS) controls must be developed to ensure
proper data entry. processing techniques. storage methods. and information output. Thus, IS controls
are designed to monitor and maintain the quality and secure at. passing, output, and storage activities
of any information system.

Type of Controls

C Computer systems are controlled by a combination of general controls and application controls.
General are the overall controls that establish framework for controlling the design, security, and use
Computer programs throughout an organization. While application controls are general controls that are
unique to each application:

1) Application control

i Input controls

ii Processing controls

iii Output controls

IV) Storage controls

2) General control

I Physical controls

ii Access controls

iii Data security

Application Controls

The application controls or the information system controls are designed to monitor and maintain the
quality and security of the input, processing, output, and storage activities of any information system.
Application controls include both automated und manmal procedures that ensure that only authorized
data are completely and accurately processed by an application. They cost of controls applied from the
business functional area of a particular system and from programmed procedures. The mformation
system controls can be classified as

1) Input Controls: Input controls are the procedures that check data for accuracy and completeness
when they enter the system. There are specific input controls for input authorization, data conversion,
data editing, and error handling

Examples: Input Controls

i) Edit Checks: Edit checks are the programmed routines that can be performed to edit input data for
errors before they are processed For example, data might be checked to make sure they were in the
right format (a password should contain only alphanumeric characters.

ii) Control Totals: Control totals ane the totals established before hand for input and processing
transaction computer can be programmed to conduct "reasonable checks" to determine if input data
exceed certain speed limits or are out of sequence. For example, a record count is a control total that
cons of counting the number of inpur recorda and comparing this total to the number of records
counted at other stages

2) Processing Control Processing controls are the routines for establishing that data are complete and
accurate du updating. These controls at developed to identify errors in arithmetic calculations and
logical operations, and to e that data are not lost.

Examples: Processing Controls

i) Checkpoint Checkpoints minimize the effect of processing errors or failures, since processing can be
restarted from the last checkpoint

ii ) Control Totals: Control total is a type of processing control also. Computer programs count the totals
fro transactions input or processed.

iii) Computer Matching: Computer matching matches input data with information build on master files.

For example, software checks the internal file labels on magnetic disk to identify the file and to provide
control tou for the data in the file

3) Output Controls: Output controls are the measures that ensure that the results of computer
processing are accurate complete, and properly distributed

Examples: Output Controls

i) Control Totals: Control totals on output are usually compared with control totals generated during the
impuls processing stages. The fotal number of transactions processed should be balanced with total
number of transact input or output check

ii) Report Distribution Logs: Documentation specifying that authorized recipients have received their
reports, checks, or other critical documents.
4) Storage Controls: Storage controls are the measures taken to protect our data resources Account
codes, passwords, and other security codes are used to allow access to authorized users only. Typically,
a multi level password is used However, for even stricter security, passwords can be encrypted.

Examples: Storage Controls

i) Passwords: Databases and files are protected from unauthorized access by security programs that
require prope identification before they can be used. Security codes like passwords are used for this
purpose.

ii) Backup Files: Backup files are duplicate files of data or programs. Such files may be stored in special
storage used to reconstruct new current files if current files are destroyed.

General Controls

General controls govern the design, security, and use of computer programs and the security of data
files in genen throughout the organization's information technology infrastructure. On the whole,
general controls apply to computerized applications and consist of a combination of hardware, software,
and manual procedures that create an overall control environment.

Types of General Controls

1) Physical Controls:

It refers to the protection of computer facilities and resources. This includes protecting physical
property such as computers, data centers, software, manuals, and networks.

Physical security may include several controls such as the following:

i) Appropriate design of the data center. For example, the site should be non-combustible and
waterproof.

ii) Shielding against electromagnetic fields. iii) Good fire prevention, detection, and extinguishing
systems, including sprinkler system, water pumps, and adequate drainage facilities. A better solution is
fire-enveloping Halon gas systems.

iv) Emergency power shut-off and backup batteries, which must be maintained in operational condition.

v) Properly designed, maintained, and operated air-conditioning systems.

vi) Motion detector alarms that detect physical intrusion.

2) Access Control:

It is the restriction of unauthorized user access to a portion of a computer system or to the entire
system. It is the major defense line against unauthorized insiders as well as outsiders. To gan acos a user
most first be authorized. Then, when the user attempts to gain access, he/she must be authenticated
Access to a computer system basically consists of three steps:

 Physical access to a terminal

 Access to the system, and
 Access to specific commands, transactions, privileges, programs, and data within the system

Access procedures match every valid user with a Unique User-Identifier (UID) They also provide an
authentication method to verify that users requesting access to the computer system are really who
they elam to be User identification can be accomplished when the following identifies cach user

 Something only the user knows, such as a password.

 Something only the user has, e.g., a smart card or a token.
 Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan It is
implemented via biometric controls, which can be physiological or behavioral, and whose cost is
relatively very.

3)Data Security Controls:

This security concerned with protecting data from accidental or intenuonal disclosure to unauthorized
persons, or from unauthorized modification or destruction. Data security functions are implemented
through operating systems, security access control programs, database/data communication products,
recommended backup/recovery procedures, application programs, and external control procedures.
Data security must address the following issues - confidentiality of data, access control, critical nature of
data, and integrity of data.

Data integrity is the condition that exists as long as accidental or intentional destruction, alteration, or
loss of data does not occur. It is the preservation of data for their intended use.

4) Other General Controls:

Several other types of controls are considered general Representative examples include the following

 Programming Controls: Errors in programming may result in costly problems. Causes include the
use of incorrect algorithms or programming instructions, carelessness, inadequate testing and
configuration management, or lax security. Controls include training, establishing standards for
testing and configuration management, and enforcing documentation standards.
 Documentation Controls: Manuals are often a source of problems because they are difficult to
interpret or may be out of date. Accurate writing, standardization updating, and testing are
examples of appropriate documentation controls. Intelligent agents can be used to prevent
documentation problems.
 System Development Controls: System development controls ensure that a system is developed
according established policies and procedures. Conformity with budget, timing, security
measures. and quality documentation requirements must be maintained.
Ethical issues in MIS

Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to
make choices to guide their behaviors. Information systems raise new ethical questions for both
individuals and societies because they create opportunities for intense social change, and thus threaten
existing distributions of power, money, rights, and obligations. Like other technologies, such as steam
engines, electricity, telephone, and radio, information technology can be used to achieve social
progress, but it can also be used to commit crimes and threaten cherished social values. The
development of information technology will produce benefits for many and costs for others.

Ethical issues in information systems have been given new urgency by the rise of the Internet and
electronic commerce. Internet and digital firm technologies make it easier than ever to assemble,
integrate, and distribute information, unleashing new concerns about the appropriate use of customer
information, the protection of personal privacy, and the protection of intellectual property.

Other pressing ethical issues raised by information systems include establishing accountability for
the consequences of information systems, setting standards to safeguard system quality that protect the
safety of the individual and society, and preserving values and institutions considered essential to the
quality of life in an information society.

The major ethical, social, and political issues raised by information systems include the following moral
dimensions:

 Information rights and obligations. What information rights do individuals and organizations
possess with respect to information about themselves? What can they protect? What
obligations do individuals and organizations have concerning this information?
 Property rights and obligations. How will traditional intellectual property rights be protected in a
digital society in which tracing and accounting for ownership are difficult and ignoring such
property rights is so easy?
 Accountability and control. Who can and will be held accountable and liable for the harm done
to individual and collective information and property rights?
 System quality. What standards of data and system quality should we demand to protect
individual rights and the safety of society?
 Quality of life. What values should be preserved in an information-and knowledge-based
society? Which institutions should we protect from violation? Which cultural values and
practices are supported by the new information technology?

The Types of The Threats of Information System Security

11.1 Unauthorized Access (Hacker and Cracker)

One of the most common security risks in relation to computerized information systems is the danger of
unauthorized access to confidential data .The main concern comes from unwanted intruders, or hackers,
who use the latest technology and their skills to break into supposedly secure computers or to disable
them .A person who gains access to information system for malicious reason is often termed of cracker
rather than a hacker.

11.2 Computer Viruses (Ran Weber ,1999)

Computer virus is a kind of nasty software written deliberately to enter a computer without the user’s
permission or knowledge ,with an ability to duplicate itself ,thus continuing to spread .Some viruses do
little but duplicate others can cause severe harm or adversely affect program and performance of the
system .Virus program may still cause crashes and data loss .In many cases ,the damages caused by
computer virus might be accidental ,arising merely as the result of poor programming .Type of
viruses ,for example ,worms and Trojan horses .

11.3 Theft

The loss of important hardware, software or data can have significant effects on an organization’s
effectiveness .Theft can be divided into three basic categories: physical theft, data theft, and identity
theft.

11.4 Sabotage

With regard to information systems , damage may be on purpose or accidental and carried out an
individual basis or as an act of industrial sabotage .Insiders have knowledge that provide them with
capability to cause maximum interruption to an agency by sabotaging information systems .Examples
include destroying hardware and infrastructure ,changing data ,entering incorrect data ,deleting
software ,planting logic bombs ,deleting data ,planting a virus .

11.5 Vandalism

Deliberate damage cause to hardware, software and data is considered a serious threat to information
system security .The threat from vandalism lies in the fact that the organization is temporarily denied
access to someone of its resources .Even relatively minor damage to parts of a system can have a
significant effect on the organization as a whole.

11.6 Accidents

Major of damage caused to information systems or corporate data arises as a result of human
error .Accidental misuse or damage will be affected over time by the attitude and disposition of the staff
in addition to the environment .Human errors have a greater impact on information system security
than do manmade threats caused by purposeful attacks .But most accidents that are serious threats to
the security of information systems can be mitigated