A procedure for protecting systems makes sure that the facility is physically secure, provides a recovery/restart capabilit...
A procedure for protecting systems makes sure that the facility is physically secure, provides a recovery/restart capability, and has access to backup files. The potential threats within a firm are :
- Errors and omissions
- Disgruntled and dishonest employees.
- Natural disasters.
- External attack.
Dishonest employees have an easier time identifying the vulnerabilities of a software system than outside hackers because they have access to the system for a much longer time and can capitalize on its weakness.
Fire and other man-made disasters that deny the system power conditioning, or needed supplies can have a crippling effect. Proper planning for safeguards against such disasters is critical, especially in organizations that depend on centralized database systems. Natural disasters are floods, hurricanes, snowstorms, lightning and other calamities.
System reliability is also important in system security design. For example, a facility plagued by hardware outages, bug-ridden software, or a deficient communication network can cause chaos for the end user.
The Personal Computer and System Integrity :
It is easy to make changes in accounting systems that require rigid controls. There is also a tendency to put everything on the microcomputer with hardly a backup. A third problem is the lack of audit trails in most off-the-shelf software packages. It is difficult to reconstruct transactions for audit purposes. Finally, as more personal computers are linked to company mainframes so remote users can access the data, the potential increases for altering the data deliberately or by mistake. Many of today’s operating systems contain no password.
Risk analysis :
The purpose of risk analysis is to determine the probability of problems occurring, the cost of each possible disaster, the areas of vulnerability, and the preventive measures to adopt as part of a security plan.
First, the designer lists the objectives of the system and evaluates them against the existing computer facility to determine the security requirements. The facility in turn, is evaluated against he potential hazards to determine the specific exposures. Security measures are then compared with specific exposures to pinpoint unacceptable exposures. The outcome is a draft specifying the preventive and recovery measures to be adopted for effective system security.
A special risk analysis matrix that specifies the risks, costs and effects, and probability of exposure helps the designer to determine the actions to be taken and how quickly they must be taken. The two key elements in risk analysis are the value or impact of a potential loss and the probability of loss. The goal is to identify the treat that results in the greatest monetary loss and provide protection to the appropriate degree.