Chapter 8 • Basic Systems Concepts and Tools 357
SYSTEM TESTING Certainly the most common and
effective of all IS controls is complete system testing. Each
program must be tested individually and in combination
with the other programs in the application. Managers
develop test data that have known results. Programs are run
with typical and atypical data, correct and erroneous data,
and the actual results are compared to what should be
produced. Testing occurs not only when systems are
initially developed but also when systems are modified.
(See Chapter 9 for a description of additional roles played
by users when testing a system.)
Controls in the Implementation Phase
Not all the elements necessary to assure proper systems
operation can be built into an application. Avoiding and
detecting inappropriate access or use, providing data
backups and system recovery capabilities, and formally
auditing the system are all ongoing control mechanisms.
As mentioned earlier, many application-level controls
work in concert with managerial controls. User-managers
are responsible for being familiar with any firm-wide
control mechanisms and identifying when additional ones
are needed for a specific application.
SECURITY The unauthorized use of data can result in a
material loss, such as the embezzlement of funds, or in losses
that are harder to measure, such as the disclosure of sensitive
data. In any case, the security of data and computers is necessary
so that employees, customers, shareholders, and others
can be confident that their interactions with the organization
are confidential and the business’s assets are safe.
Security measures are concerned with both logical
and physical access. Logical access controls are concerned
with whether users can run an application, whether they
can read a file or change it, and whether they can change
the access that others have. Managers work with systems
personnel to identify and maintain appropriate authorization
levels based on work roles and business needs. Two
mechanisms for controlling logical access are authentication
and authorization (Hart and Rosenberg, 1995):
Authentication involves establishing that the person
requesting access is who he or she appears to be. This is
typically accomplished by the use of a unique user
identifier and a private password.
Authorization involves determining whether or not
authenticated users have access to the requested resources
and what they can do with those resources. This is
typically accomplished by a computer check for permission
rights to access a given resource.
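The two mechanisms just described, as an added example that is not from the textbook: a user store holding only salted PBKDF2 password hashes is consulted for authentication, and a role-to-permission table is consulted for authorization, with the authorization check never reached unless authentication succeeds. The user IDs, passwords, roles, resource names and iteration count are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive a key from a password; returns (salt, key). A fresh salt is made if none given."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


# Constructed user store: only salted hashes are kept, never the password itself.
USERS = {}
for _uid, _pw, _role in [("alice", "correct horse battery", "clerk"),
                         ("bob", "staple-7-xyz", "supervisor")]:
    _salt, _key = hash_password(_pw)
    USERS[_uid] = {"salt": _salt, "key": _key, "role": _role}

# Constructed authorization table: role -> resource -> permitted actions.
PERMISSIONS = {
    "clerk": {"payroll_file": {"read"}},
    "supervisor": {"payroll_file": {"read", "write"}, "acl": {"change"}},
}


def authenticate(user_id: str, password: str) -> bool:
    """Authentication: is the requester who they claim to be? (user ID + private password)"""
    record = USERS.get(user_id)
    if record is None:
        # Derive anyway so an unknown ID costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["key"])


def authorize(user_id: str, resource: str, action: str) -> bool:
    """Authorization: may this (already authenticated) user perform action on resource?"""
    record = USERS.get(user_id)
    if record is None:
        return False
    allowed = PERMISSIONS.get(record["role"], {}).get(resource, set())
    return action in allowed


def access(user_id: str, password: str, resource: str, action: str) -> str:
    """Check authentication first, then authorization; return the access decision."""
    if not authenticate(user_id, password):
        return "denied: authentication failed"
    if not authorize(user_id, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "payroll_file", "read"))   # granted
    print(access("alice", "correct horse battery", "payroll_file", "write"))  # denied: not authorized
    print(access("carol", "anything", "payroll_file", "read"))               # denied: authentication failed
```

Note that the clerk's ability to read the payroll file does not let her change it, and that a change to the access others have (the "acl" resource) is a separate permission held only by the supervisor role, matching the three questions logical access controls answer in the text.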
Encryption techniques are used to encode data that
are transmitted across organizational boundaries. Data may
be stored in an encrypted form and then decrypted by the
application. Unless a user knows the decryption algorithm,
an encrypted file will be unreadable.
The physical security of specific computers and data
processing centers must also be established. Badge
readers; voice, fingerprint, and retina recognition; or combination
locks are common. Formal company statements
about computer ethics raise awareness of the sensitivity of
data privacy and the need to protect organizational data.
When combined with knowledge of the use of transaction
or activity logs that record the user ID, network location,
time stamp, and function or data accessed, many security
violations could be discouraged.
Because no security system is foolproof, detection
methods to identify security breaches are necessary.
Administrative practices to help deter computer security
abuses have been compiled by Hoffer and Straub (1989).
Detection methods include the following:
- Hiding special instructions in sensitive programs that log identifying data about users
- Analysis of the amount of computer time used by individuals
- Analysis of system activity logs for unusual patterns of use
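The last two detection methods, as an added example that is not from the textbook: it reads a constructed activity log carrying the fields named earlier (time stamp, user ID, network location, function, data accessed) and reports three kinds of unusual pattern: data access outside business hours, a user appearing from a network location not in that user's baseline, and more connected time in one day than a threshold. The log lines, baselines, business hours and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed activity log: time stamp, user ID, network location, function, data accessed.
LOG_LINES = """\
2024-03-04T08:55:00 alice 10.0.1.23 LOGIN -
2024-03-04T09:02:10 alice 10.0.1.23 READ customer_file
2024-03-04T09:40:00 alice 10.0.1.23 LOGOUT -
2024-03-04T13:00:00 bob 10.0.2.41 LOGIN -
2024-03-04T13:05:00 bob 10.0.2.41 READ payroll_file
2024-03-04T23:30:00 bob 10.0.2.41 LOGOUT -
2024-03-05T02:10:00 alice 198.51.100.7 LOGIN -
2024-03-05T02:12:30 alice 198.51.100.7 READ payroll_file
2024-03-05T02:14:00 alice 198.51.100.7 CHANGE payroll_file
2024-03-05T02:20:00 alice 198.51.100.7 LOGOUT -
"""

# Assumed per-user baseline of usual network locations (in practice learned from history).
BASELINE_LOCATIONS = {"alice": {"10.0.1.23"}, "bob": {"10.0.2.41"}}
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59, Monday to Friday (assumption)
MAX_DAILY_MINUTES = 480           # more connected time than this in one day is unusual (assumption)


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, loc, func, data = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "loc": loc, "func": func, "data": data})
    return events


def find_anomalies(events):
    """Return (kind, user, detail) findings for the three patterns described above."""
    findings = []
    seen_locations = set()
    session_start = {}                   # user -> LOGIN time of the open session
    minutes = defaultdict(float)         # (user, day) -> connected minutes

    for e in events:
        ts, user, loc = e["ts"], e["user"], e["loc"]

        # 1. Activity from a network location this user has not used before (reported once).
        if loc not in BASELINE_LOCATIONS.get(user, set()) and (user, loc) not in seen_locations:
            seen_locations.add((user, loc))
            findings.append(("new_location", user, loc))

        # 2. Data access outside business hours or at the weekend.
        if e["func"] not in ("LOGIN", "LOGOUT"):
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                findings.append(("off_hours", user, f"{ts.isoformat()} {e['func']} {e['data']}"))

        # 3. Accumulate connected time per user per day from LOGIN/LOGOUT pairs.
        if e["func"] == "LOGIN":
            session_start[user] = ts
        elif e["func"] == "LOGOUT":
            start = session_start.pop(user, None)
            if start is not None:
                minutes[(user, start.date().isoformat())] += (ts - start).total_seconds() / 60

    for (user, day), m in minutes.items():
        if m > MAX_DAILY_MINUTES:
            findings.append(("excessive_time", user, f"{day} {m:.0f} min"))
    return findings


def analyze(text=LOG_LINES):
    """Parse a log and return its findings."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for kind, user, detail in analyze():
        print(f"{kind:15} {user:8} {detail}")
```

On the constructed log this reports alice's first appearance from 198.51.100.7, her two payroll-file accesses at two in the morning, and bob's 630 minutes connected on 4 March; each finding carries the user ID and the data accessed so that the reviewer can follow up from the log rather than from memory.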
With the rise of end-user computing and use of the
Internet, additional risks due to inappropriate behaviors
while using these tools, as well as issues stemming from
work-related use of home PCs, have emerged. Some specific
end-user computing risks and controls are discussed in
Chapter 13. Today, organizations are developing similar
controls to manage intranets and access to external Web
sites from intranets.
BACKUP AND RECOVERY The ultimate protection
against many system failures is to have a backup copy.
Periodically a file can be copied and saved in a separate
location such as a bank vault. Then, when a file becomes
contaminated or destroyed, the most recent version can be
restored. Of course, any changes since the last copy was
made will not appear. Thus, organizations often also keep
transaction logs (a chronological history of changes to
each file) so these changes can be automatically applied to
a backup copy to bring the file up to current status.
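Restoring the most recent backup and applying the transaction log to bring the file up to date, as an added example that is not from the textbook: the backup records the sequence number of the last logged change it already contains, recovery replays only the entries logged after that point, and a gap in the log (a missing entry) stops recovery rather than producing a file that silently lacks a change. The records, operations and sequence numbers are constructed.

```python
import copy
from dataclasses import dataclass


@dataclass
class Change:
    """One transaction-log entry: a numbered change to one record of the file."""
    seq: int            # sequence number, increasing by one per change
    op: str             # "put" (insert or update) or "delete"
    record_id: str
    value: dict = None  # new contents for "put"; unused for "delete"


def apply_change(data, change):
    """Apply a single logged change to an in-memory copy of the file."""
    if change.op == "put":
        data[change.record_id] = dict(change.value)
    elif change.op == "delete":
        data.pop(change.record_id, None)
    else:
        raise ValueError(f"unknown operation {change.op!r}")


def take_backup(master, last_seq):
    """Copy the master file and remember the last log entry it already contains."""
    return {"data": copy.deepcopy(master), "as_of_seq": last_seq}


def recover(backup, transaction_log):
    """Restore the backup, then roll forward every change logged after it was taken."""
    data = copy.deepcopy(backup["data"])
    last = backup["as_of_seq"]
    for change in sorted(transaction_log, key=lambda c: c.seq):
        if change.seq <= last:
            continue                      # already reflected in the backup
        if change.seq != last + 1:
            # A missing entry means a consistent current state cannot be reached.
            raise RuntimeError(f"transaction log gap after seq {last}")
        apply_change(data, change)
        last = change.seq
    return data, last


def demo():
    """Constructed scenario: changes, a backup, more changes, then loss of the master file."""
    master = {"C100": {"name": "Acme", "balance": 500}}
    log = []

    def record(op, record_id, value=None):
        change = Change(seq=len(log) + 1, op=op, record_id=record_id, value=value)
        log.append(change)                # write the log entry ...
        apply_change(master, change)      # ... and the change to the master file

    record("put", "C101", {"name": "Birch", "balance": 120})  # seq 1
    backup = take_backup(master, last_seq=len(log))          # backup reflects seq 1
    record("put", "C100", {"name": "Acme", "balance": 350})  # seq 2
    record("delete", "C101")                                 # seq 3
    record("put", "C102", {"name": "Cedar", "balance": 80})  # seq 4

    expected = copy.deepcopy(master)
    master.clear()                        # the master file is destroyed

    recovered, at_seq = recover(backup, log)

    # A log with entry 3 missing must be refused rather than silently replayed.
    try:
        recover(backup, [c for c in log if c.seq != 3])
        gap_detected = False
    except RuntimeError:
        gap_detected = True

    return {"restored_matches": recovered == expected, "at_seq": at_seq,
            "recovered": recovered, "gap_detected": gap_detected}


if __name__ == "__main__":
    print(demo())
```

The point of carrying `as_of_seq` with the backup is that recovery can tell which logged changes the copy already includes; without it, replaying the whole log would re-apply changes already present, which is harmless for overwrites here but not for every kind of operation.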
A common flaw in backup plans is storing the file
backup in the same location as the master file. If stored
in the same location, a backup is no more likely to
survive a fire, flood, or earthquake than its source file. A
secure, off-site location for the backup must be provided,
along with a foolproof tracking system.
Some organizations (such as airlines, banks, and
telephone networks) can operate only if their online