Chapter 14

Chapter 15 Design System Interfaces, Controls, and Security
Systems Analysis and Design in a Changing World, 5th Edition

Learning Objectives
• Discuss examples of system interfaces found in information systems
• Define system inputs and outputs based on the requirements of the application program
• Design printed and on-screen reports appropriate for recipients
• Explain the importance of integrity controls
• Identify required integrity controls for inputs, outputs, data, and processing
• Discuss issues related to security that affect the design and operation of information systems

Overview
• This chapter focuses on system interfaces, system outputs, and system controls that do not require much human interaction
• Many system interfaces are electronic transmissions or paper outputs to external agents
• System developers need to design and implement integrity and security controls to protect system and its data
• Outside threats from Internet and e-commerce are growing concern

Identifying System Interfaces
• System interfaces are broadly defined as inputs or outputs with minimal or no human intervention
  - Inputs from other systems (messages, EDI)
  - Highly automated input devices such as scanners
  - Inputs that are from data in external databases
  - Outputs to external databases
  - Outputs with minimal HCI
  - Outputs to other systems
  - Real-time connections (both input and output)

Full Range of Inputs and Outputs
Figure 15-1

eXtensible Markup Language (XML)
• Extension of HTML that embeds self-defined data structures in textual messages
• Transaction that contains data fields can be sent with XML codes to define meaning of data fields
• XML provides common system-to-system interface
• XML is simple and readable by people
• Web services are based on XML to send business transactions over the Internet

System-to-System Interface Based on XML
Figure 15-2

Design of System Inputs
• Identify devices and mechanisms used to enter input
• Identify all system inputs and develop list of data content for each
• High-level review of most up-to-date methods to enter data
• Provide link between design of application software and design of user and system interfaces
• Determine controls and security necessary for each system input

Input Devices and Mechanisms
• Capture data as close to original source as possible
• Use electronic devices and automatic entry whenever possible
• Avoid human involvement as much as possible
• Seek information in electronic form to avoid data reentry
• Validate and correct information at entry point

Prevalent Input Devices to Avoid Human Data Entry
• Magnetic card strip readers
• Bar code readers
• Optical character recognition readers and scanners
• Radio-frequency identification tags
• Touch screens and devices
• Electronic pens and writing surfaces
• Digitizers, such as digital cameras and digital audio devices

Defining the Details of System Inputs
• Ensure all data inputs are identified and specified correctly
• Can use traditional structured models
  - Identify automation boundary
    - Use DFD fragments
    - Segment by program boundaries
  - Examine structure charts
    - Analyze each module and data couple
    - List individual data fields

Automation Boundary on a System-Level DFD
Figure 15-3

Create New Order DFD with an Automation Boundary
Figure 15-4

List of Inputs for Customer Support System
Figure 15-5

Structure Chart for Create New Order
Figure 15-6

Data Flows, Data Couples, and Data Elements Making Up Inputs
Figure 15-7

Using Object-Oriented Models
• Identifying user and system inputs with OO approach has same tasks as traditional approach
• OO diagrams are used instead of DFDs and structure charts
• System sequence diagrams identify each incoming message
• Design class diagrams and sequence diagrams identify and describe input parameters and verify characteristics of inputs

Partial System Sequence Diagram for Payroll System Use Cases
Figure 15-8

System Sequence Diagram for Create New Order
Figure 15-9

Input Messages and Data Parameters from RMO System Sequence Diagram
Figure 15-10

Designing System Outputs
• Determine each type of output
• Make list of specific system outputs required based on application design
• Specify any necessary controls to protect information provided in output
• Design and prototype output layout
• Ad hoc reports – designed as needed by user

Defining the Details of System Outputs
• Type of reports
  - Printed reports
  - Electronic displays
  - Turnaround documents
• Can use traditional structured models to identify outputs
  - Data flows crossing automation boundary
  - Data couples and report data requirements on structure chart

Table of System Outputs Based on Traditional Structured Approach
Figure 15-11

Using Object-Oriented Models
• Outputs indicated by messages in sequence diagrams
  - Originate from internal system objects
  - Sent to external actors or another external system
• Output messages based on an individual object are usually part of methods of that class object
• To report on all objects within a class, class-level method is used that works on entire class

Table of System Outputs Based on OO Messages
Figure 15-12

Designing Reports, Statements, and Turnaround Documents
• Printed versus electronic
• Types of output reports
  - Detailed
  - Summary
  - Exception
  - Executive
• Internal versus external
• Graphical and multimedia presentation

RMO Summary Report with Drill Down to the Detailed Report
Figure 15-16

Sample Bar Chart and Pie Chart Reports
Figure 15-17

Formatting Reports
• What is objective of report?
• Who is the intended audience?
• What is media for presentation?
• Avoid information overload
• Format considerations include meaningful headings, date of information, date report produced, page numbers

Designing Integrity Controls
• Mechanisms and procedures built into a system to safeguard it and information contained within
• Integrity controls
  - Built into application and database system to safeguard information
• Security controls
  - Built into operating system and network

Objectives of Integrity Controls
• Ensure that only appropriate and correct business transactions occur
• Ensure that transactions are recorded and processed correctly
• Protect and safeguard assets of the organization
  - Software
  - Hardware
  - Information

Points of Security and Integrity Controls
Figure 15-18

Input Integrity Controls
• Used with all input mechanisms
• Additional level of verification to help reduce input errors
• Common control techniques
  - Field combination controls
  - Value limit controls
  - Completeness controls
  - Data validation controls
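
An added example (not from the original slides) that applies the four control techniques listed above to an XML order message of the kind the chapter describes arriving from another system. The element names, payment codes and quantity limit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample message; element names and limits are assumptions.
SAMPLE_ORDER = """<order>
  <customerId>C1042</customerId>
  <orderDate>2024-03-01</orderDate>
  <shipDate>2024-02-27</shipDate>
  <quantity>5000</quantity>
  <paymentType>card</paymentType>
</order>"""
REQUIRED = ("customerId", "orderDate", "quantity", "paymentType")
PAYMENT_TYPES = {"card", "invoice"}
MAX_QUANTITY = 999  # hypothetical business limit

def check_order(xml_text):
    """Return the integrity-control violations found in one order message."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["validation: message is not well-formed XML"]
    fields = {el.tag: (el.text or "").strip() for el in root}
    errors = []
    # Completeness control: every required field is present and non-empty.
    for name in REQUIRED:
        if not fields.get(name):
            errors.append(f"completeness: {name} missing")
    # Data validation control: correct type, known code values, real dates.
    qty, dates = None, {}
    raw_qty = fields.get("quantity", "")
    if raw_qty.isascii() and raw_qty.isdigit():
        qty = int(raw_qty)
    elif raw_qty:
        errors.append("validation: quantity not a whole number")
    if fields.get("paymentType") and fields["paymentType"] not in PAYMENT_TYPES:
        errors.append("validation: unknown paymentType")
    for name in ("orderDate", "shipDate"):
        if fields.get(name):
            try:
                dates[name] = date.fromisoformat(fields[name])
            except ValueError:
                errors.append(f"validation: {name} not a date")
    # Value limit control: numeric value falls in a reasonable range.
    if qty is not None and not 1 <= qty <= MAX_QUANTITY:
        errors.append("value limit: quantity out of range")
    # Field combination control: related fields must agree with each other.
    if len(dates) == 2 and dates["shipDate"] < dates["orderDate"]:
        errors.append("field combination: shipDate before orderDate")
    return errors
```

For messages from partners outside the organization, parse with a hardened XML library such as defusedxml before running these checks.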

Database Integrity Controls
• Access controls
• Data encryption
• Transaction controls
• Update controls
• Backup and recovery protection

Output Integrity Controls
• Ensure output arrives at proper destination and is correct, accurate, complete, and current
• Destination controls - output is channeled to correct people
• Completeness, accuracy, and correctness controls
• Appropriate information present in output

Integrity Controls to Prevent Fraud
• Three conditions are present in fraud cases
  - Personal pressure, such as desire to maintain extravagant lifestyle
  - Rationalizations, including “I will repay this money” or “I have this coming”
  - Opportunity, such as unverified cash receipts
• Control of fraud requires both manual procedures and computer integrity controls

Fraud Risks and Prevention Techniques
Figure 15-19

Designing Security Controls
• Security controls protect assets of organization from all threats
  - External threats such as hackers, viruses, worms, and message overload attacks
• Security control objectives
  - Maintain stable, functioning operating environment for users and application systems (24 x 7)
  - Protect information and transactions during transmission outside organization (public carriers)

Security for Access to Systems
• Used to control access to any resource managed by operating system or network
• User categories
  - Unauthorized user – no authorization to access
  - Registered user – authorized to access system
  - Privileged user – authorized to administrate system
• Organized so that all resources can be accessed with same unique ID/password combination

Users and Access Roles to Computer Systems
Figure 15-20

Managing User Access
• Most common technique is user ID / password
• Authorization – Is user permitted to access?
• Access control list – users with rights to access
• Authentication – Is user who they claim to be?
• Smart card – computer-readable plastic card with embedded security information
• Biometric devices – keystroke patterns, fingerprinting, retinal scans, voice characteristics

Data Security
• Data and files themselves must be secure
• Encryption – primary security method
  - Altering data so unauthorized users cannot view
• Decryption
  - Altering encrypted data back to its original state
• Symmetric key – same key encrypts and decrypts
• Asymmetric key – different key decrypts
• Public key – public encrypts; private decrypts

Symmetric Key Encryption
Figure 15-22

Asymmetric Key Encryption
Figure 15-23

Digital Signatures and Certificates
• Encryption of messages enables secure exchange of information between two entities with appropriate keys
• Digital signature encrypts document with private key to verify document author
• Digital certificate is institution’s name and public key that is encrypted and certified by third party
• Certifying authority
  - VeriSign or Equifax

Using a Digital Certificate
Figure 15-24

Secure Transactions
• Standard set of methods and protocols for authentication, authorization, privacy, integrity
• Secure Sockets Layer (SSL) renamed as Transport Layer Security (TLS) – protocol for secure channel to send messages over Internet
• IP Security (IPSec) – newer standard for transmitting Internet messages securely
• Secure Hypertext Transport Protocol (HTTPS or HTTP-S) – standard for transmitting Web pages securely (encryption, digital signing, certificates)

Summary
• System interfaces include all inputs and outputs except those that are part of GUI
• Designing inputs to system is three-step process
  - Identify devices/mechanisms used to enter input
  - Identify system inputs; develop list of data content
  - Determine controls and security necessary for each system input
• Traditional approach to design inputs and outputs
  - DFDs, data flow definitions, structure charts

Summary (cont’d)
• OO approach to design inputs and outputs
  - Sequence diagrams, class diagrams
• Integrity controls and security designed into system
  - Ensure only appropriate and correct business transactions occur
  - Ensure transactions are recorded and processed correctly
  - Protect and safeguard assets of the organization
  - Control access to resources