The Computer Revolution/Internet/Security

From Wikibooks

Security

Overview

Internet security falls into categories of software that have been developed to ensure that we all enjoy ourselves on the internet. There are three major areas of concern surrounding internet security: , Authentication of the information ( the information is authentic), authorization( the user has permission to use it), and confidentiality. Confidentiality is a area of major concern because many people shop online, bank online etc. We need to know that our information will not be published to the masses when we enter a site. There is an institutes that has complied a database and training program for the internet called CERT. \ The security is some times important since it can lead your life in danger ,you may create a new Email but for sure you can not delete the information which is stolen .

AQA Information and Communication Technology/Human-Computer Interaction

From Wikibooks

Definition

Human-Computer interaction is concerned with the design, evaluation and implementation of interactive computer systems, using Human-Computer interfaces in the safest and most healthy way.

Ergonomics

Ergonomics are the designs and functionality of the environment. Applying this would be a study of the environment to see how improvement can be made more comfortable for the users.

Measures to improve the ergonomics include:

• Improved lighting
• Furniture better suited

Why is this important?

• Could improve productivity
• Prevent RSI (Repetitive Strain Injury).
  • With adjusable chairs and furniture in the right positions, could be prevented.
• Energy Efficiency
• Improve Job satisfaction (motivates)

Psychological Factors

The understanding of how users receive, process and store information.

Information can be received by 4 main ways:

• Vision (seeing)
  • Distinguishing colours can effect how a person reacts to a situation (Red means Warning or Danger). This shouldn't be relied on because of colour blindness.
• Hearing
  • Most commonly sounds are used in warning messages - the Dong in Windows. This is standard and therefore the user knows straight away that it is a warning.
• Touch
  • Human nature wants something to ensure a button has been pressed - buttons allow that pressure to be enforced.
• Movement
  • The movement of small objects is understandably difficult.

AQA Information and Communication Technology/Database Management Concepts

From Wikibooks

Early databases were flat-file, meaning they were small, had lots of duplicated data and could not relate data to each other. As a result of data duplication, data can be inconsistent in separate parts of the database. Flat-files also tended to be unique to a particular program, making data portability difficult.

A database management system (DBMS) was conceived to help alleviate these shortcomings. This model gives three properties:

• Entities - An area of interest about which the data may be held
• Attributes - Properties of entities
• Relationships - A link between entities
  There are different types of relationships:
  • One-to-one - where an entity has a single link to another entity
  • One-to-many - where an entity may link to many other entities
  • Many-to-many - lots of one-to-ones

By using relationships, you can link data and have queries that will update linked data at the same time, saving time and increasing the accuracy of data. The Wikipedia has more information about DBMS's.

The role of a database administrator (DBA) is to manage and maintain the DBMS for most efficient usage. The DBA maintains access rights, relationships and updates the database of the design if need be.

Data normalisation is the process of increasing database efficiency by reducing duplication of records and producing the best possible database design. A normalised database is consistent and flexible.

Data consistency is ensuring that the data is consistent across all occurances of it (this is made simple using relationships).

Data integrity is the quality of the data held in the database.

Data redundancy is where data is unnecessarily duplicated.

Data independence is where data should be independent of any other changes in the database.

AQA Information and Communication Technology/Policy and Strategy Issues

From Wikibooks

The use of ICT has exploded, it is no longer used by just experts, so an IT policy is required to manage IT resources in an effective and efficient way and to avoid fragmentation between departments of IT systems.

A single IT policy allows for an overall view and control of an organisation's IT setup. It is important to ensure that the policy reinforces the overall strategy of the organisation.

If each section is allowed to develop individually, without an overall IT policy, it would make it difficult to introduce systems such as Management Information Systems

It is important to acknowledge the different needs of users when creating an overall IT policy, however.

• The graphics department may need a higher spec of machine to deal with image/video manipulation
• The publishing department may prefer using Macs.
• Operational users may need to interact with the system in a different way to the tactical/strategic users.

A good IT policy will deal with issues such as:

• Access to information - who needs it?
• How will internal communication work
• How will data be captured?

In order to be successful in the long-term, the IT policy will need to be flexible to deal with new technology, new requirements, and changes to the organisational structure.

Centralised approach

A centralised system is one where the whole IT system in an organisation is ran by a specific area of the company, sometimes called Information Systems.

It has various advantages, such as:

• Increased hardware and software compatability
• The ability to take advantage of economies of scale
• Ease of transfer of data
• Simpler maintenance
• Easier training/reuse of skills due to consistent interface

Decentralised approach

In this approach, each department has it's own strategy and allows for them to plan their IT system exactly to their needs. This has several disadvantages, such as a lack of coherence among the whole organisation, and the lack of expertise.

Upgrading systems

There are various reasons you may wish to upgrade a system. For example, you may have a legacy system that is no longer supported by the vendor and is difficult to maintain and is inefficient. However, even current software may need upgrading. It may not be meeting the needs of the organisation, or the organisation may wish to take advantage of features that may exist in newer versions of the software, or may just want to improve performance with faster hardware. Changes in the organisational structure, objectives, or just a "cutting-edge" business culture may result in upgrades.

Don't upgrade

• This is not always the cheapest option, although involves the least initial capital.
• Is upgrading really necessary?
• Is our current system sufficient to our needs?
• There's no training costs or change management required, and little risk
• The only costs are maintenance costs

Upgrade the entire system

• This involves a lot of capital expenditure
• Has large technical and support implications
• This may involve a totally new infrastructure set up
• High risk

Partial upgrade

• Only upgrade who needs it
• Cheaper than all at once
• May cause incompatibilites in the IT systems
• Medium risk

Future proofing

Future proofing is impossible, and it is impossible to know with certainty what the future will hold. It is only possible to prepare for what could happen.

This generally involves purchasing software with a clear upgrade path, or developing software making it easy to expand in the future. Alternatively, this could be purchasing systems with a higher specification than the organisation actually needs in order to allow for future growth.

A method of future-proofing is leasing, where an organisation leases it's IT systems, and does not actually own it. Therefore, upgrading occurs as part of the lease.

Emulation

Emulation is where software is used to run software which is not designed to run on a particular system. For example, software written to run on a specific hardware platform can be emulated to run on another using emulation software. Of course, it is impossible for this to be anywhere near as efficient as running it on the original hardware, but does reduce the hardware costs of having to buy many bits of different hardware. Additionally, an emulator may not fully emulate all the areas of the hardware it is emulating, so the program may not work as intended.

Hardware emulation also exists, where a piece of hardware emulates another piece to provide compatability with systems designed to use that hardware.

Backup Strategies

This should be part of the corporate IS security policy, as backups are often a weakpoint in security of IS.

A backup strategy should ask these 3 basic questions:

• How often? (the frequency)
• What? (areas to backup)
• Where? (storage of backup)

When deciding on an appropriate backup strategy, we must consider:

• Value of data
• Quantity of data
• Frequency of data change
• Resources available

Backup media

A range of backup media is available, from the old fashioned, but still popular, magnetic tape, Zip drives, or more recently, recordable DVDs and USB flash drives.

Other methods of backup could be online, including RAID (a redundant array of independent disks) which makes backups of data constantly.

Backup strategies

• Full backups
  • All data is backed up
  • For large amounts of data, this takes a long time and requires a lot of space

• Partial backups
  • Only part of the data is backed up at a time. For example, one night might backup the Payroll database, and on the next night, the e-mails are backed up
  • Makes large data sources more managable

• Incremental backups
  • Full backups are made occasionally
  • Incremental backups only back up what's different from the last full backup

• Batch process
  • Similar to incremental backups, but used for databases

• Grandfather-Father-Son Backup
  • Most popular method of backing up
  • A copy of the masterfile and transaction is made at the grandfather level
  • At the father level, a copy of the transaction file and the masterfile as a result of the grandfather master file and transaction file is made.
  • At the son level, a copy of the transaction file and the masterfile as a result of the father master file and transaction file is made.

AQA Information and Communication Technology/User Support

From Wikibooks

User support is now a crucial part of most commerical packages available today. As software becomes more and more complex, users require support in order to use the software.

A good level of support will cost the company more money, but this can be passed on in either the purchase costs, or in a yearly subscription. However, the company's reputation will improve if it has a reputation for good support.

Help desk

A help desk is a form of expert system, or knowledge base. It contains a clever search system, and users can also browse categories to see if their problem has been documented. All common problems, and a lot of not-so-common problems are documented on a help desk.

Technical support line

This is a telephone support line manned by real people, who normally access a knowledge base and walk people through procedures.

Technical support lines are often manned by experts who may have difficulty communicating with managers and business users.

On-screen help

This is normally context sensitive. For example, pressing F1 will bring up the help screen for the task you're currently attempting to perform.

Also, on-screen tutorials and wizards exist to make the package easier to use by walking the user through tasks.

On-site support

This is where the developers attend on-site to assist people with their software installations. This only typically happens with large/complex orders, or with custom software, as the cost of such support is very high.

Patches/bug fixes

If a company discovers a bug in their software, they may release a patch that fixes that image. Patches are typically distributed over the Internet, or on CD-ROM from a technical support line.

Peer support

This is where usergroups exist (mainly on forums or Usenet) who help people with problems.

BBS

This is an area of the Internet where files and upgrades to items are shared, there are typically also message boards here where peer support and also technical support takes place

Mailing lists

Similar to a message board, if you subscribe to a mailing list, then you receive a copy of all e-mails sent to it.

Documentation

There are different levels of documentation for different levels of user. This is typically paper or PDF based.

• Installation documentation
• System documentation (explanation on dataflows, database schema, etc)
• Software documentation (how to use specific features)
• Operational documentation (day-to-day running of the system)

Training

A company needs well-trained employees who can execute their job efficiently. Training can either be for new employees (induction training) or existing employees (if jobs change, there's new technology or new procedures).

Well trained employees are more likely to get promoted (and are therefore better motivated) and have a better-defined career path. Training can lead to:

• Increased sales
• Better service
• Better products
• Better safety
• Lower staff turnover

Different levels of users need different levels of training (workers, middle management, senior management, etc).

Senior managers who understand ICT are more likely to make better informed decisions than their less well informed colleagues on matters such as the corporate IS strategy.

Middle managers need to ensure that IT systems are used efficiently, and also implement the IS strategy.

For workers, the level of training depnds on their level of responsibility and skill. They can use

• skills-based training, for developing general IT skills
• task-based training, for things specific to the IS employed

Even experienced users need to learn new skills if the system changes, so skill-refreshing is also an important part.

There are two main training methods:

1. Computer based - this is is often very cost effective for large groups of people and ensures a consistent standard of training. Users can also work at their own pace and when work is slow.
2. Instructor based - delivered by experienced instructors and has a personal touch, meaning people are more motivated.

There are other training methods, mainly:

• Video training
• Interactive video training
• On line tutorials
• Step by step guides

AQA Information and Communication Technology/Legal Aspects

From Wikibooks

Corporate Information Systems Security Policies

A corporate information systems (IS) security policy exists to protect the company from threat. This security policy should be part of the organisations strategic management. It is important to get it right as

• costs are involved in providing the security the company needs to protect itself
• users are sceptical of computer systems for security and are highly aware of the risks involved
  People don't want to be involved in a company that is known to be insecure

IS security policies exist to

• secure systems against loss of availability, integrity or confidentiality
• prevent and detecting misuse, both against the relevant Acts and the company's internal policies
• investigate and deal with any misuse based on the procedures laid out in the policy
• limit and recover from damage

The three lines of defence in IS security are:

1. prevention
2. detection
3. recovery

The corporate IS policy should include considerations to training and promoting awareness of general security to the end-users of the system, as that is where lapses in security are likely to happen.

They should be educated on matters such as downloading unknown executables from the Internet, or not using easy to guess, common passwords.

Audit Requirements

An audit is a survey taken by a company of its software and hardware. An audit exists to minimise errors of the company's resources database (often used for insurance purposes), to monitor efficiency of systems and to ensure that their software is complying with the appropriate licenses.

The results of an audit are used to increase the accuracy of the company hardware database, allowing for better support and capacity planning.

Many companies use external auditors to minimise the chance of internal fraud, but some companies do internal auditing for the sake of cost. An audit of financial records is required every year under law (for registered companies).

Audits may also cover the accuracy of systems, especially financial systems. There are three type of auditing techniques, where the auditor calculates by hand the expected output of a system and checks that it matches.

• Live data testing - where the auditor uses the actual data the system is figuring at this time. This has the disadvantage of being unable to check all possible data types.
• Historical data testing - in this situation, the auditor puts old data through the system again, so in addition to the manual checks the auditor can check the system agrees with itself both times.
• Dummy data testing - here, the auditor generates fake data that can test all eventualities

This kind of auditing has the problem of whilst the system is being made available to the auditor, it can not be used for its normal functions, and it only provides a snapshot of the system at that moment in time.

Audit trails

An audit trail is a log created by a system that shows what's been changed and who did what. (The Mediawiki has a great example of this, see the history page for this page, for example.)

Disaster Recovery Management

Threats to security and integrity

• Human error (mistakes in data entry, program errors, operator errors)
• Computer crime (Hacking, illegal modification of data, virii and logic bombs)
• Natural disasters (Fire, earthquake, hurricane, flood)
• War and terrorist activity (Bombs, fire)
• Hardware failure (power failure, disk head crash, network failure)

Building security tends to protect the premises against break-in, unauthorised visitors, etc.

Authorisation software involves user ID's and passwords. It forces a user to log in to access their computer and network, and can enforce "access rights", limiting rights to certain files and folders.

Communications security can use call back (when triggered, dials you, instead of you dialling in – confirms your identity), handshaking (a predetermined exchange between two computers, often following an algorithm) and encryption – altering text by a set algorithm only known by the two communicating systems.

Operational security involves using logs to show usage of the system and creating an audit trail.

Personnel security is necessary because personnel are often the most exploitable part of an IS. Basic user knowledge on security is required in order to prevent access using “social engineering”. Unmotivated employees may also become destructive to company data. By splitting the tasks in a transaction so multiple people are required to be involved, this reduces fraud.

Risk analysis

This is part of the overall corporate ICT security policy, and is something which managers, rather than technical staff need to do. The risk analysis could include finding answers to questions such as:

• What is the nature of the data being stored in the system?
• How is the data used?
• Who has access to the system?
• How much money does the company stand to lose if the data is lost, corrupted or stolen?

Disaster planning

Disaster planning generally only concerns the mission-critical aspects of the business, with less vital functions generally being too costly.

To guard against the failure of a business in a catastrophe, two “controls of last resort” can be put in place – insurance and a disaster recovery plan. Insurance is not a prevention method, but it does help to reduce the financial impact of loss.

A disaster recovery plan has to contain provision for backup facilities which can be used in the event of a disaster. Some possibilities are:

• A company owned backup facility, geographically diverse – sometimes known as a “cold standby” site.
• A reciprocal arrangement with another company that runs a compatible computer system.
• A subscription to a disaster recovery service.

How do you select an appropriate recovery plan? Various criteria are used:

• The scale of the organisation and its ICT systems
• The nature of the operation: an on-line system may need to be restored within a few hours, whereas a batch billing process could survive being offline for a few days.
• I The relative costs of the different options: a company with several sites linked by telecoms may be able to formulate a DRP which temporarily moves operations to an alternate site.
• The perceived chance of disaster occurring. A company in Intake may need a plan to cope with theft, but not with earthquakes.

Legislation

We've already touched on the legislature covering ICT in ICT1. For ICT4, you'll need to be able to recall the Data Protection Act, the Copyright, Designs and Patent Act, the Computer Misuse Act and the Health and Safety Act. When designing a corporate IS strategy, the company should ensure that it complies with the relevant legislature.

AQA Information and Communication Technology/IS Within Organisations

From Wikibooks

Information Systems

Data processing systems are systems which capture data and store it in a more useful form for later use, such as an EPOS system storing a list of items sold in a transaction file.

Information systems (IS) take data (generally taken from the data capture system) and turn them into information which can be used to make decisions. For example, a supermarket information system may take the transaction files of the EPOS and turn them into a “best selling” list for decision making.

Information systems are important in decision making as they help managers collate the large amount of data that is at their disposal into the more usable form of information. Good quality and efficient processing of information results in better decision making.

Management Information Systems

Management Information Systems (or MIS) exist to take information from internal (such as EPOS data) and external (such as market research) sources and turn them into useful information. Appropriate information is then relayed to managers at different levels, for the task they are responsible for.

An effective MIS becomes an integral part of the organisation to work together to meet the business objectives. Taking the systems approach to the MIS, we have the Inputs (external and internal data), Processing, and Outputs (reports, query results and expert systems)

The development and lifecycle of an IS

The systems lifecycle is a convenient lifecycle most systems follow (not just IS). The stage of the system in the lifecycle depends on which type of development is currently taking place on the system.

The systems life cycle has 6 stages.

Feasibilty Study

Why have a new system? The feasibility study aims to identify the reasons for having one (or not having one, if the existing system works well).

• The current system may not meet the requirements of the organisation
  This could occur if the needs of the business change, or the previous system was not implemented correctly.
• The current system may be outdated
  Technological advances may mean that the current system is inefficient, and potentially incompatible and becomes hard to maintain. For example, an old EPOS system may not be able to take advantage of the new "Chip & Pin" systems being deployed.
• The system may be become difficult to maintain
  Old systems running on dated hardware may become difficult to locate replacements for, and developers who can develop in COBOL (for example) may be difficult to find.

The feasibility study primarily checks 5 areas of feasibility, called TELOS.

• Technical feasibility - Does the technology exist to be able to create the system?
• Economic feasibility - Is the capital available to develop the system? Are there cheaper ways of developing the same system?
• Legal feasibility - Has the law been taken into account? (For example, the Data Protection Act)
• Operational feasibility - Can current work practices support the new system?
• Schedule feasibility - Can the system be developed in the required timeframe?

Analysis

An analysis of the current system and user requirements must be performed at an early stage when developing the system.

Staff at all levels of the organisation must be involved in the analysis stage for an accurate analysis to be performed. This can be done with

• Interviews
• Document inspection
• Questionnaires
• Observation (such as a Time and Motion study)

The finished analysis report will:

• show what (not how) the new system will work
• document the data flows of the organisation (including the inputs and outputs)
• analyse the costs and benefits of the system
• explain how the system will be implemented
• explain how the system will fit in with the organisational structure, and any changes to working practices required
• consider alternatives (hardware configuration, software design, etc)

Design

This is where it is explained how the system will work. An explanation of hardware and software requirements should be included in the design document.

It should contain how the inputs and outputs of the system will be captured/output - including any validation checks for the input data, and an explanation of the processes of the system should be included.

The user interface should be described (usually with the aid of diagrams) here also.
Most modern systems are developed modually, so a breakdown of the modules and tasks of each will also be part of your design document.

Your design should also include your test plan. Your test plan should cover extreme, erroneous and normal data for each input, and the expected output of such.

The final section of the design document is the changeover plan. Here, we should be considering how we'll be implementing the finished system and changing over from the new one.

Implementation and Testing

This stage is where the creation of the system from the design plan is performed. Ideally, the system should be tested continually with the test plan to identify problems as soon as possible for correction. There should also be milestone targets, where the system should be tested again.

Installation

Once the system has been created, it should be implemented into the organisation (as per the changeover plan).

Maintenance

Sometimes referred to as evaluation.

Once the system has been succesfully installed, it needs to be reviewed to ensure that it is meeting the needs of the organisation as laid out in the analysis. If it is not, then there are types of maintenance that can be performed:

• Perfective - Improvements to the system not originally identified in the analysis
• Adaptive - Alterations to the system, say if the needs of the organisation change
• Corrective - Solving problems in the system that were not identified during testing

Success or failure of an MIS

Developers might only have one indicator of the success of a MIS. Whether or not it works. However, just because it works doesn't mean the MIS is successful. No-one may use the completed MIS, for example.

There are better indicators of MIS success.

• Does the system get used?
• Are the end-users happy with the system?
• Does the system meet the original objectives laid out in the analysis?

Factors leading to success

• User involvement
  • Involving users in the analysis and testing phases tends to lead to a better system that will increase end-user satisfaction
• System complexity
  • Highly complex systems tend to fail if they're undertaken by inexperienced teams
• Development management
  • A poorly managed project is more likely to suffer from
    • Cost over-runs
    • Delays
    • Performance problems
• Support from the management
  • New systems must be backed by the management of the organisation the system is being developed for
    • Correct funding must be made available
    • Manpower must be made available
    • Changes to the existing system must be supported

Factors leading to failure

MIS can fail at any point in the lifecycle, but failures often become more apparant later on the lifecycle, when it becomes very expensive and difficult to correct them.

The most likely point of failure is at the analysis stage.

• A poor analyst was appointed with poor analysis skills
• The wrong type of research was done, especially with regard to the current system
• Poor staffing levels for the analysis to take place
• Users were not sufficiently involved

Failure at the design stage can be because of

• Inability of the system to meet future needs
• Major changes to working practices are required
• Users were not sufficiently involved

At the implementation stage, the failure could be due to

• An underestimate of coding time
• Lack of necessary software development skills
• A poor design
• Poor internal communication
• Low level of allocated resources
• No proper test plan is designed, and therefore no proper testing occurs
• The end-users are not involved in testing, and there are no acceptance tests

At the installation stage,

• No conversion plan was developed
• Insufficient funds allocated to conversion
• Poor documentation of the new system
• There are no performance evaluations