Monday 3 December 2018

Information Systems controls - facility control and procedural control

Facility Controls and Procedural Controls

Controls are constraints and other restrictions imposed on a user or a system, and they can be used to secure systems against the risks just discussed or to reduce damage caused to systems, applications, and data. Controls are implemented not only for access but also to implement policies and ensure that nonsensical data is not entered into corporate databases.

Application Reliability and Data Entry Controls

 The most reliable programs consider every possible misuse or abuse. A highly reliable program includes code that promptly produces a clear message if a user either makes an error or tries to circumvent a process.

For example, a Web site invites users to select a username and password, and the operators demand passwords that are not easy to guess. The application should be programmed to reject any password that has fewer than a certain number of characters or does not include numerals. A clear message then must be presented, inviting the user to follow the guidelines.

Controls also translate business policies into system features. For example, Blockbuster Video uses its IS to implement a policy limiting debt for each customer to a certain level. When a renter reaches the debt limit and tries to rent another DVD, a message appears on the cash register screen: “Do not rent!” Thus, the policy is implemented by using a control at the point of sale. Similar systems do not allow any expenditures to be committed unless a certain budgetary item is first checked to ensure sufficient allocation. A spending policy has been implemented through the proper software.

Access Controls

Unauthorised access to information systems, usually via public networks such as the Internet,
does not always damage IT resources. However, it is regarded as one of the most serious threats
to security because it is often the prelude to the destruction of Web sites, databases, and other
resources, or theft of valuable information.

Access controls are measures taken to ensure that only those who are authorised have
access to a computer or network, or to certain applications or data. One way to block access to
a computer is by physically locking it in a facility to which only authorised users have a key or
by locking the computer itself with a physical key. However, in the age of networked computers,
this solution is practical only for a limited number of servers and other computers. Therefore,
organisations must use other access controls, most of which rely on software.

Experts like to classify access controls into three groups: what you know, what you have, and who you are.

1. “What you know” includes access codes such as user IDs, account numbers, and passwords.
2. “What you have” is some kind of a device, such as a security card, which you use directly or which continuously changes coordinated access codes and displays them for you.
3. “Who you are” includes your unique physical characteristics.

The most common way to control access is through the combination of a user ID and a password. While user IDs are usually not secret, passwords are. IS managers encourage users to change their passwords frequently, which most systems easily allow, so that others do not have time to figure them out and so that the usefulness of stolen passwords is limited.

Some organisations have systems that force users to change their passwords at preset intervals, such as once a month or once every three months. Some systems also prevent users from selecting a password that they have used in the past, to minimise the chance that someone else might guess it, and many require a minimum length and mix of characters and numerals.
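The password rules described above (minimum length, letters and numerals, no reuse of past passwords, forced change at a preset interval, and a clear message on rejection) can be combined into one control. The following is an added example, not part of the original post; the class name and the policy values (10 characters, 90 days, last 5 passwords) are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Assumed policy values; the text only says "a certain number of characters",
# "preset intervals" and passwords "used in the past".
MIN_LENGTH = 10
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5


def _hash(password: str, salt: bytes) -> bytes:
    # Passwords are kept only as salted, slow hashes, never as plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user_id: str):
        self.user_id = user_id
        self.history = []        # [(salt, digest)], newest last
        self.changed_at = None

    def set_password(self, new: str, now: datetime) -> list:
        """Return clear messages for the user; an empty list means accepted."""
        problems = []
        if len(new) < MIN_LENGTH:
            problems.append(f"Password must have at least {MIN_LENGTH} characters.")
        if not any(c.isdigit() for c in new):
            problems.append("Password must include at least one numeral.")
        if not any(c.isalpha() for c in new):
            problems.append("Password must include at least one letter.")
        if any(hmac.compare_digest(_hash(new, s), d) for s, d in self.history):
            problems.append("Password was used before; choose a new one.")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(new, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now
        return []

    def login(self, password: str, now: datetime) -> str:
        if not self.history:
            return "denied"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), digest):
            return "denied"
        # Correct password, but the preset interval has passed: force a change.
        return "change_required" if now - self.changed_at > MAX_AGE else "ok"
```
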

Access codes and their related passwords are maintained either in a special list that becomes part of the operating system or in a database that the system searches to determine whether a user is authorised to access the requested resource.

A more secure measure than passwords is security cards, such as RSA’s SecurID. The device
is distributed to employees who need access to confidential databases, usually remotely. Employees
receive a small device that displays a 6-digit number. Special circuitry changes the number
both at the server and the device to the same new number every minute. To gain access,
employees enter at least one access code and the current number. The device is small enough to
be carried on a key chain or in a wallet. This two-factor access control increases the probability
that only authorised people gain access. This is an example of using both what you know and
what you have.
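The device-and-server behaviour described above can be sketched with the open TOTP construction (RFC 6238, using the RFC 4226 truncation) set to a 60-second step and 6 digits. This is an added example, not part of the original post, and it is not RSA's own algorithm; the `Server` class, the PIN as the "access code", and the one-step clock drift allowance are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP = 60     # seconds; the text says the number changes every minute
DIGITS = 6    # the text says the device displays a 6-digit number


def token_code(seed: bytes, unix_time: int) -> str:
    """Code shown by device and server for the minute containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Server:
    def __init__(self):
        self.users = {}   # user_id -> salt, PIN hash, token seed, last used step

    def enroll(self, user_id: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "pin": _pin_hash(pin, salt),
                               "seed": seed, "last": -1}

    def authenticate(self, user_id, pin, code, now, drift=1) -> bool:
        user = self.users.get(user_id)
        if user is None:
            return False
        pin_ok = hmac.compare_digest(_pin_hash(pin, user["salt"]), user["pin"])
        current = now // STEP
        matched = None
        for step in range(current - drift, current + drift + 1):
            expected = token_code(user["seed"], step * STEP)
            if step > user["last"] and hmac.compare_digest(code.encode(), expected.encode()):
                matched = step
        if pin_ok and matched is not None:   # both factors must pass
            user["last"] = matched           # each code is accepted once (no replay)
            return True
        return False
```
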

In recent years, some companies have adopted physical access controls called biometrics. A
biometric characteristic is a unique physical, measurable characteristic of a human being that
is used to identify a person. Characteristics such as fingerprints, retinal scans, or voice prints can
be used in biometrics. They are in the class of “who you are.” When a fingerprint is used, the user
presses a finger on a scanner or puts it before a digital camera. The fingerprint is compared
against a database of digitised fingerprints of people with authorised access. A growing number
of laptop computers have a built-in fingerprint scanner for the same purpose. The procedure is
similar when the image of a person’s retina is scanned. With voice recognition, the user is
instructed to utter a word or several words. The intonation and accent are digitised and
compared with a list of digitised voice samples.
