VCE Software Development Units 3 & 4
Unit 4 Outcome TWO
Outcome 2
On completion of this unit the student should be able to analyse and explain the dependencies between two information systems and evaluate the controls in place in one information system to protect the integrity of its source data. To achieve this outcome the student will draw on key knowledge and key skills outlined in Area of Study 2.
​
Key knowledge
​
Interactions and impact
​
• reasons why individuals and organisations use information systems
• goals and objectives of information systems
• types of interactions (inputs and outputs) generated by information systems
• characteristics of data that has integrity, including accuracy, timeliness, reasonableness, authenticity, correctness
• key legislation that affects how organisations control the storage, communication and disposal of their data and information: the Privacy Act 1988, the Privacy and Data Protection Act 2014, the Copyright Act 1968, the Spam Act 2003 and the Charter of Human Rights and Responsibilities Act 2006
• data management practices that cause conflict between information systems, including data mining
• advantages and disadvantages for stakeholders affected by the operation of information systems
• the impact of diminished data integrity on dependent systems
Digital systems
​
• the technical underpinnings of intranets, the internet and virtual private networks
• characteristics of wired and wireless networks
• types and causes of accidental, deliberate and events-based threats to the integrity and security of data and information shared between information systems
• the physical and software controls used by organisations to secure the storage and communication of data in a networked environment
• the role of hardware, software and technical protocols in managing, controlling and securing data shared between information systems
• tools and techniques for tracing transactions between users of information systems.
Key skills
​
• identify data dependencies between information systems
• identify ways in which the integrity of data supplied by information systems can be monitored and controlled when it becomes the inputs to other information systems
• explain ways in which organisations can protect the security of data and information stored and shared in a networked environment
• evaluate the extent to which information system objectives are met through the acquisition of data supplied by another information system in a networked environment
Reasons why individuals and organisations use information systems

Organisations often require assistance when managing data. Imagine going to a school where a digital database does not manage all the student information, including personal data, subjects enrolled in, classrooms assigned and educational results. If you go back to the early part of the twentieth century, banks issued passbooks (paper documents) to keep records of customer accounts. Imagine travelling to another country without access to your bank account via an ATM or EFTPOS.

Government organisations, sporting clubs, non-government organisations, educational institutions and private businesses all rely on information systems to manage their payroll systems, their commercial practice, and their management of day-to-day operations.
​
An information system is made up of hardware devices and software systems to manage and process data. Information systems also include the people who interact with the digital systems to create, control and communicate information.
Goals and objectives of information systems & types of interactions (inputs and outputs) generated by information systems.
​
Organisations make clear statements about their goals and objectives to assist them in making decisions, planning and creating strategies. Goals and objectives keep all new ideas, proposals and other planning issues on track to core business.
A Goal is a broad statement about principles or targets the organisation may strive to achieve.
An Objective is a clear statement about measurable deliverables the organisation wants to achieve in supporting their goal.
Information System Goals & Objectives
​
Information systems have goals and objectives defined in the early stages of their inception. The goal is how the system supports the objectives of its organisation, and the objectives are the key functions the system must have to meet that goal. Information systems have four key functions: input, output, processing and storing data.
Characteristics of data that has integrity, including accuracy, timeliness, reasonableness, authenticity, correctness
​
When data is input, processed, stored and output as information it is important the quality of the data is ensured. Validation techniques make sure data entered into the system reflects the reality it is designed for.
​
Data Integrity is affected by five components:
- Accuracy
- Timeliness
- Reasonableness
- Authenticity
- Correctness
​
Accuracy VS Correctness
​
The source of the data (Data Set or Customer User) may input Accurate Data which may also be Correct, but this is not necessarily the case.
For example, a Data Set of measurements can be used or entered by a Customer User. If the data has been entered accurately, it means the data produced by the process of measuring has been accurately input into the system. Therefore the data is true to source.
However, if an expert in the area of measurement comes along, repeats the process and finds that the "accurate" data entered is not CORRECT data, the expert can then update the data to be both ACCURATE AND CORRECT.
​
Authenticity
​
Data authenticity is related to the trustworthiness of the source. If UNESCO produced a Data Set, you can rely on the data authenticity as UNESCO is a trusted research body. The best method of ensuring authentic data is to collect it from primary sources; it is then the method and timeliness of the data collection that may interfere with Data Integrity.
​
Timeliness
​
Keeping data sets is common practice so that data can be compared over a time frame. However, time can limit the integrity of the data if it is out of date, or collected at a point in time where the data will be affected indirectly by other issues.
​
Data that has a “use by date” can include:
- phone numbers
- addresses
- student progress results
- prices and preferences
​
The timing of data collection can also influence the integrity of the data. If a survey about concerns over refugee numbers is taken before and after a terrorist incident, this seemingly unrelated factor can influence the responses provided. Many students find that online surveys used to collect data for school projects are often completed by respondents when they are in less serious circumstances, which can affect the quality of their responses. When students do face-to-face surveys with peers they find they get better quality answers.
​
Key legislation that affects how organisations control the storage, communication and disposal of their data and information:

- The Privacy Act 1988
- The Privacy and Data Protection Act 2014
- The Copyright Act 1968
- The Spam Act 2003
- The Charter of Human Rights and Responsibilities Act 2006
​
PRIVACY
​
The Privacy Act (1988): The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act defines personal information as information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
​
Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
​
https://www.oaic.gov.au/privacy-law/privacy-act/
​
The Privacy Act includes thirteen Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian and Norfolk Island Government agencies. These are collectively referred to as ‘APP entities’. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.
​
​
The Privacy and Data Protection Act 2014
The Victorian Commissioner for Privacy and Data Protection is an independent statutory officer established by the Privacy and Data Protection Act 2014 (Vic) (which commenced on 17 September 2014). This legislation covers the handling of all personal information, other than health information, as well as covering protective data security, in the public sector in Victoria.
​
​
​
COPYRIGHT
​
In Australia, copyright law is contained in the Commonwealth Copyright Act 1968 (Copyright Act).
​
A simple definition of copyright is that it is a bunch of rights in certain creative works such as text, artistic works, music, computer programs, sound recordings and films. The rights are granted exclusively to the copyright owner to reproduce the material, and for some material, the right to perform or show the work to the public. Copyright owners can prevent others from reproducing or communicating their work without their permission or may sell these rights to someone else.
​
In Australia, copyright protection is automatic. There is no need for copyright registration in Australia, nor is there a legal requirement to publish the work or to put a copyright notice on it. A work will be protected as soon as it is put into material form, such as being written down or recorded in some way (filmed or recorded on an audio tape).
​
In relation to software development, a programmer may be paid to create a software solution and would need to negotiate the copyright ownership of the software, as it may contain content regarding the owner's business. It is important to understand that if your client owns the copyright for a software solution created by you, the developer, you cannot offer that same software to another client.
​
SPAM
​
The Spam Act 2003 prohibits the sending of unsolicited commercial electronic messages—known as spam—with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia. The Spam Act 2003 defines a commercial electronic message as one that:
· offers, advertises or promotes the supply of goods, services, land or business or investment opportunities
· advertises or promotes a supplier of goods, services, land or a provider of business or investment opportunities
· helps a person dishonestly obtain property, commercial advantage or other gain from another person.
The Act classifies an electronic message as 'commercial' by considering:
· the content of the message
· the way the message is presented
· any links, phone numbers or contact information in the message that lead to content with a commercial purpose—as these may also lead the message to be defined as 'commercial' in nature.
HUMAN RIGHTS
​
The Charter of Human Rights and Responsibilities Act 2006 (the Charter) is a Victorian law that sets out the basic rights, freedoms and responsibilities of all people in Victoria. It is about the relationship between government and the people it serves.
​
The Charter requires public authorities, such as Victorian state and local government departments and agencies, and people delivering services on behalf of government, to act consistently with the human rights in the Charter.
​
Twenty fundamental human rights are protected in the Charter because the Victorian Parliament recognises that, as human beings, we have basic rights, including the right to be treated equally, to be safe from violence and abuse, to be part of a family and to have our privacy respected.
Rights under the Charter: https://www.humanrightscommission.vic.gov.au/human-rights/the-charter/rights-under-the-charter
The technical underpinnings of intranets, the internet and virtual private networks
​
Providing access to data through networked devices adds power to information systems. The simplest network is a local area network (LAN) where all devices are located in one building. A LAN can be connected to the internet without providing any access from outside of the LAN. A common example of a LAN is a home network.
​
A WAN includes access via the internet to all authorised servers in an organisation’s network. An example of a WAN is a government department that has offices all over the country, all accessing a central server through an intranet.

An Intranet is a service that organises access to an information system from any location. For example, your school may have an online portal or Moodle that you can access from home through a web login page. All data is located and managed centrally and is defined by users with the authority to access it.
​
Networks are structured either Client Server or Peer to Peer.
- Peer to Peer – devices are connected directly and share resources. A common example is a home network where all devices and their files are visible from each machine. All peripherals are shared via the LAN.
- Client – Server – is a type of application architecture where the user’s device (Client) does not process the data. The processing occurs on the server device. An example of this is net-mail. When you log into your net email server, the device you are using is not processing the text, saving the emails and sending the message; this is all managed by the online email server.
​
Hardware devices that enable networking include:

- Network Interface Cards (NIC) add network capability to desktop computers, but most machines have Integrated Network Interfaces on the motherboard. These can allow for Ethernet connection or wireless accessibility. Network enabled devices have a unique address called a MAC number (Media Access Control) which allows the device to be identified as the source of any activity online.
- Switches are simple and inexpensive devices that allow devices on a LAN to connect to one another. They manage the packets of data sent across the network from the source device to the destination device. The MAC address provides identification for each device connected to the switch. The switch creates a matrix of addresses of all the connected devices so the packets of data are sent to the right devices.
- Routers are intelligent network devices that create links between networks. A common use for a router is to connect a home network to the internet. Routers can convert an Ethernet protocol to a TCP/IP protocol.
- Wireless Access Points are devices that extend the range of wireless network accessibility. They are inexpensive devices that allow wireless enabled devices to connect to a LAN. To ensure security, encryption (WPA, WPA2) is incorporated in the connections.
Network protocols are the rules by which devices communicate. These rules have common standards so that all devices have a common language. Common protocols include:
- TCP/IP (Transport Control Protocol / Internet Protocol): internet protocols that incorporate the unique identification IP address to assist in finding destination servers.
- HTTP (Hyper Text Transfer Protocol) manages the connections browsers make with posted HTML data online.
- FTP (File Transfer Protocol) manages connections where destination servers upload or download data directly to origin devices.
- Ethernet (CSMA/CD) listens to the network to wait for an opportunity to send packets to avoid collision.
- 802.11x (WiFi) uses Request to Send / Clear to Send (RTS/CTS).
​
Virtual Private Networks are created with software that provides a direct connection to another device across the internet. It is similar to having a direct wired LAN connection across vast distances. VPNs are commonly used for e-commuting so workers can access the storage drives at their workplace from home. VPNs provide a secure connection through the use of encryption.
Characteristics of wired and wireless networks
​
WIRED Transmission Media that enable networking include:
- Twisted Pair – is composed of two basic copper wires twisted together, is often used in telephone lines and transmits electronic signals - Unshielded Twisted Pair (UTP). The twisting and the incorporation of external shielding minimise electromagnetic interference in the signals from one device to another. There are plenty of versions of Twisted Pair with different data speed capabilities. See online for more details: https://en.wikipedia.org/wiki/Twisted_pair#Unshielded_twisted_pair_.28UTP.29
- Optical Fibre Cable transmits light signals, is very expensive to produce and install, and is not susceptible to electromagnetic interference. Optical Fibre is capable of faster speeds and the transmission of more data (bandwidth is broader) than Twisted Pair.
WIRELESS Transmission Media that enable networking include:
- Microwaves – highly powered electromagnetic waves that can span vast distances without degradation of signal. They require line of sight between signal transmitter and receiver. They operate at large bandwidths of up to 150 Mb/s and are commonly used for satellite connections.
- Radio Waves – (RF Transmissions) are broadcasts using electromagnetic signals in the radio bands. They are used by mobile phones and wireless networking. Bandwidth depends on the environment and can be up to 50 Mb/s.
​
The role of hardware, software and technical protocols in managing, controlling and securing data shared between information systems
Data is shared between information systems through networks, shared files, online and across intranets. A common example is a student submitting a Word document online from home on the school Moodle/portal/intranet. The file would be saved on a local drive on the student's computer and then, using a browser that commands TCP/IP protocols, the online interface for the school intranet would be accessed. This could not be accessed without the use of either 802.11x WiFi protocols or an Ethernet cable to the router. FTP would manage the transfer of the file to be uploaded onto the intranet server while anti-malware scanners check the file. Encryption might also be utilised to ensure the file is not copied in transfer. The data would travel across a range of different cabled transmission media until it finds the destination server.
When the teacher is ready to mark the document, they will use a password to access the file and download it using FTP. The teacher could be at home accessing the file across the internet, or at school directly accessing the server across the LAN. The backbone of a school LAN is often Optical Fibre Cable, linking the servers and the main access to the internet.
Types and causes of accidental, deliberate and events-based threats to the integrity and security of data and information shared between information systems
Accidental Threats
​
Incompetence is a common source of accidental data loss, where employees save files in the wrong location with an unclear title and the files are subsequently deleted. Another example of incompetence risking the security of data is a person emailing the wrong file.
Physical damage to hardware can result in loss of data, such as dropping a device or suffering substantial damage through a power surge, water or fire.
​
Deliberate Threats
​
Data security is constantly at risk of deliberate threat. A huge industry has emerged in cyber security and the development of anti-malware software. The range of deliberate threats to the integrity and security of data includes:

- viruses, trojans and other malware
- espionage and hacking
- phishing and other internet scams
- Denial of Service (DoS) attacks
- deliberate theft of hardware or data by persons within an organisation
​
​
​
Event-Based Threats
​
Sometimes data is corrupted and lost due to events not related to human error or deliberate damage. A common event-based threat is when a hard drive crashes and will not reboot. If a file server fails, data can be lost in transit to and from the server if it has not been saved in time.

Software and operating system failure can result in loss of changes and newly entered data not saved permanently.
​
​
The physical and software controls used by organisations to secure the storage and communication of data in a networked environment
​
PHYSICAL CONTROL OF DATA STORAGE SECURITY
​
Servers and network enabled machines can be secured behind locked doors. The use of other physical barriers can limit access to authorised persons, such as swipe card access, key entry, PIN access and biometrics - where a fingerprint or iris scan is made to identify an individual.

Barrier techniques include layering levels of access to data within a system. For example, the first barrier technique may include physical security measures such as ID to enter a building monitored by security staff. Then key data storage may only be accessed by authorised personnel with key entry to relevant areas in the company building.
Data can easily be lost, so data backups need to be made and stored in a secure location away from the workplace. Making copies of all saved data once a month in a full backup can be used to restore lost data if a threat affects the system. Weekly partial backups only copy the changes made to the data. Storing the data on a different storage device such as magnetic tape limits the scope of damage made on the whole system. Devices clearly physically tagged with identifying information are a deterrent to thieves.
​
​
SOFTWARE CONTROLS OF DATA STORAGE SECURITY
Log in protocols are a type of logical security. Each authorised user is provided a UserID which identifies them on the system. Coupled with a secret password, both are used to gain access to a system. Regular changes to passwords ensure they cannot be guessed or key logged. Access logs monitor each person's use of the system. If a security breach is made, an audit of all users can trace everyone's activity on the system.

IP addresses identify your machine's activities on the internet - these can be tracked online. The use of a VPN (Virtual Private Network) protects IP addresses from being tracked, allowing for anonymity online. This also keeps data transferred through a VPN protected from unauthorised persons.
​
Anti-malware software protects data from corruption by deliberate and malicious software. Malware includes viruses, worms, trojans, spyware and bots.
- Viruses are software that replicate themselves. Viruses move from device to device through the use of portable storage devices and network access. The "purpose" of most viruses is to delete or corrupt data.
- Worms replicate themselves to negatively affect the bandwidth of a network. The "Conficker" worm was an infection in 2008 that spread widely around the world.
- Trojans are malware that pose as legitimate software such as a game or a utility. Once downloaded, the trojan infects the computer to turn it into a "zombie", delete files or install adware.
- Spyware collects data from your computer and sends it to the developer of the spyware. It can infect a system through another form of malware, but its purpose is to collect keystrokes or other data stored on your system. Often victims are unaware of their infection.
- Adware is a form of spyware that focuses on collecting the habits of the user's online shopping activities. This then targets the user in advertising campaigns where "clicks" generate income for the adware developer.
- Botnets are a network of zombie computers that are controlled by a malware developer. The zombie computers are employed to attack a website or other network. This attack is often called a DDoS (distributed denial of service), where the traffic caused by the zombie computers slows down the bandwidth access to the network, causing it to crash.
​
Firewalls provide software and physical security for networks from the internet. A firewall stops unauthorised access from outside providing a boundary to a network. All transport of data in or out of a network passes through the firewall to check for worms.
​
​
SOFTWARE CONTROLS OF DATA COMMUNICATION SECURITY
​
Encryption is an important security measure to protect data as it is transferred across networks. The process involves taking your original message, for example:
​
"I have the microfilm, the hand over will take place in the car park"
and applying an encryption key. For example we replace all the vowels with prime numbers and reverse all the words and replace the spaces with vowels:
"29av13h7e31htim41rc13f3lmo2htud13nha29r11vell29wik41t13o11l29cpun13ath2er31cik2rp"
​
This string is impossible to read. When an encryption key is created, a decryption key must also be developed to reverse the process back to the readable message. This is called symmetric key encryption.

Alternatively, asymmetric key encryption uses two keys: one is public (used to encrypt) while the other is private (used to decrypt). This is ideal for small amounts of data.
​
​
Tools and techniques for tracing transactions between users of information systems.
A record of users interacting with and moving through a digital system is called an access log. An example of this is where Windows Servers provide the utility to turn on tracing and logging as a means to review user activities on the server.
There are three "targets" for tracing:
1. Trace debugging on servers investigates authentication requests to the server and terminates unauthorised access.
2. Tracing the accessing device, to see what, who and where the authentication request was initiated from.
3. Network tracing monitors the authentication flow as it travels from the device to the server and back.

To trace a transaction, a unique identifier must be passed along to any methods executed in that transaction. A unique ID is added to the thread at any entry point in the system. These identifying IDs can then be logged to keep records of every authentication process.
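The unique-ID technique described above, as an added Python example that is not part of the original notes: a transaction ID is set at the entry point, stamped on every access-log entry written by that thread, and later used to audit one transaction out of an interleaved log. The logger name, user IDs, file name and permission table are constructed for illustration.

```python
import contextvars
import logging
import threading
import uuid

# ID of the transaction the current thread is handling ("-" outside any transaction).
_txn_id = contextvars.ContextVar("txn_id", default="-")


class TxnIdFilter(logging.Filter):
    """Stamp every log record with the current thread's transaction ID."""

    def filter(self, record):
        record.txn_id = _txn_id.get()
        return True


class MemoryAccessLog(logging.Handler):
    """In-memory access log so the example runs offline; a real system writes to disk."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self.addFilter(TxnIdFilter())

    def emit(self, record):
        self.entries.append((record.txn_id, record.getMessage()))


access_log = MemoryAccessLog()
log = logging.getLogger("intranet.access")  # hypothetical logger name
log.setLevel(logging.INFO)
log.addHandler(access_log)
log.propagate = False

# Constructed user permissions: which files each UserID may read.
PERMISSIONS = {"teacher01": {"essay.docx"}, "student07": set()}


def check_permission(user, filename):
    allowed = filename in PERMISSIONS.get(user, set())
    log.info("permission %s user=%s file=%s",
             "granted" if allowed else "denied", user, filename)
    return allowed


def read_file(filename):
    log.info("read file=%s", filename)


def handle_request(user, filename):
    """Entry point: assign the unique ID here, before anything is logged."""
    txn = uuid.uuid4().hex
    _txn_id.set(txn)
    log.info("request start user=%s", user)
    allowed = check_permission(user, filename)
    if allowed:
        read_file(filename)
    log.info("request end status=%s", "ok" if allowed else "refused")
    return txn


def trace(txn):
    """Audit step: pull every log entry that belongs to one transaction."""
    return [message for entry_txn, message in access_log.entries if entry_txn == txn]


def run_concurrent(requests):
    """Serve each (user, filename) request on its own thread; return user -> txn ID."""
    txn_ids = {}

    def worker(user, filename):
        txn_ids[user] = handle_request(user, filename)

    threads = [threading.Thread(target=worker, args=req) for req in requests]
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()
    return txn_ids


if __name__ == "__main__":
    ids = run_concurrent([("teacher01", "essay.docx"), ("student07", "essay.docx")])
    for user, txn in ids.items():
        print(user, txn)
        for line in trace(txn):
            print("   ", line)
```

Because the ID lives in a context variable, the helper functions never receive it as an argument, yet every entry they log can be tied back to the request that caused it.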
​
​
For more information about logs, this article is an overview of Tools for Logging Call Transactions and How to Trace Transactions.
Data management practices that cause conflict between information systems, including data mining
​
Data management practices are the methods of data entry, conversion, transfer and storage by authorised users. System managers need to identify the extent to which each user has access. These are called user permissions and define who is able to access or edit the data. This is designed to develop layers of access as part of the system security.

Errors arising in some data management practices, such as manual data entry and data conversion from one file type to another, cause issues with information systems. When an organisation does not have clear guidelines or standards in managing data, this can impact on data integrity.
​
Here is an example of data conversion causing data loss:
​
A small tertiary educational institution was in the process of digitising all student record information from the paper-based system they had relied on to that date. The systems analyst wanted to enter all the data into a spreadsheet so that non-specialised staff could digitise the data by formatting the data types for easy conversion to the new database once updates to the system had been completed. The operations manager did not want to waste money on non-specialised staff and ordered that the data be entered directly into the new database's general notes field. The data was not entered into the updated specialised fields that could be searched and sorted. This resulted in the data being essentially lost due to mismanagement. All the paper data was disposed of and the digitised data was inaccessible within the database. This limited the success of data mining the database for student information.
​
Data mining is a process where large data stores are searched for information that can assist in strategic goals. The database in the above example was going to provide feedback about:
- the progress of students through the institution
- whether prospective student contacts progressed to enrolment
- the schools of origin of most enrolled students.
​
Compatibility of information systems is crucial for data integrity. In the example above, the systems analyst wished to create two compatible systems where data is formatted to be transferred into the new database system. Instead, the operations manager made decisions that limited the compatibility between the new system and an interim system.
​
​
Advantages and disadvantages for stakeholders affected by the operation of information systems
Introducing a new information system to an organisation affects all users and other stakeholders of that system. Stakeholders are all people and organisations that are affected in some way by the system. For example, a school database that manages the attendance of students affects the users (general staff), students, teachers and parents as well as the management of the school.

Advantageous examples for stakeholders of the implementation of new information systems include:
- Better communication among stakeholders
- Improved human resource management, especially calculation of hours worked and salaries
- Monitoring of workers in the organisation to ensure performance and productivity
- Tasks can become more efficient and therefore more cost effective
- Portability and mobility of the system can allow for a variation in the work environment
- Staff can be trained in transferable technical skills
- The customers of the organisation have better access to transactions, e.g. online ordering.
​
Non-advantageous examples for stakeholders of the implementation of new information systems include:
- Roles may be replaced by aspects of the information system.
- Setting up new digital information systems is costly and requires more specialised staff to maintain and manage the system.
- When communication with customers is mediated through an automated system, customers lose the "personal touch" when dealing with staff.
- Communication between staff is affected when a new system is put in place.
- The transfer of data from the old system to the new system needs to be carefully managed and may take extra time and effort to do without data loss.
​
The impact of diminished data integrity on dependent systems
Sometimes systems rely on data to be exported from other systems. Below is an example where a research information system (Medical Research Facility - MRF) is reliant on the output of a medical treatment facility where data integrity is vital. The MRF produces research documentation in the form of peer-reviewed papers that report on the effectiveness of treatments at the Medical Treatment Centre (MTC).
​
The Medical Treatment Centre (MTC) produces data about each patient's personal health details such as:
- smoker/non-smoker
- other illnesses
- family history
- diet and exercise

Then the data produced from testing the patient and their response to treatment would result in data that the research facility can use:
- Types of tests conducted, including date and details
- Test results
- Treatments
- Treatment results
​
This all produces a lot of data about the effectiveness of different treatments and test results on different people with varied health histories. The data is sent to the MRF where it is data mined for useful information such as "Number of positive outcomes of Treatment A on Disease A for patients with a family history of the disease." The answers to these questions are published for the medical community to refer to in the diagnosis and treatment of patients in the future.

If data exported from the MTC is not accurate or complete, this will affect the correctness of the outcomes of the MRF. The consequences of incorrect data being published have widespread impacts throughout the medical community.
​
Loss of Data Integrity
Data integrity could be lost if the data collected on each patient, in this case, is incorrectly handled or stored. Many medical staff interact with patients and it is important that all data management protocols are followed to ensure digital data collected is correct pertaining to each patient.
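One way the MRF could monitor the integrity of MTC data at the point where it becomes an input, shown as an added Python example that is not part of the original notes. It checks the characteristics listed earlier (authenticity, timeliness, reasonableness, completeness) before any record reaches the research database. The field names, shared key, 30-day limit and sample records are constructed assumptions, and the HMAC tag is a technique chosen here for the authenticity check, not one named on this page.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

SHARED_KEY = b"constructed-demo-key"  # assumption: key agreed between MTC and MRF
REQUIRED = ("patient_id", "smoker", "test", "test_date", "result")


def sign_export(records, exported_on, key=SHARED_KEY):
    """MTC side: serialise the export and attach an HMAC-SHA256 tag."""
    payload = json.dumps(
        {"exported_on": exported_on.isoformat(), "records": records},
        sort_keys=True,
    ).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def check_record(rec, exported_on):
    """Return a list of integrity problems found in one patient record."""
    problems = []
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        problems.append("incomplete: missing " + ", ".join(missing))
    if rec.get("smoker") not in (None, "", "yes", "no"):
        problems.append("unreasonable: smoker must be yes or no")
    if rec.get("test_date"):
        try:
            if date.fromisoformat(rec["test_date"]) > exported_on:
                problems.append("unreasonable: test dated after the export")
        except ValueError:
            problems.append("inaccurate: test_date is not a valid date")
    return problems


def import_export(payload, tag, today, key=SHARED_KEY, max_age_days=30):
    """MRF side: verify the source, then the age, then each record."""
    result = {"accepted": [], "rejected": {}, "error": None}
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        result["error"] = "authenticity: tag does not match payload"
        return result
    doc = json.loads(payload)
    exported_on = date.fromisoformat(doc["exported_on"])
    if today - exported_on > timedelta(days=max_age_days):
        result["error"] = "timeliness: export is older than %d days" % max_age_days
        return result
    for rec in doc["records"]:
        problems = check_record(rec, exported_on)
        if problems:
            result["rejected"][rec.get("patient_id") or "?"] = problems
        else:
            result["accepted"].append(rec["patient_id"])
    return result


# Constructed sample export; not real patient data.
SAMPLE = [
    {"patient_id": "P001", "smoker": "no", "test": "blood panel",
     "test_date": "2024-03-01", "result": "positive"},
    {"patient_id": "P002", "smoker": "sometimes", "test": "blood panel",
     "test_date": "2024-03-02", "result": "negative"},
    {"patient_id": "P003", "smoker": "yes", "test": "blood panel",
     "test_date": "2024-03-03", "result": ""},
    {"patient_id": "P004", "smoker": "no", "test": "blood panel",
     "test_date": "2024-04-15", "result": "negative"},
]

if __name__ == "__main__":
    payload, tag = sign_export(SAMPLE, date(2024, 3, 10))
    print(import_export(payload, tag, today=date(2024, 3, 12)))
```

These checks catch data that is incomplete, implausible, stale or altered in transit; a value that was measured wrongly at the MTC but looks plausible still passes, which is the accuracy versus correctness distinction made earlier.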
​
​