UNIT-5
SECURITY AND RECOVERY IN SYSTEM DEVELOPMENT SYSTEM
DEFINITION OF SYSTEM SECURITY:
   System Security refers to the protection of information systems against unauthorized
    access, misuse, modification, or destruction, ensuring data confidentiality, integrity, and
    availability throughout the system’s lifecycle.
   It involves identifying potential threats, assessing weaknesses, & implementing security
    measures such as authentication, encryption, and access control within system design.
THREATS TO SYSTEM SECURITY:
   Threats refer to potential risks or attacks that can compromise the confidentiality,
    integrity, or availability of system resources. These threats can arise from both internal
    and external sources and may disrupt system operations, steal data, or damage system
    components.
Common threats include:
        1. Unauthorized Access
        2. Malware Attacks
        3. Phishing and Social Engineering
        4. Denial of Service (DoS) Attacks
        5. Insider Threats
        6. Data Interception
        7. Software and System Vulnerabilities
        8. Physical Security Threats
        9. Inadequate Authentication and Authorization
        10. Poor System Design
1. Unauthorized Access:
   This occurs when individuals gain access to system data or resources without proper
    authentication or permissions. This can lead to data breaches, data theft, or manipulation
    of sensitive information.
   Example: A hacker bypassing login controls to access confidential user records.
2. Malware Attacks:
   Malicious software such as viruses, worms, trojans, ransomware, and spyware can infect
    the system, damage files, steal information, or disrupt operations.
   Example: A virus spreads through a network, corrupts data & makes system inoperable.
3. Phishing and Social Engineering:
   These attacks manipulate users into revealing confidential information like passwords,
    OTPs, or other security credentials.
   Example: A fake email pretending to be from IT support asking users to "verify" their
    login credentials.
4. Denial of Service (DoS) Attacks:
   These attacks flood a system with excessive requests, causing it to slow down or crash,
    making services unavailable to legitimate users.
   Example: A government website becomes unavailable due to a targeted DoS attack.
5. Insider Threats:
   Employees or trusted users may intentionally or accidentally compromise system
    security by leaking data, misconfiguring systems, or bypassing protocols.
   Example: An employee copying sensitive files to a personal device.
6. Data Interception:
   When data is transmitted over a network, attackers may intercept (or catch) the
    communication and capture sensitive information.
   Example: Sniffing tools used to capture credit card details sent over unsecured Wi-Fi.
7. Software and System Vulnerabilities:
   Unpatched software, outdated systems, or design flaws may be exploited by attackers
    to gain control or cause damage.
   Example: A known vulnerability in an old web server exploited by attackers to gain
    admin access.
8. Physical Security Threats:
   Physical damage to hardware due to theft, fire, or natural disasters can lead to data loss
    or system downtime.
   Example: A server room damaged in a flood causing complete system failure.
9. Inadequate Authentication and Authorization:
   Weak password policies, lack of multi-factor authentication (MFA), or improper role-
    based access controls can leave systems exposed.
   Example: Users having full admin rights without needing them, increasing risk.
10. Poor System Design:
   Failure to include security considerations during the system analysis and design phase
    can lead to insecure architectures and vulnerabilities.
   Example: Designing a system without encrypting user passwords in the database.
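As an added illustration of this last example (example code written for these notes, not taken from any real system): the insecure design keeps the password itself in the user table, while the corrected design keeps only a salted, slow hash and compares it in constant time. The function names, the record format and the PBKDF2 iteration count of 600,000 are my own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- Insecure design (the flaw the note warns against) -----------------------
# The user table holds the raw password, so anyone who can read the table
# (a stolen backup, an injection flaw, a curious insider) owns every account.
def store_user_insecure(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = password


# --- Corrected design: per-user salt plus an iterated (slow) hash -------------
PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False               # unknown or legacy record: refuse rather than guess
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False                   # malformed record (for example a plaintext password)
    return hmac.compare_digest(actual, expected)


def store_user_secure(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = hash_password(password)


# Fixed dummy record used when the username does not exist, so a login attempt
# costs the same time either way and does not reveal which usernames are valid.
_DUMMY_RECORD = hash_password("not-a-real-password", salt=b"\x00" * 16)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    stored = users.get(username, _DUMMY_RECORD)
    ok = verify_password(password, stored)
    return ok and username in users


if __name__ == "__main__":
    db: Dict[str, str] = {}
    store_user_secure(db, "alice", "correct horse battery staple")
    print(db["alice"][:40] + "...")                             # no plaintext in the table
    print(login(db, "alice", "correct horse battery staple"))   # True
    print(login(db, "alice", "wrong"))                          # False
```

The stored record carries its own salt and iteration count, so the work factor can be raised later for new passwords without breaking verification of old ones; a record that is not in this format (such as a leftover plaintext password) is simply rejected.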
CONTROL MEASURES FOR PROTECTING SYSTEMS AGAINST THREATS:
To ensure system security, various technical, physical, and administrative control
measures can be implemented. These help in preventing, detecting, and responding to security
threats.
Key control measures include:
         1. Authentication and Authorization
         2. Encryption
         3. Firewall and Network Security
         4. Antivirus and Anti-Malware Tools
         5. Regular Security Updates and Patch Management
         6. Access Controls and Permissions
         7. Intrusion Detection and Prevention Systems (IDPS)
         8. Backup and Recovery Plans
         9. Physical Security
         10. Security Awareness Training
1. Authentication and Authorization:
    Ensures only authorized users access the system.
    Examples: Passwords, biometrics, smart cards, role-based access control (RBAC).
2. Encryption:
    Protects data during transmission and storage by converting it into an unreadable format.
    Example: Customer payment details are encrypted using SSL/TLS during online
     transactions.
    SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic
     protocols used to secure communication over a network (especially the internet).
3. Firewall and Network Security:
    Firewalls monitor and control incoming and outgoing network traffic.
    Prevents unauthorized access and protects against network-based attacks.
    Example: A firewall blocks unauthorized access to the company's internal network.
4. Antivirus and Anti-Malware Tools:
    Detects and removes malicious software.
    Must be regularly updated to handle new threats.
    Example: Antivirus software scans and removes malware from employee computers.
5. Regular Security Updates and Patch Management:
    Fixes software weaknesses that attackers could exploit.
    Example: IT applies monthly security patches to protect against weaknesses.
6. Access Controls and Permissions:
    Limits what users can do within the system.
    Helps in preventing accidental or intentional misuse of data.
    Example: Only HR staff can view and edit employee salary records.
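An added worked example of the role-based access control mentioned under item 1 and the HR salary rule in this item (example code written for these notes, not from any real HR system): roles map to sets of permissions, users hold roles rather than permissions, and every request is denied unless the exact permission was granted. The role names, user names and permission strings are constructed.

```python
from typing import Dict, FrozenSet, Set

# Constructed role model: a permission is a "resource:action" string and a role
# is nothing more than the set of permissions it grants.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "employee": frozenset({"profile:read", "profile:update"}),
    "hr_staff": frozenset({"profile:read", "salary:read", "salary:update"}),
    "auditor":  frozenset({"salary:read", "audit_log:read"}),
}

# Constructed user directory: users carry roles, never raw permissions, so a
# change of job only ever touches this table.
USER_ROLES: Dict[str, Set[str]] = {
    "priya": {"hr_staff"},
    "rahul": {"employee"},
    "meera": {"employee", "auditor"},
}


def permissions_for(username: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds; unknown users or roles grant nothing."""
    granted: Set[str] = set()
    for role in USER_ROLES.get(username, set()):
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def is_allowed(username: str, resource: str, action: str) -> bool:
    """Deny by default: the request passes only if this exact permission was granted."""
    return f"{resource}:{action}" in permissions_for(username)


def view_salary(requester: str, employee: str) -> str:
    """A guarded operation: the check runs on the server, before any record is read."""
    if not is_allowed(requester, "salary", "read"):
        raise PermissionError(f"{requester} may not read salary records")
    return f"salary record of {employee}"   # placeholder for the real lookup


def update_salary(requester: str, employee: str, amount: int) -> str:
    if not is_allowed(requester, "salary", "update"):
        raise PermissionError(f"{requester} may not update salary records")
    return f"updated {employee} to {amount}"   # placeholder for the real write


if __name__ == "__main__":
    print(view_salary("priya", "rahul"))        # HR staff: allowed
    print(view_salary("meera", "rahul"))        # auditor: read allowed ...
    try:
        update_salary("meera", "rahul", 50000)  # ... but not update
    except PermissionError as err:
        print("denied:", err)
```

Note that the auditor can read but not change salaries, and an ordinary employee can do neither: each role gets the smallest permission set its job needs, which is the least-privilege idea behind item 6.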
7. Intrusion Detection and Prevention Systems (IDPS):
    Monitors system/network for malicious activity or policy violations.
    Can alert administrators or automatically block threats.
    Example: An IDPS alerts the admin when unusual login patterns are detected.
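The "unusual login patterns" rule in this example, as an added illustration (example code written for these notes, not the logic of any real IDPS product): a detector reads login events, keeps a sliding window of failures per source address, raises an alert when the failures in the window reach a threshold, and raises a second alert when a success follows such a burst. The log format, the sample lines, the addresses and the threshold of 5 failures in 2 minutes are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample log in a simple fixed format:
#   <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice LOGIN_OK
2024-03-01T09:00:05 203.0.113.9 admin LOGIN_FAIL
2024-03-01T09:00:07 203.0.113.9 admin LOGIN_FAIL
2024-03-01T09:00:09 203.0.113.9 root LOGIN_FAIL
2024-03-01T09:00:11 203.0.113.9 admin LOGIN_FAIL
2024-03-01T09:00:13 203.0.113.9 admin LOGIN_FAIL
2024-03-01T09:00:20 203.0.113.9 admin LOGIN_OK
2024-03-01T09:05:00 10.0.0.7 bob LOGIN_FAIL
2024-03-01T09:20:00 10.0.0.7 bob LOGIN_OK
"""

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window raise an alert


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect(log_text: str, threshold: int = FAIL_THRESHOLD,
           window: timedelta = WINDOW) -> List[str]:
    """Return alert strings; state is a deque of recent failure times per source IP."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted: Set[str] = set()
    alerts: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        fails = recent_failures[ip]
        # Evict failures that have fallen out of the window (log is in time order).
        while fails and ts - fails[0] > window:
            fails.popleft()
        if outcome == "LOGIN_FAIL":
            fails.append(ts)
            if len(fails) >= threshold and ip not in already_alerted:
                alerts.append(f"{ts.isoformat()} BRUTE_FORCE {ip}: "
                              f"{len(fails)} failures in {window}")
                already_alerted.add(ip)   # one alert per burst, not one per extra failure
        elif outcome == "LOGIN_OK" and len(fails) >= threshold:
            # A success right after a burst of failures deserves its own, higher-priority alert.
            alerts.append(f"{ts.isoformat()} SUCCESS_AFTER_BURST {ip} user={user}")
            fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the single failed attempt from 10.0.0.7 never reaches the threshold and has left the window by the time the later success arrives, so only the burst from 203.0.113.9 produces alerts; a real deployment would forward these to the administrator or, in prevention mode, temporarily block the source.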
8. Backup and Recovery Plans:
    Ensures data can be recovered in case of attack or system failure.
    Example: Daily cloud backups & offline storage ensure recovery after system failure.
9. Physical Security:
    Protects hardware and facilities from theft, damage, or tampering.
    Example: Surveillance cameras, biometric locks.
10. Security Awareness Training:
    Educates employees and users about safe practices.
    Helps prevent phishing, social engineering, and other user-based attacks.
    Example: Employees attend annual workshops on phishing and safe internet practices.
DISASTER / RECOVERY PLANNING:
    Disaster/Recovery Planning refers to the process of creating strategies and procedures
     to restore system functionality and data after unexpected events like hardware failure,
     cyber-attacks, natural disasters, or human errors.
Need for Disaster/Recovery Planning:
   1. To minimize data loss during hardware failures or cyber incidents.
   2. To restore system functionality quickly after a disruption.
   3. To protect organizational reputation and ensure business continuity.
   4. To comply with legal and regulatory requirements for data security.
Key Components:
   1. Risk Assessment and Analysis:
         o   Identify potential threats (e.g., fire, flood, hacking) and assess impact on systems.
   2. Backup Strategies:
         o   Implement regular data backups stored offsite or in the cloud.
   3. Recovery Point Objective (RPO) and Recovery Time Objective (RTO):
         o   Define acceptable data loss (RPO) and downtime duration (RTO).
   4. Disaster Recovery Sites:
         o   Use hot sites (fully equipped), warm sites (partially equipped), or cold sites (basic
             infrastructure) for emergency operations.
   5. Communication Plan:
         o   Establish clear communication channels for stakeholders during a disaster.
   6. Roles and Responsibilities:
         o   Assign specific tasks to IT staff, management, and emergency teams.
   7. Testing and Drills:
         o   Regularly simulate disaster scenarios to evaluate the effectiveness of the plan.
   8. Documentation and Updating:
         o   Maintain detailed documentation of recovery procedures and update them as
             systems evolve.
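An added worked example of components 2 and 3 (example code written for these notes, not a real recovery tool): given a backup history and the time of an incident, it picks the newest backup completed before the incident, measures the resulting data loss against the RPO, and measures the downtime until service is restored against the RTO. The backup timestamps, the 6-hour RPO and the 2-hour RTO are constructed values.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed backup completion times for a records database, six hours apart.
BACKUPS: List[datetime] = [
    datetime(2024, 3, 1, 0, 0),
    datetime(2024, 3, 1, 6, 0),
    datetime(2024, 3, 1, 12, 0),
    datetime(2024, 3, 1, 18, 0),   # completed after the incident below: cannot be used
]
RPO = timedelta(hours=6)   # acceptable data loss (constructed)
RTO = timedelta(hours=2)   # acceptable downtime (constructed)


def last_usable_backup(backups: List[datetime], incident_at: datetime) -> Optional[datetime]:
    """Newest backup completed before the incident; a later one may already contain the damage."""
    usable = [b for b in backups if b <= incident_at]
    return max(usable) if usable else None


def evaluate_recovery(backups: List[datetime], incident_at: datetime,
                      service_restored_at: datetime,
                      rpo: timedelta = RPO, rto: timedelta = RTO) -> Dict[str, object]:
    """Compare what actually happened with the RPO and RTO the plan committed to."""
    restore_point = last_usable_backup(backups, incident_at)
    # Data loss: everything written between the restore point and the incident is gone.
    data_loss = None if restore_point is None else incident_at - restore_point
    # Downtime: from the incident until users have the service back.
    downtime = service_restored_at - incident_at
    return {
        "restore_point": restore_point,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


if __name__ == "__main__":
    incident = datetime(2024, 3, 1, 15, 30)
    result = evaluate_recovery(BACKUPS, incident, datetime(2024, 3, 1, 17, 0))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Halving the backup interval halves the worst-case data loss, while the RTO depends on how fast the restore itself runs, which is exactly what component 7 (drills) measures; a history with no backup before the incident is reported as a failed RPO rather than as an error.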
Example: In a Hospital Management System, a recovery plan ensures that patient records
are restored from backups quickly after a system failure, thus maintaining continuity of care.
ETHICS IN SYSTEM DEVELOPMENT:
   Ethics in system development refers to the moral principles and standards that guide
    behaviour in the planning, designing, developing, implementing, and maintaining of
    information systems. Ethical conduct ensures systems are created and used responsibly,
    without harming users, organizations, or society.
Importance of Ethics in System Development:
  1. Prevent misuse of information.
  2. Protect user privacy and data integrity.
  3. Maintain public trust in systems.
  4. Ensure fairness and transparency in system behavior.
  5. Avoid legal complications and liabilities.
Key Ethical Issues in System Development:
     1. Privacy and Confidentiality
     2. Data Accuracy
     3. Security
     4. Intellectual Property Rights
     5. Bias and Fairness
     6. Transparency
     7. Accountability
     8. Consent and User Rights
1. Privacy and Confidentiality:
     o   Issue: Unauthorized access to personal or sensitive data.
     o   Systems often store personal and sensitive data. Developers must ensure data is
         protected against unauthorized access.
     o   Example: In an online banking system, leaking customer account details violates
         privacy laws.
2. Data Accuracy:
     o   Issue: Systems should process and display information correctly. Incorrect or
         outdated information can lead to wrong decisions.
     o   Example: A hospital system showing an incorrect blood group for a patient may
         cause a medical error.
3. Security:
      o   Issue: Systems must be protected from hacking, viruses, and data breaches. It
          includes encryption, firewalls, access control.
      o   Example: An e-commerce platform must secure payment information through
          encryption.
4. Intellectual Property Rights:
      o   Issue: Using unlicensed software or plagiarizing code is unethical and illegal.
      o   Example: A developer copying code from a paid software without permission
          violates IP (Intellectual Property) laws.
5. Bias and Fairness:
      o   Issue: Systems should not discriminate against users based on race, gender, etc.
      o   Example: A job recruitment system rejecting candidates based on biased algorithms
          is unethical.
6. Transparency:
      o   Issue: Users should understand how decisions are made by the system.
      o   Example: A university admission system should clearly explain why an applicant
          was rejected based on selection criteria.
7. Accountability:
      o   Issue: Developers must take responsibility for system failures or misuse.
      o   Example: If a flight booking system crashes and causes loss to customers, the
          company must address it.
8. Consent and User Rights:
      o   Issue: Users should be clearly informed before collecting or using their data.
      o   Example: A mobile app asking for location access must explain why it is needed.
Role of the System Analyst in Ethics:
   1. Ensuring privacy, confidentiality, and data protection.
   2. Promoting transparency, user consent, and non-discriminatory system behaviour.
   3. Following intellectual property laws and respecting software licenses.
   4. Communicating clearly with clients and developers about risks and limitations.
   5. Ensuring the system aligns with legal regulations and professional codes of ethics.
CASE STUDY: Development of an Online Library Management System
   A college library was using a manual system for issuing and returning books. It resulted
    in delays, data loss, and human errors. The college decided to develop a computerized
    Online Library Management System (LMS).
Problems Identified:
   - Book inventory records were often incorrect.
   - Students had to visit the library physically for every transaction.
   - No real-time tracking of issued/returned books.
   - Manual late fine calculation led to disputes.
Role of the System Analyst:
   - Met with librarians, students, and faculty to understand their needs.
   - Collected system requirements through interviews and observation.
   - Identified system objectives: faster transactions, better record-keeping, and online access.
   - Prepared Data Flow Diagrams (DFDs) and Entity-Relationship Diagrams (ERDs).
   - Created the System Design Specification document.
System Development Life Cycle (SDLC) Phases Used:
  1. Requirement Analysis – Defined user needs and functional specifications.
  2. System Design – Created design documents, user interface, and database schemas.
  3. Development – Coders built web-based system with login, search, issue/return features.
  4. Testing – Conducted unit and user acceptance testing (UAT).
  5. Implementation – Rolled out in phases; old records were migrated.
  6. Maintenance – Regular updates and feedback-based improvements.
Outcome/Results:
   - Students could check book availability and issue status online.
   - Librarians could track inventory and generate reports easily.
   - The system reduced manual errors and saved time.
   - User satisfaction improved significantly.
Ethical Considerations Addressed:
   - Secure login for students and staff.
   - Data privacy for student borrowing history.
   - Accurate fine calculation ensured fairness.
   - Access control prevented misuse.