Page 421 - Using MIS

Chapter 10  Information Systems Security   389
Michele jumps in at this point. “Sam, let me see if I can bring up an illustration onto your screen. Do you see the table diagram?”

“Just a second. Something’s loading. Ah, yes, there it is.”

James continues, “OK, the data for each participant is stored in the Person table in the center. Actually, we store quite a bit more data than shown here, but this will give you the idea of what we do. The security allowed is stored in attributes called PolicyStatements in the intersection tables. By default, the value is ‘None.’ However, if someone decides to share his or her data with, say, a health club, then he or she uses a form to specify what he or she wants, and we store the result of that decision in the PolicyStatement attribute. All of our code uses the value of that attribute to limit data access.”

“That makes sense; it’s a clean design. But what about SQL injection?”

“Good question. There are four types of access allowed: None, which is the default; Non-identifying; Summary; and Full Access. The last two include the person’s identity. In the form, those four are presented with radio buttons and the user picks. There’s no place for SQL injection to occur.”

The meeting continues in this vein for another 15 minutes. Sam seems satisfied with James’s responses. Afterward, James and Michele walk back to their offices together.

“James, that was the best meeting I’ve had with him. He’s so impatient with me, but he related to you really well.”

“Michele, I’m glad you’re happy with it. I couldn’t tell what he thought, but his questions were good and ones that we’ve thought about a lot.”

“Well, James, you’re good at explaining things. Ever think about going into sales?”

“Heavens, no, Michele. But I’ll take that as a compliment.”

“Thanks again.”
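The access-control design James describes, written out as an added worked example (it is not from the textbook or from James's company; the HealthClub and PersonHealthClub tables, the sample rows, and the exact shape of the Non-identifying and Summary results are assumptions):

```python
import sqlite3

POLICY_LEVELS = ("None", "Non-identifying", "Summary", "Full Access")  # the four levels in the dialogue
# Assumed schema: Person in the center, HealthClub as one partner, PolicyStatement in the intersection table.
SCHEMA = """
CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, Name TEXT NOT NULL,
                     Weight REAL NOT NULL, HeartRate INTEGER NOT NULL);
CREATE TABLE HealthClub (ClubID INTEGER PRIMARY KEY, ClubName TEXT NOT NULL);
CREATE TABLE PersonHealthClub (
    PersonID INTEGER NOT NULL REFERENCES Person(PersonID),
    ClubID   INTEGER NOT NULL REFERENCES HealthClub(ClubID),
    PolicyStatement TEXT NOT NULL DEFAULT 'None'
        CHECK (PolicyStatement IN ('None', 'Non-identifying', 'Summary', 'Full Access')),
    PRIMARY KEY (PersonID, ClubID));
"""

def open_db():
    """In-memory database with constructed sample rows (Alice has not shared anything yet)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)",
                    [(1, "Alice", 61.0, 58), (2, "Bob", 84.5, 72)])
    con.execute("INSERT INTO HealthClub VALUES (1, 'Downtown Gym')")
    con.execute("INSERT INTO PersonHealthClub (PersonID, ClubID) VALUES (1, 1)")  # defaults to 'None'
    con.execute("INSERT INTO PersonHealthClub VALUES (2, 1, 'Summary')")
    return con

def set_policy(con, person_id, club_id, policy):
    # The form's radio buttons limit what the browser offers; the server still whitelists
    # the value and binds it as a parameter, so no user text is ever spliced into the SQL.
    if policy not in POLICY_LEVELS:
        raise ValueError(f"unknown PolicyStatement: {policy!r}")
    con.execute("UPDATE PersonHealthClub SET PolicyStatement = ? "
                "WHERE PersonID = ? AND ClubID = ?", (policy, person_id, club_id))

def data_for_club(con, club_id):
    """Each participant's data for this club, shaped by his or her PolicyStatement."""
    rows = con.execute(
        "SELECT p.PersonID, p.Name, p.Weight, p.HeartRate, phc.PolicyStatement "
        "FROM Person p JOIN PersonHealthClub phc ON p.PersonID = phc.PersonID "
        "WHERE phc.ClubID = ? ORDER BY p.PersonID", (club_id,)).fetchall()
    out = []
    for pid, name, weight, hr, policy in rows:   # 'None' rows release nothing
        if policy == "Non-identifying":          # measurements only, no identity
            out.append({"weight": weight, "heart_rate": hr})
        elif policy == "Summary":                # identity plus an assumed summary figure
            out.append({"name": name, "summary": f"HR {hr} bpm"})
        elif policy == "Full Access":            # identity plus every stored attribute
            out.append({"person_id": pid, "name": name, "weight": weight, "heart_rate": hr})
    return out
```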

Chapter Preview

This chapter provides an overview of the major components of information systems security. We begin in Q1 by defining the goals of IS security and then, in Q2, discuss the size of the computer security problem. Next, in Q3, we address how you, both as a student today and as a business professional in the future, should respond to security threats. Then, in Q4, we ask what organizations need to do to respond to