Chapter 6: Systems Design

Chapter 6: Foundations for Systems Design

What is Systems Design?

  • Analysis determines "what" is required, while design specifies "how" the system will be configured and constructed.
  • Design bridges the gap between requirements and actual implementation.
  • The objective of design is to serve as a blueprint for construction.
  • Analysis and design results are documented to coordinate the work.

Analysis to Design to Implementation

  • Analysis Objective: Understand and specify what the new system will accomplish.
  • Analysis Models and Documents: Requirements models.
  • Design Objective: Describe in detail how the new system will be implemented.
  • Design Models and Documents: Design models.
  • Implementation Objective: Build a new system that fulfills user needs.

Design Models

  • Design is a model building activity.
  • The formality of the project dictates the type, complexity, and depth of models.
  • Agile/iteration projects typically build fewer models, but models are still created.
  • Jumping to programming without design often causes less than optimum solutions and may require rework.

From Analysis Models to Design Models

  • Requirements Models:
    • Domain model class diagram.
    • Use case diagrams.
    • Activity diagrams and use case descriptions.
    • System sequence diagrams.
    • Requirements state machine diagrams.
  • Design Models:
    • Component diagrams.
    • Deployment diagrams.
    • Design class diagrams.
    • Interaction diagrams (sequence diagrams).
    • Design state machine diagrams.
    • Package diagrams.
    • View layer, Data layer.

Design Activities and Iterations

  • Core Processes:
    • Identify the problem and obtain approval.
    • Plan and monitor the project.
    • Discover and understand details.
    • Design system components.
    • Build, test, and integrate system components.
    • Complete system tests and deploy the solution.
  • Design Activities:
    • Describe the environment.
    • Design the application components.
    • Design user interface.
    • Design the database.
    • Design the software classes and methods.
  • Iterations occur throughout the design activities.

Key Design Questions for each Activity

  • Design Activity: Describe the environment.
    • Key Question: How will this system interact with other systems and with the organization's existing technologies?
  • Design Activity: Design the application components.
    • Key Question: What are the key parts of the information system and how will they interact when the system is deployed?
  • Design Activity: Design the user interface.
    • Key Question: How will users interact with the information system?
  • Design Activity: Design the database.
    • Key Question: How will data be captured, structured, and stored for later use by the information system?
  • Design Activity: Design the software classes and methods.
    • Key Question: What internal structure for each application component will ensure efficient construction, rapid deployment, and reliable operation?

Describe the Environment

  • Two key elements in the environment:
    • Communications with External Systems
      • Message formats, Web and networks.
      • Communication protocols.
      • Security methods.
      • Error detection and recovery.
    • Conforming to an existing Technology Architecture
      • Discover and describe existing architecture
      • Chapter 7 provides more details

Design the Application Components

  • Application component is a well-defined unit of software that performs some function(s).
  • Issues involve how to package components including:
    • Scope and size – what are the functions, boundaries, interfaces?
    • Programming language – what are the accepted languages?
    • Build or buy – is an acceptable version available to purchase?

Typical Models for Defining Application Components

  • Component diagram illustrating View Layer, Domain Layer, and Data Access Layer.
  • Package diagram showing the relationship between View layer, Domain layer, and Data layer.
  • Deployment diagram illustrating Application server and Database server.

Design the User Interface

  • To the user, the User Interface is the system.
  • The user interface has a large impact on user productivity.
  • Includes both Analysis and Design tasks.
  • Requires heavy user involvement.
  • Current needs require multiple user interfaces for different devices and environments.

Typical Models for User Interface Design

  • Storyboard examples showing the progression of user interactions.
  • System sequence diagram illustrating user interactions with the system.
  • Small screen menu prototype.

Design the Database

  • An Information System requires data – usually in a database.
  • Current technology frequently uses Relational Database Management Systems (RDBMS).
  • Requires converting the data model to a relational database.
  • Requires addressing of many other technical issues:
    • Throughput and response time.
    • Security.

Design Software Classes and Methods

  • AKA Detailed Design
  • A model building activity
  • Design Class Diagram
  • Sequence Diagrams
  • State-Machine Diagrams

Typical Design Class Diagram

  • Illustrates classes with attributes and methods.
  • Example includes classes like SaleHandler, InventoryItem, Customer, Sale, and SaleItem.

System Controls and Security

  • Integrity Controls: Controls that maintain integrity of inputs, outputs, data, and programs.
  • Security Controls: Controls that protect the assets from threats, internal and external.

Integrity and Security Controls Diagram

  • Diagram showing the relationship between Input, processing, and OS controls, Network access controls, Output controls, Firewall, Internal network, Database controls, and Encryption.

Designing Integrity Controls

  • Integrated into application programs and DBMS.
  • Objectives of Integrity Controls:
    • Ensure that only appropriate and correct business transactions are accepted.
    • Ensure that transactions are recorded and processed correctly.
    • To protect and safeguard assets such as the database.

Input Controls

  • Prevent invalid or erroneous data from entering the system.
    • Value Limit Controls: Check the range of inputs for reasonableness.
    • Completeness Controls: Ensure all the data has been entered.
    • Data Validation Controls: Ensure that specific data values are correct.
    • Field Combination Controls: Ensure data is correct based on relationships between fields.

Output Controls

  • To ensure that output arrives at proper destination (for authorized eyes) and is accurate, current, and complete.
  • Examples:
    • Physical access to printers and display devices.
    • Discarded data – protect from “dumpster diving”.
    • Labels on printed and electronic output to correctly identify source of data.

Redundancy, Backup and Recovery

  • Protect data and systems from catastrophes:
    • Databases
    • Hardware
    • Software applications
    • Networks
    • On-site versus off-site copies

Fraud Prevention

  • Critical to prevent internal fraud, embezzlement, or loss.
  • Fraud Triangle:
    • Opportunity
    • Motive
    • Rationalization

Class Activity 1 Scenario Summary

  • An employee in IT hacked the company's bank account and stole several thousands of Rands.
  • The employee bragged about hacking abilities, was trusted and unsupervised, and faced financial struggles due to his house burning down.
  • The employee feels guilty and promised to pay back the money.
  • This scenario demonstrates all elements required for fraud.

Class Activity 2 Scenario Summary

  • Managers at Creative Rugs have access to all aspects of ordering and processing payments of rugs.
  • One of the managers has a serious gambling problem and is drowning in debt.
  • This presents a high risk of fraud.

Fraud Risk - Factors and Techniques

  • Factors affecting fraud risk:
    • Separation of duties
    • Records and audit trails
    • Monitoring
    • Asset control and reconciliation
    • Security
  • Risk-reduction techniques:
    • Design systems so those with asset custody have limited access to related records. Ensure that no one has sufficient system access to commit and cover up a fraud.
    • Record all transactions and changes in asset status. Log all changes to records and databases, and restrict log access to a few trusted persons.
    • Incorporate regular and systematic procedures to review records and logs for unusual transactions, accesses, and other patterns.
    • Limit physical access to valuable assets, such as inventory, and periodically reconcile physical asset counts with related records.
    • Design security features into individual systems and supporting infrastructure. Review and test security features frequently. Use outside consultants to conduct penetration testing attack and fraud vectors from external and internal sources.

Designing Security Controls

  • Protect all assets against external threats.
  • Other objectives:
    • Protect and maintain a stable, functioning operating environment 24/7 (equipment, operating systems, DBMSs).
    • Protect information and transactions during transmission across networks and Internet.

Designing Security Controls - Access and Authentication

  • Access Controls: Limit a person’s ability to access servers, files, data, applications.
  • Authentication: To identify users.
  • Access control list: List of valid users.
  • Authorization: Authenticated user’s list of permission level for each resource.
  • Registered Users: Those with authorization.
  • Unauthorized Users: Anyone not registered.
  • Privileged Users: Those that maintain lists and systems.

Types of Users

  • Diagram showing the relationships between Registered users, Unauthorized users, Privileged users, and how they interact with the system and data.

Data Encryption

  • Method to secure data – stored or in transmission.
  • Encryption: Alter data so it is unrecognizable.
  • Decryption: Convert encrypted data back to readable format.
  • Encryption Algorithm: Mathematical transformation of the data.
  • Encryption Key: A long data string that allows the same algorithm to produce unique encryptions.

Symmetric Key Encryption

  • Encryption method that uses the same key to encrypt and decrypt.
  • Diagram illustrating the process where Person 1 encrypts a message using a secret key, sends it over the Internet, and Person 2 decrypts it using the same secret key.

Asymmetric Key Encryption

  • Encryption method that uses different keys to encrypt and decrypt (Public Key Encryption).
  • Diagram illustrating the process where Person 1 encrypts a message using Person 2's public key, sends it over the Internet, and Person 2 decrypts it using their private key.

Digital Signatures and Certificates

  • Digital Signature: Technique where a document is encrypted using a private key. The document is encrypted with a private key but can only be decrypted with the correct public key.
  • Digital Certificate: An organization's name and public key that is encrypted and certified by an authorized third party.
  • Certifying Authority: The authorized third party, widely known and accepted, built into Web browsers.

How a Digital Certificate is Used

  • Diagram illustrating the steps of a client requesting to connect to a secure server, the server sending a signed digital certificate, the client verifying the certificate, generating a secret key and encrypting it with the server's public key, and then both communicating securely using the secret session key.

Secure Transactions

  • Secure Sockets Layer (SSL): Standard set of protocols for authentication and authorization.
  • Transport Layer Security (TLS): An Internet standard equivalent to SSL.
  • IP Security (IPSec): Internet security protocol at a low-level transmission.
  • Hypertext Transfer Protocol Secure (HTTPS): Internet standard to transmit Web pages.

Summary: Activities of Systems Design

  • Describe the environment.
  • Design the application components.
  • Design the User Interface.
  • Design the database.
  • Design the software classes and methods.