Full ISCA Course Notes - Final
| P a g e
CA Final Course
Paper – 6
Information
Systems
Control
And
Audit
(Revised Syllabus)
Notes by:
Vaibhav Gupta
About the Author
Vaibhav Gupta is an experienced corporate trainer, author of various
business books, and a known faculty member with GMCS‐I of North Indian
Regional Council (NIRC) of Institute of Chartered Accountants of India
(ICAI). He has trained more than 20000 corporate employees and more
than 10000 students, with more than 6500 students in the CA course only,
in a variety of soft skills and business skills. He completed his Masters in
Business Administration (MBA) degree from Leeds Business School,
United Kingdom ‐ which is one of the leading global business schools ‐ with a merit award in
Management of Information Systems (MIS). Primarily a successful entrepreneur with
substantial entrepreneurial interests in multiple business organizations, he additionally retains
a great interest in exploring academics in the subject areas that he has so expertly studied and
practised. His experience as a consultant with a variety of multinational organizations including
the big four firms like KPMG, and Ernst and Young has strengthened his understanding of the
way businesses function.
MIS forms the backbone of global business strategies and operations because of its sheer ability
to steer an enterprise towards its goals in the most efficient manner. Being a merit holder in
MIS, he holds exquisite and detailed knowledge of the subject. Being a subject matter expert
coupled with a unique and easily comprehensible teaching style, the lectures and notes
prepared by him provide not only the conceptual clarity to the students, but also provide to the
students the right direction to face the challenging examination questions confidently.
He strongly believes in the study modules provided by Institute of Chartered Accountants of
India (ICAI) and understands the only problem students face in these notes – complex language.
This discourages the students from generating prolonged interest in this wonderful and
interesting topic which also carries a great importance for students’ careers in the long run.
Therefore, through his notes and lectures, Vaibhav has tried to present the content given in
ICAI module in an engaging manner using real business examples and scenarios so that the
students can understand the subject at its core, however simplifying the language in order to
enable students to learn the concepts. The notes and lectures also include easy tips and
intelligent tricks to remember the lengthy theoretical part, which will enable the students to
get a good grasp at the subject and score well in the tests by remembering it in its easiest form.
3 | P a g e
Index
Chapter No. – Title – Page
of Information Systems
3. Protection of Information Systems – 78
4. Business Continuity Planning and Disaster Recovery Planning – 117
5. Acquisition, Development, Implementation of Information Systems (Appendix – SDLC Chart) – 142
Case Studies – 259
Practice/Revision Question Bank – 261
Course Comparison – 276
4 | P a g e
Chapter 1: Concepts of Governance and Management of Information Systems
What is ‘Governance’? Governance means controlling.
“Governance is a set of responsibilities and practices by board and executive management to
provide strategic decisions to ensure the achievement of business objectives of an enterprise
by managing its risk and optimum utilization of its resources.”
‘Governance’
Corporate Governance:
• Purpose is to regulate the legal and compliance issues.
• Ensures good corporate governance and effective processes.
• Performed by monitoring committees like Audit & other nominated committees.
• External in nature.
• For example: Sarbanes Oxley Act of US, Clause 49, SEBI Regulations.
Business Governance:
• Performance comes from effective strategy and decision making.
• Ensures maximized shareholders’ returns.
• Done by the board members and executive management team.
• Internal in nature.
• For example: marketing policies, investment policies etc.
‘Corporate Governance’
Formally, it may be defined as “a system to direct and control a company by the board members and executive management with an objective to maximize shareholders’ interests.” It concerns establishing relationships among various stakeholders by removing conflicts and separating business functions that were incompatible (could not work together). It also aims at appointing an independent audit committee, managing the risk and ensuring compliance with various rules and regulations. Finally, it establishes answerability to the shareholders of the company of board members and others who are entrusted with the power to control and monitor the decisions and performance.
A business is like a BUD, which when watered and taken care of properly, grows into becoming
a flower. By properly implementing, monitoring and controlling, and governing the IT,
Gopalbisenji’s sweetshop, which has now turned into a big enterprise, could see their business
coming CLOSER to them – meaning, it helps them to easily and closely manage the business. So
the benefits of effective governance are – ‘BUD CLOSER’. Let’s see what it is.
B: Behavior of IT became as per management’s desire to achieve objectives.
U: Understanding of decisions, rights and frameworks which govern the company business
increased.
D: Decision making became effective and in line with the strategies.
C: Conflicts among shareholders, board, stakeholders, management were removed.
L: Limitations due to large organization structure were overcome because of smooth, fast
and targeted flow of relevant business information.
O: Objectives of the organization were achieved.
S: Stability within the organization enhanced as there were lesser conflicts of interests.
E: Execution of IT outsourcing arrangements became effective, and fast.
R: Relationships among various stakeholders improved as their objectives were met with.
So, the benefits of Governance are: ‘BUD CLOSER’. Remember it!
‘IT Governance’
Since IT controls most of the business processes these days, it must be controlled
separately. Hence, IT governance may be defined as follows:
Governance: means system
System is always created: to direct, control and monitor
Reason behind controlling or monitoring is: to achieve business objectives
What is the ultimate objective: to meet shareholders needs i.e., maximize the value of shares.
Let’s see if the above concept works to define ‘IT GOVERNANCE’. IT – Information technology
without which large enterprises will fail to run efficiently. IT Governance is:
“a system to control or direct the IT activities of an enterprise or company by the board and
the management to achieve business objectives with an ultimate objective to meet
shareholders’ needs”
‘How to determine the Status of IT Governance in a company?’
Why is it important to determine the current status? – Because once we know the current
status, we can understand the further developments we are supposed to make to support our
strategies and business objectives. It also helps the board to identify the potential risk areas
and work on them in advance in order to reduce, control or be prepared for them.
[Figure: Status of IT Governance – six elements around the centre: identify the key decision makers; process of decision making; gather the information relevant to make decisions; identify decision-making mechanisms; being prepared for exceptions and handling them; monitoring of and improvement in results]
Answer to six questions will determine the status of IT governance in a company:
1. Who are the key decision makers?
2. How do they make decisions?
3. Based on what information do they make decisions?
4. What mechanisms do they use to make decisions?
5. How do they identify and manage exceptions or variations?
6. How are the results monitored and improved?
‘Benefits of IT Governance’
Do you know the specialty of CACTUS plant?
A cactus plant doesn't move, because it's tightly rooted in the soil. But it spreads
quickly by branching off. In fact, one plant can root outward in such a way as to
end up forming a dense, treelike growth over quite an area of ground. Similarly, a company gets
rooted deeply and strongly when it manages and governs its IT successfully like a cactus and
continues to spread by branching off.
Depending on what level a company has implemented and managed IT, the benefits a company
may derive can be summed up as: ‘CACTUS MOVE’. What is it?
So when it comes to remembering benefits of IT Governance, remember: ‘CACTUS MOVE’
‘Governance of Enterprise IT (GEIT)’
Part of corporate governance which deals with implementation of a framework of Information
Systems (IS) controls within an enterprise – relevant to and including all key areas.
Primary objectives:
• Analysis and clear communication of the requirements of GEIT
• Establish and maintain: 1) a framework (principles, processes, practices and structures – ‘3Ps’); 2) responsibilities and authorities
• To achieve: the enterprise’s mission, goals and objectives
‘Benefits of GEIT’
Without proper alignment, proper running of any system cannot be ensured. Hence, it is important to align Governance of IT with Enterprise Governance.
Benefits of GEIT (aligned with Enterprise Governance):
• Effective supervision with transparency
• Compliance – legal and regulatory
• Board members’ decision making in line with enterprise objectives
• Consistent approach with complete integration and alignment
‘How to Implement GEIT’
There are three governance-system steps in implementing GEIT – Evaluate, Direct and Monitor:
Evaluate
• Identify and engage with stakeholders
• Document understanding of requirements
• Judgment on current and required design of GEIT
Direct
• Leadership – support, buy‐in and commitment
• ‘3Ps’ of GEIT = design principles, decision‐making, authority levels
• Information
Monitor
• Effectiveness and performance
• Effective operation of ‘3Ps’
‘Do you Remember ‘Raju’?’
I hope, you remember ‘Ramalinga Raju’ of ‘Satyam’. ‘Satyam’, one of the largest IT companies
in India, registered the biggest scandal of its times and became the biggest example of a flawed
corporate governance. But how did Raju do that? Let’s understand.
Let’s see the following checklist and try to understand if Satyam had all of them.
1. Clear assignment of responsibilities and decision making authorities
2. A well established approvals seeking system related to the execution of decisions made
3. Well developed mechanism of interaction and cooperation among board, senior
management and auditors
4. Appropriate financial and managerial incentives were already offered to senior management
and other employees.
Yes, we all agree that the above-mentioned features were there in Satyam’s way of working.
However, there were some important characteristics that were missing:
5. The company lacked strong internal control systems.
6. It did not have strong internal or external auditors who could have averted the scandal by
honest, accurate and timely reporting.
7. Special monitoring of risk areas related to conflicts of interest, especially senior
management, and key decision makers in this case.
8. Appropriate flow of information – internal as well as externally to the public.
Raju became greedy as he thought that the financial or management incentives that he was getting
were not sufficient (point 4). Then he also realized that there was no special monitoring on the
conflict of interest either. His personal interest became higher than the organizational interest
(point 7). He also observed that there were lacunae in internal controls (point 5) and he could
alter the internal information, hence the external too (point 8). So he misused his position and the
discrepancies in the system to flout his responsibilities and authorities (point 1) and ignored,
disrespected or distorted the approval-seeking mechanisms (point 2). He also negatively
influenced the interaction mechanism among the senior ladder of the organization (point 3).
The only way by which it could have been saved was by Auditors’ honest, accurate and timely
reporting – which once again, unfortunately, did not happen leading to India’s biggest
corporate scandal.
The above-mentioned 8 points are the best practices or features of effective corporate
governance. But as we can see, it all starts with leadership’s commitment towards achieving the
organization’s objectives. The moment there is a conflict between organizational and
personal interests, a scandal will arise.
‘Enterprise Risk Management’
Enterprise must take a comprehensive approach while implementing the internal controls. Look
at the following flowchart.
[Flowchart: Overall business objectives, processes, structure, technology and risk appetite → Risk Management Strategy designed by management → Strategy implementation at each level of enterprise operations → Closely integrated implementation]
‘Sarbanes Oxley Act’
It focuses on implementation and review of two things related to ‘Financial audit’:
• Internal controls
• Evaluation of risks, security and controls
In case of applying the same in IT environment, it takes inputs from ‘COSO’.
‘COSO’ ‐ Committee of Sponsoring Organizations of the Treadway Commission
Established in 1985 in US by 5 private organizations, namely;
1. Institute of Management Accountants
2. American Accounting Association
3. The American Institute of Certified Public Accountants
4. The Institute of Internal Auditors
5. Financial Executives International
Definition of Enterprise Risk Management as per COSO
“Enterprise Risk Management is a process, effected by an entity’s Board of Directors,
Management and other personnel, applied in strategy setting and across the enterprise,
designed to identify the potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.”
‘Internal Controls as per COSO’
Environment (control): This is the starting point. First, a controlled environment must be
created that ensures that business processes and their owners adhere to accountability,
responsibility and ethical code of conduct.
Risk (assessment): Risks associated with business processes must be assessed properly.
Activity (control): Control activities must be developed to manage and mitigate the risks.
Monitoring (performance): Continuous monitoring of the performance of Internal Controls.
Information & Communication: They help in exchange of information needed to conduct,
manage and control business operations.
‘Internal Controls over Financial Reporting’
Securities and Exchange Commission’s (SEC) final rules have defined ‘internal controls over
financial reporting’ as a “process designed by, or under the supervision of, the company’s
principal executive and principal financial officers, or persons performing similar functions, and
effected by company’s board of directors, management and other personnel, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally accepted accounting
principles. It includes those policies and procedures that ‘reasonably assure’ that:
1. Records related to the transactions and disposition of company’s assets have been
maintained accurately and fairly in reasonable detail.
2. Unauthorized acquisition, use or disposition of company’s assets that could have a material
effect on financial statements have been prevented or timely detected.
3. Transactions necessary to prepare financial statements are recorded as per the generally
accepted accounting principles, and all the recorded receipts and expenditures were made
after authorization by management and board of directors of the company.”
Under the same final rules, company’s annual report must include a report which is called
‘Internal control report of management’. It must include statement, concerning company’s
internal control over financial reporting, of;
1. Management’s responsibility towards establishing and managing them.
2. Framework that management used to conduct the evaluation of its effectiveness.
3. Management’s assessment of their effectiveness as of company’s most recent FY
ending. (Whether they had been effective or not). Two things must be remembered
while giving this statement: Disclosure of material weaknesses in the internal control;
and Statement should not call it effective, if there were found one or more material
weaknesses.
4. Auditor’s attestation report of management’s assessment.
‘Responsibility of Implementing Internal Controls’ – SOX
As per SOX, CEOs and CFOs are personally and criminally liable for the quality and effectiveness
of their organization’s internal controls. They have to attest to the public about its
effectiveness. Internal controls provide only reasonable assurance and not absolute. However,
all they ensure is that financial statements are created as per international or local established
accounting standards. This can be achieved through only two ways:
1. Enforcement of the policies
2. Adherence to Risk Avoidance Methodology – also called ‘Internal Controls’
‘IT Steering Committee’
Steering means ‘to drive’. IT Steering Committee means a group of people who
have been assigned the task of steering the IT processes and requirements of a
company in line with the enterprise’s goals and objectives.
It usually comprises a board member leading the committee and the functional
heads of all the key departments including audit and IT. Their role must be
documented and approved by senior management.
The functions of IT Steering Committee can be classified under five primary heads,
as shown below:
‘IT Strategic Planning’
There are four steps to IT strategy planning:
1. Enterprise Strategic Plan
2. Information Systems Strategic Plan
3. Information systems Requirements Plan
4. Information Systems Applications and Facilities Plan
Enterprise Strategic Plan
This step is to build the overall strategy for the enterprise’s business. It includes deciding vision,
mission, long term and short term objectives of the business. It discusses and visualizes all the
units of a business, including Information Systems in an integrated fashion to formulate and
understand the strategy to achieve the business goals. The IT plan must be aligned to the enterprise
plan so that it helps the organization reach its objectives.
Information Systems Strategic Plan
It starts with evaluating the business requirements of an enterprise with respect to Information
Technology (IT). Once the requirements are established, market assessment is done to evaluate
different IT products and opportunities available in the market and assess as to which one is
most suitable as per enterprise’s business requirements. A single process flow of IS Strategic
Plan can be understood by picture given below:
[Figure: IS Strategic Plan process flow – Regular and Periodical Strategic Planning → Long Term Plans → Operational Plans → Short Term Goals]
The important actions required in order to create a strong IS Strategic Plan are:
• Enterprise Business Strategy
• Current Stock of IT and Infrastructure
• Monitor IT markets
• Risk Appetite
22 | P a g e
Information Systems Requirements Plan
A clearly defined information architecture is required to optimize the organization of
information systems. There is a lot of business information which must be organized. The first step is
to create a business information model which must be maintained and updated regularly. Once
this model or framework for information usage is created, appropriate systems are defined to
optimize the use of such information. Based on this architecture, the IS requirements plan is drawn
so as to meet the information requirements of an enterprise. Steps to creating the information
architecture are shown in the picture given below:
[Figure: Enterprise Information Architectural Standards → Information Model of Enterprise → Data Syntax Rules; Data Repository and Dictionary; Data ownership]
Information Systems Applications and Facilities Plan
It is made on the basis of the information systems architecture. The key components of this
plan are:
• Organization changes required
• Facilities required
• Hardware/software acquisition along with development schedule
• Specific application systems to be developed along with time schedule
‘How to Align IT Strategy with Enterprise Strategy’
It’s a simple 6‐step process which can be remembered easily as ‘UADCDC’:
U: Understand Enterprise Direction: (Internal and External environment analysis)
A: Assess three things: current business performance, current IT capabilities and external
IT services. Understand enterprise IT architecture. Identify current problem areas and develop
recommendations for betterment. Evaluate options of developing inside or sourcing from
external vendors or service providers by undertaking cost‐benefit analysis
D: Define the target IT capabilities. Once the previous two steps are taken, it is easier to
identify future IT capabilities to be developed.
C: Conduct a gap analysis – between current and target environment. Align the assets with
business outcomes so that investment base is optimized and asset base (both internal and
external) is utilized.
D: Define the strategic plan and road map. A company’s IT goals should contribute towards
overall enterprise’s goals. IT used in the company should further support IT enabled investment
program, IT services and IT assets.
Success can be measured by:
• Evaluating to which extent IT goals are supporting the enterprise goals
• Gauging the stakeholder’s satisfaction w.r.t. planning proposed
• Understanding the extent to which IT value drivers are supporting business value
drivers.
‘Are we deriving Business Value from Use of IT?’
It is indeed an important evaluation because if our investments in IT are not being used in an
optimized fashion to deliver the business value as targeted, it shows a strong lacuna in our IT
strategy. Before we understand the evaluation process, let’s understand the implications of
such an alignment using the picture given below:
Process to evaluate business optimization can be explained through the picture given below:
Evaluate:
1. Whether the portfolio of IT‐enabled investments, services and assets is able to achieve enterprise goals at reasonable cost?
2. Are there any changes required to optimize value creation?
Direct:
Who: the management
What: value management principles and practices
To do what: optimal value realization
Monitor:
What: IT‐enabled investments and services
To do what: whether business is generating projected value and benefits because of IT‐enabled investments
How: by monitoring key goals and metrics from IT‐enabled investments
To evaluate the success of process of ensuring business value from the use of IT, we must try to
determine the percentage of IT enabled investments or services in cases where:
1. Full economic life cycle is completed and benefits have been realized
2. Expected benefits have been realized
3. Operational Costs and benefits have been clearly defined and approved
Finally, a satisfaction survey with stakeholders regarding the IT financial information – ‘ACT’:
A: Accuracy; C: Clarity; T: Transparency
‘Risk Management’
Information Security (IS) can be defined as:
“Procedures and practices to assure that Computer facilities are available at all required times,
(and) data is processed completely and efficiently and that access to data in computer systems
is restricted to authorized people.”
Sources of Risk:
‘THIN PERM’
T: Technological and Technical issues
H: Human Behavior
I: Individual Activities
N: Natural Events
P: Political Circumstances
E: Economic Circumstances
R: Relationships – Commercial and Legal
M: Management Activities and Controls
Risk can only be of three types:
1. That there is a loss potential in each threat or vulnerability
2. That the extent of loss from such a possibility is uncertain
3. That someone or something may be doing it deliberately
Risk terminologies
Asset: something that has a value for an organization. Anything can be called an asset if it
has one or more of the following characteristics:
1. It has value for the organization. For example: land
2. It is not easily replaceable. Replacing it would require enormous cost, time, skill and
resources. For example: machinery
3. It represents the company in the outside world. The company risks losing its identity
if it loses it. For example: trademarks, logos, patents – GE, Samsung, LG, Micromax
4. Information about it is highly confidential. For example: process combinations, recipes
etc. – Maggi, Coca Cola, Frooti
Vulnerability: refers to the weakness in the system because of which system is exposed to
threat or attacks. For example; lack of antivirus makes your computer system vulnerable for
virus attack.
Vulnerability is a state in the computing system which allows an attacker to:
Pose as another entity
Access data without permission or authorization
Conduct a denial of service
Execute commands as another user
‘PACE’ – Attackers ‘PACE’ into business to cause damage.
Threat: An entity, circumstance or event with the potential to harm the software system or
components through PACE. It attacks the system with an intention to harm.
Exposure: Exposure is the extent of loss which a business may face in both short and long run
due to the attack on the system.
Likelihood: Likelihood or probability of a threat’s success in harming the system.
Attack: Attack is an attempt to gain unauthorized access to the system to compromise its
services or dependability, or simply a set of actions designed to compromise CIA
(Confidentiality, Integrity or Availability).
[Figure: arrows labelled ‘vulnerable to’ and ‘exploit to cause’ linking the terms above]
And process of identifying such system related risks and estimating their size and impact on the
organization is called – ‘Risk Analysis’. Risk analysis or assessment includes following:
• Identification of threats and vulnerabilities
• Potential harm on CIA and its impact on business operations
• Identification and analysis of security controls
Risks generated may be direct or indirect but how do these risks arise in the first place? It
happens due to the reasons given below:
Widespread use of technology: Since latest technology is easily available to almost everyone, it
has increased the chances of people misusing it to attack the systems. Moreover, almost
everything today is driven by technology; it lures the attackers by being an easier victim.
Interconnectivity of systems: Being interconnected, systems have become interdependent and
accessible by a large number of people. This has made them vulnerable to outside attacks.
Devolution of management and control: Less control, more autonomy which further leads to
vulnerability and risk.
Elimination of distance, time and space as constraints: All an attacker needs to attack a system
is another system. One may attack while sitting in any country and time zone and get away by
attacking any other system in any country and time zone.
Contest for supremacy among attackers: There is a whole class of attackers who attack systems
only to prove that they can do it. They may do it for quick monetary gains or simply to prove
that they are capable of attacking any system from the remotest corner of the earth by just using a
computer and their knowledge of it.
Unevenness of technological changes: A newbie hacker in the USA may be using highly advanced
technology to attack a professional organization in India which may be using the latest technology
available in India, however obsolete by US standards. New software is launched each day
making this gap only wider, hence making obsolete systems vulnerable.
External factors such as legislative, legal and regulatory requirements: Sometimes, certain
external legal requirements demand that a company operate in a certain way which stops it
from taking necessary measures to eliminate risks, making it vulnerable to external attacks.
One or more of the above mentioned reasons give a ‘WIDE CUE’ to the attackers to attack a
system.
Countermeasure: To reduce the vulnerability of the system, an action, device, procedure,
technique or any other measure used is called as a countermeasure.
For example; installing antivirus software and regularly updating it is a countermeasure against
virus attacks.
But it may happen that a new virus has been released and the antivirus that a system has has
not been updated yet. And before it could be updated, your system caught this virus. This kind
of risk, which remains even after taking a countermeasure, is called ‘Residual risk’. So an
organization’s risk management cannot be completed without accepting residual risk and
safeguarding the system against it. But risk can never be completely removed. It may only be
reduced. So a management must manage risk so as to keep it at a minimum level so that it may
be managed.
‘Risk Management Strategies’
Risks are first identified and analyzed to understand the right treatment which should be given
to them. Depending on the size and impact of the risk, the treatment should be decided upon.
Remember the 5Ts concept to understand the risk management strategy:
• Tolerate (when the risk is not too big): accept it as a cost of running the business; keep a periodical check on it to keep it under control.
• Terminate (when it is due to an identifiable factor): replace the technology or persons causing such risk.
• Transfer: outsource the non‐core vulnerable area; get it insured.
• Treat: when everything else is done and the risk persists, treat it using the right methods.
• Turn Back: when the probability is too low, ignore it.
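To see the risk terminology (asset, threat, vulnerability, likelihood, exposure, countermeasure, residual risk) and the 5Ts working together, here is a small risk-register script. It is an added example, not code from the ICAI module or from the author of these notes: the register entries, the risk appetite of 5000, the 1% "negligible likelihood" cut-off and the countermeasure effectiveness figures are all constructed assumptions, and the order in which the 5Ts are tried follows the rules of thumb given in the notes above.

```python
# Added illustration (not from the ICAI module or the author's notes): a small
# risk register that applies the risk terminology (asset, threat, vulnerability,
# likelihood, exposure, countermeasure, residual risk) and then picks one of the
# 5Ts treatments using the rules of thumb given in the notes.
# All figures, thresholds and register entries are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float                 # probability (0..1) that the threat succeeds in a year
    impact: float                     # loss in currency units if it does succeed
    countermeasures: List[Tuple[str, float]] = field(default_factory=list)
    # each countermeasure: (name, fraction of the exposure it removes, 0..1)
    identifiable_cause: bool = False  # traceable to one technology/person (Terminate candidate)
    core_activity: bool = True        # non-core areas can be outsourced or insured (Transfer)

    def inherent_exposure(self) -> float:
        """Exposure before any countermeasure: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_exposure(self) -> float:
        """Risk that remains after the countermeasures. It is never zero unless a
        countermeasure is perfect, which is why residual risk has to be accepted."""
        remaining = 1.0
        for _name, reduction in self.countermeasures:
            remaining *= (1.0 - reduction)
        return self.inherent_exposure() * remaining


# Assumed decision thresholds (a real board would set these as its risk appetite).
RISK_APPETITE = 5000.0          # residual exposure the board tolerates per risk
NEGLIGIBLE_LIKELIHOOD = 0.01    # below this the notes say "turn back" (ignore it)


def recommend_treatment(risk: Risk, appetite: float = RISK_APPETITE) -> str:
    """Map a risk to one of the 5Ts, trying them in the order the notes give."""
    if risk.likelihood < NEGLIGIBLE_LIKELIHOOD:
        return "Turn back"            # probability too low: ignore it
    if risk.residual_exposure() <= appetite:
        return "Tolerate"             # not too big: accept as a cost, keep periodic checks
    if risk.identifiable_cause:
        return "Terminate"            # replace the technology or persons causing it
    if not risk.core_activity:
        return "Transfer"             # outsource the non-core area or insure it
    return "Treat"                    # everything else done and risk persists: treat it


def risk_register() -> List[Risk]:
    """Constructed sample register for a fictional enterprise (not real data)."""
    return [
        Risk("Customer database", "malware", "antivirus signatures not yet updated",
             likelihood=0.4, impact=20000.0,
             countermeasures=[("antivirus installed and regularly updated", 0.8)]),
        Risk("Legacy billing server", "exploit of obsolete OS", "vendor support ended",
             likelihood=0.3, impact=50000.0, identifiable_cause=True),
        Risk("Backup tapes in transit", "theft", "tapes carried unencrypted by courier",
             likelihood=0.2, impact=30000.0, core_activity=False),
        Risk("Online trading platform", "denial of service", "no request rate limiting",
             likelihood=0.5, impact=100000.0,
             countermeasures=[("rate limiting", 0.5)]),
        Risk("Data centre building", "meteorite strike", "no roof hardening",
             likelihood=0.001, impact=10_000_000.0),
    ]


def treatment_plan(register: List[Risk]) -> Dict[str, Tuple[float, float, str]]:
    """asset -> (inherent exposure, residual exposure, recommended treatment)."""
    return {r.asset: (r.inherent_exposure(), r.residual_exposure(), recommend_treatment(r))
            for r in register}


if __name__ == "__main__":
    for asset, (inh, res, action) in treatment_plan(risk_register()).items():
        print(f"{asset:26} inherent={inh:>12,.0f} residual={res:>12,.0f} -> {action}")
```

Two things worth noticing when running it: the customer-database entry shows residual risk in action (the antivirus cuts exposure from 8000 to 1600 but does not remove it), and the data-centre entry shows why the "turn back" test comes first: its inherent exposure is above the appetite, yet the notes say a risk whose probability is too low is simply ignored.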
‘Risk Management’
A simple process of managing risk can be depicted by using the picture given below:
Risk Management = Risk Assessment + Risk Mitigation/Control
Evaluate:
1. Effects of risk on current and future use of IT
2. The risk appetite
3. If the risks are identified and managed
Direct:
What: establishment of risk management practices
To do what: to ensure that actual risk never exceeds the board’s risk appetite
How: by assuring that IT risk management practices are appropriate
Monitor:
What: key goals and metrics
Of what: risk management processes
To do what: to establish how problems will be identified, tracked and reported for correction
‘Risk Management Implementation’
C: Collect data (IT related) to enable effective risk identification, analysis and reporting.
M: Maintain an inventory of 1) known risks and their attributes – frequency, impact and
response; 2) resources, capabilities and current control activities.
A: Articulate (communicate) risk to stakeholders about the current state of IT exposures
and opportunities, to generate a response.
D: Define a risk management action portfolio to manage opportunities and reduce the risk to
an acceptable level.
R: Respond to risk in a timely manner with effective measures to limit the size of loss
from IT related events.
‘And how does an Enterprise monitor IT Risk Management?’
By using a few metrics, like:
P: Percentage of IT risks and critical business processes out of the total enterprise risks
N: Number of IT related incidents which were not identified in the risk assessment
‘Key Points to Remember in IT Compliance Review’
• IT is the backbone of enterprise’s business operations. Thus, there is a need for separate
GRC (Governance, Risk Management and Compliance) for IT related activities, as a part
of Enterprise GRC.
• As the SOX Act covers it in the US, Clause 49 of the SEBI Listing Agreement covers it in
India. Mostly the two are similar, but they differ in one major thing: SOX directs
companies and auditors through detailed guidelines on compliance, but SEBI doesn’t. In
India, auditors and companies are governed largely by the directives of ICAI, which
further are limited only to audit perspectives.
• It is not only covered under SEBI, but is covered under Companies Act, 1956 too; hence
it is mandated by law not only to the listed companies but to all the companies.
• Similarities between SOX and Clause 49 of SEBI are:
o CEO’s and CFOs are liable personally as well as criminally
o They will certify about the effectiveness of internal controls
o They will disclose it to the auditors about the material weaknesses in company’s
internal controls of the financial reporting.
‘Control Objectives for Information and Related Technologies’
(COBIT 5)
What is COBIT 5?
• A GEIT (Governance of Enterprise IT) framework given by ISACA (Information Systems Audit and Control Association).
• Provides good practices in governance and management at a holistic and comprehensive level.
• Manages IT‐related risk and ensures compliance, continuity, security and privacy.
• It aims at optimizing the business value derived from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
• A set of globally accepted principles, practices, analytical tools and models that an enterprise can use in a customized fashion, enabling it to achieve its business objectives.
‘Five Principles of COBIT 5’
Principle 1: Meeting Stakeholder Needs
An enterprise creates value for its stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. Every enterprise and its goals are affected by external factors (political, market, industry, etc.) and internal factors (organization, culture, risk appetite, etc.). That is why the governance and management needs of every enterprise are different and should be customized. COBIT 5 uses a goals cascade mechanism, with which it breaks down stakeholder needs into specific, actionable and customized enterprise goals, IT‐related goals and enabler goals, as given in the picture below:
Principle 2: Covering the Enterprise End‐to‐End
Look at the picture given below:
It covers all functions within enterprise and integrates IT governance into corporate
governance. It deals with IT function as one of the important assets of the organization.
Principle 3: Applying a Single Integrated Framework
COBIT 5 aligns with the latest relevant standards and frameworks used by enterprises:
• Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
• IT‐related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
Principle 4: Enabling a Holistic Approach
COBIT 5 looks at the governance and management of enterprise IT as a whole. It takes into account all the enablers which help a business reach its objectives and integrates them so that they function together to meet stakeholders’ needs.
Seven enablers of COBIT 5
Enabler Integration
• Both IT and business teams use processes to get work done with consistent outcomes.
Security teams must include how work is done when designing a security framework
and program.
• An organizational structure (a management hierarchy) is designed to monitor and reach
strategic and operational objectives. Leaders (decision makers) from each level are
typically stakeholders in business processes and expected outcomes.
• An organization is a living entity, with its own culture, ethics, and behavior as exhibited
by its employees. Changing the way employees see their working world is not easy and
must be considered when trying to secure the workplace.
• Information is what we attempt to protect… and it is usually everywhere. In most cases,
information is critical for business operations and must be available when and where
needed. Further, access to the data should not come with unacceptable response times
caused by poorly designed security controls.
• IT delivers information via services, infrastructure, and applications.
• All security control implementations require attention to people, skills, and
competencies: both in and out of IT.
• Principles, policies, and frameworks provide the means to integrate all enablers into an
overall solution resulting in secure operational success. The enablers help achieve the
outcomes expected when developing principles, policies, and frameworks.
Principle 5: Separating Governance from Management
It creates a clear demarcation between governance and management so that they operate
independently towards achieving the enterprise objectives. They perform different activities,
require different organizational structures and serve different purposes as shown in picture
given below:
Role of Governance as per COBIT 5 is: (EDM: Evaluate, Direct, and Monitor)
“to ensure that stakeholder needs, conditions, and options are evaluated to determine
balances, agreed‐on enterprise objectives to be achieved; setting direction through
prioritization and decision making; and monitoring performance and compliance against
agreed‐on direction and objectives.”
Role of Management as per COBIT 5 is: (PBRM: Plan, Build, Run, and Monitor)
“to plan, build, run and monitor activities in alignment with the direction set by governance
body to achieve the enterprise objectives.”
Terminologies:
APO: Align, Plan, and Organize
BAI: Build, Acquire, and Implement
DSS: Deliver, Service, and Support
MEA: Monitor, Evaluate, and Assess
‘COBIT 5 Process Reference Model’
It defines and describes all the processes normally found in an enterprise in relation to IT activities. Though it is comprehensive, it must still be customized as per the enterprise’s needs. Look at the model given below:
Features of this model are:
1. It provides an operational model and a common language across all parts of the enterprise involved in IT activities, which are prerequisites of a good governance system.
2. It also provides for measuring and monitoring IT performance, IT assurance, communicating with service providers, and integrating best management practices.
‘How is a GRC program implemented?’
• Define the applicable GRC requirements
• Identify regulatory and compliance requirements
• Review the current GRC status
• Determine the most optimal approach
• Establish success measurement parameters
• Use a process‐oriented approach
• Adopt global best practices
• Use a uniform and structured approach that can also be audited
‘Why use COBIT 5 Best Practices for GRC?’
(Governance, Risk Management, and Compliance)
1. A simple GRC program aims only at compliance; COBIT 5, being comprehensive in nature, not only satisfies the legal mandates of compliance but also serves the purpose of meeting business objectives.
2. Senior management is not only responsible for successful GRC implementation and monitoring, but is also responsible for meeting stakeholders’ needs.
3. It provides a comprehensive approach and enables management to select from the best practices to design policies, practices, principles and standards (the 3Ps).
4. Appropriate governance processes and enablers get integrated as a part of normal business practice.
5. It also ensures faster and more efficient external audits, as COBIT 5 is internationally recognized and widely accepted as a basis for IT audit procedures.
‘How to Measure the Success of a GRC Program?’
Reduction of:
• useless controls and the related time to execute them (audit, test and correct)
• control failures in all areas
• expenditure (legal, regulatory and review)
• time required for audit
• process time, through automation of control and compliance measures
Improvement in:
• processes, through streamlining
• timely reporting (regular compliance issues and corrective measures)
• a control panel for senior management over overall compliance and key issues
‘Using COBIT 5 for IS Assurance’
• It meets the expectations of multiple stakeholders, benefitting both internal and external stakeholders.
• It is written in simple, non‐technical language, so it can easily be used by all stakeholders, internal and external.
• It implements GRC from an end‐to‐end perspective and is globally accepted as the best tool for doing so.
• It works as an overarching framework which includes and integrates all other business and IT‐related frameworks.
COBIT 5 can fulfill assurance needs in the areas as depicted in the following picture:
‘Evaluation of IT Governance Structure and Practices by Internal
Auditors’
Although an audit of IT governance can be performed by both internal and external auditors, internal audit leads to effective IT governance by providing the evaluation from within the enterprise. The Institute of Internal Auditors (IIA) has laid out the following guidelines for internal audit purposes.
Leadership
• relationship between IT objectives and current organizational needs
• ability of the leadership to communicate the same to enterprise personnel, including IT
• involvement of IT leadership towards achieving enterprise goals
• measurement of IT’s contribution towards enterprise goals
Organization Structure
• distribution of roles and responsibilities within the IT organization
• the way they are being executed
• role of senior management and the board in establishing and maintaining strong governance
Processes
• evaluate the IT processes and controls to mitigate risks
• processes used by the IT organization for consistent delivery of expected services
Risks
• IT process review to identify, assess and monitor risk within the IT environment
• accountability of personnel within risk management and the extent to which expectations are being met
Controls
• assess key controls defined by IT
• ownership, documentation and reporting of self‐validation aspects
• evaluation of the controls and their ability to mitigate risks in light of requirements as per risk appetite, tolerance levels and compliance requirements
Performance Monitoring
• evaluate the framework and systems to measure and monitor the results
The IIA also provides (sample) areas which internal auditors may review as a part of their review of GRC.
Scope:
Evaluation of, and contribution to the improvement of, governance, risk management and compliance through a systematic approach.
Governance:
Must assess and make recommendations to improve governance in order to achieve effective:
• performance management and accountability
• communication of risk and control information
• coordination and communication among the board, auditors and management
• ethics and values
Enterprise Ethics:
Evaluate the (‘EID’) Effectiveness, Implementation and Design of ethics in relation to the organization’s objectives.
Risk Management:
Evaluation of, and contribution to the improvement of, risk management processes.
Interpretation:
Determine whether the risk management processes are effective (SOAR):
• Significant risks are identified and assessed
• Organizational objectives are supported by, and aligned with, the organization’s mission
• Appropriate responses to the risks are selected according to the risk appetite
• Risk information is captured and communicated in a timely manner across the organization
Risk Management Process:
Auditors can keep evaluating these periodically in the light of different evidence and circumstances. When combined at the end, these results provide comprehensive information about the overall risk management strategy of the enterprise.
Evaluate Risk Exposures:
Evaluate risk exposures related to governance, operations and information systems (SCARE)
• Safeguarding assets
• Compliance
• Achievement of organization objectives
• Reliability and integrity of information
• Effectiveness and efficiency
Evaluate Fraud and Fraud Risk:
Evaluate the probability of a fraud and risks associated with its occurrence.
Address Adequacy of Risk Management Process:
Report to management the risks assessed during the evaluation of the risk management process, in the light of organizational objectives; but auditors should not get involved in the process of managing risks. They should act only as consultants.
‘Purpose of Review of Assessing and Managing Risks’
This review serves the purpose of providing assurance to the management that:
1. Enterprise has identified all the risks relevant to IT implementation in enterprise.
2. It has appropriate risk management strategy to mitigate the risks.
3. Risk management strategy supports management decisions by achieving IT objectives.
4. It can adequately respond to threats by reducing complexity, increasing objectivity, and
identifying important decision factors.
Review also includes, whether
1. Enterprise is undertaking risk identification and impact analysis
2. It is taking cost‐effective measures to mitigate risks
Specifically, it includes:
• Ownership and accountability (yours as it was your cycle and your body)
• Identification (meeting an accident, damage to cycle, scolding from parents, leaves from
school)
• Tolerance (defined and communicated) (how much pain you can tolerate, how much
repair expenses you can tolerate)
• Root cause analysis (because you don’t know how to ride it)
• Mitigation measures (Take a friend along to help you)
• Measurement (Qualitative/ Quantitative) (How big accident or injury? Or how many)
• Assessment methodology. ( by watching others or listening to others who learnt before
you)
• Action plan (ask your friend to hold you when you learn)
• Timely reassessment (learn to balance a bit and then check if you still fall)
‘Evaluating and Assessing the System of Internal Controls’
It is covered under MEA01, Monitor, Evaluate and Assess the System of Internal Control. It has primarily three objectives:
1. Continuous monitoring and evaluation of the control environment, both internal and external
2. Enabling management to identify deficiencies and inefficiencies and to take action for improvement
3. Planning, organization and standardization of internal control and assurance processes
How to evaluate and assess the system of internal controls of an enterprise?
(Identify and Assure)
Monitor
• Monitor, benchmark and improve the control system
Review Controls Effectiveness
• review of monitoring and test evidence to ensure the effective
operation of controls
• maintain evidence of effective operation of controls through:
periodic testing, continuous monitoring, independent
assessments etc.
Perform Control Self Assessments
• Encourage management and process owners to perform
periodical self assessment to ensure that controls are complete
and effective.
Identify and Report Deficiencies
• Identify deficiencies, analyze and understand root cause
• Escalate deficiencies and report to stakeholders
Assurance
• Independent and qualified assurance providers: auditors must belong to an independent entity and have adequate knowledge. They must adhere to codes of conduct and ethics.
• Planning: base planning on enterprise and compliance objectives, assurance goals and priorities, internal risks, resource constraints and knowledge of the enterprise.
• Scope: define and document the scope of assurance and its objectives.
• Execute: execute the plan. Report the findings. Provide opinions and recommendations as required concerning identified operational performance, external compliance and internal control system residual risk.
Chapter 2
Information Systems
Concepts
“What is a system?”
“It is a group of interconnected components working towards the accomplishment of a common goal by accepting inputs and producing outputs in an ordered transformation process.”
Primarily, there are four components of a system: input, processing, storage and output.
Input: data entering the system
Processing: manipulation of data
Storage: storing the data for current and future use
Output: the result delivered after processing and storage
‘Information Systems’
“A system that comprises people, computer systems, data and networks, and that helps to collect, store and analyze data to produce the desired information for the functioning, betterment and expansion of business.”
‘Components of Information System’
Components of an information system: people, computer system (hardware and software), data and network.
‘Classification of Systems’
Systems can be classified on the basis of four parameters, which are shown in the picture below:
On the basis of elements:
• Abstract: also known as conceptual, because it deals with concepts and theories.
• Physical: a tangible system, the components of which work together to achieve a common goal.
On the basis of interactive behaviour:
• Open: a system which depends on inputs from the environment to produce outputs for the environment.
• Closed: a system which achieves its goal without any input from the environment and cannot be changed as per changes in the environment.
On the basis of human intervention:
• Manual: data collection, storage, analysis and maintenance are done by human beings.
• Automated: the above‐mentioned tasks are done by the system automatically, based on certain pre‐defined parameters.
On the basis of working/output:
• Deterministic: the system operates in a pre‐defined manner using a set of instructions.
• Probabilistic: a system which gives information only at probable points and never at exact points.
‘Information Model’
INPUT: Data is collected from internal or external environments and converted into the suitable format required for processing.
PROCESSING: Collected data is manipulated as per the requirements and is processed into meaningful information.
OUTPUT: Information is stored for serving present or future needs.
‘Functions of Information Systems’
‘Features of a Computer Based Information System’
• The system is created according to predetermined enterprise objectives, and all its systems work together to achieve them.
• A system is a framework of interrelated sub‐systems which are interdependent for their inputs.
• If one subsystem fails, mostly the whole system shuts down. However, this depends on the specific system design.
• Inputs between two subsystems flow through interaction.
• The outputs of the different subsystems are integrated to achieve the common goal of the overall system.
‘Subsystems of an Organization’s Information System’
Subsystem: Finance
• Objectives: ensure financial viability; enforce financial discipline; monitor budgets
• Other activities: income and expenditure forecasting; manage funds and other financial resources
• Components or sub‐applications: financial accounting; accounts receivable/payable; treasury; cash/fund management
Subsystem: Marketing & Sales
• Objectives: maximize sales; achieve customer satisfaction and retention
• Other activities: customer acquisition; market penetration; product/company promotion; order processing; customer grievance handling; commissions and payouts to channel partners
• Components or sub‐applications: dealer management system; customer relationship management (CRM); order processing system
Subsystem: Production/Manufacturing
• Objectives: optimum utilization of
• Other activities: production schedules
• Components or sub‐applications: shifts management
‘Types of Information Systems’
There are three types of information systems required for the smooth functioning of an organization (as shown in the picture given below):
Operations Support Systems: Transaction Processing Systems (TPS), Process Control Systems (PCS), Enterprise Collaboration Systems (ECS)
Management Support Systems: Management Information Systems (MIS), Decision Support Systems (DSS), Executive Information Systems (EIS)
Office Automation Systems: Electronic Document Management Systems (EDMS), Electronic Message Communication Systems (EMCS), Tele‐conferencing and Video Conferencing Systems (TVCS)
I. Operations Support Systems (OSS)
Main Objective: To improve the operational efficiency of an enterprise
Function: To process the data generated and used in business operations, which involves:
• Capturing transaction data
• Organizing it in files and folders
• Processing it using application software
• Generating reports
• Processing queries from different departments
This can be broken down into three elements: TPS, PCS and ECS, described below.
It may be done in two ways: periodic data preparation or online processing. Periodic data processing is done batch‐wise at fixed intervals; for example, payroll processing is a monthly process. Online processing, however, is the most widely used for most other functions because it provides up‐to‐date information.
A) Transaction Processing Systems (TPS): A TPS is the best example of a typical information system comprising four main components:
Inputs: For example, a customer places an order and has made the payment or entered into an agreement to buy. Capturing this data:
• Facilitates another operation by communicating data
• Authorizes another operation in the process
• Standardizes operations by indicating which data needs recording and what actions must be taken
• Provides a permanent file for future use
Processing: Creating journals and registers. Journals are created for accounting reasons.
Registers are used to record information not related to accounting.
Storage: Storage of data is done in ledgers or files.
Outputs: Reports or documents generated in the system are outputs. For example; While
placing an order for raw materials, a Purchase Order is generated to validate the purchase. This
Purchase order is an output.
‘Why TPS is Important for an Enterprise?’
TPS is the backbone of any enterprise. If there is no TPS, there is no information system, because:
1. It manages large volumes of data. It captures every transaction that an enterprise
enters into in every department quickly and accurately. Thus, the storage requirements are
extremely large.
2. It automates the basic business operations. If TPS at any operational level fails, it will
bring a halt to the entire system. As we have seen above, once a customer order is placed,
everything else moves automatically.
3. It reduces the manual workload and improves the efficiency of the people associated
with different operations. Hence, the benefits are tangible and quantifiable. Therefore, it is
easier to do a cost‐benefit analysis before designing a TPS.
4. It is the primary source of information for other systems. As it is written above, if there
were no TPS, there would be no information system.
B) Process Control System (PCS): Assembly lines are the best example of process control
systems. Once the process is fed into the computers, it moves on automatically. It reduces the
time and manpower wastage, enhances production in terms of both quantity as well as quality.
C) Enterprise Collaboration Systems (ECS) – There are several such systems which help
different people in an organization to collaborate and communicate with each other. For
example, emails.
II. Management Support Systems (MSS)
Main Objective: To support managers in decision making
Function: To provide the right information to the right people at the right time
Roles: Mainly to aid in the decision‐making process
This, again, can be broken into three elements: MIS, DSS and EIS.
A) Management Information Systems (MIS):
MIS has been defined by Davis and Olson as, “An integrated user‐machine system designed to
provide information to support operational control, management control and decision making
functions in an organization.” It supports the manager on two levels: Top level – strategic, and
Middle level – tactical. The information in MIS is available in form of graphs, reports, tables,
charts etc.
But before we know more about MIS, we must first know what it is NOT. There are several
myths that most people carry pertaining to MIS. Some of these myths are:
1. Any reporting system is MIS.
2. Any computer based information system is MIS.
3. MIS is a management technique.
4. MIS is the name of technology.
5. MIS is implementation of organizational systems and procedures.
6. Studying MIS means studying computers.
7. More data means more information to the managers.
‘What should an effective MIS be like?’
Requirement → Planning → Design → Mode
As per Requirement: It is required by management at all levels: top, middle or operating level management.
1. Since it is for the use of management, it should be made after understanding the needs of the specific management and the objectives it would like to fulfil by utilizing the information generated by the system.
2. Similarly, since management is going to use it, the design must be done as per management’s inputs, and the design must also be critically reviewed by management to ensure that it meets the specifications decided upon.
3. Since management’s objectives are comprehensive and holistic, the information system must also have an integrated approach. The information system, therefore, must have both functional and operational inputs for developing more meaningful information, keeping in view all the subsystems of the company.
As per Planning: Management uses the information generated through MIS for both
strategic and operational decision making reasons. So naturally, they would like the system to
help them in creating relevant decisions relating to both.
1. MIS establishment is a time consuming process and takes up to 3 years. Designer must take
into account the projected future objectives and structure of the organization and accordingly
the system should be able to generate information required in future also.
2. It should be implemented in each subsystem in a phased approach, integrating them later so
that information generated is consolidated but has taken into account the outputs of each
subsystem thus making the entire exercise more meaningful.
As per Design: Designing refers to the treatment of data as input and generation of output
with a futuristic vision enabling the management to reach their organizational goals.
1. Data must be common both in terms of inputs as well as outputs. This can be achieved only
by capturing data in its most original form, its minimal processing, and restricting the output or
reports to only the most relevant ones. Information system, thus, will be efficient because of no
duplication and simplified operations.
2. To avoid duplication or loss of data, it must be stored in a single large repository and should
be transmitted for use by separate subsystems as per their requirements and authorization.
As per Mode: ‘Computerized or manual?’ is the question here. A computer additionally provides accuracy, agility and consistency, and increases the overall effectiveness.
‘Things to do before creating an effective MIS’
Support of Top Management: Why is support from Top management required?
Resources: Resources required in developing MIS are large and expensive. Without
support from top management, they simply cannot be implemented.
Effectiveness: If there is no support from top management, it would never be
prioritized. If it is not prioritized, it will be lost in the seemingly more important daily business
operations.
How can it be achieved?
Give all the supporting facts to the top management and explain in exact quantifiable terms the
magnitude of benefit in the light of cost. A quantifiable benefit will get them wholeheartedly
involved into it.
Quality System and Management Staff: Information systems are a tricky business which demands quality at both the implementation and the strategic level. To handle the implementation, the company requires a qualified, skilled and experienced team of technology experts, and to work at the strategic level, management experts are required. Moreover, each should have knowledge of the other’s business: technology experts must understand the decision‐making process and information requirements of an organization, whereas management experts must understand the concepts and operations of computers.
Database: Data should be accurate, updated, and useful with no duplication. Hence,
database should be:
1. user‐oriented
2. Common
3. Restricted as per authorization
4. Separately controlled by special authority –Database Management System (DBMS)
Control and Maintenance of MIS: Finally, it should operate as it was designed
to operate. No shortcuts or user driven system overrides should be allowed.
Maintenance, similarly, weakens the controls if done without supervision. Hence,
formal methods of system maintenance must be documented.
‘How to Evaluate MIS?’
Evaluation is primarily done on following grounds:
1. It should be able to meet future information needs of the management.
2. Meeting future information requirements, which could be unexpected as well, demands
flexibility.
3. Take the views of users and designers about the capabilities or shortcomings of the system.
4. Guide the managing authority to take necessary steps to maintain it.
‘Why is it difficult to implement MIS?’
There may be a few but important constraints when it comes to implementing and operating
MIS. Some of them are:
1. Non availability of experts who hold both system and management perspective. Most
efficient way is to train carefully selected internal staff.
2. ‘Which subsystem to start with when starting to install it?’ This is the most disturbing
question for experts. They should identify, as per management’s requirements, as to which
subsystem holds maximum importance.
3. Implementing approach taken by experts is non‐standardized because of varied objectives of
business concerns.
4. Non‐cooperation from staff, which can be removed by organizing lectures about the utility of
system and their involvement to a certain degree in its implementation.
‘Things that MIS cannot do – Limitations’
1. The quality of outputs is directly proportional to the quality of inputs and processes.
2. MIS is only a tool for management to make decisions. It is only an information provider.
3. It may not have enough flexibility to cope with dynamism in the industry.
4. It is a fixed system which cannot give customized solutions.
5. It takes into account only the numbers driving the business and not the human factors like
morale, ethics, morals etc. of the employees.
6. Effectiveness of MIS is dependent on the culture of organization. A company in which people
communicate freely will have a better MIS as compared to the one in which people do not
share vital information.
7. Effectiveness also decreases due to unstable management, organization structure or
operational teams.
B) Decision Support Systems (DSS): If MIS is all about information that helps in decision
making, Decision Support System (DSS) is all about the tools required for decision making. It is a
software based system which helps decision makers to compile useful information from raw
data, documents, personal knowledge or experience and/ or business models to identify and
solve problems and make decisions. Through DSS, managers get tools to solve their structured,
semi‐structured or unstructured problems. Remember, DSS does not make decisions, rather
gives the managers tools which enable them to make their own decisions.
For example; American Airlines produced a DSS that helps decide how much to overbook and
how to set prices for each seat so that a plane is filled and profits are maximized.
‘Characteristics of DSS’
You know a system is a DSS when:
• It supports decision making at all levels of management.
• It is able to help groups make decisions.
• It is flexible and adaptable to the needs of individual managers and can also change as per the changing environment.
• Its main aim is to reach a decision, not to produce data or information or to communicate them.
• It is easy to use and user‐friendly; no computer programming knowledge should be required.
• It can be used for all kinds of problems: structured, semi‐structured and unstructured.
‘Components of DSS’
DSS stands on four pillars or components: user, database, planning language and model base. Let’s understand what these are.
The user:
• It supports two kinds of users: managers and specialists.
• User must understand the problem thoroughly to be able to decide the right course of
action.
• Managers usually come with basic computer knowledge and for them it should be user
friendly. It should serve the needs of all the managers at every level of an organization.
• Specialists are people with ability to deal with complex systems and are more detail
oriented.
Databases:
• It may have one or more databases.
• It takes into account external as well as internal data. For example; it has sales figures of
last 5 years as well as current economic condition.
• DSS users may create additional databases as per their requirements. They may also
draw data from other sub systems as per their authority level. For example, a finance
manager may draw data from marketing and HR as well when working on financial
budgets.
To facilitate the above features, data is implemented in three levels in DSS.
1. Physical level: This is the core data or base data which is implemented on the main
hard disk. It is controlled by operating system. Since this is the central database, no
changes are directly made to this by the users.
2. Logical Level: It is a DBMS designed program. It arranges the data in tabular form
according to the nature of data that is, internal or external. This addresses the users’
requirements as per their authority level and needs.
3. External Level: Once the schema is defined at logical level, small units are given to
the managers – sub schemas – that contain all the relevant data needed by one
manager. Changes made into this are not reflected into the main data. They stay on the
system of particular manager for decision making requirements.
Planning Language:
Two types of planning languages are used in DSS:
Model Base:
You have a spreadsheet open and wish to do regression analysis of the data provided by the
system or yourself. ‘Model base’ or the brain of DSS is the collection of all such formulas and
models which a user would like to perform on the data. ‘Regression analysis’ model which has
been kept in the model base would allow the user to interact with the data using the
spreadsheet. So we can understand that they must be customized as per an organization’s
requirements.
‘Difference between DSS and MIS’
C) Executive Information System (EIS):
• An EIS is a special type of DSS designed to support decision making at the top level
of an organization.
• An EIS may help a CEO to get an accurate picture of overall operations, and a
summary of what competitors are doing.
• These systems are generally easy to operate and present information in ways easy
to quickly absorb (graphs, charts, etc.).
‘Characteristics of EIS’
A typical EIS system
• May start with a timely and direct access to the report of the firm’s financial and
business situation. Key performance indicators are clearly displayed.
• Will allow the executive to drill down from any figure to see its supporting data.
• Will provide options to the executive. The executive can select a level of detail (for
example, sales by state) if further investigation is needed.
• Leads to better decisions because of the top down approach and use of internal as
well as external data.
• User does not need to know complex languages to understand or extract
information from an EIS. It also provides online analysis tools like trend analysis, BCG
matrix etc.
‘The Environment in which EIS operates’
“We are focusing at building a new line of luxury brands which provide a great travel
experience to the business class.”
Now, what would you understand out of such a decision? Probably, for a layman, it sounds pretty
ambiguous, but from the company’s strategic point of view, it means a lot. These are the kinds
of decisions CEOs make. It means the decisions of the top management are extremely broad
and unstructured. The environment, accordingly, in which EIS operates, is also ambiguous. A few
of the key characteristics are:
1. Lack of Structure: As we have seen above, most of the decisions top management makes
are unstructured.
2. Highly uncertain: Most of the situations faced by CEOs are for the first time and they have
no example or model. Thus, it is difficult to ascertain their exact requirements.
3. Future Orientation: It is always future oriented, that is, what is going to happen in 3
years or 5 years is the main concern for a CEO. The business environment changes frequently,
hence the enterprise must be flexible enough to change while moving towards the projected
future. So it works in a highly ambiguous environment as no one knows what exactly is going to
happen in future.
4. Informal Source: The information based on which executive management acts is mostly
informal and requires manager’s gut feeling so as to ascertain the degree of authentication.
5. Less detail: Since the decision making spectrum is broad, the details required are
broad too. So it’s more about quality of the data than quantity.
‘Contents of EIS’
Firstly, contents of EIS are dependent upon the requirements of executives. Secondly, it should
be able to provide information in response to the questions that they ask as they use the
system.
Given below are a few guidelines using which the content of EIS may be decided upon:
• Easy to understand and collect.
• Data should reflect enterprise’s objectives in the areas of productivity, resource
management, quality and customer service.
• Performance indicator should reflect everyone’s contribution in a fair and consistent
manner.
• Information must be available to all the employees and must not contain any
confidential information.
• It must evolve as the organization changes with time so as to meet its needs at all
times.
‘Difference between EIS and Traditional Information Systems’
Dimensions | EIS | Traditional Information Systems
Management Level | Top management | Lower staff
Nature of Information Access | Specific agendas and aggregate reports | Status reporting
Nature of information provided | Online tools and analysis | Offline status reporting
Information Sources | More external | Internal
Drill down facility to go through details at successive levels | Available | Not available
Information Format | Graphical with explanation | Tabular
Nature of Interface | User‐friendly | Computer based
III. Office Automation Systems (OAS)
As the name suggests, it aims to reduce time and resource wastage by automating the
ground level non‐core office operations. Such operations broadly include:
Document Capture: Documents coming from outside like emails, notes, charts and
graphs must be captured and stored.
Receipts and Distribution: Distribution of correspondence to designated recipients.
Calculations: Usual calculations like totalling, percentages, commission calculations.
‘Benefits of Office Automation’
• It will improve inter as well as intra organization communication.
• It reduces time and resource wastage.
• It reduces the cost of office communication.
• It improves the accuracy of information and ensures uninterrupted communication.
‘Computer Based Office Automation systems’
Text Processing Systems: Its main features are:
• It automates the tasks that require manual writing like letters, reports, memos etc.
Standard stored templates and information are used to produce them correctly.
• Depending on the scale, enterprises may opt for simple word processing systems or
desktop publishing systems.
• Desktop publishing systems, owing to their association with laser or inkjet printers,
scanners and other such devices, produce good quality documents.
Electronic Document Management System: The key things to remember are:
• Global access to the documents
• Capture, store and produce
• Enable remote access
Electronic Message Communication Systems: Quick transmission of information is the key to
rapid growth in the modern business world. Using automated communication systems like
facsimile, telephone, email etc. reduces time and cost of communication, and assures accuracy
of the message.
Components of Message Communication Systems:
Email:
• Quick and reliable
• Facilitates online editing, saves paper, and can be stored
• Can be sent to a large number of people simultaneously and be forwarded as well
• Can be integrated with any other system like websites
• Can be accessed from anywhere
• It's economical not only in terms of absolute cost, but saves time too.
Facsimile (Fax):
• Electronic communication of images and documents over phone
• Computer automates the fax by sharing the facilities
• Getting obsolete as email has become the preferred way of communication
Voice Mail:
• Similar to email with digitalized voice being the mode of communication.
Teleconferencing and Video‐conferencing Systems:
Teleconferencing:
• Two or more persons located at different locations communicating with each other using
interconnected phone systems
• In case of computer based systems, pre‐recorded presentations can be done, saving further time
Video‐conferencing:
• Two or more persons located at different locations communicating with each other using
computers, webcams and visual communication software
• Being expensive, it is still used for specific and critical purposes only
IV. Other Information Systems
A) Expert Systems
Expert system is a highly advanced DSS which helps in making decisions related to
expert areas by utilization of expert knowledge in that particular area. It explains and uses the
same logical and reasoning process which experts follow to make decisions. Examples are given
below:
Accounting and Finance: provides advice in the areas of taxation, investments,
credit‐authorization etc.
Marketing: helps in determining sales targets, marketing timing, discount policies
Manufacturing: determines process accuracy, quality adherence, facility maintenance,
transportation routes
Personnel: helps in assessing applicant qualifications and vetting resumes
General Business: project proposals, training and development, performance evaluation,
acquisition strategies
‘Why do enterprises need Expert Systems?’
Only two factors are responsible for their creation:
1. Cost and availability factor: Expert knowledge holders are scarce and expensive.
‘Benefits of Expert Systems’
• They retain and accumulate knowledge
• They act as a training aid to the novices
• They are always available
• They never get tired or busy
• They can be used as strategic tools
Properties that a system must possess to be able to qualify as being an expert system are:
1. It must have been created by taking the inputs from a real expert of a subject in order to
understand their exact thinking process when it comes to solving a problem pertaining to that
particular problem.
2. It is based on a complex logical inference processing system.
3. The domain or the subject area is small, rather, niche.
4. The problem which they solve can be solved with the help of only an expert.
B) Knowledge Management Systems
Every company has a lot of knowledge which is represented through databases, documents,
policies, procedures, and unexplored capabilities of individuals. A knowledge management
system identifies, captures, evaluates, retrieves and shares this knowledge within the business.
For example; Siemens’ ShareNet is the best recognized knowledge management system.
C) Functional Business Information Systems
Functional Information System is based on the various business functions such as
Production, Marketing, Finance and Personnel etc. These departments or functions are known
as functional areas of business. Each functional area requires applications to perform all
information processing related to the function.
D) Strategic Information Systems
Strategic Information System is a system that helps companies alter their business strategy or
structure. It is used to hasten the reaction time to environmental changes and aid the company
in achieving a competitive advantage over its competitors. They help in producing low cost
quality products.
E) Cross Functional Information Systems
Cross functional information systems integrate the activities of an entire business process and are
called so because they cross departmental boundaries. It requires coordination of activities
across multiple departments with the users changing the way they work. There is no clear line
of work and fierce competition among different departments generally hinders the
development of the system.
So from all the discussion above, we can safely conclude that information systems help an
enterprise in three ways:
1. Support their business processes and operations
2. Support their decision making process
3. Support strategic competitive advantage
‘Information as a Key Business Asset and its Relation to Business
Objectives and Processes’
Processed data is information. A company that is highly informed about its business,
environment, competitors, and everything else which affects its business positively or
negatively stands to gain a competitive advantage, because this information helps it in
proactive decision making, in creating a strategic plan for the future, and in developing the
capability or knowledge to deal with adversities. Information can be displayed in the form of
graphs, tables, images, reports, graphics etc.
What qualifies to be useful and effective information?
Availability: It should be available at the time of need.
Objective: It should serve the purpose which it intends to serve. Purpose of any information
is to inform, evaluate, persuade, and organize. This helps in decision‐making, generating new
concepts and ideas, problem identification and solving, planning and controlling the human’s
business needs.
Format/ Mode: It should be provided in the format or mode which is most
understandable to the users. Format or mode should be simple, easy to understand and should
highlight the most relevant points.
Updated: Obsolete information serves no purpose to any organization.
Rate: The rate of transmission or reception represents the time required to make a particular
situation understandable.
Frequency: It should have a frequency optimum enough to create or show an impact.
Adequacy: Information should be complete and adequate because only such
information can help in decision making.
Reliability: Reliability is generated through correctness of information and it is measured by
the decision in favor of information.
Validity: The closeness of information to its purpose measures the validity.
Quality: The correctness of information defines its quality.
Transparency: It is essential in decision and policy making.
‘Role of Information in Business’
Look at the picture given below (figure: Long Term Plan, Short Term Plan, Routine Activities):
1. It helps the business to operate with efficient decision making in uncertain situations.
2. It enables an organization to perform in a competitive environment.
3. Information enables achievement of goals for an organization.
4. It focuses on building efficient and innovative processes.
5. It is used as a strategic tool which enables an organization to create effective long term
and short term strategies.
‘Different Information Systems that Serve Different Organizational
Levels’
Answer is ‐ ‘SMOKE’
S – Strategic, M – Management, O – Operational, K – Knowledge, E – Expert
‘The Accounting Information System’
Captures, Records, Processes, and Reports (CRPR)
• Capture accounting data from business processes through processes, procedures and
systems;
• Record the accounting data in appropriate records;
• Process the detailed accounting data by classifying, summarizing and consolidating;
• Report the summarized accounting data to internal and external users.
‘Impact of IT on information Systems for different Sectors’
1) E‐Business or e‐commerce
Advantages:
24 hour operational, efficient business relationship, no middlemen, unlimited marketplace,
secure payments, easier business administration, highly updated, no space needed.
Key Investment areas:
Domain and hosting space, designing and maintenance of website.
Types of Businesses:
B2B (Business to Business), B2C (Business to Customer), C2C (Customer to Customer), C2B
(Customer to Business)
2) Financial Service Sector
Includes BFSI (Banking, Financial Services and Insurance), which store large amounts of
transaction data on a daily basis using IT, and can operate nationwide.
Advantages:
24 hour customer services and connection through automated SMS and E‐banking services,
savings on time, manpower and cost, secure transactions, frequent customer updates.
3) Wholesale and Retailing
Point of sale terminals (till systems), stock and inventory, sales and accounting, customer
services and management, customer mapping and promotions analysis, supply chain and
logistics, management reports.
4) Public Sectors
Includes public sector or government run departments like Police stations,
universities, hospitals, departments etc.
‘IT Technologies on which Businesses Run’
• Internet and Intranet
• Business Websites
• Software Packages
• Computer Hardware
‘Enterprise Resource Planning (ERP) Packages’
• A fully integrated business management system
• Integrates the core business and management process
• Provides an organization a structured environment
• Supporting the decisions concerning all business functions
• By accurate and reliable real‐time information
Objectives of ERP
• Providing support to adopt best business practices
• Implementing best business practices to enhance productivity
• Empower customers and suppliers
ERP is a multi module software system which integrates all business functions into a single
software system using a single integrated database.
It may also apply Data mining which helps in database analyses and decision support. It
helps in market analysis and management by finding patterns in customer behavior. It helps the
company in target marketing, relation management, market basket analysis, cross selling,
market segmentation, risk analysis, customer retention, improved underwriting, quality control,
competitive analysis and fraud detection.
Chapter 3
Protection
Of
Information Systems
‘Information Security’
Information security involves protecting valuable assets against loss, disclosure or damage in
the context of information as assets. Information should be protected in any form that is:
recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium. The
possible losses due to internal or external threats are:
Loss of data, inaccessibility, alteration, wrongful disclosure.
Objective of Information Security
Protecting the interests of those relying on information, and protecting the information
systems and communications that deliver the information, from harm resulting from failures
of ‘CIA’.
What is CIA?
Confidentiality: Prevention of information from unauthorized disclosure.
Integrity: Prevention of unauthorized modification of information.
Availability: Prevention of unauthorized withholding or deletion of information.
What qualifies as ‘Sensitive Information’?
‘SOF’
S – Strategic Plans
O – Operations
F – Finances
‘Information Security Policy’
“It is a statement of intent by the management about how to protect a company’s information
assets.”
It primarily aims at:
It should be well written and documented.
‘Tools to Implement Policy: Standards, Guidelines, and Procedures’
Standards: Technologies and methodologies
Guidelines: Directions to implement the policy smoothly
Procedures: Detailed steps to accomplish specific security related tasks
Policy must be communicated companywide and should be made available to all the employees
easily. It should be written in simple form so that it can be easily understood by all the
employees.
What must an ideal Information Security Policy cover?
• Define information security
• Reasons behind its implementation and its goals and principles
• Brief explanation of policies, standards, guidelines and procedures
• Define all responsibilities
• Reference to supporting document
Just like every other policy or process, it must have an owner who is responsible for its
maintenance and update.
Who does a Security Policy comprise?
• Management members with budget and authority
• Technical experts who know what can or cannot be supported
• Legal experts who know the legal consequences of various policy changes.
• That it is accessible to all employees
• That all employees are aware about its existence
• That it defines how IS policy is implemented in the organization
• That no such statement has been issued contrary to the fact that most employees have a
role to play in IS security of an organization
• That the policy has an owner, responsible for its maintenance
• That it is updated
Hierarchy of Information Security Policy
Information Security Policy
‐ User Security Policy
‐ Organization Security Policies
‐ Condition of Connection
Information Security Policy: Defines information security, its overall objectives and importance
for the users.
User Security Policy: This policy sets out the responsibilities for the users of IT systems in an
organization.
Acceptable Usage Policy: This is for acceptable use of email and Internet services.
Organization Information Security Policy: This policy sets out the group policy for the security
of the information assets and IT used for processing this asset.
Network and System Security Policy: This sets out a detailed policy for system and network
security and applies to IT department users.
Information Classification Policy: This sets out the classification for information.
Condition of Connection: This sets out the rules or the conditions to make internal or external
connections with the computer systems and networks.
‘Components of Security Policy’
A sound Security Policy ‘CLIPS’ the organization’s information assets for authorized and secure
usage.
‘Information Systems Control’
Control is defined as ‘policies, procedures, practices and structures’ (remember 3Ps?) that are
designed to provide reasonable assurance that business objectives will be achieved and
undesired events are prevented, detected and corrected (PDC).
Information Systems Control procedure may include:
Strategy and Direction
General Organization and management
Access to IT resources
System development
Operation Procedures
System Programming and technical support functions
Quality assurance
Physical access controls
BCP and DRP
Network and Communication
Database Administration
PDC internal and external threats
Information must be protected against unauthorized access, alterations, or loss. Let’s see how it
affects the business and its different components.
Access to assets and records: Especially in large organizations where systems are
interconnected over a wide global spread, it becomes easier to sneak into the gaps created and
cause severe losses.
Concentration of Programs and Data: Concentration of data at either one point or at
different points, both pose severe risks to the system.
Personnel: There has to be a proper training in using these systems and it must be ensured
that not only does the staff get the necessary authorizations to perform their duties skillfully,
but in a controlled environment.
Segregation of Duties: No one process should entirely be in one person’s or team’s or
department’s hand.
Record Keeping: The basic routine transactions must be done in controlled environment
so that there are minimum chances of errors or losses.
Internal Controls comprise 5 interrelated components:
‘Information Systems Control Techniques’
‘Objectives’
The main objective is to reduce or eliminate the potential threats or in simple words,
causes of the exposure to potential loss. Some of these threats or exposures are:
• Errors or omission in data
• Improper authorizations and improper accountability
• Inefficient activity
A computerized environment may lack one or more of the below mentioned IS controls:
• Lack of understanding of IS risks and related controls with management, users
and even IT staff
• Absence or inadequacy of IS control framework;
• Complexity of implementation of controls in large distributed computing
environments and extended enterprises;
• Inappropriate technology implementations or inadequate security functionality in
technologies implemented.
The control objectives serve two main purposes:
• Outline organization policies as laid down by the management
• Evaluation criteria for the control objectives
‘Categories of Controls’
As per Objectives (PDCs): Preventive, Detective, Compensatory
As per IS Resources: Environmental, Physical Access, IS Operational, IS Management, SDLC
As per Functions: Internal Accounting, Operational
As Per Objectives
Preventive Controls: Implementing preventive controls starts with:
• Understanding the vulnerabilities of assets
• Understanding the possible threats
• Provision of necessary controls to prevent the threats
Detective Controls: These controls are designed to detect errors, omissions or malicious acts
that occur. Such occurrences must be reported as well. Detective controls must have the
following characteristics:
• Clear understanding of lawful activities. Any deviations must be reported as malicious or
unlawful.
• Established mechanism to refer the reported unlawful activities to the appropriate
person or authority.
• Interaction with Preventive control to prevent the occurrence
• Surprise checks by supervisors.
Corrective Controls: Once an error has been detected, the next step is to either correct it or
reduce its impact. BCP or Business Continuity Plan is a corrective control mechanism. Corrective
controls should include:
• Minimizing the threat’s impact
• Understanding as to why it happened
• Providing corrective actions to the problems
• Gathering feedback from preventive and detective controls
• Correct error arising from a problem
• Modifying current processing systems to minimize future occurrences.
Compensatory Controls: If you cannot install CCTV camera in your home, at least ensure
that it has strong locking system. Compensatory controls are those controls which compensate
for the absence of control systems that are actually required because an organization should
not spend on locks if the cost of locks is more than the cost of asset itself.
As per the IS Resource
Environmental Controls: To control the external environment in which IT system is
working. For example; AC, electricity, smoke detection, fire‐extinguishers etc.
Physical Access Controls: Controlling the physical access to tangible or intangible IS
resources. For example; security guards, access smart cards, door alarms, CCTV etc.
Logical Access Controls: Controls relating to logical access to information resources. For
example; network controls, access to database objects, encryption controls etc.
IS Operational Controls: These are the controls relating to IS operation, administration and
its management. For example; IS infrastructure management, Helpdesk operations etc.
IS Management Controls: Controls relating to IS management, administration, 3Ps etc.
As per Functions
Internal Accounting Controls: Controls intended to safeguard the client’s assets and
reliability of financial records.
Operational Controls: Dealing with day to day transactions and operations
‘Control Techniques’
• Organizational controls
• Management controls
• Financial controls
• Data Processing Environment controls
• Physical Access controls
• Logical Access controls
• SDLC controls
• BCP controls
• Application controls
Organizational Controls: These controls are concerned with the decision‐making processes
that lead to management authorization of transactions. Companies with large data processing
facilities separate data processing from business units to provide controls over its costly
hardware, software and human resources. Combining data processing into the business units
would be too much responsibility for one manager. Organizational control techniques include
documentation of:
• Reporting responsibility and authority of each function
• Definition of responsibilities and objectives of each function
• Policies and Procedures
• Job Descriptions
• Segregation of duties
1. Reporting Responsibility and Authority of each function
Each IS function must have a well defined reporting structure with clear assignment of
authorization with respect to the use of IS.
2. Responsibilities and objectives
Each IS function must be clearly defined and documented, including systems software,
application programming and systems development, database administration, and operations.
IS Management team responsible for effective and efficient utilization of IS resources = Senior
Managers of the groups and manager of each group. Their responsibilities include:
• Providing information to senior management on IS resources
• Planning for expansion of IS resources
• Controlling the use of IS resources
• Implementing activities and functions that support company’s strategic plan to meet its
objectives.
3. Policies, Practices, Procedures and Standards (3Ps)
Policies: Refer to rules and regulations as to what can be done by whom
Procedures: The correct way to do what the team members are supposed to do
Practices: Ethical and answerable practices to be followed within an organization
Standards: The benchmarks of the work quality which must be aligned and supportive to the
enterprise’s objectives.
Documented policies should exist in IS for:
• Use of IS resources
• Physical security
• Data security
• On‐line security
• Use of information systems
• Reviewing, evaluating, and purchasing hardware, software
• System development methodology
• Application program changes
4. Job Descriptions
Management’s specific expectations for job performance – Well documented description with
established responsibility and accountability of an employee.
5. Segregation of Duties
To prevent and detect frauds like:
• Theft of assets, funds, data and equipments
• Modification of data leading to misstated and inaccurate financial statements
• Modification of programs in order to perpetrate irregularities like rounding down,
salami etc.
Impact of such threats caused by human act must be minimized. Organization structure must
ensure highest level of separation of duties. Things to remember while segregating:
• Nature of business operations
• Managerial policy
• Organization structure with job description
• IT resources deployed
This is a very common technique. One employee checks the work of another. Example: IS audit
is separated from business operations groups.
Responsibility of segregation is with senior management. From a functional perspective,
segregation of duties should be maintained between following functions:
• IS use
• Data entry
• Computer operation
• Network management
• System administration
• Systems development and maintenance
• Change management
• Security administration
• Security audit
Guidelines with reference to ‘Segregation of Duties’:
Separate those who can:
• run live programs from those who can change programs
• access data from those who can run programs
• input data from those who can reconcile or approve data
• test programs from those who can develop programs
• enter errors or transfer data to the error log from those who can correct the errors, like end
user departments
• enter data from those who can access the database
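The guideline pairs above can be enforced as a detective control over role assignments. The following is an added example, not code from the course notes: it encodes each "separate those who can X from those who can Y" pair as an incompatible permission pair and flags users whose combined roles hold both sides. Role names, permission names and user assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict checker (added example, constructed data)."""

# One incompatible pair per guideline on the page: a single person should not
# hold both permissions in any pair.
SOD_CONFLICTS = [
    ("run_live_programs", "change_programs"),
    ("access_data", "run_programs"),
    ("input_data", "approve_data"),
    ("test_programs", "develop_programs"),
    ("log_errors", "correct_errors"),
    ("enter_data", "access_database"),
]

# Constructed role model: role name -> set of permissions it grants.
# "superuser" deliberately bundles a conflicting pair inside one role.
ROLES = {
    "operator": {"run_live_programs", "run_programs"},
    "developer": {"develop_programs", "change_programs"},
    "tester": {"test_programs"},
    "data_entry_clerk": {"input_data", "enter_data", "log_errors"},
    "supervisor": {"approve_data", "correct_errors"},
    "dba": {"access_database", "access_data"},
    "superuser": {"run_live_programs", "change_programs"},
}

# Constructed user -> roles assignments to audit.
ASSIGNMENTS = {
    "alice": ["developer"],
    "bob": ["operator", "developer"],             # runs live code and can change it
    "carol": ["data_entry_clerk", "supervisor"],  # inputs and approves; logs and corrects
    "dave": ["tester"],
}


def effective_permissions(roles, user_roles):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(roles[r] for r in user_roles))


def conflicting_pairs(perms, conflicts=SOD_CONFLICTS):
    """Return the conflict pairs for which both permissions are present, in guideline order."""
    return [(a, b) for a, b in conflicts if a in perms and b in perms]


def find_sod_violations(roles, assignments, conflicts=SOD_CONFLICTS):
    """Map each user holding both sides of a conflict pair to the pairs violated.

    A user who holds no conflicting pair does not appear in the result, so an
    empty dict means the assignments respect every guideline.
    """
    violations = {}
    for user, user_roles in assignments.items():
        hits = conflicting_pairs(effective_permissions(roles, user_roles), conflicts)
        if hits:
            violations[user] = hits
    return violations


def check_role_model(roles, conflicts=SOD_CONFLICTS):
    """Flag roles that bundle both sides of a pair by themselves.

    Such a role violates segregation for whoever receives it, so it should be
    split before any assignment review.
    """
    return {role: hits for role, perms in roles.items()
            if (hits := conflicting_pairs(perms, conflicts))}


def sod_report(roles, assignments, conflicts=SOD_CONFLICTS):
    """Human-readable lines for a supervisory review of the findings."""
    lines = []
    for role, hits in check_role_model(roles, conflicts).items():
        lines.append(f"ROLE {role}: bundles " + ", ".join(f"{a} + {b}" for a, b in hits))
    for user, hits in find_sod_violations(roles, assignments, conflicts).items():
        lines.append(f"USER {user}: holds " + ", ".join(f"{a} + {b}" for a, b in hits))
    return lines


if __name__ == "__main__":
    for line in sod_report(ROLES, ASSIGNMENTS):
        print(line)
```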
Management Controls:
• Responsibility: The strategy to have senior management personnel responsible for the
IS within the overall organizational structure
• An IT Organization Structure: There should be a prescribed IT organizational structure
with documented roles and responsibilities and agreed job descriptions
• The IT Steering Committee: The committee will be responsible for the overall direction
of IT.
Financial Controls: Procedures for checking or controlling the original transactions or documents
before inputting them into the system. Reports are generated to reflect un‐posted items, non‐
monetary changes, item counts etc. to exercise control over the TPS. Some of the financial control
techniques are:
• Authorization: Authority to perform some act, typically access to such assets as
accounting or application entries.
• Budgets: Budget is the amount of time or money expected to be spent during a
particular period, project or event. It must also be compared with actual performance.
• Cancellation of Documents: Marking a document in such a way to prevent its reuse.
• Documentation: Written or typed explanations of actions taken on specific transaction or
explaining the performance of a task.
• Dual Control: For example: Bank Lockers or teller machine but don’t get confused with
dual access.
• Input/ Output verification: compare output with the input. This is an expensive
control, usually recommended by auditors.
• Safekeeping: Keep documents in a safe.
• Sequentially numbered documents: used to detect missing documents using a
sequence or coding.
• Supervisory Review: review and sign‐off by a supervisor. Difficult to control as auditor
was not present at the time of supervision.
Data Processing Environment Controls: Hardware‐ and software‐related controls, including
procedures exercised in the IS environment. For example: online transaction systems, database
administration etc.
Physical Access Controls: These controls include personnel (security guards etc.) to prevent or
control unauthorized access to the hardware or software by employees or outsiders.
Logical Access Controls: Authorization control to access to systems, data, programs,
networks so as to safeguard information’s CIA.
SDLC (System Development Life Cycle) Controls: Manual functions and activities performed
to control the application systems development. Two main requirements: System development
standards; documented procedures for the activities in each phase.
BCP Controls: Presence of operational, tested and well maintained IT CP – aligned with
overall BCP.
Application Control Techniques: Programmatic routines within the application program
code so that data remains accurate, complete and valid during input, update and storage. Any
function or activity that works to ensure the processing accuracy of the application can be
considered as an application control.
Audit Trails: Logs which are created to record activity at the system, application and user
level.
‘Application or User Controls’
1. Boundary Controls: It includes access control mechanisms – links authentic users to
authorized resources. Three steps ‐ Identification, authentication and authorization.
The user can give three factors of input information for the authentication process and gain
access to the required resources:

Class of Information        Types of Input
Personal Information        Name, Date of Birth, Account Number, Password, PIN
Personal Characteristics    Fingerprint, voice, signature, retinal pattern
Personal Objects            Identification cards, badge, key, finger ring
Some of the prominent Boundary Control Techniques are given as follows:
• Cryptography: Programs that transform data into cipher text (meaningless to anyone who cannot
decipher it). This includes encrypting the data into cryptograms. Its strength depends on the time
and cost needed to decipher the cipher text. There are three techniques to do it:
• Transposition – permute the order of characters within a set of data
• Substitution – replace characters using a key‐text
• Product Cipher – a combination of the above two
• Passwords: minimum password length, avoiding common words, periodic change,
use of special characters, limit on the number of entry attempts
• PIN: a password assigned to a user by an institution; a random number stored in its
database. It is vulnerable.
• Identification Cards: ID cards store information required in authentication process.
• Biometric Devices: Biometric identification like retina, finger print etc.
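The three cryptographic techniques listed above can be shown side by side in working code. The Python below is an added example, not from these notes: a key‐text substitution (Vigenère style), a columnar transposition, and their product, with the key words and the message constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase

def clean(text):
    """Keep only letters, upper-cased: these classical ciphers work on A-Z."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def substitute(text, key_text, decrypt=False):
    """Substitution with a key-text (Vigenere style): every letter is replaced
    by shifting it by the matching key letter; the key repeats as needed.
    Letter positions are untouched, only their identity changes."""
    key = clean(key_text)
    if not key:
        raise ValueError("key-text must contain at least one letter")
    out = []
    for i, ch in enumerate(clean(text)):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)

def transpose(text, key_text, decrypt=False):
    """Columnar transposition: text is written row by row under the key
    letters and read out column by column in alphabetical order of the key.
    Letter identities are untouched, only their order changes."""
    key = clean(key_text)
    if not key:
        raise ValueError("key-text must contain at least one letter")
    ncols = len(key)
    # Column read-out order: key positions sorted by key letter (ties by position).
    order = sorted(range(ncols), key=lambda i: (key[i], i))
    if not decrypt:
        padded = clean(text)
        padded += "X" * (-len(padded) % ncols)            # pad to full rows
        rows = [padded[i:i + ncols] for i in range(0, len(padded), ncols)]
        return "".join(row[c] for c in order for row in rows)
    if len(text) % ncols:
        raise ValueError("ciphertext length is not a multiple of the key length")
    nrows = len(text) // ncols
    cols = {c: text[k * nrows:(k + 1) * nrows] for k, c in enumerate(order)}
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols))

def product_encrypt(plaintext, trans_key, sub_key):
    """Product cipher: transposition first, then substitution, so the result
    keeps neither the letter order nor the letter identities of the plaintext."""
    return substitute(transpose(plaintext, trans_key), sub_key)

def product_decrypt(ciphertext, trans_key, sub_key):
    """Undo the two steps in reverse order; any X padding stays at the end."""
    return transpose(substitute(ciphertext, sub_key, decrypt=True), trans_key, decrypt=True)

def letter_histogram(text):
    """Letter frequencies. Transposition alone leaves this unchanged, which is
    why the notes pair it with substitution in a product cipher."""
    return {ch: text.count(ch) for ch in sorted(set(text))}

if __name__ == "__main__":
    msg = "ATTACK AT DAWN"                     # constructed sample message
    ct = product_encrypt(msg, "ZEBRA", "LEMON")
    print(ct, "->", product_decrypt(ct, "ZEBRA", "LEMON"))
```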
2. Input Controls: ensure the accuracy and completeness of data and instructions
input into an application system. They are important because the input process is time consuming,
needs human intervention and is error prone.
Existence and Recovery Controls: input data may have to be reprocessed in the event of
loss, corruption or destruction. Controls relating to instructions are often in the form of changes
to data, which are recorded in the audit trail. Thus, source documents and transaction listings must
be stored securely for a longer period.
3. Processing Controls: validation checks to identify errors during the processing of
data. Required to ensure the completeness and accuracy of data. They are enforced through the DBMS
that stores the data.
4. Output Controls: Presentation, format and delivery of output to the end user should be
in a consistent and secure manner. CIA should be maintained.
5. Database Controls: Update controls and report controls are the mechanisms which
protect the integrity of the database when application software acts as an interface between the
user and the database. Major update controls are given as follows:
• Sequence check between Transaction and Master Files: Synchronization and
sequence of processing between the two is critical to maintain the integrity of updates,
insertion or deletion of records in the master file with respect to transaction records. Errors
at this stage will lead to corruption of critical data.
• Ensure all records and files are processed: While processing, the transaction file
records must be mapped to the respective master file records. Similarly, the end‐of‐file of the
transaction file must be matched with that of the master file.
• Process multiple transactions for a single record in the correct order: The order in
which transactions are processed against the product master record must be based on
sorted transaction codes.
• Maintain a suspense account: When a mismatch occurs between master and
transaction record due to failure in the corresponding record entry in the master
record; it is stored into suspense account. A zero balance in suspense account means
no errors.
Major Report controls are given as below:
• Standing Data: Maintain integrity of the standing data. For example; fixed interest rates,
pricing tables. Any changes or errors in this data will reflect in all the calculations. Periodic
monitoring by annual checking or by calculating a control total is mandatory.
• Print Run‐to‐Run Control Totals: Run‐to‐Run control totals help in identifying errors or
irregularities like record dropped erroneously from a transaction file, wrong sequence of
update or the application software processing errors.
• Print Suspense Account entries: These account entries are to be periodically monitored
with the respective error file and action taken on time.
• Existence/ Recovery Controls: The back‐up and recovery strategies together constitute
the controls required to recover from a database failure. Back‐up strategies are implemented
using prior versions and logs of transactions or changes to the database. Recovery strategies
involve roll‐forward or roll‐back methods.
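The update controls above (sequence check, processing every record, multiple transactions per record in the correct order, suspense account) and the run‐to‐run control totals from the report controls can be seen working together in one small batch update. The Python below is an added example, not part of these notes; the master file, transaction file and transaction codes are constructed.

```python
from collections import defaultdict

# Constructed sample master file: one record per account, sorted on account.
MASTER = [
    {"account": "A100", "balance": 500.0},
    {"account": "A200", "balance": 1200.0},
    {"account": "A300", "balance": 75.0},
]

# Constructed transaction file, sorted on (account, txn_code) as the match-merge
# expects. Codes (constructed): "10" deposit, "20" withdrawal, "30" interest.
TRANSACTIONS = [
    {"account": "A100", "txn_code": "10", "amount": 100.0},
    {"account": "A100", "txn_code": "20", "amount": 50.0},
    {"account": "A200", "txn_code": "30", "amount": 12.0},
    {"account": "A250", "txn_code": "10", "amount": 40.0},  # no master record
]

def sequence_check(records, keys):
    """Sequence check: keys must be in non-descending order, otherwise the
    sequential match-merge would skip records or apply updates out of order."""
    ks = [tuple(r[k] for k in keys) for r in records]
    return all(a <= b for a, b in zip(ks, ks[1:]))

def post(balance, txn):
    """Apply one transaction to a balance according to its transaction code."""
    if txn["txn_code"] in ("10", "30"):
        return balance + txn["amount"]
    if txn["txn_code"] == "20":
        return balance - txn["amount"]
    raise ValueError("unknown transaction code %r" % txn["txn_code"])

def update_master(master, transactions):
    """Sequential update of the master file by the transaction file.
    Returns (new_master, suspense, control_totals); inputs are not modified."""
    if not sequence_check(master, ("account",)):
        raise ValueError("master file out of sequence")
    if not sequence_check(transactions, ("account", "txn_code")):
        raise ValueError("transaction file out of sequence")
    pending = defaultdict(list)
    for t in transactions:
        pending[t["account"]].append(t)        # keeps sorted txn_code order
    new_master, suspense, applied = [], [], 0
    for rec in master:                         # every master record is read...
        balance = rec["balance"]
        for t in pending.pop(rec["account"], []):
            balance = post(balance, t)         # ...and its txns posted in order
            applied += 1
        new_master.append({"account": rec["account"], "balance": round(balance, 2)})
    # Transactions with no matching master record go to suspense, never dropped.
    for acct in sorted(pending):
        suspense.extend(pending[acct])
    totals = {                                 # run-to-run control totals
        "master_in": len(master), "master_out": len(new_master),
        "txn_in": len(transactions), "txn_applied": applied,
        "txn_suspense": len(suspense),
        "balance_in": round(sum(r["balance"] for r in master), 2),
        "balance_out": round(sum(r["balance"] for r in new_master), 2),
        "suspense_amount": round(sum(t["amount"] for t in suspense), 2),
    }
    return new_master, suspense, totals

def reconcile(totals):
    """Run-to-run reconciliation: record counts must carry forward, and every
    transaction read must be either applied or parked in suspense."""
    return (totals["master_in"] == totals["master_out"]
            and totals["txn_in"] == totals["txn_applied"] + totals["txn_suspense"])

if __name__ == "__main__":
    new_master, suspense, totals = update_master(MASTER, TRANSACTIONS)
    print(totals)
    # A zero suspense amount means no mismatches; anything else needs follow-up.
    print("suspense balance:", totals["suspense_amount"])
```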
‘Controls over Data Integrity and Security’
A Simple 5‐scale grade to classify the data as per its value:
• Top Secret: Highly sensitive internal information that could seriously damage an
organization if disclosed or damaged. For example: a new market development strategy
• Highly Confidential: Information which could seriously impede organization’s
operations and is considered critical to its ongoing operations. For example; lay off strategy
• Proprietary: Procedures, project plans, designs and specifications which form the
basis of the organization’s functioning. For example: Maggi
• Internal Use only: Information not approved for general circulation and its leakage
or loss could cause inconvenience but not any serious damage or financial loss to the
organization.
• Public Documents: Information in public domain like annual reports, press
statements etc.
‘Data Integrity’
PDC – Prevent, Detect and Correct errors is the Primary objective.
All transactions flow through various stages of processing. Such controls ensure the integrity of
inputs, storage, programs, transmissions and outputs. Data integrity controls protect data from
accidental or malicious alteration or destruction and provide assurance to the user that the
information meets expectations about its quality and integrity. Data Integrity assessment
involves two steps:
• Virus Detection and elimination software is installed and activated.
• Data integrity and validation controls are established to provide assurance that the
information has not been altered and the system functions as intended.
An auditor should be concerned with the testing of user‐developed systems; changes or the release
of data unknown to the user could occur because of a design flaw. There is always a
possibility of erroneous data being present in the system while the user remains unaware of it.
A third party other than the designers or users must check it. This is critical especially where the
service desk is outsourced to an application services provider. Release of customer information
to such an entity must be controlled through contractual requirements with penalties if data is
compromised. Six categories of integrity controls are summarized below:
‘Data Integrity Policies’
• Virus signature updating: Regular Automatic updates
• Software Testing: Testing before installation
• Division of Environments: The division of environments into Development, Test and
Production is required for critical systems
• Off‐site Backup Storage: Backups older than one month must be sent off‐site for
permanent storage
• Quarter‐end and Year‐end backups: Must be done separately from the normal
schedule for accounting purposes.
• Disaster Recovery: A comprehensive disaster recovery plan must be used to ensure
the continuity of the business in the event of an outage.
‘Data Security’
Protection of data against accidental or intentional disclosure to unauthorized persons, as well
as the prevention of unauthorized modification and deletion of the data. An IS auditor is
responsible for evaluating the following while reviewing the adequacy of data security controls:
• Who is responsible for the accuracy of data?
• Who is permitted to update data?
• Who is permitted to read and use data?
• Who is responsible for determining who can read and update data?
• Who controls the security of data?
• In case it is outsourced, what security controls and protection mechanism does the
vendor have in place to secure and protect data?
• Contractually, what penalties or remedies are in place to protect the tangible and
intangible values of the information?
• The disclosure of sensitive information is a serious concern to the organization and is
mandatory on the auditor’s list of priorities.
‘Logical Access Controls’
These are the system‐based mechanisms used to designate who or what is to have access to a specific
system resource and the type of transactions and functions that are permitted. The following
critical procedures must be evaluated:
• Logical access controls restrict users to authorized transactions and functions.
• There are logical controls over network access.
• There are controls implemented to protect the integrity of the application and the
confidence of the public when the public accesses the system.
Logical Access Paths
1) Operator Console: Intruders can cause serious damage through operator consoles. Hence,
access must be restricted. This can be done by:
• Keeping it at a visible‐to‐all place, or
• Keeping it in a restricted zone accessible only to authorized personnel.
2) Modem: converts digital data to analog data; it is an interface between a remote terminal
and the telephone line. A dial‐back line identifies the remote user and ensures security by
confirming the presence and exactness of the data sent.
3) Telecommunication Network: A number of computer terminals are linked to the host computer
through a network of telecommunication lines.
‘Logical Access Issues and Exposures’
In an online system, opportunities of access are more; hence the level of control for this system
must be more complex.
[Figure: access points and controls, layer by layer: User → Operating System (access point/
control) → Network Operating Systems (access point/ control) → Application Software (access
point/ control) → Database (access point/ control).]
Access control mechanisms should provide security to the following applications:
• Access control software
• Application software
• Data
• Data dictionary/ directory
• Dial‐up lines
• Libraries
• Logging files
• Operating systems password library
• Procedure libraries
• Spool queues
• System software
• Tape files
• Telecommunication lines
• Temporary disk files
• Utilities
‘Issues and Revelations related to Logical Access’
Compromise or absence of logical access controls in organizations may result in potential
losses due to exposures that may lead to the total shutdown of computer functions.
Intentional or accidental exposure of logical access controls encourages technical exposures
and computer crimes. These are given as follows:
a) Data Diddling: change of data before or after it enters the system. This happens
before computer security can protect the data.
b) Bombs:
• Time Bomb: explodes at a particular date and time.
• Logic Bomb: gets activated by a combination of events.
c) Trojan Horses: similar to bombs, but a computer clock or particular circumstances do not
necessarily activate them. A Trojan can cause harm in the following ways:
• Change or steal the password
• May modify records in protected files
• May allow illicit users to use the systems
They do not damage the hosts. They cannot copy themselves. They do not get transferred
unless specifically copied. For example: the Christmas card detected on the internal email system of
IBM.
d) Worms: Worm can easily replicate or copy itself within the network to other
systems because it does not need a host. But that makes them highly identifiable as they are
standalone programs.
e) Rounding Down: This refers to rounding of small fractions of a denomination and
transferring these small fractions into an authorized account. As the amount is too small, it
rarely gets noticed.
f) Salami Techniques: This involves slicing small amounts of money from a
computerized transaction or account.
g) Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts
that permit a review of data. They also permit insertion of unauthorized logic.
• Financial Loss
• Legal Repercussions
• Loss of credibility or Competitive Edge
• Blackmail/ Industrial Espionage
• Disclosure of Confidential, Sensitive or Embarrassing information
• Sabotage
• Spoofing: A spoofing attack involves forging one’s source address. One machine is
used to impersonate another, and it happens when one of the machines is found
vulnerable.
Who can be behind all the above?
Hackers
Employees (Authorized or unauthorized/ Current or Former)
IS Personnel: Easiest access: Segregation of duties can control it efficiently.
End Users
Interested or educated outsiders
Competitors
Foreigners
Organized Criminals
Crackers
Part‐time and Temporary Personnel
Vendors and Consultants
Accidental Ignorant
3) Asynchronous Attacks: They occur in many environments where data can be
moved asynchronously across telecommunication lines. Numerous transmissions must wait for
the line to clear before the data is transmitted. Data that is waiting to be transmitted is
liable to unauthorized access; this is called an asynchronous attack. These attacks are hard to detect.
Some of them are:
Data Leakage: it is done by dumping files to paper or stealing computer reports and
tape.
Piggybacking: Act of following an authorized person through a secured door.
[Figures: (1) a hacker captures a message from Mr. B over the Internet/ communication channel
and modifies it or adds contents to it; (2) a hacker disrupts the services provided by a server over
the Internet/ communication channel.]
4) Remote and distributed data processing applications can be controlled in following
ways:
• Remote access to computer and data files through the network should be implemented.
• Having a terminal lock can assure physical security to some extent.
• Applications that can be remotely accessed via modems and other devices should be
controlled appropriately.
• Terminal and computer operations at remote locations should be monitored carefully
and frequently for violations.
• To prevent unauthorized users access to the system, there should be proper control
mechanisms over system documentation and manuals.
• Remote data transmissions should be controlled. The location which sends data
should attach the needed control information that helps the receiving location to verify
genuineness and integrity.
• Replicated copies at multiple locations must be identical copies containing the same
information and it should be ensured that duplicate data does not exist.
• Adequate physical security controls have been implemented.
• Data is protected from interception
• Mobile and portable systems are protected.
‘Logical Access Control across the System’
The purpose is to restrict access to information assets/ resources, on a need‐to‐know and need‐to‐do
basis using the principle of least privilege: privileges should be just sufficient. The data, an
information asset, can be:
• Data in Process
• Data at Rest
• Data in Transit
‘Physical Access Controls’
Physical Access Issues and Exposures
Results of unauthorized physical access or exposure:
• Data abuse
• Blackmail
• Embezzlement
• Damage, vandalism or theft of equipment or documents
• Public disclosure of sensitive information
• Unauthorized entry
Possible perpetrators may be employees who are:
• Accidental ignorant
• Addicted
• Discontented
• Experiencing financial or emotional problems
• Former employees
• Notified of their termination
• On strike
• Threatened by disciplinary action or dismissal
or interested or informed outsiders, such as competitors, thieves, organized crime and
hackers.
The areas of concern include the following:
• How far are the hardware facilities controlled to prevent unauthorized entry?
• Are the hardware facilities protected against forced entry?
• Are intelligent computer terminals locked or otherwise secured to prevent illegal
removal of physical components like boards, chips and the computer itself?
• When there is a need for the removal of computer equipment from its normal secure
surroundings, are authorized equipment passes required for removal?
The facilities that need to be protected from the auditor’s perspectives are:
• Communication channels
• Computer room
• Control units and front end processors
• Dedicated telephone lines
• Disposal sites
• Input/ output devices
• Local area networks
• Micro computers and personal computers
• Minicomputer establishments
• Off‐site back up file storage facility
• On‐site and remote printers
• Operator consoles and terminals
• Portable equipment
• Power sources
• Programming area
• Storage rooms and supplies
• Tape library, tapes, disks, and all magnetic media
• Telecommunications equipment
Similar controls must be available at service providers or other third parties and it should be a
matter of concern for auditors too.
b) Access Control Mechanisms
• Identification
• Authentication, and
• Authorization
Operation of the access control mechanism happens in the following sequence:
• Users must identify themselves
• Users must authenticate themselves and the mechanism must authenticate itself.
• Users request for specific resources, their need for those resources and their areas of
usage of these resources.
The mechanism accesses previously stored information about users, the resources they can
access and the action privileges they have with respect to these resources; it then permits or
denies the request. Users may provide four factors of authentication information as shown
below:

Remembered information          Name, Account number, passwords
Objects possessed by the user   Badge, plastic card, key
Personal characteristics        Finger print, voice print, signature
Dialog                          Through/ Around computer
c) Authorization: Consider the authorization function in terms of a matrix where
rows represent users and columns represent the resources and the element represents the
users’ privilege on the resources.
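The three‐step sequence above and the authorization matrix can be put together in a small access control mechanism that also writes an audit trail and enforces the entry‐attempt limit mentioned under Passwords. The Python below is an added example, not from these notes; the user, resources, privileges and attempt limit are constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_ATTEMPTS = 3   # constructed "number of entry attempts" limit

def hash_password(password, salt=None):
    """Store a salted PBKDF2 hash of the remembered secret, never the secret itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class AccessControl:
    def __init__(self):
        self.credentials = {}   # user_id -> (salt, digest)
        self.failed = {}        # user_id -> consecutive failed attempts
        self.matrix = {}        # (user_id, resource) -> set of action privileges
        self.audit_trail = []   # one entry per decision at the user level

    def enrol(self, user_id, password):
        self.credentials[user_id] = hash_password(password)
        self.failed[user_id] = 0

    def grant(self, user_id, resource, *privileges):
        """Fill one cell of the authorization matrix (row = user, column = resource)."""
        self.matrix.setdefault((user_id, resource), set()).update(privileges)

    def _log(self, user_id, resource, action, outcome):
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "resource": resource,
            "action": action, "outcome": outcome})

    def authenticate(self, user_id, password):
        """Steps 1 and 2: identification (is user_id known?) and authentication
        (does the remembered secret match?), locking out after MAX_ATTEMPTS."""
        if user_id not in self.credentials:
            self._log(user_id, None, "login", "unknown user")
            return False
        if self.failed[user_id] >= MAX_ATTEMPTS:
            self._log(user_id, None, "login", "locked")
            return False
        salt, stored = self.credentials[user_id]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            self.failed[user_id] = 0
            self._log(user_id, None, "login", "success")
            return True
        self.failed[user_id] += 1
        self._log(user_id, None, "login", "bad password")
        return False

    def authorize(self, user_id, resource, action):
        """Step 3: look up the matrix cell for (user, resource) and permit only
        if the requested action privilege is present; the default is deny."""
        allowed = action in self.matrix.get((user_id, resource), set())
        self._log(user_id, resource, action, "permit" if allowed else "deny")
        return allowed

def demo():
    """Constructed walk-through: one teller, two resources, mixed outcomes."""
    ac = AccessControl()
    ac.enrol("teller1", "correct horse")
    ac.grant("teller1", "ledger", "read")
    ac.grant("teller1", "cash_drawer", "read", "update")
    results = {
        "login_bad": ac.authenticate("teller1", "wrong"),
        "login_ok": ac.authenticate("teller1", "correct horse"),
        "read_ledger": ac.authorize("teller1", "ledger", "read"),
        "update_ledger": ac.authorize("teller1", "ledger", "update"),
        "update_drawer": ac.authorize("teller1", "cash_drawer", "update"),
        "unknown_user": ac.authenticate("nobody", "x"),
    }
    return ac, results

if __name__ == "__main__":
    ac, results = demo()
    print(results)
    for entry in ac.audit_trail:
        print(entry)
```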
There are two approaches to it:
1) Locks on Doors
• Cipher Locks: also called combination door locks.
• Bolting Door Locks: a special metal key which does not have a duplicate.
• Electronic Door Locks: A magnetic or embedded chip based plastic card key or token may
be entered into a reader to gain access in these systems. The reader device upon
reading the special code that is internally stored within the card activates the door
locking mechanism.
Why are electronic door locks better?
• Through the special internal code, cards can be made to identify the correct individual.
• Access needs may also be restricted using special internal code and sensor devices.
• Degree of duplication is reduced.
• Card entry can be deactivated easily.
• This calls for an administrative process dealing with issuing, accounting for and
retrieving the card keys.
• Biometric Door Locks: Extremely secure where an individual’s unique body
features such as voice, retina, fingerprint or signature, activate these locks.
2) Physical Identification Medium
• Personal Identification Number (PIN): secret number assigned to the employee in
conjunction with some means of identifying the individual, serves to verify the
authenticity of individual.
• Plastic Cards: These cards are used for authentication purposes
• Identification Badges: Special ID badges can be given to employees and visitors.
A change in color identifies the authentication level.
3) Logging on Facilities
• Manual Logging: Sign a visitor’s log. A valid and acceptable identification may also
be asked for.
• Electronic Logging: this is a combination of electronic and biometric security systems.
User logins can be monitored and unsuccessful attempts may be highlighted.
4) Other means of Controlling Physical Access
• Video Cameras
• Security Guards
• Controlled visitor access
• Bonded personnel
• Dead Man doors
• Non exposure of sensitive facilities
• Computer terminal locks
• Controlled single entry point
• Alarm system
• Perimeter fencing
• Control of out‐of‐hours employees
• Secured report/ Document distribution cart
‘Environmental Controls’
Issues covered are:
• Environmental issues and exposures
• Audit and evaluation techniques for Environmental Controls
From the perspective of environment exposures and controls, IS resources may be categorized
as follows (with the prime focus on facilities)
Hardware and Media: equipment relating to computing, communication and storage
Information Systems Supporting Infrastructure of Facilities: This includes:
• Physical Premises: like computer rooms, cabins, server rooms, data center premises,
printer rooms, and Remote facilities, staging room and storage areas.
• Communication closets
• Cabling ducts
• Power source
• Heating, Ventilation and Air conditioning
Supplies: Third party maintenance procedures viz. air‐conditioning, fire safety and
civil contractors.
People: Every person entering the premises must be made accountable and responsible
for environmental controls in their respective Information Processing Facility (IPF). Training is an
important component too.
Environmental issues and exposures include:
• Fire
• Natural Disasters
• Power spike
• Air conditioning failure
• Electrical shock
• Equipment failure
• Water damage or flooding
• Bomb threat/ attack
Other questions that auditor must ask pertaining to the environmental issues and exposures
are:
• Is the power supply to computer equipment properly controlled?
• Are the air conditioning, humidity and ventilation control systems protected against static
electricity effects using anti‐static rugs or anti‐static spray?
• Is consumption of food, tobacco or drinks prohibited by policy around computers?
• Are backup media protected from damage due to variation in temperatures?
• Are they guarded against strong magnetic fields and water damage?
• Is the computer equipment kept free from dust, smoke and other particulate matter?
‘Controls for Environmental Exposures’
Water detectors: should be placed under the raised floor and near drain holes. Should be
present near any unattended equipment storage facilities. For easy identification, their location
should be marked on the raised computer room floor. They should produce an audible alarm.
Hand held Fire Extinguishers
Manual Fire alarms
Smoke Detectors: placed above and below the ceiling tiles. Fire suppression should be
supplemented.
Fire suppression systems: Various fire suppression techniques are given below:
• Dry‐Pipe Sprinkling Systems – they don’t damage equipment as there is no leakage.
• Water based systems – they do damage equipment in case there is a leakage.
• Halon‐ pressurized Halon gas that removes oxygen from air. It is inert and does
not damage the equipment. Affects ozone layer; hence is banned.
Strategically Locating the Computer room: No basement or ground floor
Fireproof walls, floors and ceilings surrounding the computer room: at least a 3‐hour fire
resistance rating.
Electrical Surge Protectors: to reduce the damage caused by Power spikes. Incoming current
is measured by a regulator and depending upon the intensity of current, it may be increased or
decreased to ensure that a consistent current passes through. Such protectors are generally
built into the UPS.
UPS/ Generator: A UPS system consists of a battery or gasoline‐powered generator that
interfaces between the mains electrical power entering the facility and the electrical power
supplied to the computer. The system cleanses the power to ensure that the wattage into the computer
is consistent.
Emergency Power off Switch: In case of a necessity of immediate power shut down
during situations like a computer room fire or an emergency evacuation, an emergency power
off switch at the strategic locations would serve the purpose. They should be easily accessible
and yet secured from unauthorized people.
Wiring placed in Electrical Panels and Conduit: Electrical fires are always a risk. To prevent
those, wiring should be placed in the fire resistant panels and conduit. Conduit generally lies
under fire‐resistant raised floor in the computer room.
Prohibitions against Eating, Drinking, and Smoking within the Information Processing Facility:
The prohibition should be clear e.g. a sign on the entry door.
Fire Resistant Office Materials: Materials used in the IPF should be fireproof.
‘Cyber Frauds’
Major reasons behind Cyber Frauds are:
• Failure of internal control system
• Failure of organizations to update themselves to a new set of risk
• Smart Fraudsters
SA 240 (Revised), “The Auditor’s responsibility to consider fraud and
error in an audit of financial statements”, defines fraud as “intentional misrepresentation of
financial information by one or more individuals among employees, management, those
charged with governance, or third parties.”
Fraud: Intentional error
Cyber Fraud: When it is committed using technology.
On the basis of functionality, these are of two types:
• Pure Cyber Frauds: Done by extensive use of technology. For example: Website
Hacking
• Cyber Enabled Frauds: Frauds, which can be committed in physical world also but
with use of technology; the size, scale, location of frauds changes. For example:
Withdrawal of money from a bank account by stealing PIN numbers.
‘Cyber Attacks’
Phishing: It is the act of attempting to acquire information such as usernames, passwords,
and credit card details (and sometimes, indirectly, money) by disguising as a trustworthy entity
in an electronic communication.
Network Scanning: Process to identify active hosts of a system, for purpose of getting
information about IP addresses etc.
Virus/ Malicious Code: As per section 43 of the IT Act, 2000, “Computer Virus” means any
computer instruction, information, data or program that destroys, damages, degrades or
adversely affects the performance of a computer resource or attaches itself to another
computer resource and operates when a program, data or instruction is executed or some
other event takes place in that computer resource.
Spam: Emailing the same message to everyone on one or more Usenet News Group or
LISTSERV lists.
Others:
• Crackers – hackers with malicious intentions
• Eavesdropping – listening in on communications using wire tapping
• E‐mail forgery – sending email messages that look as if someone else sent it
• Email threats
• Scavenging – this is gaining access to confidential information by searching corporate
records.
Impact of Cyber Frauds on Enterprises:
• Financial loss
• Legal repercussions: section 43A of IT Act 2000 fixes liability on companies/
organizations.
• Loss of credibility or competitive edge
• Disclosure of Confidential, Sensitive or Embarrassing Information
Techniques to Commit Cyber Frauds:
Hacking
Cracking
Data diddling
Data Leakage
Denial of Service Attack (DOS)
Internet Terrorism
Logic Time Bombs
Masquerading or Impersonation
Password Cracking
Piggybacking
Round Down
Scavenging or Dumpster Diving
Social Engineering techniques
Super zapping
Trap door
Chapter 4
Business Continuity Planning & Disaster Recovery Planning
‘What is Business Continuity Management (BCM)?’
Business continuity management (BCM) is a framework for identifying an organization's risk of
exposure to internal and external threats.
The goal of BCM is to provide the organization with the ability to effectively respond to threats
such as natural disasters or data breaches and protect the business interests of the
organization. BCM includes disaster recovery, business recovery, crisis management, incident
management, emergency management and contingency planning.
A business continuity management system emphasizes the importance of:
• Understanding continuity and preparedness needs, as well as the necessity for
establishing business continuity management policy and objectives.
• Implementing and operating controls and measures for managing an organization’s
overall continuity risks.
• Monitoring and reviewing the performance and effectiveness of the business continuity
management system.
• Continual improvement based on objective measurements.
‘Why an Enterprise Needs Business Continuity Management?’
To be a successful business, an enterprise must meet two requirements:
1. It must meet its objectives
2. It must continue with no interruptions in operations and services
Enterprises face threats and risks, and sometimes such threats and risks may force an
enterprise to stop its operations, which would further prevent it from meeting its objectives. In
order to recover from such a threat situation, it must have a well defined, pre‐meditated and
pre‐tested plan, should have ample reserves in teams and infrastructure, and should be agile
enough to quickly transition to a backup plan.
Business Contingency (the threats or risks): Business Contingency is the possibility of an
event whose occurrence may lead to disruption of business operations and services. When
such an event happens, the computer system stops working, thereby halting the critical
business functions and leading to disruptions.
A company may meet disruptions or discontinuation of operations or services due to any of the
following:
Fire, flood, hurricane, tornado, earthquake, volcanoes
Plane crashes, vandalism, terrorism, riots, sabotage, loss of personnel, etc.
Anything that diminishes or destroys normal data processing capabilities
BCP Process: Business Continuity Plan (BCP), in simple words, is a plan to preserve the
critical business functions, both manual and automated ones, in the face of a disaster, to ensure
the continuity of a minimum level of services necessary for critical operations. For example, in
case of a disaster, a bank’s ATMs should still be running for its customers. The purpose of BCP is
to ensure that vital or critical functions are restored within an acceptable time frame. So the
plan starts with identification of such critical business operations and services. It ensures that
manpower and resources are available for disaster preparation and response, and that the plan is
followed quickly as per the procedures laid out.
Business Continuity Planning: It is the ability of an enterprise to recover from a disaster
and continue operations with the least impact. Not only having a BCP, but also auditing it regularly,
is equally important, to confirm that it is adequate to serve the organization’s needs.
‘Documentation’
A successful organization must always be ready for a disaster with a well documented plan of
action, which shows that it is ready and has sufficient spare resources to manage the
continuity. This documentation is called BCP Manual. This document states the description of
actions to be taken, resources to be used and procedures to be followed before, during and
after an event that severely stops all of the business operations or a critical part of it.
BCP manual must:
1. Provide a reasonable assurance to the management about an enterprise’s readiness to face
disasters.
2. Anticipate different disaster scenarios and outline the action plan to recover from them with
minimum damage, while ensuring the continuity of key operations and services.
3. Specify the responsibilities of the BCP team, which liaises between affected areas and
support functions.
‘BCM Policy’
The main losses which an organization may face during a disaster are: loss of revenue,
reputation, productivity, and customer satisfaction. Saving these during a disaster is the
main goal of BCP.
So, owing to its importance and criticality to an organization, the following issues must be laid out in
an organization’s BCM policy:
1. Clear and documented identification of the critical business operations and services.
2. Development of recovery and continuity plans by scenario analysis.
3. Teams and resource planning to achieve such recovery and continuity, and to liaise
between affected areas and support functions.
4. Ongoing testing and updating of the plan so that it does not fail in a real incident.
5. A clear assignment of planning and management responsibility to a member of
senior management.
There are only two things which a BCP policy lays out:
1. Set up of BCM
2. Management and Maintenance.
‘Business Continuity Planning’
BCP is
• The creation and validation
• Of a practical logistical plan
• For how an enterprise will recover and restore
• Partially or completely interrupted critical business functions
• Within a predetermined time after a disaster.
The basic layout which BCP should provide for in case of a disaster is shown in the picture given
below.
[Figure: BCP layout ‐ starting point and follow‐on steps; combating the disaster and returning to
normal operations; exact measurement of the resources needed for the resurrection]
Business Continuity life cycle consists of 4 vital steps as shown below:
[Figure: the four steps of the business continuity life cycle]
A business continuity life cycle must answer 5 important questions:
1. What are the requirements and what should be done?
2. What is the right way of doing it?
3. How should it be done?
4. Is it workable and worth getting an approval?
5. How to maintain it for real‐time use?
To achieve the above, every plan would require some resources, which include: information,
technology, manpower, telecommunications, process, facilities. For each category, a mix of all
these resources in proportion to their requirement is ascertained, with the objective of
optimizing the costs and minimizing the losses.
‘Objectives and Goals of Business Continuity Planning’
Key objectives are:
• Safety and well being of people on the premises at the time of disaster;
• Continue critical business operations;
• Minimize the duration of a serious disruption to operations and resources;
• Minimize the immediate damage or loss;
• Establish management succession and emergency powers;
• Facilitate effective coordination of recovery tasks;
• Reduce the complexity of the recovery task;
• Identify critical lines of business and supporting functions.
[Figure: Business Continuity, Disaster Recovery and Crisis Management]
All the above objectives can be classified into 4 goals of BCP as shown below:
1. Identify weaknesses and implement a disaster prevention plan
2. Minimize the duration of disruption
3. Facilitate effective coordination of recovery tasks
4. Reduce the complexity of the recovery effort
‘Developing a BCP’
The key parameters which form the foundation of developing a BCP are:
1. Documenting the impact of an extended loss to operations and key business functions.
2. Analysis of efforts and resources required to develop and maintain an effective recovery
plan.
3. Reporting it to the management. This is done to obtain their consent, support and
participation.
4. Focus on disaster prevention and impact minimization, as well as orderly recovery;
5. Select business continuity teams that ensure proper balance required for plan
development;
6. Develop a business continuity plan that is understandable, easy to use and maintain;
and
7. Integrating the business continuity plan into routine business activities so that the plan
remains viable over time.
To achieve the above parameters in an organized manner, a Business Continuity Plan has been
framed as an eight‐phase mechanism:
1. Preplanning Activities (BCP Initiation)
2. Vulnerabilities Assessment / Define Requirements
3. Business Impact Analysis
4. Detailing Requirements
5. Plan Development
6. Testing Program
7. Plan Maintenance Program
8. Initial Plan Testing and Implementation Program
BCP Review/Audit and Project Management are shown at the centre of this cycle.
Let’s discuss each phase separately:
Phase I: Pre‐Planning Activities (Project Initiation)
Who drives it, manages it and makes the decisions? ‘Steering Committee’
Who drives the project? ‘Project Manager’
What they try to achieve:
• Refine the scope of the project and associated work programs
• Develop project schedules
• Identify and address any issues that could have an impact on delivery and the success of
the project
• Development of a policy to support recovery programs
• Awareness program to educate management and senior individuals directly
participating in the project
Phase II: Vulnerability Assessment and General Definition of Requirements
‘Prevention is better than cure’ is a universal concept which holds true in every situation.
Before planning for disaster recovery, the Project team should first focus on disaster
prevention. And that’s what they do at this stage.
The Project team, under the supervision of the steering committee, is supposed to undertake the
following tasks in this phase:
• Current Security Assessment – The team will first assess the current security systems
pertaining to the computing and communications environment.
• Reporting the findings and recommendations to the steering committee for approval to
take corrective measures in time.
• Improving the prevailing security systems and installing security systems where they were
not already present.
• Define the scope of the planning effort.
• Analyze, recommend and purchase software required for recovery planning and
maintenance.
• Develop a planning framework.
• Assemble the Project team and conduct awareness sessions.
Phase III: Business Impact Assessment (BIA)
BIA helps the project team to:
1. Identify critical systems, processes and functions;
2. Assess the economic impact of disasters on such systems, because of which disruption of
operations or services will take place;
3. Assess the duration for which the business can sustain or survive this disruption – this duration is
called the ‘Pain Threshold’.
The report of this assessment should be presented to the Steering Committee.
Phase IV: Detailed Definition of Requirements
Now, since we know which critical functions and processes we have to concentrate upon, it will
be easier to create a list of requirements to safeguard them against disasters and to ensure that they
are operational within the prescribed time limit, which should be before the ‘Pain Threshold’. So a list
of hardware, software, support and facilities is created at this stage, keeping in mind the
duration of disruption.
Phase V: Plan Development
Now is the time to define the recovery plan components and document the plan. This
includes implementation of changes to the way systems are being used by the users, upgrading
the existing data processing procedures, vendor negotiations, etc. Recovery teams will also be
assigned their roles and responsibilities.
Phase VI: Testing/ Exercising Program
In this stage, the test plan is created. The phase starts with testing goals and must evaluate various
testing procedures to select the most relevant one. A test‐as‐you‐go program should be
established.
Phase VII: Maintenance Program
Next stage is the maintenance of the plans and integrating them to the existing change
management strategies. The plan must clearly indicate the changes required to be done in the
existing environment to include the maintenance program.
Phase VIII: Initial Plan Testing and Implementation
Before implementation, once the plans are developed, initial tests of the plans are conducted and
the required modifications to the plans are made. This process is a summation of the activities
listed below:
1. Defining the test purpose and approach
2. Identifying test teams
3. Structuring the test
4. Conducting the test
5. Analyzing test results
6. Modifying the plans as appropriate
‘Components of BCM Process’
BCM – Management Process
The management process marks the beginning of BCM project. It enables
• Business continuity
• Capacity establishment (as per organization’s requirement)
• Capability establishment (as per organization’s requirement)
BCM – Understanding your Business or Information Collection Process
Assessment of most important products and services → Identification of critical operations and
services to deliver them → Requirements to implement BCM strategy.
BCM – Strategy Process
Assessment of different strategies available, depending on the processes and technology
already present in an organization, is done so that the most appropriate strategy is selected.
Strategy chosen or selected must be able to generate response at an acceptable level and
should be able to restore the critical functions within acceptable time limits before the ‘Pain
Threshold’.
BCM – Development and Implementation process
Develop a management framework capable of managing unfavorable incidents, ensuring
business continuity and recovery, and create recovery plans.
BCM – Establishing continuity culture
Extensive training in BCM, incident management, business continuity and recovery and
restoration plans is provided to integrate BCM into the company’s culture.
BCM – Testing and Maintenance
This stage calls for testing, maintenance and audit. It reviews the entire process for its
completeness, accuracy and freshness, and identifies the shortcomings while recommending
improvements.
‘BCM Management Process’
The first step towards creating a successful BCM is to create a BCM Management Process. It
defines who is going to manage it and how it is going to be managed, and records and
documents this.
1) Organization Structure
Every Process demands authority and responsibility. So this process also starts with appointing
a senior person who would be accountable for BCM implementation and Maintenance. All the
people, whether as a Project manager or as a part of steering committee are responsible for
making this program successful and their individual responsibilities must be communicated and
documented.
2) Implementing Business Continuity in the Enterprise and Maintenance
BCM is a continuous process which demands regular implementation and maintenance, and it is
the responsibility of the individual department managers to do that. It is a simple process in
which, first, a Project manager or a BCM manager is appointed by top management. He is
supported by the department heads or process leaders in implementation and maintenance of
BCM. The program’s success also depends upon a clear communication and training policy for all the
stakeholders.
Implementation activities include many things and can be classified according to their purpose:
3) BCM Documentation and Records
No business process operates without documentation. Documentation brings control to the
process, including BCM. There are four types of documentation required, ‘IPPC’: Incident,
Planning, People, Control.
Incident: Incident management plan; Local authority risk register; Incident log.
Planning: BCM Policy; BCP; BIA; RA.
People: Strategy; Aims and objectives; Functions and activities; Training.
Control: Processes; Documents; Change; Records.
‘BCM Information Collection Process’
In order to design an effective BCM, accurate information related to the following must be
possessed by an enterprise.
1. Core objectives, structure, values and environment of an enterprise.
2. Activities, assets and resources that support a company’s products and services.
3. Impact and consequences of their failure.
4. List of perceived threats that could disrupt the enterprise’s key products and services.
Why do we need this information?
• To refine the scope of BCP
• To develop time schedules
• To identify and address the factors that could lead to failure of the plan
• To develop a policy to support the recovery program
• To create awareness among management and senior officials
Outcomes are reviewed by top management and approved. The review will also include BIA and RA
so that the findings and the decisions made upon them are accurate and relevant to stakeholders’
needs.
‘Business Impact Analysis’
It simply means systematic analysis of the impact of potential threats caused by disasters. BIA
assesses and documents the losses caused by the disruption, due to a disaster, of activities or functions
that support key products and services. It is helpful in:
• identifying the critical processes, products and systems
• assessing the impact of disasters on the disruption of activities or functions that support
key products and services
• assessing the ‘pain threshold’
For each activity, product or services that support the delivery of key products and services, the
enterprise should:
• identify critical business processes
• assess the impact if the activity is disrupted over a period of time
• identify the maximum time limit within which such activities must be resumed
• assess the minimum level at which activity needs to be performed on its resumption
• identify the length of time within which normal levels of operation need to be resumed
• Identify any interdependent activities, assets and other supporting infrastructure or
resources that must also be maintained simultaneously.
And it must all be documented. BIA report should be presented to top management.
Based on this report, systems and resources required to support the critical services will
be identified.
‘Classification of Critical Activities’
Business Categorization: Each function is classified into three categories:
Vital: The most important ones, without which the system cannot run
Essential: Very important ones, sometimes vital, since they must be supporting one
of the vital functions
Desirable: Functions which, if they remain functional, add to the benefits; however, in
case they shut down, they are not going to shut the system down
But how to decide whether a function is vital, essential or desirable?
This can be done by evaluating each function or activity on the basis of following
parameters:
• Loss of revenue
• Loss of reputation
• Decrease in customer satisfaction
• Loss of productivity (man‐hours)
All the parameters shall be graded on a three‐point scale (1‐3) where
1 = Low (L)
2 = Medium (M)
3 = High (H)
Look at the matrix given below (Y axis: probability or likelihood of a calamity; X axis: business
impact on the activity; each cell is probability × impact):
                    Business impact on activity
Probability         1 (Desirable)     2               3 (Vital)
3 (High)            3 (Minor)         6               9 (Catastrophe)
2 (Medium)          2                 4               6
1 (Low)             1                 2               3
3 (Minor) means that, due to the high probability of a calamity (3) but low impact on the business (1),
since the activity’s importance is low (desirable), the impact would be minor (3x1=3).
Similarly, 9 (Catastrophe) represents a high probability of occurrence of a disaster (3)
with a high impact on business value, since the business activity is vital; the impact
would be catastrophic (3x3=9).
‘Risk Assessment’
Risk assessment means assessing the chances of disruption and the associated risks to the resources
which support the activities that produce major business products or services. It could be due
to both external threats like fire, flood, earthquake or any other natural or man‐made calamities
and vulnerabilities like viruses, hackers, etc. BIA and Risk assessment jointly help an enterprise to:
1. Prevent disruption;
2. Keep any disruption to the shortest period of time;
3. Limit the impact of disruption.
These measures are known as ‘Loss treatment’ or ‘Risk Mitigation’.
‘BCM Strategy Process’
What is a strategy?
Strategy is a series of plans which enable an enterprise to manage an incident which impacts
the site operations and subsequently recover its critical activities and their supporting resources
within the agreed‐upon time scales.
The strategy may be any, depending on the enterprise’s needs; however, it must always aim at
achieving the following:
1. Prepare to avert the impact of disaster
2. Reduce the potential impact
3. Minimize the loss and risk caused by the impact
‘BCM Development and Implementation Process’
As a part of the development and implementation process, the first step is to create an
exclusive organization structure and Incident management or crisis management team which is
specially trained and motivated to perform BCM activities at the time of any disaster. This will
enable an organization to achieve 5 Cs related to incident and recovery:
• Confirm – that the incident has taken place (of what type and to what degree)
• Control – the situation
• Contain – the incident
• Communicate – to the stakeholders
• Coordinate – within teams for an appropriate response
‘The Incident Management Plan (IMP)’
The moment the first instance of an incident is noticed, the Incident Management Plan
manages it. IMP should have top management support in terms of budgets for development,
maintenance and training. The plan should be documented; must be flexible depending on the
incident and its projected impact as assessed by BIA and RA; and must address all possible issues,
including stakeholders’ issues.
‘The Business Continuity Plan (BCP)’
After the incident has been managed ‐ confirmed, controlled, contained, communicated and
coordinated – BCP comes into effect for recovery. Depending on the situation and the damage
caused, BCP gets implemented as was documented.
‘BCM Testing and Maintenance Process’
There are 4 steps to it – Testing, Maintenance, Review, Training
‘BCM Testing’
Testing must be done periodically because of the following reasons:
1. Each time testing is done, there will be a new set of flaws – both in planning and
implementation.
2. The plan gets obsolete with time; therefore it must be updated regularly.
Why do we do testing?: To ensure and assure that it will work as planned at the time of
real situation.
Testing must aim to improve BCM capability. It can be done by:
• Practice – enterprise’s capability to recover
• Incorporation – all critical activities into BCP
• Highlighting – assumptions and question them
• Instilling – confidence
• Raising – awareness through communication
• Validating – effectiveness and timeliness of restoration of critical activities
• Demonstrating – competence of primary response teams and their alternatives.
Pertaining to developing BCP, the objectives of testing should be to check the following:
• Completeness
• Workability
• Competence evaluation
• Resources
• Manual recovery procedures and IT backup systems
• Business continuity training program
Implementation:
Plans have been developed now. Next are testing, analysis and modifications.
• Define ‐ the test approach and purpose
• Identify ‐ test teams
• Structure ‐ the test
• Conduct ‐ the test
• Analyze ‐ the test results
• Modify – The plan
‘BCM Maintenance’
The basic idea behind maintenance is to ensure that everything related to the recovery process is
up‐to‐date. What does a BCM maintenance process aim at?
1. To demonstrate that the process is proactive
2. Key people are trained
3. Resources are updated
4. Monitoring and control are ongoing
5. Material changes have been incorporated
Similarly, the key tasks to be managed in BCP Maintenance are:
• Who takes the ownership and responsibility to maintain it?
• How are the personnel responsible for maintenance told that changes have been
made and it is time to update the system?
• How frequently should the plan be updated?
• How is the plan going to be updated?
• Implement version control procedures
‘Reviewing BCM Arrangements’
An audit or self‐assessment of the BCM program should be done to verify that:
• All key products and services and their supporting critical operations and resources have
been identified.
• BCM policies, strategies, frameworks and plans are aligned to the enterprise’s objectives.
• Management and capability of BCM are effective and competent.
• BCM’s solutions are effective, up‐to‐date and as per the level of risk.
• Maintenance and exercising programs have been effectively implemented.
• Changes and modifications identified during testing have been incorporated.
• Training and awareness are concurrent.
• Communication has been done to the staff and they understand their roles and
responsibilities.
• Change control processes are in place and work properly.
‘BCM Training Process’
• Efficient – Program development;
• Confidence – in staff and customers – that the process can manage business;
• Every decision will involve its implications – resilience will grow; and
• Minimize the likelihood and impact of disruptions.
How is it supported?
• Leadership
• Assignment of responsibilities
• Awareness
• Skills training
• Exercising plans.
‘Training, Awareness and Competency’
BCM competencies are to be developed within the relevant staff and must be aligned to their
business competency:
• Active listening
• Providing support
• Constructive response
• Adaptive leadership
• Culture of health, safety and environment
• Contribution acknowledgement
• Encourage calculated risk taking
• Encouragement of idea generation through active response
• Team work through involvement
• Personal integrity
• Bring improvement by improvisation
‘Types of Plans’
Emergency Plan
It signifies the immediate action to be undertaken when disaster strikes. The moment a disaster
strikes, four aspects of emergency plan must be communicated:
1. Who must be informed?
2. What actions must be taken?
3. Evacuation procedures
4. Return procedures
Back‐up Plan
Important things to be planned, recorded and communicated as a part of the back‐up plan are:
1. Type of back‐up
2. Frequency of back‐up
3. Procedures of making back‐up
4. Location of back‐up resources
5. Assembling and restarting site
6. Responsible personnel
7. Prioritization of operations
8. Time frame for recovery of system
9. Updating the back‐up plan
Recovery Plan
Back‐up is for attaining partial functioning of systems so that the critical functions that support
key products and services may be restarted. The recovery plan is a documented set of procedures for
full recovery of systems.
The first step, as usual, is to form a Recovery Committee. The committee’s responsibilities should be
laid out and recovery priorities should be mentioned. Members should be trained and reviewed
periodically. If any member leaves the organization, new members must be appointed
immediately and must be briefed and trained appropriately.
Test Plan
The final step of the Disaster Recovery Plan is the Test Plan. Why do we test the plan?
To identify the deficiencies in the emergency, back‐up and recovery plans. It is done to know whether
our organization or personnel are prepared for a disaster, and to what extent. Testing must be
done in a range of disaster scenarios, and it should specify the scale or criteria on which the
planning is deemed satisfactory. And it should be periodical. But usually, top managers in
organizations are reluctant to test, as testing disrupts regular business operations.
That’s why it must be done in a phased approach.
First level testing: inspections
Second level testing: Must be done on a slow day. Prior notice should be given to relevant
personnel so that they come prepared, and sometimes it should be done without warning.
Types of Back‐ups
Back‐up system + back‐up data = Total system back‐up
1. Full back‐up: A complete back‐up of the database is taken and restored
whenever required. Not practical or economical, as it demands a large storage space
and consumes too much time. Also it is unrealistic to restore.
2. Incremental back‐up: A full back‐up is taken once, and then on each back‐up date only the
incremental or additional files are added up from the date of the first back‐up. Economical
and easier to take the backup, but restoration is quite difficult as it has to pass through
each restoration point.
3. Differential back‐up: Most economical and easier to implement. A one‐time full
back‐up is taken and then each subsequent back‐up is taken from the date of the first back‐up.
Restoration is simple and quick; however, duplicate files get accumulated.
4. Mirror back‐up: An exact copy of the full back‐up is created, but the copies are not password
protected or compressed, so security is always a big issue with this type of back‐up.
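The types listed above differ in what each run copies and in how many backup sets a restore must read. The following Python simulation is an added example written for these notes (not code from the notes or from any backup product); the file names and the days on which they are edited are constructed sample data. It models an incremental backup as copying the files changed since the previous backup of any kind, a differential backup as copying the files changed since the last full backup, and a daily full backup as copying everything, then reports how much each strategy copies and how many sets a restore has to read.

```python
"""Added example: simulating full, incremental and differential backups.

Illustrative code written for these notes, not from any backup product.
Files are modelled as name -> day of last modification, a backup copies
the files that changed after a reference day, and restore rebuilds the
latest state from the chain. File names and edit days are constructed.
"""
from dataclasses import dataclass


@dataclass
class BackupSet:
    kind: str    # "full", "incremental" or "differential"
    day: int     # day on which the backup was taken
    files: dict  # file name -> version (modification day) captured


def changed_since(state, day):
    """Files modified after `day`, the reference point of the backup."""
    return {name: mod for name, mod in state.items() if mod > day}


def last_full(history):
    """Most recent full backup in the chain."""
    return [b for b in history if b.kind == "full"][-1]


def run_scenario(strategy):
    """Full backup on day 0, then one backup of `strategy` on days 1-3.

    Returns the live state after day 3 and the backup history.
    """
    state = {"ledger.db": 0, "payroll.xlsx": 0, "policy.pdf": 0}
    # constructed edits: which files are changed on each day
    edits = {1: ["ledger.db"], 2: ["ledger.db", "payroll.xlsx"], 3: ["ledger.db"]}
    history = [BackupSet("full", 0, dict(state))]
    for day in (1, 2, 3):
        for name in edits[day]:
            state[name] = day
        if strategy == "full":
            files = dict(state)                                   # everything, every time
        elif strategy == "incremental":
            files = changed_since(state, history[-1].day)         # since last backup of any kind
        elif strategy == "differential":
            files = changed_since(state, last_full(history).day)  # since the last full backup
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        history.append(BackupSet(strategy, day, files))
    return state, history


def files_copied(history):
    """Files written by the backups taken after the initial full backup."""
    return sum(len(b.files) for b in history[1:])


def restore(history):
    """Rebuild the latest state. Returns (state, number of backup sets read).

    Incremental chains need the full backup plus every later increment in
    order; differential chains need only the full backup plus the latest
    differential; a chain of full backups needs just the latest one.
    """
    base = last_full(history)
    restored = dict(base.files)
    later = [b for b in history if b.day > base.day]
    if later and later[-1].kind == "differential":
        later = [later[-1]]  # earlier differentials are superseded
    for b in later:
        restored.update(b.files)
    return restored, 1 + len(later)


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        state, history = run_scenario(strategy)
        restored, sets_read = restore(history)
        print(f"{strategy:<12} files copied after day 0: {files_copied(history)}  "
              f"sets read on restore: {sets_read}  restored correctly: {restored == state}")
```

Running it shows the trade‐off the notes describe: incremental copies the least but its restore must walk every restoration point in order; differential copies the changed files again on every run (the accumulated duplicates) but restores from just two sets; a full backup every day copies everything and restores from one set.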
Alternate Processing Facility Arrangements
Cold Site: Just the necessary infrastructure is present. ‘Pain threshold’ must be high.
Hot Site: Absolutely ready to be used. ‘Pain threshold’ is usually lower. It is very expensive
to own; hence usually outsourced and shared with multiple parties.
Warm Site: Facilities along with necessary hardware and communication lines are provided.
Reciprocal Site: Arrangement between two similar organizations to help each other in
times of adversities.
If a third party site is to be used, a proper contract should be entered into, ensuring that the
following has been covered:
• How quickly the site can be made available subsequent to the disaster
• The number of organizations that will be sharing the site
• Priority to be given to concurrent users of the site in case of a common disaster
• Period for which the site can be used
• Conditions under which it can be used
• Facilities and services to be provided by the owner
• What controls will be placed
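The following Python example is added here to tie together the three‐point grading and the probability × impact matrix from ‘Classification of Critical Activities’, the ‘pain threshold’ from the BIA, and the choice of alternate processing facility above. It is illustrative code written for these notes, not from any BCM tool. The notes do not fix how the four parameter grades combine into one impact grade, how impact maps to Vital/Essential/Desirable, or how long each site type takes to activate, so the code assumes that the highest grade decides the impact, that impact 3/2/1 means Vital/Essential/Desirable, and uses constructed activation times and a constructed cheapest‐first ordering of the sites.

```python
"""Added example: a small Business Impact Analysis (BIA) register that
applies the three-point grading, the probability x impact matrix and the
'pain threshold' from these notes to choose an alternate processing site.

Illustrative code written for these notes, not from any BCM tool. Assumed
here (the notes do not fix these): an activity's business impact is the
highest of its four parameter grades; impact 3/2/1 maps to Vital/Essential/
Desirable; site activation times and their cost order are constructed.
"""

GRADE = {"L": 1, "M": 2, "H": 3}

# Only these two cells of the matrix are named in the notes.
MATRIX_LABELS = {3: "Minor", 9: "Catastrophe"}

# Constructed assumption: hours until each site can take over, listed
# cheapest first (cold site is bare infrastructure, hot site is the most
# expensive, so it is chosen only when nothing cheaper is fast enough).
SITES = [
    ("cold site", 72),
    ("reciprocal site", 48),
    ("warm site", 24),
    ("hot site", 2),
]


def business_impact(grades):
    """Assumed aggregation: the worst of the revenue, reputation,
    customer-satisfaction and productivity grades decides the impact."""
    return max(GRADE[g] for g in grades)


def category(impact):
    """Assumed mapping of the impact grade onto the three categories."""
    return {3: "Vital", 2: "Essential", 1: "Desirable"}[impact]


def risk_score(probability, impact):
    """Cell of the 3x3 matrix: probability of calamity x business impact."""
    return probability * impact


def choose_site(pain_threshold_hours):
    """Cheapest site whose activation time fits within the pain threshold;
    None when no listed site can restore the activity in time."""
    for name, hours in SITES:
        if hours <= pain_threshold_hours:
            return name
    return None


def assess(register):
    """Evaluate each activity of the register and return the BIA findings."""
    findings = []
    for activity, grades, probability, threshold in register:
        impact = business_impact(grades)
        score = risk_score(probability, impact)
        findings.append({
            "activity": activity,
            "category": category(impact),
            "score": score,
            "label": MATRIX_LABELS.get(score, "unnamed in the notes"),
            "site": choose_site(threshold),
        })
    return findings


# Constructed sample register: (activity, grades for [revenue, reputation,
# customer satisfaction, productivity], probability 1-3, pain threshold in hours)
SAMPLE_REGISTER = [
    ("ATM switch", ["H", "H", "H", "M"], 2, 4),
    ("Payroll run", ["M", "M", "L", "M"], 1, 48),
    ("Internal newsletter", ["L", "L", "L", "L"], 3, 240),
    ("Core ledger", ["H", "H", "H", "H"], 3, 1),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_REGISTER):
        site = f["site"] or "NO LISTED SITE MEETS THE PAIN THRESHOLD"
        print(f"{f['activity']:<20} {f['category']:<10} score={f['score']} "
              f"({f['label']}) -> {site}")
```

Running it prints one line per activity. The core ledger row shows the check a practitioner wants from such a register: no listed site activates within its one‐hour pain threshold, so the strategy for that activity has to be revisited rather than assumed to be covered by the site contract.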
Disaster Recovery Procedural Plan
Plans and Procedures:
• Detailed description of purpose and scope of the plan
• Contingency plan testing and procedure
• Conditions for activating the plans
• Fall back procedures ‐ shifting and securing essential business operations to temporary
locations
• Resumption procedures
• Maintenance schedule ‐ how and when it will be tested and maintained
• Regular update
Emergency Communication:
• Contact list of vendors
• Emergency services numbers
• List of vendors
• Employees’ contact numbers
• Details of airlines, hotels and transport arrangement
• Medical
People:
• Appointing and training people to different recovery responsibilities
• Keeping alternatives as well
• Procedures to be followed
• Names of employees trained for emergency situations
System and Data:
• Contracts of back‐up location
• Insurance papers and claim forms
• Primary computer center and its configuration
• Location of data and program files, documentation manuals
Chapter 5: Acquisition, Development & Implementation of Information Systems
‘Business Process Design’
Present Process Documentation
• Understanding the business and its objectives
• Documenting the existing business processes
• Analysis of documented processes
Proposed Process Documentation
• Understanding the business processes necessary to achieve objectives
• Designing the new processes
• Documentation of new processes, preferably using CASE tools
Implementation of New Process
• Validating
• Implementing
• Testing
Why do organizations fail to achieve their systems development
objectives?
(Users, Developers, Management, Technologies)
Users: Problems related to users are:
Developers: Problems related to the developers are:
Management: Problems related to management are:
Technologies (new): Most users are not updated or trained as per the latest
technology available or being proposed to be developed.
Role of an Accountant in Development Work
1. Return on Investment (ROI): This refers to the return an entity shall earn on a
particular investment, i.e. capital expenditure.
Cost of Project: This includes three types of costs:
Benefits: Can be divided into tangible and intangible, and should tell about the
payback period as well. For example, if after spending 1 crore on development a
company saves 40 lacs rupees of cost and errors, ROI comes out to be 40%, and it
also tells us that the payback period is going to be 2.5 years.
‘Systems Development Methodology’
• The project is broken into a number of identifiable processes with a defined starting
point and ending point. Each process comprises several activities. This division helps in
effective production, planning and control.
• Specific reports and other documentation are produced at specific predetermined
points. Such documentation and reports are called ‘Deliverables’. They help to maintain
accountability in the process.
• Users, managers and auditors are required to participate in the process and provide approval at
different points called ‘Management Control Points’. Approval process is called ‘Sign offs’.
• The system must be tested thoroughly prior to implementation to ensure that it does what it
intends to do.
• Adequate training plan must be created for the users.
• Formal program change controls are established to preclude unauthorized changes to computer
programs.
• A post implementation review of the developed system must be done to ensure the
effectiveness and efficiency of the system.
‘System Development Models’
There are six models which are used by the organizations depending on their use and
objectives:
1. Waterfall Model
2. Prototyping Model
3. Incremental Model
4. Spiral Model
5. RAD (Rapid Action Development) Model
6. Agile Model
‘Waterfall Model’ or the Traditional Model (or approach)
The phases flow in sequence: Investigation → Requirements Analysis → System Design → System
Development → System Testing → Implementation and Maintenance.
The key characteristics of this model are:
• Project is divided into sequential phases with some overlap and splash back
acceptable between phases.
• Emphasis is on planning, meeting time schedules, target dates and
implementation of an entire system at one time.
• Tight control is maintained over the life of the project through extensive
documentation, formal reviews and sign‐offs.
Strengths:
• Ideal for supporting less experienced developers
• Quality, reliability, adequacy and maintainability is ensured due to orderly sequence
• Progress is measurable
• Conserves resources
Weaknesses:
• Inflexible, slow, costly and cumbersome
• Backward movement is only slight
• It depends on the early requirement analysis, at which point the user may not be clear
about the requirements.
• Problems are usually discovered during design and coding or even later such as Testing.
• Performance cannot be tested unless entire system is coded
• Making changes at the last stage may prove very costly
• Excessive documentation makes it very time consuming
‘The Prototyping Model’
To develop smaller systems like MIS, DSS and EIS, Prototyping model is the most favored one
because it is less time consuming. The basic idea behind this model is:
• To develop a small or pilot version, called a prototype, of the system or a part of it.
• Prototype is built quickly at a much lower cost.
• Idea is to modify it by regular user interaction, finally converting it into a fully developed
system.
• As users work on it, they make suggestion to make it better and more usable.
• Suggestions are incorporated.
• Finally, when it is ready for the sign offs, either it is accepted or rejected.
• If in case it gets rejected, the knowledge gained in the entire process is used to create a
fully developed new system.
It is a series of four steps:
• Identify information system requirements
o Only fundamental requirements are taken
o Process of determining them can be less formal and time consuming
• Develop initial prototype
o Base model is prepared with no consideration to internal controls
o Emphasis is more on ease of use and flexibility
o It works just as a normal interactive system but at a smaller scale
• Test and revise
o Prototype is given to users to experiment with after a proper demonstration
o Users note their feedback and recommendations
o Prototype is redesigned or modified as per the suggestions
o Prototype is resubmitted for approval
• Obtain user sign‐off of the approved prototype.
o Users formally approve the version of prototype which commits them to current
design and establishes a formal contract as to the scope of activity of the system
Strengths
• Improves user participation at all levels
• Especially useful in resolving unclear objectives
• It helps in identifying confusing and difficult functions and missing functionality
• Encourages innovation and flexible designs
• Enables quick implementation of an incomplete but functional design
• Results in addressing the user needs and requirements through active participation
• A very short period of time is required to develop and start experimenting with a
prototype
• Most errors are usually detected and eliminated.
Weaknesses
• Approval process and control are not strict
• Incomplete or inadequate problem analysis may occur resulting in inefficiency of the
system
• Requirements may frequently change
• Identification of non-functional elements is difficult to document
• Prototype may not have sufficient checks and balances incorporated
• It can be successful only if the system users are willing to devote significant time in
experimenting with prototype which users may not be willing to do.
• Interactive process causes it to be experimented with quite extensively. Because of this
developers are tempted to minimize the testing and documentation. It can make the
system error prone
• User behavior may be an issue as all the user requirements may not be met.
The Incremental model
Method of software development where the product is designed, implemented, and tested
incrementally until it is finished. The product is considered finished once it meets all
the requirements. This model is a combination of both waterfall and prototyping.
• The product is decomposed into a number of components, each of which are designed
and built separately – termed as builds.
• Each component is delivered to the client when it is complete.
• This allows partial utilization of product and avoids long time consumption.
• It also helps ease the traumatic effect of introducing a new model at once.
Key characteristics are:
• A series of mini waterfalls are performed where all phases of waterfall development
model are completed for a small part of the system, before proceeding to the next
increment.
• Overall requirements are defined before starting it.
• Initial stages are similar to waterfall followed by iterative prototyping.
Requirements → Design → Implementation → Integration and testing → Operation
Strengths
• Moderate control is maintained over the life of the project through the use of written
documentation and formal review and signoffs.
• Stakeholders can be given concrete evidence of the project status
• More flexible and less costly to change as per user requirements or errors identified
• It helps to mitigate integration and architectural risks earlier in the project
• It allows the delivery of a series of implementations which can be quickly converted into
a full scale model
• Monitoring the development process is better as the project moves ahead gradually.
Weaknesses
• Overall business problem and technical requirements are often not met.
• Not all requirements are gathered up front; hence, architectural flaws
• Some modules may be completed earlier than others, hence resource wastage
• Difficult to demonstrate early success to management
Spiral Model
It combines both design and prototyping elements in stages. It tries to combine top down and
bottom up concepts. It combines the features of waterfall and prototyping model. It is meant for
large, expensive and complicated projects.
Key characteristics:
• New system requirements are taken in as much detail as possible
• Preliminary design is created for new system. This phase is the most important phase, in
which all possible models to develop the most cost effective model are analyzed. This
step has been added to address and mitigate all possible risks.
• A first prototype of the new system is constructed. This is a smaller one.
• A second prototype is evolved by thoroughly testing the first one. This stage would have
requirement analysis, planning and design for the second prototype, constructing it and
finally, testing it.
Strengths
• It enhances risk avoidance
• It can incorporate Waterfall, Prototype, and Incremental methodologies depending on
the need.
Weaknesses
• It is challenging to determine the exact composition of methodologies to be
used in different circumstances.
• It is quite complex and comes with limited reusability
• A skilled and experienced Project manager is required
• There are no firm deadlines, hence there is always a risk of not meeting budget or
schedules
Rapid Application Development (RAD) Model
The main feature of this model is that it uses minimal planning in favour of rapid
software development, so planning and development actually go hand in hand. The lack of
up-front planning allows the software to be written much faster and makes it easier to change
requirements. Key features include:
• Key objective is fast development and delivery of a high quality system at a relatively
low investment cost.
• Iterative prototyping at any stage of the process
• Active user involvement
• Fulfilling the business needs holds the prime importance w.r.t. technological or
engineering excellence.
• Timing and scheduling is the most important thing as the deadlines or “timeboxes”
cannot be allowed to be extended. Requirements may be reduced but deadline won’t
be compromised.
• Generally includes JAD (Joint Application Development), where users are intensely
involved in the design process.
• Cannot be developed without active user participation.
Strengths
• Operational version of the application is available very quickly
• Produces systems at a much lower cost
• Quick initial reviews are available
• It involves a greater commitment from Management as well as the users
• It focuses on only the essential elements from the users’ point of view.
• It provides for rapid change in system design as per users’ requirements.
Weaknesses
• Quality is adversely affected due to fast speed and lower cost.
• It may end up with more requirements than needed
• It may lead to inconsistent designs within and across the system
• Inconsistent naming conventions and inconsistent documentation may lead to violation of
programming standards
• Formal reviews and audits are more difficult to implement than for a complete system
• Tendency for difficult problems to be pushed to the future to demonstrate early success
to the management
• Once again, some modules may get developed earlier than the others leading to
resource wastage
Agile Model
This is an organized set of software development methodologies based on iterative and
incremental development. It promotes adaptive planning, evolutionary development and
delivery; timeboxed approach and rapid and flexible response to change. Key features are:
• Key objective: customer satisfaction by rapid delivery of useful software
• Changes can be made even at a later stage
• Working software is delivered within weeks
• Performance measurement: Working software + low cost + quick delivery
• Continuous attention to technical excellence and good design
• Regular adaptation to changing circumstances
Strengths
• Quick response to changing requirements
• No time and effort wastage because of constant user participation
• Face to face communication leaves little scope for guesswork.
• End result is high quality software in the least possible time with a highly satisfied
customer
Weaknesses
• In case of some software deliverables, especially the large ones, it is difficult to assess
the efforts required at the beginning of the software development life cycle.
• No emphasis on designing and documentation
• Potential threat to business continuity and knowledge transfer as it is purely based on
verbal communication
• It needs more rework due to lack of planning and lightweight approach
• It can easily get off track if the users are not clear about the final outcome
• It lacks attention to outside integration
‘System Development Life Cycle’
Key features:
• Generic sequence of steps or phases – one phase giving a starting point to the next one
• Deliverables are critical to the success of this model. Deliverables include: documents,
artifacts, prototypes, a system test plan or even a hardware object.
• Better planning and control by project managers
• Compliance to prescribed standards ensuring better quality
• Documentation is the most important aspect of this model
For an IS Auditor
• There is a clear understanding of various phases of SDLC on the basis of detailed
documentation created during each phase, which can be reported as well
• The IS auditor, if he has technical knowledge, can be a guide during different phases of SDLC
• He can also provide evaluation of the methods and techniques used through various
development phases.
Shortcomings:
• It may be cumbersome
• End product is not visible for a long time
• Time duration may be prolonged
• Unsuitable for small or medium sized companies or projects
The process starts with one of the users citing or raising a problem within the existing system.
Different phases of SDLC
1. Preliminary Investigation
2. Systems Requirement Analysis
3. Systems Design
4. Systems Development
5. Systems Testing
6. Systems Implementation
7. Post Implementation Review and Maintenance
Stage I Preliminary Investigation
It is initiated by some sort of system request by a user in any of the departments. The basic
reason for investigation is to:
• Determine whether the solution is as per the business requirements or strategies
• Determine whether the existing system may rectify the situation without a major
modification
• Define the time frame for which the solution is required
• Determine the approximate cost to develop the system
• Determine whether the vendor product offers a solution to the problem
The main steps of preliminary investigation are:
1. Identification of Problem:
The problem is escalated to the IT Steering Committee which appoints a system analyst to do
problem identification. The key tasks that a system analyst carries out are:
• Clarify and understand the project request
• Determine the size of the project
• Determine the technical and operational feasibility of the alternative approaches
• Assess costs and benefits of alternative approaches
• Report findings to the management with recommendation – acceptance or rejection
2. Identification of Objectives:
Once the problem has been identified, it is easy to work out and precisely specify the key
objective of the proposed solution or system.
3. Delineation of Scope:
It means drawing a visible boundary as to ‘what is to be done’ and ‘what is not to be done’. This
is the most essential phase during the investigation as it clearly outlines the scope of the
project. It may be performed on various dimensions:
Functionality: What functions will be delivered through the solution?
Data to be Processed: What data is required to achieve these functions?
Control Requirements: What controls are required?
Performance Requirements: What level of response time, execution time and throughput is
required?
Constraints: What are the conditions the input data has to conform to?
Interfaces: Are there any special hardware/ software that the application may require?
Financial Viability: Are we ready for the financial outlay required?
While delineating, we need to consider a few more aspects:
Who do we need to take the requirements from: Manager or champion or Executive Sponsor
Whose profile do we need to understand: Users
What do we need to clearly quantify while presenting the proposed solution for approval:
Economic Benefits
What do we need to understand about the solution: Impact on Business
What else do we need to give weight to: Intangible Benefits
How can we get the desired information for delineation?
• Reviewing Internal Documents
• Interviews
4. Feasibility Study
Once the possible solutions have been identified, project feasibility i.e., the likelihood that
these systems will be useful for the organization is determined. It is carried out by ‘Systems
Analyst’. It simply means evaluating all the options or alternatives through cost/benefit analysis
so that the most feasible or desired system can be selected for development. Following areas
must be covered for the purpose of feasibility:
• Technical: Is the technology needed available?
• Financial: Is the solution financially viable?
• Economic: Return on Investment?
• Schedule/ Time: Can the system be delivered in time?
• Resources: Do we have ample resources available, and are the human resources
reluctant about the solution?
• Operational: How will the solution work?
• Behavioral: Is the solution going to bring any adverse effect on the quality of work?
• Legal: Is the solution valid in legal terms?
Technical Feasibility: (Also read page no. 5.25 of the revised module)
It tries to answer whether implementation of the project is viable using current technology.
It must try and answer the following questions:
• Does the necessary technology exist (or can it be acquired) to do what is proposed?
• Does the proposed equipment have the technical capacity to hold the data required to
use the new system?
• Can the proposed application be implemented with existing technology?
• Will the proposed system be ready to handle a large number of users at multiple
locations?
• Can the system be expanded if possible?
• Are there any technical guarantees of accuracy, reliability, ease of access and data
security?
Financial Feasibility:
• The solution proposed may be prohibitively costly for the user organization.
Economic Feasibility:
It includes evaluation of all the incremental costs and benefits expected if the proposed system
is implemented. Following must be estimated:
• Cost of investigation
• Cost of hardware and software for the application development
• Benefits in terms of reduced costs and costly errors
• Cost if nothing changes (if the proposed system is not developed)
Schedule or Time Feasibility:
It involves design team’s estimation of how long it will take a new or revised system to become
operational and communicating this information to IT Steering Committee. The lesser the time
taken, the higher the chance of approval.
Resources Feasibility:
This focuses on manpower or human resources. Implementing sophisticated software solutions
becomes difficult if the manpower resources are not participating or favorable.
Operational Feasibility:
It tries to ascertain the views of workers, employees, customers, and suppliers about the use of
computer facility.
• Is there sufficient support for the system from management and from users?
• Are current business methods acceptable to users?
• Have the users been involved in planning and development of the project?
• Will the proposed system cause harm?
• Will individual performance be poorer after implementation than before?
Behavioral Feasibility:
It refers to the systems’ behavior with respect to the input data. Also, it is checked if the input
data for the proposed system is readily available or collectable or not?
Legal Feasibility:
It is ascertained whether the system will be able to meet all legal requirements or not.
5. Reporting Results to Management
Results are reported to the management with a covering letter of intent attached.
Recommendations pertaining to acceptance or rejection of the proposed system should be
submitted. Not all systems may be accepted.
6. Internal Control Aspects
It is not possible to implement controls post the implementation of the software; hence it
should be done at each level of SDLC. To check controls, auditors may be used internally or
experts may have been hired externally. External consultants may prove expensive but internal
auditors may not have the required expertise.
Pertaining to investigation, following questions should be asked in order to implement controls:
• Whether problem definition is proper?
• Whether all feasibility studies have been properly done?
• Whether results of feasibility studies have been documented?
• Whether management report submitted reflects outcome of feasibility studies done?
Stage II Systems Requirements Analysis
This phase includes a thorough and detailed understanding of the current system. The
deliverable at the end of this stage is a document called – Systems Requirements Specification
(SRS).
This has following stages:
1. Fact Finding
This stage aims at understanding the needs of the business and requirements. To assess this,
the analyst should interact extensively with people who will be benefitted from the system in
order to determine what their exact requirements are. Following techniques may be utilized by
the analyst to achieve it:
Documents: Manuals, input forms, output forms, diagrams of current operations,
organization charts, job descriptions and other documents can be a good source of the users’
current requirements.
Questionnaires: Users and managers are asked to complete questionnaires about the
information systems. The main strength is that a large amount of data can be collected through
a variety of users quickly. Responses can be analyzed rapidly with the help of a computer.
Interviews: Users and managers may also be interviewed to extract information in depth. It
will provide the analyst a larger picture of the problems and opportunities.
Observations: Only by observing how users react to prototypes of a new system can the
system be successfully developed.
2. Analysis of Present System – ‘RAR – RAR ‐ MU’
Detailed analysis of present system involves collecting, organizing and evaluating facts about
the system and the environment in which it operates. The following areas should be studied in
depth:
Analyzing Inputs: What kind of source documents the organization is using for inputs?
What are the other sources from which the data was originally created? What is contained in
each form facilitating various processes in organization? Who prepared it and what was the
purpose behind it? From where the form is initiated and where is it completed? It is important
to know how these inputs fit into the framework of the system.
Reviewing Data Files: The analyst should investigate the data files maintained by each
department, noting their number and size, where they are located, who uses them and the
number of times per given time interval, these are used. Information on common data files and
their size will be an important factor, which will influence the new information system. This
information may be contained in the systems and procedures manuals.
Analyzing Outputs: The outputs or reports must be properly and carefully scrutinized to
determine how well they will meet the organization’s needs. The analyst must understand what
information is needed and why, who needs it and when and where is it needed.
Modeling the Existing System: As the logic of inputs, methods, procedures, data files,
data communications, reports, internal controls and other important items are reviewed and
analyzed in a top down approach, the processes must be properly documented, including
relevant flow charts and diagrams for clear understanding by senior management.
3. System Analysis of Proposed Systems (Start from Output)
The required systems objectives should align with the project’s objectives and should be in
accordance with the following:
• Outputs are produced with great emphasis on timely managerial reports that utilize the
management by exception principle.
• Databases are maintained with great accent on online processing capabilities.
• Input data is prepared directly from original source documents for processing by
computer system
• Methods and procedures that show the relationship among the above mentioned
components
• Work volumes and timings are carefully considered for present and future periods
including peak periods.
After outputs have been determined, it is possible to infer the other things. The output‐to‐input
process is recommended because other things depend on output.
4. System Development Tools
Following tools and techniques may be employed to improve current information systems and
to develop new ones.
Flowcharts are used in analyzing, designing, documenting, or managing a process
or program in various fields.
o Data Flow Diagrams (DFD): A DFD uses few simple symbols to illustrate the
flow of data among external entities (such as people or organizations),
processing activities and data storage elements. A DFD is composed of four basic
elements.
o System Components Matrix: It is a matrix framework to document the
resources use, the activities performed and the information produced by an
information system. It can be used as an information system framework for both
systems analysis and system design.
• User Interface: Designing the interface between end users and the computer
system is a major consideration of a system analyst while designing the new system.
Following tools can be used to create it:
o Layout Form and Screen Generator: These are for printed reports, used to format
or “paint” the desired layouts and content without having to enter complex
formatting information.
o Menu Generator: It outlines the functions which the system is aimed to
accomplish. Menu may be linked to other submenus that will enable the user to
understand how the screens and sub‐screens will be used for data entry or
inquiry.
o Report Generator: It has capacity of performing similar functions as found in
screen generators.
o Code Generator: It allows the analyst to generate modular units of source
code from the high level specifications provided by the system analyst and plays a
significant role in systems development process.
• Data Attributes and Relationships: Data resources are defined, cataloged and
designed by this category of tools.
o Data Dictionary: A Data Dictionary contains descriptive information about
the data items in the files of a business information system. In simple words,
a data dictionary is a computer file about data. Each computer data dictionary
contains information about a single data item used in a business information
system as shown below:
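As an added illustration (not from the notes or the ICAI module), the following Python sketch shows what a data dictionary records for each data item (name, description, type, width, permitted values, source, where used) and one practical use a system analyst gets from it: validating input records against the definitions, which is how the dictionary also supports input controls. The item names, limits and sample records are constructed assumptions.

```python
"""Data dictionary entries driving input validation (added example, not from the notes).

Every field name, item definition and sample record below is a constructed
assumption made for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DataItem:
    """One data dictionary entry: what the dictionary records about a single item."""
    name: str
    description: str
    data_type: str                                      # "char", "int" or "decimal"
    max_length: int                                     # stored width of the field
    allowed_values: Optional[Tuple[str, ...]] = None    # fixed code list, if any
    value_range: Optional[Tuple[float, float]] = None   # inclusive numeric bounds
    source: str = ""                                    # document/process the item comes from
    used_in: Tuple[str, ...] = ()                       # programs or reports that use it


class DataDictionary:
    """Catalogue of data items, plus two uses an analyst gets from it:
    where-used queries and validation of input records against the definitions."""

    def __init__(self) -> None:
        self._items: Dict[str, DataItem] = {}

    def add(self, item: DataItem) -> None:
        if item.name in self._items:
            raise ValueError(f"duplicate data item {item.name!r}")
        self._items[item.name] = item

    def lookup(self, name: str) -> DataItem:
        return self._items[name]

    def where_used(self, program: str) -> List[str]:
        """Names of every item the given program or report uses."""
        return [i.name for i in self._items.values() if program in i.used_in]

    def validate(self, record: Dict[str, Any]) -> List[str]:
        """Check one input record against the dictionary; return the list of
        violations (empty when the record conforms)."""
        errors: List[str] = []
        for name, value in record.items():
            item = self._items.get(name)
            if item is None:
                errors.append(f"{name}: not defined in the data dictionary")
                continue
            text = str(value)
            if len(text) > item.max_length:
                errors.append(f"{name}: length {len(text)} exceeds {item.max_length}")
            if item.data_type in ("int", "decimal"):
                try:
                    number = int(text) if item.data_type == "int" else float(text)
                except ValueError:
                    errors.append(f"{name}: {text!r} is not a valid {item.data_type}")
                    continue
                if item.value_range is not None:
                    low, high = item.value_range
                    if not low <= number <= high:
                        errors.append(f"{name}: {number} outside range {low}..{high}")
            if item.allowed_values is not None and text not in item.allowed_values:
                errors.append(f"{name}: {text!r} not one of {item.allowed_values}")
        return errors


def sample_dictionary() -> DataDictionary:
    """Constructed dictionary for a customer master file (assumed items)."""
    dd = DataDictionary()
    dd.add(DataItem("cust_id", "Customer identifier", "char", 8,
                    source="Customer master form", used_in=("CUSTMAINT", "INVOICE")))
    dd.add(DataItem("credit_limit", "Approved credit limit", "decimal", 10,
                    value_range=(0, 1_000_000), source="Credit control",
                    used_in=("INVOICE",)))
    dd.add(DataItem("status", "Account status code", "char", 1,
                    allowed_values=("A", "I", "S"), source="Credit control",
                    used_in=("CUSTMAINT",)))
    return dd


if __name__ == "__main__":
    dd = sample_dictionary()
    print(dd.where_used("INVOICE"))
    print(dd.validate({"cust_id": "C00123", "credit_limit": "50000", "status": "A"}))
    print(dd.validate({"cust_id": "C0012345678", "credit_limit": "abc", "status": "Z"}))
```

The where-used query is what makes the dictionary useful during change control: before a data item is altered, every program that depends on it can be listed from the catalogue rather than from memory.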
• Detailed System Processes: Detailed processes and procedures required in the design
of a computer program are created by using techniques and tools like Decision tree and
Decision tables. They document the complex conditional logic involved in choosing
among the information processing alternatives in a system.
o Decision Tree: A decision tree or tree diagram is a support tool that uses a tree
like graph or model of decisions and their possible sequences, including
chance event outcomes, resource costs and utility. Commonly, it is used in
operations research, specifically in decision analysis, to help identify a strategy
most likely to reach a goal and to calculate probabilities.
o Decision Table: A decision table is a table which may accompany a flow
chart, defining the possible contingencies that may be considered within the
program and the appropriate course of action for each contingency. The four
parts of decision table are given as follows:
Condition Stub – This lists the conditions
Action Stub – This lists the actions to be taken along various program
branches
Condition Entries – This lists the possible permutations of answers to the
questions in conditions stub
Action Entries – This lists actions corresponding to the condition entries
contingent upon the set of answers to questions of that column.
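To make the four parts concrete, here is an added Python example (not from the notes) in which a decision table is built from a condition stub, an action stub, and one column per rule holding the condition entries and action entries. It also shows the check a reviewer of such a table should make: that every permutation of answers is covered by some column. The purchase-approval rules, the 50,000 limit and the action names are constructed assumptions.

```python
"""Decision-table evaluator (added example, not from the notes).

The purchase-approval table below is a constructed illustration: its
conditions, the 50,000 limit and its actions are assumptions.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Optional


@dataclass
class DecisionTable:
    # Condition stub: each question is a named predicate over the input record.
    conditions: Dict[str, Callable[[dict], bool]]
    # Action stub: the actions that may be taken along the program branches.
    actions: List[str]
    # Columns of the table: condition entries (True / False / None for "-")
    # and the action entries marked for that column.
    rules: List[dict] = field(default_factory=list)

    def add_rule(self, entries: Dict[str, Optional[bool]], take: List[str]) -> None:
        """Add one column. Every condition needs an entry; None means 'irrelevant'."""
        if set(entries) != set(self.conditions):
            raise ValueError("entries must cover exactly the conditions in the stub")
        if not set(take) <= set(self.actions):
            raise ValueError("column names an action that is not in the action stub")
        self.rules.append({"entries": dict(entries), "take": list(take)})

    @staticmethod
    def _matches(entries: Dict[str, Optional[bool]], answers: Dict[str, bool]) -> bool:
        return all(expected is None or answers[name] == expected
                   for name, expected in entries.items())

    def evaluate(self, record: dict) -> List[str]:
        """Answer every condition for the record and return the action entries of
        the first column whose condition entries match."""
        answers = {name: bool(test(record)) for name, test in self.conditions.items()}
        for rule in self.rules:
            if self._matches(rule["entries"], answers):
                return list(rule["take"])
        # A complete table has a column for every permutation of answers, so
        # reaching this point is a specification defect, not a runtime condition.
        raise LookupError(f"no column covers answers {answers}")

    def missing_permutations(self) -> List[Dict[str, bool]]:
        """Completeness check: every permutation of answers with no matching column."""
        names = list(self.conditions)
        missing = []
        for combo in product((True, False), repeat=len(names)):
            answers = dict(zip(names, combo))
            if not any(self._matches(r["entries"], answers) for r in self.rules):
                missing.append(answers)
        return missing


def purchase_approval_table() -> DecisionTable:
    """Constructed purchase-order approval table (assumed rules)."""
    table = DecisionTable(
        conditions={
            "amount_over_limit": lambda r: r["amount"] > 50_000,   # assumed limit
            "vendor_approved": lambda r: r["vendor_approved"],
            "budget_available": lambda r: r["budget_available"],
        },
        actions=["auto_approve", "route_to_manager", "reject", "log_exception"],
    )
    # Each add_rule call is one column: condition entries, then action entries.
    table.add_rule({"amount_over_limit": False, "vendor_approved": True,
                    "budget_available": True}, ["auto_approve"])             # column 1
    table.add_rule({"amount_over_limit": True, "vendor_approved": True,
                    "budget_available": True}, ["route_to_manager"])         # column 2
    table.add_rule({"amount_over_limit": None, "vendor_approved": False,
                    "budget_available": None}, ["reject", "log_exception"])  # column 3
    table.add_rule({"amount_over_limit": None, "vendor_approved": True,
                    "budget_available": False}, ["reject"])                  # column 4
    return table


if __name__ == "__main__":
    table = purchase_approval_table()
    print(table.evaluate({"amount": 75_000, "vendor_approved": True, "budget_available": True}))
    print(table.missing_permutations())  # empty when every permutation has a column
```

Dropping column 4 leaves the two permutations with an approved vendor and no budget uncovered; `missing_permutations()` reports them, which is exactly the gap a reviewer of the paper table would look for before the logic is coded.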
The above all can be achieved in a simple manner by using the following tools:
• Structured English: Also known as Program Design Language (PDL), it refers to the use
of English language with the syntax of structured programming. Thus, Structured English
aims at getting the benefits of both the programming logic and natural language.
• CASE tools: CASE – Computer Aided Software Engineering is a range of software
packages which provide on‐screen modules which facilitate all the tools on a single
platform and enable the system developers to draw and create flowcharts and tables
with precision and accuracy.
All the above components and tools combined help the system developers to achieve their
objectives and identify all the possible alternatives.
6. Roles involved in SDLC: A variety of tasks during SDLC are performed by special
teams/ committees/ individuals.
7. Internal Controls: This is the most important phase. Some of the key control
aspects are:
Whether present system analysis has been properly done?
Whether appropriate domain expert was engaged?
Whether all user requirements of proposed system have been considered?
Whether SRS document has been properly made and vetted by users, domain experts,
and system analysts?
Stage III System Designing
Key points to be covered:
• The objective is to design the most capable information system.
• It describes the process of implementation using hardware, software and network
facilities. Basic steps involve:
o Screen design and reports
o Processing steps and computation rules for the new solution
o Determining data file or database system file design
o Preparing the program specifications
o Internal/ external controls
• This phase is responsible for creating a ‘blueprint’ for the design.
Design phase includes Architectural Design and Acquisition of hardware/ system software
platform: These are described as follows:
Functional decomposition has three elements: Module (the box), Connection (the
arrow), and Couple (data flow).
• Design of Data/ Information flow: It is a major step in the conceptual design of
the system. The main components required are: existing data/ information
flows, problems with the present system, and objective of new system. All these
have been identified in the analysis phase and documented in SRS.
• Design of Database: Extent to which a database will support the organization in
terms of its geographic presence – Local to global. The design of database
involves four major activities as shown below
Design Activity – Explanation
Conceptual Modeling – Application domain via entities/ objects, their attributes, static and
dynamic constraints
Data Modeling – Accessible and easy to manipulate data models
Storage Structure Design – Linearizing and partitioning of data enabling its storage in a device.
Physical Layout Design – How to distribute the storage structure across specific media and
locations
• User Interface Design: How will the user interact with the system, or in simple
language, use the system? The points that must be kept under consideration
are:
o Source documents to capture raw data
o Hard copy output reports
o Screen layouts for dedicated source document input
o Inquiry screens for database interrogation
o Graphic and color displays
o Requirements for special input/ output devices
Output is the most important feature for users; hence output must be designed
with great care, keeping in mind the needs of the users.
• Physical Design: For this purpose, logical designed is transformed into units
which in turn can be decomposed further into implementation units such as
programs and modules. Effectiveness and efficiency are the main concerning
factors. Some of the generic design principles being applied to develop the
design of typical information systems include the following:
o Two to three alternative designs must be created to choose the best out
of them
o Design must be based on detailed analysis
o Software functions designed should be directly relevant to business
activities
o Design should follow the laid down standards
o Design should be modular, with high cohesion and high coupling
b) System Acquisition
• Acquisition Standards: Reliability and Security issues can be addressed only
through properly laid out acquisition standards. It focuses on:
o Product should be reliable, secure and functional
o Must be compatible with existing systems
o Properly reviewed by the managers
o Must be done through proper mechanism involving Invitations‐to‐tender
and Request‐for‐proposals
o Standards must be clearly detailed in request for proposal
• Acquiring Systems Components from vendors: First decision is whether to
buy the equipment, lease it from a third party or rent it. This task is given to
“System Acquisition Committee”. Once it is done, RFP – ‘Request for Proposals’
are invited from vendors. The following must be kept in mind while selecting
vendor:
o Vendor Selection: RFP must be sent to selected vendors only.
o Geographical Location of Vendor: To check whether vendor has local
support persons. This stage is also called ‘technical validation’.
o Presentation by selected vendors: Team evaluates vendors’
presentations and proposals using appropriate techniques.
o Evaluation of User Feedback: Take user feedback on the aspects
of system, operations, problems, vendor response to support calls.
Some specific considerations for hardware and software acquisition are as
follows:
• Benchmark test must be done for proposed machine
• Software consideration – current application programs as well as new
programs
• Benchmarking problems are aimed at determining whether the computer
offered by the vendor meets the requirements of the buyer
• Benchmarking problem would then comprise creating a job mix
containing long jobs, short jobs, printing jobs etc.
• This approach can be a realistic and tangible comparison tool for vendors’
proposals.
• Tests enable the buyer to effectively evaluate cross performance of various
systems
• Benchmarking problems, however, can take considerable time and
efforts to select problems representative of the job mix which itself must
be precisely defined.
c) Other Acquisition Aspects
o Checklists: The most simple and a subjective method of validation
and evaluation. The various criteria are put in a checklist in the
form of suitable questions. Vendors are supposed to provide
answers to them, based on which comparative evaluation is done.
o Point-Scoring Analysis: It is an objective method. User
needs must be matched with software capabilities.
• Public Evaluation Reports: Several consultancies and independent
agencies compare and contrast the hardware and software performance
for various manufacturers and publish their reports in this regard.
• Benchmarking Problems Related Vendor’s Solutions: Solution
provided by a vendor to the benchmarking problems must meet the
requirements of the job at hand.
• Testing Problems: Test problems are devised to test the true
capabilities of the hardware, software or system. The results achieved by
the machine can be compared and price-performance can be judged.
Stage IV System Development: Programming Techniques and Languages
Designs are converted into a functional system through programming and coding. A well-coded
application and its programs should have the following characteristics: (UR EA)
• Usability: user-friendly interface and easy to understand documentation.
• Reliability: program should consistently deliver the results expected.
• Robustness: application should be strong enough to uphold its operations in adverse
situations
• Readability: Must be easy to maintain in the absence of programmer as well.
• Efficiency: performance per unit cost with respect to relevant parameters; it
should not be unduly affected by an increase in input values
• Accuracy: It must answer ‘What program must do’ and ‘what it must not do’
Other related aspects of this phase are given as below:
Language selection may be based on various factors: application area; algorithmic
considerations; data structure complexity; knowledge of the software developers; performance
considerations, etc.
c) Program Debugging: It is the oldest form of testing which corrects syntax and
diagnostic errors so that the program compiles cleanly. A clean compile means that code
will be converted into machine language instructions.
d) Testing the Programs: A thorough testing should be planned by the programmer,
including testing of all the exceptions. A log of the testing results should be kept which
will help in finding faults and debugging.
e) Program Documentation: The writing of narrative procedures and instructions for
people, who will use software, is done throughout the program cycle. Managers and
users should carefully review all the internal and external documentation in order to
ensure that the software functions as per the document.
f) Program Maintenance: Requirements change over a period of time, so some changes
to the program will certainly be required. Usually, this is the task of maintenance programmers.
Stage V System Testing
To evaluate the correctness, completeness and quality of the developed computer software,
testing must be done. Role of testing is to find those errors which were not found previously so
that the corrections may be made. Different types of testing done are:
Unit Testing: Unit testing, as the name suggests, refers to the testing done to
check the accuracy of the smallest source code programs or units of the software
program. These units, when combined, form a module, which upon further
combination becomes the fully developed software. There are five types of testing
done under this category:
a. Functional Tests: To check whether the programs do what they are
supposed to do
b. Performance Tests: How the program is reacting: reaction time, execution
time, throughput etc.
c. Stress Tests: It is done to test how stable the system is. Unit is exposed
to beyond normal conditions, usually up to a breaking point. These tests put
overload or stress on the software code to see when it breaks down.
d. Structural Tests: It is done to examine the internal processing logic of
software.
e. Parallel Tests: same test data is used for old and new system to do a comparable
analysis.
Unit tests can also be classified as Static and Dynamic depending on the
technique used.
i) Static testing: This testing is done without executing the program.
a) Desk Check: done manually by the programmer
b) Structured Walkthrough: The application developer leads the programmer
through the program text with the aim of finding errors
c) Code Inspection: The program is reviewed by a formal committee. Review is
done through formal checklists.
ii) Dynamic testing: This testing is done through execution of programs in normal
operating environments.
a. Black Box Testing:
i. It takes the external perspective of the test object.
ii. Tests may be functional or non-functional, though they are usually functional.
iii. Normal, extreme, valid and invalid input cases are introduced and
executed to uncover errors.
iv. Internal structure of test object is not known
v. It is applicable to all levels: unit, integrated and full system
vi. It is usually used for the bigger and complex systems.
vii. The only problem with this technique is that it cannot ensure full path
checking.
viii. It does not require programming knowledge
b. White Box testing:
i. It takes the internal perspective
ii. It requires programming skills as it checks the entire structure of the
software path.
c. Gray box testing: It combines both approaches, depending on what is needed where. For the internal
working of the software, white box testing is done. Once it is over, black box testing
is done for the rest.
iii) Integrated Testing: Units are integrated to make a module and tested as a
whole. It checks that information is passed correctly throughout the layout or structure that
was created. This can be done in the following ways:
a. Bottom Up Integration: It is the traditional strategy. First the unit is tested, then the
sub-system, then the integrated system. It takes time and delays testing of the management
decision-making functions.
b. Top Down: Full module is tested using a STUB instead of real program. Once
the main module is tested, then stubs one by one are tested with real modules.
Advantage is: it starts with management decision making problem so delivers the
required results faster. However, the disadvantage is testing is done through
stubs and not real modules so behavior may vary in real situation which are
more complex.
c. Regression testing: Testing which is done whenever a new change is made
to the existing system. Changes may cause problems with functions which
were otherwise working faultlessly.
iv) System Testing: Complete software with all other components is tested as a
whole. Purpose is to ensure the effectiveness or efficiency of the software
developed. Following are different kinds of System testing:
a. Recovery Testing: To check whether the software can recover from crashes,
hard drive failures etc.
b. Security testing: Six basic security concepts are tested: Confidentiality, Integrity,
Availability (CIA), Authorization, Authentication and Non-repudiation
c. Stress or Volume testing: Whether the system is capable of taking stress or
not. It is tested up to the breaking point.
d. Performance testing: speed and efficiency of a computer
v) Final Acceptance Testing: It is conducted when the system is just ready for
implementation. It is done to ensure that the system is meeting the business and
user needs as per the acceptable standards. It has two major parts:
a. Quality Testing: It is ensured that the system meets the quality standards
and that the development process is as per the organization’s quality assurance
policy, methodology and prescriptions.
b. User Acceptance Testing: it ensures that it is functioning as the user wants it
to function. It is of two types:
i. Alpha Testing: Firstly, it is given to be used and tested by internal users
and developers
ii. Beta Testing: Secondly, it is given to external users for testing to get their
feedback.
vi) Internal Testing Controls: Some questions which must be answered at the
end of this stage to enforce controls are:
a. Whether the test suite prepared by testers includes actual business scenarios?
b. Whether test data used covers all possible aspects of system?
c. Whether CASE tools like ‘Test Data Generators’ were used?
d. Whether the results have been documented?
e. Whether the tests have been performed in correct order?
f. Whether the modifications have been done or not?
g. Whether the modifications made have been properly authorized and
documented?
Stage VI System Implementation
The process of ensuring that the information system is operational and then allowing users to
take over its operations for use and evaluation is called Systems Implementation. Various
stages involved are given as follows:
• Equipment Installation: This refers to the hardware installation to support the new
system. Following stages are followed:
o Site preparation: An appropriate location, as prescribed, with the typical
equipment must be kept ready. Other specifications given by the vendor, such as humidity
control, temperature and dust control, must be followed.
o Installation of New Hardware/ Software: It must be physically installed by the
manufacturer, connected to the power source and wired to communication
lines.
o Equipment checkout: Turn on the equipment to test it under normal
operating conditions. Routine diagnostic tests should be run by vendors, and in-house
teams should also test it extensively.
o Training Personnel: Training programs must be arranged companywide to
ensure that the end users of the system are thoroughly trained; otherwise mistakes made
by them may cause severe losses.
• System Change-over strategies: Conversion or changeover is the process of shifting
from the old system to the new system. Four types of implementation strategies are
usually followed:
o Direct Implementation/ Abrupt Change over: Everything at once or
complete change at once. It is done usually on a slow day. A fixed date, time etc
is planned and it is executed.
o Phased Changeover: gradual or phase wise change over. One department or
function at a time.
o Pilot Changeover: New system takes over all at once but only at a small scale.
Problems are identified and corrections are made before accepting it
companywide, finally.
o Parallel Changeover: This is the most secure mechanism, in which both
systems, old and new, run in parallel for a while before the old one is finally scrapped
after comparing the effectiveness of the two.
Technical activities necessary to facilitate the changeover or conversion are:
Stage VII Post Implementation Review and Maintenance
Post Implementation Review: The aim is to check the efficiency and effectiveness of the
system developed. It should be done about 6 weeks to 6 months from the date of
implementation. Primarily, it checks two things: Whether the system is operating properly and
whether the user is satisfied with the system or not. It involves three types of evaluations:
System Maintenance: Maintaining the system is an important aspect of SDLC. System
will be required to be updated at regular intervals due to ongoing organization and
technological changes. Maintenance can be categorized in the following ways:
Auditor’s Role in SDLC
Mainly three objectives:
o Efficiency
o Effectiveness
o Economy
Additionally, an auditor must be there to ascertain whether adequate audit trails and controls
were created to ensure the integrity of data processed and stored and the effectiveness of such
controls. In order to achieve this goal, an auditor must:
o Attend project and steering committee teams’ meetings
o Examine project control documentation
o Conduct interviews
To ensure effective and adequate controls, an auditor must include the following:
o Documented policy and procedures
o Established project team with all infrastructure and facilities
o Developers/IT managers are trained on procedures
o Appropriate approvals are being taken at identified milestones
o Development is carried out as per standards and functional specifications
o Separate environments for development/ test/ production, and test plans
o Design norms and naming conventions are as per standards and are adhered to
o Business owners’ testing and approval before the system goes live
o Version control on programs
o Source code is properly secured
o Adequate audit trails are provided in the system
o Appropriateness of methodologies selected.
The auditor should conduct a post-implementation review to ensure that the system meets the
business objectives. They should also understand whether the system is generating benefits in
relation to the cost incurred and whether the users are satisfied with the new system.
The core idea is to find discrepancies, mistakes or errors at various stages of the SDLC
and recommend corrective action.
Chapter 6
Audit of Information Systems
There are two very important steps in Audit:
• Evidence Collection
• Evidence Evaluation
Information systems have changed the way both of these steps used to happen. Auditors face the
following issues during Evidence Collection because of Information Systems:
Four things are required w.r.t. computers to facilitate an Audit
Data retention and Storage: Client’s limited data storage and retention may result in non‐
availability of auditable data or transactions of an entire period.
Input Documents: Inputs may not have been entered using a source document, for example
telesales orders. Also, in certain cases, input transactions may happen automatically, for
example automatic calculation of depreciation on assets at the end of each month.
Audit Trail: If audit trails do not exist for a sufficient time
Output: If the Output cannot be made available in hard format.
There are many legal issues pertaining to admissibility of such audit evidence. It varies from
country to country and court to court.
Similarly, there are problems experienced in case of evidence evaluation because of the
following:
Categories of IS Audits
• Systems and Application
• Information Processing Facilities
• Systems Development
• Management of IT and Enterprise Structure
• Telecommunications, Intranets, and Extranets
Steps in Information Systems Audit
1) Scoping and Pre audit survey: Objective is to determine the scope of the audit as
agreed upon with the management. It includes: web browsing, background reading, and
observations.
2) Planning and Preparation: Scope is broken down into detailed steps and generation
of audit work plan or risk‐control‐matrix.
5) Reporting
Audit Standards and Best Practices
It’s all about measuring the 3Es – Economy, Efficiency and Effectiveness – and auditors need a
framework or guidelines to give assurance about an organization’s IS system’s 3Es. Many well-known
organizations have facilitated this task:
1. ISACA: 16 auditing standards, 39 auditing guidelines, and 11 auditing procedures.
Important framework is COBIT.
2. ISO 27001: Best practice certification for Information Security Management System (ISMS)
3. Internal Audit Standards: IIA issued Global Technology Audit Guide.
4. Standards issued by ICAI
5. ITIL: Information Technology Infrastructure Library is a set of services for ITSM that
focuses on aligning IT services with the needs of the business.
Basic Plan
1. Deciding extent of planning as per the size of company, complexity of audit and
auditor’s experience with both.
2. Obtaining business knowledge is a must.
3. May be discussed with audit committee, management and staff to ensure full
cooperation.
4. Auditor should develop and document an overall audit plan.
5. Planning should be an iterative process throughout the audit cycle.
Preliminary Review
1. Knowledge of Business
• Nature of Business
• Economic and industry factors affecting it
• Outsourced partners like vendors, clientele
• Competence level of Top management and IT management
• IT organizational structure
2. Understanding the Technology
• Analysis of business processes and level of automation
• Assessing the dependency of an organization on IT
• Studying network diagrams to understand physical and logical network connectivity
• Understanding extended enterprise architecture like SCM, CRM, and ERM etc.
• Knowledge of technologies and their advantages or limitations
• Studying 3Ps of IT
3. Understanding Internal Control Systems
Emphasis has to be laid upon compliance and substantive testing.
4. Legal Considerations and Audit Standards
• Careful evaluation of legal and statutory implications on audit work done
• IS audit could be a part of statutory requirement, hence related stipulations,
regulations, and guidelines for the conduct of his audit must be considered.
• Understanding of minimum set of control objectives to be achieved by the subject
organization imposed by statutes.
• Audit standards applicable to his or her conduct and performance of audit work.
5. Risk Assessment and Materiality
Risk Assessment is a critical and inherent aspect of Information System Auditor’s planning and
implementation. It includes: identification of risk, assessment of risk and recommending
controls to reduce the risk to an acceptable level. Risk assessment determines the scope of
audit and assesses the level of audit risk and error risk. Risk assessment will aid in planning for:
• Nature, extent and timing of audit procedures
• Business functions to be audited
• Amount of time and resources to be allocated
Steps that can be followed to adopt a risk based approach to create an audit plan are listed
below:
• Inventory the information systems in use and categorize them
• Identify the systems with impact on critical functions or assets
• Assess the risks affecting these systems with their BIA
• Decide the audit priority, resources, schedule and frequency.
Different types of Risks
Inherent Risk (Key points to be covered while writing an answer)
1. Vulnerability of Information Resources or Resources controlled by Information systems
to Theft, destruction, disclosure, unauthorized modification, or other impairment.
2. Risks should be ascertained assuming that there are no internal controls.
3. Internal controls are ignored because they will be covered under Control Risks.
4. It basically aims to aid auditor in his assessment of risks or material gaps which the audit
subject may or may not be subjected to if there were no internal controls.
For example: If controls are removed, then ATM is a high risk subject.
Control Risk (Key points to be covered while writing an answer)
1. Material risks which, appearing alone or in combination with other errors, the internal
control system will most likely not be able to Prevent, Detect or Control.
2. It is a measure of auditor’s assessment that Risk will cross its tolerable level.
3. This assesses whether the client’s internal controls are effective or not.
Detection Risk (Key points to be covered while writing an answer)
1. Material risks which, appearing alone or in combination with other errors, will not be
Prevented, Detected or Controlled (PDC) by the audit procedures either.
IS Audit and Audit Evidence
According to SA‐230, Audit Documentation refers to
• Record of audit procedures performed,
• Relevant audit evidence obtained, and
• Conclusions that auditor reached (working papers or work papers to record and
demonstrate the audit work from one year to another)
Evidence is also required for the following purposes:
• Means of controlling current audit work
• Evidence of audit work performed
• Information about business being audited
The problem with an IS environment is that evidence is not available in physical form, but in
electronic form.
Documentation by Auditor
Auditors have to make reports, for which they need documented evidence. The following actions
must be taken by the auditor to address the problem of non-availability of evidence in physical
form:
• Use of special computer aided audit techniques
• Audit timing can be planned in conjunction with transactions occurrence
As per SA-200, “Overall Objectives of an Independent Auditor and Conduct of an Audit with
Standards of Auditing”, any opinion of an auditor is subject to limitations such as:
• Nature of financial reporting
• Nature of audit procedures
• Time and cost constraints
• No valid excuse or reason to omit an audit procedure
• Fraud, especially involving senior management or collusion
• Existence and completeness of related party relationships and transactions
• Occurrence of non-compliance with laws or regulations
• Business continuity risks
Provisions related to Digital Evidences
As per Indian Evidence Act, 1972, “Evidence” means and includes:
1) All statements, which the court permits or requires to be made before it by witnesses, in
relation to matters of fact under inquiry; such statements are called oral evidence;
2) All documents produced for the inspection of the court, such documents are called
documentary evidence.
Documentary Evidence also includes ‘Electronic Records’. It is covered under Information
Technology Act 2000.
Concurrent Audit
Real-time information needs real-time auditing to provide continuous assurance about the
quality of data. There are two ways in which this can be achieved: one is the use of embedded
audit modules, and the other is special audit records used to store the audit evidence collected.
Types of Audit Tools
Snapshots
• Snapshot software is built into the system at those points where material processing
occurs
• It takes images of the flow of any transaction as it moves through the application.
• These images are used to assess the authenticity, accuracy and completeness of the
process.
• Two things should be focused upon: snapshot points locations and reporting design and
implementation
Integrated Test Facility (ITF)
• Dummy entity is introduced in the application system files.
• Audit test data is processed against entity.
• Two important steps to be considered: Method of Entering Test Data and Method of
removing the effects of ITF Transactions.
Method of Entering Test Data
(Method 1)
• Tag the transactions to be tested
• Program the application system to recognize the tag
• After recognizing, it will update Master file and ITF dummy file.
Advantage: ease of use and testing with transactions representative of the normal system
processing.
Disadvantage: embedded modules may interfere with production processing.
(Method 2)
• Prepare a special test data
• Enter test transactions within production input into the application system
Advantage: more complete coverage of execution paths and application system does not
have to be modified to tag or identify ITF transactions.
Disadvantage: Preparation of test data could be time consuming and costly.
Method of Removing the Effects of ITF transactions:
(Method 1)
Program the application system to recognize the ITF transactions and ignore them.
(Method 2)
Submit additional inputs that reverse the effects of ITF transactions.
System Control Audit Review File (SCARF)
• Embed audit software modules within a host application system to provide continuous
monitoring of the system’s transactions.
• Information is recorded onto a special audit file – the SCARF master files
• Information contained is then examined by the auditors
SCARF is similar to snapshot technique with other data collection capabilities being the only
difference present.
Types of information collected using SCARF
• Application system Errors: Basic design and programming errors or errors that could
creep into the system during updates or maintenance
• Policy and Procedural Variances: Whether the 3Ps are being followed or not
• System Exception: monitor the system exceptions. For example, a sales person is
permitted to allow some discount on MRP. SCARF can be used to check how frequently
this exception is used by a Sales Person
• Statistical Samples: Collects all the statistical samples’ information on one file and
allows analytical review tools to be used thereon
• Snapshots and Extended Records: can be written on SCARF file and printed as
required
• Profiling Data: Collect data to build profiles of system users
• Performance Measurement: Collect data useful for measuring or improving the
performance of an application system
Continuous and Intermittent Simulation (CIS)
This is a variation of SCARF whose primary aim is to trap exceptions whenever the application
system uses a DBMS. The process is as follows:
1. The DBMS reads a transaction and passes it to CIS. CIS decides whether it wants to examine it.
If yes, the next steps are followed; otherwise it awaits the next transaction.
2. CIS replicates or simulates the application system’s processing.
3. Every update to the database that arises from processing the selected transaction will
be checked by CIS to determine the discrepancies between results it produces and those
the application system produces.
4. Exceptions identified by CIS are written to exception log file.
Main Advantage: It provides online auditing capability without making any modifications in
application programming.
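The SCARF “system exception” use case above (how often a salesperson uses the discount exception) and the CIS comparison of simulated versus actual results are shown together in the following added example. It is not code from the course notes; the discount policy, transaction records and SCARF file name are all constructed for illustration.

```python
"""Embedded audit module (constructed example) combining two techniques:

* SCARF-style exception capture: any sale where the discount given exceeds
  the permitted limit is recorded as a policy variance on the SCARF file.
* CIS-style simulation: the module independently recomputes the net amount
  the application should have posted and records a discrepancy if the
  application's figure differs, with no change to the application code.
"""
import json
from dataclasses import dataclass

MAX_DISCOUNT_PCT = 10.0            # assumed policy: at most 10% off MRP
SCARF_FILE = "scarf_master.jsonl"  # hypothetical SCARF master file name


@dataclass(frozen=True)
class SalesTxn:
    txn_id: str
    salesperson: str
    mrp: float            # maximum retail price
    discount_pct: float   # discount the salesperson applied
    net_amount: float     # amount the application actually posted


def expected_net(mrp, discount_pct):
    """Independent (simulated) re-computation of the net amount."""
    return round(mrp * (1 - discount_pct / 100.0), 2)


def audit_transaction(txn, max_discount=MAX_DISCOUNT_PCT):
    """Return the exception records for one transaction (empty if clean)."""
    exceptions = []
    # SCARF: policy/procedural variance - discount beyond the permitted limit
    if txn.discount_pct > max_discount:
        exceptions.append({
            "txn_id": txn.txn_id, "salesperson": txn.salesperson,
            "type": "POLICY_VARIANCE", "discount_pct": txn.discount_pct,
            "limit_pct": max_discount,
        })
    # CIS: compare the simulated result with what the application produced
    simulated = expected_net(txn.mrp, txn.discount_pct)
    if abs(simulated - txn.net_amount) >= 0.01:
        exceptions.append({
            "txn_id": txn.txn_id, "salesperson": txn.salesperson,
            "type": "CIS_DISCREPANCY", "expected": simulated,
            "actual": txn.net_amount,
        })
    return exceptions


def run_audit(txns, scarf_path=SCARF_FILE):
    """Examine each transaction as it is handed over, append every exception
    to the SCARF file (skipped when scarf_path is None) and return them."""
    found = []
    for txn in txns:
        found.extend(audit_transaction(txn))
    if scarf_path is not None:
        with open(scarf_path, "a", encoding="utf-8") as fh:
            for exc in found:
                fh.write(json.dumps(exc) + "\n")
    return found


def exception_frequency(exceptions):
    """How often each salesperson used the discount exception."""
    counts = {}
    for exc in exceptions:
        if exc["type"] == "POLICY_VARIANCE":
            counts[exc["salesperson"]] = counts.get(exc["salesperson"], 0) + 1
    return counts


# Constructed sample transactions: one clean, two over-limit discounts,
# two where the application's posted amount disagrees with the simulation.
SAMPLE_TXNS = [
    SalesTxn("T1", "alice", 1000.0, 5.0, 950.0),
    SalesTxn("T2", "bob", 2000.0, 15.0, 1700.0),
    SalesTxn("T3", "bob", 500.0, 12.0, 450.0),
    SalesTxn("T4", "alice", 800.0, 0.0, 790.0),
]

if __name__ == "__main__":
    for exc in run_audit(SAMPLE_TXNS, scarf_path=None):
        print(exc)
    print(exception_frequency(run_audit(SAMPLE_TXNS, scarf_path=None)))
```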
Why Continuous Auditing?
• Enable the auditors to test a larger sample of client’s transaction (up to 100%), hence
improving the quality of audit
• Reduces time and cost
• Perform both – test of controls and substantive tests – throughout the year.
Surprise Test Capability: No help needed from system or application staff as it is system
generated. So a surprise evidence collection can be done at any point of time without staff
being informed or involved.
Training for new users: Using ITFs, new users can submit any data to application system,
and obtain feedback on any mistakes they make via the system’s error reports.
Disadvantages or limitations of Continuous Audit System
• Management support to the auditors may not be there to develop, implement, operate
and maintain it.
• Auditors may not be involved in the application system development, which is
extremely important.
• Auditors need the knowledge and experience of working with computer systems to be
able to use continuous audit system efficiently and effectively.
• It may not be required at places where audit trails are adequate and costs of errors and
irregularities are not too high.
• They can be effective only in a stable application.
Audit Hooks
They are primarily used to flag suspicious transactions. When audit hooks are employed,
auditors can be informed of questionable transactions as soon as they occur, through a
message displayed on the auditor’s terminal.
Audit Trail
• Audit trail refers to the log file that is designed to record activity at the system,
application, and user level.
• This is primarily a detective technique.
• Determining which events to log is a management decision.
• An effective audit policy will capture all significant events and no trivial activities.
• It tries to record the events in chronological order.
• Record is needed to: fulfill statutory requirements, detect consequences of errors, and
allow system monitoring and tuning.
Audit trail Objectives
• Detects unauthorized access to system:
o It may happen real time or after the fact.
o Primary objective is to detect system breach from outsiders.
o It may detect changes caused to system by a worm or virus.
o After the fact logs can be stored electronically and can be used for review
periodically.
o They can be used to determine if such access was accomplished, or attempted
and failed.
Implementing an Audit Trail
• Careful selection of events for the purpose of implementing an audit trail is very
important. Otherwise, important information may get lost in superfluous data relating
to daily operations.
General Controls
Operating System Controls
What does an operating system do?
• Schedule jobs
• Manage Hardware and Software Resources
• Maintain System Security
• Enable multiple user resource sharing – through multiprogramming
• Handling interrupts
• Maintain Usage Records
So we can understand that Operating System is one of the most critical software for any
computer which needs to work in a well controlled environment.
Control Objectives
Protection in terms of USER
USER – USER
USER – OS
USER – From Themselves
Protection in terms of OS
OS – OS
OS – USER
OS – Environment
Operating System Security or Access Controls
Answers three questions:
Who can access the system?
Which resources they can use?
What actions they can take?
The following are the security components found in a secure operating system:
Log‐in Procedure
Access Token: If the login is successful, an access token is created which holds the relevant
information pertaining to the user and determines all the actions which the user may take.
Access Control List: This defines all the access privileges available to authenticated users. If
the details in the access token match the access control list, access is granted.
Discretionary Access Control: The access control list is kept and maintained by the system
administrator, who decides what access must be authorized to which user. However, in
distributed systems, a resource owner is appointed from among the users. Such resource owners
may be granted discretionary access control, which allows them to grant access privileges to
other users.
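A toy model of the log-in procedure, access token, access control list and discretionary grant by a resource owner described above, as an added example (not code from the course notes). The users, passwords, resource and privilege names are constructed for illustration.

```python
"""Constructed model of OS access control: login -> access token -> ACL check,
plus discretionary access control exercised by a resource owner."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# User store: username -> (salt, password hash, groups). Populated by register().
USERS = {}


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password, groups=()):
    """Create a user record with a salted password hash (never the password)."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_pw(password, salt), tuple(groups))


@dataclass(frozen=True)
class AccessToken:
    user: str
    groups: frozenset


def login(username, password):
    """Log-in procedure: return an AccessToken on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, pw_hash, groups = record
    if not hmac.compare_digest(pw_hash, _hash_pw(password, salt)):
        return None
    return AccessToken(username, frozenset(groups))


@dataclass
class Resource:
    name: str
    owner: str
    # ACL: principal (user or group name) -> set of privileges
    acl: dict = field(default_factory=dict)


def check_access(token, resource, privilege):
    """Grant only if the token's user or one of its groups holds the privilege."""
    principals = {token.user} | set(token.groups)
    return any(privilege in resource.acl.get(p, set()) for p in principals)


def grant(token, resource, grantee, privilege):
    """Discretionary access control: only the resource owner, or a principal
    already holding the 'grant' privilege, may extend privileges to others."""
    if token.user != resource.owner and not check_access(token, resource, "grant"):
        return False
    resource.acl.setdefault(grantee, set()).add(privilege)
    return True


def build_sample():
    """Constructed scenario: alice owns the ledger, finance group may read it."""
    register("alice", "s3cret-alice", groups=["finance"])
    register("bob", "s3cret-bob")
    return Resource("ledger", owner="alice", acl={"finance": {"read"}})


if __name__ == "__main__":
    ledger = build_sample()
    alice, bob = login("alice", "s3cret-alice"), login("bob", "s3cret-bob")
    print("alice reads ledger:", check_access(alice, ledger, "read"))
    print("bob reads ledger:", check_access(bob, ledger, "read"))
    print("alice grants bob read:", grant(alice, ledger, "bob", "read"))
    print("bob reads ledger now:", check_access(bob, ledger, "read"))
```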
Remedy from Destructive Programs
• Purchase software from reputed vendor
• Examine software before implementation
• Establish educational program for user awareness
• First install the application on a single un‐networked computer and test it thoroughly
• Make back up copy of key file
• Always use updated anti‐virus software
Data Management Controls
Two categories of controls:
• Access Control
• Backup Control
Access Control
Prevent unauthorized access to data from viewing, retrieving, computing or destroying it.
a) User controls as discussed above
Backup Control
It refers to availability of system in the event of data loss by being able to retrieve files and
databases.
Various backup strategies are given below:
Dual Recording of Data: Two complete copies are maintained and they are concurrently
updated.
Periodic Dumping of Data: Periodic complete or partial dumping of data is done at a
scheduled time, and the copy is saved on a storage medium – magnetic tape, removable disk or
optical disk.
Logging Input Transactions: Creating transaction logs of input that causes the database to
change. Normally, this is done in conjunction with data dumping. In case of complete failure,
the last taken dump will be loaded and updated using the logs.
Logging Changes to Data: This involves copying a record each time it is changed by an
update action.
Restoration should be done for all backups at least twice a year.
Organizational Structure Controls
As done in Chapter 3
Additional Points:
To save from the compromises that may occur due to above, the following must be done:
System Development Controls
To ensure that proper documentations and authorizations are available for each phase of
system development process, controls are created for new system development activities:
System Authorization Activities:
• Systems must be authorized to ensure their economic justification and feasibility.
• It should be formal and documented: New system request must have been
submitted in written form from users to system professionals, who would have
evaluated and approved or rejected the request.
User Specification Activities:
• User must be actively involved in systems development process.
• The user must have written a detailed description of the logical needs that must be satisfied by the
system.
• This document should reflect the users’ point of view regarding the problem.
Technical Design Activities:
• In SDLC, technical design activities transform user requirements into a set of detailed technical
specifications that must meet users’ needs.
• This includes general systems design, feasibility analysis and detailed system design.
• Quality of documentation that emerges at the end of each phase of SDLC determines the
adequacy of these activities.
• Documentation is both a control and evidence
Internal Auditor’s Participation:
• Auditors should be involved in entire SDLC wherever required and such involvement should
have started right at the inception point.
• Auditor’s role is to make conceptual and control related suggestions.
Program Testing:
• All program modules must be thoroughly tested before implementation.
• Results must be compared with expected results in order to find programming and logic
errors.
• For audit purposes, test data used during testing must be preserved for future use.
• Auditors will use the same test data as a basis to plan and design future audit tests.
User Test and Acceptance Procedures:
• All the units must be assembled into the complete system and must undergo rigorous
testing just before implementation.
• The testers’ profiles should include system managers, internal auditors and users.
• Acceptance by user departments must come only after the testing has taken place.
• Such user acceptance must be documented.
System Maintenance Controls
Maintenance should be given the same treatment as new development. Whenever maintenance causes
extensive changes to program logic, additional controls should be enforced. Such controls include
the testing and acceptance procedures mentioned above.
Computer Center Security and Controls
Three components must be secured:
• Physical Security
• Software and Data Security
• Data Communication Security
Physical Security
It includes security from
• Fire
• Water
• Power Variation
• Pollution and Unauthorized intrusion
Fire Damage
• Automatic and manual fire alarms
• Control panel to show the exact location of fire which has triggered the manual or
automatic alarm
• Master switches installed for power and automatic fire suppression
• Manual fire extinguishers at strategic locations
• Fire exits should be clearly marked
• All staff members should be trained.
• Incident Management Plan should be implemented, maintained and documented
• Less wood and plastic should be used in computer rooms
Water Damage
• Waterproof surroundings wherever possible
• Adequate drainage system
• Install alarms at strategic points
• Gas based fire suppression system
Power Supply Variation
• Voltage Regulators
• Circuit breakers
• UPS battery backup
• Generator
Pollution Damage – Primarily Dust
• A dust-free environment must be created in the computer room.
• Only things that help the room stay dust free, such as air conditioners, should be allowed
inside computer rooms.
• Regular cleaning must be carried out to maintain a dust-free environment.
Unauthorized Intrusion
It can be done in two ways:
1) By physically entering and damaging or stealing
2) By tapping into communication lines and eavesdropping.
Measures that may be taken are:
• Provision of Identification badges to everyone including bonded personnel
• Manual or Electronic logging
• Guard Dogs
• Controlled entry into restricted computer areas
• Log books
• Alarms
• Prevent wire tapping
• Physical intrusion detectors
• Security of Documents, data & storage media
Software and Data Security
Following are some of the measures that an organization can take to protect its software or
data:
• User authorization
• Passwords and PINs
• Monitoring after office hours activity
• Segregation, check and control over critical information
• Frequent audits
• Screening and background checks before recruitment
• Encryption of data
• Security software
• Management checks
• Backup of data/ information
• Antivirus software
Data Communication Security
This can be implemented through following controls:
• Audit trails of crucial network activities
• User identification
• Passwords to gain access
• Terminal locks
• Sender and receiver authentication
• Check over access from unauthorized terminals
• Encryption of data/ information
• Proper network administration
• Hardware and system software built-in controls
• Use of approved network protocols
• Network administrations
• Internally coded device identifier
Internet and Intranet Controls
Two major threats must be covered under this category:
• Component failure: Data may be lost or corrupted through component failure. These
include:
o Communication lines: twisted pair, coaxial cables, fiber optics, microwave,
satellite etc.
o Hardware: Ports, modems, multiplexers, switches etc.
o Software: Packet switching software, polling software, data compression
software etc.
• Subversive threats: An intruder attempts to violate the integrity of some components
in the sub‐system. These may include:
o Invasive tap: By installing it on communication line, data may be modified or
read.
o Inductive Tap: Electromagnetic transmissions from the line are picked up; data can only
be read, not modified.
Controlling such risks
Firewalls
• Electronic firewalls may be installed to insulate the internet and intranet from
intrusion.
• Firewall enforces access control between two networks.
• All traffic must pass through this.
• Only authorized traffic, internal or external, must be able to pass.
• It can also insulate some portions of the intranet from internet access.
Controlling Denial of Services (DoS) attacks
Connection flooding must be prevented. When a user creates a connection through TCP/IP, a
three-way handshake takes place: the client sends a SYN packet, the server replies with a
SYN-ACK packet, and the client completes the connection with an ACK packet. An attacker
transmits hundreds of SYN packets to the receiver but never responds with an ACK to complete
the connection. As a result, the receiver's port is clogged with incomplete connection
requests, and legitimate requests are prevented from gaining access.
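To show how such half-open connections can be spotted on the defending side, here is an added example (not from the notes) that replays a constructed connection-tracking log in Go and flags clients that started many handshakes without ever sending the final ACK. The log format, the addresses and the threshold are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of a connection-tracking log (assumed format, not from the notes):
// "<seq> <client-ip> <flag>". SYN and ACK lines come from the client, SYN-ACK lines
// are the server's replies. 203.0.113.7 sends six SYNs and never completes any of them.
const sampleLog = `
1 10.0.0.5 SYN
2 10.0.0.5 SYN-ACK
3 10.0.0.5 ACK
4 203.0.113.7 SYN
5 203.0.113.7 SYN-ACK
6 203.0.113.7 SYN
7 203.0.113.7 SYN-ACK
8 10.0.0.8 SYN
9 10.0.0.8 SYN-ACK
10 203.0.113.7 SYN
11 203.0.113.7 SYN-ACK
12 203.0.113.7 SYN
13 203.0.113.7 SYN-ACK
14 10.0.0.5 SYN
15 10.0.0.5 SYN-ACK
16 10.0.0.5 ACK
17 203.0.113.7 SYN
18 203.0.113.7 SYN-ACK
19 203.0.113.7 SYN
20 203.0.113.7 SYN-ACK
`

// handshakeCount tracks, per client, how many handshakes were started and finished.
type handshakeCount struct {
	syn int // SYN packets received from the client (step 1)
	ack int // ACK packets that completed a handshake (step 3)
}

// halfOpenBySource replays the log and returns, for every client that left at
// least one connection incomplete, the number of SYNs not followed by an ACK.
func halfOpenBySource(entries string) map[string]int {
	counts := map[string]*handshakeCount{}
	for _, line := range strings.Split(strings.TrimSpace(entries), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 3 {
			continue // skip malformed lines rather than abort the analysis
		}
		client, flag := fields[1], fields[2]
		c, ok := counts[client]
		if !ok {
			c = &handshakeCount{}
			counts[client] = c
		}
		switch flag {
		case "SYN":
			c.syn++
		case "ACK":
			c.ack++
		// SYN-ACK is the server's own reply and says nothing about the client's intent.
		}
	}
	halfOpen := map[string]int{}
	for client, c := range counts {
		if n := c.syn - c.ack; n > 0 {
			halfOpen[client] = n
		}
	}
	return halfOpen
}

// suspectedFlooders lists clients whose half-open count reaches the threshold,
// sorted so the result is stable for reporting.
func suspectedFlooders(entries string, threshold int) []string {
	var out []string
	for client, n := range halfOpenBySource(entries) {
		if n >= threshold {
			out = append(out, client)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for client, n := range halfOpenBySource(sampleLog) {
		fmt.Printf("%-12s half-open connections: %d\n", client, n)
	}
	fmt.Println("suspected SYN flood sources:", suspectedFlooders(sampleLog, 5))
}
```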
Encryption
Conversion of data into a secret code before transmission over networks is called encryption.
An encryption algorithm uses a key; the more bits in the key, the stronger the encryption. It
can be done through a private key or a public key.
Recording of Transaction Log:
All attempts of intrusion must be recorded in the logs. Log maintains all the information
pertaining to the attempt.
Call Back Devices
Key to network security is to keep the intruder off the intranet. Call back device works as given
below:
• Call‐back device requires the user to enter a password and then the system breaks the
connection
• If the caller is authorized, the call back device dials the caller’s number to establish a
new connection
• This helps in protecting the connection from following:
o Access from unauthorized terminals
o Access from unauthorized telephone numbers
o Prevent a hidden intruder
o Call forwarding
o Man in the middle attack
Personal Computer Controls
Risks related to personal computers are given below:
• They are small and easy to connect and disconnect. They can be stolen and taken out of
organization.
• Pen drives and hard disks can be stolen easily.
• Since it is a single user oriented machine, it does not provide inherent data protections.
Problems can be caused by viruses and pirated software.
• Segregation of duty is not possible since the number of staff is low
• Due to vast number of installations, the staff mobility is higher and hence becomes a
source of information leakage.
• The operating staff may not be adequately trained.
• Weak Access Control
Security measures that could be exercised are given below:
• Physically locking the system
• Proper logging of equipment shifting – like gate pass
• Centralized purchase of hardware and software
• Standards set for developing, testing and documenting
• Use of anti-malware software
• User control
Role of IS Auditor in Physical Access Controls
Risk Assessment: The auditor must satisfy himself/herself that the risk assessment
procedure adequately covers periodic and timely assessment of all assets, physical access
threats, vulnerabilities of safeguards and exposures therefrom.
Controls Assessment: The auditor based on risk profile, evaluates whether the physical
access controls are in place and adequate to protect the IS assets against the risks.
Review of Documents: It requires review of relevant documentation such as Information
Security Policy and Procedures, premises plans, building plans, inventory list and cabling
diagrams.
Audit of Environment Controls
Related aspects are given as below:
Role of Auditor in Environmental Controls: The IS auditor should satisfy himself/herself not only
about the effectiveness of various technical controls but also about the overall controls
safeguarding the business against environmental risks. Some of the critical audit considerations
that an IS auditor should take into account while conducting his/her audit are given below:
Audit Planning and Assessment: As a part of risk assessment:
• Risk profile should include different and comprehensive list of environmental risks that
an organization is exposed to.
• Controls assessment must ascertain that acceptable risks are under proper control
• Security policy must be reviewed to assess policies and procedures
• Building plans and wiring plans need to be reviewed to determine the appropriateness
of IPF, review of surroundings, power and cable wiring etc.
• The auditor should review personnel to satisfy him or her about employees’ awareness
about and participation in environmental threats and incident management plan
respectively.
• Administrative procedures such as preventive maintenance plans, incident reporting
and handling procedures, testing plan and procedures need to be reviewed.
Audit of Environmental Controls
IS Auditor must verify the following by physical inspections and observations.
• Type of material used for the construction of IPF
• Presence of all kinds of safety measures and equipment
• Emergency plans, evacuation plans etc. Periodical fire drill logs
• Documents for compliance with legal and regulatory requirements with regards to fire
etc.
• Power supply and related controls
• Environmental control equipment such as air conditioning et al.
• Complaint logs and maintenance logs to assess if MTBF and MTTR are within acceptable
levels
• Identify user activities such as eatables, drinks, smoking etc.
Application Controls
Since an application does only three things, that is, input, processing and output, the
controls related to an application can be categorized as:
• Input controls
• Processing Controls
• Output Controls
Input Controls
It includes the following:
• Source Document Controls
• Data Coding Controls
• Validation Controls
Source Document Controls
Controls over source documents include:
• Using pre‐numbered source documents
• Use source documents in sequence
• Periodically audit source documents
Data Coding Controls
Two types of errors can corrupt a data code and cause processing errors: transcription errors
and transposition errors.
• Transcription Errors
o Addition Errors – when an extra digit is added to the code – 83276 is recorded as
832766
o Truncation Errors – when a digit or character is removed from the end of the
code – 83276 – 8327
o Substitution Errors – replacement of one digit in a code with another. 83276 –
83266
• Transposition Errors
o Single Transposition Errors – when two adjacent digits are reversed – 12345 is
recorded as 21345
o Multiple Transposition Errors – when nonadjacent digits are transposed – 12345
– 31254
Validation Controls
Input validation controls are needed to detect errors in the transaction data before the data are
processed. There are three levels of input validation controls:
• Field Interrogation
• Record Interrogation
• File Interrogation
Field Interrogation: it involves programmed procedures that examine the characters of the
data in the field. Following types of field interrogation can be used:
• Limit Check: The field is checked by the program against predefined limits to ensure
that no input error has occurred.
• Picture Checks: These check against entry of incorrect/ invalid characters.
• Valid Code Checks: checks against predetermined transaction codes, tables or order
data. Predetermined codes may either be embedded in the programs or stored in files.
• Check Digit: This method is to detect data coding errors. It is a control digit added to
the code when it is originally assigned that allows the integrity of the code to be
established during subsequent processing.
• Arithmetic Checks: Simple arithmetic is performed in different ways to validate the
result of other computations of values of selected data fields.
• Cross Checks: to tally the results appearing in different files.
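To tie the Data Coding Controls passage to the Check Digit control above, here is an added example (not from the notes) in Go that assigns a weighted modulus-11 check digit to the code 83276 and then runs the validation against each error type the notes describe. Modulus 11 is an assumed scheme, since the notes name the control but not a particular algorithm; the erroneous entries are constructed from the notes' examples.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// modulus11CheckDigit derives a check digit for a numeric code: each digit is
// multiplied by a weight (2 for the rightmost digit, 3 for the next, and so on),
// the products are summed, and the check digit is (11 - sum mod 11) mod 11.
// A result of 10 is written as "X". Weighted modulus 11 is an assumed scheme;
// the notes name the control but not a particular algorithm.
func modulus11CheckDigit(code string) (string, error) {
	if len(code) == 0 || len(code) > 10 {
		return "", errors.New("code must be 1 to 10 digits long")
	}
	sum, weight := 0, 2
	for i := len(code) - 1; i >= 0; i-- {
		d := code[i]
		if d < '0' || d > '9' {
			return "", errors.New("code must contain digits only")
		}
		sum += int(d-'0') * weight
		weight++
	}
	check := (11 - sum%11) % 11
	if check == 10 {
		return "X", nil
	}
	return strconv.Itoa(check), nil
}

// appendCheckDigit returns the code with its check digit attached, as it would
// be assigned when the code is first issued.
func appendCheckDigit(code string) (string, error) {
	check, err := modulus11CheckDigit(code)
	if err != nil {
		return "", err
	}
	return code + check, nil
}

// validCode performs the field interrogation on an entered code: a picture check
// (digits only, with X allowed as the last character) and then the check-digit
// test. With the check digit given weight 1, the weighted sum of a correct code
// is divisible by 11. Because 11 is prime and all weights differ, every single
// substitution and every transposition within a code of up to 10 digits is caught.
func validCode(coded string) bool {
	if len(coded) < 2 || len(coded) > 11 {
		return false
	}
	sum, weight := 0, 1
	for i := len(coded) - 1; i >= 0; i-- {
		var v int
		switch c := coded[i]; {
		case c >= '0' && c <= '9':
			v = int(c - '0')
		case c == 'X' && i == len(coded)-1:
			v = 10
		default:
			return false
		}
		sum += v * weight
		weight++
	}
	return sum%11 == 0
}

// codingErrors applies the error types from the Data Coding Controls passage
// to the coded form of 83276, which is 832766 (check digit 6). Constructed inputs.
var codingErrors = map[string]string{
	"addition (extra digit appended)":     "8327666",
	"truncation (last character dropped)": "83276",
	"substitution (7 recorded as 6)":      "832666",
	"single transposition (83 -> 38)":     "382766",
	"multiple transposition (8<->2, 7<->6)": "238676",
}

func main() {
	coded, _ := appendCheckDigit("83276")
	fmt.Println("issued code:", coded, "valid:", validCode(coded))
	for kind, entry := range codingErrors {
		fmt.Printf("%-40s %-8s rejected: %v\n", kind, entry, !validCode(entry))
	}
}
```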
Record Interrogation: These are listed as follows:
• Reasonableness check: Whether the value specified in a field is reasonable for
that particular field.
• Valid Sign: The content of one field may determine which sign is valid for a numeric
field.
• Sequence Check: Physical order must match the logical order.
File Interrogation: These are discussed as follows:
• Version usage: Proper version of a file should be used for processing the data
correctly.
• Internal and External Labeling: Labeling of storage media as to what it contains so
that correct files are loaded. External labeling for manual and internal labeling for
automated.
• Data File Security: CIA of data file should be preserved.
• Before and After Image and Logging: The application may provide for before and
after images of transactions. These images, combined with logging of events, enable
reconstructing the data file back to its last state of integrity.
• File Updating and Maintenance Authorization: Controls must exist for updating and
maintenance.
• Parity Check: This control is required in case of transmitted data. Check codes are
added to ensure the correctness of data.
Processing Controls
• Run‐to run controls
• Reasonableness Verification
• Edit checks
• Field Initialization: To prevent data overflow, set all fields to zero or blank before
inserting the field or record.
• Exception Reports: These reports are generated to identify errors in data processed.
These provide transaction code and why it was not processed or what was the error in
processing.
Output Controls
Storage and Logging of Sensitive, Critical forms: Preprinted official stationery should
be stored securely to prevent unauthorized usage.
Logging of Output Program Executions: Logging is required for access to outputs.
Retention Controls: They consider the controls related to duration for which outputs
may be retained before being destroyed. Type of storage medium should be given due
importance.
Audit of Application Security Controls
Application security is the most important aspect. The approach is defined as per who is
using an application in an organization and what it intends to serve. There are three layers
of application security as per the organization levels: Operational, Tactical and Managerial.
Operational Layer: The operational layer audit issues include:
• User Accounts and Access Rights
• Password Controls
• Segregation of Duties
Tactical Layer: At this layer, security administration is put in place. This includes:
• Timely Updates: User profiles must be timely updated and any change must be
properly approved and documented through correct channel.
• IT Risk Management: It further includes:
o Assessing risk over key application controls
o Conducting a regular security awareness program for users
o Enable application users to perform self‐assessment
o Reviewing application patches before implementation and regularly
monitoring critical application logs
o Monitoring peripheral security in terms of updating antivirus software
• Interface Security: Security of shared data that is, interfaced data, must be
secured during transmission especially where data is unencrypted.
• Audit Logging and Monitoring: Regular monitoring of audit logs on exception basis
must be done.
Strategic Layer
A comprehensive information security program fully supported by top management and
communicated well to the organization is of paramount importance to succeed in
information security. The security policy should be supported and supplemented by
detailed standards and guidelines. Auditor needs to check whether all these guidelines have
been properly framed and are they capable of achieving the business objectives that
application concerned must deliver.
Chapter 7: Information Technology Regulatory Issues
Objectives of Information Technology Act, 2000
The objectives of the Act are given as follows:
• To grant legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication commonly referred to as
“electronic commerce” in place of paper based methods of communication;
• To give legal recognition to Digital signatures for authentication of any information or
matter, which requires authentication under any law;
• To facilitate electronic filing of documents with Government departments;
• To facilitate electronic storage of data;
• To facilitate and give legal sanction to electronic fund transfers between banks and
financial institutions;
• To give legal recognition for keeping of books of accounts by bankers in electronic form;
and
• To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers Book
Evidence Act, 1891, and the Reserve Bank of India Act, 1934.
Digital Signature and Electronic Signature [Chapter‐II]
This chapter gives legal recognition to electronic records and digital signatures.
How is a digital signature created?
1. The electronic record is converted into a message digest by using a mathematical function
known as a “Hash Function”, which digitally freezes the electronic record. The hash result ensures
the integrity of the content of the electronic record.
2. The identity of the sender is authenticated through the “Private Key”, which attaches itself to
the message digest and can be verified only by a person holding the corresponding “Public Key”.
3. The message and the encrypted hash are sent over the internet.
4. The intended receiver decrypts the hash using the public key.
5. Any tampering with the contents of the electronic record will immediately invalidate the
electronic record.
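The five steps above, carried out end to end in Go, as an added example that is not part of the notes: the record is hashed, the digest is signed with the private key, and the receiver verifies with the public key, so that a record altered after signing fails verification. RSA-PSS with SHA-256 is assumed as the concrete scheme (the notes describe the signing step loosely as “encrypting” the hash), and the purchase-order record is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Step 1: the electronic record is reduced to a message digest with a hash
// function. The same record always produces the same digest.
func messageDigest(record []byte) []byte {
	sum := sha256.Sum256(record)
	return sum[:]
}

// Step 2: the digest is signed with the subscriber's private key. RSA-PSS is
// assumed here as the concrete signature scheme.
func signRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, messageDigest(record), nil)
}

// Steps 4 and 5: the receiver recomputes the digest of the record it received
// and checks the signature with the public key. If the record was altered after
// signing, the digests no longer match and verification fails.
func verifyRecord(pub *rsa.PublicKey, record, signature []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, messageDigest(record), signature, nil) == nil
}

// signAndVerify runs the full flow on a constructed record and reports whether
// the genuine record verifies and whether a tampered copy verifies.
func signAndVerify() (genuineOK bool, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the subscriber's key pair
	if err != nil {
		return false, false, err
	}
	record := []byte("Purchase order 1042: pay INR 50,000 to Example Traders") // constructed
	signature, err := signRecord(priv, record)
	if err != nil {
		return false, false, err
	}
	// Step 3: record and signature travel together; the receiver holds only the public key.
	pub := &priv.PublicKey
	genuineOK = verifyRecord(pub, record, signature)

	// The amount is changed in transit; the signature was made over the original digest.
	tampered := []byte("Purchase order 1042: pay INR 90,000 to Example Traders")
	tamperedOK = verifyRecord(pub, tampered, signature)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := signAndVerify()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("genuine record verifies:", genuine)
	fmt.Println("tampered record verifies:", tampered)
}
```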
“Electronic Record” as per section 1(t) has been defined as
"Electronic Record" means data, record or data generated, image or sound stored, received or
sent in an electronic form or micro film or computer generated micro fiche
Meaning:
Electronic Record refers to any kind of data which has been stored, received or sent in electronic form
either directly or through an electronic device.
[Section 3] Authentication of Electronic Records
Authentication of Electronic Records
(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by
affixing his Digital Signature
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system
and hash function which envelop and transform the initial electronic record into another electronic
record.
Explanation
For the purposes of this sub‐section, "Hash function" means an algorithm mapping or
translation of one sequence of bits into another, generally smaller, set known as "Hash Result"
such that an electronic record yields the same hash result every time the algorithm is executed
with the same electronic record as its input making it computationally infeasible
(a) to derive or reconstruct the original electronic record from the hash result produced by the
algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning
key pair.
Meaning:
Electronic Signature will gain legal recognition if it satisfies the following conditions:
• Anyone who has digital signature may authenticate an electronic record
• Authentication must have been done by asymmetric crypto system and hash function because
of which
o The original message cannot be derived from the hash result, and any tampering with it is detectable
o Two electronic records cannot produce the same hash result
• Any person who has the public key can verify it
• Private and public keys must be unique.
[Section 3A] Electronic Signature
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub‐
section (2), a subscriber may authenticate any electronic record by such electronic signature or
electronic authentication technique which‐
(a) is considered reliable; and
(b) may be specified in the Second Schedule
(2) For the purposes of this section any electronic signature or electronic authentication
technique shall be considered reliable if‐
(a) the signature creation data or the authentication data are, within the context in which they
are used, linked to the signatory or , as the case may be, the authenticator and of no other
person;
(b) the signature creation data or the authentication data were, at the time of signing, under
the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable
(d) any alteration to the information made after its authentication by electronic signature is
detectable; and
(e) it fulfills such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining
whether electronic signature is that of the person by whom it is purported to have been affixed
or authenticated
(4) The Central Government may, by notification in the Official Gazette, add to or omit any
electronic signature or electronic authentication technique and the procedure for affixing such
signature from the second schedule;
Provided that no electronic signature or authentication technique shall be specified in the
Second Schedule unless such signature or technique is reliable
(5) Every notification issued under sub‐section (4) shall be laid before each House of Parliament
Meaning: Electronic signature is considered reliable if:
1. Signature creation data or authentication data belongs to the signatory or authenticator
2. Signature creation data or authentication data were in possession of signatory or authenticator
3. Any alteration after the signature is placed is detectable
4. Any alteration after the information is authenticated is detectable
Additionally, the Central Government may prescribe the procedure for ascertaining the ownership of
the signature.
It may add to or omit from the Second Schedule any authentication or signature technique and the
procedure for affixing the signature,
provided that no technique or procedure is listed in the Second Schedule unless it is reliable.
Electronic Governance [Chapter III]
[Section 4] Legal Recognition of Electronic Records
Where any law provides that information or any other matter shall be in writing or in the
typewritten or printed form, then, notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied if such information or matter is
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference
Meaning: An electronic record will be considered legal despite the fact that another law
specifies that the information must be in printed form, if
1. it is rendered or made available in electronic form, and
2. it is accessible so as to be usable for subsequent reference.
[Section 5] Legal recognition of Electronic Signature
Where any law provides that information or any other matter shall be authenticated by affixing
the signature or any document should be signed or bear the signature of any person then,
notwithstanding anything contained in such law, such requirement shall be deemed to have
been satisfied, if such information or matter is authenticated by means of digital signature
affixed in such manner as may be prescribed by the Central Government.
Explanation ‐
For the purposes of this section, "Signed", with its grammatical variations and cognate
expressions, shall, with reference to a person, mean affixing of his hand written signature or
any mark on any document and the expression "Signature" shall be construed accordingly.
Meaning: Even where another law requires a proper signature, an electronic signature will be
considered legal if it satisfies the requirements prescribed by the Central Government.
[Section 6] Use of Electronic Records and Electronic Signature in Government and its agencies
(1) Where any law provides for
(a) the filing of any form, application or any other document with any office, authority, body or
agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any license, permit, sanction or approval by whatever name called in a
particular manner;
(c) the receipt or payment of money in a particular manner, then, notwithstanding anything
contained in any other law for the time being in force, such requirement shall be deemed to
have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is
effected by means of such electronic form as may be prescribed by the appropriate
Government.
(2) The appropriate Government may, for the purposes of sub‐section (1), by rules, prescribe ‐
(a) the manner and format in which such electronic records shall be filed, created or issued;
(b) the manner or method of payment of any fee or charges for filing, creation or issue any
electronic record under clause (a).
Meaning: What constitutes a valid electronic record, and other related factors, for the
purpose of the government and its agencies?
Under any law
• Filing of any form, application or any other official document as prescribed by relevant
government
• Issuance of license, permits or any other official document under relevant government
As prescribed by any specific government
• any manner or format in which such records will be filed, created or issued
• any charges or fees collected or paid for the filing, creating or issuing of electronic records
[Section 7] Retention of Electronic Records
(1) Where any law provides that documents, records or information shall be retained for any
specific period, then, that requirement shall be deemed to have been satisfied if such
documents, records or information are retained in the electronic form, ‐
(a) the information contained therein remains accessible so as to be usable for a subsequent
reference;
(b) the electronic record is retained in the format in which it was originally generated, sent or
received or in a format which can be demonstrated to represent accurately the information
originally generated, sent or received;
(c) the details which will facilitate the identification of the origin, destination, date and time of
dispatch or receipt of such electronic record are available in the electronic record:
Provided that this clause does not apply to any information which is automatically generated
solely for the purpose of enabling an electronic record to be dispatched or received.
(2) Nothing in this section shall apply to any law that expressly provides for the retention of
documents, records or information in the form of electronic records.
Meaning: Rules applicable to retention of electronic record under any law if law provides for
the retention for a stipulated time
• Information contained in that record must be available
• Record has been kept in its original form or in a form which demonstrates its original
information
• Details regarding its origin and receipt must still be available
However, these rules do not apply to the situations where any other law specifies the retention of
electronic record in any other format.
[Section 7A] Audit of Documents etc. in Electronic form
Where in any law for the time being in force, there is a provision for audit of documents,
records or information, that provision shall also be applicable for audit of documents, records
or information processed and maintained in electronic form (ITAA 2008, Standing Committee
Recommendation)
Meaning: where audit is provided for any documents, electronic documents and information
will also be audited.
[Section 8] Publication of rules, regulation, etc, in Electronic Gazette
Where any law provides that any rule, regulation, order, bye‐law, notification or any other
matter shall be published in the Official Gazette, then, such requirement shall be deemed to
have been satisfied if such rule, regulation, order, bye‐law, notification or any other matter is
published in the Official Gazette or Electronic Gazette:
Provided that where any rule, regulation, order, bye‐law, notification or any other matters
published in the Official Gazette or Electronic Gazette, the date of publication shall be deemed
to be the date of the Gazette which was first published in any form
Meaning: Under any law, publication of any matter in an official gazette will be considered
to be an electronic record if it was published in electronic form.
If it was published in both forms, date of publication will be considered to be the one which
appeared in the first publication
[Section 9] Sections 6, 7 and 8 Not to Confer Right to insist document should be accepted in
electronic form
Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any
Ministry or Department of the Central Government or the State Government or any authority
or body established by or under any law or controlled or funded by the Central or State
Government should accept, issue, create, retain and preserve any document in the form of
electronic records or effect any monetary transaction in the electronic form.
Meaning: No section gives a right to any person to force the inclusion of any document or
transaction in electronic form.
[Section 10] Power to Make Rules by Central Government in respect of Electronic Signature
(Modified Vide ITAA 2008)
The Central Government may, for the purposes of this Act, by rules, prescribe
(a) the type of Electronic Signature;
(b) the manner and format in which the Electronic Signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person affixing the Electronic
Signature;
(d) control processes and procedures to ensure adequate integrity, security and confidentiality
of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to Electronic Signature.
Meaning: Rules that Central Government may create w.r.t. Electronic Signature
• Type of electronic signature
• Manner and format in which it shall be affixed
• Manner in which the person to whom signature belongs shall be identified
• Controls to ensure CIA of records or payments
• Any other matter which legalizes electronic signature
[Section 10A] Validity of contracts formed through electronic means (Inserted by ITAA 2008)
Where in a contract formation, the communication of proposals, the acceptance of proposals,
the revocation of proposals and acceptances, as the case may be, are expressed in electronic
form or by means of an electronic record, such contract shall not be deemed to be
unenforceable solely on the ground that such electronic form or means was used for that
purpose.
Meaning: Contracts will not be deemed unenforceable solely on the ground of being in electronic form.
[Section 14] Secure Electronic Record
Where any security procedure has been applied to an electronic record at a specific point of
time, then such record shall be deemed to be a secure electronic record from such point of
time to the time of verification.
Meaning: An electronic record will be considered secure from the time of application of security
measure to it to the time it gets verified.
Verified means, in relation to digital signature, electronic record or public key, to determine whether:
• Initial electronic record was affixed with digital signature by using private key corresponding
to the public key of the subscriber
• Initial electronic record is retained intact or has been altered since the time of affixation of
digital signature
[Section 15] Secure Electronic Signature (Substituted vide ITAA 2008)
An electronic signature shall be deemed to be a secure electronic signature if‐
(i) the signature creation data, at the time of affixing signature, was under the exclusive control
of signatory and no other person; and
(ii) the signature creation data was stored and affixed in such exclusive manner as may be
prescribed
Explanation‐ In case of digital signature, the "signature creation data" means the private key of
the subscriber
Meaning: An electronic signature is deemed secure if
• the signature creation data (for a digital signature, the subscriber's private key) was under the exclusive control of the signatory and no one else at the time of signing, and
• it was stored and affixed in the exclusive manner prescribed
[Section 16] Security procedures and Practices
The Central Government may for the purposes of sections 14 and 15 prescribe the security
procedures and practices
Provided that in prescribing such security procedures and practices, the Central Government
shall have regard to the commercial circumstances, nature of transactions and such other
related factors as it may consider appropriate.
Meaning: Central government may lay down the security procedures and practices while
keeping into account the commercial circumstances, nature of transactions and other related
factors.
Penalties, Compensation and Adjudication [Chapter IX]
[Section 43] Penalty and Compensation for damage to computer, computer system, etc
If any person without permission of the owner or any other person who is in charge of a
computer, computer system or computer network ‐
(a) Accesses or secures access to such computer, computer system or computer network or
computer resource
(b) Downloads, copies or extracts any data, computer data base or information from such
computer, computer system or computer network including information or data held or stored
in any removable storage medium;
(c) Introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
(d) Damages or causes to be damaged any computer, computer system or computer network,
data, computer data base or any other programmes residing in such computer, computer
system or computer network;
(e) Disrupts or causes disruption of any computer, computer system or computer network;
(f) Denies or causes the denial of access to any person authorized to access any computer,
computer system or computer network by any means;
(g) Provides any assistance to any person to facilitate access to a computer, computer system or
computer network in contravention of the provisions of this Act, rules or regulations made
there under,
(h) Charges the services availed of by a person to the account of another person by tampering
with or manipulating any computer, computer system, or computer network,
(i) Destroys, deletes or alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means;
(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter
any computer source code used for a computer resource with an intention to cause damage
(Inserted vide ITAA 2008);
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to
the person so affected.
Explanation ‐ for the purposes of this section ‐
(i) "Computer Contaminant" means any set of computer instructions that are designed ‐
(a) to modify, destroy, record, transmit data or programme residing within a computer,
computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer system, or
computer network;
(ii) "Computer Database" means a representation of information, knowledge, facts, concepts or
instructions in text, image, audio, video that are being prepared or have been prepared in a
formalized manner or have been produced by a computer, computer system or computer
network and are intended for use in a computer, computer system or computer network;
(iii) "Computer Virus" means any computer instruction, information, data or programme that
destroys, damages, degrades or adversely affects the performance of a computer resource or
attaches itself to another computer resource and operates when a programme, data or
instruction is executed or some other event takes place in that computer resource;
(iv) "Damage" means to destroy, alter, delete, add, modify or re‐arrange any computer
resource by any means.
(v) "Computer Source code" means the listing of programmes, computer commands, design
and layout and programme analysis of computer resource in any form
[Section 43A] Compensation for failure to protect data (Inserted vide ITAA 2008)
Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation, not exceeding five crore rupees, to the person so affected.
Explanation: For the purposes of this section
(i) "body corporate" means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities
(ii) "reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorized access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as may
be specified in any law for the time being in force and in the absence of such agreement or any
law, such reasonable security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it may deem fit.
(iii) "sensitive personal data or information" means such personal information as may be
prescribed by the Central Government in consultation with such professional bodies or
associations as it may deem fit.
Meaning: Anyone who, without the permission of the owner or person in charge, accesses a
computer, computer system or network, copies or extracts data from it, introduces a contaminant
or virus, damages or disrupts it, denies access to authorized users, helps others gain access in
contravention of the Act, charges one person's usage to another's account, destroys or alters
information, or steals or tampers with computer source code, is liable to compensate the person
affected up to 1 crore.
Further, a body corporate that handles sensitive personal data in a computer resource it owns,
controls or operates, and is negligent in implementing reasonable security practices and
procedures (as agreed between the parties, specified by law, or prescribed by the Central
Government in consultation with professional bodies), and thereby causes wrongful loss or gain
to any person, is liable to compensate the person affected up to 5 crore.
[Section 44] Penalty for failure to furnish information, return, etc
If any person who is required under this Act or any rules or regulations made there under to ‐
(a) furnish any document, return or report to the Controller or the Certifying Authority, fails to
furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand
rupees for each such failure;
(b) file any return or furnish any information, books or other documents within the time
specified therefor in the regulations, fails to file return or furnish the same within the time
specified therefore in the regulations, he shall be liable to a penalty not exceeding five
thousand rupees for every day during which such failure continues:
(c) maintain books of account or records, fails to maintain the same, he shall be liable to a
penalty not exceeding ten thousand rupees for every day during which the failure continues.
[Section 45] Residuary Penalty
Whoever contravenes any rules or regulations made under this Act, for the contravention of
which no penalty has been separately provided, shall be liable to pay a compensation not
exceeding twenty‐five thousand rupees to the person affected by such contravention or a
penalty not exceeding twenty‐five thousand rupees.
Meaning: Any contravention of rules or regulations made under this Act for which no penalty is
separately provided falls under this section: compensation up to 25,000 to the person affected,
or a penalty up to 25,000.
Offences under IT Act [Chapter XI]
Section 65: Tampering with 'computer source code'
Explanation: tampering with computer program, commands, design, layout etc.
Punishment: imprisonment up to 3 years or fine up to 2 lakhs or both
Section 66: Computer related offences
Explanation: any act under section 43 done dishonestly (as per sec 24 of IPC) or fraudulently (as per sec 25 of IPC)
Punishment: imprisonment up to 3 years or fine up to 5 lakhs or both
Section 66A: Sending offensive messages through communication service, etc.
Explanation: offensive or false information, or any email to addressee or
Punishment: imprisonment up to 3 years with fine
[Section 68] Power of Controller to give directions (Amended Vide ITAA 2008)
(1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take
such measures or cease carrying on such activities as specified in the order if those are necessary to
ensure compliance with the provisions of this Act, rules or any regulations made there under.
(2) Any person who intentionally or knowingly fails to comply with any order under sub‐section (1) shall
be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding two
years or to a fine not exceeding one lakh rupees or to both.
Meaning: The Controller may by order direct a Certifying Authority, or any of its employees, to
take measures or stop activities, provided this is necessary to ensure compliance with the Act,
rules or regulations.
Intentionally or knowingly failing to comply with such an order: imprisonment up to 2 years or
fine up to 1 lakh or both.
[Section 69] Powers to issue directions for interception or monitoring or decryption of any
information through any computer resource
(1) Where the central Government or a State Government or any of its officer specially
authorized by the Central Government or the State Government, as the case may be, in this
behalf may, if is satisfied that it is necessary or expedient to do in the interest of the
sovereignty or integrity of India, defense of India, security of the State, friendly relations with
foreign States or public order or for preventing incitement to the commission of any cognizable
offence relating to above or for investigation of any offence, it may, subject to the provisions of
sub‐section (2), for reasons to be recorded in writing, by order, direct any agency of the
appropriate Government to intercept, monitor or decrypt or cause to be intercepted or
monitored or decrypted any information transmitted received or stored through any computer
resource.
(2) The Procedure and safeguards subject to which such interception or monitoring or
decryption may be carried out, shall be such as may be prescribed
(3) The subscriber or intermediary or any person in charge of the computer resource shall,
when called upon by any agency which has been directed under sub section (1), extend all
facilities and technical assistance to ‐
(a) provide access to or secure access to the computer resource generating, transmitting,
receiving or storing such information; or
(b) intercept or monitor or decrypt the information, as the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in
sub‐section (3) shall be punished with an imprisonment for a term which may extend to seven
years and shall also be liable to fine.
Meaning: The Central or State Government, or an officer it specially authorizes, may, for reasons
recorded in writing, direct any agency of that Government to intercept, monitor or decrypt
information transmitted, received or stored through any computer resource, where this is
necessary in the interest of the sovereignty or integrity of India, defense of India, security of
the State, friendly relations with foreign States or public order, for preventing incitement to a
cognizable offence relating to these, or for investigation of any offence. Points to remember:
1. Procedure and safeguards shall be as prescribed.
2. The subscriber, intermediary or person in charge of the computer resource, when called upon
by the directed agency, shall
a) provide or secure access to the computer resource
b) intercept, monitor or decrypt the information
c) provide information stored in the computer resource
3. Any person who fails to assist the agency: imprisonment up to 7 years and fine.
[Section 69A] Power to issue directions for blocking for public access of any information
through any computer resource
(1) Where the Central Government or any of its officer specially authorized by it in this behalf is
satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of
India, defense of India, security of the State, friendly relations with foreign states or public
order or for preventing incitement to the commission of any cognizable offence relating to
above, it may subject to the provisions of sub‐sections (2) for reasons to be recorded in writing,
by order direct any agency of the Government or intermediary to block access by the public or
cause to be blocked for access by public any information generated, transmitted, received,
stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may
be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub‐section (1) shall be
punished with an imprisonment for a term which may extend to seven years and also be liable
to fine.
Meaning: The Central Government, or an officer it specially authorizes, may, for reasons recorded
in writing and on the same grounds as section 69 (sovereignty and integrity of India, defense,
security of the State, friendly relations with foreign states, public order, or preventing
incitement to a related cognizable offence), direct any Government agency or intermediary to
block public access to any information in a computer resource. Points to remember:
1. Procedure and safeguards shall be as prescribed.
2. An intermediary who fails to comply: imprisonment up to 7 years and fine.
[Section 69B] Power to authorize to monitor and collect traffic data or information through
any computer resource for Cyber Security
(1) The Central Government may, to enhance Cyber Security and for identification, analysis and
prevention of any intrusion or spread of computer contaminant in the country, by notification
in the official Gazette, authorize any agency of the Government to monitor and collect traffic
data or information generated, transmitted, received or stored in any computer resource.
(2) The Intermediary or any person in‐charge of the Computer resource shall when called upon
by the agency which has been authorized under sub‐section (1), provide technical assistance
and extend all facilities to such agency to enable online access or to secure and provide online
access to the computer resource generating, transmitting, receiving or storing such traffic data
or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall
be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub‐section
(2) shall be punished with an imprisonment for a term which may extend to three years and
shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to identify any person, computer
system or computer network or location to or from which the communication is or may be
transmitted and includes communications origin, destination, route, time, date, size, duration
or type of underlying service or any other information.
Meaning: To enhance cyber security and to identify, analyse and prevent intrusions or the spread
of computer contaminants, the Central Government may, by notification in the Official Gazette,
authorize any Government agency to monitor and collect traffic data or information generated,
transmitted, received or stored in any computer resource.
The intermediary or person in charge of the computer resource, when called upon by the
authorized agency, shall provide technical assistance and extend all facilities for online access.
Procedures and safeguards shall be as prescribed.
An intermediary who intentionally or knowingly contravenes: up to 3 years and fine.
[Section 70] Protected system
(1) The appropriate Government may, by notification in the Official Gazette, declare any
computer resource which directly or indirectly affects the facility of Critical Information
Infrastructure, to be a protected system.
Explanation: For the purposes of this section, "Critical Information Infrastructure" means the
computer resource, the incapacitation or destruction of which , shall have debilitating impact
on national security, economy, public health or safety. (Substituted vide ITAA‐2008)
(2) The appropriate Government may, by order in writing, authorize the persons who are
authorized to access protected systems notified under sub‐section (1)
(3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.
(4) The Central Government shall prescribe the information security practices and procedures
for such protected system.
Meaning: The appropriate Government may, by notification in the Official Gazette, declare any
computer resource that directly or indirectly affects the facility of Critical Information
Infrastructure to be a protected system.
The persons authorized to access such a system are specified by the Government by order in writing.
Any person who secures, or attempts to secure, access in contravention of this section: up to 10
years and fine.
The Central Government prescribes the information security practices and procedures for
protected systems.
[Section 70 A] National nodal agency.
(1) The Central Government may, by notification published in the official Gazette, designate any
organization of the Government as the national nodal agency in respect of Critical Information
Infrastructure Protection.
(2) The national nodal agency designated under sub‐section (1) shall be responsible for all
measures including Research and Development relating to protection of Critical Information
Infrastructure.
(3) The manner of performing functions and duties of the agency referred to in sub‐section (1)
shall be such as may be prescribed.
Meaning: Central government may appoint any organization of government as national
nodal agency in respect of Critical Information Infrastructure Protection.
This nodal agency will be responsible for all measures including R & D to protect Critical
Information Infrastructure. The manner of performing functions shall be as prescribed.
[Section 70 B] Indian Computer Emergency Response Team to serve as national agency for
incident response
(1) The Central Government shall, by notification in the Official Gazette, appoint an agency of
the government to be called the Indian Computer Emergency Response Team.
(2) The Central Government shall provide the agency referred to in sub‐section (1) with a
Director General and such other officers and employees as may be prescribed.
(3) The salary and allowances and terms and conditions of the Director General and other
officers and employees shall be such as may be prescribed.
(4) The Indian Computer Emergency Response Team shall serve as the national agency for
performing the following functions in the area of Cyber Security,‐
(a) collection, analysis and dissemination of information on cyber incidents
(b) forecast and alerts of cyber security incidents
(c) emergency measures for handling cyber security incidents
(d) Coordination of cyber incidents response activities
(e) issue guidelines, advisories, vulnerability notes and white papers relating to information
security practices, procedures, prevention, response and reporting of cyber incidents
(f) such other functions relating to cyber security as may be prescribed
(5) The manner of performing functions and duties of the agency referred to in sub‐section (1)
shall be such as may be prescribed.
(6) For carrying out the provisions of sub‐section (4), the agency referred to in sub‐section (1)
may call for information and give direction to the service providers, intermediaries, data
centers, body corporate and any other person
(7) Any service provider, intermediaries, data centers, body corporate or person who fails to
provide the information called for or comply with the direction under sub‐section (6) , shall be
punishable with imprisonment for a term which may extend to one year or with fine which may
extend to one lakh rupees or with both.
(8) No Court shall take cognizance of any offence under this section, except on a complaint
made by an officer authorized in this behalf by the agency referred to in sub‐section (1)
Meaning: The Indian Computer Emergency Response Team, appointed by the Central Government
and headed by a Director General, is the national agency for incident response; its functions
are those listed above.
To carry out these functions it may call for information from, and give directions to, service
providers, intermediaries, data centres, body corporates and any other person.
Failure to provide the information or comply with a direction: up to 1 year or fine up to 1 lakh
or both.
A court takes cognizance of an offence under this section only on a complaint by an officer
authorized by the agency.
[Section 71] Penalty for misrepresentation
Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller
or the Certifying Authority for obtaining any license or Electronic Signature Certificate, as the
case may be, shall be punished with imprisonment for a term which may extend to two years,
or with fine which may extend to one lakh rupees, or with both.
Meaning: Any misrepresentation or suppression of material fact for obtaining any license or
Electronic Signature Certificate – up to 2 years or up to 1 Lakh or both
[Section 72] Breach of confidentiality and privacy
Save as otherwise provided in this Act or any other law for the time being in force, any person
who, in pursuant of any of the powers conferred under this Act, rules or regulations made there
under, has secured access to any electronic record, book, register, correspondence,
information, document or other material without the consent of the person concerned
discloses such electronic record, book, register, correspondence, information, document or
other material to any other person shall be punished with imprisonment for a term which may
extend up to two years, or with fine which may extend to one lakh rupees, or with both.
Meaning: Unless otherwise provided for under this act or any other law, any person who has
secured access to any electronic record without the consent of the person concerned and discloses
to any other person – up to 2 years or up to one lakh or both
[Section72 A] Punishment for Disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force, any person
including an intermediary who, while providing services under the terms of lawful contract, has
secured access to any material containing personal information about another person, with the
intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses,
without the consent of the person concerned, or in breach of a lawful contract, such material to
any other person shall be punished with imprisonment for a term which may extend to three
years, or with a fine which may extend to five lakh rupees, or with both.
Meaning: If any person including an intermediary while providing services under a legal
contract, has secured access to any material containing personal information about another
person with the intent of cause loss, without the consent of the person concerned or in breach of
legal contract – up to 3 years or up to 5 lakhs or both.
[Section 73] Penalty for publishing electronic Signature Certificate false in certain particulars
(1) No person shall publish a Electronic Signature Certificate or otherwise make it available to
any other person with the knowledge that
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended,
unless such publication is for the purpose of verifying a digital signature created prior to such
suspension or revocation
(2) Any person who contravenes the provisions of sub‐section (1) shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend to one
lakh rupees, or with both.
Meaning: No person may publish an Electronic Signature Certificate, or make it available to
anyone else, knowing that:
• the Certifying Authority listed in it has not issued it
• the subscriber listed in it has not accepted it
• it has been revoked or suspended (unless the publication is to verify a digital signature
created before the suspension or revocation)
Up to 2 years or fine up to 1 lakh or both
[Section 74] Publication for fraudulent purpose
Whoever knowingly creates, publishes or otherwise makes available a Electronic Signature
Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a
term which may extend to two years, or with fine which may extend to one lakh rupees, or with
both
[Section 75] Act to apply for offence or contraventions committed outside India
(1) Subject to the provisions of sub‐section (2), the provisions of this Act shall apply also to any
offence or contravention committed outside India by any person irrespective of his nationality.
(2) For the purposes of sub‐section (1), this Act shall apply to an offence or contravention
committed outside India by any person if the act or conduct constituting the offence or
contravention involves a computer, computer system or computer network located in India.
Meaning: The Act applies to an offence or contravention committed outside India by any person,
whatever their nationality, if the act involves a computer, computer system or computer
network located in India.
[Section 76] Confiscation
Any computer, computer system, floppies, compact disks, tape drives or any other accessories
related thereto, in respect of which any provision of this Act, rules, orders or regulations made
there under has been or is being contravened, shall be liable to confiscation:
Provided that where it is established to the satisfaction of the court adjudicating the
confiscation that the person in whose possession, power or control of any such computer,
computer system, floppies, compact disks, tape drives or any other accessories relating thereto
is found is not responsible for the contravention of the provisions of this Act, rules, orders or
regulations made there under, the court may, instead of making an order for confiscation of
such computer, computer system, floppies, compact disks, tape drives or any other accessories
related thereto, make such other order authorized by this Act against the person contravening
of the provisions of this Act, rules, orders or regulations made there under as it may think fit.
Meaning: Any computer, computer system, storage media or related accessories in respect of
which a provision of this Act, rules, orders or regulations has been or is being contravened may
be confiscated. If the court is satisfied that the person in whose possession they are found is
not responsible for the contravention, it may, instead of ordering confiscation, make any other
order the Act authorizes against the person who committed the contravention.
Enterprises need to take steps to ensure compliance with cyber laws. Some key steps to
achieve that are:
• Designate a cyber law compliance officer as required
• Conduct regular training of relevant employees on Cyber law compliance
• Implement strict procedures in HR policy for non compliance
• Implement authentication procedures as suggested in law
• Implement policy and procedures for data retention as suggested
• Identify and initiate safeguard requirements as applicable under various provisions of the
Act, such as sections 43A, 69, 69A, 69B etc.
• Implement applicable standards of data privacy on collection, retention, access, deletion
etc.
• Implement reporting mechanism for compliance with cyber laws.
Intermediaries Not To Be Liable In Certain cases [Chapter XII]
For the purpose of this section, “network service provider” = intermediary
“third party information” – any information dealt with by a network service provider in his
capacity as an intermediary
[Section 79] Exemption from liability of intermediary in certain cases
(1) Notwithstanding anything contained in any law for the time being in force but subject to the
provisions of sub‐sections (2) and (3), an intermediary shall not be liable for any third party
information, data, or communication link hosted by him.
(2) The provisions of sub‐section (1) shall apply if‐
(a) the function of the intermediary is limited to providing access to a communication system
over which information made available by third parties is transmitted or temporarily stored; or
(b) the intermediary does not‐
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
(c) the intermediary observes due diligence while discharging his duties under this Act and also
observes such other guidelines as the Central Government may prescribe in this behalf
(3) The provisions of sub‐section (1) shall not apply if‐
(a) the intermediary has conspired or abetted or aided or induced whether by threats or
promise or otherwise in the commission of the unlawful act
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its
agency that any information, data or communication link residing in or connected to a
computer resource controlled by the intermediary is being used to commit the unlawful act, the
intermediary fails to expeditiously remove or disable access to that material on that resource
without vitiating the evidence in any manner.
Explanation:‐ For the purpose of this section, the expression "third party information" means
any information dealt with by an intermediary in his capacity as an intermediary.
Meaning: An intermediary is not liable for third party information hosted by it if
• its function is limited to providing access to a communication system over which third party
information is transmitted or temporarily stored, or
• it does not initiate the transmission, select its receiver, or select or modify the information
contained in it, and
• it observes due diligence and any guidelines prescribed by the Central Government.
The intermediary remains liable if:
• it conspired, abetted, aided or induced the unlawful act, or
• on actual knowledge, or on notification by the appropriate Government or its agency, that
material on its resource is being used to commit an unlawful act, it fails to expeditiously
remove or disable access to that material without vitiating the evidence.
Examiner of Electronic Evidence [Chapter XII A]
[Section 79A] Central Government to notify Examiner of Electronic Evidence
The Central Government may, for the purposes of providing expert opinion on electronic form
evidence before any court or other authority specify, by notification in the official Gazette, any
department, body or agency of the Central Government or a State Government as an Examiner
of Electronic Evidence.
Explanation:‐ For the purpose of this section, "Electronic Form Evidence" means any
information of probative value that is either stored or transmitted in electronic form and
includes computer evidence, digital audio, digital video, cell phones, digital fax machines".
Meaning: The Central Government for providing expert opinion on electronic form evidence
before any authority may appoint any government body as an Examiner of Electronic Evidence.
Miscellaneous [Chapter XIII]
[Section 80] Power of Police Officer and Other Officers to Enter, Search, etc
(1) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, any police
officer, not below the rank of a Inspector or any other officer of the Central Government or a
State Government authorized by the Central Government in this behalf may enter any public
place and search and arrest without warrant any person found therein who is reasonably
suspected of having committed or of committing or of being about to commit any offence
under this Act
Explanation
For the purposes of this sub‐section, the expression "Public Place" includes any public
conveyance, any hotel, any shop or any other place intended for use by, or accessible to the
public.
(2) Where any person is arrested under sub‐section (1) by an officer other than a police officer,
such officer shall, without unnecessary delay, take or send the person arrested before a
magistrate having jurisdiction in the case or before the officer‐in‐charge of a police station.
(3) The provisions of the Code of Criminal Procedure, 1973 shall, subject to the provisions of
this section, apply, so far as may be, in relation to any entry, search or arrest, made under this
section
Meaning: A police officer of the rank of Inspector or above (or another officer authorized by the
Central Government) may enter any public place and search or arrest without a warrant any
person reasonably suspected of committing an offence under the Act. If the arresting officer is
not a police officer, the arrested person must be taken without unnecessary delay before a
magistrate or the officer‐in‐charge of a police station. Otherwise the Code of Criminal
Procedure, 1973 applies to the entry, search or arrest.
[Section 81] Act to have Overriding effect
The provisions of this Act shall have effect notwithstanding anything inconsistent therewith
contained in any other law for the time being in force.
Provided that nothing contained in this Act shall restrict any person from exercising any right
conferred under the Copyright Act, 1957 or the Patents Act, 1970.
[Section 81A] Application of the Act to Electronic cheque and Truncated cheque
(1) The provisions of this Act, for the time being in force, shall apply to, or in relation to,
electronic cheques and the truncated cheques subject to such modifications and amendments
as may be necessary for carrying out the purposes of the Negotiable Instruments Act, 1881 (26
of 1881) by the Central Government, in consultation with the Reserve Bank of India, by
notification in the Official Gazette.
(2) Every notification made by the Central Government under subsection (1) shall be laid, as
soon as may be after it is made, before each House of Parliament, while it is in session, for a
total period of thirty days which may be comprised in one session or in two or more successive
sessions, and if, before the expiry of the session immediately following the session or the
successive sessions aforesaid, both houses agree in making any modification in the notification
or both houses agree that the notification should not be made, the notification shall thereafter
have effect only in such modified form or be of no effect, as the case may be; so, however, that
any such modification or annulment shall be without prejudice to the validity of anything
previously done under the notification.
Explanation: For the purpose of this Act, the expression "electronic cheque" and "truncated
cheque" shall have the same meaning as assigned to them in section 6 of the Negotiable
Instruments Act 1881 (26 of 1881).
Meaning: The Act applies to electronic cheques and truncated cheques, subject to such
modifications as the Central Government (in consultation with the Reserve Bank of India)
notifies to carry out the purposes of the Negotiable Instruments Act, 1881. Every such
notification must be laid before both Houses of Parliament, which may modify or annul it;
anything already done under the notification remains valid.
[Section 84 C] Punishment for attempt to commit offences
Whoever attempts to commit an offence punishable by this Act or causes such an offence to be
committed, and in such an attempt does any act towards the commission of the offence, shall,
where no express provision is made for the punishment of such attempt, be punished with
imprisonment of any description provided for the offence, for a term which may extend to one‐
half of the longest term of imprisonment provided for that offence, or with such fine as is
provided for the offence or with both.
Meaning: A person who attempts to commit an offence under the Act (where no specific
punishment for the attempt is provided) may be punished with imprisonment of up to one half
of the longest term provided for that offence, or with the fine provided for the offence, or
with both.
[Section 85] Offences by Companies.
(1) Where a person committing a contravention of any of the provisions of this Act or of any
rule, direction or order made there under is a Company, every person who, at the time the
contravention was committed, was in charge of, and was responsible to, the company for the
conduct of business of the company as well as the company, shall be guilty of the contravention
and shall be liable to be proceeded against and punished accordingly:
Provided that nothing contained in this sub‐section shall render any such person liable to
punishment if he proves that the contravention took place without his knowledge or that he
exercised all due diligence to prevent such contravention.
(2) Notwithstanding anything contained in sub‐section (1), where a contravention of any of the
provisions of this Act or of any rule, direction or order made there under has been committed
by a company and it is proved that the contravention has taken place with the consent or
connivance of, or is attributable to any neglect on the part of, any director, manager, secretary
or other officer of the company, such director, manager, secretary or other officer shall also be
deemed to be guilty of the contravention and shall be liable to be proceeded against and
punished accordingly.
Explanation‐
For the purposes of this section
(i) "Company" means any Body Corporate and includes a Firm or other Association of
individuals; and
(ii) "Director", in relation to a firm, means a partner in the firm
ISO 27001
It is the international best practice and standard for an Information Security Management
System (ISMS): a systematic approach to managing sensitive information so that its
confidentiality, integrity and availability (CIA) are preserved. ISO 27001 aims to provide a
methodology for the implementation of information security in an organization.
Four Phases of ISMS (the Plan‐Do‐Check‐Act cycle)
• The Plan Phase
o Determine the scope
o Write ISMS policy
o Identify risk assessment methodology and determine the criteria for risk
acceptance
o Identify assets, vulnerabilities and threats
o Evaluation of size of risks
o Identification and assessment of risk treatment options
o Selection of controls for risk treatment
o Obtaining management approval for residual risk
o Obtaining management approval for implementing of the ISMS
o Writing a Statement of Applicability that lists all applicable controls, states which
of them have already been implemented, and which controls are not applicable (and why)
• The Do Phase
o Writing a risk treatment plan – describes who, how, when and with what budget the
applicable controls should be implemented
o Implementing the risk treatment plan
o Implementing the applicable security controls
o Defining how the effectiveness of the controls will be measured
o Carrying out awareness programs and training of employees
o Management of normal operation of ISMS
o Management of ISMS resources
o Implementation of procedures for detecting and managing security incidents
• The Check Phase
o Implementation of procedures and other controls for monitoring and reviewing
in order to establish any violation, incorrect data processing, whether the
security activities are carried out as expected
o Regular reviews of the effectiveness of ISMS
o Measuring the effectiveness of controls
o Reviewing risk assessment at regular intervals
o Internal audit at planned intervals
o Management reviews to ensure that the ISMS is functioning and to identify
opportunities for improvement
o Updating security plans in order to take account of other monitoring and
reviewing activities
o Keeping records of activities and incidents that may affect the effectiveness of
the ISMS
• The Act Phase
o Implementation of identified improvements in ISMS
o Taking corrective action and preventive action; applying own and others’ security
experiences
o Communicating activities and improvements to all stakeholders
o Ensuring that improvements achieve the desired objectives
Key benefits of ISO 27001
• It can act as the extension of the current quality system to include security
• It provides an opportunity to identify and manage risks to key information and systems
assets
• Provides confidence and assurance to trading partners and clients; acts as a marketing
tool
• Allows independent review of, and assurance on, the organization’s information security
practices
Reasons for a company to adopt ISO 27001
• Suitable for protecting critical and sensitive information
• Provides a holistic, risk based approach to secure information and compliance
• Demonstrates credibility, trust, satisfaction and confidence with stakeholders
• Demonstrates security status according to internationally accepted criteria
• Creates a market differentiation due to prestige, image and external goodwill
• Once a company is certified, the certification is recognized globally.
SA 402
SA 402 is a revised version of the erstwhile Auditing and Assurance Standard (AAS) 24, “Audit
Considerations Relating to Entities Using Service Organizations”, issued by ICAI in 2002. It deals
with:
• Auditor’s responsibility to obtain sufficient appropriate evidence
• Obtaining an understanding of services provided by a service organization
ITIL (IT Infrastructure Library)
It focuses on aligning IT services with the business needs. It has five core volumes or
components:
Service Strategy: Guides on design, development and implementation of service management
as strategic asset.
Service Design: Guides on the design and development of services and service management
processes. It includes design principles and methods for converting strategic objectives into
portfolios of services and service assets.
Service Transition: Guides on moving new or changed services from design into live operation,
ensuring that the service delivers the intended strategy and that it can be operated and
maintained effectively.
Service Operation: Guides the management of a service through its day to day production life.
It also guides on supporting operations by means of new models and architectures such as
shared services, utility computing, web services, and mobile commerce.
Continual Service Improvement: guides on the measurement of service performance through
the service life cycle, suggesting improvements to ensure that a service delivers maximum
benefit.
IRDA Requirements for Systems Control and Audit
I Systems Audit:
• All insurers shall have their systems and processes audited at least once in three years
by a CA firm.
• Current internal, concurrent or statutory auditor is not eligible.
• Firm should have minimum of 3‐4 years experience in IT systems of banks, mutual funds
or Insurance companies
II Preliminaries: Information to be obtained before proceeding with the
audit:
• Location from where the investment is conducted
• IT applications used to manage investment portfolio
• System layout of IT and network infrastructure
• Are systems and applications hosted at a central location or at different offices?
• Previous Audit reports and open issues/ details of unresolved issues
o Internal Audit
o Statutory Audit
o IRDA inspection/ Audit
• Internal circulars and guidelines of insurers
• Standard Operating Procedures
• List of new products/ Funds introduced along with their IRDA approvals
• Scrip wise list of all investments
• IRDA correspondence files, circulars and notifications issued by IRDA
• IT security Policy
• Business Continuity Plans
• Network security reports pertaining to IT assets
III System Controls
• Data should be transferred electronically without manual intervention.
• Systems should be integrated.
• Audit trails required at every data entry point. Review and maintenance policies exist.
• Auditor’s comment on audit trails required
• Audit should review and confirm that audit trails exist.
• Auditor shall ascertain that the system has separate logins for each user and maintains
trail w.r.t to logins.
RBI Requirements for Systems Control and Audit
I System Controls
• Segregation of duties at each possible level.
• Contingency plans in the event of failure should be implemented and tested.
• Documented appropriate control measure to protect computers from malicious attacks.
• Branches should use uniform software standards; hence changes or modifications should be
implemented in a standard manner and approved by senior management, and must be
verified by the inspection and audit department.
• Responsibility of internal controls effectiveness lies on management.
• Annual review of IS audit policy.
• Quality assurance audit must be conducted at least once in 3 years on bank’s internal
audit including IS audit.
II System Audit
• Separate IS audit is required headed by IS audit head reporting to head of Internal Audit
or Chief Audit Executive.
• Auditors must be independent and competent.
• IS audit should be independent of the auditee, both in attitude and appearance. Must
be addressed in engagement letter.
• Banks should ensure that:
o Auditors should have access to information and applications
o Auditors have the right to conduct independent data inspection and analysis
• Auditors should be professionally competent. CISA/ DISA/ CISSP with 2 or more years of
experience in banking.
• IT governance and critical IT controls must be audited (IS audit) at least once a year (or
more frequently, if warranted by risk assessment)
• IS audits should also cover branches – especially the large and the medium ones.
• IS auditors should review following additional areas that are critical and high risk:
o IT governance and Information security governance
o Testing SDLC controls:
▪ Pre‐implementation review of controls
▪ Controls are not diluted during data migration
▪ Controls meet the bank’s policies as well as legal requirements
▪ Appropriate control objectives are met
• Post implementation review of controls. Periodic review should be done as well.
• Detailed audit of SDLC must be carried out.
• Implementation review and data migration review
• IS auditors may validate IT risks so that additional controls may be implemented.
• No inappropriate residual risk must be accepted by management.
In addition, RBI’s inspection wing must also carry out inspections.
SEBI Requirements for Systems Control and Audit
I Systems Audit
• Audit must be conducted as per the norms and guidelines issued by SEBI.
• Auditors should be appointed as per the norms. Auditors can perform a maximum of 3
successive audits. Proposal from auditors must be submitted to SEBI for records
• Audit schedule must be submitted at least 2 months in advance along with scope of
current and previous audit.
• Scope of the audit may be extended by SEBI.
• Audit has to be conducted and report must be submitted to Auditee. It should reflect all
compliance and variation issues. Previous audit reports must also be considered and
open items must be covered.
• Auditee management provides their comment about the Non‐conformities and
observations. For each NC, corrective action must be taken within 3 months and
reported to SEBI.
The auditee’s comments shall be submitted to SEBI within 1 month of completion of the audit.
Sample areas of review covered by IS audit assignments are:
II Audit Report Norms
• Systems audit reports and compliance status should be placed before the governing
board of the stock exchange. The systems audit report, along with the board’s comments, must
be communicated to SEBI.
• Report must have explicit coverage of each Major area mentioned in TOR (Terms of
References) and must indicate any Non Conformity or observations.
III Auditor Selection Norms
• Minimum 3 years experience in IT audit of Securities industry participants and
experience should be there in all aspects of industry comprehensively.
• Proper certification should be there like CISA, CISM, CISSP.
• Auditor should have working knowledge of frameworks like COBIT.
• Auditor must not have conflicting interests. No engagement should have been there
over last three years in any consulting with any department/ units of the auditee.
• Auditor must not have any pending cases of its unsuitability with any participant
governed under SEBI.
IV Systems Controls
• Along with audit report, a declaration from MD/ CEO must be submitted certifying the
security and integrity of their IT systems
• A proper audit trail for any changes to KYC data to be maintained.
Chapter 8
ERP
&
Other Emerging
Technologies
‘Cloud Computing’
Cloud Computing means the use of computing resources through the internet. The internet is
usually visualized as a cloud; hence the term cloud computing.
In cloud computing, users can access database resources via the internet from anywhere, for as
long as they need, without worrying about any maintenance or management of the actual
resources. For example: Google Apps – any application can be accessed using a browser and it
can be deployed on thousands of computers through the internet.
‘Cloud Computing vs. Grid Computing’
1. Scalability: They both are scalable. Scalability is achieved through increasing or
decreasing the CPU and network bandwidth depending on the number of users, instances and
the amount of data at a given time.
2. Multi‐tasking: Both the systems offer multitasking as customers can perform
multiple tasks at a single time. Sharing of resources among a large pool of users reduces the
infrastructure cost and the cost of peak load capacity. Both offer a guaranteed uptime of up to
99%; if uptime falls below the guarantee, customers receive service credits.
3. Data Storage: Grid computing is economical only for large data storage,
whereas, cloud computing supports both small and large data storage.
4. CPU: Grid focuses on CPU intensive operations, while cloud offers two types of
instances – standard and high‐CPU.
‘Issues with Cloud Computing’
Threshold Policy: When the demand for a resource is high, additional instances are created
to fulfil it, and when the demand decreases, the instances of those resources are de‐allocated
and put to another use. Working out a threshold policy that detects sudden changes in demand
for a particular resource, and defines how the allocation or de‐allocation will take place, is an
important factor in deciding the effectiveness of the cloud.
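The allocation and de‐allocation logic a threshold policy describes is easiest to see in code. The following Go program is an added example written for these notes; it is not material from the ICAI module or code from any cloud provider, and the thresholds, the sustain and cooldown counts, the starting pool size and the demand series are all assumed values. It scales the pool only when utilisation stays outside the band for a set number of samples, so a single spike or dip does not make the pool flap, and it clamps the result to the configured minimum and maximum.

```go
package main

import (
	"fmt"
	"math"
)

// Policy is the threshold policy: when to add capacity, when to release it,
// how long a breach must last before acting, and hard limits on pool size.
// The values used in main are assumptions for the example, not figures from the notes.
type Policy struct {
	ScaleUpAbove    float64 // act when utilisation (demand per instance) exceeds this
	ScaleDownBelow  float64 // act when utilisation drops below this
	SustainSamples  int     // consecutive breaching samples required before acting
	CooldownSamples int     // samples to ignore after an action, so the pool does not flap
	MinInstances    int
	MaxInstances    int
}

// Autoscaler carries the state the policy needs between samples.
type Autoscaler struct {
	Policy     Policy
	Instances  int
	breachUp   int
	breachDown int
	cooldown   int
}

// Observe feeds one sample of total demand (in units of work one instance can
// serve per interval) and returns the instance count after the policy is applied.
func (a *Autoscaler) Observe(demand float64) int {
	p := a.Policy
	if a.cooldown > 0 { // recently resized: let the new pool settle first
		a.cooldown--
		return a.Instances
	}
	util := demand / float64(a.Instances)
	switch {
	case util > p.ScaleUpAbove:
		a.breachUp++
		a.breachDown = 0
	case util < p.ScaleDownBelow:
		a.breachDown++
		a.breachUp = 0
	default: // inside the band: a transient spike or dip is forgotten
		a.breachUp, a.breachDown = 0, 0
	}
	if a.breachUp < p.SustainSamples && a.breachDown < p.SustainSamples {
		return a.Instances
	}
	// Resize so that utilisation lands in the middle of the band, then clamp.
	target := (p.ScaleUpAbove + p.ScaleDownBelow) / 2
	want := clamp(int(math.Ceil(demand/target)), p.MinInstances, p.MaxInstances)
	if want != a.Instances {
		a.Instances = want
		a.cooldown = p.CooldownSamples
	}
	a.breachUp, a.breachDown = 0, 0
	return a.Instances
}

func clamp(v, lo, hi int) int {
	if v < lo {
		return lo
	}
	if v > hi {
		return hi
	}
	return v
}

// Simulate runs the policy over a demand series and returns the instance
// count after each sample. At least one instance is always kept so that
// utilisation is defined.
func Simulate(p Policy, start int, demands []float64) []int {
	if p.MinInstances < 1 {
		p.MinInstances = 1
	}
	a := &Autoscaler{Policy: p, Instances: clamp(start, p.MinInstances, p.MaxInstances)}
	history := make([]int, 0, len(demands))
	for _, d := range demands {
		history = append(history, a.Observe(d))
	}
	return history
}

func main() {
	p := Policy{ScaleUpAbove: 0.8, ScaleDownBelow: 0.3, SustainSamples: 2,
		CooldownSamples: 1, MinInstances: 1, MaxInstances: 10}
	// Constructed demand series: steady load, a sustained surge, then a sustained drop.
	fmt.Println(Simulate(p, 2, []float64{1, 1, 5, 5, 5, 1, 1, 1, 1}))
	// A one-sample spike is ignored because it does not last SustainSamples.
	fmt.Println(Simulate(p, 2, []float64{1, 5, 1, 1}))
}
```

Run it and the first series grows from 2 to 10 instances during the sustained surge and falls back to 2 after the sustained drop, while the single‐sample spike in the second series leaves the pool untouched. Production autoscalers usually use a longer cooldown for scaling down than for scaling up and read utilisation from a metrics service rather than from a demand figure passed in directly, but the hysteresis and clamping shown here are the core of any threshold policy.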
Interoperability: Most cloud service providers use their own proprietary APIs and data
import/export formats, which makes it difficult for a user to shift or distribute workloads
across different clouds.
Hidden Costs: There are hidden costs in using cloud services. For example, companies
could incur higher network charges from their service providers for storage and database
applications, which may outweigh what they save on infrastructure, training, or licensing
new software. Additionally, companies that are far from the location of the cloud provider
would experience latency, particularly when traffic is heavy.
Unexpected Behaviors: A system or service that works well within a company’s own
network may show variations or issues in the cloud environment. Testing must be done in the
cloud environment to ensure that there are no variations and that instances are created
depending on the demand of an application or a resource.
Security Issues: Security is a big issue in cloud computing. Consumers should test the
provider’s security commitments, for example by trying to recover their data through the
vendor. If it takes more than the committed time, check why, and how much service credit will
be given in different scenarios.
Software Development in the Cloud: It is not feasible, in terms of cost or availability of
resources, to develop high‐end software in the cloud. It is more feasible to create internal
cloud server pools at the corporate centre and extend resources temporarily for testing
purposes.
‘Goals of Cloud Computing’
• To create a highly efficient IT ecosystem, where resources are pooled together and costs
are aligned with what resources are actually used;
• To access services and data from anywhere at any time;
• Flexibility and scalability depending on the needs of an organization;
• To consolidate IT infrastructure into a more integrated and manageable environment;
• To reduce costs related to IT energy/ power consumption;
• To enable rapid provisioning of resources as needed.
‘Cloud Computing Architecture’
Key points to Remember
• a cloud computing architecture consists of a front end and a back end connected
through internet.
• Front end is the side, the computer users see and back end is where the facilities are
supported.
Front end: it comprises of the clients’ computing device and the applications needed for
accessing the system.
Back end: in cloud computing, back end is the cloud itself which stores all the facilitating
services like databases, servers, etc. Groups of these clouds make up a whole cloud computing
system.
A central server is used to administer the whole system. It also monitors clients’ demands
and traffic to ensure smooth functioning of the system. The server follows a set of rules called
protocols, and ‘middleware’ – a type of software – allows the connected computers to
communicate and interact with one another. The cloud computing system must keep a
redundant backup copy of all its clients’ data.
‘Cloud Computing Environment’
Public Clouds: (Also called provider clouds)
To be used by general public. Key features are:
• Used by individuals, corporations and other organizations
• These clouds are administered by third party vendors over internet
• Services are offered on pay‐per‐use basis.
Advantages:
• It allows development, deployment and management of enterprise solutions at
affordable costs
• It allows the organizations to deliver highly scalable and reliable applications rapidly.
Limitations:
Security Assurance is its biggest problem since one cloud is being shared by several people or
organizations.
Private Clouds: (Also called Internal Clouds)
To be used for the benefit of only one organization. Key features:
• Built by company’s IT department for internal use
• Optimize resource utilization within the enterprise
Advantages:
• Improved average server utilization: uses low‐cost servers and hardware while providing
higher efficiencies; thus, reduces the cost
• High level automation leads to reduced operational costs and administrative overheads.
Limitations:
IT teams may have to invest in buying, building and managing the clouds independently.
Hybrid Clouds
As the name suggests, it’s a combination of both with at least one of each. It consists of
infrastructure, platforms, and applications. To enable this, a public cloud vendor must get into a
strategic alliance with a private cloud vendor or vice versa.
‘Cloud Computing Models’
Infrastructure as a Service (IaaS)
• Provides computers, often virtual machines, and other resources as a service.
• Includes the storage required to host the services.
• The client acts as the system administrator and manages the hardware/ storage, network
and computing resources allotted to it.
• Deployment requires the client to install operating system images and its own
applications on the cloud infrastructure.
• Examples: Google Compute Engine, HP Cloud
Platform as a Service (PaaS)
• Computing environment including: operating system, programming language execution
environment, database, and web server.
• Application developers can develop and run their software solutions without incurring
the extra cost of buying their own hardware/ software
• Software/ applications can be made on other’s database.
• All the development tools are provided.
• Examples: Cloud Foundry, Heroku, EngineYard.
Software as a Service (SaaS)
• Large variety of applications is provided to the user over internet hosted on service
providers’ infrastructure.
• Example: Google docs
Network as a Service (NaaS)
• Network or transport connecting services are provided.
• Optimizes the resource allocation by considering network and computing resources as a
whole.
• Example: Virtual Private Network (VPN)
Communication as a Service (CaaS)
Evolved on the same lines as SaaS.
• All hardware and software requirements are provided for
• Services are guaranteed for Quality of Services (QoS)
• Businesses can select communication devices and modes on a pay‐as‐you‐go basis.
• It eliminates large capital outlays.
• Examples: Voice over IP (VoIP), Instant Messaging (IM), Collaboration and
Videoconferencing application using fixed and mobile services
Characteristics of Cloud Computing
High Scalability: Since the audience served per cloud is large; hence, scalability
Agility: Everything a client requires is available in a cloud; hence agile
Multi‐sharing: Thousands of people share common resources in a cloud, hence making it
cost efficient.
Services in Pay‐Per‐Use Mode: SLAs (Service Level Agreements) clearly define the pay‐as‐
you‐go model for the payment of services used.
Virtualization: Servers and storage devices are increasingly shared using virtualization.
Performance: It is monitored and consistent. The architecture is loosely coupled, using web
services as the system interface.
Maintenance: The cloud computing applications are easier to maintain as they are not
placed on individual client’s computer.
Advantages of Cloud Computing
• Cost Efficiency
• Almost Unlimited Storage
• Backup and Recovery
• Automatic Software Integration
• Easy Access to Information
• Quick Deployment
Challenges of Cloud Computing
• Confidentiality: Data must be encrypted on the client side, with keys held by the
customer, before it is uploaded, because the cloud infrastructure is shared and is operated by
a third party.
• Integrity: A cryptographic hash function (or, better, a keyed MAC or authenticated
encryption) must be used so that any modification of data after upload is detectable. The
digest or key must be kept where the provider cannot alter it: a plain hash stored beside the
data in the same cloud can simply be recomputed by whoever changes the data.
• Availability: Backup data, while it is kept in the cloud, must also be maintained and
preserved separately as a part of BCP and DRP.
• Governance: Because the customer lacks control over the provider’s employees and
services, problems arise in design, implementation, testing and deployment. So a strong
governance model is needed to control the 3Ps.
• Trust: Clients have not been able to trust clouds completely because issues like security
and privacy are not transparent.
• Legal Issues and Compliance: There are several legal issues for which strong
internal control measures on part of service providers must be adopted:
o The location of the cloud is not known, so the user has no information about
where the data actually resides.
o Whether the data or the records are secure with respect to their CIA.
• Privacy: As discussed already, cloud computing poses a major risk related to
privacy.
• Audit: Auditing is definitely required, but it is time consuming and expensive,
both of which work against the cost and speed benefits that are the basic purpose of cloud
computing.
• Data Stealing: Backup policies such as Continuous Data Protection (CDP) should be
implemented in order to avoid issues with data recovery in case of a sudden attack.
• Architecture: Security measures must be built within the Architectural Design
• Identity Management and Access Control: Identity as a Service must also be
introduced in the cloud computing environment to provide identity management and
access control, because the identity systems prevalent in organizations may not extend to
the cloud; organizations therefore refrain from shifting to it.
• Incident Response: It should ensure to meet the organization’s requirement during an
incident.
• Software Isolation: Software development must be isolated from the main business
perspective.
• Application Security: Complete access to the server, with all rights, for the purpose of
monitoring and maintaining it should rest with the service provider, and infected
applications need to be monitored. In practice this is often not possible because most service
providers themselves lease server space from the owners of the hardware.
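Client‐side encryption that also gives integrity, as an added example for the Confidentiality and Integrity challenges above. The Go program below was written for these notes and is not code from the ICAI module or from any cloud provider; the object name, the sample record and the assumption that the key lives in a customer‐controlled KMS or HSM are all illustrative. It uses AES‐256‐GCM from Go’s standard library: the authentication tag produced at upload time is verified before any plaintext is released at download time, so an object that the provider (or an attacker with access to the storage bucket) has modified, truncated or renamed is rejected. The unkeyed digest the notes mention is included for contrast.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Object is what actually leaves the client: a random nonce and the
// ciphertext with its 16-byte GCM authentication tag. The key stays with the
// client (assumption: in a KMS or HSM it controls, never with the provider).
type Object struct {
	Name       string // storage path; bound into the tag as associated data
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before upload. Because the object
// name is authenticated too, a blob copied under a different name is rejected.
func Seal(key []byte, name string, plaintext []byte) (Object, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Object{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes; fresh for every object
	if _, err := rand.Read(nonce); err != nil {
		return Object{}, err
	}
	return Object{Name: name, Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Open decrypts after download. GCM verifies the tag before releasing any
// plaintext, so a flipped byte, a truncated blob, a wrong key or a renamed
// object all fail here: integrity is checked together with confidentiality.
func Open(key []byte, obj Object) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("integrity check failed: object modified, renamed or wrong key")
	}
	return pt, nil
}

// PlainDigest is the weaker control of "just hash it": an unkeyed SHA-256.
// It catches accidental corruption, but anyone who can rewrite the data can
// rewrite the digest too, so it only helps if the digest is stored where the
// provider cannot reach it (or is replaced by a keyed MAC / AEAD as above).
func PlainDigest(data []byte) [32]byte { return sha256.Sum256(data) }

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("policy=LIC-0001;premium=12000") // constructed sample record
	obj, err := Seal(key, "ledger/2024/q1.dat", record)
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, obj); err == nil {
		fmt.Printf("round trip ok: %s\n", pt)
	}
	// Simulated tampering on the provider side: flip one byte of ciphertext.
	obj.Ciphertext[0] ^= 0x01
	if _, err := Open(key, obj); err != nil {
		fmt.Println("download rejected:", err)
	}
	fmt.Printf("plain SHA-256 of record: %x\n", PlainDigest(record))
}
```

Generate the key per tenant from a KMS or HSM and never store it alongside the data; a random 12‐byte nonce per object is safe for one key up to roughly 2^32 objects, after which the key should be rotated. Keep the object name stable once written, because it is bound into the tag and a rename will make the object unreadable until the name is restored.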
‘Mobile Computing’
It refers to the transmission of data via computer without any physical link to a fixed
connection, that is, through a wireless platform. Mobile computing has solved the biggest
problem of business people: mobility. Key Features:
• Full range of corporate services and information from anywhere at any time
• Improves productivity of the mobile workforce by connecting them to corporate
information systems
• Automates the paper‐based processes
Benefits of Mobile Computing
• Remote access to required and authorized information
• Enables mobiles sales personnel to update work order status
• Facilitates access to corporate services and information at any time, from anywhere
• Provides remote access to the corporate knowledgebase at the job location
• Enhances information quality, flow and ability to control a mobile workforce; hence
improved management
‘BYOD – Bring Your Own Device’
It refers to business policy which allows the employees to use their preferred computing device
like, laptops, smart phones etc., for business purposes. All they have to do is to connect to the
corporate network of communication, applications, knowledgebase and database. This has
made work place a highly flexible environment and has encouraged the employees to work
even beyond the regular office hours. Because of this employee satisfaction has increased,
while an organization’s costs have gone down as the employees are happy to invest in updating
and maintaining a device on which organization incurred only one time fixed cost.
BYOD Threats
Network Risks: Normally exemplified by, and hidden in, ‘Lack of Device Visibility’. It is not
possible for the IT team to keep track of all the devices connected to the corporate network,
which poses a big threat to the network. It also causes maintenance problems: if a virus hits
the network, all the devices have to be scanned and cleaned, yet there may still be devices
the IT department does not know about, which carry the virus and keep it alive.
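One practical answer to ‘lack of device visibility’ is to reconcile what the network actually sees against the IT department’s device register. The Go program below is an added example written for these notes, not code from the ICAI module or from any product; the log lines are constructed in the style of ISC dhcpd syslog output and the register entries are invented. It parses DHCPACK lines, normalises MAC addresses so that register and log entries compare equal, and lists every device that obtained an address but is not registered.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Lease is one DHCP acknowledgement seen on the corporate network.
type Lease struct {
	IP, MAC, Host string
}

// ackRe matches DHCPACK lines in the syslog format written by ISC dhcpd
// (assumption; other DHCP servers log differently and need another pattern).
var ackRe = regexp.MustCompile(`DHCPACK on (\S+) to ([0-9A-Fa-f:\-]{17}) \(([^)]*)\)`)

// SampleLog is constructed for the example; it is not a real capture.
const SampleLog = `Mar  4 09:12:33 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 3c:22:fb:aa:10:01 (vg-laptop) via eth0
Mar  4 09:13:02 dhcp1 dhcpd: DHCPDISCOVER from 80:e6:50:12:34:56 via eth0
Mar  4 09:13:03 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 80:E6:50:12:34:56 (android-7f3a) via eth0
Mar  4 09:20:41 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 3c:22:fb:aa:10:01 (vg-laptop) via eth0
Mar  4 09:31:09 dhcp1 dhcpd: DHCPACK on 10.0.5.90 to a4-83-e7-00-11-22 (iPhone) via eth0`

// SampleRegister is the IT department's device register (constructed):
// MAC address -> owner/enrolment note. Keys may use any case or separator.
var SampleRegister = map[string]string{
	"3c:22:fb:aa:10:01": "V. Gupta, corporate laptop",
	"A4-83-E7-00-11-22": "R. Sharma, BYOD phone enrolled in MDM",
}

// NormalizeMAC lower-cases and uses ':' so that register and log entries compare equal.
func NormalizeMAC(mac string) string {
	return strings.ToLower(strings.ReplaceAll(mac, "-", ":"))
}

// ParseLeases extracts leases from log text; lines that are not DHCPACKs are skipped.
func ParseLeases(log string) []Lease {
	var out []Lease
	for _, line := range strings.Split(log, "\n") {
		if m := ackRe.FindStringSubmatch(line); m != nil {
			out = append(out, Lease{IP: m[1], MAC: NormalizeMAC(m[2]), Host: m[3]})
		}
	}
	return out
}

// Unregistered returns the devices that obtained an address but are absent from
// the register: the "devices IT does not know about". Each MAC is reported once,
// with the first lease seen, sorted by MAC for stable output.
func Unregistered(leases []Lease, register map[string]string) []Lease {
	known := make(map[string]bool, len(register))
	for mac := range register {
		known[NormalizeMAC(mac)] = true
	}
	seen := map[string]bool{}
	var out []Lease
	for _, l := range leases {
		if known[l.MAC] || seen[l.MAC] {
			continue
		}
		seen[l.MAC] = true
		out = append(out, l)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].MAC < out[j].MAC })
	return out
}

func main() {
	leases := ParseLeases(SampleLog)
	fmt.Printf("%d leases parsed\n", len(leases))
	for _, l := range Unregistered(leases, SampleRegister) {
		fmt.Printf("UNREGISTERED %s  ip=%s  host=%q\n", l.MAC, l.IP, l.Host)
	}
}
```

Run it and the corporate laptop and the enrolled phone are accepted while the unregistered Android device at 10.0.5.77 is reported once, even though DHCP logs repeat. Feed it the real dhcpd log and the MDM export instead of the constructed data; because MAC addresses can be spoofed and modern phones randomise them per network, treat the report as a starting point for 802.1X or NAC enforcement rather than as proof that no unknown device is present.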
Device Risks: It is normally exemplified and hidden in ‘Loss of Devices’. A loss of device
can pose enormous threat to the CIA of important financial and operation data.
Application Risks: It is normally exemplified and hidden in ‘Application Virus and Malware’.
Most of the employee devices are not secured by security software whereas mobile attacks
have only increased over a period of time. Organizations are not clear about – Who is
responsible for the device security – Organization or the user?
Implementation Risks: It is normally exemplified and hidden in ‘Weak BYOD Policy’. A
weak policy which does not concentrate upon key technical or the implementation issues
would result in failed communication to employees and will further lead to misuse of devices. A
weak policy also fails to educate users about security risks; hence enhancing the vulnerabilities.
‘Social Media and Web 2.0’
Social Media
Logical networks are difficult to manage because of virtualization. They cannot be as planned
and controlled as physical computer networks. This problem increases further with social
media because of its highly intelligent network components – human beings. Various networks
are available depending on the kind of people who wish to network within their own kind,
whether by profession, knowledge, or choice of entertainment.
A social network may be defined as a group of individuals who have a common set of interests
and objectives. There are a set of network formulators followed by a broadcast to achieve the
network membership. After a minimum number is met, the network starts its basic operations
and goes out to achieve its goals. Success is largely dependent on the contribution, interest and
motivation of its members along with technology or platform support that make the
communication and sharing easier.
Web 2.0 has been the biggest contributor towards developing technology and platforms
facilitating such networks.
Web 2.0
Web 2.0 stands to represent second generation of World Wide Web which focuses on enabling
people to collaborate and share information online. Technically, it is about shifting from static
HTML to dynamic HTML. The main agenda of Web 2.0 is to connect people in numerous ways
and utilize their collective strengths, in a collaborative manner. Many new concepts have been
introduced such as Blogging, Social networking, Communities, and Tagging.
Components of Web 2.0
Communities: online space formed by a group of individuals to share their thoughts, ideas and
have a variety of tools to promote social networking. Very cost efficient as well!
Blogging: Blogs are a means to express one’s thoughts freely with like minded people.
Wikis: A wiki is a set of co‐related pages on a particular subject that allows users to share
content. Wikis replace complex document management systems and are very easy to create and
maintain.
256 | P a g e
Folksonomy: Users can tag their content online and this enables others to easily find, view or
share the content.
File Sharing/ Podcasting: facility to users to send their media files online for other people
on the network to see and contribute.
Mashups: Facility using which people on internet can congregate services from multiple
vendors to create a completely new service.
Types and Behavior of Social Networks
• Social Contact Networks: Facebook, Twitter
• Study Circles: These also include blogging and file sharing.
• Social networks for specialist groups: LinkedIn
• Network for Fine arts
• Police and Military Networks: The only difference here is that they operate on a private
domain due to inherent confidentiality needs
• Sporting Networks
• Mixed Networks
• Social Network for Inventors
• Shopping and Utility Service Networks: Billjunction
Life Cycle of Social Networks
Impact of Social Networks
• Helped doctors
• Helped NGOs
Future Scope of Web 2.0 in Social Networks
• Proper education must be imparted to use them online and effectively.
• Areas like space exploration, scientific experimentation, etc. must also be focused on.
Benefits and Challenges for Social Networks using Web 2.0
Benefits
• Easily accessible and implementable technology
• Low cost
• Less time consuming
• Easy and affordable entry and exit
• Global networks have enhanced knowledge sharing
Challenges
• Data security
• Data privacy
• Privacy and security of individual users
• A majority of people are still in offline networks. Bringing them online will need a lot of
advertising and education which itself is costly.
‘Green IT’
Green IT refers to the study and practice of establishing/ using computers and IT resources in a
more efficient, environmentally friendly and responsible way. Computers consume a lot of
natural resources: raw material to manufacture them, power to run them, and there is the problem of
disposing of them at the end of their life cycle. Green computing includes:
• Implementing energy efficient CPU, servers and peripherals
• Proper disposal of e‐waste
Energy Star was conceived by Environmental Protection Agency (EPA), America, in 1992 to
promote energy efficiency in hardware of all kinds.
Steps that users may take to participate are:
• Switch off the power when computer is not in use
• Try to finish most of the tasks in one go and leave the computer switched off at other times.
• Use LCD monitors instead of CRTs
• Use laptops instead of desktops
• Use power management features
• Minimize use of paper and properly recycle waste paper.
• Disposal of e‐waste according to central, state and local regulations
• Employ alternate energy sources
Green IT Best Practices
• Involve stakeholders on campus to yield policies
• Partnering ensures effective and widespread dissemination of the message
• Establishment of guidelines
• Ongoing communication and education
Case Study 1
Mr. Kapdewaala is the director of a retail chain called 'Khaana Khazaana Pvt. Ltd'. Each time he plans to
start a new outlet, he needs to do several marketing‐related analyses like product mix, product pricing,
market basket, consumer preference, etc., which require the help of a well‐known market expert ‐ Mr.
Bazaaru Nakhreela. Since Mr. Nakhreela is a very busy man who handles several clients simultaneously,
he is not available all the time and sometimes does not give preference to Mr. Kapdewaala's
requirements.
Mr. Kapdewaala is quite irritated because of the delays caused by such dependency. He called you ‐ the
IT consultant ‐ yesterday to ask for a permanent solution to his problem. Being an IT/IS consultant, is
there a solution to this problem that you can suggest to him?
If there is a solution, kindly explain in detail how this solution will help him. Also mention the key
points to remember while acquiring or developing this solution.
Case Study 2
Cotton Empire Pvt. Ltd. is a 30‐year‐old casual garments manufacturing company. Though it is a board‐
driven company, it has not kept up with technological changes. You are a new‐age strategist who has
recently been hired by them to take their company to a global level. The first thing you suggest is to
introduce IT systems in line with global business practices. Based on the information provided above:
a) Suggest to the board the system or systems which they must implement in order to manage their
business and support their decision making.
b) The system development process has been outsourced. What analysis must the service provider
carry out to understand the development process that needs to be carried out, and who must be
appointed to carry out this analysis?
c) Your board is asking you about the risks which would be generated after IS implementation.
Your task is to create a risk management strategy. How would you strategize to control risk and
implement the strategy?
d) Your Internal auditor fixes up a meeting with you and makes you aware about the audit
evidence issues which he would be facing after IS implementation. Which different audit
techniques did he suggest to you?
e) You suddenly realize that your company is situated in an earthquake‐prone zone and you
understand that your data may be at high risk. What steps should you take to back up your data
in case of an earthquake, and how and where should such a backup be taken and restored?
f) You have to send highly confidential data to one of the board members. The board member
has warned that he will sue you in case the information gets leaked. How would you ensure that the
data reaches the receiver securely and without any tampering, and that you are also protected from
any legal repercussions within the scope of the IT Act 2008?
g) Finally, your new system is getting implemented and you want to be highly secure. What will be
your objectives behind securing the information systems?
Case Study 3
A recent lunch with the head of the trade union has confused Mr. Ramneek Lal about the future of his
business. Though his current business is performing well, the market is expected to witness a boom with
a fresh wave of new products. He is confused as to whether or not he should take the risk of venturing
out into a new product line.
a) Is there any new system that you, as an IT consultant, could suggest to him to help him decide?
b) While entering into the legal agreement with him before starting to develop the system, which
components of your analysis must become a part of your agreement?
c) He was surprised when you asked him to include an IS auditor in all your team meetings. Explain to
him how the auditor is going to help in the process and what all he or she must do in order to
achieve his or her objectives.
d) Unfortunately, the IS auditor was a friend of one of his business rivals and stole strategic
data from one of his computers to be shared with the friend, with the intention of causing severe losses to
Mr. Ramneek Lal. But before he or she could succeed in that, he or she was caught. As a lawyer, suggest
a proper legal course of action and the compensation available to Mr. Lal.
e) Mr. Ramneek Lal wants to be careful the next time and demands strong organizational controls
to be implemented. As an HR expert, suggest various organizational controls that must be implemented
within the organization.
Follow the structure given below for each problem:
1. Firstly state the problem.
2. Analyze the requirements.
3. Suggest a remedy and explain how this remedy is going to be helpful.
4. Provide a conclusion.
Practice/ Revision Question Bank
Note: These questions are meant only for practice and understanding. These are neither the
projected questions nor their expected forms, but just an attempt to make things easier to
revise in an organized format. Although I have tried to project various forms in which
questions may appear, these are neither exclusive, exhaustive, nor conclusive.
Since the November 2014 attempt flags the applicability of the new syllabus and possibly, as
rumored, adoption of a new style of question paper, the exact form of questions to
appear in the examination may (read: will) be different.
Chapter 1 – Governance, Risk and Compliance
Q1. What is governance? How can effective corporate governance be established in an
organization? What are its benefits?
Answer: Definition of governance. Write about corporate and business governance. BUD
CLOSER
Q2. What is Corporate Governance? What are the benefits of corporate governance?
Answer: Definition (4 points). BUD CLOSER
Q3. How would you determine the status of IT governance in an organization and what
benefits an organization may draw from effective IT governance?
Answer: Definition of IT governance. Status of IT governance (6 steps). Operation
benefits – CACTUS MOVE
Q4. How would you implement an effective GEIT strategy?
Answer: Write about GEIT. Mention its requirements (3Ps Framework and
responsibilities). Write 8 characteristics of strong GEIT. Then comes EDM.
Q5. If you are the CEO of a company, why and how would you like to establish internal
controls over financial reporting of your company?
Answer: Why: because it is your responsibility – criminal as well as personal liability.
Records, transactions and assets. 4 Statements
Q6. Suggest the steps to implement internal controls as a part of Enterprise Risk
Management Strategy.
Answer: Define Enterprise Risk Management as per COSO. Environment/ Assessment/
Control/ Monitor/ Information and Communication
Q7. Create an IT steering committee in your organization and document its important
functions.
Answer: General explanation of IT steering committee with its main constituents. Its
functions: Strategy/ Approval/ Review/ Operations/ Reporting
Q8. Company ABC hires you as a strategist to create an IT strategy for them. As a consultant
working with the IT steering committee, outline the entire IT strategic plan broadly.
Answer: Enterprise Strategic Plan/ IS Strategic Plan/ IS Requirements Plan/ IS Applications
and Facilities plan
Q9. Why should IT strategy be aligned with Enterprise Strategy? What benefits does an
organization derive from such alignment? How would you carry out such alignment? How can
you periodically evaluate the value derived from such alignment?
Answer: Explain Strategic Alignment of IT and business strategy as given in notes followed
by UADCDC. Finally, EDM with parameters of success.
Q10. As an auditor, evaluate the risks which an organization faces as a part of its IT
deployment. Suggest a strong Risk Management Strategy implementation and its regular
evaluation at the management level.
Answer: Begin the answer by defining Risk, Asset, Vulnerability, Countermeasure, CIA,
Likelihood, Threat and Exposure. Suggest the sources of risk due to IT – WIDECUE. Create EDM
system for the management. Suggest 5T’s to manage different kinds of risks. Talk about ‘CA‐
MAD‐R’. Finally, establish PNPF.
Q11. Why is COBIT 5 called COBIT 5? Discuss. (Another form – Discuss the 5 principles of
COBIT)
Answer: Because it is based on 5 principles. Explain them all. But begin your answer with
4 points as mentioned in your notes about COBIT 5.
Q12. How does COBIT 5 meet stakeholders’ needs?
Answer: Explain Principle 1.
Q13. Why is COBIT 5 a holistic approach towards an effective GEIT?
Answer: Explain Principle 4. Discuss 7 enablers.
Q14. Discuss the 7 enablers of COBIT 5. How do they provide a holistic approach to GEIT?
Answer: Do as the question says – discuss 7 enablers.
Q15. “COBIT 5 establishes a process based systematic approach for the leadership to
strategize the IT processes and services implementation in an organization.” Comment
Answer: Discuss Principle 5.
Q16. COBIT 5 provides the best global practices for GRC. Elaborate.
Answer: Write why COBIT 5 is the best practice. Because of the principles, 3Ps and by
being globally auditable. Also write the ways to measure its success – Improve and Reduce
Q17. Questions may come on Evaluation of IT governance as per IIA or Evaluation or
assessment of Internal controls by auditors.
Chapter 2 – Information Systems
Q1. Create an information model for your organization.
Answer: Input – Processing – Output. Write about subsystems and how they work.
Q2. What are the different Operations Support Systems which you can suggest to your
management and what purpose would they serve?
Answer: Write about TPS, PCS and ECS. Benefits of Operation Support Systems. (Time,
Cost, Accuracy, Collaboration, Automation etc., Decision Making Ability)
Q3. Why do you need a Transaction Processing System for your organization?
Answer: Write all that you can about TPS.
Q4. “Management Support Systems help the management in meeting enterprise’s
objectives through efficient decision making”. Please elucidate.
Answer: Write about management support systems. Explain – MIS, DSS and EIS with their
salient features and the broad spectrum of services which they provide.
Q5. Explain 6 characteristics of an effective MIS/ Which factors would you focus on to create
an effective MIS/ What are the prerequisites of an effective MIS/ Which issues you must
address before creating an effective MIS?
Answer: Just remember – As per requirement/ planning/ design/ mode.
Q6. Your MIS development team is facing difficulties in creating MIS for your company. Help
them to solve the difficulties.
Answer: Difficulties in MIS implementation. Also suggest how to solve them.
Q7. What DSS can do that MIS cannot?
Answer: Limitations of MIS in comparison with DSS.
Q8. Your management wants you to develop a system which helps managers in efficient
decision making. Your job is to suggest and explain it for their support.
Answer: Write about DSS and its tools.
Q9. What goals are achieved through DSS implementation which cannot be achieved
through MIS?
Answer: Differences between DSS and MIS.
Q10. The CEO of your company recently got some new business information from his golf
partner. He wishes to explore the new business opportunity. Which system would you
recommend to him to ensure efficient decision making, and why?
Answer: Executive Information System because it works in uncertain environment.
Q11. How does an EIS work differently from a traditional information system?
Answer: EIS vs. MIS
Q12. What are the different office automation systems and how do they help in better
functioning of an organization?
Q13. My director was furious as the HR expert he hired once again postponed the meeting
scheduled to discuss key HR policies and planning. He is feeling choked because of the
dependency on this guy. What should I suggest to him to get rid of such frustration forever?
Answer: Expert Systems and its features.
Q14. What are the different kinds of Information systems an organization may have for
efficient functioning, betterment and expansion of the business?
Answer: SMOKE
Q15. What is information and how would you assess the quality of information?
Answer: Processed data is information. FAVOUR Q MART and VALUE
Q16. “Information is the key to success for any organization.” Explain how.
Answer: Operational – Tactical – Strategic
Chapter 3 – Protection of Information Systems
Q1. What are the objectives of Information Security, and how does an information security policy
ensure that such objectives are met? Why does this policy usually fail?
Answer: Risks due to IT – WIDECUE. PDC the CIA of SOF. Must include Management,
technical and legal experts. Should focus on CLIPS. Lack of Management understanding about
their importance.
Q2. What are the main objectives behind implementing controls over the IS systems?
Answer: Preventive/ Detective/ Corrective/ Compensatory
Q3. Which different controls would you like to implement across the organization structure?
Answer: Organization controls – Special discussion on Segregation of Duties
Q4. How would you ensure that the chances of collusion to harm the security
of Information Systems in your organization are reduced?
Answer: Segregation of Duties
Q5. List and explain some of the available financial control techniques.
Q6. What should be the scope of user controls in an organization? How do you ensure their
effective audit?
Answer: refer to Page 100 in notes.
Q7. Discuss the different Boundary Control techniques available to the management team.
Answer: Identification/ Authentication/ Authorization – Cryptography, passwords, PIN, Id
Cards, Biometric Devices
Q8. How would you ensure that data in TPS is controlled and error‐free?
Answer: Input/ Processing/ Output/ Database Controls
Q9. Suggest your management the techniques to control your organization’s IS database.
Answer: Update Controls and Report Controls
Q10. As an IS security specialist, classify the data of your client as per its impact on business
and anticipate all the questions that the IS auditor would probably ask.
Answer: To PDC the data against various attacks as given in notes that can cause harm to
its CIA. 5 types of data according to their importance and confidentiality level. IS auditor’s check
points as covered in notes.
Q11. As an IS security specialist, you are supposed to report to the client about the various
ways in which an outsider can gain access to or control over the data and the information systems. You
are, additionally, required to list all kinds of attacks for which the client’s management must be
prepared. Also validate the reason to control such attacks.
Answer: Logical Access Controls through Operator Console, Dial‐up Ports and Telecom
Network. Synchronous attacks and asynchronous attacks. Damages due to cyber crimes.
Q12. Suggest your management the various authorization techniques available for all the
employees.
Answer: Ticket Oriented – List Oriented
Q13. How would you ensure that no unauthorized person should be able to enter your
organization?
Answer: Physical Access – Locks, Cards, Logging etc.
Q14. Enumerate the various environmental controls which are required to keep the
organization’s IPF secure.
Answer: Fire/ Power/ Water and Dust
Q15. What are the probable losses to which my business is exposed because of being run using IT and
connected through the internet?
Answer: Pure/ Cyber enabled….Phishing, scanning, virus, spam etc…Financial, reputation,
legal, confidential information
Q16. Our HR policy says that “different sets of people must be hired to do the jobs of
accounting and reconciliation, and the same rule must apply to other departments as well”. Which
rule is this policy talking about, and how can it be applied to other departments?
Answer: Segregation of duties
Q17. My telesales department sells different items to over 200 customers on a daily basis.
Some of the items are sold on a fixed discount basis, however, the discount rate changes each
quarter. How would I ensure that the records are updated regularly and reports are generated
correctly?
Answer: Database controls
Chapter 4 – Business Continuity Planning
Q1. What is Business Continuity Management and what are the main aspects to be covered
in a BCM policy?
Answer: BCM definition and components of BCM policy.
Q2. What are the objectives and goals of BCP and what is the methodology to create a
Business continuity plan?
Answer: Safety of people – Identification of critical business and supporting functions.
Eight phases of BCP development starting from creation of steering committee.
Q3. Business Continuity Management is a strategy that safeguards a company’s business from
complete damage in the event of a disaster. How?
Answer: Complete BCM process (yellow diagram with explanation)
Q4. BCM, like any other process, must be a formalized process in every organization.
Comment on this statement.
Answer: Through documentation: IPPC
Q6. Which two analyses are required to identify the critical business operations in an
organization and how are they conducted?
Answer: BIA and RA
Q7. A courier company has four basic operations to be carried out in order to run its
business – pickup of courier packets from agents, processing them at the sorting office, delivering
them to the local offices, and making the final delivery. There are widespread communal riots in
Delhi, Haryana, and Punjab. Create a Business Impact Analysis for their Rohtak and Noida
offices for all of their processes.
Answer: Real case study is what it is. Carry out the impact analysis.
Q8. How would you ensure that your business continuity plan works in real situation?
Answer: By Testing and Maintenance
Q9. From the data and data resources perspectives, what would you do to ensure that your
data remains safe and can be recovered easily and safely during a disaster?
Answer: Back up plans and Facilities arrangements including the contract with third party
vendor.
Q10. What aspect would you like to review to ensure that your client has a strong Data
recovery plan?
Answer: PEPS
Chapter 5 – Acquisition, Development and Implementation of Information Systems
Q1. Your client wants you to develop a process to facilitate customers’ refunds quickly to
enhance customer services. What process would you follow to achieve that?
Answer: Business Process Design
Q2. One of my clients suffered heavy losses while developing a new EIS for her
organization. What questions would you ask to help her analyze the potential reasons behind
this?
Answer: UDMT
Q3. A company, while carrying out the process of system development, believes that once it
is done, they would generate a 25% return on their investment. On whom does the
correctness of this calculation depend? What calculations must he or she have carried out? What
necessary skills must he or she have acquired in order to carry out such calculations?
Answer: Role of Accountant in SDLC
Q4. Describe basic system development process and the technical terminologies used while
carrying out the process.
Answer: System development methodology
Q5. What are the strengths or weaknesses of Waterfall/ Prototyping/ Incremental/ Spiral/
RAD/ Agile model of system development?
Answer: Strengths or weaknesses of models
Q6. What is the difference between any model and traditional system development model?
Answer: Traditional refers to Waterfall model
Q7. A client of yours wants low‐budget, high‐quality software to be developed as soon as
possible. Which development model would you like to adopt, and why? What factors do you need
to be careful about in order to ensure successful development?
Answer: Discuss Agile Model.
Q8. An organization has agreed to develop a system for automated vendor payment
processing. What do you think must have led them to reach this decision?
Answer: System Investigation
Q9. You are an internal auditor who is involved in each stage of the system development process
while developing the software in the above‐mentioned question. Please implement controls at each
stage of the process.
Answer: Implement controls
Q10. You have to submit the SRS document to the management. Which analyses are you
supposed to carry out to prepare this document and how would you carry it out?
Answer: SRA
Q11. How would you ensure that your system requirement analysis was timely, error‐free
and efficient?
Answer: CASE tools
Q12. The management of your company is about to finalize the physical design for the
software they are building. Suddenly, you intervene and stop the sign‐off. Why?
Answer: Check the physical design process.
Q13. Despite having pitfalls, I would recommend my client to conduct benchmarking test
while validating a vendor proposal. Why?
Answer: Describe Benchmark test
Q14. As a module leader, how would I ensure that the program code developed by different
teams is a quality code?
Answer: UR3EA. Program Coding standards.
Q15. The implementation of the software that I have developed for my company will happen
next month. What am I planning to do this month?
Answer: Testing
Q16. The CEO of my company is leaving for England next week, but he wants to see the
results of the developed software before he leaves. How should I work out my plan to ensure
that his orders are met?
Answer: Black box testing and Top down Integration testing.
Q17. Evaluate the software that is implemented and report your review results. Also suggest
the ways to maintain it.
Answer: Post implementation review and maintenance strategies.
Q18. What did my Internal Auditor do in the entire process of SDLC?
Answer: Role of Internal Auditor in SDLC process.
Chapter 6 – Audit of Information Systems
Q1. Why is there a need to develop Computer Aided Audit Techniques, and how can the underlying
problems be solved using CAATs?
Answer: Problems related to evidence
Q2. How would an IS auditor determine the scope of an IS audit and the resources required to
carry out the audit, and what risk assessment methodology would the IS auditor use to ensure
a comprehensive IS audit report?
Answer: Steps of Audit, Preliminary review and Types of risks
Q3. Which law makes it possible for an auditor to conduct an audit using CAATs?
Answer: IT act 2008
Q4. Discuss Snapshot/ ITF/ SCARF/ CIS technique of Audit.
Answer: Start the answer from Evidence related issues. Go on to describe the IT act 2008.
Then talk about the particular technique in question. Finally, explain the potential benefits and
disadvantages of them. (You may also expect a question separately on their benefits and
disadvantages or limitation)
Q5. How do ‘Audit Trails’ establish answerability?
Answer: Write about Audit trails.
Q6. An IS auditor has to ensure that the login into an operating system is efficiently
controlled. Which aspects must he or she check?
Answer: Login procedure/ Access token/ Access List/ Discretionary Control/ remedy from
destructive programs
Q7. How would you, as IS auditor, ensure that proper controls have been implemented from
system development and maintenance perspective?
Answer: System Development Controls and Maintenance Controls
Q8. Suggest some control mechanisms to prevent unauthorized access into your company’s
information systems through data communication channels.
Answer: Types of threats: Component failure/ Subversive threat. Controlling such risks.
Q9. Evaluate the physical and environmental controls at your client’s business site.
Answer: Risk assessment and Audit of environmental controls. Inspections and
observations during audit.
Q10. I can reasonably assure in my report that my client’s TPS is error‐free. What must I have
checked to be so sure of my report?
Answer: Input Controls – Data Coding and Validation (Field, record, file)
Q11. Hard copy of an important report went missing. It was generated by CEO and was sent
to his secretary to be further delivered to CFO office. How would you find out the perpetrator?
Answer: Output Controls
Chapter 7 – Information Technology (Amended) Act, 2008
Q1. Why was Information Technology Act, 2000 created?
Answer: Objectives of IT act, 2000
Q2. Explain Authentication of Electronic Records as per IT act, 2008.
Answer: Explain the process of hashing, digital signatures, definition of Electronic record
as per section 1(t) and authentication of electronic records as per section 3.
Q3. In a lawsuit, Mr. A alleged that Mr. B signed the contract electronically and hence will
request the court to consider it illegal. How can Mr. B prove in court that the contract is
legal and must be accepted as evidence?
Answer: Electronic Signature as per Section 3A.
Q4. Explain legal recognition of Electronic Records and Electronic Signatures as per IT act,
2008 for the purpose of governance.
Answer: Section 4/5/6
Q5. What are the conditions to be met as per IT act 2008 to assure the legal validity of an
electronic record?
Answer. Section 7
Q6. The Service Tax department on 12/01/2014 issued a new notification regarding filing of
service tax on or before the 15th of each month starting 01/01/2014, failing which it will attract a
penalty. Earlier this date was the last day of each month. The notification was posted on 12/01/2014 on
their website. They also published it in newspapers and other official gazettes, but that got delayed
and came out on 28/01/2014. Ramu kaka filed his return on 26/01/2014 and was penalized for
it. He objected to it in the court of law, stating that it was notified only on 28/01/2014; however,
the court rejected his plea. Why?
Answer: Section 8 of IT act 2008
Q7. Who has the power to prescribe the type of electronic signature? What other powers
does this body possess pertaining to electronic signatures?
Answer: Section 2008 – Central government.
Q8. Ramalingam Ramanujam Ramadhikari was angry at his former boss Murugadoss for
having him thrown out of his job without sufficient reason. He entered his office one morning
and broke his computer with a baseball bat. The management of the company sued him under
section 43 of the IT Act 2008, but simultaneously got sued by one of their clients under section 43A.
Explain why. Additionally, explain what the management of the company must do to protect
themselves from the legal implications arising from the lawsuit initiated by their client.
Answer: Section 43 and 43A. Prove that proper controls were established to protect the
data and the reasonable assurance was given to the client.
Q9. Nishigandha Dasgupta stole the formula for making a new soft drink from the laptop of
one of a competitor’s employees. She was caught. What legal action may be initiated against
her?
Answer: Section 43 again.
Q10. One of the students did not like Vaibhav Gupta’s ISCA classes and sent him abusive
messages through emails. What legal actions can Vaibhav take against that student?
Answer: Section 66A
Q11. The police commissioner of Mumbai called an engineering graduate to help him and his
department track a terrorist who was attempting blackmail by planting a bomb in the city. The boy
came and helped him achieve his goals. What action could the commissioner have taken against
the boy had the boy decided against helping him?
Answer: Section 69
Q12. Two terrorists, namely Abbas and Ali, telecast a video in which they threatened the
residents of Mumbai with a bomb attack. To prevent panic, the Chief Minister ordered all TV and
radio channels to stop their telecast. Can the Chief Minister do that? Secondly, what if the channels
did not comply with the orders?
Answer: Section 69A
Q13. Mr. Thapar, the CEO of the Thapar group of industries, was caught indulging in sexual acts
with kids. One of his employees took a video and posted it on the internet. Can the employee be
held liable for punishment?
Answer: Section 67B
Q14. ‘Parwarish’, a Delhi based NGO, organizes sex education workshops in schools and
various public places to educate people about safe sex. They use various media aids to serve
their purpose. A person filed a PIL against them. Should they be held liable?
Answer: No
Q15. Which agency has been created under section 70B of the Indian Information Technology
Act to serve as an incident response team? State its key areas of responsibility.
Answer: Indian Computer Emergency Response Team
Q16. As an auditor, suggest the management of your client to create a strong HR compliance
policy to safeguard the company and the management against legal implications covered under
IT act, 2008.
Answer: Steps to create a strong HR compliance policy.
Q17. What are the exceptions available to the intermediaries involved in IT related crimes as
per IT act 2008?
Answer: Section 79
Q18. Which quality system helps the growth of a company’s business in a global market by
assuring global clients that the company has a strong Information Security
Management System?
Answer: ISO 27001 – Plan/ Do/ Check/ Act
Q19. How can an organization optimize their IT services by employing ITIL?
Answer: Strategy/ Design/ Transition/ Operation/ Improvement
Q20. Questions on IS audit norms as prescribed by IRDA/ SEBI/ RBI.
Chapter 8 – New Emerging Technologies
Q1. What is cloud computing? What are the issues in using cloud computing?
Answer: Sharing of resources through the internet. Explain the architecture: Front end, back
end, protocol and Middleware. Types of clouds: Public, Private and Hybrid. Issues: Threshold
Policy/ Interoperability/ Hidden Costs/ Unexpected Behaviors/ Security Issues/ Software
development in cloud.
Q2. Why was there a need to develop cloud computing, and how does it compare to Grid
computing?
Answer: Mention the goals of cloud computing and differences between grid and cloud.
Q3. What are the different models of cloud computing? Or, which different services may
cloud computing offer you? Or, in how many ways may cloud computing facilitate a user?
Answer: SaaS, IaaS, PaaS (The three most important ones) and then you can write about
NaaS and CaaS.
Q4. What are the reasons for which an organization might not want to work on the cloud
computing model?
Answer: Challenges of cloud computing.
Q5. A mobile sales force can achieve higher revenue and productivity. How would you
achieve that?
Answer: Write about mobile computing.
Q6. Explain the main risk areas to be considered and controlled before you implement a BYOD
policy.
Answer: Lack of Device Visibility/ Loss of Device/ Application Virus and Malware/
Implementation Risks
Q7. What are the various components of web 2.0?
Answer: Communities/ Blogging/ Wikis/ Folksonomy/ File Sharing and Podcasting/
Mashups
Also read in your notes about Social networks and Green IT.
All The Best!
New Chapter # | Name | Topic # | Topics | New/Old | Old Chapter #
1 | Concepts of Governance and Management of Information Systems | | | |
 | | | System | Old | #1
 | | | Classification of System | Old | #1
 | | 2.3 | Types of Information System | |
 | | | TPS | Old | #1
 | | | MIS | Old | #1
 | | | DSS | Old | #1
 | | | EIS | Old | #1
 | | | Office Automation System | Old | #1
 | | 2.4 | ES | |
 | | 2.5 | Relative Importance of Information Systems from Strategic and Operational Perspectives | New |
 | | | System Development | |
 | | | Systems Development Methodology | |
 | | | System Development Life Cycle (SDLC) | Old |
 | | | Operation Manuals | |
 | | | Auditors’ Role in SDLC | |
6 | AUDITING OF INFORMATION SYSTEMS | 6.1 | Introduction | |
 | | 6.2 | Controls and Audit | Old | #3
 | | 6.3 | The IS Audit | Old | #3
 | | 6.4 | Performing IS Audit | Mostly Old | #4 and #9
 | | 6.5 | IS Audit and Audit Evidence | Mostly Old | #3 and #4
 | | 6.6 | General Controls | Some New + some Old Content | #3
 | | 6.7 | Audit and Evaluation Techniques for Physical and Environmental Controls | Some New + some Old Content | #3
 | | 6.8 | Application Controls | Some New + some Old Content | #3
 | | 6.8 | Audit of Application Security Controls | Some New + some Old Content |
 | | 8.6 | Green IT | |