Академический Документы
Профессиональный Документы
Культура Документы
Enterprise Governance
It is defined as the set of responsibilities and practices
exercised by the board and executive management with
the goal of providing strategic direction, ensuring that
objectives are achieved, ascertaining that risks are
managed appropriately and verifying that the
organizations resources are used responsibly.
Corporate Governance
Corporate Governance defined as the system by which
business operations are directed and controlled.
Corporate Governance structure specifies the
distribution of rights & responsibilities among different
participants such as Members, Board of Directors, the
controlling shareholders and other stakeholders and
spells out the rules and procedures for making decisions
on corporate affairs.
Corporate governance contribute to sustainable
economic development by enhancing performance of
companies.
Governance
Governance Dimensions
Conformance or Corporate Governance
Benefits of Governance
* Achieving enterprise objectives
* Defining and encouraging desirable behaviour in the
use of IT
* Implementing and integrating the desired business
processes
* Providing stability and overcoming the limitations of
organizational structure
* Improving customer, business and internal
relationships and satisfaction
* Enabling effective and strategically aligned decision
making for the IT Principles
Dimension:
* provides a historic view and focuses on regulatory
requirements.
* Covers corporate governance issues such as: Roles of
the chairman and CEO, Role and composition of the
board of directors, Board committees, Controls
assurance and Risk management for compliance.
* Regulatory requirements and standards generally
address this dimension with
compliance being subject to assurance and/or audit.
* monitored by the audit committee
* Sarbanes Oxley Act of US and the Clause 49 listing
requirements of SEBI are examples of providing for such
compliances from conformance perspective.
IT Governance
Key Practices
Meaning
* refers to the system in which directors of the
enterprise evaluate, direct and monitor IT management
to ensure effectiveness, accountability and compliance of
IT.
* objective is to determine and cause the desired
behaviour and results to achieve the strategic impact of
IT.
Meaning
GEIT is a sub-set of corporate governance and facilitates
implementation of a framework of IS controls within an
enterprise as relevant and encompassing all key areas.
Objectives of GEIT are to analyze and articulate the
requirements for the governance of enterprise IT, and to
put in place and maintain effective enabling structures,
principles, processes and practices, with clarity of
responsibilities and authority to achieve the enterprise's
mission, goals and objectives.
Benefits
Increased value delivered through enterprise IT;
Increased user satisfaction with IT services;
Improved agility in supporting business needs
Better cost performance of IT;
Improved management and mitigation of IT-related
business risk;
IT becoming an enabler for change rather than an
inhibitor;
Improved transparency and understanding of ITs
contribution to the business;
Improved compliance with relevant laws, regulations
and policies; and
More optimal utilization of IT resources.
Benefits
* It provides a consistent approach integrated and
aligned with the enterprise governance approach.
* It ensures that IT-related decisions are made in line
with the enterprise's strategies and objectives.
* It ensures that IT-related processes are overseen
effectively and transparently.
* It confirms compliance with legal and regulatory
requirements.
* It ensures that the governance requirements for board
members are met.
Internal Control
The SECs final rules define internal control over financial reporting as a
process designed by, or under the supervision of, the companys principal
executive and principal financial officers, or persons performing similar functions,
and effected by the companys board of directors, management and other
personnel, to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles
IT Steering Committee
Meaning
Key Functions
Depending on the size and needs of the enterprise, the senior management may
appoint a high-level committee to provide appropriate direction to IT deployment and
information systems and to ensure that the information technology deployment is in
tune with the enterprise business goals and objectives.
This committee called as the IT Steering Committee is ideally led by a member of the
Board of Directors and comprises of functional heads from all key departments of the
enterprise including the audit and IT department.
The role and responsibility of the IT Steering Committee and its members must be
documented and approved by senior management. As the members comprise of
function heads of departments, they would be responsible for taking decisions
relating to their departments as required. The IT Steering Committee provides overall
direction to deployment of IT and information systems in the enterprises.
* To ensure that long and short-range plans of the IT department are in tune with
enterprise goals and objectives;
* To establish size and scope of IT function and sets priorities within the scope;
* To review and approve major IT deployment projects in all their stages;
* To approve and monitor key projects by measuring result of IT projects in terms of
return on investment, etc.;
* To review the status of IS plans and budgets and overall IT performance;
* To review and approve standards, policies and procedures;
* To make decisions on all key aspects of IT deployment and implementation;
* To facilitate implementation of IT security within enterprise;
* To facilitate and resolve conflicts in deployment of IT and ensure availability of a
viable communication system exists between IT and its users; and
* To report to the Board of Directors on IT activities on a regular basis
IT Strategy Planning
Classification of IT strategy Planning
Meaning
IT strategic plans provide direction to deployment of
information systems and it is important that key
functionaries in the enterprise are aware and are
involved in its development and implementation.
Strategic planning refers to the planning undertaken by
top management towards meeting long-term objectives
Objectives
Enterprise Strategic
Plan,
Information Systems
Strategic Plan,
Information Systems
Requirements Plan,
Focus on striking an
optimum balance of IT
opportunities and IT
business requirements as
well as ensuring its further
accomplishment.
Some of the enablers of the
IS Strategic plan are:
Enterprise business
strategy,
Definition of how IT
supports the business
objectives,
Inventory of technological
solutions and current
infrastructure,
Monitoring the
technology markets,
Timely feasibility studies
and reality checks,
Existing systems
assessments,
Enterprise position on
risk, time-to-market,
quality, and
Need for senior
management buy-in,
support and critical review.
Meaning
Charecterstics
Risk Management
Sources of Risk
Some of the common
sources of risk are:
Commercial and Legal
Relationships,
Economic Circumstances,
Human Behaviour,
Natural Events,
Political Circumstances,
Technology and Technical
Issues,
Management Activities
and Controls, and
Individual Activities.
Information Systems
Applications and
This plan includes:
Specific application
systems to be developed
and an associated time
schedule,
Hardware and Software
acquisition/development
schedule,
Facilities required, and
Organization changes
required.
Terminate/
Eliminate
the risk
Transfer/
Share the
risk
Treat/
mitigate the
risk
In this risk
are accepted
as the impact
of some risks
are very low.
Certain risks
are
associated
with the use
of a
particular
technology,
supplier or
vendors.
These risk
can be
eliminated
by replacing
the
technology
with more
robust
products.
Risk
mitigation
approaches
can be
shared with
trading
partners and
suppliers.
A good
example is
outsourcing
infrastructur
e
management
.
Where other
options have
been
eliminated
suitable
contols must
be devised
and
implemented
to prevent
the rsk from
manifesting
itself or to
minimize its
effect.
Turn back
Where the
probability
or impact of
the risk is
very low,
management
may decide
to ignore the
risk.
*Collect Data
*Analyze Data
*Maintain a risk Profile
*Articulate Risk
*Define a Risk Management Action
Portfolio
*Respond to Risk
System
Meaning
A system is a group of inter
connected components working
towards the accomplishment of
a common goal by accepting
inputs and producing outputs in
an ordered transformation
process.
Component
*Input
*Processing
*Output
*Storage
A computer based Information system is a combination of people, IT and business processes that helps
management in taking important decisions to carry out the business successfully.
Characterstics of CBIS
All systems work for predetermined objectives.
No subsystem can function in isolation; it depends on other subsystems for its inputs.
If one subsystem or component of a system fails; in most of the cases, the whole system does not work.
However, it depends on how the subsystems are interrelated.
Different subsystems interact with each other to achieve the goal of the system.
The work done by individual subsystems is integrated to achieve the central goal of the system. The goal of
individual subsystem is of lower priority than the goal of the entire system.
Information System
Classification of System
On the Basis of
Interactive Behaviour
Closed system
does not
interact with
the
environment
and does not
change with
the changes in
environment.
System where
data collection,
maintenance
and final
reporting is
done by human
efforts.
Automated
System
System where
data
collection,
maintenance
and final
reporting is
done through
computers
and micro
processors.
Deterministic Probabilistic
System
System
It operates in
a predictable
manner
wherein the
interaction
among the
parts is known
with
certainity.
It can be
defined in
terms of
probable
behaviour but
a certain
degree of
errors is
always
attached to it.
Management Information
System(MIS)
Decision Support System(DSS)
Executive Information System(EIS)
Activity Involved
Components
* Input
* Processing
* Storage
* Output
Features
Large volume of data
Automation of basic
operations
Benefits are easily
measurable
Source of input for
other systems
Misconceptions
Management Oriented
Management Directed
Integrated
Common Data Flows
Heavy Planning Element
Sub System Concept
Common Database
Computerized
Evaluation of MIS
Limitations of MIS
Non-availability of experts
Non-availability of cooperation from staff is a crucial
problem
Problem of selecting the sub-system of MIS to be installed
and operated upon.
Approach adopted by experts for designing and
implementing MIS is a non-standardized one.
Pre-requisite
* Database
Quality of the outputs of MIS is basically governed by the quantity of input and
processes.
Not a substitute for effective management.
Not capable to quickly update itself with the changing requirement.
Cannot provide tailor-made information packages.
Ignores Non-quantitative factors.
Less useful for making non-programmed decisions.
MIS effectiveness decreases due to frequent changes in top management,
organizational structure and operational team.
Characterstics
Components of DSS
The user -- Manager and staff specialist (analyst) are the two
broad classes of users with an unstructured or semi-structured
problem to solve.
Databases DSS includes one or more databases that contain
both routine and non-routine data from both internal and external
sources.Database is implemented at three levels : Physical Level,
Logical Level, External Level.
Planning languages Two types of planning languages that are
commonly used in DSS are: General-purpose planning languages and
Special-purpose planning languages.
Model base The planning language in a DSS allows the user to
maintain a dialogue with the model base, which is the brain of DSS
because it performs data manipulations and computations with the
data provided to it by the user and the database.
Meaning
Characterstics
Document Capture
Document Creation
Receipts and Distribution
Filling, Search, Retrieval and Follow up
Calculations
Recording Utilization of Resources
Benefits
Improve communication within an
organization and between enterprises.
Reduce the cycle time between
preparation of messages and receipt of
messages.
Reduce the costs of office
communication both in time and cost of
communication links.
Ensure accuracy of information and
smooth flow of communication.
Characterstics
Benefits
Properties
(B) Knowledge Management Systems -These are knowledge based systems that support the conception, association and propagation of business knowledge within the enterprise.
(C) Functional Business Information Systems - These systems supports the operational and managerial applications of the basic enterprises of an industry.
(D) Strategic Information Systems - These systems provide an industry strategic products, services and capabilities for competitive advantage.
(E) Cross Functional Information Systems - It is also known as integrated information system that combines most of information systems and are designed to produce information
and support decision making for different levels of management and business functions.
Information
Role of Information
Business Intelligence
Business Intelligence (BI) refers to applications and technologies that are used to collect,
provide access and analyze data and information about companies operations. BI software
consists of range of tools. Some BI applications are used to analyze performance or
internal operations e.g. EIS (executive information system), business planning, finance and
budgeting tools. While others are used to store and analyze data e.g. Data mining, data
warehouses, Decision support system etc. Some BI applications are also used to analyze or
manage the human resources e.g. customer relationship and marketing tools. A complete
BI provides consistent and standard information essential in enterprise operations.
Characterstics
* Availability * Prupose/Objective
* Mode & Format * Current/Updated
* Frequency * Transperancy
* Completeness & Adequecy
* Reliability * Validity * Quality
* Value of Information.
Data Mining
Data Mining (DM) can be applied in database analysis and decision support . Other
applications of Data Mining are: text mining, web analysis, customer profiling - it
can list out what types of customers buy what products by using clustering or
classification, identifying customer requirements- it can identify the most demanding
and appropriate products for different customers, and also can list the factors that will
attract new customers by using prediction etc., provide summary information i.e. various
multidimensional summary reports and statistical summary information, finance
planning and asset evaluation cross-sectional and time series analysis, and resource
planning- it can summarize and compare the resources and spending.
Meaning
Security Objective
Issues to address
Impact of Technology
on Internal Controls
Interrelated components
Objective
Categories of Controls
Preventive Controls
Preventive controls are those inputs, which are
designed to prevent an error, omission or
malicious act occurring.
Characteristics of preventive controls are:
A clear-cut understanding about the
vulnerabilities of the asset;
Understanding probable threats; and
Provision of necessary controls for probable
threats from materializing.
Examples of preventive controls are given as
follows:
Employ qualified personnel,
Segregation of duties,
Training and retraining of staff,
Firewalls,
Anti-virus software (sometimes this acts like
a corrective control also), etc., and
Passwords.
Compensatory Controls
IS Operational Controls
IS Management Controls
SDLC Controls
Administrative Controls
Control Techniques
Organizational Management Financial
Controls
Controls
Controls
These controls are
concerned with
the decisionmaking processes
that lead to
management
authorization of
transactions.
Organizational
control
techniques
include
documentation of
Definition of
responsibilities,
authority and
objectives of each
functions,
Policies and
procedures,
Job descriptions,
and
Segregation of
duties.
Management
controls
adapted by
the
management
considering
responsibility,
IT
Organizational
Structure,IT
Steering
Committee to
ensure that
the IS
functions
correctly and
they meet the
strategic
business
objectives.
Financial
controls are
defined as the
procedures
exercised by
the system
user
personnel like
Authorization,
Budgets,
Documentatio
ns, Safe
Keeping,
Supervisory
Review.
Data
Processing
Physical
Environmental Access
Control
Control
These controls
are related to
hardware and
software and
include
procedures
exercised in the
IS environment.
This includes
on-line
transaction
systems,
database
administration,
media library,
application
program
change control,
the data
center.
These controls
are personnel;
hardware and
software
related and
include
procedures
exercised on
access to IT
resources
including offsite use of
information
devices in
conformance
with the
general
security policy
by employees/
outsiders.
Logical Access
Control
SDLC Controls BCP Controls
Logical access
controls are
implemented
to ensure that
access to
systems, data
and programs
is restricted to
authorized
users so as to
safeguard
information
against
unauthorized
use, disclosure
or
modification,
damage or
loss.
These are
functions and
activities
generally
performed
manually that
control the
development
of application
systems,
either through
in-house
design and
programming
or package
purchase.
These controls
are related to
having an
operational and
tested IT
continuity plan,
which is in line
with the overall
business
continuity plan,
and its related
business
requirements so
as to make sure
IT services are
available as
required and to
ensure a
minimum
impact on
business in the
event of a major
disruption.
Application
Control
Techniques
The objective
of application
controls is to
ensure that
data remains
complete,
accurate and
valid during its
input, update
and storage.
Any function
or activity that
works to
ensure the
processing
accuracy of
the
application
can be
considered an
application
control.
Audit Trails
Audit trails are
logs that can
be designed to
record activity
at the system,
application,
and user level.
1. Boundary Controls
The major controls of the boundary system are the access
control mechanisms. Access controls mechanism links the
authentic users to the authorized resources, they are
permitted to access. The access control mechanism has three
steps of identification, authentication and authorization with
respect to the access control policy implemented.
Major Boundary Control techniques are given as follows:
Cryptography: It deals with programs for transforming data
into cipher text that are meaningless to anyone, who does not
possess the authentication to access the respective system
resource or file. A cryptographic technique encrypts data
(clear text) into cryptograms (cipher text) and its strength
depends on the time and cost to decipher the cipher text by a
cryptanalyst. Three techniques of cryptography are
transposition (permute the order of characters within a set of
data), substitution (replace text with a key-text) and product
cipher (combination of transposition and substitution).
Passwords
Personal Identification Numbers (PIN)
Identification Cards
Biometric Devices
2. Input Controls
User Controls
3. Processing Controls 4. Output Controls
5. Database Controls
Protecting the integrity of a
database when application
software acts as an interface
to interact between the user
and the database, are called
update controls and report
controls.
The classification of
information and documents
are;
Top Secret
Highly Confidential
Proprietary
Internal Use Only
Public Documents
Data Security
Data Integrity
The primary objective of data integrity control techniques is to prevent, detect, and correct
errors in transactions as they flow through various stages of a specific date processing
program. Data Integrity controls protect data from accidental or malicious alteration or
destruction and provide assurance to the user that the information meets expectations about
its quality and integrity.
Major data integrity policies are given as under:
Virus-Signature Updating: Virus signatures must be updated automatically when they are
made available from the vendor through enabling of automatic updates.
Software Testing: All software must be tested in a suitable test environment before
installation on production systems.
Division of Environments: The division of environments into Development, Test, and
Production is required for critical systems.
Offsite Backup Storage: Backups older than one month must be sent offsite for permanent
storage.
Quarter-End and Year-End Backups: Quarter-end and year-end backups must be done
separately from the normal schedule, for accounting purposes
Disaster Recovery: A comprehensive disaster-recovery plan must be used to ensure
continuity of the corporate business in the event of an outage.
Online Terminals
Technical Exposure
Telecommunication Network
To access an online terminal, a Using a dial up port, user at
In a Telecommunication
user has to provide a valid login- one location can connect
network, a number of
ID and password. If additional remotely to another computer computer terminals, Personal
authentication mechanisms are present at an unknown
Computers etc. are linked to
added along with the
location via a
the host computer through
password, it will strengthen the telecommunication media.
network or
security.
telecommunication lines.
Whether the
telecommunication lines
could be private or public,
security is provided in the
same manner as it is applied
to online terminals.
* Financial Loss
* Legal Repercussions
* Loss of credibility
* Black Mail
* Sabotage
* Spoofing
Asynchronous Attacks
* Data Leakage
* Wire Tapping
* Piggy Backing
* Denial of Services
User Access
Management
* User Registation
* Privilege Management
* User Password
Management
* Review of User access
rights.
* Password Use
* Unattendd user
Equipment
* Policy on Use of
Network Services.
* Enforced Path
* Segregation of Network
* Network Connection
and Routing Controls
* Security of Network
Services.
* Automated Terminal
Identification
* Terminal log on Procedure
* User Identification and
Authentication
* Password Management
System
* Use of System Utilities
* Alarm to Safeguard Users.
Application and
Monitoring System
* Information Access
Restrictions
* Sensitive System
Isolation
* Event Logging
* Monitor System Use
* Clock Synchronization
Lock on Doors
Cyber Frauds
Types
Meaning
Reasons
* Theft of
Data carried
on Disk
drives.
*
Information
is to be
Encrypted.
Other Means
Mobile
Coputing
Video Cameras
Security Guards
Controlled Visitor Access
Bonded Personnel
Dead Man Doors
Nonexposure of Sensitive
Facilities
Computer Terminal Locks
Controlled Single Entry Point
Alarm System
Perimeter Fencing
Control of out of hours of
employee-employees
Secured Report/Document
Distribution Cart
Water Detectors
Hand-Held Fire Extinguishers
Manual Fire Alarms
Smoke Detectors
Fireproof Walls, Floors and Ceilings
surrounding the Computer Room
UPS/ Generator
Emergency Power-Off Switch
Prohibitions against Eating, Drinking and
Smoking within the Information Processing
Facility.
Documented and Tested Emergency
Evacuation Plans.
Cyber Attacks
Phishing
Network Scanning
Virus/Malicious Code
Spam
Website
Compromise/Malware
Propagation
E-Mail Forgery
E-Mail Threat
Scavenging
Impact
Financial Loss
Legal Repercussions
Loss of credibility or
Competitive Edge
Disclosure of Confidential,
Sensitive or Embarrassing
Information
Sabotage
Password Cracking: Intruder penetrates a systems defense, steals the file containing valid passwords,
decrypts them and then uses them to gain access to system resources such as programs, files and data.
Piggybacking: It refers to the tapping into a telecommunication line and latching on to a legitimate user
before s/he logs into the system.
Round Down: Computer rounds down all interest calculations to 2 decimal places. Remaining fraction is
placed in account controlled by perpetrator.
Scavenging or Dumpster Diving: It refers to the gaining access to confidential information by searching
corporate records.
Social Engineering Techniques: In this case, perpetrator tricks an employee into giving out the
information needed to get into the system.
Super Zapping: It refers to the unauthorized use of special system programs to bypass regular system
controls and performs illegal acts.
Trap Door: In this technique, perpetrator enters in the system using a back door that bypasses normal
system controls and perpetrates fraud.
Masquerading or Impersonation: In this case, perpetrator gains access to the system by pretending to
be an authorized user.
Business Continuity
Planning (BCP)
Business Continuity
Planning(BCP) refers to the
ability of enterprises to recover
from a disaster and continue
operations with least impact.
Business Contingency
BCP Process
BCM Manual
Meaning
A BCP manual is a documented description of actions to be
taken, resources to be used and procedures to be followed
before, during and after an event that severely disrupts all or
part of the business operations.
The BCP Manual is expected to specify the responsibilities of
the BCM team, whose mission is to establish appropriate BCP
procedures to ensure the continuity of enterprise's critical
business functions.
BCM is business-owned, business-driven process that
establishes a fit-for-purpose strategic and operational
framework.
BCM provides:
Advantages
BCM Policy
Meaning
Objective
Areas Covered
Objectives
Goals
5. Plan Development
6. Testing/Exercising Program
7. Maintenance Program
Maintenance of the plans is critical to
the success of an actual recovery. The
plans must reflect changes to the
environments that are supported by the
plans. It is critical that existing change
management processes are revised to
take recovery plan maintenance into
account. In areas, where change
management does not exist, change
management procedures will be
recommended and implemented. Many
recovery software products take this
requirement into account.
The management process enables the business continuity, capacity and capability to be
established and maintained. A BCM process should address the policy and objectives as
defined in the business continuity policy by providing organization structure with
responsibilities and authority, implementation and maintenance of business continuity
management.
Organisational Structure
The organization should
nominate a person or a team
with appropriate seniority
and authority to be
accountable for BCM policy
implementation and
maintenance.
The enterprise should have an exclusive organization structure, Incident Management Team / Crisis
management team for an effective response and recovery from disruptions. In the event of any incident, there
should be a structure to enable the enterprise to:
confirm Impact of incident (nature and extent),
control of the situation,
contain the incident,
communicate with stakeholders, and
coordinate appropriate response.
Risk Assessment
Risk assessment is assessment of the disruption
to critical activities, which are supported by
resources such as people, process, technology,
information, infrastructure supplies and
stakeholders.
Risk assessment consists an objective evaluation
of risk in which asumption and uncertainity are
clearly considered and presented. It is also the
determination of quantitative and qualitative
value of risk.
An enterprise with BCM uses training as a tool to initiate a culture of BCM in all the
stakeholders by:
Developing a BCM program more efficiently;
Providing confidence in its stakeholders (especially staff and customers) in its
ability to handle business disruptions;
Increasing its resilience over time by ensuring BCM implications are considered in
decisions at all levels; and
Minimizing the likelihood and impact of disruptions
Development of a BCM culture is supported by:
Leadership from senior personnel in the enterprise;
Assignment of responsibilities;
Awareness raising;
Skills training; and
Exercising plans.
Types of Plan
Emergency Plan
Back Up Plan
Recovery Plan
Test Plan
Types of Backup
Full Backup
A full backup captures all files on the disk or
within the folder selected for backup. With a
full backup system, every backup generation
contains every file in the backup set. However,
the amount of time and space such a backup
takes prevents it from being a realistic
proposition for backing up a large amount of
data.
Cold Site
If an organisation can tolerate some downtime,
cold-site backup might be appropriate. A cold
site has all the facilities needed to install a
mainframe system-raised floors, air
conditioning, power, communication lines, and
so on. An organisation can establish its own
cold-site facility or enter into an agreement
with another organisation to provide a cold-site
facility.
Incremental Backup
Differential Backup
Mirror back-up
A mirror backup is identical to a full
backup, with the exception that the files
are not compressed in zip files and they
cannot be protected with a password. A
mirror backup is most frequently used to
create an exact copy of the backup data.
Reciprocal Agreement
Two or more organisations might agree to provide
backup facilities to each other in the event of one
suffering a disaster. This backup option is relatively
cheap, but each participant must maintain sufficient
capacity to operate anothers critical system.
If a third-party site is to be used for backup and
recovery purposes, security administrators must ensure
that a contract is written to cover issues such as
how soon the site will be made available subsequent
to a disaster;
the number of organizations that will be allowed to
use the site concurrently in the event of a disaster;
the priority to be given to concurrent users of the site
in the event of a common disaster;
the period during which the site can be used;
the conditions under which the site can be used;
the facilities and services the site provider agrees to
make available; and
what controls will be in place and working at the offsite facility.
Steps Involved
New
Technology
Accountants Involvement
* Return on Investment
* Cost Benefit Analysis
* Skills Expected
Meaning
The waterfall approach is a
traditional development
approach in which each
phases is carried in
sequence or linear fashion.
In this traditional approach
of system development,
activities are performed in
sequence i.e an activity is
undertaken only when the
prior step is fully
completed.
Meaning
The goal of prototyping
approach is to develop a
small or pilot version called
a prototype of part or all of
a system. A prototype is a
usable system or system
component that is built
quickly and at a lesser cost.
Steps Involved
* Preliminary Investigation
* Requirement Analysis
* System Design
* System Development
* Ststem Testing
* System Implementation.
Steps Involved
Identify Information
System Requirements
Develop the Initial
Prototype
Test and Revise
Obtain User Signoff of the
Approved Prototype
4. Spiral Model
5. RAD Model
1. Waterfall Approach
Characterstics/Princples
Advantages/ Strengts
Project is divided into
sequential phases.
Emphasis is on
implementation of an entire
system at one time.
Activities are
interconnected.
Extensive use of
Documentation
Disadvantage/Weakness
2. Prototyping Approach
Advantages/ Strengths
It improves both user participation in system development and
communication among project stakeholders.
It is especially useful for resolving unclear objectives; developing
and validating user requirements.
It helps to easily identify, confusing or difficult functions and
missing functionality.
It enables to generate specifications for a production application.
It encourages innovation and flexible designs.
It provides for quick implementation of an incomplete, but
functional application.
It typically results in a better definition of these users needs and
requirements than does the traditional systems development
approach.
A very short time period is normally required to develop and
start experimenting with a prototype.
6. Agile Methodologies
Disadvantages/ Weakness
Approval process and control are not strict.
Incomplete or inadequate problem analysis may occur
whereby only the most obvious and superficial needs will be
addressed.
Requirements may frequently change significantly.
Identification of non-functional elements is difficult to
document.
Designers may prototype too quickly, without sufficient
upfront user needs analysis.
Prototype may not have sufficient checks and balances
incorporated.
Prototyping can only be successful if the system users are
willing to devote significant time in experimenting.
The interactive process of prototyping causes the prototype
to be experimented with quite extensively.
Prototyping may cause behavioral problems with system
users.
Meaning
Features
3. Incemental Approach
Advantages/ Strengths
4. Spiral Model
Advantages/ Strengths
Meaning
Features
Meaning
Rapid Application
Development (RAD) refers
to a type of software
development methodology
which uses minimal
planning in favor of rapid
prototyping. The planning
of software developed
using RAD is interleaved
with writing the software
itself.
Meaning
This is an organized set of
software development
methodologies based on the
iterative and incremental
development, where
requirements and solutions
evolve through collaboration
between self-organizing, crossfunctional teams. It promotes
adaptive planning, evolutionary
development and delivery; time
boxed iterative approach and
encourages rapid and flexible
response to change.
Disadvantages/ Weakness
When utilizing a series of mini-waterfalls for a small part of
the system before moving onto the next increment, there is
usually a lack of overall consideration of the business problem
and technical requirements for the overall system.
Each phase of an iteration is rigid and do not overlap each
other.
Problems may arise pertaining to system architecture
because not all requirements are gathered up front for the
entire software life cycle.
Since some modules will be completed much earlier than
others, well-defined interfaces are required.
It is difficult to demonstrate early success to management.
Disadvantages/ Weakness
It is challenging to determine the exact composition
of development methodologies to use for each
iteration around the Spiral.
It may prove highly customized to each project, and
thus is quite complex and limits reusability.
A skilled and experienced project manager is
required to determine how to apply it to any given
project.
No established controls exist for moving from one
cycle to another cycle. Without controls, each cycle
may generate more work for the next cycle.
There are no firm deadlines, cycles continue with no
clear termination condition leading to, inherent risk of
not meeting budget or schedule.
Features
6. Agile Methodologies
Advantages/ Strengths
Disadvantages/ Weakness
Fast speed and lower cost may affect adversely the system
quality.
The project may end up with more requirements than
needed (gold-plating).
Potential for feature creep where more and more features
are added to the system over the course of development.
It may lead to inconsistent designs within and across
systems.
It may call for violation of programming standards related
to inconsistent naming conventions and inconsistent
documentation,
It may call for lack of attention to later system
administration needs built into system.
Formal reviews and audits are more difficult to implement
than for a complete system.
Tendency for difficult problems to be pushed to the future
to demonstrate early success to management.
Since some modules will be completed much earlier than
others, welldefined interfaces are required.
Disadvantages/ Weakness
In case of some software deliverables, especially the large
ones, it is difficult to assess the efforts required at the
beginning of the software development life cycle.
There is lack of emphasis on necessary designing and
documentation.
Agile increases potential threats to business continuity and
knowledge transfer. By nature, Agile projects are extremely
light on documentation because the team focuses on verbal
communication with the customer rather than on documents
or manuals.
Agile requires more re-work and due to the lack of longterm planning and the lightweight approach to architecture,
re-work is often required on Agile projects when the various
components of the software are combined and forced to
interact.
The project can easily get taken off track if the customer
representative is not clear about the final outcome.
Agile lacks the attention to outside integration.
Meaning
Risk Associated
Preliminary Investigation
Systems Requirements Analysis
Systems Design
Determining and evaluating the strategic feasibility of the system and ensure that the solution fits the business strategy.
Systems Development
Developing the system as per the system designed in view of its adequate implementation to lead to fulfillment of requirements
to the satisfaction of all the stakeholders.
Systems Testing
Systems Implementation
Continuous evaluation of the system as it functions in the live environment and its updation / maintenance.
Operationalization of the developed system for the acceptance by management and user before migration of the system to the
live environment and data conversion from legacy system to the new system.
1. Preliminary Investigation
Steps Involved
Meaning
It aimed to determine and
analyze the strategic
benefits in implementing
the system through
valuation and
quantification of productivity gains; future
cost avoidance; cost
savings, and Intangible
benefits like improvement
in morale of employees.
Meaning
Objective
To determine stakeholders
expectations.
To detect and correct conflicts
and determine priorities.
To gather data or find facts.
To verify that the requirements
are complete, consistent,
unambiguous, verifiable etc.
To document activities such as
interview, questionnaires,
reports etc. and development of
a system (data) dictionary to
document the modeling
activities.
Feasibility Study
Others
It refers to a process of
evaluating alternative systems
through cost/benefit analysis
so that the most feasible and
desirable system can be
selected for development. It is
carried out by the system
analysts.
Evaluated under following
dimensions:
*Technical Feasibility
* Financial Feasibility
* Economic Feasibility
* Time Feasibility
* Resources Feasibility
* Operational Feasibility
* Behaviour Feasibility
* Legal Feasibility.
* Reporting To Management:
After the analyst articulates
the problem, defines the same
along with its scope, s/he
provides one or more solution
alternatives and estimates the
cost and benefits of each
alternative and reports these
results to the management.
* Internal Control Aspects: In
terms of system development,
controls need to be well in
place during the development
of system. In systems, it is not
possible to put in place
controls post development.
Fact Finding
Fact-finding
techniques/tools
are used by the
system analyst
for determining
needs/requireme
nts of
organization.
These tools are
Documents,
Questionnaires,I
nterviews,
Observations.
Analysis of
the Present
System
Detailed
investigation of
the present
system involves
collecting,
organizing and
evaluating facts
about the
system and the
environment in
which it
operates.
System
Analysis of
System
Roles
Proposed Development
Systems
Involved in
Systems
Tools
Specification SDLC of
After a
thorough
analysis of
each
functional
area of the
present
information
system, the
proposed
system
specifications
must be
clearly defined
, which are
determined
from the
desired
objectives set
forth at the
first stage of
the study.
At the end of
the analysis
phase, the
systems
analyst
prepares a
document
called Systems
Requirement
Specifications
(SRS) which
contains
Introduction,
Information
Description,
Functional
Description,
Behaviour
Description,
Appendices,
and SRS
Review.
Internal Controls
* Steering
Some of the key control
Committee
aspects at this stage may be
* Project
taken care by the following
Manager
queries:
* Project
Whether present system
Leader
analysis has been properly
* System
done?
Analyst
Whether appropriate
* Business
domain, were expert was
Analyst
engaged?
* Module
Whether all user
Leader
requirements of proposed
*Programmer/ system have been considered?
Developer
Whether SRS document has
* Database
been properly made?
Administrator
* Quality
Assurance
* Testers
* Domain
Specialist
* IS Auditor
User Interface
CASE tools which are used for typical representation, specifications and system modeling.
Structured
English
Flowcharts
Decision Tree
It is a support tool that uses a
tree-like graph or model of
decisions and their possible
consequences, including
chance event outcomes,
resource costs, and utility.
Decision Table
It is a table which may
accompany a flowchart,
defining the possible
contingencies that may be
considered within the
program and the
appropriate course of action
for each contingency.
System
Component
Matrix
CASE Tools
It highlights It refers to the
how the
automation of anything
basic
that humans do to
activities are develop systems and
accomplished support virtually phases
in an
of traditional system
information development process.
system.
Data
Dictionary
It is a computer
file that
contains
descriptive
information
about the data
items in the files
of a business
information
system.
3. System Design
Design of theDesign phase activity includes
Meaning
System Design involves first the logical
designing and then physical construction of
the system.
Architectural Design
Design phase documents/deliverables
Architectural design deals
include a blueprint for the design with the
with the organization of
necessary specifications for the hardware,
applications in terms of
software, people and data resources.
hierarchy of modules and
Objective is to design an Information System
sub-modules.
that best satisfies the users/managerial
The architectural design is
requirements.
made with the help of a tool
called Functional
Decomposition, which can
be used to represent
hierarchies.
Data /
Information
Flow
Design of
the UserDesign of the Database
interface
In designing
Design of the database
It involves
the data /
involves determining its
determining
information
scope ranging from local to the ways in
flow for the
global structure. The design which users
proposed
of the database involves
will interact
system, the
four major activities:
with a
inputs that are
system.
required are - * Conceptual Modeling
existing data / *Data Modeling
* Storage Structure Design
information
* Physical Layout Design.
flows,
problems with
the present
system, and
objective of the
new system.
System
Operating
Platform
Physical
Design
For the
physical
design, the
logical design
is transformed
into units,
which in turn
can be
decomposed
further into
implementati
on units such
as programs
and modules.
In some
cases, the
new system
requires an
operating
platform
including
hardware,
network and
system
software not
currently
available in
an
organization
.
Internal
Design
Controls
From internal
control point
of view, this
phase is also
an important
phase as all
internal
controls are
placed in
system during
this phase.
System Acquisition
Technical Specifications & Standards
Meaning
After a system is designed either partially or
fully, the next phase of the systems
development starts, which relates to the
acquisition of operating infrastructure
including hardware, software and services.
Such acquisitions are highly technical and
cannot be taken easily and for granted.
Thereby, technical specifications, standards
etc. come to rescue.
Acquisition Standards
Management should establish acquisition
standards that address the security and reliability
issues and focus on the following:
Ensuring security, reliability, and functionality.
Ensuring managers complete appropriate
vendor, contract, and licensing reviews.
Invitations-to-tender soliciting bids from
vendors.
Request-for-proposals soliciting bids
Establishing acquisition standards to ensure
functional, security, and operational
requirements to be accurately identified and
clearly detailed in request-for-proposals.
Program
Coding
Standards
The logic of the
program
outlined in the
flowcharts is
converted into
program
statements or
instructions at
this stage.
Programming
Language
Program
Debugging
Testing the
Programs
Application
programs are
coded in the form
of statements or
instructions and
the same is
converted by the
compiler to object
code for the
computer to
understand and
execute.
Debugging refers
to correcting
programming
language syntax
and diagnostic
errors so that the
program
compiles cleanly.
A careful and
thorough testing
of each program
including testing
of all the
possible
exceptions is
imperative to
the successful
installation of
any system.
Program
Documentat
ion
The writing of
narrative
procedures
and
instructions
for people,
who will use
software is
done
throughout
the program
life cycle.
Program
Maintenance
The requirements
of business data
processing
applications are
subject to periodic
change. This calls
for modification of
various programs.
5. System Testing
Testing is a process used to identify the correctness, completeness and quality of developed computer software. Testing should systematically
uncover different classes of errors in a minimum amount of time with a minimum amount of efforts.
Level of Testing
Integration Testing
System Testing
Unit Testing
Unit testing is a software verification and
validation method in which a programmer
tests if individual units of source code are fit
for use. The goal of unit testing is to isolate
each component of the program and show
that they are correct.
There are five categories of tests that a
programmer typically performs on a
program unit, which are :
Functional Tests: Functional Tests check
whether programs do, what they are
supposed to do or not.
Performance Tests: Performance Tests
should be designed to verify the response
time, the execution time,memory utilization
and the traffic rates on data channels and
communication links.
Stress Tests: Stress testing is a form of
testing beyond normal operational capacity
that is used to determine the stability of a
system or entity.
Structural Tests: Structural Tests are
concerned with examining the internal
processing logic of a software system.
Parallel Tests: In Parallel Tests, the same
test data is used in the new and old system
and the output results are then compared.
Such testing is normally conducted through execution of programs in operating conditions. Typical
techniques for dynamic testing and analysis include the following:
Black Box Testing: Black Box Testing takes an external perspective of the test object, to derive
test cases. These tests can be functional or non-functional, though usually functional. The test
designer selects typical inputs including simple, extreme, valid and invalid input-cases and executes
to uncover errors. This method of test design is applicable to all levels of software testing i.e. unit,
integration, functional testing, system and acceptance. If a module performs a function, which is
not supposed to, the black box test does not identify it.
White Box Testing: It uses an internal perspective of the system to design test cases based on
internal structure. It requires programming skills to identify all paths through the software. Since
the tests are based on the actual implementation, if the implementation changes, the tests
probably will need to change, too. It is applicable at the unit, integration and system levels of the
testing process, it is typically applied to the unit.
Gray Box Testing: It is a software testing technique that uses a combination of black box testing
and white box testing. In gray box testing, the tester applies a limited number of test cases to the
internal workings of the software under test. In the remaining part of the gray box testing, one
takes a black box approach in applying inputs to the software under test and observing the outputs.
6. System Implementation
The process of ensuring that the information system is operational and then allowing users to take over its operation for use and evaluation is called Systems Implementation.
Implementation includes all those activities that take place to convert from the old system to the new. Some of the generic activities involved in system implementation stage
are described briefly as follows:
Equipment Installation
The hardware required to
support the new system is
selected prior to the
implementation phase.
Major tasks are :
Site Preparation
Installation of New
Hardware / Software
Equipment Checkout
Training Personnel
Training is a major
component of systems
implementation. When a
new system is acquired,
which often involves new
hardware and software, both
users and computer
professionals generally need
some type of training.
Conversion or changeover is the process of changing over or shifting over from the old system
(may be the manual system) to the new system. The Four types of popular implementation
strategies are described as follows:
o Direct Implementation / Abrupt Change-Over: This is achieved through an abrupt takeover
an all or no approach i.e changeover is done in one operation, completely replacing the old
system in one go.
o Phased Changeover: With this strategy, implementation can be staged with conversion to the
new system taking place gradually.
o Pilot Changeover: With this strategy, the new system replaces the old one in one operation but
only on a small scale.
o Parallel Changeover: This is considered the most secure method with both systems running in
parallel over an introductory period, If all goes well, the old system is stopped and new system
carries on as the only system.
Maintaining the system is an important aspect of SDLC. Need for modification arises
from a failure to anticipate/capture all the requirements during system
analysis/design and/or from changing organizational requirements. Maintenance
can be categorized in the following ways:
Scheduled Maintenance: Scheduled maintenance is anticipated and can be
planned for operational continuity and avoidance of anticipated risks.
Rescue Maintenance: Rescue maintenance refers to previously undetected
malfunctions that were not anticipated but require immediate troubleshooting
solution.
Corrective Maintenance: Corrective maintenance deals with fixing bugs in the
code or defects found during the executions.
Adaptive Maintenance: Adaptive maintenance consists of adapting software to
changes in the environment, such as the hardware or the operating system.
Perfective Maintenance: Perfective maintenance mainly deals with
accommodating to the new or changed user requirements and concerns functional
enhancements to the system and activities to increase the systems performance or
to enhance its user interface.
Preventive Maintenance: Preventive maintenance concerns with the activities
aimed at increasing the systems maintainability, such as updating documentation,
adding comments, and improving the modular structure of the system.
Operation Module
It is typical users guide, also commonly known as Operations Manual. Moreover, it may be a technical communication document intended to give assistance to people using a
particular system. It is usually written by technical writers, although user guides are written by programmers, product or project managers, or other technical staff,
particularly in smaller companies. Operation manuals are most commonly associated with electronic goods, computer hardware and software. The section of an operation
manual will include the
following:
A cover page, a title page and copyright page;
A preface, containing details of related documents and information on how to navigate the user guide;
A contents page;
A guide on how to use at least the main functions of the system;
A troubleshooting section detailing possible errors or problems that may occur, along with how to fix them;
A FAQ (Frequently Asked Questions);
Where to find further help, and contact details;
A glossary and, for larger documents, an index.
IS Audit
The IS Audit of an Information
System environment may
include one or both of the
following:
Assessment of internal
controls within the IS
environment to assure validity,
reliability, and security of
information and information
systems.
Assessment of the efficiency
and effectiveness of the IS
environment.
The IS audit process is to
evaluate the adequacy of
internal controls with regard to
both specific computer program
and the data processing
environment as a whole.
IS Audit Process
Responsibility of Auditor
Category of IS Audit Functions of IS Auidit
Skills that is generally expected to be with an IS
auditor include:
Sound knowledge of business operations,
practices and compliance requirements;
Should possess the requisite professional
technical qualification and certifications;
A good understanding of information Risks
and Controls;
Knowledge of IT strategies, policy and
procedural controls;
Ability to understand technical and manual
controls relating to business continuity; and
Good knowledge of Professional Standards
and Best Practices of IT controls and security.
Standards
IIA (The Institute of Internal
Auditors) is an international
professional association. This
association provides dynamic
leadership for the global
profession of internal
auditing. IIA issued Global
Technology Audit Guide
(GTAG). GTAG provides
management of organisation
about information technology
management, control, and
security and IS auditors with
guidance on various
information technology
associated risks and
recommended practices.
Steps in IS Audit
Performing IS Audit
An IS Auditor uses the equivalent concepts of materiality (in financial audits) and significance (in performance audits) to plan both effective and efficient audit procedures.
Materiality and significance are concepts the auditor uses to determine the planned nature, timing, and extent of audit procedures.
Materiality and significance include both quantitative and qualitative factors in relation to the subject matter of the audit. Planning occurs throughout the audit as an iterative
process.
However, planning activities are concentrated in the planning phase, during which the objectives are to obtain an understanding of the entity and its operations, including its
internal control, identify significant issues, assess risk, and design the nature, extent, and timing of audit procedures. The auditor must devise an auditing testing plan and a testing
methodology to determine whether the previously identified controls are effective. The auditor also tests whether the end-user applications are producing valid and accurate
information. The auditor should also conduct several tests with both valid and invalid data to test the ability and extent of error detection, correction, and prevention within the
application. The auditor performs the necessary testing by using documentary evidence, corroborating interviews, and personal observation.
Basic Plan
Preliminary Review
The preliminary review of audit environment enables the auditor to gain understanding of the
business, technology and control environment and also gain clarity on the objectives of the audit
and scope of audit. The following are some of the critical factors, which should be considered by
an IS auditor as part of his/her preliminary review.
(i) Knowledge of the Business: Related aspects are given as follows:
General economic factors and industry conditions affecting the entitys business,
Nature of Business, its products & services,
General exposure to business,
Its clientele, vendors and most importantly, strategic business partners/associates to whom
critical processes have been outsourced,
Level of competence of the Top management and IT Management, and
Finally, Set up and organization of IT department.
(ii) Understanding the Technology: This could include consideration of the following:
Analysis of business processes and level of automation,
Assessing the extent of dependence of the enterprise on Information Technology to carry on its
businesses i.e. Role of IT in the success and survival of business,
Understanding technology architecture which could be quite diverse such as a distributed
architecture or a centralized architecture or a hybrid architecture,
Studying network diagrams to understand physical and logical network connectivity,
Understanding extended enterprise architecture wherein the organization systems connect
seamlessly with other stakeholders such as vendors (SCM), customers (CRM), employees (ERM)
The documentation of the audit plan is also a critical requirement. Every change and the government,
should be recorded with reason for change.
Knowledge of various technologies and their advantages and limitations is a critical
competence requirement for the auditor.
And finally, Studying Information Technology policies, standards, guidelines and procedures.
(iii) Understanding Internal Control Systems: For gaining understanding of Internal Controls
emphasis to be placed on compliance and substantive testing.
Audit
Audit
Documentation Limitation of
Digital
(iv) Legal Considerations and Audit Standards: Related points are given as follows:
Documentation
Evidence
by Auditor
Audit
Evidence
It refers to the * It acts as
* Use of special * The nature Documentary The auditor should carefully evaluate the legal as well as statutory implications on his/her audit
record of audit means to
audit
of financial
evidences also work.
The Information Systems audit work could be required as part of a statutory requirement in
procedure
control audit techniques,
reporting and include
performed,
work.
referred as
audit
evidences in which case he should take into consideration the related stipulations, regulations and guidelines
for conduct of his audit.
relevant audit * It is an
CAAT for
procedure.
electronic
The statutes or regulatory framework may impose stipulations as regards minimum set of
evidences
evdence of
documenting
* Limitation of from.
control objectives to be achieved by the subject organization.
obatined and
audit work
evidences.
time
The IS Auditor should also consider the Audit Standards applicable to his conduct and
cpnclusion the performed.
* Audit timing * Fraud,
performance of audit work.
auditor
* Information can also be so particularly
(v) Risk Assessment and Materiality: Risk Assessment is a critical and inherent part of the
reached.
about the
planned that
fraud
Information Systems Auditors planning and audit implementation. It implies the process of
business being auditor is able involving
identifying the risk, assessing the risk, and recommending controls to reduce the risk to an
audited.
to validate
senior
acceptable level, considering both the probability and the impact of occurrence. Risk assessment
transactions as management
allows the auditor to determine the scope of the audit and assess the level of audit risk and error
and when they or collusion
risk. Risks that affect a system and taken into consideration at the time of assessment can be
occur inti the
* The existece
differentiated as inherent risks, control risks and detection risks.
system.
and
completeness
of related
Category of Risks
party
Inherent Risk
Control Risk
Detection Risk
relationship
Inherent risk is the
Control risk is the risk that
Detection risk is the risk that the
and
susceptibility of information could occur in an audit area,
IT auditors substantive
transactions.
resources
or
resources
and
which
could
be
material,
procedures will not detect an
* Noncontrolled by the information individually or in combination error which could be material,
compliances
system to material theft,
with other errors, will not be
individually or in combination
with laws and
destruction,
disclosure,
prevented
or
detected
and
with other errors.
regulations.
unauthorized modification, or corrected on a timely basis by
other impairment, assuming the internal control system.
that there are no related
internal controls.
Internal controls are ignored
in setting inherent risk
because they are considered
separately in the audit risk
model as control risk.
(iii) System Control Audit Review File (SCARF): The SCARF technique involves embedding audit software modules within a host
application system to provide continuous monitoring of the systems transactions. The information collected is written onto a
special audit file- the SCARF master files. SCARF technique is like the snapshot technique along with other data collection
capabilities.
Auditors might use SCARF to collect the following types of information:
Application System Errors
Advantage of Concurrent or Continuous Audit Policy and Procedural Variances
Continuous auditing enables auditors to shift
System Exception
their focus from the traditional "transaction"
Statistical Sample
audit to the "system and operations" audit.
Snapshots and Extended Records
Some of the advantages of continuous audit
Profiling Data
techniques are given as under:
Performance Measurement
Timely, Comprehensive and Detailed Auditing
(iv) Continuous and Intermittent Simulation (CIS): This technique can be used to trap exceptions whenever the application
Surprise test capability
system uses a database management system. During application system processing, CIS executes in the following way:
Information to system staff on meeting of
The database management system reads an application system transaction. It is passed to CIS. CIS then determines whether it
objectives
wants to examine the transaction further. If yes, the next steps are performed or otherwise it waits to receive further data from
Training for new users
the database management system.
CIS replicates or simulates the application system processing.
Disadvantage of Concurrent or Continuous Audit Every update to the database that arises from processing the selected transaction will be checked by CIS to determine whether
Auditors should be able to obtain resources
discrepancies exist between the results it produces and those the application system produces.
required from the organization to support
Exceptions identified by CIS are written to a exception log file.
development, implementation, operation, and
The advantage of CIS is that it does not require modifications to the application system and yet provides an online auditing
maintenance of continuous audit techniques.
capability.
Continuous audit techniques are more likely to (v) Audit Hooks: There are audit routines that flag suspicious transactions. When audit hooks are employed, auditors can be
be used if auditors are involved in the
informed of questionable transactions as soon as they occur. This approach of real-time notification displays a message on the
development work associated with a new
auditors terminal.
application system.
Objective of Audit Trail
Audit trails are logs that can be designed to record
Auditors need the knowledge and experience of
Audit
trails
can be used to support security
working with computer systems to be able to use activity at the system, application, and user level. When properly
objectives
in
three ways:
implemented,
audit
trails
provide
an
important
detective
control
to
help
continuous audit techniques effectively and
accomplish
security
policy
objectives.
Audit
trail
controls
attempt
to
ensure
Detecting
unauthorized
access to the
efficiently.
system
Continuous auditing techniques are more likely that a chronological record of all events that have occurred in a system is
to be used where the audit trail is less visible and maintained. The accounting audit trail shows the source and nature of data
Facilitating the reconstruction of events
and processes that update the database. The operations audit trail maintains
the costs of errors and irregularities are high.
Promoting personal accountability
Continuous audit techniques are unlikely to be a record of attempted or actual resource consumption within a system.
Audit Trail:
sensitive,
Layer, where Layer, which includes
management. It includes the regulatory requirements with regards to fire
Data Coding Reasonablene critical forms
user access
supporting functions such as overall information security safety equipment, external inspection certificate
Controls, and
ss Verification Logging of
decisions are security administration. IT risk governance, security
and shortcomings pointed out by other
Validation
Edit Checks output program generally put management and patch
awareness, supporting
inspectors/auditors;
Controls.
Field
executions
in place.
management.
information security policies Power sources and conduct tests to assure the
Initialization Spooling/
Operational
At the tactical layer, security and standards, and the
quality of power, effectiveness of the power
Exception
queuing
Layer audit
administration is put in place. overarching an application
conditioning equipment, and generators. Also the
Reports
Controls over includes
This includes:
security perspective.
power supply interruptions must be checked to
printing
User
Timely updates to user
A comprehensive information test the effectiveness of the back-up power;
Report
Accounts and profiles
security programme fully
Environmental control equipment such as airdistribution and Access Rights IT Risk Management
supported by top
conditioning, dehumidifiers, heaters, ionizers etc;
collection
Password
Interface Security
management and
Compliant logs and maintenance logs to assess
controls
controls
Audit Logging and
communicated well to the
if MTBF and MTTR are within acceptable levels;
Retention
Segregation Monitoring
organization is of paramount and
controls
of Duites
importance to succeed in
Identify undesired activities such as smoking,
information security.
consumption of eatables etc.
Controls Objective
Protect itself from user;
Protect user from each
other;
Protect user from
themselves;
The operating system must
be protected from itself and
its environment.
Security Components
Log-in Procedure
Access Token
Access Control List
Discretionary Access Control
Phyical Security
Security required can be classified into :
* Accidental breach of security due to natural
calamities such as Fire Damage, Water Damage,
Power Supply Variation, Pollution Damage.
* Incidental breach is the fraudlent modification
or tampering of financial records maintained by
the company.
(ii) Preliminaries
Before proceeding with the audit, the auditor is expected to obtain the following information at the
audit location:
Location(s) from where Investment activity is conducted.
IT Applications used to manage the Insurers Investment Portfolio.
Obtain the system layout of the IT and network infrastructure.
Are systems and applications hosted at a central location or hosted at different office?
Previous Audit reports and open issues / details of unresolved issues.
Internal circulars and guidelines of the Insurer.
Standard Operating Procedures (SOP).
List of new Products/funds introduced during the period under review along with IRDA approval.
Scrip wise lists of all investments, fund wise, classified as per IRDA Guidelines, held on date.
IRDA Correspondence files, circulars and notifications issued by IRDA.
IT Security Policy.
Business Continuity Plans.
Network Security Reports pertaining to IT Assets.
System Control
System Audit
Banks require a separate IS Audit function within an Internal Audit department led by an
IS Audit Head reporting to the Head of Internal Audit or Chief Audit Executive (CAE).
Auditors will be required to be independent, competent and exercise due professional
care as they are part of Internal Audit functions.
To ensure independence for the IS Auditors, Banks should make sure that Auditors have
access to information and applications and Auditors have the right to conduct
independent data inspection and analysis.
IS Auditors should be professionally competent, having skills, knowledge, training and
relevant experience.Qualifications such as CISA (offered by ISACA),
DISA (offered by ICAI), or CISSP (offered by ISC2), along with two or more years of IS Audit
experience, are desirable.
IS Audits should also cover branches, with focus on large and medium branches, in areas
such as control of passwords, user ids, operating system security, antimalware, makerchecker, segregation of duties, physical security, review of exception reports or audit
trails, BCP policy and or testing.
System Audit
System Controls
Cyber Forensic
Cyber forensics is one of the latest scientific
techniques that has emerged due to the effect of
increasing computer frauds.
Cyber, means on The Net that is online. Forensics is
a scientific method of investigation and analysis
techniques to gather, process, interpret, and to use
evidence to provide a conclusive description of
activities in a way that is suitable for presentation in
a court of law.
Considering Cyber and Investigation together will
lead us to conclude that Cyber Investigation is an
investigation method gathering digital evidences to
be produced in court of law.
ISO 27001
ISO 27001 is the international best
practice and standard for an
Information Security Management
System (ISMS).
ISO 27001 defines how to organize
information security in any kind of
organization, profit or non-profit,
private or state-owned, small or
large. It is safe to say that this
standard is the foundation of
information security management.
Service Strategy
Service Strategy
deals with the
strategic
management
approach.
Service Design
ITIL Framework
Service Transition
Service Operation
Service Transition provides
guidance on the service
design and implementation,
ensuring that the service
delivers the intended strategy
and that it can be operated
and maintained effectively.
The Service Transition volume
provides guidance on the
development and
improvement of capabilities
for transitioning new and
changed services into
operations.
Service Transition provides
guidance on managing the
complexity of changes to
services and service
management processes to
prevent undesired
consequences whilst
permitting for innovation. It
provides guidance on
transferring the control of
services between customers
and service providers.
Section 3
Section 3A
Authentication of Electronic
Records
Electronic Signature
Section 4
Section 5
Section 6
Section 7
Section 7A
Section 8
Section 9
Section 10
Section 10A
Section 14
Section 15
Section 16
Security procedure to an
electronic record
Secure Electronic Signature
Power of the Central
Government to prescribe the
security procedure
Section 43
Section 44
Section 45
Section 65
Section 66
Section 66A
Section 66B
Section 66C
Section 66D
Section 66E
Section 66F
Section 67
Section 67A
Section 67B
Section 67C
Section 68
Section 69
Section 69A
Section 69B
Section 70
Section 70A
Section 70B
Section 71
Section 72
Section 72A
Section 73
Section 74
Section 75
Section 76
Section 79
Section 79A
Central Government to notify
Examiner of Electronic Evidence
[Chapter XIII] - Miscellaneous
Section 80
Section 81
Section 81A
Section 84C
Section 85
Cloud computing evolved from grid computing and provides on-demand resource provisioning. Grid computing may or may
not be in the cloud paradigm depending on what type of users are using it.
If the users are systems administrators and integrators, they care how things are maintained in the cloud. They upgrade,
install, and virtualized servers and applications. If the users are consumers, they do not care how things are run in the
system.
Grid computing requires the use of software that can divide and carve out pieces of a program as one large system image to
several thousand computers. If one piece of the software on a node fails, other pieces of the software on other nodes may
fail.
Front End Architecture: The front end of the cloud computing system comprises of the clients devices (or computer
network) and some applications needed for accessing the cloud computing system. All the cloud computing system donot
give the same interface to users. Web service like electronic mail program use some existing web browser such as Firefox,
Microsofts internet explorer or Appless Safari. Other type of systems has some unique application which provides network
access to its clients.
Back End Architecture: Back end refers to some service facilitating peripherals. In cloud computing, the back end is cloud
itself, which may encompass various computer machines, data storage systems and servers. Groups of these clouds make up
a whole cloud computing system. Theoretically, a cloud computing system can includes any type of web application program
such as video game to application for data processing, software development and entertainment. Usually, every application
would have its individual dedicated servers for services.
It is a category of cloud
services where the capability
provided to the cloud service
user is to use
network/transport connecting
services. NaaS involves
optimization of resource
allocation by considering
network and computing
resources as a whole.
Examples are: Virtual Private
Network, Mobile Network
Virtualization etc.
Public Cloud
Advantages:
* It is widely used in the development, deployment
and management of enterprise applications, at
affordable costs.
* It allows the organizations to deliver highly
scalable and reliable applications rapidly and at
more affordable costs.
Advantages:
* They improve average server utilization;
allow usage of low cost servers and hardware
while providing higher efficiencies; thus
reducing the cost that a greater number of
servers would otherwise entail.
* High level of automation is largely
responsible for reducing operations costs and
administrative overheads.
Major limitation is that IT teams in the
organization may have to invest in buying,
building and managing the clouds
independently.
Characterstics
High Scalability: Cloud environment enables servicing of business
requirements for larger audience, through high scalability.
Agility: The cloud works in the distributed mode environment. It
shares resources among users and tasks while improving efficiency
and agility (responsiveness)
High Availability and Reliability: Availability of servers is
supposed to be high and more reliable as the chances of
infrastructure failures are minimal.
Multi-sharing: With the cloud working in a distributed and shared
mode, multiple users and application can work more efficiently
with cost reduction by sharing common infrastructure.
Services in Pay-Per-Use Mode: SLAs between the provider and
the user must be defined when offering services in pay per use
mode. This may be based on the complexity of services offered.
Application Programming Interface (APIs) may be offered to the
users so they can access services on the cloud by using these APIs.
Virtualization: This technology allows servers and storage
devices to increasingly share and utilize application, by easy
migration from one physical server to another.
Performance: It is monitored and consistent and its loosely
coupled architecture constructed using web services as the system
interface enables high level of performance.
Maintenance: The cloud computing application are easier,
because they are not to be installed on each users computer and
can be accessed from different places.
Cloud Computing
Advantage
Cost Efficiency
Almost Unlimited Storage
Backup and Recovery
Automatic Software Integration
Easy Access to Information
Quick Deployment
Mobile Computing
Hybrid Cloud
Meaning:It is a combination of both at least
one private (internal) and at least one public
(external) cloud computing environments
usually, consisting of infrastructure,
platforms and applications. It is typically
offered in either of two ways. A vendor has a
private cloud and forms a partnership with a
public cloud provider or a public cloud
provider forms a partnership/ franchise with
a vendor that provides private cloud
platforms.
Challenges
Confidentiality
Integrity
Availability
Governance
Trust
Legal Issues and compliance
Privacy
Audit
Data Stealing
Architecture
Identity Management and Access Control
Incident Response
Software Isolation
Application Security
Social Media
A social network is usually created by a group of individuals, who
have a set of common interests and objectives. There are usually a
set of network formulators followed by a broadcast to achieve the
network membership. This happens both in public and private
groups depending upon the confidentiality of the network.
Web 2.0
Web 2.0 is the term given to describe a
second generation of the World Wide Web
that is focused on the ability for people to
collaborate and share information online.
Web 2.0 basically refers to the transition from
static HTML Web pages to a more dynamic
Web that is more organized and is based on
serving Web applications to users.
Green IT
Green IT refers to the study and practice of establishing / using
computers and IT resources in a more efficient and
environmentally friendly and responsible way. Computers consume
a lot of natural resources, from the raw materials needed to
manufacture them, the power used to run them, and the problems
of disposing them at the end of their life cycle.
Green computing is the environmentally responsible use of
computers and related resources. Such practices include the
implementation of energy-efficient Central Processing Units
(CPUs), servers and peripherals as well as reduced resource
consumption and proper disposal of electronic waste (e-waste).
One of the earliest initiatives toward green computing in the
United States was the voluntary labelling program known as
Energy Star. It was conceived by the Environmental Protection
Agency (EPA) in 1992 to promote energy efficiency in hardware of
all kinds.
It is largely taken as the study and practice of designing,
manufacturing, using, and disposing of computers, servers, and
associated subsystems peripheral devices efficiently and effectively
with highly mitigated negative impact on the environment. The
goals of green computing are similar to green chemistry; reduce
the use of hazardous materials, maximize energy efficiency during
the product's lifetime, and promote the recyclability or
biodegradability of defunct products and factory waste. Many
corporate IT departments have Green Computing initiatives to
reduce the environmental impacts of their IT operations and things
are evolving slowly but not as a revolutionary phenomenon.
Components
*Communities
*Blogging
*Wikis
*Folksonomy
*File Sharing/Prodcasting
*Mashups
Steps of Green IT