IT Strategy Planning

Three levels of managerial activity in an enterprise:
1) Strategic Planning: It is the process by which top management determines overall organizational purposes & objectives & how they are to be achieved.
2) Management Control: It is defined as the process by which managers assure that resources are obtained & used effectively.
3) Operational Control: It is defined as the process of assuring that specific tasks are carried out effectively & efficiently.

IT Strategy planning in an enterprise is classified into 4 categories. Strategic Planning refers to the planning undertaken by top mgt. towards meeting the long-term objectives of the enterprise.

1) Enterprise Strategic Plan:
   i) It provides the overall charter of the enterprise under which all units, including the information systems function, must operate.
   ii) It is the primary plan prepared by top management that guides the long-run development of the enterprise.
   iii) It includes:
      a) Statement of mission,
      b) Specification of strategic objectives,
      c) Assessment of environmental & organizational factors,
      d) Statement of strategies for achieving the objectives,
      e) Listing of priorities.

2) Information Systems Strategic Plan:
   i) It focuses on striking an optimum balance of IT opportunities & IT business requirements.
   ii) Enablers of the IS Strategic Plan are:
      a) Enterprise business strategy,
      b) Definition of how IT supports the business objectives,
      c) Inventory of technological solutions & current infrastructure,
      d) Monitoring the technology markets,
      e) Timely feasibility studies & reality checks,
      f) Existing systems assessments,
      g) Enterprise position on risk, time-to-market, quality,
      h) Need for senior management buy-in, support & critical review.

3) Information Systems Requirements Plan:
   i) Every enterprise needs to have a clearly defined information architecture with the objective of optimizing the organization of the information systems.
   ii) This requires creation & continuous maintenance of a business information model.
   iii) Key enablers of the information architecture:
      a) Automated data repository & dictionary,
      b) Data syntax rules,
      c) Data ownership & criticality/security classification,
      d) An information model representing the business, &
      e) Enterprise information architectural standards.

4) Information Systems Applications & Facilities Plan:
   i) On the basis of the information systems architecture, management can develop an information systems applications & facilities plan.
   ii) This plan includes:
      a) Specific application systems to be developed & an associated time schedule,
      b) Hardware & software acquisition/development schedule,
      c) Facilities required,
      d) Organization changes required.

IT Strategic Planning Process:
1) It has to be dynamic in nature.
2) Process owners should ensure a process is in place to modify the IT long-range plan in a timely & accurate manner.
3) Mgt. should establish a policy for developing & maintaining such short-range plans.

www.akpune.com © Compiled By: Akshay R Yadav 5 88881 44446 98817 51563
4) Process owners should ensure that the IT long-range plan is regularly translated into IT short-range plans.
5) Such short-range plans should ensure that appropriate IT function resources are allocated on a basis consistent with the IT long-range plan.
6) Short-range plans should be reassessed periodically & amended.

Objective of IT Strategy:
The primary objectives of IT strategy are:
- To provide a holistic view of the current IT environment,
- To set the future direction,
- To take the initiatives required to migrate to the desired future environment,
- To enable a nimble, reliable & efficient response to strategic objectives.

Key Management Practices for Aligning IT Strategy with Enterprise Strategy:
1) Understand enterprise direction: Consider the current enterprise environment as well as enterprise strategy & future objectives.
2) Assess the current environment, capabilities & performance: Assess the performance of current internal business & IT capabilities & external IT services.
3) Define the target IT capabilities: Define the target business & IT capabilities & required IT services.
4) Conduct a gap analysis: Identify the gaps b/w the current & target environments & consider the alignment of assets with business outcomes to optimize investment.
5) Define the strategic plan & road map: Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals.
6) Communicate the IT strategy & direction: Create awareness & understanding of the business & IT objectives & direction, as captured in the IT strategy, through communication to appropriate stakeholders.

Key management practices which need to be implemented for evaluating 'Whether business value is derived from IT': (MT: EDM) (N17)
1) Evaluate Value Optimization: Continually evaluate the portfolio of IT-enabled investments, services & assets to determine the likelihood of achieving enterprise objectives.
2) Direct Value Optimization: Direct value management principles & practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.
3) Monitor Value Optimization: Monitor the key goals to determine the extent to which the business is generating the expected value from IT-enabled investments.

Success of the process of ensuring business value from the use of IT can be measured by evaluating the benefits realized from IT-enabled investments & how transparency of IT costs, benefits & risk is implemented. Some of the key metrics which can be used for such evaluation are:
1) % of IT-enabled investments where benefit realization is monitored through the full economic life cycle.
2) % of IT-enabled investments where claimed benefits are met/exceeded.
3) % of investment business cases with clearly defined & approved expected IT-related costs & benefits.
4) % of IT services with clearly defined & approved operational costs & expected benefits.
5) % of IT services where expected benefits are realized.
6) Satisfaction survey of key stakeholders regarding the transparency, understanding & accuracy of IT financial information.
Risk Management

Effective IT governance helps to ensure close linkage to the enterprise risk management activities, including ERM & IT Risk Management.

A) Information Systems Risks & Risk Management:
Risk is the possibility of something adverse happening, resulting in potential loss/exposure. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level & maintaining that level of risk. Auditors are required to evaluate whether the available controls are adequate & appropriate to mitigate the risks. If controls are unavailable/inadequate/inappropriate, then there is a control weakness, which has to be reported to auditee mgt. with appropriate recommendations to mitigate it.

B) Risk: (MTP15 - M4)
Risk can be defined as the potential harm caused if a particular threat exploits a particular vulnerability to cause damage to an asset. Risk analysis is defined as the process of identifying security risks & determining their magnitude & impact on an organization.
1) Risk assessment includes the following:
   i) Identification of threats & vulnerabilities in the system.
   ii) Potential impact on the CIA (confidentiality, integrity & availability).
   iii) Identification & analysis of security controls for the IS.
2) Risks lead to a gap b/w the Need to protect systems & the Degree of protection applied. There are many direct & indirect risks relating to the IS. These risks have led to a gap b/w the Need to protect systems & the Degree of protection applied. The gap is caused by: (MTP N16)
   i) Widespread use of technology.
   ii) Interconnectivity of systems.
   iii) Elimination of distance, time & space as constraints.
   iv) Unevenness of technological changes.
   v) Devolution of management & control.
   vi) Attractiveness of conducting unconventional electronic attacks against organizations.
   vii) External factors such as legislative, legal & regulatory requirements.
3) It means there are new risk areas that could have a significant impact on critical business operations, such as:
   i) External dangers from hackers, leading to denial of service & virus attacks.
   ii) Growing potential for misuse & abuse of IS.
   iii) Increasing requirements for availability & robustness.
4) Sources of Risk: (MT: NEP TC MIH)
   1) Commercial & Legal Relationships,
   2) Economic Circumstances,
   3) Human Behavior,
   4) Natural Events,
   5) Political Circumstances,
   6) Technology & Technical Issues,
   7) Management Activities & Controls,
   8) Individual Activities.
5) Characteristics of Risk:
   1) Loss potential that exists as the result of the threat/vulnerability process.
   2) Uncertainty of loss expressed in terms of probability.
   3) Probability of a threat agent mounting a specific attack against a particular system.

C) Metrics of Risk Management:
1) % of critical business processes & IT services covered by risk assessment.
2) No. of significant IT-related incidents not identified in risk assessment.
3) % of enterprise risk assessments.
4) Frequency of updating the risk profile.
D) Related Terms:
1) Asset: An asset can be defined as something of value to the organization. E.g. information in electronic/physical form, software systems, employees. Characteristics of Assets:
   i) They are recognized to be of value to the organization.
   ii) They are not easily replaceable without cost, skill, time, resources.
   iii) They form a part of the organization's corporate identity.
   iv) Their Data Classification would normally be Proprietary or Highly Confidential.
2) Vulnerability: It is the weakness in the system safeguards that exposes the system to threats. E.g.
   1) Leaving a door unlocked makes the house vulnerable to unwanted visitors.
   2) Short passwords make the automated IS vulnerable to password cracking.
3) Threat: Any entity or circumstance with the potential to harm the software system through unauthorized access, destruction, modification, &/or denial of service is called a Threat.
4) Exposure: It is the extent of loss the enterprise has to face when a risk materializes. E.g. loss of business, loss of reputation, violation of privacy.
5) Likelihood: It is the estimation of the probability that the threat will succeed in achieving an undesirable event.
6) Attack: It is an attempt to gain unauthorized access to the system's services. In software terms, an attack is a malicious intentional fault, usually an external fault, that has the intent of exploiting a vulnerability.
7) Counter Measure: An action, device, procedure or technique that reduces the vulnerability of a system/component is referred to as a Counter Measure. E.g. the well-known threat 'spoofing the user identity' has two countermeasures:
   i) Strong authentication protocols to validate users.
   ii) Passwords should not be stored in configuration files; instead some secure mechanism should be used.
8) Residual Risk: Any risk remaining after the counter measures are analyzed & implemented is called Residual Risk.
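As an added illustration (not part of these notes), the following Python script puts the terms above into a small risk register: each entry records an asset, threat, vulnerability, likelihood & exposure; countermeasures scale down likelihood or exposure, leaving a residual risk that is compared with a risk appetite to pick one of the strategies (Tolerate, Treat, Turn back) described under Risk Management Strategies. The register entries, the reduction factors, the appetite figures & the mapping of numbers onto strategies are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed example register built on the notes' terms: asset, threat,
# vulnerability, likelihood, exposure, countermeasure, residual risk.
# Every figure below is assumed for illustration, not taken from the notes.


@dataclass
class Countermeasure:
    name: str
    likelihood_factor: float = 1.0   # multiplies likelihood; 1.0 = no effect
    exposure_factor: float = 1.0     # multiplies exposure (loss); 1.0 = no effect


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float                # probability (0..1) that the threat succeeds
    exposure: float                  # loss faced if the risk materializes (money units)
    countermeasures: List[Countermeasure] = field(default_factory=list)


def inherent_risk(entry: RiskEntry) -> float:
    """Expected loss before any countermeasure: likelihood x exposure."""
    return entry.likelihood * entry.exposure


def residual_risk(entry: RiskEntry) -> float:
    """Expected loss remaining after the listed countermeasures are applied."""
    likelihood, exposure = entry.likelihood, entry.exposure
    for cm in entry.countermeasures:
        likelihood *= cm.likelihood_factor
        exposure *= cm.exposure_factor
    return likelihood * exposure


def choose_strategy(entry: RiskEntry, appetite: float, negligible: float) -> str:
    """Assumed mapping of the figures onto the notes' strategies.

    Turn back      : inherent risk so low that mgt. simply ignores it.
    Tolerate/Accept: residual risk sits within the risk appetite.
    Treat/Mitigate : residual risk exceeds appetite, so controls must be devised
                     (transfer or terminate are the alternatives to consider).
    """
    if inherent_risk(entry) <= negligible:
        return "Turn back"
    if residual_risk(entry) <= appetite:
        return "Tolerate/Accept"
    return "Treat/Mitigate"


def evaluate_register(register: List[RiskEntry], appetite: float,
                      negligible: float) -> List[Dict[str, object]]:
    """Return one row per register entry with inherent, residual & chosen strategy."""
    rows = []
    for entry in register:
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "inherent": inherent_risk(entry),
            "residual": residual_risk(entry),
            "strategy": choose_strategy(entry, appetite, negligible),
        })
    return rows


# Constructed figures: board accepts at most 25,000 expected loss per risk and
# ignores anything whose inherent expected loss is below 1,000.
RISK_APPETITE = 25_000.0
NEGLIGIBLE = 1_000.0

REGISTER = [
    # Short passwords (the notes' own vulnerability example) with the two
    # countermeasures the notes list against identity spoofing.
    RiskEntry("Customer database", "Password cracking", "Short passwords",
              likelihood=0.4, exposure=500_000.0,
              countermeasures=[
                  Countermeasure("Strong authentication protocols", likelihood_factor=0.1),
                  Countermeasure("Credentials kept out of config files", likelihood_factor=0.5),
              ]),
    # A technical-condition threat with no countermeasure in place yet.
    RiskEntry("File server", "Disk crash", "No tested backups",
              likelihood=0.2, exposure=200_000.0),
    # Low-impact, low-probability nuisance.
    RiskEntry("Office printer", "Paper jam", "Worn rollers",
              likelihood=0.5, exposure=500.0),
]

if __name__ == "__main__":
    for row in evaluate_register(REGISTER, RISK_APPETITE, NEGLIGIBLE):
        print(f"{row['asset']:<18} {row['threat']:<18} inherent={row['inherent']:>10,.0f} "
              f"residual={row['residual']:>10,.0f}  -> {row['strategy']}")
```

Running the script prints one line per register entry; the customer database drops from 200,000 inherent to 10,000 residual and is accepted, while the file server remains above appetite and is flagged for treatment.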
Key Governance Practices of Risk Management: (MT: EDM) (RTP-M15, N16/17, MTP-16)
1) Evaluate Risk Management: Continually examine & make judgment on the effect of risk on the current & future use of IT in the enterprise.
2) Direct Risk Management: Direct the establishment of risk management practices so as to ensure that the actual IT risk does not exceed the board's risk appetite.
3) Monitor Risk Management: Monitor the key goals of the risk management processes & establish how deviations/problems will be identified, tracked & reported.

Key Management Practices of Risk Management: (M18)
1) Collect Data: Identify & collect relevant data to enable effective IT-related risk identification, analysis & reporting.
2) Analyse Risk: Develop useful information to support risk decisions.
3) Maintain a Risk Profile: Maintain an inventory of known risks & risk attributes, including expected frequency, potential impact, & responses.
4) Articulate Risk: Provide information on the current state of IT-related exposures & opportunities in a timely manner to all required stakeholders for appropriate response.
5) Define a Risk Management Action Portfolio: Manage opportunities & reduce risk to an acceptable level.
6) Respond to Risk: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
E) Risk Management Strategies: (MT: TOTe TraTe Turn) (RTP M17/18, MTP N18)
1) Tolerate/Accept the risk: Some risks may be minor because their impact & probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate.
2) Terminate/Eliminate the risk: It is possible for a risk to be associated with the use of a particular technology, supplier or vendor. The risk can be eliminated by replacing the technology with more robust products.
3) Transfer/Share the risk: Risk mitigation approaches can be shared with trading partners & suppliers. E.g. outsourcing infrastructure management.
4) Treat/Mitigate the risk: Where other options have been eliminated, suitable controls must be devised & implemented to prevent the risk from manifesting itself.
5) Turn back: Where the probability/impact of the risk is very low, mgt. may decide to ignore the risk.

COBIT 5 Business Framework: Governance & Management of Enterprise IT

COBIT is a set of best practices for Information Technology management developed by ISACA & the IT Governance Institute in 1996. COBIT 5 is the only business framework for the governance & management of enterprise IT. As per COBIT 5, information is the currency of the 21st century enterprise. Information, & the technology that supports it, can drive success, but it also raises challenging governance & management issues. It explains the need for using the approach & latest thinking for reviewing & implementing governance & management of enterprise IT.

A) Need for Enterprises to Use COBIT 5:
1) Enterprises depend on good, reliable, repeatable data, on which they can base good business decisions.
2) COBIT 5 is a set of globally accepted principles, practices & analytical tools that can be customized for enterprises of all sizes & industries.
3) COBIT 5 provides the tools necessary to understand, utilize, implement & direct important IT-related activities.
4) COBIT 5 is intended for enterprises of all types & sizes, including non-profit & public sector, & is designed to deliver business benefits to enterprises.

B) Integrating COBIT 5 with Other Frameworks: (*TOGAF: The Open Group Architecture Framework)
COBIT 5 is based on an enterprise view & is aligned with enterprise governance best practices such as ITIL, TOGAF*, ISO 27001 & ISO/IEC 38500:2008. COBIT 5 acts as the single overarching framework, which serves as a consistent & integrated source of guidance.

C) Components in COBIT 5: (Nov 2017)
1) Framework: Organizes IT governance objectives & good practices by IT domains & processes, & links them to business requirements.
2) Process Descriptions: Processes map to the responsibility areas of plan, build, run & monitor.
3) Control Objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
4) Management Guidelines: Help assign responsibility, agree on objectives, measure performance, & illustrate the interrelationship with other processes.
5) Maturity Models: Assess maturity & capability per process & help to address gaps.
D) Benefits of COBIT 5: (M18, RTP-M16/17)
1) COBIT 5 enables enterprises to achieve their objectives for the governance & mgt. of enterprise IT.
2) COBIT 5 enables IT to be governed & managed in a holistic manner.
3) COBIT 5 enables clear policy development & good practice for IT management.
4) COBIT 5 helps enterprises to create optimal value from IT.
5) COBIT 5 helps enterprises to manage IT-related risk & ensures compliance, continuity, security & privacy.
6) It is useful for enterprises of all sizes, whether commercial or not-for-profit.
7) COBIT 5 supports compliance with relevant laws, regulations & policies.

E) Customizing COBIT 5 as per Requirement:
COBIT 5 can be tailored to meet an enterprise's specific business model, technology environment, location & corporate culture. Because of its open design, it can be applied to meet needs related to:
1) Information security,
2) Risk management,
3) Governance & management of enterprise IT,
4) Assurance activities,
5) Legislative & regulatory compliance,
6) Financial processing.

F) Five Principles of COBIT 5: (MT: MC AES)
Principle 1: Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders. COBIT 5 provides processes & other enablers to support business value creation. An enterprise can customize COBIT 5 to suit its own objectives.
Principle 2: Covering the Enterprise End-to-End: COBIT 5 integrates IT governance of the enterprise into enterprise governance. It covers all functions & processes within the enterprise. It considers all IT-related governance & management enablers to be enterprise-wide & end-to-end.
Principle 3: Applying a Single Integrated Framework: COBIT 5 is a single & integrated framework. It is complete in enterprise coverage, providing a basis to effectively integrate other frameworks, standards & practices used.
Principle 4: Enabling a Holistic Approach: Efficient & effective governance of enterprise IT requires a holistic approach.
COBIT 5 defines a set of enablers to support the implementation of a governance & mgt. system for enterprise IT.
Principle 5: Separating Governance from Management: COBIT 5 makes a clear distinction between governance & management.

G) COBIT 5 Process Reference Model:
COBIT 5 includes a Process Reference Model, which describes in detail a number of governance & management processes of enterprise IT, divided into two main process domains: Governance & Mgt. The COBIT 5 enabler model includes a total of 37 governance & management processes:
Governance Processes:
   Evaluate, Direct & Monitor (EDM) - 5 processes (EDM01 to EDM05)
Management Processes:
   Align, Plan & Organize (APO) - 13 processes (APO01 to APO13)
   Build, Acquire & Implement (BAI) - 10 processes (BAI01 to BAI10)
   Deliver, Service & Support (DSS) - 6 processes (DSS01 to DSS06)
   Monitor, Evaluate & Assess (MEA) - 3 processes (MEA01 to MEA03)
H) Seven Enablers of COBIT 5: (N16, RTP-N16/M18)
1) Principles, Policies & Frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
2) Processes describe an organized set of practices & activities to achieve certain objectives.
3) Organizational Structures are the key decision-making entities in an enterprise.
4) Culture, Ethics & Behavior of individuals & the enterprise is very often underestimated as a success factor in governance.
5) Information is pervasive throughout any organization & includes all information produced & used by the enterprise.
6) Services, Infrastructure & Applications provide the enterprise with information technology processing & services.
7) People, Skills & Competencies are linked to people & are required for successful completion of all activities & for making correct decisions.

I) Risk Management in COBIT 5:
1) The COBIT framework provides excellent guidance on risk management strategy & practices from the governance & management perspective.
2) The Governance domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: "EDM03: Ensure risk optimization".
3) This process ensures that the enterprise's risk appetite & tolerance are understood & communicated.
4) This process provides guidance on how to ensure that IT-related enterprise risk does not exceed risk appetite & tolerance.

J) Using COBIT 5 Best Practices for GRC:
A) GRC program implementation requires the following:
   a) Defining clearly what GRC requirements are applicable.
   b) Identifying the regulatory & compliance landscape.
   c) Reviewing current GRC status.
   d) Determining the most optimal approach.
   e) Setting out key parameters on which success will be measured.
   f) Using a process-oriented approach.
   g) Adapting global best practices.
   h) Using a uniform & structured approach which is auditable.
B) Success of a GRC program can be measured by using the following goals & metrics:
   a) Reduction of redundant controls & related time to execute.
   b) Reduction in control failures in all key areas.
   c) Reduction of expenditure relating to legal, regulatory & review areas.
   d) Reduction in overall time required for audit of key business areas.
   e) Improvement through streamlining of processes & automation of control & compliance measures.
   f) Improvement in timely reporting of regular compliance issues.
   g) Dashboard of compliance status & key issues to senior management on a real-time basis.
IT Compliance Review

Following are some of the regulatory/legal requirements for GRC (Governance, Risk Management & Compliance) in an enterprise:
1) In the US, the Sarbanes-Oxley Act has been passed to protect investors by improving the accuracy & reliability of corporate disclosures.
2) In India, Clause 49 of the listing agreement issued by SEBI mandates similar implementation of enterprise risk management & internal controls.
3) The Information Technology Act provides legal recognition for electronic records & also mandates responsibilities for protecting information. The Act also identifies various types of cyber-crimes & has imposed specific responsibilities on corporates.
4) In the USA, the Public Company Accounting Oversight Board (PCAOB) has come out with detailed guidelines on compliance by auditors & companies under the Act.

Compliance in COBIT 5:
1) The Management domain "Monitor, Evaluate & Assess (MEA)" contains a compliance-focused process: "MEA03 Monitor, Evaluate & Assess Compliance with External Requirements".
2) Governance activities related to GEIT are covered in the 5 processes of the Governance domain.

Key Management Practices of IT Compliance provided by COBIT 5: (RTP-N18)
1) Identify External Compliance Requirements: On a continuous basis, identify & monitor changes in local & international laws & regulations that have to be complied with from an IT perspective.
2) Optimize Response to External Requirements: Review & adjust policies, principles, standards, procedures & methodologies to ensure that legal, regulatory & contractual requirements are addressed & communicated.
3) Confirm External Compliance: Confirm compliance of policies, principles, standards, procedures & methodologies with legal, regulatory & contractual requirements.
4) Obtain Assurance of External Compliance: Obtain & report assurance of compliance & adherence with policies, principles, standards, procedures & methodologies.
Key Metrics for Assessing the Compliance Process:
1) Compliance with External Laws & Regulations:
   a) Cost of IT non-compliance, including settlements & fines.
   b) No. of IT-related non-compliance issues reported.
   c) No. of non-compliance issues relating to contractual agreements.
   d) Coverage of compliance assessments.
2) IT Compliance with Internal Policies:
   a) No. of incidents related to non-compliance with policy.
   b) Percentage of stakeholders who understand policies.
   c) Percentage of policies supported by effective standards & working practices.
   d) Frequency of policy review & updates.
Information System Assurance

Management needs to ensure effective use of information & technology investments & related IT, not only for supporting enterprise goals but also to maintain compliance. This dynamically changing environment provides a challenge for Chartered Accountants to provide assurance with the required level of confidence. However, with the right type of skills & toolsets, this provides an excellent opportunity for Chartered Accountants to act as consultants. A key component of this knowledge base is the usage of globally accepted good practices & frameworks.

A) Using COBIT 5 for Information System Assurance:
1) Auditors have to understand the business processes & the enterprise's policies, procedures & practices as implemented.
2) An enterprise executes its business operations through its staff. Thus staff need to have defined job responsibilities.
3) COBIT 5 has been engineered to meet the expectations of multiple stakeholders.
4) It is designed to deliver benefits to both internal as well as external stakeholders.
5) It is written in a non-technical language.
6) It is therefore usable by all people understanding & addressing IT-related issues.
7) COBIT has been widely used with COSO by management, IT professionals, regulators & auditors.
8) COBIT has been used as an umbrella framework under which other standards & approaches have been integrated.

B) Evaluating IT Governance Structure & Practices by Internal Auditors: (RTP-M16/18) (Or: Activities performed by an internal auditor as suggested by the IIA)
1) Leadership:
   a) Evaluate the relationship b/w IT objectives & the current/strategic needs of the org.
   b) Assess the involvement of IT leadership in the development & execution of org. strategic goals.
   c) Review how roles & responsibilities are assigned within the IT organization.
   d) Review the role of senior management in maintaining strong IT governance.
2) Organizational Structure:
   a) Review how management & IT personnel are interacting & communicating current & future needs.
   b) This should include the existence of necessary roles & reporting relationships to allow IT to meet the needs of the organization.
3) Processes:
   a) Evaluate IT process activities & the controls in place to mitigate risks to the org.
   b) What processes are used by the IT organization to support the IT environment?
4) Risks:
   a) Review the processes used by the IT org. to identify, assess, & monitor/mitigate risks.
   b) Determine the accountability that personnel have within risk management.
5) Controls:
   a) Assess key controls that are defined by IT to manage its activities.
   b) Ownership, documentation & reporting of self-validation aspects should be reviewed.
   c) The control set should be robust (strong) enough to address identified risks.
6) Performance Measurement/Monitoring:
   a) Evaluate the framework & systems in place to measure & monitor organizational outcomes.

C) Sample Areas of Review for Assessing & Managing Risks:
It considers whether the enterprise is engaging itself in IT risk identification & impact analysis, involving multi-disciplinary functions & taking cost-effective measures to mitigate risks. Specific areas evaluated are:
   a) Risk management ownership & accountability.
   b) Different kinds of IT risks (technology, security, continuity, regulatory, etc.).
   c) Defined & communicated risk tolerance profile.
   d) Root cause analyses & risk mitigation measures.
   e) Quantitative &/or qualitative risk measurement.
   f) Risk assessment methodology.
   g) Risk action plan & timely reassessment.
D) How to Evaluate & Assess the System of Internal Control:
COBIT 5 has a specific process, "MEA02 Monitor, Evaluate & Assess the System of Internal Control", which provides guidance on evaluating & assessing internal controls implemented in an enterprise. The objective of such a review is to:
   i) Continuously monitor & evaluate the control environment.
   ii) Enable management to identify control deficiencies & inefficiencies & to initiate improvement actions.
   iii) Plan, organize & maintain standards for internal control assessment & assurance activities.

E) Sample Areas of GRC for Review by Internal Auditors: (N17)
1) Scope: Internal audit activity must evaluate & contribute to the improvement of governance, risk management & control processes using a systematic approach.
2) Governance: Internal audit activity must assess & make appropriate recommendations for improving the governance process.
3) Evaluate Enterprise Ethics: Internal audit activity must evaluate the design, implementation & effectiveness of the organization's ethics programs & activities.
4) Risk Management: Internal audit activity must evaluate the effectiveness of & contribute to the improvement of risk management processes.
5) Interpretation: Determining whether risk management processes are effective is based on the internal auditor's assessment.
6) Risk Management Process: Internal audit activity may gather information to support this assessment during multiple engagements.
7) Evaluate Risk Exposures: Internal audit activity must evaluate risk exposures relating to the organization's governance, operations & information systems.
8) Evaluate Fraud & Fraud Risk: Internal audit activity must evaluate the potential for the occurrence of fraud & how the organization manages fraud risk.
F) Key management practices complying with COBIT 5 for assessing & evaluating the system of internal controls in an enterprise: (N14, M17, RTP N17, M18)
1) Monitor Internal Controls: Continuously monitor, benchmark & improve the IT control environment to meet organizational objectives.
2) Review Business Process Controls Effectiveness: Review the operation of controls, including a review of monitoring & test evidence, to ensure that controls within business processes operate effectively.
3) Perform Control Self-assessments: Encourage management to take positive ownership of control improvement through a continuing program of self-assessment.
4) Identify & Report Control Deficiencies: Identify control deficiencies & analyse & identify their underlying root causes.
5) Ensure that Assurance Providers are Independent & Qualified: Ensure that the entities performing assurance are independent from the function, groups or organizations in scope.
6) Plan Assurance Initiatives: Plan assurance initiatives based on enterprise objectives & conformance objectives, assurance objectives & strategic priorities, inherent risk & resource constraints.
7) Scope Assurance Initiatives: Define & agree with management on the scope of the assurance initiative, based on the assurance objectives.
8) Execute Assurance Initiatives: Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, & recommendations for improvement.
Chapter 3: Protection Of Information Systems

Need for Protection of Information Systems:
Information security failures may result in both financial losses &/or intangible losses such as unauthorized disclosure of competitive or sensitive information. That is why Protection of Information Systems has become a need for organisations. There are many direct & indirect risks relating to the IS. These risks have led to a gap b/w the Need to protect systems & the Degree of protection applied. (already covered in Chapter 1 Page 7)
The gap is caused by: (already covered in Chapter 1 Page 7)
   i) Widespread use of technology.
   ii) Interconnectivity of systems.
   iii) Elimination of distance, time & space as constraints.
   iv) Unevenness of technological changes.
   v) Devolution of management & control.
   vi) Attractiveness of conducting unconventional electronic attacks against organizations.
   vii) External factors such as legislative, legal & regulatory requirements.

What form of Threats arise to Information Systems:
Threats to IS may arise from intentional/unintentional acts & may come from internal or external sources. Threats may emanate from, among others:
   a) Technical conditions (program bugs, disk crashes),
   b) Natural disasters (fire, flood),
   c) Environmental conditions (electrical surges),
   d) Human factors (lack of training, errors, & omissions),
   e) Unauthorized access (hacking), or viruses.

Information System Security:
Information security refers to the protection of valuable assets against loss, disclosure, or damage.

Information System Security Objective: (RTP-M15)
"Protection of the interests of those relying on information, & protection of the information systems & communications that deliver the information from harm resulting from failures of confidentiality, integrity, & availability".
For any organization, the security objective comprises 3 universally accepted attributes:
a) Confidentiality: Prevention of the unauthorized disclosure of information.
b) Integrity: Prevention of the unauthorized modification of information.
c) Availability: Prevention of the unauthorized withholding of information.
What Information is Sensitive?
The following examples highlight some of the factors necessary for an organization to succeed.
1) Strategic Plans: Most organizations readily acknowledge that strategic plans are crucial to the success of a company. But many of them fail to really make an effort to protect these plans. E.g. a competitor learns that a company is testing a new product line in a specific geographic location.
2) Business Operations: Business operations consist of an organization’s processes & procedures, most of which are deemed to be proprietary. They provide a market advantage to the organization.
3) Finances: Financial information, such as salaries & wages, is very sensitive & should not be made public. While general salary ranges are known within the industry, precise salary information can provide a competitive edge.
Information Security Policy
It is the statement of intent by the mgt. about how to protect a company’s information assets. It is a formal statement of the rules which give people access to an organization's technology & information assets, & which they must abide by. An information security policy should be in written form.
Information Security policy invariably includes rules intended to:
a) Preserve & protect information from any unauthorized modification, access/disclosure.
b) Limit/eliminate potential legal liability from employees/third parties.
c) Prevent waste/inappropriate use of the resources of an organization.
Tools to Implement Policy: Standards, Guidelines, & Procedures:
Standards specify technologies & methodologies to be used to secure systems. Guidelines help in smooth implementation of the information security policy. Procedures are more detailed steps to be followed to accomplish particular security related tasks.
Information security policy should at least address the following Issues: (M16, MTP N16)
1) Definition of information security,
2) Reasons why information security is important to the org, & its goals & principles,
3) Brief explanation of security policies, principles, standards & compliance requirements,
4) Definition of all relevant information security responsibilities,
5) Reference to supporting documentation.
Members of Security Policy: Security policy comprises the following 3 groups of management:
a) Management members who have budget & policy authority,
b) Technical group who know what can & cannot be supported,
c) Legal experts who know the legal ramifications of various policy changes.
Information Security Policies & their Hierarchy:
A) User Security Policies: These include User Security Policy & Acceptable Usage Policy.
i) User Security Policy: This policy sets out responsibilities & requirements for all IT system users.
ii) Acceptable Usage Policy: This sets out the policy for acceptable use of email & Internet services.
B) Organization Security Policies: These include Organizational Information Security Policy, Network & System Security Policy & Information Classification Policy.
i) Organizational Information Security Policy: This policy sets out the Group policy for security of its information assets & IT systems.
ii) Network & System Security Policy: This policy sets out detailed policy for system & network security.
iii) Information Classification Policy: This policy sets out the policy for the classification of information.
C) Conditions of Connection: This policy sets out the Group policy for connecting to the network. It applies to all organizations connecting to the Group, & relates to the conditions that apply to different suppliers’ systems.
Components of the Security Policy:
1) Purpose & Scope of the Document & the intended audience.
2) Security Infrastructure.
3) Security policy document maintenance & compliance requirements.
4) Incident response mechanism & incident reporting.
5) Inventory & Classification of assets.
6) Physical & Environmental Security.
7) Identity Management & access control.
8) IT Operations management.
9) IT Communications.
10) System Development & Maintenance Controls.
11) Business Continuity Planning (BCP).
12) Monitoring & Auditing Requirements.
Information Systems Controls
Control is defined as Policies, procedures, practices & enterprise structure that……………..(refer below)
A) Need for Controls in Information Systems: (MTP1 N16- 4 Marks)
◄ Today’s dynamic global enterprises need information integrity, reliability & validity for timely flow of accurate information throughout the organization.
◄ With the goals of reducing the probability & organizational costs of data loss, computer loss, computer abuse & incorrect decision making, & of maintaining privacy, an organization’s management must set up a system of internal controls.
◄ Safeguarding assets to maintain data integrity to achieve system effectiveness & efficiency is a significant control process.
◄ IS control procedures may include: Strategy & direction. General Organization & Management. Access to IT resources, including data & programs. System development methodologies & change control. Operation procedures. Physical Access Controls. BCP & DRP. Protective & detective mechanisms against internal/external attacks etc.
B) Objectives of Controls:
◄ Control is defined as Policies, procedures, practices & enterprise structure that are designed to provide reasonable assurance that business objectives will be achieved & undesired events are prevented, detected & corrected.
◄ Objective of controls: 1) To reduce/if possible eliminate the causes of the exposure to potential loss. 2) Exposures are potential losses due to threats materializing. All exposures have causes.
◄ Categories of exposures are: 1) Errors/omissions in data, procedure, processing, judgment & comparison. (4P) 2) Improper authorizations & improper accountability with regard to the 4P. 3) Inefficient activity in the 4P.
◄ Critical controls lacking in a computerized environment:
1) Lack of management understanding of IS risks & related controls.
2) Absence/inadequate IS control framework.
3) Absence/weak general controls & IS controls.
4) Lack of awareness & knowledge of IS risks & controls amongst the users.
5) Complexity of implementation of controls in distributed computing environments.
6) Lack of control features in highly technology driven environments.
7) Inappropriate technology implementations.
◄ Control objectives serve 2 main purposes: 1) Outline the policies of the organization as laid down by the management. 2) A benchmark for evaluating whether control objectives are met.
C) Impact of Technology on Internal Controls: (PM, M16, RTP-M16, MTP1-N15/M16)
1) Competent & Trustworthy Personnel: Personnel should have proper skill & knowledge to discharge their duties.
2) Segregation of Duties: In a computerized system, the auditor should be concerned with the segregation of duties within the IT department. Staff know the interrelationship b/w the source of data, how it is processed & the distribution & use of output. Examples of Segregation of Duties are as follows: a) Database administration group from other data processing activities. b) Computer hardware operations from the other groups.
3) Authorization Procedures: In computer systems, authorization procedures often are embedded within a computer program. E.g: In on-line transaction systems, written evidence of individual data entry authorisation.
4) Adequate Documents & Records: In computer systems, documents might not be used to support the initiation, execution, & recording of some transactions. Thus, no visible audit trail would be available to trace the transactions.
5) Physical Control over Assets & Records: It is critical in both manual systems & computer systems. In manual systems, protection from unauthorised access was through the use of locked doors & filing cabinets. Computerised financial systems have not changed the need to protect the data.
6) Adequate Management Supervision: In a computer system, data communication facilities can be used to enable employees to be closer to the customers they service. Management’s supervision & review helps to deter & detect both errors & fraud.
7) Independent Checks on Performance: If the program code in a computer system is authorized, accurate, & complete, the system will always follow the designated procedures in the absence of some other type of failure.
8) Comparing Recorded Accountability with Assets: Data & the assets that the data purports to represent should periodically be compared to determine whether incompleteness or inaccuracies in the data exist or whether shortages/excesses in the assets have occurred.
9) Delegation of Authority & Responsibility: In a computer system, delegating authority & responsibility in an unambiguous way might be difficult because some resources are shared among multiple users.
Classification of Information Systems Controls
Classification on the basis of “Objective of Controls”:
A) Preventive Controls: Preventive Controls are those inputs which are designed to prevent an error, omission or malicious act from occurring. E.g. Use of passwords to gain access to a financial system.
i) Characteristics of preventive controls: a) Understanding the vulnerabilities of the asset. b) Understanding probable threats. c) Provision of necessary controls for probable threats.
ii) Examples of preventive controls: i) Employing qualified personnel. ii) Segregation of duties. iii) Access control. iv) Documentation. v) Training & retraining of staff. vi) Authorization of transactions. vii) Firewalls. viii) Passwords.
B) Corrective Controls: These are designed to reduce the impact of/correct an error once it has been detected.
i) Characteristics of Corrective controls: a) Minimizing the impact of the threat. b) Identifying the cause of the problem. c) Providing a remedy to the problems discovered by detective controls. d) Getting feedback from preventive & detective controls. e) Correcting errors arising from a problem. f) Modifying the processing systems to minimize future occurrences of the incidents.
ii) Examples of Corrective controls: i) Contingency planning. ii) Backup procedure. iii) Rerun procedures. iv) Investigate budget variance & report violations.
C) Detective Controls: (N16, RTP M16/17, MTP M16+N16) These controls are designed to detect errors, omissions/malicious acts that occur & report the occurrence. E.g. Use of automatic expenditure profiling where management gets regular reports of spend to date against profiled spend.
i) Characteristics of Detective controls: a) Clear understanding of lawful activities so that anything which deviates from these is reported as unlawful or malicious. b) Established mechanism to refer the reported unlawful activities to the appropriate person/group. c) Interaction with the preventive control to prevent such acts from occurring. d) Surprise checks by supervisor.
ii) Examples of Detective controls: i) Hash totals. ii) Check points in production jobs. iii) Error messages over tape labels. iv) Duplicate checking of calculations. v) Periodic performance reporting with variances. vi) The internal audit function. vii) Cash counts & bank reconciliation. viii) Monitoring expenditures against budgeted amount.
D) Compensatory Controls: Controls are basically designed to reduce the probability of threats which can exploit the vulnerabilities of an asset & cause a loss to that asset. While designing the appropriate control one thing should be kept in mind – “The cost of the lock should not be more than the cost of the assets it protects.”
Classification on the basis of “Nature of Information System Resources”:
A) Environmental Controls: Controls relating to the IT environment such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke detection, fire extinguishers, dehumidifiers etc.
i) Environmental Issues & Exposures: Environmental exposures are primarily due to elements of nature. However, with proper controls, exposures can be reduced. Other environmental issues & revelations include the following:
1) Is the power supply to the computer equipment properly controlled so as to ensure that it remains within the manufacturer’s specification?
2) Are the air conditioning, humidity & ventilation control systems protected against the effects of static electricity using a static rug or anti-static spray?
3) Is consumption of food, beverage & tobacco products prohibited, by policy, around computer equipment?
4) Are backup media protected from damage due to variation in temperatures, & are they guarded against strong magnetic fields & water damage?
5) Is the computer equipment kept free from dust, smoke & other particulate matter?
From the perspective of environmental exposures & controls, Information systems resources may be categorized as follows (with the primary focus on facilities):
1) Hardware & Media: This includes Computing Equipment, Communication equipment, & Storage Media.
2) Information Systems Supporting Infrastructure/Facilities: This typically includes Physical Premises like Computer Rooms, Cabins, Server Rooms.
3) Documentation: Physical & geographical documentation of computing facilities with emergency evacuation plans & incident planning procedures.
4) Supplies: Third party maintenance procedures viz. air-conditioning, fire safety, & civil contractors whose entry & access with respect to their assigned scope of work are to be monitored & logged.
5) People: Employees, contract employees, visitors, supervisors & third party maintenance personnel are to be made responsible & accountable for environmental controls in their respective Information Processing Facility (IPF).
ii) Controls for Environmental Exposures:
Fire Damage: It is a major threat to the physical security of a computer installation. Some of the major ways of protecting the installation against fire damage are as follows: (RTP-M17)
a) Both automatic & manual fire alarms may be placed at strategic locations.
b) Less wood & plastic should be in computer rooms.
c) Regular inspection by the Fire Department should be conducted.
d) Fire repression systems should be supplemented & not replaced by smoke detectors.
e) Use a gas based fire suppression system.
f) Manual fire extinguishers can be placed at strategic locations.
g) All staff members should know how to use the systems such as Fire Alarms, Extinguishers etc.
h) A control panel may be installed for power & the automatic fire suppression system.
Water Damage: 1) Water damage to a computer installation can be the outcome of burst water pipes. 2) Water damage may also result from other sources such as cyclones, tornadoes & floods. Controls:
a) Water Detectors: These should be placed under the raised floor, near drain holes & near any unattended equipment storage facilities.
b) Strategically Locating the Computer Room: To reduce the risk of flooding, the computer room should not be located in the basement/ground floor of a multi-storey building.
c) Other major ways of protecting the installation against water damage: i) Wherever possible have waterproof ceilings, walls & floors. ii) Ensure an adequate positive drainage system exists. iii) Install alarms at strategic points. iv) Water proofing. v) Water leakage alarms.
Power Spikes: This is caused due to a very short pulse of energy in a power line. Some of the major ways of protecting the installation against power spikes are as follows:
a) Electrical Surge Protectors: Risk of damage due to power spikes can be reduced to a great extent using Electrical Surge Protectors that are typically built into the Uninterruptible Power System (UPS).
b) Uninterruptible Power System (UPS)/Generator: In case of a power failure, the UPS provides the back up by providing electrical power from the battery to the computer for a certain span of time.
c) Power Supply Variation: Voltage regulators & circuit breakers protect the hardware from temporary increase/decrease of power.
d) Emergency Power-Off Switch: When the need arises for an immediate power shut down during situations like a computer room fire or an emergency evacuation, an emergency power-off switch at strategic locations would serve the purpose.
Pollution Damage & others: The major pollutant in a computer installation is dust. Dust caught b/w the surfaces of magnetic tape/disk & the reading & writing heads may cause either permanent damage to data or read/write errors. Other controls:
a) Documented & Tested Emergency Evacuation Plans: Relocation plans should emphasize human safety, but should not leave information processing facilities physically unsecured. Procedures should exist for a controlled shutdown of the computer in an emergency situation.
b) Power Leads from Two Substations: Electrical power lines are exposed to many environmental dangers such as water, fire, lightning, cutting due to careless digging etc. To avoid these types of events, redundant power links should feed into the facility, so that interruption of one power supply does not adversely affect the electrical supply.
c) Prohibitions against Eating, Drinking & Smoking within the Information Processing Facility: These activities should be prohibited in the information processing facility. This prohibition should be clear, e.g. a sign on the entry door.
B) Physical Access Controls: These are the controls relating to physical security of the tangible IS resources & intangible resources stored on tangible media etc. Such controls include access control doors, security guards, door alarms, restricted entry to secure areas, visitor logged access, CCTV monitoring etc.
i) Physical Access Issues & Exposures: These result from accidental/intentional violation of the access paths: Abuse of data processing resources. Blackmail. Embezzlement. Damage, vandalism or theft of equipment or documents. Public disclosure of sensitive information. Unauthorized entry.
a) Possible perpetrators: Perpetrations may be by employees who are: Accidental ignorant (someone who outrageously violates rules). Addicted to a substance or gambling. Discontented. Experiencing financial or emotional problems. Former employees. Interested or informed outsiders, such as competitors, thieves, organized crime & hackers. Notified of their termination. On strike. Threatened by disciplinary action or dismissal.
Exposures of confidential matters may come from unaware, accidental or anonymous persons, although the greatest impact may be from those with malicious intent. Other areas of concern include the following: How far are the hardware facilities controlled to reduce the risk of unauthorized access? Are the hardware facilities protected against forced entry? Are intelligent computer terminals locked or otherwise secured to prevent illegal removal of physical components like boards, chips & the computer itself? When there is a need for the removal of computer equipment from its normal secure surroundings, are authorized equipment passes required for the removal?
Facilities that need to be protected from the auditor’s perspective are: i) Communication channels ii) Off-site backup file storage facility iii) Computer room iv) Portable equipment v) Telephone lines vi) Power sources vii) Local area networks viii) Programming area ix) Micro-computers x) Storage rooms & supplies xi) Minicomputer establishments xii) Telecommunications equipment.
ii) Controls for Physical Access Exposures: Physical access controls are designed to protect the organization from unauthorized access. Some of the common access control techniques are categorized as follows:
a) Locks on Doors:
i) Cipher locks (Combination Door Locks): To enter, a person presses a 4 digit no. & the door will unlock for a predetermined period.
ii) Bolting Door Locks: A special metal key is used to gain entry when the lock is a bolting door lock.
iii) Electronic Door Locks: A magnetic/embedded chip-based plastic card key may be entered into a reader to gain access in these systems.
Advantages of electronic door locks over bolting & combination locks:
i) Through the special internal code, cards can be made to identify the correct individual.
ii) Individuals’ access needs can be restricted through the special internal code & sensor devices. Restrictions can be assigned to particular doors/to hours of the day.
iii) Degree of duplication is reduced.
iv) Card entry can be easily deactivated in the event an employee is terminated/a card is lost/stolen. If unauthorized entry is attempted, alarms can be automatically activated.
v) An administrative process, which deals with issuing, accounting for & retrieving the card keys, is also part of security.
iv) Biometric Door Locks: These locks are extremely secure; an individual’s unique body features, such as voice, retina or fingerprint, are used for identification.
b) Physical Identification Medium:
i) Personal Identification Numbers (PIN): A secret no. is assigned to the individual. The visitor is asked to log on by inserting a card in the device & then entering their PIN for authentication.
ii) Plastic Cards: These cards are used for identification purposes. Customers should safeguard their card so that it does not fall into unauthorized hands.
iii) Identification Badges: Special identification badges can be issued to personnel as well as visitors. For easy identification purposes, the colour of the badge can be changed.
c) Logging on Facilities:
i) Manual Logging: All visitors should be prompted to sign a visitor’s log indicating their name, purpose of visit, & person to see.
ii) Electronic Logging: This feature is a combination of electronic & biometric security systems. The users logging in can be monitored & the unsuccessful attempts highlighted.
d) Other means of Controlling Physical Access:
i) Video Cameras: Cameras should be placed at specific locations & monitored by security guards. Video surveillance recordings must be retained for possible future playback.
ii) Security Guards: Extra security can be provided by appointing guards aided with CCTV feeds.
iii) Controlled Visitor Access: A responsible employee should escort all visitors. Visitors may be friends, maintenance personnel, computer vendors.
iv) Bonded Personnel: All service contract personnel, such as cleaning people & off-site storage services, should be asked to sign a bond.
v) Dead Man Doors: The first entry door must close & lock for the second door to operate, with only one person permitted in the holding area.
vi) Non-exposure of Sensitive Facilities: There should be no explicit indication such as presence of windows or directional signs hinting at the presence of facilities such as computer rooms.
vii) Computer Terminal Locks: These locks ensure that the device attached to the desk is not turned on or disengaged by unauthorized persons.
viii) Controlled Single Entry Point: All incoming personnel can use a controlled single entry point. A controlled entry point is monitored by a receptionist.
ix) Alarm System: Illegal entry can be avoided by linking the alarm system to inactive entry points & the reverse flows of enter/exit only doors.
x) Perimeter Fencing: Fencing at the boundary of the facility may also enhance the security mechanism.
xi) Control of Out-of-hours Employees: Employees who are out of the office for a longer duration during office hours should be monitored carefully.
xii) Secured Report/Document Distribution Cart: Secured carts, such as mail carts, must be covered & locked & should always be attended.
C) Logical Access Controls: These are the controls relating to logical access to information resources such as operating system controls, application software boundary controls, networking controls, access to database objects, encryption controls etc. Assessing logical access controls involves evaluating the following critical procedures:
a) Logical access controls restrict users to authorized transactions & functions.
b) There are logical controls over network access.
c) There are controls implemented to protect the integrity of the application.
i) Logical Access Paths:
a) Online Terminals: To access an online terminal, a user has to provide a valid login-ID & password. Operator Console: It is one of the crucial places where any intruder can play havoc. Hence, access to the operator console must be restricted. This can be done by: a) keeping the operator console at a place which is visible to all, or b) keeping the operator console in a protected room accessible to selected personnel.
b) Dial-up Ports: Using a dial-up port, a user at one location can connect remotely to another computer present at an unknown location via a telecommunication medium.
c) Telecommunication Network: In a telecommunication network, a number of computer terminals, Personal Computers etc. are linked to the host computer through network or telecommunication lines.
ii) Logical Access Issues & Exposures: (Not IMP – Please ignore) Controls that reduce the risk of misuse, theft, alteration/destruction should be used to protect against unauthorized & unnecessary access to computer files. Access control mechanisms (ACM) should be applied not only to computer operators but also to end users, programmers, security administrators or any other authorized user/s. Access control mechanisms should provide security to the following: Access control software; Application software; Data; Data dictionary/directory; Dial-up lines; Libraries; Logging files; Procedure libraries; System software; Telecommunication lines; & Utilities.
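The logical access path above (a valid login-ID & password at an online terminal, then restriction of the user to authorized transactions & functions) is the three-step access control mechanism, identification, authentication & authorization, that the boundary controls section of these notes names. The following is an added illustration written for these notes, not code from the study material or from any product; the user store, roles & function names are constructed for the example, & PBKDF2 with a per-user salt is one common way of storing the password, chosen here as an assumption.

```python
"""Added illustration of an access control mechanism (ACM) with the three steps
identification, authentication and authorization. User store, roles and
function names are constructed for this example."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed role -> permitted transactions/functions table (assumption, not from the notes)
ROLE_PERMISSIONS = {
    "operator": {"view_console", "run_job"},
    "clerk": {"enter_transaction", "view_ledger"},
    "auditor": {"view_ledger", "view_audit_log"},
}

# Constructed user store: login-ID -> salt, password hash and role
USERS: Dict[str, dict] = {}
_DUMMY_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored value is useless to anyone who reads the table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_user(login_id: str, password: str, role: str) -> None:
    salt = os.urandom(16)  # fresh salt per user: equal passwords give different hashes
    USERS[login_id] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def identify(login_id: str) -> Optional[dict]:
    """Step 1, identification: is the claimed login-ID known to the system?"""
    return USERS.get(login_id)


def authenticate(login_id: str, password: str) -> bool:
    """Step 2, authentication: prove the claimed identity with the password."""
    record = identify(login_id)
    if record is None:
        # Do the same amount of work for unknown IDs so response time does not reveal
        # which login-IDs exist.
        _hash_password(password, _DUMMY_SALT)
        return False
    # compare_digest is constant-time, so a partly-correct hash is not detectable by timing
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def authorize(login_id: str, function: str) -> bool:
    """Step 3, authorization: is this user allowed the requested transaction/function?"""
    record = identify(login_id)
    return record is not None and function in ROLE_PERMISSIONS.get(record["role"], set())


def request_function(login_id: str, password: str, function: str) -> str:
    """Run the three steps in order; the returned string is what the access log records."""
    if not authenticate(login_id, password):
        # One message for "no such user" and "wrong password": the boundary control
        # should not tell an intruder which half of the credential was wrong.
        return "denied: invalid credentials"
    if not authorize(login_id, function):
        return f"denied: {login_id} not authorized for {function}"
    return f"granted: {login_id} -> {function}"


# Constructed sample users
register_user("clerk01", "correct horse battery staple", "clerk")
register_user("op01", "console-pass-42", "operator")

if __name__ == "__main__":
    for attempt in [("clerk01", "correct horse battery staple", "enter_transaction"),
                    ("clerk01", "correct horse battery staple", "view_console"),
                    ("clerk01", "wrong", "enter_transaction"),
                    ("ghost", "x", "view_ledger")]:
        print(request_function(*attempt))
```

The point of separating the three functions is that a passing password check (step 2) never by itself grants a function: step 3 consults the permission table, which is how the control "restricts users to authorized transactions & functions" as required by procedure a) above.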
iii) Issues & Revelations related to Logical Access:
a) Technical Exposures: These include unauthorized implementation/modification of data & software. Technical exposures include the following:
i) Data Diddling: Data diddling involves changing data before or after it is entered into the system. Limited technical knowledge is required to data diddle.
ii) Bomb: (May 2017-4M) A bomb is a piece of bad code deliberately planted by an insider. The bomb explodes when the conditions for explosion are fulfilled.
iii) Trojan Horse: (PM, May 2018) These are malicious programs that are hidden under an authorized program. A Trojan horse is illicit code contained in a legitimate program. A Trojan may: a) change/steal the password, or b) modify records in protected files, or c) allow illicit users to use the system. Trojans cannot copy themselves to other systems.
iv) Worm: (PM) A worm program copies itself to another machine on the network. Worms are stand-alone programs & they can be detected easily. E.g. Existential Worm, Alarm Clock Worm etc. The Existential worm does not cause damage to the system, but only copies itself to several places in a computer network. The Alarm Clock worm places wake-up calls on a list of users.
v) Rounding Down: Refers to rounding off small fractions of a denomination & transferring these small fractions into an unauthorized account.
vi) Salami Techniques: This involves slicing small amounts of money from a computerized transaction/account. E.g. Rs.21,23,456.95 is being written as Rs.21,23,456.
vii) Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts, that permit a review of data.
b) Computer Crime Exposures: (PM, Nov 15, MTP2 N16) Computer systems are used to steal money, goods, software/corporate information.
Financial Loss: Direct, like loss of electronic funds, or indirect, like expenditure towards repair of damaged electronic components.
Legal Repercussions: An organization has to adhere to many laws. Organizations will be exposed to lawsuits from investors & insurers if they have no proper security measures.
Loss of Credibility/Competitive Edge: For maintaining competitive edge, firms need credibility & public trust. This credibility will be shattered, resulting in loss of business & prestige.
Blackmail/Industrial Espionage: By knowing the confidential information, the perpetrator can obtain money from the organization by threatening & exploiting the security violation.
Disclosure of Confidential, Sensitive or Embarrassing Information: These events can spoil the reputation of the organization.
Sabotage: People who may not be interested in financial gain but who want to spoil the credibility of the company. They do it because of their dislike towards the organization.
c) Asynchronous Attacks: (PM, RTP N14/16, MTP2 M16+M17) Data that is waiting to be transmitted is liable to unauthorized access, called an asynchronous attack. Forms of asynchronous attacks:
Data Leakage: It involves dumping files to paper/stealing computer reports & tapes.
Wire-tapping: This involves spying on information being transmitted over a telecommunication network.
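Rounding down & salami techniques both work on fractions too small for the batch total to show; the detective control that exposes them is an independent recomputation of each posting. The following is an added illustration written for these notes, not code from the study material or any banking system; the accounts, balances, rate, number of days & posted amounts are constructed so that the batch total balances to the paisa while three accounts are each short by 0.01 & one account has received the 0.03 residue.

```python
"""Added illustration of a detective control against rounding-down / salami manipulation
of interest postings. Account numbers, balances, rates and posted amounts are constructed."""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

PAISA = Decimal("0.01")


def expected_interest(balance, annual_rate, days: int) -> Decimal:
    """Recompute one account's interest at full precision and round it the way the
    business rule says (half up). Done independently of the posting program so that the
    check does not inherit that program's rounding."""
    exact = Decimal(str(balance)) * Decimal(str(annual_rate)) * days / Decimal(365)
    return exact.quantize(PAISA, rounding=ROUND_HALF_UP)


def reconcile_postings(accounts: Dict[str, Tuple[str, str, int]],
                       posted: Dict[str, str]) -> dict:
    """Compare posted interest with recomputed interest account by account.
    A salami scheme shaves a fraction of a paisa from many accounts and parks the residue
    in one account, so the batch total still agrees while the per-account figures do not:
    many tiny shortfalls plus one account credited with more than it earned."""
    short: List[Tuple[str, Decimal]] = []
    over: List[Tuple[str, Decimal]] = []
    total_expected = Decimal("0")
    total_posted = Decimal("0")
    for acct, (balance, rate, days) in accounts.items():
        exp = expected_interest(balance, rate, days)
        got = Decimal(str(posted.get(acct, "0")))
        total_expected += exp
        total_posted += got
        diff = got - exp
        if diff < 0:
            short.append((acct, diff))
        elif diff > 0:
            over.append((acct, diff))
    # Postings to accounts that are not in the master file at all are a separate red flag
    unknown = sorted(set(posted) - set(accounts))
    return {
        "batch_total_matches": total_expected == total_posted,
        "total_expected": total_expected,
        "total_posted": total_posted,
        "short": short,
        "over": over,
        "unknown_accounts": unknown,
        "suspicious": bool(short or over or unknown),
    }


# Constructed master file: account -> (balance, annual rate, days of interest)
ACCOUNTS = {
    "ACC-0001": ("10000.00", "0.04", 30),
    "ACC-0002": ("2550.00", "0.04", 30),
    "ACC-0003": ("7325.50", "0.04", 30),
    "ACC-0004": ("99999.99", "0.04", 30),
    "ACC-0005": ("1234.56", "0.04", 30),
    "ACC-0999": ("500.00", "0.04", 30),
}

# Constructed posting file in which every account was rounded down and the shaved
# fractions (0.03 in total) were credited to ACC-0999. The batch total still balances.
POSTED = {
    "ACC-0001": "32.87", "ACC-0002": "8.38", "ACC-0003": "24.08",
    "ACC-0004": "328.76", "ACC-0005": "4.05", "ACC-0999": "1.67",
}

if __name__ == "__main__":
    result = reconcile_postings(ACCOUNTS, POSTED)
    print("batch totals agree:", result["batch_total_matches"])
    print("accounts short:", result["short"])
    print("accounts over:", result["over"])
```

Note that a control total alone passes here (399.81 expected, 399.81 posted), which is why the recomputation has to be per account & why the recomputation must use its own rounding rule rather than the output of the program under review.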
Piggybacking: This is the act of following an authorized person through a secured door/electronically attaching to an authorized telecommunication link. This involves intercepting communication between the OS & the user.
Shutting Down of the Computer/Denial of Service: This is initiated through terminals or microcomputers that are directly or indirectly connected to the computer.
d) Ways to control remote & distributed data processing applications:
i) Remote access to computer & data files through the network should be implemented.
ii) Having a terminal lock can assure physical security to some extent.
iii) Remote applications should be controlled appropriately.
iv) Computer operations at remote locations should be monitored carefully for violations.
v) Proper control mechanisms over system documentation & manuals.
vi) Data transmission to remote locations should be controlled.
vii) Ensure that duplicate data does not exist.
Logical Access Violators: (MTP May 2017)
Hackers: Hackers try their best to overcome restrictions to prove their ability.
Employees: (authorized or unauthorized).
IS Personnel: They have the easiest access to computerized information.
Former Employees: Organizations should be cautious of former employees who have left the organization on unfavourable terms.
End Users; Interested/Educated Outsiders; Competitors; Organized Criminals; Crackers; Part-time & Temporary Personnel.
iv) Logical Access Control across the System: The purpose of logical access controls is to restrict access to information assets/resources. It should be just sufficient for one to perform one’s duty without any problem/restraint. Data, an information asset, can be: Used by an application (Data in Process); Stored in some medium (Back up) (Data at Rest); Or in transit (being transferred from one location to another).
Logical access controls: Table 3.6.2 (Page 30) Pending: Please refer extra sheet after reading all the ISCA Chapters.
Classification on the basis of “Audit Functions”:
A) Managerial Controls: Managerial controls are those that must be performed to ensure the development, implementation, operation & maintenance of IS in a planned & controlled manner in an organization.
Types of Management Subsystem & their description: (MTP2-N15)
Management Subsystem: Description of Subsystem
Top Management: It is responsible primarily for long-run policy decisions on how Information Systems will be used in the org.
Information Systems Mgt.: It has overall responsibility for the planning & control of all IS activities.
Systems Development Mgt.: It is responsible for the design, implementation, & maintenance of application systems.
Programming Mgt.: It is responsible for programming new systems, maintaining old systems & providing general systems support software.
Data Administration: It is responsible for addressing planning & control issues in relation to use of an organization’s data.
Quality Assurance Mgt.: It is responsible for ensuring information systems development, implementation, operation, & maintenance conform to established quality standards.
Security Administration: It is responsible for access controls & physical security over the IS function.
Operations Management: It is responsible for planning & control of the day-to-day operations of IS.
B) Application Controls: The objective of application controls is to ensure that data remains complete, accurate & valid during its input, update & storage.
Types of Application Subsystem & their description:
  Boundary: Comprises the components that establish the interface b/w user & system.
  Input: Comprises the components that capture, prepare, & enter commands & data into the system.
  Communication: Comprises the components that transmit data among subsystems & systems.
  Processing: Comprises the components that perform decision making, computation, classification, ordering, & summarization of data in the system.
  Database: Comprises the components that define, add, access, modify, & delete data in the system.
  Output: Comprises the components that retrieve & present data to users of the system.
Managerial Controls & their Categories: Please refer to the extra sheet after reading all the ISCA chapters.
Application Controls & their Categories
1) Boundary Controls: (PM, M15/17, RTP N14)
The major controls of the boundary subsystem are access control mechanisms (ACM). An ACM has 3 steps: identification, authentication & authorization.
Major Boundary Control techniques:
  i) Cryptography: It deals with programs for transforming data into cipher text that is meaningless to anyone who does not possess the authentication to access the respective system resources.
  ii) Passwords: User identification by an authentication mechanism with personal characteristics like name, birth date, employee code, function, or a combination of two or more of these can be used as a password boundary access control.
  iii) Personal Identification Numbers (PIN): A PIN is similar to a password; it is assigned to a user by an institution as a random number stored in its database, independent of the user's identification details.
  iv) Identification Cards: Identification cards are used to store information required in an authentication process.
  v) Biometric Devices: Biometric identification, e.g. thumb and/or finger impression, eye retina etc.
2) Input Controls: Input controls are responsible for ensuring the accuracy & completeness of data & instructions input into an application system. Input controls are divided into the following broad classes: a) Source Document Control, b) Data Coding Controls, c) Batch Controls, d) Validation Controls.
a) Source Document Controls:
  ► In systems that use physical source documents to initiate transactions, careful control must be exercised over these instruments.
  ► To control against this type of exposure, the org. must implement control procedures over source documents to account for each document, as described below:
  i) Use pre-numbered source documents: Source documents should come pre-numbered from the printer with a unique sequential number on each document.
  ii) Use source documents in sequence: Source documents should be distributed to the users & used in sequence.
  iii) Periodically audit source documents: Missing source documents should be identified by reconciling document sequence numbers.
b) Data Coding Controls: 2 types of errors can corrupt a data code & cause processing errors.
  1) Transcription Errors: These fall into 3 classes:
    i) Addition errors occur when an extra digit/character is added to the code. E.g. Inventory item number 83276 is recorded as 832766.
    ii) Truncation errors occur when a digit/character is removed from the end of a code. E.g. Inventory item number 83276 is recorded as 8327.
    iii) Substitution errors are the replacement of one digit in a code with another. E.g. Inventory item number 83276 is recorded as 83266.
  2) Transposition Errors: There are 2 types of transposition errors.
    i) Single transposition errors occur when 2 adjacent digits are reversed. E.g. 12345 is recorded as 21345.
    ii) Multiple transposition errors occur when nonadjacent digits are transposed. E.g. 12345 is recorded as 32154.
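The five error classes above, and the check digit that the notes list later among the validation controls, can be seen working together in one small routine: it names the error class that turns an original code into the recorded one, attaches a check digit to the original, and shows whether a validation routine would reject the corrupted code. This is an added example, not code from the compiled notes; the modulus-11 weighting (weights 2, 3, 4, ... applied from the rightmost digit) is an assumed choice of scheme, and the item numbers are the ones used on the page.

```python
"""Data coding errors and a check-digit validation control (added example)."""


def mod11_check_digit(code: str) -> str:
    """Compute a modulus-11 check digit for an all-digit code.

    Assumed scheme: weights 2, 3, 4, ... applied from the rightmost digit; the
    check digit (counted with weight 1) makes the weighted sum a multiple of 11.
    A result of 10 is written as "X".
    """
    total = sum(int(d) * w for w, d in enumerate(reversed(code), start=2))
    cd = (11 - total % 11) % 11
    return "X" if cd == 10 else str(cd)


def append_check_digit(code: str) -> str:
    """Attach the check digit as a suffix (the notes say a prefix works as well)."""
    return code + mod11_check_digit(code)


def is_valid(coded: str, payload_len: int) -> bool:
    """Validation routine: length check first, then the modulus-11 test.

    The length check catches addition and truncation errors.  The weighted-sum
    test catches every single substitution and every single transposition,
    because 11 is prime and any two weights differ by less than 11.  Multiple
    transpositions are caught often but not guaranteed.
    """
    if len(coded) != payload_len + 1 or not coded[:-1].isdigit():
        return False
    last = coded[-1]
    if last == "X":
        cd = 10
    elif last.isdigit():
        cd = int(last)
    else:
        return False
    total = cd + sum(int(d) * w for w, d in enumerate(reversed(coded[:-1]), start=2))
    return total % 11 == 0


def classify_error(original: str, recorded: str) -> str:
    """Name the data coding error class (as on the page) that turns original into recorded."""
    if original == recorded:
        return "none"
    if len(recorded) == len(original) + 1 and any(
        recorded[:i] + recorded[i + 1:] == original for i in range(len(recorded))
    ):
        return "addition"
    if len(recorded) == len(original) - 1 and original.startswith(recorded):
        return "truncation"
    if len(recorded) != len(original):
        return "other"
    differing = [i for i, (a, b) in enumerate(zip(original, recorded)) if a != b]
    if len(differing) == 1:
        return "substitution"
    if sorted(original) == sorted(recorded):
        if len(differing) == 2 and differing[1] == differing[0] + 1:
            return "single transposition"
        return "multiple transposition"
    return "other"


# Constructed cases using the page's own inventory item numbers.
CASES = [
    ("83276", "832766"),  # addition
    ("83276", "8327"),    # truncation
    ("83276", "83266"),   # substitution
    ("12345", "21345"),   # single transposition
    ("12345", "32154"),   # multiple transposition
]


def detection_report(payload_len: int = 5) -> list:
    """For each case: the error class, and whether the validator rejects the
    recorded code once the original's check digit travels with it."""
    report = []
    for original, recorded in CASES:
        cd = mod11_check_digit(original)
        report.append((classify_error(original, recorded), not is_valid(recorded + cd, payload_len)))
    return report


if __name__ == "__main__":
    for row in detection_report():
        print(row)
```

Running it shows all five sample errors rejected; the point worth noting is that the two length-changing classes are caught by a plain length check, so the check digit's real contribution is the substitution and transposition cases, where the code length is unchanged.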
c) Batch Controls: Batching is the process of grouping together transactions that bear some type of relationship to each other. Various controls can be exercised over the batch to prevent/detect errors/irregularities. 2 types of batches occur: (RTP-N16)
  i) Physical Controls: These are groups of transactions that constitute a physical unit. E.g. Source documents might be obtained via the email, assembled into batches, spiked & tied together, & then given to a data-entry clerk to be entered into an application system at a terminal.
  ii) Logical Controls: These are groups of transactions bound together on some logical basis, rather than being physically contiguous. E.g. different clerks might use the same terminal to enter transactions into an application system.
d) Validation Controls: Input validation controls are intended to detect errors in the transaction data before the data are processed. There are 3 levels of input validation controls:
  i) Field Interrogation: It involves programmed procedures that examine the characters of the data in the field.
    a) Limit Check: It may be applied to both the input & output data. The field is checked by the program against predefined limits.
    b) Picture Checks: These check against entry into processing of incorrect/invalid characters.
    c) Valid Code Checks: Checks are made against predetermined transaction codes, tables/order data to ensure that input data are valid.
    d) Check Digit: One method for detecting data coding errors is a check digit. The check digit can be located anywhere in the code, as a prefix or a suffix.
    e) Arithmetic Checks: Arithmetic is performed in different ways to validate the result of other computations of the values of selected data fields.
    f) Cross Checks: These may be employed to verify fields appearing in different files to see that the results tally.
  ii) Record Interrogation:
    a) Reasonableness Check: Whether the value specified in a field is reasonable for that particular field.
    b) Valid Sign: The contents of one field may determine which sign is valid for a numeric field.
    c) Sequence Check: Whether physical records follow a required order matching the logical records.
  iii) File Interrogation: (N16 – 6 Marks)
    a) Version Usage: The proper version of a file should be used for processing the data correctly. In this regard it should be ensured that only the most current file is processed.
    b) Internal & External Labeling: Labeling of storage media is important to ensure that the proper files are loaded for processing. Where there is a manual process for loading files, external labeling is more important. Where there is an automated tape loader system, internal labeling is more important.
    c) Data File Security: Unauthorized access to data files should be prevented, to ensure their confidentiality, integrity & availability.
    d) Before & After Image & Logging: The application may provide for reporting of before & after images of transactions.
    e) File Updating & Maintenance Authorization: Sufficient controls should exist for file updating & maintenance to ensure that stored data are protected.
    f) Parity Check: When programs/data are transmitted, additional controls are needed.
3) Communication Controls: 3 major types of exposure arise in the communication subsystem:
  i) Transmission impairments can cause a difference b/w the data sent & the data received.
  ii) Data can be lost/corrupted through component failure.
  iii) A hostile party could seek to subvert data that is transmitted through the subsystem.
a) Physical Component Controls: These controls incorporate features that mitigate the possible effects of exposures.
Physical Components affecting reliability of the Communication subsystem:
  Transmission Media: It is a physical path along which a signal can be transmitted b/w sender & receiver. It is of two types: Guided/Bound Media, in which the signals are transported along an enclosed physical path like twisted pair, coaxial cable, & optical fiber; and Unguided Media, in which signals propagate via free-space emission like satellite microwave, radio frequency & infrared.
  Communication Lines: Reliability of data transmission can be improved by choosing a private communication line rather than a public communication line.
  Modem: Increases the speed; reduces the number of line errors that arise through distortion if it uses a process called equalization; reduces the number of line errors that arise through noise.
  Port Protection Devices: These devices perform various security functions to authenticate users.
  Multiplexers & Concentrators: These allow the bandwidth/capacity of a communication line to be used more effectively.
b) Line Error Control: Whenever data is transmitted over a communication line, recall that it can be received in error because of attenuation & distortion that occur on the line. These errors must be detected & corrected.
  i) Error Detection: The errors can be detected by either using a loop check or building some form of redundancy into the message transmitted.
  ii) Error Correction: When line errors have been detected, they must then be corrected using either forward error correcting codes or backward error correcting codes.
c) Flow Controls: Flow controls are needed because 2 nodes in a network can differ in terms of the rate at which they can send, receive, & process data.
d) Link Controls: In WANs, line error control & flow control are important functions in the component that manages the link b/w 2 nodes in a network.
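As an added illustration of line error control (not code from the compiled notes), the block below builds the kind of redundancy the text refers to, using two-dimensional parity over a short frame: one even-parity bit per byte (row) plus one parity byte over the bit columns. A single flipped bit is detected and corrected in place at the receiver (the forward error correction case); any mismatch pattern the scheme cannot localise is reported back for retransmission (the backward error correction case). The frame contents and the fault injection are constructed for the example.

```python
"""Line error control with two-dimensional (row/column) parity (added example)."""
import copy


def even_parity(value: int) -> int:
    """Parity bit that makes the total number of 1 bits even (0 if already even)."""
    return bin(value).count("1") & 1


def encode(data: bytes) -> dict:
    """Add redundancy: one even-parity bit per byte (row parity) and one parity
    byte whose bit j is the parity of column j across all data bytes."""
    col_parity = 0
    for b in data:
        col_parity ^= b
    return {
        "rows": list(data),
        "row_parity": [even_parity(b) for b in data],
        "col_parity": col_parity,
    }


def inject_fault(frame: dict, row: int, bit: int) -> dict:
    """Constructed channel fault: flip one data bit in a copy of the frame."""
    faulty = copy.deepcopy(frame)
    faulty["rows"][row] ^= 1 << bit
    return faulty


def decode(frame: dict) -> tuple:
    """Receiver side. Returns (status, data):
       ("ok", data)         no parity mismatch;
       ("corrected", data)  exactly one bad row and one bad column: the single-bit
                            error sits at their intersection and is flipped back;
       ("retransmit", None) any other pattern (two errors in one row, an error in
                            a parity bit, ...) cannot be localised, so the receiver
                            asks the sender to resend (backward error correction)."""
    rows = frame["rows"]
    bad_rows = [i for i, b in enumerate(rows) if even_parity(b) != frame["row_parity"][i]]
    observed_cols = 0
    for b in rows:
        observed_cols ^= b
    syndrome = observed_cols ^ frame["col_parity"]
    bad_cols = [j for j in range(8) if (syndrome >> j) & 1]
    if not bad_rows and not bad_cols:
        return "ok", bytes(rows)
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        repaired = list(rows)
        repaired[bad_rows[0]] ^= 1 << bad_cols[0]
        return "corrected", bytes(repaired)
    return "retransmit", None


if __name__ == "__main__":
    frame = encode(b"AUDIT")
    print(decode(frame))                                      # clean channel
    print(decode(inject_fault(frame, 2, 4)))                  # one bit flipped
    print(decode(inject_fault(inject_fault(frame, 1, 0), 3, 5)))  # two bits flipped
```

The design choice worth noticing is the conservative default: the receiver corrects only when the syndrome pins the error to one cell, and otherwise falls back to retransmission rather than guessing.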
e) Topological Controls: A communication network topology specifies the location of nodes within a network, the ways in which these nodes will be linked, & the data transmission capabilities of the links b/w the nodes.
  i) Local Area Network Topologies: Local Area Networks tend to have 3 characteristics:
    1) They are privately owned networks.
    2) They provide high-speed communication among nodes.
    3) They are confined to limited geographic areas.
  They are implemented using four basic types of topologies: 1) Bus topology, 2) Tree topology, 3) Ring topology, 4) Star topology.
  ii) Wide Area Network Topologies: Wide Area Networks have the following characteristics:
    1) They often encompass components that are owned by other parties.
    2) They provide relatively low-speed communication among nodes.
    3) They span large geographic areas.
f) Channel Access Controls: 2 different nodes in a network can compete to use a communication channel. Whenever the possibility of contention for the channel exists, some type of channel access control technique must be used. These techniques fall into two classes: Polling methods & Contention methods.
  1) Polling: Polling techniques establish an order in which a node can gain access to channel capacity.
  2) Contention Methods: Using contention methods, nodes in a network must compete with each other to gain access to a channel.
g) Internetworking Controls: (PM, MTP N15) Internetworking is the process of connecting two or more communication networks together to allow the users to communicate with each other.
The following 3 types of devices are used to connect sub-networks in an internet:
  Bridge: A bridge connects similar local area networks.
  Router: A router performs all functions of a bridge. In addition, it can connect heterogeneous Local Area Networks & direct network traffic over the fastest channel b/w two nodes that reside in different sub-networks.
  Gateway: Its primary function is to perform protocol conversion to allow different types of communication architectures to communicate with one another.
(i.e. Discuss any 3 interlinking devices – PM, MTP2-N15)
4) Processing Controls: The processing subsystem is responsible for computing, sorting, classifying, & summarizing data.
  i) Processor Controls: The processor has 3 components:
    a) A Control unit, which fetches programs from memory & determines their type.
    b) An Arithmetic & Logical Unit, which performs operations.
    c) Registers that are used to store temporary results & control information.
  Four types of controls that can be used to reduce expected losses from errors & irregularities associated with central processors are:
    Error Detection & Correction: Occasionally, processors might malfunction. The causes could be design errors, manufacturing defects, damage, fatigue, electromagnetic interference, & ionizing radiation.
    Multiple Execution States: It is important to determine the number & nature of the execution states enforced by the processor. This helps auditors determine which user processes will be able to carry out unauthorized activities, such as gaining access to sensitive data maintained in memory regions assigned to the operating system.
    Timing Controls: An operating system might get stuck in an infinite loop. In the absence of any control, the program will retain use of the processor & prevent other programs from undertaking their work.
    Component Replication: In some cases, processor failure can result in significant losses. Redundant processors allow errors to be detected & corrected.
  ii) Real Memory Controls: This comprises the fixed amount of primary storage in which programs/data must reside for them to be executed/referenced by the central processor. Real memory controls seek to detect & correct errors that occur in memory cells & to protect areas of memory assigned to a program from illegal access by another program.
  iii) Virtual Memory Controls: Virtual Memory exists when the addressable storage space is larger than the available real memory space.
    a) Access Control Mechanisms: An ACM associates identified, authorized users with the resources they are allowed to access. The mechanism processes the user's request for Real Memory & Virtual Memory resources in 3 steps:
      1) Identification: Users have to identify themselves.
      2) Authentication: Users must authenticate themselves & the mechanism must authenticate itself.
      3) Authorization: Users request specific resources, stating their need for those resources & their areas of usage of these resources.
    There are 2 approaches to implementing the authorization module:
      a) Ticket-oriented approach: The ACM assigns users a ticket for each resource they are permitted to access. The ticket-oriented approach operates via a row in the matrix.
      b) List-oriented approach: The mechanism associates with each resource a list of users who can access the resource & the action privileges that each user has with respect to the resource. The list-oriented approach operates via a column in the matrix.
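The three steps of the access control mechanism (identification, authentication, authorization, also named under the boundary controls earlier) and the two ways of organising the authorization matrix (a row per user for the ticket-oriented approach, a column per resource for the list-oriented approach) can all be seen in one small program. This is an added example, not code from the compiled notes: the users, resources and privileges in the matrix are constructed, and salted PBKDF2 password hashing is an assumed implementation of the authentication step.

```python
"""Access control mechanism: identification, authentication, authorization (added example)."""
import hashlib
import hmac
import os

# Constructed authorization matrix: subject -> resource -> permitted actions.
# Each row is one user's ticket (capability list); each column is one resource's ACL.
MATRIX = {
    "ananya":  {"payroll.db": {"read", "update"}, "ledger.db": {"read"}},
    "ravi":    {"ledger.db": {"read", "update", "delete"}},
    "auditor": {"payroll.db": {"read"}, "ledger.db": {"read"}},
}
RESOURCES = sorted({r for row in MATRIX.values() for r in row})
ACTIONS = ("read", "update", "delete")


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed scheme: PBKDF2-HMAC-SHA256; only the derived hash is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol(password: str) -> tuple:
    """Store a random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed credentials; the plaintexts exist here only to build the store.
CREDENTIALS = {user: enrol(pw) for user, pw in
               [("ananya", "correct horse"), ("ravi", "battery staple"), ("auditor", "review2024")]}


def authenticate(user: str, password: str) -> bool:
    """Step 2: prove the claimed identity, comparing hashes in constant time."""
    if user not in CREDENTIALS:
        return False
    salt, stored = CREDENTIALS[user]
    return hmac.compare_digest(_hash(password, salt), stored)


def ticket_for(user: str) -> dict:
    """Ticket-oriented view: the user's row of the matrix."""
    return {r: set(a) for r, a in MATRIX.get(user, {}).items()}


def acl_for(resource: str) -> dict:
    """List-oriented view: the resource's column of the matrix."""
    return {u: set(row[resource]) for u, row in MATRIX.items() if resource in row}


def authorize_by_ticket(user: str, resource: str, action: str) -> bool:
    return action in ticket_for(user).get(resource, set())


def authorize_by_list(user: str, resource: str, action: str) -> bool:
    return action in acl_for(resource).get(user, set())


def request_access(user: str, password: str, resource: str, action: str) -> str:
    """Run the three steps in order; deny by default at every step."""
    if user not in CREDENTIALS:                          # step 1: identification
        return "unknown user"
    if not authenticate(user, password):                 # step 2: authentication
        return "authentication failed"
    if not authorize_by_list(user, resource, action):    # step 3: authorization
        return "denied"
    return "granted"


def views_agree() -> bool:
    """Both views are the same matrix, so every cell must answer alike."""
    return all(authorize_by_ticket(u, r, a) == authorize_by_list(u, r, a)
               for u in MATRIX for r in RESOURCES for a in ACTIONS)


if __name__ == "__main__":
    print(request_access("ananya", "correct horse", "payroll.db", "update"))
    print(request_access("ananya", "correct horse", "ledger.db", "update"))
    print(request_access("ravi", "wrong password", "ledger.db", "read"))
```

The two authorization functions give identical answers because they read the same matrix; what differs in practice is which operations are cheap: revoking one user's access everywhere is a row edit (ticket view), while listing who can reach one resource is a column read (list view), which is why an auditor reviewing access tends to ask for the list-oriented view.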
  iv) Data Processing Controls: These perform validation checks to identify errors during processing of data. They are required to ensure both the completeness & the accuracy of data being processed. Various processing controls are given as follows:
    Run-to-run Totals: These help in verifying data that is subject to processing through different stages. If the current balance of an invoice ledger is Rs.1,50,000 & the additional invoices for the period total Rs.20,000, then the total sales value should be Rs.1,70,000. A specific record, probably the last record, can be used to maintain the control total.
    Reasonableness Verification: Two or more fields can be compared & cross-verified to ensure their correctness.
    Edit Checks: Edit checks similar to the data validation controls can also be used at the processing stage to verify the accuracy & completeness of data.
    Field Initialization: Data overflow can occur if records are constantly added to a table or if fields are added to a record without initializing it, i.e. setting all values to zero/blank before inserting the field/record.
    Exception Reports: Exception reports are generated to identify errors in the data processed.
5) Database Controls: The controls that protect the integrity of a database when application software acts as an interface b/w the user & the database are called update controls & report controls.
A) Major update controls: (MT: SE PM)
  i) Sequence Check b/w Transaction & Master Files: Synchronization of processing b/w the master file & the transaction file is critical to maintain the integrity of updating, insertion/deletion of records in the master file.
  ii) Ensure All Records on Files are processed: While processing, transaction file records are mapped to the respective master file records, & the end-of-file of the transaction file with respect to the end-of-file of the master file is to be ensured.
  iii) Process multiple transactions for a single record in the correct order: Multiple transactions can occur based on a single master record. E.g.
dispatch of a product to different distribution centers.
  iv) Maintain a suspense account: When mapping b/w a master record & a transaction record results in a mismatch due to failure in the corresponding record entry in the master record, then these transactions are maintained in a suspense account.
B) Major Report controls:
  i) Standing Data: Application programs use many internal tables to perform various functions like gross pay calculation, billing calculation based on a price table, bank interest calculation etc. Maintaining the integrity of the pay rate table, price table & interest table is critical within an org.
  ii) Print Run-to-Run control Totals: Run-to-run control totals help in identifying errors/irregularities like a record dropped erroneously from a transaction file.
  iii) Print Suspense Account Entries: Suspense account entries are to be periodically monitored against the respective error file & action taken on time.
  iv) Existence/Recovery Controls: Back-up & recovery strategies together encompass the controls required to restore a database after failure. Recovery strategies involve roll-forward/roll-back methods.
6) Output Controls: (PM, N14-6M) Output controls ensure that the data delivered to users will be presented, formatted & delivered in a consistent & secured manner. Output can be in any form; it can be a printed data report, a CD-ROM or a Word document. Various Output Controls are given as follows:
  i) Storage & logging of sensitive, critical forms: Pre-printed stationery should be stored securely to prevent unauthorized destruction/removal & usage.
  ii) Logging of output program executions: When programs used for output of data are executed, these should be logged & monitored.
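The update controls listed above (sequence check between master & transaction file, every record processed through end-of-file, several transactions for one record applied in order, mismatches held in a suspense account) and the run-to-run total from the processing controls (Rs.1,50,000 opening balance + Rs.20,000 of invoices = Rs.1,70,000) fit together in one sequential batch update routine. This is an added example, not the notes' own code; the customer balances and transactions are constructed so that the totals reproduce the figures quoted above, and the invoice/payment transaction types are assumed.

```python
"""Master file update with database update controls and run-to-run totals (added example)."""

# Constructed master file (sorted by customer id) and transaction file
# (sorted by customer id, then by sequence number within the customer).
MASTER = [
    {"id": 101, "balance": 50_000},
    {"id": 102, "balance": 100_000},
]
TRANSACTIONS = [
    {"id": 101, "seq": 1, "type": "invoice", "amount": 15_000},
    {"id": 101, "seq": 2, "type": "payment", "amount": 5_000},
    {"id": 102, "seq": 1, "type": "invoice", "amount": 10_000},
    {"id": 105, "seq": 1, "type": "invoice", "amount": 7_000},   # no master record exists
]


def sequence_check(master: list, transactions: list) -> bool:
    """Both files must be in key order before a sequential update; master keys unique."""
    master_keys = [r["id"] for r in master]
    txn_keys = [(t["id"], t["seq"]) for t in transactions]
    return master_keys == sorted(set(master_keys)) and txn_keys == sorted(txn_keys)


def _apply(record: dict, txn: dict) -> int:
    """Post one transaction; returns the signed amount for the run-to-run total."""
    signed = txn["amount"] if txn["type"] == "invoice" else -txn["amount"]
    record["balance"] += signed
    record["last_seq"] = txn["seq"]
    return signed


def update_master(master: list, transactions: list) -> dict:
    """Sequential merge of the transaction file into the master file."""
    if not sequence_check(master, transactions):
        raise ValueError("sequence check failed: files are not in key order")
    opening = sum(r["balance"] for r in master)          # run-to-run: opening total
    updated, suspense = [], []
    applied_total = 0
    mi = 0                 # read position in the master file
    current = None         # master record currently receiving transactions
    for txn in transactions:
        if current is not None and current["id"] == txn["id"]:
            applied_total += _apply(current, txn)        # same record, next in seq order
            continue
        # carry master records with smaller keys forward unchanged
        while mi < len(master) and master[mi]["id"] < txn["id"]:
            updated.append(dict(master[mi]))
            mi += 1
        if mi < len(master) and master[mi]["id"] == txn["id"]:
            current = dict(master[mi])
            updated.append(current)
            mi += 1
            applied_total += _apply(current, txn)
        else:
            suspense.append(txn)   # mismatch: hold it for review, never drop it silently
    # end-of-file on the transaction file: the rest of the master file must still be written
    updated.extend(dict(r) for r in master[mi:])
    closing = sum(r["balance"] for r in updated)         # run-to-run: closing total
    return {
        "master": updated,
        "suspense": suspense,
        "opening": opening,
        "applied_total": applied_total,
        "closing": closing,
        "run_to_run_ok": closing == opening + applied_total and len(updated) == len(master),
    }


if __name__ == "__main__":
    result = update_master(MASTER, TRANSACTIONS)
    print(result["opening"], "+", result["applied_total"], "=", result["closing"],
          "suspense:", [t["id"] for t in result["suspense"]])
```

The suspense total (Rs.7,000 here) is deliberately kept out of the applied total, so the run-to-run check still balances and the suspense report is the only place the unmatched transaction shows up, which is exactly what the print-suspense-account-entries report control exists to surface.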
  iii) Spooling/queuing: "Spool" is an acronym for "Simultaneous Peripherals Operations Online". This is a process used to ensure that the user is able to continue working while the print operation is getting completed.
  iv) Controls over printing: Outputs should be made on the correct printer & it should be ensured that unauthorized disclosure of information printed does not take place.
  v) Report distribution & collection controls: Distribution of reports should be made in a secure way to prevent unauthorized disclosure of data.
  vi) Retention controls: Retention controls consider the duration for which outputs should be retained before being destroyed.
Information Technology General Controls (ITGCs)
ITGCs are the basic policies & procedures that ensure:
  i) That an org's information systems are properly safeguarded,
  ii) That application programs & data are secure,
  iii) That computerized operations can be recovered in case of unexpected interruptions.
ITGCs provide the assurance that systems operate as intended & that output is reliable. ITGCs may also be referred to as General Computer Controls (GCC).
ITGCs are defined as: Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained & operated.
The most common ITGCs:
  i) Logical access controls over infrastructure, applications & data.
  ii) System development life cycle controls.
  iii) Program change management controls.
  iv) System & data backup & recovery controls.
  v) Computer operation controls.
Controls over Data Integrity & Security (Or Classification of information, or what is information classification, or 5 scale of classification of information): (PM, N15-4M) (Refer Chapter 5)
Classification of information is essential to understand & differentiate b/w the value of an asset & its sensitivity & confidentiality.
5 scale grade classification of information:
1) Top Secret:
  a) Highly sensitive internal information.
     It must be protected at all times.
  b) E.g. Pending mergers/acquisitions, investment strategies, plans/designs.
  c) Security at this level should be the highest possible.
2) Highly Confidential:
  a) Information that, if made public, could seriously impede the org.'s operations.
  b) E.g. Accounting information, business plans, & patients' medical records.
  c) Security at this level should be very high.
3) Proprietary:
  a) Information of a proprietary nature defines the way in which the organization operates. It should be accessible only to authorized personnel.
  b) E.g. Operational work routines, project plans.
  c) Security at this level should be high.
4) Internal Use Only:
  a) Information not approved for general circulation, where its loss would inconvenience the org. but not cause financial loss/serious damage to credibility.
  b) E.g. Internal memos, minutes of meetings.
  c) Security at this level should be controlled but normal.
5) Public Documents:
  a) Information in the public domain.
  b) E.g. Annual reports, press statements.
  c) Security at this level should be minimal.
A) Data Integrity: The primary objective of data integrity control techniques is to prevent, detect, & correct errors in transactions as they flow through various stages of a specific data processing program. Assessing data integrity involves evaluating the following critical procedures:
  a) Virus detection & elimination software is installed & activated.
  b) Data integrity & validation controls are used to provide assurance that the information has not been altered.
There are six categories of integrity controls (Control Category / Threats or Risks / Controls):
  Source data controls / Invalid, incomplete data input / a) Forms design, b) sequentially pre-numbered forms, c) segregation of duties, d) visual scanning, e) check-digit verification.
  Input validation routines / Invalid or inaccurate data in computer-processed transaction files / a) Edit programs check key data fields using these edit checks: sequence, field, sign, validity, limit, range; b) Enter exceptions in an error log; c) Investigate, correct, & resubmit them on time; d) Prepare a summary error report.
  On-line data entry controls / Invalid or inaccurate transaction input entered through online terminals / a) User-ids & passwords; b) Compatibility tests; c) Transaction log maintained by the system.
  Data processing & storage controls / Inaccurate or incomplete data in computer-processed master files / Policies & procedures: a) Data security & confidentiality, b) Audit trails, c) Monitoring & expediting data entry by data control personnel, d) Reconciliation of database totals with externally maintained totals, e) Exception reporting.
  Output controls / Inaccurate or incomplete computer output / a) Procedures to ensure that system outputs conform to the org.'s integrity objectives, reconciliation of batch totals; b) Proper distribution of output; c) Confidential outputs being delivered are protected from unauthorized access, modification, & misrouting.
  Data transmission controls / Unauthorized access to data being transmitted / Monitor network: a) To detect weak points, b) Backup components, c) Multiple communication paths b/w network components, d) Preventive maintenance.
B) Data Integrity Policies: (PM, N14, RTP-N14, MTP1-M/N16)
  i) Virus-Signature Updating: Virus signatures must be updated automatically when they are made available from the vendor.
  ii) Software Testing: All software must be tested in a suitable environment before installation on production systems.
  iii) Division of Environments: The division of environments into Development, Test, & Production is required for critical systems.
  iv) Offsite Backup Storage: Backups must be sent offsite for permanent storage.
  v) Quarter-End & Year-End Backups: Quarter-end & year-end backups must be done separately from the normal schedule for accounting purposes.
  vi) Disaster Recovery: A comprehensive DRP must be used to ensure continuity of business.
C) Data Security: (May 2017-6M) Data security encompasses the protection of data against accidental/intentional disclosure to unauthorized persons, as well as the prevention of unauthorized modification & deletion of the data.
Questions an IS auditor evaluates while reviewing the adequacy of data security controls: (M17-6M)
  1) Who is responsible for the accuracy of the data?
  2) Who is responsible for determining who can read & update the data?
  3) Who controls the security of the data?
  4) Who is permitted to update data?
  5) Who is permitted to read & use the data?
  6) If the IS system is outsourced, what security controls & protection mechanisms does the vendor have in place to secure & protect data?
  7) Contractually, what penalties/remedies are in place to protect the tangible & intangible values of the information?
  8) The disclosure of sensitive information is a serious concern to the organization.
Financial Controls (ABCDD SSSI) (PM, MTP2-N16)
These controls are generally defined as the procedures exercised by the system user personnel over source, or transaction origination, documents before system input.
Financial control techniques:
  1) Authorization: This entails obtaining the authority to perform some act.
  2) Budgets: These are estimates of the amount of time/money expected to be spent during a particular period.
  3) Cancellation of documents: This marks a document in such a way as to prevent its reuse. E.g. Marking invoices with a "paid" or "processed" stamp.
  4) Dual control: This entails having 2 people simultaneously access an asset. E.g. ATM machines are emptied/filled with money in the presence of 2 people.
  5) Input/output verification: This entails comparing the information provided by a computer system to the input documents.
  6) Safekeeping: This entails physically securing assets, such as computer disks, in a desk drawer, file cabinet, storeroom, or vault.
  7) Sequentially numbered documents: These are working documents with pre-printed sequential numbers, which enable the detection of missing documents.
Personal Computer Controls (PM, Nov14)
A) Related risks are given as follows:
  i) Personal computers are small in size & easy to connect & disconnect, so they can easily be taken outside the organization for theft of information.
  ii) Pen drives can be very conveniently transported from one place to another, as a result of which data theft may occur.
  iii) A PC is basically a single-user oriented machine & hence does not provide inherent data safeguards.
  iv) Segregation of duties is not possible, owing to the limited number of staff.
  v) The operating staff may not be adequately trained.
  vi) Weak access control over personal computers.
B) Security measures that could be exercised to overcome the aforementioned risks are given as follows:
  i) Physically locking the system.
  ii) Proper logging of equipment shifting must be done.
  iii) Centralized purchase of hardware & software.
  iv) Standards set for developing, testing & documenting.
  v) Use of antimalware software.
  vi) Use of disc locks that prevent unauthorized access.
Cyber Frauds
With the advancements in technology, cyber frauds are increasing day by day. Major reasons behind the rise of cyber frauds:
  a) Failure of the internal control system,
  b) Failure of organizations to update themselves to the new set of risks,
  c) Smart fraudsters: These are people who are able to target the weaknesses in a system.
The most common form is online credit card theft. On the basis of functionality, these are of two types:
  a) Pure Cyber Frauds: Frauds which exist only in the cyber world. E.g. Website hacking.
  b) Cyber Enabled Frauds: Frauds which can be committed in the physical world but with the use of technology. E.g. Withdrawal of money from an ATM by stealing PIN numbers.
A) Cyber Attacks: (MTP-M17)
  1) Phishing: It is the act of attempting to acquire information such as usernames, passwords, & credit card details by masquerading as a trustworthy entity in an electronic communication.
  2) Network Scanning: It is a process to identify active hosts of a system, for the purpose of getting information about IP addresses etc.
  3) Virus/Malicious Code: As per Section 43 of the Information Technology Act, 2000, "Computer Virus" means any computer instruction, information, data/program that destroys, damages, degrades or adversely affects the performance of a computer resource.
  4) Spam: E-mailing the same message to everyone on one or more Usenet News Groups or LISTSERV lists is termed spam.
  5) Website Compromise/Malware Propagation: It includes website defacements & hosting malware on websites in an unauthorized manner.
  6) Others:
    a) Cracking: Crackers are hackers with malicious intentions.
    b) Eavesdropping: It refers to listening to private voice or data transmissions using a wiretap.
    c) E-mail Forgery: Sending e-mail messages that look as if someone else sent them is termed E-mail forgery.
    d) E-mail Threats: Sending a threatening message to try & get the recipient to do something that would make it possible to defraud him is termed E-mail threats.
    e) Scavenging: This is gaining access to confidential information by searching corporate records.
B) Impact of Cyber Frauds on Enterprises: (Or repercussions of Cyber Frauds on Enterprises) (PM, N14/16, MTP1&2-M16) ------- [Answer points same as computer crime exposures]
  1) Financial Loss: Cyber frauds lead to actual cash loss to the target company/org. E.g. Wrongful withdrawal of money from bank accounts.
  2) Legal Repercussions: Entities hit by cyber frauds are caught in legal liabilities to their customers. Section 43A of the Information Technology Act, 2000, fixes liability for companies/organisations holding secured data of customers.
  3) Loss of Credibility/Competitive Edge: News that an organisation's database has been hit by fraudsters leads to loss of competitive advantage. This also leads to loss of credibility.
  4) Disclosure of Confidential, Sensitive or Embarrassing Information: A cyber-attack may expose critical information in the public domain.
  5) Sabotage: The above situation may lead to misuse of such information by an enemy country.
C) Techniques to Commit Cyber Frauds: (PM, M16, RTP-M15, MTP2-M16)
  1) Hacking: It refers to unauthorized access & use of computer systems. Normally, hackers do not intend to cause any damage. (RTP N15)
  2) Cracking: Crackers are hackers with malicious intentions, which means unauthorized entry. Unethical hacking is classified as Cracking. (RTP N15)
  3) Data Diddling: Changing data before, during, or after it is entered into the system in order to delete, alter, or add key system data is referred to as data diddling.
  4) Data Leakage: It refers to unauthorized copying of company data such as computer files.
  5) Denial of Service (DoS) Attack: It refers to a series of actions that prevents access to a software system by its authorized users.
  6) Internet Terrorism: It refers to using the Internet to disrupt electronic commerce & to destroy an entity's communications.
  7) Logic Time Bombs: These are programs that lie idle until some specified circumstance triggers them. Once triggered, the bomb sabotages the system by destroying programs, data or both.
  8) Masquerading/Impersonation: The perpetrator gains access to the system by pretending to be an authorized user.
  9) Password Cracking: An intruder penetrates a system's defence, steals the file containing valid passwords, decrypts them & then uses them to gain access to the system.
  10) Piggybacking: It refers to tapping into a telecommunication line.
  11) Round Down: The computer rounds down all interest calculations to 2 decimal places. The remaining fraction is placed in an account controlled by the perpetrator.
  12) Scavenging/Dumpster Diving: It refers to gaining access to confidential information by searching corporate records.
  13) Social Engineering Techniques: The perpetrator tricks an employee into giving out the information needed to get into the system.
  14) Super Zapping: It refers to the unauthorized use of special system programs to bypass regular system controls & perform illegal acts.
15) Trap Door: Perpetrator enters in the system using a back door that bypasses normal system controls & perpetrates fraud. www.akpune.com © Compiled By: Akshay R Yadav 35 88881 44446 98817 51563
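Point 11 (Round Down) is the one technique in this list that an auditor can catch with a reconciliation rather than with access controls, but only if the reconciliation is done at the right level. The following Python example is added here & is not part of the notes: it simulates an interest run over a constructed four-account ledger, once with the approved rounding & once with round-down skimming into a hypothetical perpetrator account, & shows that an aggregate control total passes both runs (the shaved fractions are still posted, so the total balances) while a per-account recomputation flags the fraud. Account numbers, balances & the 5% rate are all constructed for illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample ledger (assumption for this example, not data from the notes):
# account number -> principal balance. The 5% rate per period is also constructed.
LEDGER = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("987.65"),
    "A-1003": Decimal("4321.09"),
    "A-1004": Decimal("55.55"),
}
RATE = Decimal("0.05")
PERP_ACCOUNT = "A-9999"   # hypothetical account controlled by the perpetrator


def approved_interest(balance, rate):
    """The documented rounding rule: exact interest rounded to the cent, half to even."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def post_interest_honest(ledger, rate):
    """Legitimate interest run: every account receives the approved rounded amount."""
    return {acct: approved_interest(bal, rate) for acct, bal in ledger.items()}


def post_interest_round_down(ledger, rate, perp=PERP_ACCOUNT):
    """Round-down fraud: truncate each credit to the cent and sweep the shaved
    fractions into an account the perpetrator controls."""
    postings, shaved = {}, Decimal("0")
    for acct, bal in ledger.items():
        exact = bal * rate
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - paid
        postings[acct] = paid
    postings[perp] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def total_reconciles(ledger, rate, postings, tolerance=CENT):
    """Aggregate control-total check: does the total interest posted match the
    exact interest due within one cent? The fraud is designed to pass this,
    because the shaved fractions are still posted, just to the wrong account."""
    expected = sum((bal * rate for bal in ledger.values()), Decimal("0"))
    posted = sum(postings.values(), Decimal("0"))
    return abs(posted - expected) <= tolerance


def audit_postings(ledger, rate, postings):
    """Per-account check: independently recompute each credit with the approved
    rule, and flag any credit to an account that holds no principal.
    Returns a list of (account, posted, expected) findings; empty means clean."""
    findings = []
    for acct, posted in sorted(postings.items()):
        if acct not in ledger:
            findings.append((acct, posted, Decimal("0.00")))
            continue
        expected = approved_interest(ledger[acct], rate)
        if posted != expected:
            findings.append((acct, posted, expected))
    return findings


if __name__ == "__main__":
    honest = post_interest_honest(LEDGER, RATE)
    fraud = post_interest_round_down(LEDGER, RATE)
    print("control total passes, honest run:", total_reconciles(LEDGER, RATE, honest))
    print("control total passes, fraud run:  ", total_reconciles(LEDGER, RATE, fraud))
    for acct, posted, expected in audit_postings(LEDGER, RATE, fraud):
        print(f"  {acct}: posted {posted}, expected {expected}")
```

On this ledger the honest & the fraudulent runs both post 329.94 in total against 329.9425 due, so the control total is satisfied either way; the per-account audit on the fraudulent run flags the two accounts whose credit was truncated downward & the credit to A-9999, which holds no principal. Decimal arithmetic is used throughout because binary floating point would itself introduce sub-cent noise that a fraudster could hide in.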
Chapter 5: Acquisition, Development & Implementation of Information Systems
Question 1: Key characteristics of the Waterfall Model & its major weaknesses. Or Exercise Q1: What is the waterfall model of system development? Also discuss its major strengths.
Waterfall Model: It is a traditional development approach in which each phase is carried out in sequence. The phases are requirements analysis, specification & design, coding, final testing & release.
Key characteristics:
1) The project is divided into sequential phases, with some overlap & splashback acceptable between phases.
2) Emphasis is on planning, time schedules, target dates, budgets & implementation of the entire system at one time.
3) Tight control is maintained over the life of the project through extensive written documentation & through formal reviews & approval/signoff.
Strengths:
1) It is ideal for supporting less experienced project teams & project managers.
2) The orderly sequence of development steps helps to ensure the quality, reliability, adequacy & maintainability of the developed software.
3) Progress of system development is measurable.
4) It conserves resources.
Weaknesses: (RTP-M15, MTP-N16)
1) It is criticised as inflexible, slow, costly & cumbersome.
2) The project progresses forward, with only slight movement backward.
3) There is little room to iterate, which may be essential in some situations.
4) It depends upon early identification & specification of requirements, even though users may not be able to define clearly what they need early in the project.
5) Requirement inconsistencies, missing system components & unexpected development needs are often discovered only during design & coding.
6) Problems are often not discovered until system testing.
7) System performance cannot be tested until the system is almost fully coded.
8) It is difficult to respond to changes.
9) It leads to excessive documentation.
10) Written specifications are often difficult for users to read & thoroughly appreciate.
11) It promotes a gap between users & developers, with a clear division of responsibility.
Question 2: Describe the prototyping model of system development, explaining the generic phases of this model.
Prototyping Model: (N16) The traditional approach may take years to analyse, design & implement a system. Moreover, we often know little about a system until we have seen it working, which is not possible until late in a traditional project. To avoid such bottlenecks & overcome these issues, organisations are increasingly using prototyping techniques to develop smaller systems such as DSS, MIS & expert systems. The goal of the prototyping approach is to develop a small or pilot version, called a prototype, of part or all of a system. A prototype is a usable system or system component that is built quickly & at a lesser cost, with the intention of modifying/replicating/expanding or even replacing it by a full-scale, fully operational system. Finally, when a prototype is developed that satisfies all user requirements, either it is refined & turned into the final system or it is scrapped.
Generic phases of this model:
1) Identify IS Requirements: Under the prototype approach, the design team needs only the fundamental system requirements to build the initial prototype, so the process of determining them can be less formal & time-consuming than in traditional systems analysis.
2) Develop the Initial Prototype: Designers create an initial base model & give little or no consideration to internal controls. This enables users to interact with tentative versions of data entry display screens, menus, input prompts & source documents.
3) Test & Revise: After finishing the initial prototype, designers first demonstrate the model to users & then give it to them to experiment with, asking them to record their likes & dislikes about the system & recommend changes. Using this feedback, the design team modifies the prototype as necessary.
4) Obtain User Signoff of the Approved Prototype: Users formally approve the final version of the prototype, which commits them to the current design & establishes a contractual obligation about what the system will, & will not, do or provide.
Question 3: Describe the major strengths of the Prototyping model. (RTP-M14)
Answer: The major strengths of the prototyping model are as follows:
1) It improves both user participation in system development & communication among project stakeholders.
2) It is especially useful for resolving unclear objectives; developing & validating user requirements; experimenting with or comparing various design solutions; or investigating both performance & the human-computer interface.
3) Potential exists for exploiting knowledge gained in an early iteration as later iterations are developed.
4) It helps to identify confusing or difficult functions & missing functionality easily.
5) It can generate specifications for a production application.
6) It encourages innovation & flexible designs.
7) It provides for quick implementation of an incomplete, but functional, application.
8) It typically results in a better definition of users' needs & requirements than the traditional systems development approach.
9) A very short time is normally required to develop & start experimenting with a prototype. This short period allows system users to evaluate proposed system changes immediately.
10) Since system users experiment with each version of the prototype through an interactive process, errors are hopefully detected & eliminated early in the development process.
Thus, the IS ultimately implemented should be more reliable & less costly to develop than with the traditional systems development approach.
Weaknesses: (RTP-M14)
1) The approval process & controls are not strict.
2) Incomplete/inadequate problem analysis may occur, whereby only the most obvious & superficial needs are addressed.
3) Requirements may frequently change significantly.
4) Non-functional elements are difficult to identify & document.
5) Designers may prototype too quickly, without sufficient upfront user needs analysis, resulting in an inflexible design with a narrow focus that limits future system potential.
6) The prototype may not have sufficient checks & balances incorporated.
7) Prototyping can only be successful if the system users are willing to devote significant time to experimenting with the prototype & providing the system developers with change suggestions.
8) The interactive process of prototyping causes the prototype to be experimented with quite extensively.
9) Prototyping may cause behavioural problems with system users.
Question 4: Explain the major strengths & weaknesses of the Spiral model.
a) The major strengths of the Spiral model are as follows:
1) It enhances risk avoidance.
2) It is useful for the optimal development of a given piece of software, with iterations based on project risk.
3) It can incorporate the Waterfall, Prototyping & Incremental methodologies as special cases in the framework, & provides guidance as to which combination of these models best fits a given software iteration, based upon the type of project risk. E.g. a project with low risk of not meeting user requirements but high risk of missing budget or schedule targets would essentially follow a linear Waterfall approach for a given software iteration. Conversely, if the risk factors were reversed, the Spiral methodology could yield an iterative prototyping approach.
b) The major weaknesses of the Spiral model are as follows:
1) It is challenging to determine the exact composition of development methodologies to use for each iteration around the Spiral.
2) It may prove highly customised to each project, & is thus quite complex & limits reusability.
3) A skilled & experienced project manager is required to determine how to apply it to any given project.
4) No established controls exist for moving from one cycle to another. Without controls, each cycle may generate more work for the next cycle.
5) There are no firm deadlines; cycles continue with no clear termination condition, leading to an inherent risk of not meeting budget or schedule.
Question 5: What do you understand by the agile model of software development? Also, explain its major strengths & weaknesses in brief. Or Question 23: Define the Agile model of software development & discuss its strengths. Or Exercise Q3: Agile methodology is one of the popular approaches of system development. What are the weaknesses of this methodology in your opinion?
Agile Model: This is an organised set of software development methodologies based on iterative & incremental development, where requirements & solutions evolve through collaboration between self-organising, cross-functional teams.
Strengths: The major strengths of the agile model identified by experts & practitioners include the following:
1) Agile methodology has the concept of an adaptive team, which enables it to respond to changing requirements.
2) The team does not have to invest time & effort only to find, by the time the product is delivered, that the customer's requirements have changed.
3) Face-to-face communication & continuous input from the customer representative leave little space for guesswork.
4) The documentation is crisp & to the point, to save time.
5) The result is generally high-quality software in the least possible time & a satisfied customer.
Weaknesses: The major weaknesses identified by experts & practitioners include the following:
1) In the case of some software deliverables, especially large ones, it is difficult to assess the effort required at the beginning of the software development life cycle.
2) There is a lack of emphasis on necessary design & documentation.
3) Agile increases potential threats to business continuity & knowledge transfer. By nature, Agile projects are extremely light on documentation because the team focuses on verbal communication with the customer rather than on documents or manuals.
4) Agile requires more re-work: due to the lack of long-term planning & the lightweight approach to architecture, re-work is often required on Agile projects when the various components of the software are combined & forced to interact.
5) The project can easily get taken off track if the customer representative is not clear about the outcome.
6) Agile lacks attention to outside integration.
Question 6: State & briefly explain the stages of the System Development Life Cycle (SDLC). Or Question 22(ii): Write a short note on: System Development Life Cycle (SDLC)
The SDLC gives system designers & developers a sequence of activities to follow. It consists of a generic sequence of steps or phases, in which each phase uses the results of the previous one. The phases, with the nature of activity in each, are as under:
1. Preliminary Investigation: Determining & evaluating the strategic feasibility of the system & ensuring that the solution fits the business strategy.
2. Systems Requirements Analysis: Analysing the typical system requirements, in view of its functionalities, deliverables etc.
3. Systems Design: Designing the system in terms of user interface, data storage & data processing functions on the basis of the requirements phase, by developing the system flowcharts, system & data flow diagrams, screens & reports.
4. Systems Acquisition: Acquisition of operating infrastructure including hardware, software & services.
5. Systems Development: Developing the system as per the system design, with a view to an implementation that fulfils the requirements to the satisfaction of all stakeholders.
6. Systems Testing: Requisite testing to ensure a valid & reliable implementation.
7. Systems Implementation: Operationalisation of the developed system for acceptance by management & users before migration of the system to the live environment & data conversion from the legacy system to the new system.
8. Post Implementation Review & Maintenance: Continuous evaluation of the system as it functions in the live environment & its updating/maintenance.
Question 7: The top management of a company has decided to develop a computer IS for its operations. Is it essential to conduct a feasibility study of the system before implementing it? If the answer is yes, state the reasons. Also, discuss three different angles through which the feasibility study of the system is to be conducted. Or Exercise Q4: What do you understand by feasibility study? Explain the various types of feasibility studies in detail.
Answer: Yes, it is essential to carry out the feasibility study of the project before its implementation. After possible solution options are identified, project feasibility, i.e. the likelihood that these systems will be useful for the organisation, is determined. A feasibility study is a process of evaluating alternative systems from various angles so that the most feasible & desirable system can be selected for development. The feasibility study of a system is undertaken from three angles, i.e. Technical, Economic & Operational, with several further dimensions described below.
a) Technical Feasibility: It tries to answer whether implementation of the project is viable using current technology. Technical issues usually raised during the feasibility stage of the investigation include:
1) Does the necessary technology exist to do what is suggested?
2) Does the proposed equipment have the technical capacity to hold the data required to use the new system?
3) Can the proposed application be implemented with existing technology?
4) Will the proposed system provide adequate responses to inquiries, regardless of the number or location of users?
5) Can the system be expanded once developed?
6) Are there technical guarantees of accuracy, reliability, ease of access & data security?
b) Financial Feasibility: The solution proposed may be prohibitively costly for the user organisation.
c) Economic Feasibility: It includes an evaluation of all the incremental costs & benefits expected if the proposed system is implemented. The financial & economic questions raised by analysts during the preliminary investigation are for the purpose of estimating the following:
1) the cost of conducting a full systems investigation;
2) the cost of hardware & software for the class of applications being considered;
3) the benefits in the form of reduced costs or fewer costly errors; &
4) the cost if nothing changes (i.e. the proposed system is not developed).
After possible solution options are identified, the analyst should make a preliminary estimate of each solution's costs & benefits.
d) Schedule/Time Feasibility: This involves the design team estimating how long it will take for a new or revised system to become operational.
e) Resources Feasibility: This focuses on human resources. Implementing sophisticated software solutions becomes difficult at specific locations because of the reluctance of skilled personnel to move to such locations.
f) Operational Feasibility: It is concerned with ascertaining the views of workers, employees, customers & suppliers about the use of the computer facility. A system can be highly feasible in all respects except the operational one & still fail miserably because of human problems. Some of the questions which help in testing the operational feasibility of a project include the following:
1) Is there sufficient support for the system from management & from users?
2) Are current business methods acceptable to users?
3) Have the users been involved in the planning & development of the project?
4) Will the proposed system cause harm? Will it produce poorer results in any respect or area? Will loss of control result in any areas? Will accessibility of information be lost?
5) Will individual performance be poorer after implementation than before?
g) Behavioral Feasibility: The system is designed to process data & produce the desired outputs; however, if the data input for the system is not readily available or collectable from the people who must supply it, the system may not be successful. (The summary in Question 27 frames this dimension as whether the solution will adversely affect the quality of work life.)
h) Legal Feasibility: This is largely concerned with whether there will be any conflict between a newly proposed system & the organisation's legal obligations. Any system which is liable to violate local legal requirements should be rejected. E.g. a revised system should comply with all applicable statutes about financial & statutory reporting requirements, as well as the company's contractual obligations.
Question 27: Feasibility Study is an important aspect of the System Development Life Cycle (SDLC). Explain the dimensions which are evaluated in this study.
Answer: Feasibility Study is an important aspect of the System Development Life Cycle (SDLC).
The dimensions under which the feasibility of a system is evaluated are as follows:
1) Technical Feasibility: Is the technology needed available?
2) Financial Feasibility: Is the solution viable financially?
3) Economic Feasibility: What is the return on investment?
4) Schedule/Time Feasibility: Can the system be delivered on time?
5) Resources Feasibility: Are the human resources needed for the solution available & willing?
6) Operational Feasibility: How will the solution work in practice?
7) Behavioral Feasibility: Is the solution going to have any adverse effect on quality of work life?
8) Legal Feasibility: Is the solution valid in legal terms?
Question 8: What are the possible advantages of the SDLC from the perspective of IS Audit?
Answer: From the perspective of IS Audit, the following are the possible advantages of the SDLC:
1) The IS auditor can have a clear understanding of the various phases of the SDLC.
2) The IS auditor, on the basis of his/her examination, can state in his/her report whether IS management has complied with the procedures, if any, set by management.
3) The IS auditor, if he/she has technical knowledge & ability in the different areas of the SDLC, can act as a guide during the various phases of the SDLC.
4) The IS auditor can provide an evaluation of the methods & techniques used through the various development phases of the SDLC.
Question 9: What are the major aspects that need to be kept in mind while eliciting information to delineate scope?
Answer: The major aspects that need to be kept in mind while eliciting information to delineate scope are as follows:
1) Different users may represent the problem & the required solution in different ways. The system developer should elicit the need from the initiator, called the champion or executive sponsor of the project, on the basis of the scope.
2) While the initiator of the project may be a member of senior management, the actual users may be from the operating levels of the organisation.
3) While presenting the proposed solution for a problem, the development organisation has to clearly quantify the economic benefits to the user organisation.
4) It is also necessary to understand the impact of the solution on the organisation. Solutions which have a wide impact are likely to be met with greater resistance.
5) While economic benefit is a critical consideration when deciding on a solution, there are several other factors that have to be given weightage too & that must be considered from the perspective of user management & resolved.
Question 10: A company is offering a wide range of products & services to its customers. It relies heavily on its existing IS to provide up-to-date information. The company wishes to enhance its existing system. You being an IS auditor, suggest how the investigation of the present information system should be conducted so that it can be further improved upon. Or Exercise Q6: What do you understand by "Requirement analysis"? What is the significance of analysing the present system & how is it carried out? Explain briefly.
Answer: Detailed investigation of the present system involves collecting, organising & evaluating facts about the system & the environment in which it operates.
The following areas may be studied:
1) Reviewing Historical Aspects: A brief history of the organisation is a logical starting point for an analysis of the present system.
2) Analysing Inputs: A detailed analysis of present inputs is important since they are basic to the manipulation of data. Source documents are used to capture the originating data for any type of system.
3) Reviewing Data Files: The analyst should investigate the data files maintained by each department, noting their number & size, where they are located, who uses them & how many times they are used in a given time interval.
4) Reviewing Methods, Procedures & Data Communications: Methods & procedures transform input data into useful output. A method is defined as a way of doing something; a procedure is a series of logical steps by which a job is accomplished.
5) Analysing Outputs: Outputs or reports should be scrutinised carefully by the system analysts in order to determine how well they meet the organisation's needs.
6) Reviewing Internal Controls: A detailed investigation of the present IS is not complete until the internal control mechanism is reviewed.
7) Modelling the Existing System: As the logic of inputs, methods, procedures, data files, data communications, reports, internal controls & other important items is reviewed & analysed in a top-down manner, the processes must be properly documented.
8) Undertaking Overall Analysis of the Existing System: Based upon the aforesaid investigation of the present IS, the current personnel requirements & the present costs & benefits are analysed. Each of these must be investigated thoroughly.
Question 11: Explain the two primary methods which are used for the analysis of the scope of a project in the SDLC.
Answer: The two primary methods used for the analysis of the scope of a project in the SDLC are as follows:
a) Reviewing Internal Documents: Analysts conducting the investigation first try to learn about the organisation involved in, or affected by, the project.
b) Conducting Interviews: Written documents tell the analyst how the systems should operate, but they may not include enough detail to allow a decision to be made about the merits of a systems proposal, nor do they present users' views about current operations.
Question 12: What are the major objectives of the system requirements analysis phase in the SDLC?
Answer: The major objectives of the system requirements analysis phase in the SDLC are as follows:
1) To identify & consult the stakeholders to determine their expectations & resolve their conflicts.
2) To analyse requirements to detect & correct conflicts & determine priorities.
3) To gather data or find facts using tools like interviewing, questionnaires & observation.
4) To verify that the requirements are complete, consistent, modifiable, testable & traceable.
5) To model activities, such as developing models to document Data Flow Diagrams.
6) To document activities such as interviews, questionnaires, reports etc.
Question 13: If you are the Project Manager of a software company with the responsibility for developing a break-through product combining state-of-the-art hardware & software, will you opt for prototyping as a process model for a product meant for the intensely competitive entertainment market?
Answer: Prototyping as a process model will be inappropriate & hence inadvisable, for the following reasons:
1) Prototyping requires user involvement. Here, the users are consumers of the product, who are diffused & may not be inclined to join in.
2) When we try to test the product with the involvement of customers, confidential information about our line of thinking might get leaked to competitors.
3) The element of surprise & also the opportunity to capture the market will be lost.
4) Prototyping requires significant time for experimenting. Since the product is meant for the intensely competitive entertainment market, the project manager may not have that much time to experiment, & a competitor may capture the market by entering it in advance.
Question 14: Describe briefly the four categories of major tools that are used for system development.
Answer: The major tools used for system development can be grouped into four categories based on the system features each documents. These are: 1) components & flows of a system, 2) user interface, 3) data attributes & relationships, & 4) detailed system processes. Each of these categories is briefly discussed below:
1) System Components & Flows: These tools help the system analyst to document the data flow among the major resources & activities of an IS.
2) User Interface: Designing the interface between end users & the computer system is a major consideration of a system analyst while designing the new system.
3) Data Attributes & Relationships: The data resources in an IS are defined, catalogued & designed by this category of tools. A Data Dictionary catalogues the description of the attributes (characteristics) of all data elements & their relationships to each other as well as to external systems.
4) Detailed System Processes: These tools are used to help the programmer develop the detailed procedures & processes required in the design of a computer program.
Question 15: Bring out the reasons as to why organisations fail to achieve their systems development objectives. Or Question 24: Many a time organisations fail to achieve their system development objectives. Justify the statement, giving reasons.
Answer: Some of the most notable reasons for this are as follows:
i) User Related Issues: (RTP-N15) These are issues where the user/customer is reckoned as the primary agent. Some of the aspects of this problem are as follows:
a) Shifting User Needs: User requirements for IT are constantly changing, leading to more requests for information systems development.
b) Resistance to Change: People have a natural tendency to resist change.
c) Lack of Users' Participation: Users must participate in the development effort to define their requirements, feel ownership of project success & work to resolve development problems.
d) Inadequate Testing & User Training: New systems must be tested before installation to determine that they operate correctly. Users must be trained to utilise the new system effectively.
ii) Developer Related Issues: (RTP-N16) These are the issues & challenges with regard to the developers. Some of the critical bottlenecks are as follows:
a) Lack of Standard Project Management & System Development Methodologies: Some organisations do not formalise their project management & system development methodologies, thereby making it very difficult to consistently complete projects on time or within budget.
b) Overworked/Under-Trained Development Staff: In many cases, system developers lack sufficient educational background & the requisite state-of-the-art skills.
iii) Management Related Issues: These are the bottlenecks with regard to organisational set-up, administration & overall management in accomplishing the system development goals. Some such bottlenecks are as follows:
a) Lack of Senior Management Support & Involvement: Developers & users of information systems watch senior management to determine which systems development projects are important, & act accordingly by shifting their efforts away from any project which is not receiving management attention.
b) Development of Strategic Systems: Because strategic decision making is unstructured, the requirements, specifications & objectives for such development projects are difficult to define.
iv) New Technologies: When an organisation tries to create a competitive advantage by applying advanced technologies, it generally finds that attaining system development objectives is more difficult because personnel are not as familiar with the technology.
Question 16: Discuss the major characteristics of a good coded program in brief.
Answer: A good coded program should have the following characteristics:
1) Reliability: It refers to the consistency with which a program operates over a period of time.
2) Robustness: It refers to the application's strength to uphold its operations in adverse situations.
3) Accuracy: It refers not only to what the program is supposed to do, but also takes care of what it should not do.
4) Efficiency: It refers to the performance per unit of resource used.
5) Usability: It refers to a user-friendly interface & easy-to-understand internal/external documentation.
6) Maintainability: It refers to the ease of maintenance of the program, even in the absence of the program developer.
Question 17: Describe the categories of tests that a programmer typically performs on a program unit. Or: Testing a program unit is essential before implementing it. Explain the tests a programmer typically performs on a program unit.
Unit Testing: Unit testing is a software verification & validation method in which a programmer tests whether individual units of source code are fit for use. A unit is the smallest testable part of an application, which may be an individual program, function, procedure, etc., or may belong to a base/super class, abstract class or derived/child class. There are five categories of tests that a programmer typically performs on a program unit:
a) Functional Tests: Functional tests check whether programs do what they are supposed to do or not.
b) Performance Tests: Performance tests should be designed to verify the response time, the execution time, the throughput, primary & secondary memory utilisation & the traffic rates on data channels & communication links.
c) Stress Tests: Stress testing is a form of testing used to determine the stability of a given system/entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results.
d) Structural Tests: Structural tests are concerned with examining the internal processing logic of a software system. E.g. if a function is responsible for tax calculation, the verification of its logic is a structural test.
e) Parallel Tests: In parallel tests, the same test data is used in the new & the old system & the output results are then compared.
Question 18: Explain the following testing techniques:
i) Black Box Testing: Black box testing takes an external perspective of the test object to derive test cases. These tests can be functional or non-functional, though usually functional. The test engineer has no prior knowledge of the test object's internal structure. The test designer selects typical inputs, including simple, extreme, valid & invalid input cases, & executes them to obtain assurance or uncover errors. This method of test design is applicable to all levels of software testing, i.e. unit, integration, functional, system & acceptance testing.
ii) White Box Testing: It uses an internal perspective of the system to design test cases based on the internal structure. It requires programming skills to identify all paths through the software. The tester chooses test case inputs to exercise selected paths through the code & determines the appropriate outputs. It is applicable at the unit, integration & system levels of the testing process, but it is typically applied to the unit.
iii) Gray Box Testing: It is a software testing technique that uses a combination of black box testing & white box testing. In gray box testing, the tester applies a limited number of test cases to the internal workings of the software under test.
Question 19: Explain the different changeover strategies used for conversion from the old system to the new system. Or Exercise Q10 (vi): Write a short note on Parallel Running Implementation.
Answer: Conversion/changeover is the process of changing over or shifting from the old system to the new system. Four popular implementation strategies are as follows: (PM, M07/09, RTP-M15, M16, M14)
a) Direct Implementation/Abrupt Changeover: With this strategy, the changeover is done in one operation, completely replacing the old system in one go.
b) Phased Changeover: With this strategy, implementation is staged, with conversion to the new system taking place gradually.
c) Pilot Changeover: With this strategy, the new system replaces the old one in one operation but only on a small scale, e.g. in one division.
d) Parallel Changeover: (RTP M14) This is considered the most secure method, with both systems running in parallel over an introductory period. The old system remains fully operational while the new system comes online. With this strategy, the old & the new system are both used alongside each other, both being able to operate independently.
Question 20: Discuss briefly the various activities that are involved in a successful conversion with respect to a computerized IS.
Answer: Changeover or Conversion includes all those activities which must be completed to successfully convert from the previous system to the new IS. Fundamentally, these technical activities can be classified as follows: (PM, M10, N07/10, RTP-M15)
1) Procedure Conversion:
● Operating procedures should be carefully completed with sufficient documentation for the new system.
● It applies to both computer operations & functional area operations.
2) File Conversion: (RTP-N16)
● Large files of information must be converted from one medium to another.
● In order for the conversion to be as accurate as possible, file conversion programs must be thoroughly tested.
3) System Conversion: (M13, RTP-N16)
● After on-line & off-line files have been converted & the reliability of the new system has been confirmed for a functional area, daily processing can be shifted from the existing IS to the new one.
4) Scheduling Personnel & Equipment:
● Scheduling data processing operations of a new IS for the 1st time is a difficult task for the system manager.
● As users become more familiar with the new system, the job becomes more routine.
Question 21: Explain corrective & adaptive maintenance, in brief.
Answer: Refer Question no. 26 on page no.
Question 22: Write short notes on the following:
i) Design of database:
Answer: The designing of a database involves four major activities, which are given as follows:
1) Conceptual Modeling: This describes the application domain via entities/objects, their attributes & relationships, & static & dynamic constraints.
2) Data Modeling: Conceptual models need to be translated into data models so that they can be accessed & manipulated by both high-level & low-level programming languages.
3) Storage Structure Design: Decisions must be made on how to linearize & partition the data structure so that it can be stored on some device.
4) Physical Layout Design: Decisions must be made on how to distribute the storage structure across specific storage media & locations.
ii) System Development Life Cycle (SDLC):
Answer: Refer Question no. 6 on page no.
Question 23: Define the Agile model of software development & discuss its strengths.
Answer: Refer Question no. 5 on page no.
Question 24: Many a time, organizations fail to achieve their system development objectives. Justify the statement, giving reasons.
Answer: Refer Question no. 15 on page no.
Question 25: Discuss the factors to be considered to validate a vendor's proposal at the time of software acquisition.
Answer: The contracts & software licensing process consists of evaluating & ranking the proposals submitted by vendors & is quite difficult, expensive & time consuming. The following factors have to be considered for a rigorous evaluation:
a) Performance capability of each proposed system in relation to its costs.
b) Costs & benefits of each proposed system.
c) Maintainability of each proposed system.
d) Compatibility of each proposed system with existing systems.
e) Vendor support.
Question 26: Maintaining the system is an important aspect of system development.
Elaborate the various categories of system maintenance. Or Question 21: Explain corrective & adaptive maintenance, in brief. Or Exercise Q10 (v): Write short notes on Preventive Maintenance.
Answer: Maintaining the system is an important aspect of System Development. Maintenance can be categorized in the following ways:
1) Scheduled Maintenance: Scheduled maintenance is anticipated & can be planned for operational continuity & avoidance of anticipated risks.
2) Rescue Maintenance: Rescue maintenance refers to previously undetected malfunctions that were not anticipated but require an immediate troubleshooting solution.
3) Corrective Maintenance: Corrective maintenance deals with fixing bugs in the code or defects found during execution. (MTP N15-3M)
4) Adaptive Maintenance: Adaptive maintenance consists of adapting software to changes in the environment, such as the hardware or operating system. (MTP N15-3M)
5) Perfective Maintenance: Perfective maintenance mainly deals with accommodating new or changed user requirements & with activities to increase the system's performance or to enhance its user interface.
6) Preventive Maintenance: Preventive maintenance concerns the activities aimed at increasing the system's maintainability, such as updating documentation, adding comments & improving the modular structure of the system.
Question 28: You have been associated with a system analysis team. Describe the important factors that you will consider while designing user input forms.
Answer: Important factors that should be considered by the system analyst while designing user input/output forms:
1) Content: It refers to the actual pieces of data to be gathered to produce the required output to be provided to users.
2) Timeliness: It refers to when users need outputs, which may be required on a regular, periodic basis.
3) Format: Input format refers to the way data are physically arranged. Output format refers to the arrangement of data output on a printed report.
4) Media: Input/output medium refers to the physical device used for input, storage or output.
5) Form: Form refers to the way the information is entered in the input form & the way content is presented to users in various output forms - quantitative, non-quantitative, text, graphics, video & audio.
6) Input Volume/Output Volume: Input volume refers to the amount of data that must be entered in the computer system at any one time. The amount of data output required at any one time is known as output volume.
Exercise
1) What is the waterfall model of system development? Also discuss its major strengths.
Answer: Refer Question no. 1 on page no.
2) What is Rapid Application Development (RAD)? Discuss its strengths & weaknesses in brief.
Rapid Application Development (RAD): RAD refers to a type of software development methodology which uses minimal planning in favor of rapid prototyping. Planning of software developed using RAD is interleaved with writing the software itself. The lack of extensive pre-planning generally allows software to be written much faster & makes it easier to change requirements.
Strengths:
1) An operational version of an application is available much earlier than with the Waterfall, Incremental or Spiral frameworks.
2) Because RAD produces systems more quickly & with a business focus, this approach tends to produce systems at lower cost.
3) Quick initial reviews are possible.
4) Constant integration isolates problems & encourages customer feedback.
5) It holds a greater level of commitment from stakeholders, both business & technical, than the Waterfall, Incremental or Spiral frameworks. Users are seen as gaining more of a sense of ownership of a system, while developers are seen as gaining more satisfaction from producing successful systems quickly.
6) It concentrates on essential system elements from the user viewpoint.
7) It provides the ability to rapidly change the system design as demanded by users.
8) It leads to a tighter fit between user requirements & system specifications.
Weaknesses:
1) Fast speed & lower cost may adversely affect system quality.
2) The project may end up with more requirements than needed (gold-plating).
3) Potential for feature creep, where more & more features are added to the system over the course of development.
4) It may lead to inconsistent designs within & across systems.
5) It may call for violation of programming standards related to inconsistent naming conventions & inconsistent documentation.
6) It may lead to a lack of attention to later system administration needs built into the system.
7) Formal reviews & audits are more difficult to implement than for a complete system.
8) Tendency for difficult problems to be pushed to the future to demonstrate early success to mgt.
9) Since some modules will be completed much earlier than others, well-defined interfaces are required.
3) Agile methodology is one of the popular approaches of system development. What are the weaknesses of this methodology in your opinion?
Answer: Refer Question no. 5 on page no.
4) What do you understand by feasibility study? Explain various types of feasibility studies in detail.
Answer: Refer Question no. 27 on page no.
5. System Analysts use various fact-finding techniques for determining the needs/requirements of a system to be developed. Explain these techniques in brief.
Fact Finding: Every system is built to meet some set of needs, e.g. the need of the organization for lower operational costs, better information for managers, or better levels of service to customers. Various fact-finding techniques/tools:
1) Documents: Document means manuals, input forms, output forms, diagrams of how the current system works, job descriptions for the people, etc. Documents are a very good source of information about user needs & the current system.
2) Questionnaires: Users & managers are asked to complete a questionnaire about the information systems when the traditional system development approach is chosen. The main strength of questionnaires is that a large amount of data can be collected from a variety of users quickly.
3) Interviews: Users & managers may also be interviewed to extract information in depth. Interviews also give the analyst the opportunity to observe & record first-hand user reaction & to probe for further information.
4) Observation: In general, & particularly in prototyping approaches, observation plays a central role in requirement analysis. Only by observing how users react to prototypes of a new system can the system be successfully developed.
6. What do you understand by "Requirement analysis"? What is the significance of analyzing the present system & how is it carried out? Explain briefly.
Answer: Refer Question no. 10 on page no.
7. What is SDLC? Explain the key activities performed in the Requirements Analysis phase.
Answer: Key activities which are performed in the 'Requirements Analysis Phase' are given as follows:
1) To identify and consult the stakeholders to determine their expectations and resolve their conflicts;
2) To analyze requirements to detect and correct conflicts and determine priorities;
3) To verify that the requirements are complete, consistent, unambiguous, verifiable, modifiable, testable & traceable;
4) To gather data or find facts using tools like interviewing, research/document collection, questionnaires and observation;
5) To carry out modeling activities, such as developing models to document Data Flow Diagrams and E-R Diagrams;
6) To document activities such as interviews, questionnaires, reports etc. & to develop a system (data) dictionary to document the modeling activities.
8. Discuss the roles of the following with reference to SDLC:
(i) Steering Committee: It is a special high-powered committee of experts to accord approvals for go-ahead and implementation. Some of the functions of the Steering Committee are given as follows:
1) To provide overall direction and ensure appropriate representation of affected parties;
2) To be responsible for all costs and timetables;
3) To conduct a regular review of the progress of the project in the meetings of the steering committee, which may involve co-ordination and advisory functions;
4) To undertake corrective actions like rescheduling.
(ii) System Analyst/Business Analyst: The systems analyst's main responsibility is to conduct interviews with users & understand their requirements. S/he is a link between the users & the designers/programmers, who convert the users' requirements into the system requirements, & plays a pivotal role in the Requirements Analysis & Design phases.
(iii) Database Administrator: The data in a database environment has to be maintained by a specialist in database administration so as to support the application program.
The DBA handles multiple projects, ensures the integrity & security of information stored in the database & also helps the application development team with database performance issues.
(iv) IS Auditor: As a member of the team, the IS Auditor ensures that the application development also focuses on the control perspective. S/he should be involved at the Design Phase & the final Testing Phase to ensure the existence and the operation of the controls in the new software.
9. Discuss Final Acceptance Testing in brief.
Answer: It is conducted when the system is just ready for implementation. During this testing, it is ensured that the new system satisfies the quality standards adopted by the business and satisfies users. Thus, final acceptance testing has two major parts:
1) Quality Assurance Testing: It ensures that the new system satisfies the prescribed quality standards and that the development process is as per the organization's quality assurance policy, methodology and prescriptions.
2) User Acceptance Testing: It ensures that the functional aspects expected by users have been well addressed in the new system. There are two types of user acceptance testing: Alpha Testing and Beta Testing.
10. Write short notes on the following:
(i) Data Dictionary
Answer: A data dictionary contains descriptive information about the data items in the files of a business IS. Thus, a data dictionary is a computer file about data. Each computer record of a data dictionary contains information about a single data item used in a business IS.
(ii) Static Testing:
Answer: 1) Static analysis tests are conducted on source programs and do not normally require execution in operating conditions. 2) Typical static analysis techniques include: Desk Check, Structured Walk Through & Code Inspection.
(iii) Regression Testing:
Answer: 1) In the context of integration testing, regression tests ensure that changes or corrections have not introduced new faults. 2) The data used for the regression tests should be the same as the data used in the original test.
(iv) System Testing:
Answer: 1) It is a process in which software & other system elements are tested as a whole.
2) System testing begins either when the software as a whole is operational or when well-defined subsets of the software's functionality have been implemented.
3) The types of testing that might be carried out are: a) Recovery Testing b) Security Testing c) Stress or Volume Testing d) Performance Testing
(v) Preventive Maintenance
Answer: Refer Question no. 26 on page no.
(vi) Parallel Running Implementation
Answer: Refer Question no. 19 on page no.
(vii) Weaknesses of Incremental Model
Incremental Model: It is a method of software development where the model is designed, implemented & tested incrementally (a little more is added each time) until the product is finished.
Weaknesses:
1) When utilizing a series of mini-waterfalls for a small part of the system before moving on to the next increment, there is usually a lack of overall consideration of the business problem & technical requirements for the overall system.
2) Each phase of an iteration is rigid & does not overlap the others.
3) Problems may arise pertaining to system architecture because not all requirements are gathered up front for the entire software life cycle.
4) Since some modules will be completed much earlier than others, well-defined interfaces are required.
5) It is difficult to demonstrate early success to management.
(viii) Accountants' involvement in development work:
An accountant can help in various related aspects during system development; some of them are as follows:
(i) Return on Investment (referred to as RoI): This defines the return an entity shall earn on a particular investment, i.e. capital expenditure. For this analysis, the following data needs to be generated:
(a) Cost: This includes estimates for the typical costs involved in the development, which are Development Costs, Operating Costs and Intangible Costs.
(b) Benefits: The benefits which result from developing new or improved information systems, which can be subdivided into tangible and intangible benefits.
(ii) Computing Cost of IT Implementation and Cost Benefit Analysis: For analysis of RoI, accountants need the costs and returns from the system development efforts.
Chapter 7: Information Technology Regulatory Issues
Objectives of the IT Act: (N18, MTP-N18)
1) To grant legal recognition:
a) For transactions carried out by means of electronic commerce in place of paper-based methods of communication.
b) To digital signatures for authentication of any information.
c) For keeping of books of accounts by bankers in electronic form.
2) To facilitate electronic:
a) Filing of documents with Government departments.
b) Storage of data.
3) To facilitate & give legal sanction to electronic fund transfers between banks & FIs.
4) To amend the: Indian Penal Code, Indian Evidence Act, 1872, Banker's Book Evidence Act, 1891, Reserve Bank of India Act, 1934.
Key issues of electronic information impacting enterprises & auditors are:
1) Authenticity: How do we implement a system that ensures that transactions are genuine & authorized?
2) Reliability: How do we rely on information which does not have physical documents?
3) Accessibility: How do we gain access to & authenticate this information, which is in digital form?
The IT Act extends to the whole of India & also applies to any offence/contravention thereunder committed outside India by any person {section 1(2) read with Section 75}.
Key Definitions:
Access means gaining entry into the logical, arithmetical or memory function resources of a computer, computer system or computer network.
Addressee means a person who is intended by the originator to receive the electronic record but does not include any intermediary.
Asymmetric Crypto System means a system of a secure key pair consisting of a PRIVATE KEY for creating a digital signature & a PUBLIC KEY to verify the digital signature. (PM)
Certification Practice Statement means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority uses in issuing Electronic Signature Certificates.
Communication Device means cell phones, personal digital assistants or any other device used to communicate, send or transmit any text, video, audio or image.
Computer means any electronic, magnetic, optical or other high-speed data processing device which performs logical, arithmetic & memory functions & includes all input, output, processing, storage, computer software or communication facilities connected to it.
Computer Network means the interconnection of one or more computers or computer systems or communication devices through:
1) the use of satellite, microwave, wire or wireless; &
2) terminals consisting of 2 or more interconnected computers or communication devices.
Computer Resource means computer, communication device, computer system, computer network, data, computer database or software. (Nov 2017)
Computer System means a device or collection of devices, including input & output support devices & excluding calculators which are not programmable, which contain computer programmes, electronic instructions, input data & output data, & that performs logic, arithmetic, data storage & retrieval, communication control & other functions.
Cyber Cafe means any facility from where access to the internet is offered by any person in the ordinary course of business.
Cyber Security means protecting information, equipment, devices, computer, computer resource, communication device & information stored therein from unauthorized access, use, disclosure, modification etc.
Data means a representation of information, knowledge, facts, concepts or instructions which are being prepared in a formalized manner & processed in a computer system or computer network, & may be in any form or stored internally in the memory of the computer.
Digital Signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with section 3. (PM, Nov 2017)
Digital Signature Certificate means a Digital Signature Certificate issued u/s 35(4).
Electronic Form means any information generated, sent, received or stored in media, magnetic, optical, computer memory or micro film. (PM)
Electronic Record means data, record/data generated, image/sound stored, received/sent in an electronic form. (Nov 2017)
Electronic Signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the 2nd Schedule & includes digital signature.
Electronic Signature Certificate means an Electronic Signature Certificate issued u/s 35.
Information includes data, message, text, images, sound, voice, codes, computer programmes, software & databases, micro film or computer generated micro fiche.
Intermediary means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record.
Key Pair, in an asymmetric crypto system, means a private key & its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.
(PM)
Originator means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary.
Private Key means the key of a key pair used to create a digital signature. (Nov 2017)
Public Key means the key of a key pair used to verify a digital signature. (N17)
Secure System means computer hardware, software & procedure that:
a) are reasonably secure from unauthorized access & misuse;
b) provide a reasonable level of reliability & correct operation;
c) are reasonably suited to performing the intended functions; &
d) adhere to generally accepted security procedures. (Nov 2017)
Verify, in relation to a digital signature, means to determine whether:
a) the initial electronic record was affixed with the digital signature by the use of the private key corresponding to the public key of the subscriber; &
b) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.
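The "Verify" definition above, together with Section 3 of Chapter II (authentication by an asymmetric crypto system & hash function), describes a check that can be carried out mechanically: conditions (a) and (b) both fail as a single signature mismatch. The Go program below is an added illustration and is not part of these notes or of the Act; the names Subscriber, Affix, Verify and RunScenarios, the choice of RSA with SHA-256, and the sample invoice record are all assumptions made here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Subscriber models the Act's "subscriber": the holder of a key pair whose
// private key creates digital signatures and whose public key verifies them.
// (Assumed type name; the Act defines the term, not this struct.)
type Subscriber struct {
	priv *rsa.PrivateKey
}

// NewSubscriber generates a fresh RSA key pair (the Act's "key pair").
func NewSubscriber() (*Subscriber, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Subscriber{priv: priv}, nil
}

// PublicKey is what the subscriber publishes; anyone may use it to verify
// the electronic record (Section 3(3)).
func (s *Subscriber) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Affix creates the digital signature of an electronic record: the record is
// reduced by a hash function (SHA-256) and the digest is signed with the
// private key, i.e. "asymmetric crypto system & hash function" (Section 3(2)).
func (s *Subscriber) Affix(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify follows the Act's definition of "verify": it reports true only if
// (a) the signature was created with the private key corresponding to pub and
// (b) the record is retained intact, i.e. its hash still matches what was
// signed. The primitive cannot tell an altered record from a foreign key;
// either way the check fails, which is what makes the signature tamper-evident.
func Verify(pub *rsa.PublicKey, record, signature []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Outcome records the result of the four verification scenarios below.
type Outcome struct {
	Genuine          bool // intact record, subscriber's own public key
	AlteredRecord    bool // one character of the record changed after signing
	AlteredSignature bool // one byte of the signature changed in transit
	WrongKey         bool // verified against another subscriber's public key
}

// RunScenarios signs a constructed electronic record and checks it under the
// four conditions; only Genuine should come out true.
func RunScenarios() (Outcome, error) {
	var out Outcome
	signer, err := NewSubscriber()
	if err != nil {
		return out, err
	}
	other, err := NewSubscriber() // an unrelated key pair
	if err != nil {
		return out, err
	}

	// Constructed sample electronic record (not from the Act).
	record := []byte("Invoice 1042: pay INR 25,000 to Account A")
	sig, err := signer.Affix(record)
	if err != nil {
		return out, err
	}

	out.Genuine = Verify(signer.PublicKey(), record, sig)

	altered := append([]byte(nil), record...)
	altered[len(altered)-1] = 'B' // Account A -> Account B after signing
	out.AlteredRecord = Verify(signer.PublicKey(), altered, sig)

	badSig := append([]byte(nil), sig...)
	badSig[0] ^= 0x01 // signature itself altered in transit
	out.AlteredSignature = Verify(signer.PublicKey(), record, badSig)

	out.WrongKey = Verify(other.PublicKey(), record, sig)
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```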
Chapter II: Digital Signature & Electronic Signature
Section 3: Authentication of Electronic Records (ER): [PM, M17]
1) Subject to the provisions of this section, any subscriber may authenticate an ER by affixing his Digital Signature.
2) Authentication of the ER shall be effected by the use of an asymmetric crypto system & hash function.
3) Any person, by the use of the public key of the subscriber, can verify the ER.
4) The Private Key & Public Key are unique to the subscriber.
Section 3A: Electronic Signature (ES): [PM]
1) NWAC (notwithstanding anything contained) in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any ER by such electronic signature which:
a) is considered reliable; &
b) may be specified in the 2nd Schedule.
2) An electronic signature shall be considered reliable if:
a) the signature creation data is linked to the signatory;
b) the signature creation data was, at the time of signing, under the control of the signatory;
c) any alteration to the ES is detectable;
d) any alteration to the information is detectable; &
e) it fulfills such other conditions as may be prescribed.
3) The CG may prescribe the procedure for the purpose of ascertaining whether the ES is that of the person by whom it is supposed to be authenticated.
4) The CG may, by notification in the OG, add to or omit any ES from the 2nd Schedule.
5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.
Chapter III: Electronic Governance
Section 4: Legal Recognition of Electronic Records: Where any law provides that information shall be in writing/printed form, then, NWAC in such law, such requirement shall be deemed to have been satisfied if such information is:
a) made available in an e-form; &
b) accessible so as to be usable for a subsequent reference.
Section 5: Legal Recognition of Electronic Signatures: [MTP1-N18] Where any law requires that any information be authenticated by affixing the signature, then, NWAC in such law, such requirement shall be deemed to have been satisfied if such information is authenticated by means of an ES affixed in such manner as may be prescribed by the CG.
Section 6: Use of Electronic Records & Electronic Signatures in Govt. & its agencies: [PM]
1) Where any law provides for:
a) filing of any form, application or any other document with the Govt. in a particular manner,
b) issue/grant of any license, permit or sanction,
c) receipt/payment of money,
then, NWAC in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such activity is effected by means of such e-form as may be prescribed by the appropriate Govt.
Section 6A: Delivery of Services by Service Provider:
1) The appropriate Govt. may, for efficient delivery of services to the public through electronic means, authorize, by order, any service provider to set up, maintain & upgrade the computerized facilities & perform such other services as it may specify by notification in the OG.
2) The service provider can collect service charges from the person availing such service. Provided that the appropriate Govt. may specify different scales of service charges for different services.
Section 7: Retention of Electronic Records: [M15/16, RTP-N15, MTP-M15, N15/16, M16/17]
1) Where any law provides that documents, records or information shall be retained for any specific period, then such requirement shall be deemed to have been satisfied if such documents, records or information are retained in electronic form, if:
a) the information contained therein remains accessible;
b) the electronic record is retained in the format in which it was originally generated; &
c) details which will facilitate the identification of the origin, destination, date & time of dispatch or receipt of such electronic record are available in the e-record.
Provided that this clause does not apply to any information which is automatically generated solely for the purpose of enabling an e-record to be dispatched or received.
2) Nothing in this section shall apply to any law that expressly provides for the retention of documents in the form of e-records.
Section 7A: Audit of Documents, etc. Maintained in E-form: (MTP2-N18) Provisions for the audit of documents shall also be applicable to the audit of documents processed & maintained in e-form.
Section 8: Publication of Rules, Regulations, etc. in the Electronic Gazette: Where any law provides that any rule, regulation, order, bye-law or notification shall be published in the OG, then such requirement shall be deemed to have been satisfied if such rule, regulation, order, bye-law or notification is published in the OG or E-Gazette.
Section 9: Sections 6, 7 & 8 not to confer a right to insist that a document should be accepted in e-form: Nothing contained in sections 6, 7 & 8 shall confer a right upon any person to insist that any govt. should accept, issue, create, retain & preserve any document in e-form.
Section 10: Power of the CG to make rules in respect of Electronic Signatures (ES): (PM, RTP-M16) The CG may, by rules, prescribe:
a) the type of ES;
b) the manner & format in which the ES shall be affixed;
c) the manner/procedure which facilitates identification of the person affixing the ES;
d) control processes & procedures to ensure adequate integrity, security & confidentiality of electronic records/payments; &
e) any other matter which is necessary to give legal effect to ES.
Section 10A: Validity of contracts formed through electronic means: Where, in a contract formation, the communication, acceptance or revocation of proposals is expressed in electronic form, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form/means was used for that purpose.
Chapter V: Secure Electronic Records & Secure Electronic Signatures
Section 14: Secure Electronic Record: Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.
Section 15: Secure Electronic Signature: An electronic signature shall be deemed to be a secure electronic signature if:
i) the signature creation data, at the time of affixing the signature, was under the exclusive control of the signatory; &
ii) the signature creation data was stored & affixed in such manner as may be prescribed.
Section 16: Security Procedures & Practices: The CG may, for the purposes of sections 14 & 15, prescribe the security procedures & practices.
Chapter IX: Penalties, Compensation & Adjudication
Section 43: Penalty & Compensation for damage to computer, computer system, etc.: If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network:
a) accesses or secures access to such computer, computer system or computer network;
b) downloads, copies or extracts any data or computer database from such computer, computer system or computer network;
c) introduces or causes to be introduced any computer virus into any computer, computer system or computer network;
d) damages or causes to be damaged any computer, computer system or computer network;
e) disrupts or causes disruption of any computer, computer system or computer network;
f) denies or causes the denial of access to any person authorized to access any computer, computer system or computer network;
g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations;
h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
i) destroys, deletes or alters any information residing in a computer, computer system or computer network;
j) steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code with an intention to cause damage (refer Sec 65).
Section 43A: Compensation for failure to protect data: [May 2018] Where a body corporate, possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing & maintaining reasonable security practices & procedures & thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Section 44: Penalty for failure to furnish information, return, etc.: [M18, RTP M17] If any person who is required under this Act or any rules/regulations made thereunder:
1) to furnish any document, return or report to the Controller/Certifying Authority, fails to furnish the same, he shall be liable to a penalty not exceeding Rs.1,50,000 for each such failure;
2) to file any return or furnish any information, books or other documents within the time specified therefor in the regulations, fails to file the return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding Rs.5,000 for every day during which such failure continues;
3) to maintain books of account or records, fails to maintain the same, he shall be liable to a penalty not exceeding Rs.10,000 for every day during which the failure continues.
Section 45: Residuary Penalty: Whoever contravenes any rules/regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay compensation not exceeding Rs.25,000 to the person affected by such contravention, or a penalty not exceeding Rs.25,000.