M3: Management Information System Chapter:1: Emerging Technology, E-Business

Uploaded by sk3148170


M3: MANAGEMENT INFORMATION SYSTEM

Chapter 1: Emerging Technology, E-business

Electronic Commerce (E-Commerce): "The process of buying, selling or exchanging products,
services and information via computer networks."
● Buying, selling and exchanging products, e.g. Daraz, eBay, Amazon; this also covers
product-for-product exchange on sites such as OLX, Daraz or Pakwheels.
● Buying, selling and exchanging services, e.g. online banking, online teaching, or telecom
operators such as Warid and Jazz exchanging services in the form of shared services.
● Buying, selling and exchanging information, e.g. NADRA sells information, various companies
buy information, and Google and Facebook exchange information.

E-Commerce Perspectives:
E-commerce is defined through these perspectives:
1. Communication perspective:
Delivery of information, payments, products or services over telephone lines, computer
networks or any other electronic means. E.g. cable net, Easypaisa or TV cable.
2. Community perspective:
Businesses of the same type come together through e-commerce, which helps them form a
community.
3. Business process perspective:
Application of technology to the automation of business transactions and workflows.
E.g. ATMs, barcodes, Uber, Careem.
4. Service perspective:
Addresses the desire of firms, consumers and management to cut service costs while
improving the quality of goods and increasing the speed of delivery.
E.g. online banking and teaching.
5. Online perspective:
The capability of buying and selling products and information on the internet and other
online networks.
6. Collaborative perspective:
Collaboration between businesses and consumers through social networking sites such as
Facebook, YouTube and LinkedIn.

E-Business:
A broader definition of e-commerce that includes not just the buying and selling of goods and
services but also serving customers, collaborating with business partners and conducting
electronic transactions within an organization.
For example:
- Serving customers:
CRM software is used to serve customers, e.g. in banks and at ATMs.
- Collaborating with business partners:
SCM automates the whole process of supplying and distributing to wholesalers and customers,
with the help of ERP and EDI.
- Conducting e-transactions:
EFT (electronic funds transfer) makes transactions easy and fast.
Pure vs Partial E-commerce:
EC takes several forms depending on the degree of digitization of:
a) The product (or service) sold
b) The process
c) The delivery agent (or intermediary)
- Partial E-commerce:
The process is partly physical and partly online, e.g. a food delivery app (foodpanda) or an
online taxi service (Uber), where the ordering process is online but the product or service is
physical.
- Pure E-commerce:
The whole process is electronic and the product itself is digital, e.g. e-books, e-tickets.

Benefits to Organizations:
● Global reach: the business reaches customers anywhere using just the internet and a website.
● Cost reduction: the cost of physical outlets is reduced by opening digital outlets.
● Supply chain improvement: the supply chain is automated by software; order and delivery
times improve, which enhances the whole supply chain.
● Extended business hours: a 24/7 online business reaches the maximum number of people.
● Customization: customers are free to customize their orders to their own choices.
● New business models: SCM, ERP, CPM etc.

Benefits to Customers:
● Ubiquity: around-the-clock availability of business information and updates
● More products and services: more choices
● Customized products and services: freedom to customize the order or service
● Cheaper products and services: more choices at lower cost
● Instant delivery: fast delivery options

Benefits to Society:
● Telecommuting
● Higher standard of living
● Homeland security
● Hope for the poor
● Availability of public services

E-commerce Risks:
Confidentiality: Potential customers are concerned about providing personal and sensitive
information to unknown vendors. In every transaction between buyer and seller there is a threat
of the information being misused, e.g. theft of a credit card number.
Integrity: Data, both in transit and in storage, is at risk of unauthorized alteration or deletion,
e.g. by hacking.
Availability: E-commerce requires a business to be available 24 hours a day, seven days a
week, so high availability is important; any system failure or outage can lose potential
customers or business partners.
Authentication & Non-repudiation: Parties to an electronic transaction should be in a known
and trusted business relationship, which requires that they prove their respective identities
through an authentic medium. There must then be some means of ensuring that the parties
cannot later deny having entered into or completed the transaction, or its terms.
Power shift to customers: The internet gives consumers unparalleled access to market
information and makes it easy for them to switch between suppliers. Firms need to make their
offerings attractive and seamless in terms of service delivery.
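As an added illustration of the integrity and non-repudiation points above (this is example code written for these notes, not something from the original text): the Python below protects an order record with a keyed hash (HMAC-SHA256) so that any alteration in transit is detected. The order record, the shared key and the tampered copy are all constructed for the example. The caveat in the comments is the practical one: because buyer and seller both hold the same key, an HMAC gives integrity and authentication between the two of them, but not non-repudiation; that needs a digital signature made with a private key that only the signer holds.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the example; in practice it is provisioned
# out of band and never embedded in source.
SHARED_KEY = b"example-shared-key-do-not-use"


def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both sides hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Compute an HMAC-SHA256 integrity tag over the canonical order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = tag_order(order, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample: the buyer sends this order together with its tag.
ORDER = {"order_id": "PO-1001", "item": "WIDGET-7", "qty": 10, "unit_price": "4.50"}


def demo():
    tag = tag_order(ORDER)
    ok_original = verify_order(ORDER, tag)

    # Someone on the path changes the price but cannot recompute the tag
    # without the key, so verification of the altered record fails.
    tampered = dict(ORDER, unit_price="0.01")
    ok_tampered = verify_order(tampered, tag)
    return ok_original, ok_tampered


# Caveat: the seller holds SHARED_KEY too, so a valid tag only shows that
# someone with the key produced the order; the buyer can still repudiate it
# ("the seller forged that tag"). Non-repudiation needs an asymmetric
# signature (RSA/ECDSA) made with a key only the buyer holds.
if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two-tuple from demo() shows the untouched record verifying and the altered one failing; swapping in a different key also fails verification, which is how a receiver notices a message from a party that does not share the secret.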

B2B (Business-to-Business):
B2B e-commerce is the wholesale and supply side of the commercial process, where businesses
buy, sell or trade with other businesses. It relies on many different technologies, most of which
are implemented on e-commerce websites on the World Wide Web and on corporate intranets
and extranets.
B2B applications include:
● Electronic catalog systems such as exchange and auction portals
● Electronic Data Interchange (EDI)
● Electronic funds transfer
E.g. Oracle, Alibaba, Qualcomm.

B2C (Business-to-Consumer):
The basic concept of this model is that a business sells products directly to consumers online.
Businesses must develop attractive e-marketplaces to entice customers and sell products or
services to them. They can offer:
● E-commerce websites that provide a virtual storefront and multimedia catalogs
● Interactive order processing
● Secure electronic payment systems
● Online customer support
E.g. eBay, Amazon, Walmart.

B2E (Business-to-Employees):
In this model an organization delivers services, products or information to its employees
through portals built for them. It may include automation of the attendance system, work from
home, and up-to-date information about employees and the organization on a portal they can
easily access.

B2G (Business-to-Government):
The sale and marketing of goods and services to federal, state or local agencies. Contracts are
signed between the government and companies in response to a government agency's request
for proposal (RFP), published on the agency's website. Businesses bid for contracts by
submitting RFP responses. The whole bidding process takes place online in real time.
E.g. government procurement of weapons, roads, buildings etc.

G2C (Government-to-Citizen):
Government providing goods, services and information to citizens online, making it easier for
them to interact with the government. Citizens can easily access their personal information and
records, conduct transactions such as a change of address or family status, or resolve
disputes on government online advisory portals or websites.
E.g. Information Technology Commission, Pakistan Telecommunication Authority, Pakistan
Citizen Portal.

C2C (Consumer-to-Consumer):
In this model consumers sell directly to other consumers. It allows consumers to buy from and
sell to each other, often through an auction process on an auction website such as eBay. It
involves electronically facilitated transactions between individuals, usually through a third party:
individuals list an item for sale and others bid to purchase it. These sites normally charge a
commission to the sellers using them. E.g. Upwork, Pakwheels, OLX.

ELECTRONIC DATA INTERCHANGE (EDI):

EDI is the computer-to-computer exchange of routine business documents between trading
partners in a standard format. The format most widely used in North America is the ANSI ASC
X12 standard; UN/EDIFACT is the usual choice elsewhere. Both allow computers with EDI
software installed to exchange data in a structured form.

EDI Layered Architecture

Application/Semantic Layer:
The application layer is also called the semantic layer. It describes the business application
that is driving EDI; for a procurement application this translates into requests for quotation,
purchase orders, acknowledgements and invoices. This layer is specific to a company and the
software it uses.
Standard Layer:
An organization may raise an invoice in its own software and send it to customers who use
totally different software. For the receiver to understand the data, both sides must follow a
common EDI standard, e.g. ANSI X12 or UN/EDIFACT.
Transport Layer:
This layer defines the type of communication service or protocol used, e.g. e-mail,
point-to-point links, the Web.
Physical Layer:
The physical layer of EDI is also called the infrastructure layer. It defines the data
transmission path(s) for EDI transactions: dial-up lines, the Internet, WANs.
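As an added example (not from the original notes) of what the standard layer looks like on the wire: the Python below parses a small ANSI X12 interchange, reading the element and segment separators from the ISA header instead of hard-coding them, and then checks the segment count that each SE trailer claims against the segments actually present in its transaction set. The sample purchase order (ISA/GS/ST ... SE/GE/IEA envelope around a single 850) is constructed for the example, and the sender and receiver IDs are placeholders. The count check catches a truncated or dropped segment, which is the kind of fault it was designed for; it does not detect a changed value, which is why EDI over the public internet is normally carried inside AS2 or a similar wrapper that adds signatures and encryption.

```python
from typing import List

Segment = List[str]

# Constructed sample interchange: one 850 purchase order inside GS and ISA
# envelopes. Sender/receiver IDs are placeholders. ISA is fixed-width; its
# 16th element (here ">") is the sub-element separator and the character
# immediately after it ("~") is the segment terminator.
SAMPLE_X12 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*240101*1200*U*00401*000000001*0*T*>~\n"
    "GS*PO*SENDERID*RECEIVERID*20240101*1200*1*X*004010~\n"
    "ST*850*0001~\n"
    "BEG*00*SA*PO-1001**20240101~\n"
    "N1*ST*Example Warehouse~\n"
    "PO1*1*10*EA*4.50**VP*WIDGET-7~\n"
    "SE*5*0001~\n"
    "GE*1*1~\n"
    "IEA*1*000000001~\n"
)


def separators(raw: str):
    """Derive the element and segment separators from the ISA header."""
    if not raw.startswith("ISA"):
        raise ValueError("interchange must start with ISA")
    elem_sep = raw[3]
    # ISA always has 16 elements; the terminator follows the 1-char ISA16.
    pos = -1
    for _ in range(16):
        pos = raw.index(elem_sep, pos + 1)
    seg_term = raw[pos + 2]
    return elem_sep, seg_term


def parse_x12(raw: str) -> List[Segment]:
    """Split an interchange into segments, each a list of elements."""
    elem_sep, seg_term = separators(raw)
    segments = []
    for chunk in raw.split(seg_term):
        chunk = chunk.strip()  # tolerate line breaks after terminators
        if chunk:
            segments.append(chunk.split(elem_sep))
    return segments


def check_transaction_sets(segments: List[Segment]) -> List[str]:
    """Verify each ST..SE block: SE01 must equal the number of segments
    (ST and SE included) and SE02 must match ST02. Returns problems found."""
    problems = []
    current = None  # [control number, segment count] of the open set
    for seg in segments:
        tag = seg[0]
        if tag == "ST":
            if current is not None:
                problems.append(f"ST {current[0]} not closed before new ST")
            current = [seg[2], 0]
        if current is not None:
            current[1] += 1
        if tag == "SE":
            if current is None:
                problems.append("SE without matching ST")
                continue
            ctrl, count = current
            if seg[2] != ctrl:
                problems.append(f"SE control {seg[2]} != ST control {ctrl}")
            if int(seg[1]) != count:
                problems.append(f"SE claims {seg[1]} segments, found {count}")
            current = None
    if current is not None:
        problems.append(f"ST {current[0]} never closed")
    return problems


def line_items(segments: List[Segment]):
    """Return (product id, quantity) pairs from PO1 segments."""
    return [(seg[7], int(seg[2])) for seg in segments if seg[0] == "PO1"]


if __name__ == "__main__":
    segs = parse_x12(SAMPLE_X12)
    print(line_items(segs))              # [('WIDGET-7', 10)]
    print(check_transaction_sets(segs))  # []
    # Drop the N1 segment: the SE count no longer matches.
    truncated = SAMPLE_X12.replace("N1*ST*Example Warehouse~\n", "")
    print(check_transaction_sets(parse_x12(truncated)))
```

Reading the separators from ISA rather than assuming "*" and "~" matters because trading partners do use other characters, and a parser that assumes the common ones will silently mis-split a valid interchange.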

Open Systems Interconnection (OSI):

It is a framework for data communication over networks. The OSI model is a standard
description or "reference model" of how messages should be transmitted between any two
points in a telecommunications network.
It is composed of 7 layers:
1) Physical Layer: Converts data bits into electrical impulses, light pulses or radio signals.
Example: Ethernet cabling.
2) Data Link Layer:
Responsible for node-to-node connection, framing, error detection and error correction.
3) Network Layer:
Addresses packets (IP addresses) and finds the best route for them.
4) Transport Layer:
This layer handles:
a) Flow control
b) Error control
c) Retransmission, segmentation (breaking data into segments) and reassembly (putting the
segments back together at the receiver).
5) Session Layer:
It handles:
a) Establishment of a session
b) Managing the session
c) Termination of the session
d) Authentication (verifying/proving identity)
6) Presentation Layer:
Transforms data into the form the application layer accepts (encoding, compression,
encryption).
7) Application Layer:
Interacts with the end user and converts messages into a format that can be transported.

ERP (Enterprise Resource Planning):

It is a single integrated information system with multiple modules that fulfils the requirements
of all the departments/functional areas of a business.

ERP Application Components:


Benefits of ERP:
1. Improvements in quality and efficiency
2. Significant reductions in transaction processing costs and IT support
3. Provides cross-functional information for making better decisions
4. ERP breaks down functional walls, making a more
Causes of ERP Failure:
1. Underestimating the complexity of planning, development and training
2. Failure to involve affected employees in planning and development
3. Trying to do too much too fast
4. Insufficient training in new work tasks
5. Failure to do enough data conversion and testing.

Cost of implementing a new ERP system:

Customer Relationship Management (CRM):

Customer relationship management is a technology for managing all of a company's
relationships and interactions with customers and potential customers. The goal is simple:
improve business relationships. It provides a framework of web-enabled software and databases
that integrate these processes with the rest of the organization's processes.
CRM Applications:
1) Contact and Account Management:
Helps automate the work of sales, marketing and service professionals.
2) Sales:
Provides the software tools and data needed to support and manage sales activities.
- Cross-selling: trying to sell a customer of one product a related product.
- Up-selling: trying to sell customers a better product than the one they are currently seeking.
3) Marketing and Fulfillment:
Capturing targeted market segments (e.g. Safeguard targets children).
4) Retention and Loyalty Programs:
Help organizations identify, reward and market to their most loyal and profitable customers,
using data mining tools, analytical software and a customer data warehouse.
CRM Support for the Customer Life Cycle:
Three phases of the customer life cycle:
Acquire: acquire new customers
Enhance: keep customers happy, cross-sell and up-sell
Retain: identify and reward the most loyal and profitable customers

CRM Benefits:
● Identify and target best customers
● Real-time customization and personalization of products and services
● Track when customer contacts org
● Provide consistent customer experience, superior service and support.

Reasons for CRM Failures:
● Lack of understanding and preparation
● Relying on the application to solve the problem first, without changing the business process
● Business stakeholders not participating and not prepared

Types of CRM:
There are 3 types of CRM:
1. Operational CRM: Capture details, generates
2. Analytical CRM: Data analysis.
3. Collaborative CRM: Feedback maintenance

Supply Chain Management (SCM):
Supply chain management is the management of the flow of goods, data and finances related
to a product or service, from the procurement of raw materials to the delivery of the product at
its final destination.

SCM life Cycle:


SCM Functional Processes:
● Strategic Sourcing and Procurement: Sourcing refers to deciding from which source to buy
raw material according to trends and needs, whereas procurement is the process covering
all the activities needed to obtain items from suppliers over the whole purchase cycle.
● Forecasting and Demand Planning: Helps forecast product demand and how much to
produce, and adjust according to the demand for products.
● Customer Order Fulfillment/Service: Provides customization of products according to the
customer's requirements and preferences (e.g. by collecting cookies).
● Distribution Network and Warehousing: Helps choose the best and nearest locations for
warehouses and for the distribution and supply processes.
● Production Logistics: Eases access to the products and services involved in and required
during production.
● Transportation and Shipment Management: Helps manage the transportation process by
identifying which transport option to use and the best alternatives.

Causes of Problems in SCM:
1. Lack of proper demand-planning knowledge, tools and guidelines
2. Inaccurate or overoptimistic demand forecasts
3. Inaccurate production, inventory and other data
4. Lack of adequate collaboration within the company and between partners.

Goals and Objectives of SCM:

Upstream SCM:
The upstream portion of the supply chain includes the organization's suppliers and the
processes for managing relationships with them.
Downstream SCM:
It includes the processes for distribution and delivery of products to the final customers.

E-commerce Architecture:
E-commerce architecture refers to the overall structure and design
of an electronic commerce system. It involves various components and layers that work together
to facilitate online transactions.
Types of Architecture:
1) Single-Tier (Single-Layer) Architecture: In this type, all the components of the e-commerce
system are tightly integrated into a single unit. Both the user interface and the data
management functions reside on the same server.
2) Two-Tier Architecture: In a two-tier architecture, the system is divided into two main
components or tiers: the client or front-end and the server or back-end.
Client Tier: This is the user interface where interactions take place. It includes the presentation
logic and user interface components.
Server Tier: This tier manages the application logic and the database. It handles both business
processes and data storage.
3) Three-Tier Architecture: Three-tier architecture further separates the components, creating
three distinct tiers: presentation, application and data.
Presentation Tier: Similar to the client tier in two-tier architecture, it deals with the user interface
and user interactions.
Application Tier: This tier, also known as the middleware, handles the application logic and
business processes. It acts as an intermediary between the presentation tier and the data tier.
Data Tier: Responsible for managing data storage, retrieval and database interactions. It
focuses solely on handling data-related tasks.
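Why the middle tier matters for security, as an added example written for these notes rather than taken from them: the presentation tier runs on the customer's machine, so anything it checks can be bypassed by sending a request directly. The Python below sketches the three tiers in one file with constructed sample data and hypothetical function names. The application tier repeats the input validation, enforces that the caller owns the order (object-level authorization), and the data tier only ever runs parameterized SQL, so a crafted `order_id` never reaches the database as query text.

```python
import sqlite3

# ---- Data tier: storage only, parameterized SQL, no business rules ----
def open_data_tier() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample orders."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, qty INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", 2), (2, "bob", 5)])
    return db


def get_order(db, order_id: int):
    return db.execute("SELECT customer, qty FROM orders WHERE id = ?",
                      (order_id,)).fetchone()


def update_qty(db, order_id: int, qty: int) -> int:
    """Parameterized update; returns the number of rows changed."""
    cur = db.execute("UPDATE orders SET qty = ? WHERE id = ?", (qty, order_id))
    db.commit()
    return cur.rowcount


# ---- Application tier: validation and authorization live here ----
class Rejected(Exception):
    pass


def change_order_quantity(db, session_user: str, order_id, qty) -> int:
    """The browser may have checked these too, but the browser is under the
    user's control, so every rule is enforced again on the server side."""
    if not isinstance(order_id, int) or not isinstance(qty, int):
        raise Rejected("ids and quantities must be integers")
    if not 1 <= qty <= 100:
        raise Rejected("quantity out of range")
    row = get_order(db, order_id)
    if row is None or row[0] != session_user:  # object-level authorization
        raise Rejected("order not found")        # same message: no enumeration
    return update_qty(db, order_id, qty)


# ---- Presentation tier: whatever the client sent, trusted for nothing ----
def handle_request(db, session_user: str, form: dict) -> str:
    """Simulates the front end handing a submitted form to the middle tier."""
    try:
        change_order_quantity(db, session_user, form.get("order_id"), form.get("qty"))
        return "ok"
    except Rejected as e:
        return f"rejected: {e}"


def demo():
    db = open_data_tier()
    results = [
        handle_request(db, "alice", {"order_id": 1, "qty": 3}),         # legitimate
        handle_request(db, "alice", {"order_id": 1, "qty": -3}),        # client check bypassed
        handle_request(db, "alice", {"order_id": 2, "qty": 1}),         # bob's order
        handle_request(db, "alice", {"order_id": "1 OR 1=1", "qty": 1}),  # injection attempt
    ]
    return results, get_order(db, 1), get_order(db, 2)


if __name__ == "__main__":
    print(demo())
```

Only the first request changes anything; bob's order is untouched and the injection string is rejected before it gets near the data tier. Collapsing the application tier into the client (a two-tier design where the front end talks to the database directly) removes exactly the place where these checks are enforceable.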

Cloud Computing:
It is the delivery of computing services (servers, storage, network connectivity, software,
operating systems, bandwidth, databases) to help an organization fulfil its business needs.
These resources are made available on demand and can be accessed remotely.
E.g. Microsoft Azure, Amazon Web Services (AWS), Google Drive, Dropbox, IBM Cloud.

Types of cloud computing:
1. Private cloud: Cloud computing resources used solely by a single business or organization,
with the services and infrastructure maintained on a private network. E.g. an HP data center,
Microsoft Azure Stack.
2. Public cloud: Cloud computing services offered to the general public over the internet by a
third-party provider, usually on a pay-per-use or subscription basis (some consumer services
have a free tier). E.g. Google Drive, Microsoft Azure.
3. Hybrid cloud: A combination of public and private clouds that allows data and applications
to be shared between them. By allowing data and applications to move between private and
public clouds, a hybrid cloud gives a business greater flexibility and more deployment options,
and helps optimize its existing infrastructure, security and compliance. E.g. AWS, Microsoft
Azure Arc, Google Anthos.

Types of cloud services:
1. Infrastructure as a Service (IaaS): The most basic category of cloud computing services.
With IaaS you rent virtual machines (VMs), storage, networks, operating systems etc.
2. Platform as a Service (PaaS): A complete environment for developing, testing, delivering
and managing software applications. It provides development tools, utilities, libraries etc.
3. Software as a Service (SaaS): Offers software applications over the internet on a
subscription basis. Users can use the software without worrying about installation,
maintenance or updates.
4. Serverless computing: Focuses on building functionality, enabling developers to build
applications faster by removing the need for them to manage servers and infrastructure.

Artificial Intelligence (AI):

Artificial intelligence (AI) refers to the simulation of human intelligence in machines that are
programmed to think like humans and mimic their actions.
There are 2 categories of AI:
1. Weak (narrow) artificial intelligence: Designed to carry out one particular job. Weak AI
systems include game-playing programs such as chess engines and personal assistants such
as Amazon's Alexa and Apple's Siri.
2. Strong artificial intelligence: Systems that would carry out the full range of tasks considered
human-like. These are far more complex; self-driving cars and ChatGPT are often cited as steps
in this direction, although by the strict definition they are still task-specific systems.

Importance in Accounting, Finance, Taxation and IT

Accounting: AI helps accountants by automating tasks like organizing financial data, reducing
errors and generating reports efficiently, like having a virtual assistant.

Finance: AI contributes by managing risk, detecting fraud and optimizing investment portfolios.

Taxation: AI supports compliance with complex regulations by analyzing large datasets, helping
professionals navigate intricate rules.

Information technology: AI is used to enhance cybersecurity through rapid threat detection and
response. It analyzes large datasets to uncover patterns and trends, aiding strategic
decision-making for IT professionals.

AI can be classified into three main groups of areas:

• Cognitive Science:
This area of AI is based on research in biology, neurology, psychology, mathematics and other
allied disciplines. It focuses on how the human brain works and how humans think and learn.
Developments in this area include expert systems and knowledge-based systems, as shown in
the figure.
• Robotics:
Computer science, physiology and engineering are the basic disciplines of robotics. This
technology produces robot machines with computer intelligence and computer-controlled,
human-like physical capabilities: the sense of touch, visual perception, dexterity (agility or skill
to react), locomotion (the physical ability to move around) etc.
• Natural Interfaces:
Includes research in linguistics, psychology and other sciences, and is considered the most
essential development in AI. It includes natural language processing and speech recognition,
making computers and robots able to understand conversation in human languages as easily
as humans do.

Chapter 2: INFRASTRUCTURE AND OPERATIONS


Management of IS Operations:
IS management is responsible for all the operations carried out within the IT department. It
involves allocation of resources (align, plan, organize), adherence to standards and procedures
(deliver, service, support) and monitoring of IS operational processes (monitor, evaluate,
assess).

IT Service Management:

IT service management (ITSM) is the implementation and management of IT services (people,
process and information technology) to meet business needs.
ITSM focuses on business deliverables and covers the infrastructure management of the IT
applications that support and deliver these IT services.
ITSM includes the following:
IT service support
• Help desk (service desk)
• Incident management
• Problem management
• Change management
• Release management
IT service delivery
• Service-level management
• Capacity management

Service Level Agreement (SLA):

An SLA is an agreement between the IT organization and the customer. It details the nature,
type, timing and other particulars of the services to be provided by the IT service provider,
which could be an internal IT department or an external IT organization.
The SLA describes the services in non-technical terms from the customer's point of view.
During its term it serves as the standard for measuring and adjusting the services.
Service level management (SLM): The main purpose of SLM is to make sure that every IT
service currently provided, and every one planned for the future, is delivered to the previously
agreed service level targets. The aim is to maintain customer satisfaction and improve service
levels.

Problem Management:
It is the process of identifying the root cause of one or more incidents and the best method of
eliminating that root cause. Once a problem has been identified and its root cause found, the
condition becomes a Known Error. A workaround can be developed to address the error state
and prevent future occurrences of related incidents.
Problem escalation and resolution: The primary risk from unresolved problems is the
interruption of business operations. An unresolved hardware or software problem could
potentially corrupt data. IS management should develop operations documentation to ensure
that procedures exist for escalating unresolved problems to a higher level of management.
Problem escalation procedures generally include:
- Names and contact details of persons who can deal with specific problems
- Types of problems that require an urgent solution
- Problems that can wait until normal working hours

Help Desk:
It is a centralized function that provides assistance and resolves technical issues for users and
customers.
The help desk personnel must ensure that:
- All hardware and software problems that arise are fully documented.
- Problems are escalated based on priorities established by management.
- The help desk is the first, single and central point of contact for users in any emergency.
- Unresolved problems are followed up and resolved problems are closed out.
Functions:
1. Troubleshooting
2. Resolving issues
3. User support
4. Documentation
5. Communication bridge
6. Training and education

Release Management:
Release management is the process through which software is made available to users. A
release typically consists of a number of fixes and enhancements to the service. A release of
new or changed software may be a:
1. Major release: Normally contains a significant change or the addition of new functionality. A
major release usually supersedes all previous minor releases.
E.g. Windows 10 to Windows 11, Android 11 to Android 12.
2. Minor release: Normally contains small enhancements or fixes. A minor release usually
supersedes all preceding emergency fixes.
E.g. Windows 8 to 8.1, or routine security patches.
3. Emergency release: Normally contains corrections to a small number of known problems.
Emergency releases are fixes that must be implemented as quickly as possible to prevent
significant downtime of business-critical functions.
E.g. high-priority security patches and critical bug fixes.

Capacity Management Process:

Capacity management is the planning and monitoring of computer and network resources to
ensure that the available resources are used efficiently and effectively. The expansion or
reduction of resources should take place in parallel with overall business growth or reduction,
so a capacity plan should be developed with input from both users and IS management to
ensure that business goals are achieved in the most efficient and effective manner.
Key inputs to this task:
- CPU utilization
- Computer storage utilization
- Telecommunication and other network utilization
- Number of users
- New technologies and applications
- SLAs
Capacity Planning & Monitoring Elements:
1. Development
2. Monitoring
3. Analysis
4. Tuning
5. Implementation
6. Modeling
7. Application sizing

Media Sanitization:
It is a process by which data is irreversibly removed from media, or the media is permanently
destroyed, to preserve the confidentiality of the sensitive information stored on it.
Sanitization: Permanently deleting or destroying data on a storage device so that it cannot be
recovered.
E.g. Media sanitization can be accomplished by overwriting data, degaussing (magnetic media
only), disintegration, shredding and melting. Overwriting is not reliable on flash-based SSDs,
where wear levelling leaves copies of blocks the host cannot address; for those, use the drive's
built-in secure erase or cryptographic erase, or destroy the device physically.
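As an added example (written for these notes, not part of the original text) of the overwriting method: the Python below opens a file without truncating it, overwrites every byte in place for a zeros pass, a ones pass and a random pass, forces each pass to the device with fsync, then truncates and unlinks the file. The file of fake card data it sanitizes is constructed in a temporary directory. The comments carry the caveats a practitioner needs: this only addresses the blocks the file currently occupies on a conventional disk, and it gives no guarantee on copy-on-write or snapshotting filesystems, on SSDs, or for copies that already exist in backups.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def _write_all(f, buf: bytes) -> None:
    """Unbuffered writes may be partial; keep writing until buf is consumed."""
    view = memoryview(buf)
    while view:
        written = f.write(view)
        view = view[written:]


def overwrite_file(path: str, passes=(b"\x00", b"\xff", None)) -> int:
    """Overwrite the file in place once per pass (None means random bytes),
    fsync after each pass, then truncate and unlink it.
    Returns the size in bytes that each pass covered."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so writes land on the blocks the file
    # already occupies rather than on freshly allocated ones.
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                _write_all(f, secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            os.fsync(f.fileno())  # push the pass past the OS page cache
        f.truncate(0)
        os.fsync(f.fileno())
    os.unlink(path)
    return size
    # Caveats: copy-on-write filesystems (btrfs, ZFS), snapshots, journaling,
    # SSD wear levelling and existing backups can all retain the old blocks.
    # In-place overwriting is only meaningful for a plain file on a magnetic
    # disk; otherwise use the drive's secure/cryptographic erase or destroy it.


def demo() -> tuple:
    """Create a constructed file of fake card data, sanitize it, report result."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"CARD=4111111111111111;CVV=123\n" * 1000)  # constructed content
    size = overwrite_file(path)
    return size, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (30000, False)
```

The point of returning the size is that a sanitization routine should be able to report what it covered; a routine that cannot say how many bytes it touched cannot be audited against the media's capacity.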

Network:
The connection of two or more computers or devices via some medium (cable, air, space etc.)
to share information or resources.
E.g. TV cable network, computer cable network, Wi-Fi, Bluetooth, mobile network, satellite.
The communication lines for networks can be classified into dedicated circuits (leased lines)
and switched circuits.
1. Dedicated Circuit: A dedicated circuit, also known as a leased line, is a symmetric
telecommunication line connecting two or more locations. Each side of the line is permanently
connected to the other. Dedicated circuits can be used for telephone, data or internet services.
*A leased line is a private, dedicated point-to-point connection provided by a service provider
between two or more locations, solely for the use of one organization.
2. Switched Circuit: A switched circuit does not permanently connect two locations; it is set up
on demand, based on the addressing method.
Circuit switching: Switched circuits allow a data connection to be initiated when needed and
terminated when communication is complete. Circuit switching is typically used on the
telephone network.
Packet switching: A technology in which users share common carrier resources (the same
network resources). It is a mode of data transmission in which the data is broken into many
small chunks called packets, which are transmitted over the shared carrier network, each taking
the best free path through different routes, and reassembled into the data file at the destination.
It allows the carrier to make more efficient use of its infrastructure, so the cost to the customer
is much lower than for leased lines.
E.g. Wi-Fi, cloud storage etc.

Methods for transmitting signals are either baseband or broadband:

Baseband: The whole channel is used to carry one signal at a time (e.g. Ethernet). It is mostly
used for digital signals. A baseband link may be half duplex (one direction at a time) or, with
modern equipment, full duplex.
Broadband: Multiple signals are carried at the same time by dividing the channel into
frequency bands (e.g. cable TV, DSL). It is mostly used to carry analog (modulated) signals and
supports full duplex communication.
*Simplex is one-way communication (TV and radio broadcast).
*Half Duplex is two-way communication, but in only one direction at a time (walkie-talkie).
*Full Duplex is two-way communication in both directions at the same time (mobile phone).
*Bandwidth: The maximum amount of data that can be transmitted over a connection in a given
amount of time, usually measured in megabits per second (Mbps). Bandwidth is often mistaken
for internet speed, when it is actually the volume of information that can be sent over a
connection in a measured amount of time. The achievable data rate over a given medium falls
as distance increases.

Types of Network:
There are three types of network:
Server-based network: In this setup, one or more servers provide services, resources, or data to
client devices connected to the network. Clients request access to these resources, and the
server responds accordingly. This architecture is common in enterprise environments where
centralized management and control are necessary.

Client-based network: This is similar to a server-based network, but with less reliance on
centralized servers. Instead, clients may communicate directly with each other or with
decentralized services. This model is often found in smaller-scale networks or in peer-to-peer
applications where each device acts as both a client and a server.

Peer-to-peer network (P2P): In a peer-to-peer network, all devices are considered equal peers
and can act both as clients and servers, sharing resources directly with each other without the
need for a centralized server. P2P networks are commonly used for file sharing, distributed
computing, and decentralized applications like cryptocurrency networks.

Classification of Networks:
The types of networks common to all organizations are:
Personal Area Networks (PANs): A small computer network generally used for communication
among the computing devices used by one person. The extent of a PAN is typically within a
range of about 10 meters (33 ft). It may be wired, using computer buses such as USB or
FireWire, or wireless (WPAN), using IrDA or Bluetooth.
Local Area Networks (LANs): A network within a building or covering a limited area such as a
home, office or campus. Characteristics of a LAN are a higher data transfer rate and a smaller
geographic range. Ethernet and Wi-Fi (WLAN) are most common.
Media include:
Cable: Coaxial (black TV-style cable) = 185 m (thin) or 500 m (thick) per segment
Twisted pair (blue computer cable) = 100 m
Air: Wi-Fi = about 100 m
Metropolitan Area Networks (MANs): A network within a city or region. Sites are connected
with each other via radio modems or microwave dishes. MANs are larger than LANs and
smaller than WANs, and have a higher data transfer rate than WANs. The medium is air.
Devices include:
Radio modems = 1 km to 40 km (radio signals are broadcast and the endpoints can move)
Microwave dishes = 1 km to 40 km (point-to-point, facing each other in line of sight; any
obstruction weakens or breaks the signal)
Wide Area Networks (WANs): A network that connects two or more LANs far from each other,
crossing the boundaries of a country, region or continent, by building links between them using
routers, switches and satellites. The Internet and 4G and 5G broadband networks are the most
common.
Storage Area Networks (SANs): SANs are dedicated to connecting storage devices to servers
and other computing devices. A SAN centralizes the storage and administration of data, as at
NADRA, Google and Wikipedia.
Network Standards and Protocols:
● HTTP - HyperText Transfer Protocol, unsecured browsing (traffic is sent in plain text).
● HTTPS - HyperText Transfer Protocol Secure, secure browsing as the traffic is encrypted.
● FTP - File Transfer Protocol, to upload and download files.
● SMTP - Simple Mail Transfer Protocol, for sending mail.
● UDP - User Datagram Protocol, for audio and video transmission or calls.
● TCP - Transmission Control Protocol, for reliable transmission of data.
● IP - Internet Protocol, picks up data from the sender and delivers it to the destination.
● TCP/IP Suite - a suite which includes all of the above protocols (like MS Office bundles its applications).

Intranet:
It is a network privately owned by an organization and used to facilitate the
employees of the organization. It is neither connected to nor accessible by the public. It
has all the services which are available over the Internet, such as email,
downloading, uploading and virtual meetings.

Extranet:
It is a privately owned physical network of an organization that is used to facilitate the
stakeholders of the organization. The stakeholders can be suppliers, producers, distributors, banks,
customers etc.

Virtual Private Network (VPN):
It is a privately owned, dedicated virtual network that facilitates the
employees as well as the stakeholders of the organization. It is less expensive compared to an
intranet or extranet. It provides all the services available on an intranet/extranet and on the
Internet. Moreover, communication over a VPN is encrypted. Furthermore, it dedicates a virtual
channel to the organization.

CHAPTER :3: Information and Database

Database:
A database is an organized collection of data which is logically related and can be
accessed and controlled through computers, e.g. NADRA, bank and FBR systems have a large
amount of data which is logically related.
Some control functions of an effective database include:
1. Create backups to recover
2. Avoid use of unauthorized system tools
3. Prevent unauthorized person access
4. Keep it accurate, complete and
5. Performance monitoring

Database Management System (DBMS):
It is software which is used to create, design, edit,
delete, process, take backups of, resolve queries against and update the data in the database,
e.g. MS Access, Sage, Oracle, MySQL, PL/SQL.
A DBMS can control user access to a database, for example which database a user can access or
which data fields they can view.

Database Modeling:
Data modeling is a technique to create a specific data model or structure
for an information system. It specifies what data is used or produced and how data is organized
and connected to each other and how they are processed and stored inside the system.

Database Structures (Types of database):

1) Hierarchical Database Model:
A data model in which data is stored and organized in a hierarchy
of parent and child data segments. It is a one-to-many relationship in which a parent can have
many children but a child can have only one parent. The parent record at the top of the
database is called the root record. This model is easy to implement and organize but doesn't
support high-level queries. It is one of the oldest models.

2) Network database model:
It is very similar to the hierarchical database model, but in this model a
child can have many parents, making it more flexible because more relationships can be
established. Thus a child, which is called a member, can be reached through more than one parent,
which is called an owner.

3) Relational Database Model (RDBMS):
RDBMS is used in current information systems; it
has a tabular form rather than the old hierarchical structure. In a relational database, each row
in the table is a record with a unique ID called the key. The columns of the table hold attributes
of the data, and each record usually has a value for each attribute, making it easy to establish
the relationships among data points.

Entity Relationship Diagram:
It is the name of a standard diagram used to represent database
design: a diagram that represents relationships among entities in a database.
3 steps in (ERD):
1. Understand the requirements
2. Make the ERD design according to need.
3. And then make the tables.

Essentials for making an ERD:
1) Entity: It is an object about which an organization desires to collect data.
2) Attributes: These are the characteristics of an entity in which an organization is
interested.
3) Types of attributes: a) Single-valued attributes b) Multi-valued attributes c) Unique-valued
attributes
4) Relationships: The association or link between two parties.
5) Degree of relationship: It shows how many entities are involved in a relationship. 1
entity = unary relationship, 2 entities = binary relationship, 3 entities = ternary
relationship, 4 entities = quaternary relationship, 5 entities = quinary relationship.

3 types of languages used for programming a database:
1. Data manipulation language (DML): It is used to perform the following operations
on the database: a) Adding data, b) Modifying data, c) Deleting data.
2. Data control language (DCL): It is used to control access to the data in the
database, e.g. GRANT and REVOKE.
3. Data definition language (DDL): It is used to create and
modify database objects, for example: a) Tables b) Users c) Indexes.
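As an added illustration (not part of these notes), the relational model, the ERD binary relationship and the DDL/DML operations above in runnable form, using Python's built-in sqlite3; the customer/account tables and sample values are constructed, and DCL (GRANT/REVOKE) is not shown because SQLite does not support it:

```python
"""Added example, not from the notes: a two-entity relational schema.

DDL builds the tables, DML fills and changes them, and the DBMS enforces the
unique key, the binary relationship (foreign key) and a balance CHECK.
SQLite ships with Python but has no GRANT/REVOKE, so DCL is not shown.
All table, column and sample values are constructed for illustration."""
import sqlite3

# DDL: entity Customer and entity Account, joined by a binary relationship
# (one customer owns many accounts). Each row has a unique key.
DDL = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,            -- the key
    cnic        TEXT    NOT NULL UNIQUE,        -- unique-valued attribute
    name        TEXT    NOT NULL                -- single-valued attribute
);
CREATE TABLE account (
    account_no  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    balance     INTEGER NOT NULL CHECK (balance >= 0)
);
"""

def open_db():
    """Create an in-memory database and apply the DDL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # make SQLite enforce the relationship
    conn.executescript(DDL)
    return conn

def load_sample(conn):
    """DML (adding data). Customer and account values are constructed."""
    conn.executemany("INSERT INTO customer (cnic, name) VALUES (?, ?)",
                     [("11111-1111111-1", "Ayesha"), ("22222-2222222-2", "Bilal")])
    conn.executemany("INSERT INTO account (customer_id, balance) VALUES (?, ?)",
                     [(1, 5000), (1, 1500), (2, 700)])
    conn.commit()

def accounts_of(conn, cnic):
    """Follow the relationship from a customer to their accounts via the key."""
    return conn.execute(
        "SELECT a.account_no, a.balance FROM account a "
        "JOIN customer c ON c.customer_id = a.customer_id "
        "WHERE c.cnic = ? ORDER BY a.account_no", (cnic,)).fetchall()

def transfer(conn, src, dst, amount):
    """DML (modifying data) as one transaction: both updates commit or
    neither does. The CHECK constraint rejects an overdraft."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("UPDATE account SET balance = balance - ? "
                         "WHERE account_no = ?", (amount, src))
            conn.execute("UPDATE account SET balance = balance + ? "
                         "WHERE account_no = ?", (amount, dst))
        return True
    except sqlite3.IntegrityError:
        return False

def _attempt(conn, sql, params=()):
    """Run one statement and report whether the DBMS accepted it."""
    try:
        conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError:
        return "rejected"

def integrity_checks(conn):
    """Which DML statements the DBMS refuses because they would break the
    schema's rules (the accuracy and completeness controls from the notes)."""
    return {
        # account pointing at a customer that does not exist
        "orphan_account": _attempt(
            conn, "INSERT INTO account (customer_id, balance) VALUES (99, 10)"),
        # deleting a parent that still has child rows
        "delete_parent_with_children": _attempt(
            conn, "DELETE FROM customer WHERE customer_id = 1"),
        # second customer with the same unique attribute
        "duplicate_cnic": _attempt(
            conn, "INSERT INTO customer (cnic, name) VALUES (?, ?)",
            ("11111-1111111-1", "Duplicate")),
    }

if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print(accounts_of(db, "11111-1111111-1"))                 # [(1, 5000), (2, 1500)]
    print(transfer(db, 1, 3, 2000), transfer(db, 2, 3, 9999))  # True False
    print(integrity_checks(db))
```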

Data dictionary / Metadata repository:
It is the data about the data. It is the master record of all entities,
their attributes, relationships etc.

Redundancy:
A system design in which a component is duplicated so that if it fails there is a
backup.

Master file and transaction file:
Data which is not frequently changed and stays the same over time is
called a master file, e.g. name, ID etc.
Data which changes frequently is called a transaction file, e.g. electricity bills.

Data warehouse:
It is designed to support business analysis and help in management decision
making. It extracts data from various sources specifically from the operational database then
filters and stores the data so it could be easy to interpret and do analysis.

Data mining:
The process of finding trends and patterns in large data to identify relationships
between them and help business analysis.

Office automation systems (OAS):
An office automation system is like a digital assistant for work
tasks. It includes tools for emailing, organizing documents, automating repetitive jobs, managing
projects, handling customer info, taking care of HR tasks, scheduling appointments, managing
finances, and more. These tools make work smoother and save time.

Transaction processing system (TPS):
In a transaction processing system, transactions are
recorded and processed on a daily basis. It collects and stores data about transactions and
sometimes controls decisions while automating the whole transaction process,
e.g. credit cards, barcode readers, ATMs etc.
There are two types of processing in a TPS:
a) Real-time processing: It includes recording and processing a transaction immediately,
at the same time it happens. It is also called online transaction processing (OLTP), e.g.
ATMs, barcode readers.
b) Batch processing: In this method the information for every transaction is recorded but
processed later, after a certain time or when a sufficient number of transactions has been recorded, e.g.
cheque clearance or payroll entries.

Management Information System (MIS):
MIS extracts, processes and summarizes data from the
TPS and generates periodic reports which help management to monitor the organization's
operations. It helps managers and employees in making timely and effective decisions.

Decision support system:
A decision support system (DSS) is a computer program application that
analyzes business data and presents it so that users can make business decisions more easily.

Benefits:
1. Improves personal efficiency
2. Speed up the process of decision making
3. Increases organizational control
4. Encourages exploration and discovery on the part of the decision maker
5. Speeds up problem solving in an organization.

Information systems categories and their uses:

Levels of hierarchy:
Management information systems (MIS) can be viewed as being constructed
to serve various levels and aspects of management activities in the organizational hierarchy by
providing effective support to each level so that they can make informed decisions.

The levels represent the three types of decision made in organizations:

Strategic planning decisions: where the decision maker develops objectives and allocates
resources to achieve these objectives.
Managerial control decisions: Deal with the use of resources in the organization and often
involve personnel or financial problems. For example, an accountant may try to determine
the reason for a difference between actual and budgeted costs.
Operational control decisions: Deal with the day-to-day problems of the organization. These
decisions are structured or programmed.

CHAPTER:4: SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

SDLC:
The software development life cycle is a well-structured flow of phases that helps an
organization to quickly produce high-quality software which is well tested and ready for
production use.

Phases of SDLC:
1) System planning (feasibility):
In this pre-development phase a feasibility study is
conducted to assess how the system would benefit the company and whether it fulfills the needs of the
organization. It is categorized into:
a) Economic feasibility: A cost and benefit analysis to identify whether the software's
output (benefit) exceeds its input (cost) or not, and also to conclude whether the company should buy, make
or outsource the software.
b) Technological feasibility: In this study they find out whether the software will run in the company,
whether employees can use it easily, and whether the company's own systems will become outdated or
can work for a longer time.
c) Operational feasibility: This is also called organizational feasibility. In this study they
assess how the software performs in solving business problems and meeting user requirements.
d) Social feasibility: The feasibility study in which the acceptance by the people is
considered regarding the product to be launched; it also analyzes whether the software
will run in the company's environment.

2) System Analysis (requirement definition):
Analysis of the system is conducted to identify and specify
the business and technological requirements, business rules and modules of the system, which
includes consulting with end users and other stakeholders to determine their requirements. After
that a report is made which has all the requirements and is called the software requirements
specification (SRS).
Types of requirements:
1. Functional requirements: These are the functions related to the system's operations,
e.g. cash withdrawal, fund transfer.
2. Non-functional requirements: These state how the functions
should be performed, e.g. security, reliability.
3) System Design:
After the system analysis a detailed physical design is created based on
the functional and non-functional requirements. It includes designing the
architecture, components, modules, interfaces, and data for the system. When the design is
made another report is produced, called the software design specification (SDS).

Configuration: It consists of defining, tracking and controlling changes in a purchased system
to meet business needs. System configuration is supported by the change management policies
and processes.

Software creeping: It means that no further requirements will be accepted, because if the customer
keeps changing the requirements continuously the software can never be completed.

Baselining: Baselining refers to establishing a reference point or benchmark against which future
changes or performance can be measured and compared.

4) System development:
The detailed design which was developed in the previous phase is
used to begin coding. This phase is done purely by the developers and system analysts who are
building the system.

Programming language: Different programming languages are used for programming. Some of
them are listed below:
1. Java: Known for its portability
2. Python: Valued for its readability
3. JavaScript: Crucial for web development
4. C++: Preferred for system-level programming
5. SQL: Crucial for database interactions.
6. HTML/CSS: Essential for front-end web development.

Program debugging: It is used to detect and fix or remove coding errors. It not only helps in fixing
errors in a program but also gives an idea of how errors can affect the program overall.

5) Software testing:
It is an essential part of the development phase; it does two things:
1. Verification: Checks that the software meets all business requirements mentioned in the software
requirements specification document (SRS).
2. Validation: Ensures that the software has no bugs.
Test plans:
Bottom-up: Testing begins with atomic (small) units and works upward until complete
system testing has been done.
Top-down: Following the opposite path, testing begins with big units and works downward to the atomic units,
testing major functions first.
Unit testing: Testing of an individual program or module to check the functionality of an
individual unit.
Integration testing: A hardware or software test that evaluates the data flow and communication
between different modules.
System testing: Evaluating the entire system's functionality against the specified requirements and
identifying defects that may arise from the integration of components.

Final Acceptance Testing: Final testing has two major parts:
1. Quality assurance test (QAT): QAT provides assurance on how best to approach
developing a high-quality product that meets its design specifications and quality standards,
is bug-free, and is fit for its intended purpose.
2. User acceptance test (UAT): It focuses on the functional aspects of the application. UAT
supports the process of ensuring that the system is ready for production and satisfies
all user requirements. It may include:
• Definition of test strategies and procedures
• Design of test cases and scenarios

Other tests:
Alpha and Beta Testing: Software goes through two stages of testing before it is considered
finished. The first stage, called alpha testing, is often performed only by users within the
organization developing the software (i.e., systems testing). The second and normally last
stage, called beta testing, a form of user acceptance testing, generally involves a limited
number of external users.

Some other tests:
Pilot Testing: It involves releasing the software to a limited group of end users before the
full-scale deployment.
White Box Testing: White box testing, also known as clear box or glass box testing, involves
examining the internal logic, structure, and code of the software.
Black Box Testing: Black box testing focuses on evaluating the software's functionality without
knowledge of its internal code or structure.
Validation Testing: Validation testing confirms that the software meets the specified
requirements and fulfills the intended purpose.
Regression Testing: Regression testing involves re-executing previously conducted tests to
ensure that new changes or modifications haven't adversely affected existing functionalities.
Parallel Testing: Parallel testing involves running two versions of a system simultaneously, one
being the existing or old system and the other the new or modified system, and then comparing
the results.
Sociability Testing: The purpose of this test is to confirm that the new or modified system can
operate in its target environment without adversely impacting existing systems (corruption of
data etc.).

After testing come end user training and data conversion:

End user training: Develop training plans to educate all the stakeholders, including managers,
users and all related staff, on how the new technology will impact the business operations.

Data conversion/Migration/Implementation: Migration of the software from the development
environment to the production environment.
It has four methods:
1. Pilot conversion: In this approach the new system is run in only one specific location and
then deployed at other branches/places.
2. Parallel conversion: In this approach the new and old systems run in parallel, and after
gaining confidence in the new system the old system is removed.
3. Phased conversion: Phased conversion means that the modules of the software are
deployed as they are made; they do not wait for the whole software to be finished before deploying
it.
4. Immediate/Direct cutover conversion: In this approach the new system is deployed and
the older system is removed immediately. This approach is used in businesses which are
small.

5) System/Post Maintenance Phase:
The maintenance phase comes after the deployment phase, when
the software is operational. Maintenance includes the following:
1. Fixing bugs and logical errors.
2. Adding new features
3. Reducing the chances of failure
4. Improving performance

Other software development processes:
1. Waterfall Approach: In the waterfall approach the system is divided into a number of
sequential stages. The whole process runs in sequence. Each stage is linked with the
next stage, so the next stage cannot be started before the completion of the previous
stage. A decision made in one stage cannot be changed after progressing to the
next stage.
2. Spiral Model: The spiral model looks like a coil with many loops. The number of loops
varies based on each project. Its main purpose is to mitigate risks and do risk
analysis before starting any new phase. The model has 4 quadrants: a) Top left:
Analyze and design. b) Top right: Construct the first, second, third and fourth prototype.
c) Bottom right: Test and integrate. d) Bottom left: Plan the next iteration.
3. Prototyping: Prototyping is a development approach where a preliminary version of a
system is created to test ideas, gather feedback, and refine the final product. It has two
types: a) Throwaway prototype: Develop a quick, often simplified prototype with the
expectation that it will be discarded after obtaining insights.
b) Evolutionary prototype: Begin with a basic prototype and gradually enhance it based
on user feedback and changing requirements. In some cases the customers like the
prototype so much that they are ready to buy it, if it is offered for sale.
4. Agile model: In the Agile model the software is not planned all at once but in
phases; the software life is divided into phases, which means that planning, acquisition,
monitoring and reviewing are also done in phases. In the Agile model small,
smart teams are formed according to need and large teams are avoided. It is very flexible
to change and user friendly. Agile approaches: a) extreme programming b) scrum and
scrumban c) Kanban.

Change Management Process:
The process of planning, implementing and controlling change to an
organization's processes or systems. Its priorities are to bring about legitimate changes and prevent
unauthorized change.
Some steps in the change management process:
1. Recognize the need for change
2. Request for change
3. Request analyzed by the change control board (CCB)
4. Approval
5. Implement the change and stick to it.
6. Analyze, review and correct

Library control software (LCS):
When software is made, the software company keeps the
source code of the software in library control software (LCS) to keep it safe. If someone wants to
access it, the LCS requires authorization.

Computer aided software engineering (CASE):
Computer aided software engineering is the implementation and
use of computer technology and tools in software development.
Upper CASE tools: Those tools which are used in the planning, analysis and design stages of the
SDLC, e.g. software planning, prototype development, GUI design, process design.
Lower CASE tools: Those tools which are used in testing, implementation and maintenance,
e.g. change management, software testing, library control software.
Integrated CASE tools: Tools which can be used in all stages of the SDLC.

Capability Maturity Model Integration (CMMI):
Its purpose is to help organizations improve their processes and systems. It
provides a set of best practices for development, maintenance, and service delivery, allowing
organizations to assess and enhance their capabilities.
CMMI Maturity Levels include:
• Maturity level 1 (Initial) - Bugs and errors are identified.
• Maturity level 2 (Managed) - Bugs are being resolved.
• Maturity level 3 (Defined) - All activities are better processed.
• Maturity level 4 (Quantitatively managed) - Quantitative evaluation according to need and
desire.
• Maturity level 5 (Optimizing) - Continuous improvement, highest quality of processes and
lowest risk.

CHAPTER :5: Project Management

Project Management:
A project can be defined simply as an activity which has a start, middle
and end, and consumes resources. It will:
1. have a specific objective
2. have a defined start and end date (timescale)
3. consume resources
4. be unique
5. have cost constraints that must be clearly defined and understood to ensure the project
remains viable
6. require organization

Project Management Process:

1. Project Initiation:
A project is initiated by a project manager or sponsor stating the problems or
goals and gathering the information required to gain approval for the project to be created.
Approval of a project initiation document (PID) or a project request document (PRD) is the
authorization for a project to begin.
The project initiation document (PID) should contain at least the following sections:
1. Purpose statement – explains why the project is being undertaken.
2. Scope statement – puts boundaries on the project by outlining the major activities.
3. Deliverables – tend to be tangible elements of the project, such as reports, assets and
other outputs.
4. Cost and time estimates – a budget is necessary to give a starting point for planning, but
can be modified later in the project.
5. Objectives – a clear statement of the mission, critical success factors (CSFs) and
milestones of the project.
6. Stakeholders – a list of the major stakeholders in the project and their interest in the
project.
7. Chain of command – a statement (and diagram) of the project organization structure.

2. Project Planning:
The project planning steps include the determination of:
1. Various tasks that need to be performed.
2. Sequence of activities.
3. Duration of each task.
4. Priority for each task.
5. Budget or costing for each of these tasks.

Software size estimation:
Software size estimation relates to determining the relative physical
size of the application; it also includes the allocation of resources and judging the time and cost
required for its development.

Function Point Analysis (FPA): Function point analysis (FPA) is the process of sizing
software based on the number of business functions an application must accomplish.

Gantt Charts: A Gantt chart is constructed to help in scheduling the activities and showing how many activities are to be
performed. It identifies which activities depend upon each other, so that they can be carried out in sequence,
and which activities do not depend upon each other, so that they can be performed in parallel.

Critical Path Methodology (CPM): It is used to create a project schedule and estimate the total
duration of a project by determining the critical path and slack time. This path is important because,
if everything goes according to schedule and there are no obstacles, its length provides the
shortest possible time to complete the overall project. Activities that are not on the critical path
have slack time.

Program Evaluation Review Technique (PERT):
Program Evaluation Review Technique (PERT) is a project management planning tool used to
calculate the amount of time it will realistically take to finish a project. It uses three different
estimates of each activity's duration. The first is the most optimistic time (if everything went well),
the second is the most likely scenario, which is based on experience obtained from projects
similar in size and scope, and the third is the pessimistic or worst-case scenario.
To calculate the PERT time estimate for
each activity, the following calculation is applied: [Optimistic + Pessimistic + 4(Most likely)] / 6.

Time box management: It is the time period in which the output must be produced. The deadline
is fixed and cannot be changed. You can add resources but the deadline will not be
compromised.

3. Project execution:
Project execution means putting your plans into action and to achieve the
project objectives. It involves coordinating people and resources, managing tasks, and
addressing any challenges that may arise during the project's implementation.

4. Project control:
Project control involves monitoring, measuring, and regulating various aspects
of a project to ensure it stays on track in terms of scope, schedule, budget, and quality.
Different management controls:
1. Management of scope changes
2. Management of resource usage
3. Management of risk

5. Closing a project:
In this stage it is ensured that the project has delivered its planned outputs, all
project activities are satisfactorily completed and, after meeting stakeholders, the outputs of the
project are successfully transferred/handed over to the project's client/user.

Best Project Management Practices are:
• PRISM - Planning Tool for Resource Integration, Synchronization, and Management
• IPMA - International Project Management Association
• PRINCE/PRINCE 2 - a project planning and management methodology
• PMI - Project Management Institute.

CHAPTER:6: Process of Audit Information System

Auditing:
It is a process in which a competent and vigilant person examines financial
information, systems, or processes to ensure accuracy, compliance, and reliability, and forms an
opinion about them.
Auditor's Characteristics:
• Independent (Not come under any influence)
• Impartial (Neutral/unbiased)
• Competent
• Vigilant (Sharp observation skills)
• Diplomatic (Evaluate a situation before speaking or acting)
• Assertive (Can convince others)
• Decisive
• Good documentation skills.

IS Audit:
It is a process in which a competent and vigilant person specifically focuses on
assessing the controls and security measures of an organization's information technology
infrastructure to safeguard data integrity, confidentiality, and availability.

Audit Charter:
An audit charter is a formal document that outlines the purpose, authority, and
responsibilities of an audit function within an organization.

Internal Audit:
The main objective of internal auditing is to confirm the efficiency and effectiveness of
operations and their contribution to the achievement of organizational goals. The internal auditor:
• Ensures adequate internal control
• Reviews the reliability of records
• Prevents and detects fraud.

External Audit:
The main objective of an external audit is an independent examination to express an opinion on
whether the organization's systems and financial reporting are in accordance with their respective
standards. The external auditor examines whether:
• Transactions that should have been recorded are actually reported in the financial statements
• The assets and liabilities reported in the financial statements existed at the balance sheet
• There are no fraudulent transactions reported in the financial statements.

Types of Audits:
The various types of audits that can be performed, internally or externally are:
1. Compliance audit: Compliance audit includes verifying that a company adheres to
relevant laws, regulations, and industry standards. e:g assessing tax compliance or data
protection regulations.
2. Financial audits: The purpose of a financial audit is to assess the accuracy of financial
statements and transactions to ensure accuracy and compliance with accounting
standards.
3. Operational audit: An operational audit is designed to evaluate the efficiency and
effectiveness of an organization's operational processes, such as supply chain
management or production workflows.
4. Integrated audit: An integrated audit combines financial and operational audit steps. It is
performed to assess the overall objectives within an organization, related to financial
information and assets’ safeguarding, efficiency and compliance
5. Administrative audit: An administrative audit specifically relates to the audit of the higher
management level, i.e. the Board of Directors and senior management.
6. Information System Audit: It is a process in which a competent and vigilant person
specifically focuses on assessing the controls and security measures of an
organization's information technology infrastructure to safeguard data integrity,
confidentiality, and availability.
7. Specified Audit: It is the examination of particular areas such as internal controls of
services performed by third parties.
8. Forensic Audit: An examination and evaluation of a firm's financial and
operational information for discovering, disclosing and following up on fraud and crimes,
e.g. assessment of financial information to detect corporate fraud or analysis of
electronic devices to detect cybercrime activities.

Audit risks:
Audit risks can be defined as the potential errors or misstatements in financial or
information reports that auditors may fail to detect.
* Non-material error - small issues (not recorded in the audit report)
* Material error - big issues (recorded in the audit report)
The three main types of audit risk:
1. Inherent Risk: These are the risks which arise from the nature of the client's business,
industry, and environment. It is influenced by factors like complexity, transaction volume,
and management integrity.
2. Control Risk: It relates to the risk that the internal controls in place fail to prevent or detect
material misstatements. It depends on the effectiveness of the client's internal controls.
3. Detection Risk: These are the risks which the auditor is unable to detect
because of using inadequate test procedures.
4. Overall Risk: It is the combination of all individual categories of audit risk, i.e. that
information or financial reports may contain material errors and that the auditor may not
detect an error that has occurred.

Risk Analysis:
Risk analysis is a part of audit planning that helps in identification of risks and Its
probability or likelihood of occurrence. It also helps in determining the frequency of occurrence
and its impact on the system.

Risk is commonly defined by the IT industry as:
"Adverse impact(s) that could occur to organizational operations (including mission, functions,
image, reputation), organizational assets, or the use, disclosure, disruption, modification, or
destruction of the organization's data and/or information systems."

Risk Management:
Risk management is a systematic process of identifying, assessing,
prioritizing, and mitigating risks to achieve organizational objectives.
Risk management process involves the following steps:
1. Risk Identification: Identify potential risks that could impact the achievement of
objectives.
2. Risk Assessment: Evaluate the likelihood and potential impact of each identified risk.
3. Risk Prioritization: Prioritize risks based on their significance, considering their potential
impact on objectives and the likelihood of occurrence.
4. Risk Mitigation or Control: Develop and implement strategies to reduce or eliminate the
impact of identified risks.
5. Monitoring and Review: Continuously monitor risks to identify new risks or changes in
existing ones.
6. Communication and Reporting: Maintain clear communication channels to ensure that
relevant stakeholders are aware of the identified risks and the mitigation strategies in
place.
7. Documentation: Document the entire risk management process, including identified
risks, assessments, mitigation strategies, and outcomes.

Risk Treatment:
1. Risk Mitigation: Implementing measures to reduce the likelihood or impact of the risk.
2. Risk Avoidance: Eliminating or avoiding the activities or conditions that could lead to the
identified risk.
3. Risk Acceptance: The risk and its loss are accepted and no action is taken to prevent it. This
strategy is used when the cost of treatment is greater than the potential impact.
4. Risk Transfer: The risk and the loss are transferred to a third party, usually through
insurance or contracts.

Risk-based Audit Approach:
A risk-based audit approach is a method where auditors prioritize their efforts based on the
assessment of risks associated with various areas of an organization. Its process is given below:
Gather information and plan:
- Knowledge of business and industry
- Prior year’s audit results
- Recent financial information
Obtain understanding of internal controls:
- Control environment
- Control procedures
- Detection risk assessment
Perform compliance test:
- Identify key controls to be tested
- Perform tests on reliability, risk prevention and adherence to organization policies and
procedures
Perform substantive test:
- Analytical procedures
- Detailed tests of account balances
- Others substantive audit procedures
Conclude the audit:
- Create recommendations
- Write audit report

Internal Controls:
The policies, practices and organizational structures implemented to reduce risk. They are
designed to provide reasonable assurance to management that business objectives will be
achieved and that undesired events will be prevented or detected and corrected.
Objectives of IS Control:
1. Safeguarding Assets
2. Ensuring Accuracy in Financial Reporting
3. Promoting Operational Efficiency
4. Ensuring Compliance
5. Preventing and Detecting Fraud
6. Enhancing Accountability

Control Classification:
1. Preventive Controls: Aimed at preventing errors or irregularities before they occur.
Examples include security measures, training programs, and access restrictions.
2. Detective Controls: Designed to identify errors or irregularities after they have occurred.
Examples include audits, monitoring systems, and reconciliations.
3. Corrective Controls: Implemented to rectify and mitigate the impact of identified errors or
issues. Examples include error correction procedures, process improvements, and
incident response plans.

COBIT 5:
COBIT 5 (Control Objectives for Information and Related Technologies) is a framework
for the governance and management of enterprise IT. Developed by the Information Systems
Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), COBIT 5
provides a comprehensive set of guidelines and practices to help organizations achieve their
strategic goals through effective and efficient IT governance. It is built on five principles:

• Principle 1: Meeting stakeholder needs
• Principle 2: Covering the enterprise end-to-end
• Principle 3: Applying a single integrated framework
• Principle 4: Enabling a holistic approach
• Principle 5: Separating governance from management

General Controls:
General controls in Information Systems refer to the policies, procedures, and
technical measures that establish a secure and reliable computing environment.

1. Operational control that is concerned with the day-to-day operations, functions and
activities.
2. Administrative controls that are concerned with operational efficiency in a functional area
and adherence to management policies.
3. Procedures and practices to ensure adequate safeguards over access to the system.
4. Physical and logical security policies for all facilities, data centers and IT resources.
5. Internal accounting controls that are primarily directed at accounting operations.

Audit Methodology and Phases:
It is a systematic procedure which involves the following steps:
1. Define the audit objectives: the purpose of the audit.
2. Define the audit area: which domains, e.g. software development, database development,
ERP implementation.
3. Define the scope: which departments and what the time limit is.
4. Perform the pre-audit planning. The following are done in pre-audit planning:
a) Document verification. b) Identification of the important tools and resources.
c) Audit working papers. d) Communication and coordination.
5. Perform the audit. The following steps are followed while doing the audit:
a) Audit opening meeting. b) Evidence collection (there are two ways of collecting evidence:
compliance testing and substantive testing). c) Audit closing meeting.
6. Judge the materiality of the audit findings: assess the importance of the identified issues,
errors, or discrepancies in context.
7. Audit report: a) Give a brief review of procedures and operational efficiency.
b) Review and evaluate the correction of documents, policies and procedures.
8. Audit presentation: The audit is presented in a board meeting some days after the audit
and analysis.

Evidence:
Information, data, or documentation that auditors gather and analyze to support their
conclusions and opinions about the effectiveness, efficiency, and security of an organization's
information systems.
Reliability of Evidence: Auditors assess the reliability of evidence based on factors such as its
source, accuracy, completeness, and relevance.
Sampling: Due to the vast amount of data in information systems, auditors often use sampling
techniques to gather evidence.
Third-Party Reports: Reports from external parties, such as security assessments, penetration
testing, or compliance audits, can provide additional evidence.
Confirmation: Obtaining confirmations from relevant parties, such as system administrators or
users, can validate information obtained during the audit.

Sampling:
It involves selecting a subset of data or transactions from a larger population to draw
conclusions about the entire population. It is impractical to examine every item in a population,
so auditors use sampling:
Statistical Sampling: It involves using mathematical techniques to select a sample from a
population and using the laws of probability to evaluate the results, e.g. random sampling,
stratified sampling.
Non-Statistical (Judgmental) Sampling: Non-statistical sampling relies on the auditor's judgment
rather than mathematical techniques.
Attribute Sampling: Attribute sampling is used to estimate the proportion of a population with a
specific characteristic (attribute).
1. Attribute sampling or frequency estimating sampling : used to estimate the rate (percent)
of occurrence of a specific quality (attribute) in a population.
2. Stop-or-go sampling: Helps in preventing excessive sampling of an attribute at the
earliest possible moment.
3. Discovery sampling: Used when the expected occurrence rate is extremely low, to detect
fraud, violations of regulations or other irregularities.

Variable Sampling: Variable sampling is used to estimate the numerical value of a characteristic
in a population, such as the average or total dollar amount.
1. Stratified mean per unit: Statistical sampling that involves the division of a population into
smaller subgroups known as strata.
2. Un-stratified mean per unit: Statistical sampling in which a sample mean is calculated
and projected as an estimated total.
3. Difference estimation: Statistical sampling used to estimate the total difference between
audited values and book (unaudited) values.
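The sampling methods above, as an added Python example that is not part of the notes: discovery sample size, the attribute-sampling upper deviation limit that stop-or-go sampling uses as its stopping rule, and the three variable-sampling estimators. All population and sample figures are constructed.

```python
import math
from statistics import mean

# Added example (not from the notes): audit sampling calculations.
# Every population figure used below is constructed for illustration.


def discovery_sample_size(confidence, expected_rate):
    """Discovery sampling: smallest n such that, if at least `expected_rate` of
    the population carries the irregularity, the sample contains at least one
    occurrence with probability >= `confidence` (P(no hit) = (1 - rate)^n)."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - expected_rate))


def upper_deviation_limit(sample_size, deviations_found, confidence, grid=10_000):
    """Attribute sampling: one-sided upper bound on the population deviation
    rate after finding `deviations_found` deviations in `sample_size` items.
    Returns the smallest rate p (on a 1/grid step) for which seeing this few
    deviations or fewer is at most (1 - confidence) likely (binomial model)."""
    for i in range(1, grid + 1):
        p = i / grid
        prob_at_most = sum(
            math.comb(sample_size, k) * p ** k * (1.0 - p) ** (sample_size - k)
            for k in range(deviations_found + 1)
        )
        if prob_at_most <= 1.0 - confidence:
            return p
    return 1.0


def stop_or_go(sample_batches, tolerable_rate, confidence):
    """Stop-or-go sampling: examine items batch by batch and stop as soon as the
    upper deviation limit drops to the tolerable rate.  Each batch is a list of
    booleans (True = deviation found).  Returns (items_examined, accepted)."""
    examined = deviations = 0
    for batch in sample_batches:
        examined += len(batch)
        deviations += sum(1 for is_dev in batch if is_dev)
        if upper_deviation_limit(examined, deviations, confidence) <= tolerable_rate:
            return examined, True        # control reliable enough; stop sampling
    return examined, False               # batches exhausted without reaching goal


def mean_per_unit_total(population_size, sample_audited_values):
    """Un-stratified mean-per-unit: project the sample mean to the population."""
    return population_size * mean(sample_audited_values)


def stratified_mean_per_unit_total(strata):
    """Stratified mean-per-unit: `strata` is a list of (stratum_size, sample_values);
    each stratum is projected separately and the projections are summed."""
    return sum(size * mean(values) for size, values in strata)


def difference_estimate_total(population_size, sample_pairs):
    """Difference estimation: `sample_pairs` holds (book_value, audited_value);
    the mean audited-minus-book difference is projected to the population."""
    return population_size * mean(audited - book for book, audited in sample_pairs)


if __name__ == "__main__":
    print("discovery n (95%, 1% rate):", discovery_sample_size(0.95, 0.01))
    print("upper limit, 0 of 60 (95%):", upper_deviation_limit(60, 0, 0.95))
    batches = [[False] * 30, [False] * 30, [True] + [False] * 29]
    print("stop-or-go (5% tolerable):", stop_or_go(batches, 0.05, 0.95))
    print("mean-per-unit total:", mean_per_unit_total(1000, [100, 110, 90, 100]))
    print("stratified total:", stratified_mean_per_unit_total([(100, [1000, 1200]), (900, [50, 70])]))
    print("difference total:", difference_estimate_total(300, [(100, 98), (200, 200), (150, 145)]))
```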

Computer Assisted Audit Techniques (CAATs):
Computer-Assisted Audit Techniques (CAATs) refer to the use of computer programs and tools
to support auditors in their examination and analysis of financial information and data. These
techniques enhance the efficiency, effectiveness, and thoroughness of audits. CAATs are
particularly useful for auditing large volumes of data and conducting in-depth analysis.

Examples of CAATs:
– ACL (Audit Control Language)
– IDEA (Interactive Data Extraction and Analysis)
– Auto Audit
– Galileo
– Pentana
– GAS (generalized audit software)

Advantages of CAAT:
1. Population based Audit
2. Global Compliance picture
3. Increased productivity
4. Enhance quality of audit
5. Management reliable assurance.
Disadvantages of CAAT:
1. It is very costly
2. Technical skills are required to operate
3. Might face organizational inertia
4. Demoralization of company employees
5. Acceptability issues

Generalized Audit Software (GAS):
GAS refers to standard software that has the capability to directly read and access data
from various database platforms, flat-file systems and ASCII formats. It performs the following
functions:
1. File access
2. File reorganization
3. Data selection
4. Statistical functions
5. Arithmetical functions

Control Self-Assessment (CSA): It is a process in which individuals and departments within an
organization assess their own control processes and practices. It is a proactive approach to
internal control evaluation that involves employees, managers, and other stakeholders in
identifying, evaluating, and improving the effectiveness of controls.

Tools Used in Control Self-Assessment (CSA):
1. Questionnaires and Surveys
2. Workshops and Focus Groups
3. Interviews
4. Control Assessment Templates

Advantages:
1. Timely Risk Identification
2. Cost-Effective
3. Continuous Improvement
4. Cultural Integration

Disadvantages:
1. Time and Effort
2. Resistance Possible
3. Opinions Vary
4. Skill Differences

CHAPTER :7: BUSINESS CONTINUITY AND DISASTER RECOVERY

Business continuity planning (BCP): It involves creating a strategy to ensure that essential
business functions can continue during and after a disaster or disruption.
It typically includes risk assessment, developing recovery strategies, establishing emergency
response procedures, and maintaining communication channels.
BCP aims to minimize downtime and financial loss in the event of unexpected events such as
natural disasters, cyberattacks, or other disruptions. Regular testing and updates are essential
for an effective BCP.

Disasters:
Disasters are disruptions that affect critical information assets and the continuity of
business for a period of time, adversely impacting organizational operations. The disruption
could be a few minutes to several months, depending on the extent of damage to the
information resource. Most importantly, disasters require recovery efforts to restore operational
status.
Types/causes of disasters are:
1. Natural calamities: Such as earthquakes, floods, tornados, severe thunderstorms and
fire, which cause extensive damage to the processing facility and the locality in general.
2. Downfall of expected services: Disruption in supply of electrical power,
telecommunications, natural gas or other delivery services being supplied to the
company.
3. Man Made disaster: Such as terrorist attacks, hacker attacks, viruses or human error.
4. Other disruptions in services: Caused by system malfunctions, accidental file deletions,
untested application releases, loss of backup, network denial of service (DoS) attacks,
intrusions and viruses.

Pandemic Planning:
Pandemics can be defined as outbreaks of infectious diseases such as Swine Flu or COVID in
humans that have the ability to spread rapidly over large areas, possibly worldwide. Pandemic
planning presents unique challenges: unlike natural disasters, technical disasters, malicious acts
or terrorist events, the impact of a pandemic is much more difficult to determine because of the
anticipated difference in scale and duration as compared to traditional business disasters. So,
the IS auditor should evaluate an organization’s preparedness for pandemic outbreaks.

Business Continuity Planning Process:

Stages of BCP:
The following five simple steps can help implement a solid business continuity strategy that will
keep the organization’s critical operations functioning in the event of a disruption.

S1: Get started: executives are required to provide necessary financial resources to start the
plan, keep the business up and running, and serve customers and clients.

S2: Identify business requirements: Document the core functions that must run to prevent
disruption by asking department leaders what the longest amount of time is that they can run
core functions without business systems (this value is known as the maximum tolerable
downtime, MTD).

S3: Determine recovery speed: Determine how long it would take to restore the system to
working order (this value is known as the recovery time objective, RTO).

S4: Deal with the gaps: Management should look at the cases where the MTD is less than the
RTO, verify the numbers by talking to department leaders, and ask technologists to make
changes to procedures (if possible) that would allow them to recover a given system before
reaching the MTD.

S5: Maintain the program: Evolve business continuity plans as the needs of the business and
the capabilities of technology change.

Business Continuity Planning Life Cycle:
"An iterative process divided into a number of phases to establish an appropriate business
continuity plan."
1. BCP policy formation
2. Identification of critical assets/services
3. Business impact analysis (BIA)
4. Identifying the recovery alternatives and selecting one
5. Testing the BCP
6. Awareness and training
7. Audit the BCP
8. Improve the BCP

Business Continuity Policy:
A business continuity policy is a document approved by top management that defines the
extent and scope of the business continuity effort (a project or an ongoing program). It should
be proactive.
The business continuity policy can be broken into two parts on the basis of purpose: public and
internal.
Its internal portion is a message to internal stakeholders (i.e., employees, management, BOD).
Its public portion is a message to external stakeholders (i.e., shareholders, regulators,
authorities, etc.).

Business Continuity Planning Incident Management:
Incidents are unexpected events and are dynamic in nature. They evolve, change with time
and circumstances, and are often rapid and unforeseeable. So, their management must be
proactive, well documented and dynamic too.
Depending on an estimation of the level of damage to the organization, incidents are
categorized into the following:
1. Negligible incidents are those that cause no detectable or significant damage (e.g. Windows
crashes but with full recovery of information).
2. Minor incidents are those that are not negligible but still produce no negative material or
financial impact.
3. Major incidents are those that cause a negative material impact on business processes
and may affect other systems, departments or even outside clients.
4. Crisis is a major incident that can have a serious material impact on the continued
functioning of the business and may adversely impact other systems or third parties.

Business Impact Analysis (BIA): It is a critical component of business continuity planning. It
involves assessing the potential impact of disruptions on business operations. The goal of BIA is
to identify and prioritize critical business functions, processes, and systems, as well as the
resources required to support them. By conducting a BIA, organizations can determine the
potential financial, operational, and reputational consequences of disruptions, allowing them to
allocate resources effectively and develop appropriate recovery strategies. Key elements of a
BIA typically include identifying dependencies, assessing recovery time objectives (RTOs) and
recovery point objectives (RPOs), and evaluating potential financial and non-financial impacts.

Critical Recovery Time Period:
The critical recovery time period is the length of time in which business processing must be
resumed before suffering significant or unrecoverable losses. The length of the time period for
recovery depends on the nature of the business or service being disrupted. For instance,
financial institutions, such as banks and brokerage firms, usually have a much shorter critical
recovery time period than manufacturing firms.
To make decisions, there are two independent cost factors to consider:
1. The downtime cost of a disaster is the money a company loses when its operations are
disrupted. This includes lost sales, extra expenses to recover, and damage to its reputation.
It is important to estimate these costs to plan how to minimize them during emergencies.
2. The cost of the alternative corrective measures, i.e. the implementation, maintenance and
activation of the BCP. This cost decreases as the target recovery time is made longer.

Classifying Services Ranking:
1. Critical: Those services whose downtime cannot be tolerated for more than 4 days and for
which there is no alternative.
2. Vital: Those services whose downtime can be tolerated for 15 days. These functions can be
performed manually but only for a brief period of time.
3. Sensitive: These can be performed manually for a long period of time and their downtime
can be tolerated for a month.
4. Non-sensitive: These functions may be interrupted for an extended period of time and their
downtime can be tolerated for an indefinite period.

Recovery Point Objective & Recovery Time Objective:
1. Recovery Time Objective (RTO): It is determined based on the acceptable downtime in case
of disruption/discontinuity in business operations. It is the earliest time by which services
shall be resumed after a disaster.
2. Recovery Point Objective (RPO): It is determined based on the acceptable amount of data
loss in case of disruption in business operations. It is the point in time to which data must
be recoverable, i.e. how recently the last data backup must have been taken.

Disaster Recovery Planning:
Disaster Recovery Planning (DRP) is the next phase in the continuity plan development after
BCP. It is established to manage availability and restore critical processes in the event of a
disruption.
The critical processes are determined through the BIA, and the recovery point objective (RPO)
and recovery time objective (RTO) are assigned to identify recovery strategies. After identifying
the various recovery strategies, the most appropriate one is selected for recovering from a
disaster.

In addition to RTO and RPO, there are some additional parameters that are important in
defining the recovery strategies. These include:
Interruption window: The maximum time an organization can wait from the point of failure until
the restoration of critical services.
Service delivery objective (SDO): The level/quality of service that must be maintained during
the alternate mode of operation, before returning to the normal state.
Maximum tolerable outage: The maximum amount of time an organization can sustain
processing in the alternate mode.

Recovery Strategies:
A recovery strategy identifies the best way to recover a system in case of disaster and provides
guidance based on which detailed recovery procedures can be developed. The selection of a
recovery strategy depends upon:
1. The criticality of the business process and the applications supporting the process
2. Cost
3. Time required to recover
4. Security
There are various strategies for recovering critical information resources. The most appropriate
alternative, in terms of speed to recover and recovery cost, should be selected based on the
relative risk level identified in the business impact analysis (BIA).

Recovery Alternatives:
1. Mirror site: Mirror sites are used when the RTO is in hours. These sites are fully equipped
and redundant with real-time replication of data. A mirror site has a complete physical
infrastructure.
2. Hot sites: Hot sites are used when the RTO is between 5 and 7 hours. These sites have less
staff than mirror sites but are fully furnished with all the furniture needed. Data replication
is near real time and the most recent backup copies of data may be available.
3. Warm sites: These are backup facilities that are partially equipped with IT infrastructure,
requiring additional setup before becoming fully operational. They offer a balance
between cost and recovery time objectives.
4. Cold sites: Cold sites are facilities that are essentially empty shells, lacking IT
infrastructure and having only very basic equipment. They are cost effective but require a
very long recovery time.
5. Mobile sites: Mobile sites are self-contained recovery facilities mounted on transportable
vehicles and kept ready to be delivered and set up at a location upon activation.
6. Reciprocal agreement: Two or more organizations with similar processing capabilities agree
to provide each other with processing capacity in the event of a disaster. It is a low-cost
alternative, but it relies on the partner having spare capacity at the time and is difficult to
enforce.

Application Resiliency:
Application resilience is the ability of an application to react to problems in its components
and still provide the best possible service.

Clustering: Clustering is a method of turning multiple networked computers into a cluster (a
group of computers that acts like a single system). Cluster software (an agent) is installed on
every server (node) on which the application runs, and includes management software that
permits control and tuning of the cluster's behavior. If one machine goes down, its agent
informs the agent on the other machine to become active.
There are two types of application clusters:
1) Active-Passive clusters: In active-passive clusters, the application runs on only one
(active) node, while the other (passive) nodes are used only if the application fails on the
active node. In this case, cluster agents constantly watch the protected application and
quickly restart it on one of the remaining nodes. This type of cluster does not require any
special setup.
2) Active-Active clusters: In active-active clusters, the application runs on every node of the
cluster. With this setup, cluster agents coordinate the information processing between all
of the nodes, providing load balancing and coordinating data access. When an
application in such a cluster fails, users normally do not experience any downtime at all.

Data Storage Resiliency:
Data resiliency relates to digitally preserving organizational assets in the event of a natural
disaster or data center corruption by means of redundant components and data availability.

Redundant Array of Independent (or Inexpensive) Disks (RAID): RAID is the most common
method of protection against a single point of failure in the context of data. It is a hardware +
software solution and is the best solution. It is fault tolerant. These systems provide the
potential for cost-effective offsite mirroring for data backup.
RAID 1 - Mirroring:
It consists of two drives in which the data from the original drive is mirrored onto the second
drive of the array. Mirroring is the key feature that ensures real-time redundancy. In case a drive
fails, the data can easily be restored from the mirrored one and just has to be copied onto a
replacement drive.
RAID 5 - Stripe set with Parity:
A minimum of three to a maximum of seven drives are required for this configuration. It provides
data striping, a storage method that breaks the whole data into blocks and stores the
fragments across the disks in the array. Further, by using distributed parity, if one drive fails the
array continues processing, and on the replacement drive the data stripes of the failed drive are
recovered with the help of the data stripes (and parity) on the other drives.
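RAID 1 mirroring and RAID 5 distributed-parity striping as described above, in an added Python simulation that is not part of the notes: the block size, disk counts and sample data are constructed, and the rebuild step shows how a failed drive's stripes are recomputed from the surviving ones.

```python
# Added example (not from the notes): RAID 1 mirroring and RAID 5 striping with
# distributed XOR parity, simulated on small byte strings.  The block size,
# disk counts and sample data are constructed for illustration.

BLOCK = 4  # bytes per stripe unit; real arrays use kilobytes per unit


def xor_blocks(blocks):
    """XOR equal-length byte blocks together: the RAID 5 parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid1_write(data, mirror_count=2):
    """RAID 1: every drive in the array receives an identical copy."""
    return [bytes(data) for _ in range(mirror_count)]


def raid1_read(drives, failed):
    """RAID 1 after losing drive `failed`: any surviving copy is complete."""
    return next(d for i, d in enumerate(drives) if i != failed)


def parity_disk_for(stripe, disk_count):
    """Distributed parity: the parity block rotates to a different disk per stripe."""
    return (disk_count - 1 - stripe) % disk_count


def raid5_write(data, disk_count):
    """RAID 5: each stripe holds (disk_count - 1) data blocks plus one parity
    block.  Returns a list of per-disk block lists (disk -> [block per stripe])."""
    assert 3 <= disk_count <= 7, "notes: RAID 5 uses three to seven drives"
    data_per_stripe = (disk_count - 1) * BLOCK
    padded = data + b"\x00" * (-len(data) % data_per_stripe)   # pad last stripe
    disks = [[] for _ in range(disk_count)]
    for s in range(len(padded) // data_per_stripe):
        chunk = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(disk_count - 1)]
        parity = xor_blocks(blocks)
        data_blocks = iter(blocks)
        for d in range(disk_count):
            disks[d].append(parity if d == parity_disk_for(s, disk_count) else next(data_blocks))
    return disks


def raid5_rebuild(disks, failed):
    """Rebuild the failed disk onto a replacement: every block of it (data or
    parity) is the XOR of the same stripe's blocks on all surviving disks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks, length):
    """Reassemble the original data, skipping the parity block of each stripe."""
    disk_count = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        skip = parity_disk_for(s, disk_count)
        for d in range(disk_count):
            if d != skip:
                out += disks[d][s]
    return bytes(out[:length])


def demo_rebuild(data=b"AUDIT LOG 2024-01-01 ok", disk_count=4, failed=1):
    """Write, lose one disk, rebuild it, and check the data reads back intact."""
    disks = raid5_write(data, disk_count)
    lost = disks[failed]
    disks[failed] = None                              # simulate the drive failure
    disks[failed] = raid5_rebuild(disks, failed)      # onto the replacement drive
    return disks[failed] == lost and raid5_read(disks, len(data)) == data


if __name__ == "__main__":
    print("RAID 1 survives a drive loss:", raid1_read(raid1_write(b"abc"), failed=0) == b"abc")
    print("RAID 5 rebuild intact:", demo_rebuild())
```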

Telecommunication Networks Resilience:
Telecommunication networks are susceptible to the same natural disasters as data centers but
are also vulnerable to several disastrous events unique to telecommunications. These include
central switching office disasters, cable cuts, communication software glitches, errors and
security breaches. It is the responsibility of the organization to ensure constant communication
capabilities.
Methods for network protection are:
1. Redundancy: Providing extra capacity with a plan to use the surplus/duplicate capacity
when the normal primary transmission capability is not available. A set of duplicate
cables and devices could be installed through an alternate route for use in the event the
primary cable is damaged.
2. Alternative Routing: The method of routing information via an alternate medium, such as
copper cable instead of fiber optics. This involves the use of alternative networks, circuits
or end points when the normal network is unavailable.
3. Diverse Routing: The method of routing traffic through split cable facilities or duplicate
cable facilities (ways). This can be accomplished with different and/or duplicate cable
sheaths (coverings), i.e. duplicating the facilities by having alternate routes.
4. Long-haul Network Protection: Long-haul network diversity provides redundancy for
long-distance availability, e.g. using ISDN or VPN along with routers (for WANs).
5. Last-mile Network Protection: Last-mile circuit protection provides redundancy for local
communication loops, e.g. using radio modems or microwave dishes (for MANs).
6. Voice Recovery: An alternative for voice communications for organizations relying on it,
e.g. using the mobile network, POTS or VoIP (Voice over Internet Protocol).

Backup and Restoration:
To ensure that the critical activities of an organization (and supporting applications) are not
interrupted in the event of a disaster, secondary storage media are used to store software
application files and associated data for backup purposes. These secondary storage media are
removable media (tape cartridges, CDs, DVDs), mirrored disks (local or remote) or network
storage (SAN). Typically, the removable media are recorded in one facility and stored in one or
more remote physical facilities (referred to as offsite libraries).

Offsite Library Controls:
When disaster strikes, the offsite storage library often becomes the only remaining copy of the
organization’s data. To ensure that these data are not lost, it is very important to implement
strict controls over the data, both physical and logical.
Controls over the offsite storage library include:
1. Securing physical access to the library contents so that only authorized personnel have
access.
2. Encrypting backup media, especially when it is in transit.
3. Ensuring that the physical construction can resist fire/heat/water.
4. Locating the library away from the data center, to avoid the risk of a disaster affecting
both facilities.
Types of Backup Devices and Media:
There are a lot of different devices and media types available. The technology chosen must be
adequate to the business needs.
• Removable media includes:
▪ CD/DVD data backup
▪ USB
▪ SD cards
▪ Pocket drives
▪ External HDD
• Non-removable media includes:
▪ Tape drives:
— Standalone
— Network based:
- SCSI (Small Computer System Interface)
- Fibre Channel (latest technology, high data transfer rate)
▪ Disk drives:
— Virtual tape libraries (VTLs)
— Host-based replication (clustering)
— Disk-based replication (RAID)
— Disk snapshots

Disk-based Backup Systems:
• Virtual tape libraries (VTLs):
These systems consist of disk storage and software that control backup and restore
operations. For disaster recovery purposes, the contents of a VTL are replicated from the
primary site to a backup site using the hardware-based replication provided by a disk array.
• Host-based replication:
This replication is executed at the host (server) level, which sends copies of the data to the
target server. It can occur in real time (synchronous mode) or with a delay (asynchronous
mode).
• Disk-array replication:
It is the same as host-based replication; however, the replication can be completely hidden
from servers and applications. The replication can be completed via SAN or LAN to offsite
storage.
• Snapshots:
This technology is very flexible, allowing different types of momentary copies of volumes or
file systems to be made. Depending upon the type of snapshot, either a full copy is created
each time or only the changed blocks of data or files are stored.

Backup Schemes:
There are three main schemes for backup: full, incremental and differential. Each one has its
advantages and disadvantages. Usually, the methods are combined in order to complement
each other.

1) Full backup: This type of backup scheme copies all files and folders to the backup media,
creating one backup set (with one or more media, depending on media capacity). The main
advantage is having a unique repository in case of restoration, but it requires more time and
media capacity.
2) Differential backup: A cumulative backup of all files and folders that have been added or
changed since a full backup was performed, i.e., the differences since the last full backup. It
requires more storage and cost than an incremental backup. Its restoration requires only the
last full backup plus the latest differential backup, so the restoration time is short, but the
backup time is longer.
3) Incremental backup: A backup of the latest copies of files and folders that have been
changed or added since the last incremental or full backup. It requires less storage and cost.
Its restoration requires the last full backup plus every incremental backup taken since, so the
restoration time is longer, but the backup time is shorter.
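The three backup schemes above, as an added Python simulation that is not part of the notes: the seven-day change history and file names are constructed. It shows what each scheme copies on each day, how much media capacity the week consumes, and which backup sets a restore at the end of the week needs.

```python
from dataclasses import dataclass, field

# Added example (not from the notes): simulate full, differential and incremental
# backups over a constructed week of file changes.


@dataclass
class Backup:
    day: int
    kind: str            # "full", "differential" or "incremental"
    files: frozenset     # names of the files captured in this backup


@dataclass
class BackupHistory:
    scheme: str                    # "differential" or "incremental" (between fulls)
    full_every: int = 7            # a full backup on day 0, 7, 14, ...
    backups: list = field(default_factory=list)
    changed_since_full: set = field(default_factory=set)

    def run_day(self, day, all_files, changed_today):
        """Take the backup for `day`: `all_files` is the complete file set,
        `changed_today` the files added or modified since the previous day."""
        if day % self.full_every == 0:
            self.changed_since_full = set()
            self.backups.append(Backup(day, "full", frozenset(all_files)))
            return
        self.changed_since_full |= set(changed_today)
        if self.scheme == "differential":
            # cumulative: everything changed since the last full backup
            self.backups.append(Backup(day, "differential", frozenset(self.changed_since_full)))
        else:
            # only what changed since the previous backup of any kind
            self.backups.append(Backup(day, "incremental", frozenset(changed_today)))

    def restore_chain(self, day):
        """Backup sets needed to restore the state as of `day`, oldest first."""
        full = max((b for b in self.backups if b.kind == "full" and b.day <= day),
                   key=lambda b: b.day)
        later = [b for b in self.backups if full.day < b.day <= day]
        if self.scheme == "differential":
            return [full] + later[-1:]        # last full + latest differential only
        return [full] + later                 # last full + every incremental since

    def storage_used(self):
        """Total file copies held, a proxy for the media capacity consumed."""
        return sum(len(b.files) for b in self.backups)


def simulate(scheme):
    """Run a constructed week: four files, with a few edits on most days."""
    files = {"ledger.db", "payroll.xlsx", "config.ini", "audit.log"}
    changes = {1: {"ledger.db"}, 2: {"payroll.xlsx"}, 3: {"ledger.db", "config.ini"},
               4: set(), 5: {"audit.log"}, 6: {"ledger.db"}}
    history = BackupHistory(scheme)
    for day in range(7):
        history.run_day(day, files, changes.get(day, set()))
    chain = history.restore_chain(6)
    restored = frozenset().union(*(b.files for b in chain))
    return {
        "storage": history.storage_used(),          # file copies written this week
        "chain_days": [b.day for b in chain],       # sets a day-6 restore must read
        "restore_complete": restored == frozenset(files),
    }


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        print(scheme, simulate(scheme))
```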

Methods of Rotation:
The most accepted technique is referred to as the Grandfather-Father-Son (GFS) scheme. Daily
backups (son) are made over the course of a week. The final backup taken during the week
becomes the backup for that week (father). At the end of the month, the final weekly backup is
retained as the backup for that month (grandfather).

Components of a Business Continuity Plan:
Depending on the size and/or requirements of an organization, a BCP may consist of
components as follows:
Business Continuity Plan (BCP): Provides procedures in advance to maintain continuity of critical
business operations in the event of a disruption and to survive a disastrous interruption to
activities.
Continuity of Operations Plan (COOP): Provides procedures and guidance to ensure
sustainability of the mission essential functions (MEFs) of an organization, at an alternate site
for up to 30 days.
Crisis Communication Plan: Provides procedures or steps to take for communicating or
disseminating critical status information and controlling rumors among personnel and the public
(not IS-focused).
Critical Infrastructure Protection (CIP) Plan: Provides policies and procedures about protection
of national critical infrastructure components supported by an agency or organization.
Cyber Incident Response Plan: Provides procedures for mitigating and correcting a cyber-attack,
such as a data breach, ransomware attack, virus, worm or Trojan horse, by mitigation and
isolation of affected systems, cleanup and minimizing loss of information.
Disaster Recovery Plan (DRP): Provides policies and procedures after major system disruptions
for relocating information systems operations to an alternate location.
Information System Contingency Plan (ISCP): Provides procedures and capabilities for the
recovery of information systems, operations, and data after a disruption, addressing a "plan B",
i.e. recovery at the current or an alternative location.
Occupant Emergency Plan (OEP): Provides coordinated procedures for minimizing loss of life
or injury and protecting property from damage (personnel and property particular to the specific
location) in response to a physical threat or emergency (not business operations or IS-focused).

Insurance:
The plan should contain key information about the organization’s insurance. The IT processing
insurance policy is usually a multi-risk policy designed to provide various types of IT coverage.
Specific types of coverage available are:
• IT equipment and facilities: Provides coverage for physical damage to the IPFs(Information
process facilities) and owned equipment.
• Media (software) reconstruction: Covers damage to IT media for on-premises, off-premises or
in-transit situations and covers the actual reproduction cost of the property.
• Extra expense: Designed to cover the extra costs of continuing operations following damage or
destruction at the IPF.
• Business interruption: Covers the loss of profit due to the disruption of the activity of the
company caused by any malfunction of the IT organization.
• Valuable papers and records: Covers the actual cash value of papers and records against
direct physical loss or damage.
• Errors and omissions: Provide legal liability protection in the event that the professional
practitioner commits an act, error or omission that results in financial loss to a client.
• Fidelity coverage: Covers loss from dishonest or fraudulent acts by employees.
• Media transportation: Provides coverage for potential loss or damage to media in transit to
off-premises IPFs.
Test Execution:
To perform testing, each of the following test phases should be completed:
• Pretest: the set of actions necessary to set the stage for the actual test. This includes placing,
transporting or installing the proper equipment in the operations recovery area. These are
preparatory activities only and are outside the realm of those that would take place in a real
emergency.
• Test: the real action of the business continuity test. Actual operational activities are executed
to test the specific objectives of the BCP. Evaluators review staff members as they perform the
designated tasks. This is the actual test of preparedness to respond to an emergency.
• Posttest: the process of returning from the backup recovery area to the original site. This
phase includes returning all resources to their proper place, disconnecting equipment and
deleting all company data from third-party systems.
In addition, the following types of tests may be performed:
• Desk-based evaluation/paper test: a paper walk-through of the plan, involving the major
personnel in the plan's execution, who walk through the entire plan or just a portion of it. This
helps evaluate their knowledge of the plan.
• Preparedness test: usually a localized version of a full test, in which actual resources are
expended to simulate a system crash. It is performed on different aspects of the plan to obtain
evidence about how good the plan is.
• Full operational test: one step away from an actual service disruption. The organization tests
the plan by simulating a disaster itself, stopping short of a real shutdown of operations.
CHAPTER:8: INFORMATION SECURITY MANAGEMENT

Importance of ISM:
Recent developments in the current environment (such as e-business conducted directly with
customers, the use of remote access facilities and the high incidence of viruses, intrusions,
etc.) have raised the profile of information security and privacy risk and the need for effective
information security management. Security objectives to meet the organization's business
requirements include the following:
• Continued availability of information systems and data
• Integrity of stored and in-transit information
• Confidentiality of stored and in-transit sensitive data
• Adherence to laws, regulations and standards
• Adherence to privacy policy and applicable rules
• Adequate protection of sensitive data

Key elements of ISM:
• Commitment and support from senior management are important for the successful establishment
and continuance of an information security management program.
• The policy framework should be established with a concise top-management declaration of
direction.
• The information security policy should give clearly defined guidance on the allocation of
security roles and responsibilities in the organization for the protection of critical resources.
• Users should receive appropriate training and regular updates to foster security awareness and
compliance with written security policies and procedures.
• Processes should be in place to identify, assess, respond to and mitigate risk to information
assets.
• Compliance with applicable laws and regulations should be monitored.
• Incidents should be handled and responded to; these include loss of confidentiality of
information, compromise of the integrity of information, denial of service, unauthorized access,
misuse of systems or information, and theft of or damage to systems.

System Access Permission:
System access to computerized information resources is established, managed and controlled at the
physical and/or logical level.
Physical access controls: Restrict the entry and exit of personnel to an area such as an office
building, suite, data center or room containing information processing equipment such as a local
area network (LAN) server.
Logical system access controls: Use mechanisms such as access control lists to manage and regulate
user access to computer systems and digital resources. They include methods such as passwords,
role-based access control and encryption to ensure that only authorized users can access
information, maintaining confidentiality, integrity and availability.

Mandatory access controls (MACs) are logical access controls enforced by the system according to a
policy (for example, sensitivity labels on data and clearances on users) that normal users or data
owners cannot modify; they apply by default and cannot be overridden by the resource owner.
Discretionary access controls (DACs) are logical access controls that may be configured or
modified by the users or data owners of the protected resource (for example, a file owner granting
read access to a colleague). Where both are in use, MAC is evaluated first: a DAC grant cannot give
access that the mandatory policy forbids.
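To make the MAC/DAC distinction concrete, here is an added example (Python; not part of the original
notes): a toy access decision engine in which sensitivity labels and clearances (MAC) are set only
by the security administrator and evaluated first, while per-resource ACLs (DAC) are maintained by
the resource owner. The user names, resource name and four-level label scale are assumptions made
for the illustration; the "no read-up" rule it enforces is the Bell-LaPadula simple security
property, the most common example of a mandatory policy.

```python
from dataclasses import dataclass, field

# Sensitivity labels, lowest to highest. Assumed for this example; real systems
# (SELinux, Windows integrity levels, Bell-LaPadula implementations) define their own lattices.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Resource:
    name: str
    owner: str
    label: str                                   # MAC label, administrator-controlled
    acl: dict = field(default_factory=dict)      # DAC: user -> set of permissions


class AccessEngine:
    def __init__(self):
        self.clearance = {}     # user -> label; only the security administrator writes here
        self.resources = {}

    # ---- administrator-only operations (the mandatory policy) ----
    def set_clearance(self, user, label):
        self.clearance[user] = label

    def add_resource(self, resource):
        self.resources[resource.name] = resource

    def relabel(self, name, label):
        self.resources[name].label = label

    # ---- owner-controlled operation (the discretionary policy) ----
    def grant(self, actor, name, user, perm):
        res = self.resources[name]
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {name}")
        res.acl.setdefault(user, set()).add(perm)

    # ---- decision ----
    def check(self, user, name, perm):
        res = self.resources[name]
        # MAC first: no read-up. A subject may not observe data labelled above its
        # clearance, whatever the ACL says and even if it owns the resource.
        user_level = LEVELS[self.clearance.get(user, "public")]
        if user_level < LEVELS[res.label]:
            return False
        # DAC second: the owner has implicit access; everyone else needs an ACL entry.
        if user == res.owner:
            return True
        return perm in res.acl.get(user, set())


def demo():
    """Walk through the cases that distinguish the two models; returns a dict of verdicts."""
    eng = AccessEngine()
    eng.set_clearance("alice", "confidential")
    eng.set_clearance("bob", "internal")
    eng.set_clearance("carol", "confidential")
    eng.add_resource(Resource("payroll.xlsx", owner="alice", label="confidential"))
    out = {}
    out["owner_reads_own_file"] = eng.check("alice", "payroll.xlsx", "read")
    out["carol_without_acl"] = eng.check("carol", "payroll.xlsx", "read")    # DAC denies
    eng.grant("alice", "payroll.xlsx", "carol", "read")
    out["carol_after_grant"] = eng.check("carol", "payroll.xlsx", "read")    # DAC allows
    eng.grant("alice", "payroll.xlsx", "bob", "read")
    out["bob_after_grant"] = eng.check("bob", "payroll.xlsx", "read")        # MAC still denies
    try:
        eng.grant("bob", "payroll.xlsx", "bob", "read")
        out["non_owner_grant"] = "accepted"
    except PermissionError:
        out["non_owner_grant"] = "refused"
    eng.relabel("payroll.xlsx", "secret")                                    # administrator acts
    out["owner_after_relabel"] = eng.check("alice", "payroll.xlsx", "read")  # owner now denied
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

The point to notice is the order of the two checks in check(): alice, the owner, can hand bob a
read permission through the ACL, but bob's clearance is below the label, so the grant has no
effect; and once the administrator relabels the file to "secret", even the owner loses access.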

Computer Crime Issues:
Computer systems can be used to fraudulently obtain money, goods, software or corporate
information. Crimes can also be committed when the computer application process or data are
manipulated to accept false or unauthorized transactions. A simple, nontechnical method of computer
crime is stealing the computer equipment itself.
Crimes that exploit computers pose the following threats to the business:
1. Financial loss: these losses can be direct, through loss of electronic funds, or indirect,
through the costs of correcting the exposure.
2. Legal repercussions: there are numerous privacy and human rights laws that the organization
must consider; they can protect the organization but in some cases also shield the perpetrator
from prosecution. In addition, not having proper security measures could expose the organization
to lawsuits from investors and insurers.
3. Loss of credibility or competitive edge: many organizations, especially service firms, need
credibility and public trust to maintain a competitive edge. Damage to credibility could result
in loss of business and prestige.
4. Blackmail/industrial espionage/organized crime: an attacker can extort payments or services
from an organization by threatening to publicly disclose confidential information, or can obtain
proprietary information and sell it to a competitor.
5. Disclosure of confidential, sensitive or embarrassing information: disclosure of confidential
information can damage an organization's credibility and its means of conducting business.
6. Sabotage: some perpetrators are not looking for financial gain. They merely want to cause
damage, out of a dislike of the organization or for self-gratification.
The perpetrators of computer crime include the following:
7. Hackers/crackers: persons with the ability to explore the details of programmable systems and
the knowledge to stretch or exploit their capabilities, whether ethically or not. Hackers are
typically attempting to test the limits of access restrictions to prove their ability to overcome
the obstacles. Crackers are persons who try to break the security of a system and gain access
without being invited to do so.
8. Script kiddies: individuals who use scripts and programs written by others to perform their
intrusions and are often incapable of writing similar scripts on their own.
9. Employees (authorized or unauthorized): individuals affiliated with the organization and given
system access based on job responsibilities. They can cause significant harm to an organization.
10. IT personnel: individuals with the easiest access to computerized information, being the
custodians of that information. Logical access controls, good segregation of duties (SoD) and
supervision help reduce logical access violations by them.
11. End users: often have broad knowledge of the information within the organization and easy
access to internal resources.
12. Former employees: employees who left on unfavorable terms may still have access if it was not
removed immediately at the time of termination or if the system has "back doors".

Some others are:
Interested or educated outsiders: competitors, terrorists, organized criminals, crackers, hackers
looking for a challenge or exploits, script kiddies acting out of curiosity, joyriding or testing
their newly acquired tools/scripts, and phreakers (hackers attempting access into the
telephone/communication system).
Nation states: nations attack each other's key organizations and businesses, which rely on the
Internet.
Part-time and temporary employees: facility contractors such as office cleaners often have a great
deal of physical access and could perpetrate a computer crime.
Third parties: vendors, visitors, consultants or other third parties who, through projects, gain
access to the organization's resources and could perpetrate a crime.
Opportunists: where information is inadvertently left unattended or left for destruction, a
passerby can access it.
Accidental/unaware: someone who unknowingly perpetrates a violation.

Logical Access; Attack methods and techniques:
Logical access is the ability to interact with computer resources (systems, programs and data),
locally or remotely, through the system's identification, authentication and authorization
mechanisms, as opposed to physical access to the equipment itself.
Technical exposures are types of exposure that exist due to accidental or intentional exploitation
of logical access control weaknesses. Intentional exploitation of technical exposures might lead
to computer crime.
1. Eavesdropping: intercepting and listening to private communications, such as data
transmission over a network, without the knowledge or consent of the parties involved.
Eavesdropping can lead to unauthorized access to sensitive information.
2. Masquerading: pretending to be someone else, or impersonating a legitimate user or system, to
gain unauthorized access to resources or to deceive users into disclosing sensitive information.
3. Denial-of-service (DoS) attack: flooding a network, system or service with excessive traffic
or requests to overwhelm its resources, causing it to become unavailable to legitimate users.
This attack disrupts normal operations and can result in downtime or service degradation.
4. Virus: a type of malicious software that infects a computer or system by attaching itself to
legitimate programs or files. Viruses can replicate and spread to other computers, causing damage
to files, software and (indirectly) hardware.
5. Worm: a self-replicating type of malware that spreads across networks and systems without
requiring user interaction. Worms exploit vulnerabilities to propagate rapidly and can cause
widespread damage by consuming network bandwidth or disrupting services.
6. Spyware: malware designed to secretly monitor and collect information about a user's
activities, such as browsing habits, keystrokes or personal data, without their knowledge or
consent. Spyware can be used for surveillance, identity theft or unauthorized access to sensitive
information. (Malware is the general term for all malicious software: viruses, worms, spyware,
Trojan horses, etc.)
7. Email spamming: sending unsolicited bulk emails, often containing advertisements, scams or
malicious links, to a large number of recipients. Spam clogs mail servers and inboxes, reduces
productivity and poses security risks.
8. Phishing: a type of cyber attack that tricks users into disclosing sensitive information, such
as login credentials or financial data, by impersonating legitimate entities through fraudulent
emails, websites or messages.
9. Pharming: redirecting users from legitimate websites to fraudulent or malicious websites
without their knowledge or consent. Pharming attacks exploit DNS vulnerabilities or manipulate
hosts files to hijack web traffic and steal sensitive information.
10. Trojan horses: malicious software disguised as legitimate programs or files to deceive users
into executing them. Once installed, Trojan horses can perform various malicious actions, such as
stealing data, compromising security or providing back-door access to attackers.
11. Trap doors (back doors): hidden or undocumented entry points intentionally inserted into
software or systems by developers that bypass normal authentication and allow privileged access to
anyone who knows of them.
12. Logic bombs: code or scripts embedded in software or systems to execute malicious actions when
specific conditions are met, such as triggering data deletion or system disruption at a
predetermined time or event.
Some other attacks are:
1) Alteration attack: occurs when unauthorized modifications affect the integrity of data or
code. A cryptographic hash (or better, a keyed hash whose key the attacker does not have) is a
primary defense against alteration attacks.
2) Botnets: a collection of compromised computers (called zombie computers) running software,
usually installed via worms, Trojan horses or back doors, that is controlled remotely. Botnets
are used for DoS attacks and for distributing adware, spyware and spam.
3) Brute force attack: launched by an intruder, using one of the many password-cracking tools
available at little or no cost, against hashed or encrypted passwords in an attempt to gain
unauthorized access to an organization's network or host-based systems.
4) Man-in-the-middle attack: the attacker interferes while two devices are establishing a
connection (or inserts himself into an existing one), connecting to both and pretending to each
of them to be the other. The attacker can then read and modify the traffic between them. To
execute this attack the attacker must be able to reach both devices, e.g. by sitting on the
network path between them.
5) Social engineering: the human side of breaking into a computer system. This may happen if an
employee unknowingly gives away confidential information (e.g., passwords and IP addresses) by
answering questions over the phone or replying to an email message from an unknown person. Some
examples of social engineering include impersonation through a telephone call, dumpster diving
and shoulder surfing.
6) Data diddling: an attack in which the attacker modifies information before or as it is entered
into, or while it is stored in, a database. It requires limited technical knowledge and typically
occurs before the application's own input controls can protect the data.
7) Salami attack: an attack in which the intruder draws off small amounts of money from many
computerized transactions or accounts (e.g., rounding fractions of a cent) and places them in
another account that he or she can access, relying on each individual amount being too small to
be noticed.
8) Data leakage: the unauthorized transmission of data from within an organization to an external
destination or recipient. Data leakage usually occurs via the web and email, but can also occur
via mobile data storage devices such as optical media, USB keys and laptops.
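The following added example (Python; not from the original notes) shows why the defense named
under alteration attacks must be a keyed hash when the attacker can also write the stored hash. A
constructed transaction record is protected both with a plain SHA-256 digest and with an
HMAC-SHA256 whose key the application holds outside the database (the key value and the record
fields are assumptions). An insider with write access to the table, in the data-diddling/salami
style described above, shaves a few cents off the amount and recomputes the plain digest; only the
keyed tag reveals the change.

```python
import hashlib
import hmac
import json

# Constructed sample record; think of it as one row of a transactions table.
ORIGINAL = {"txn_id": 1001, "account": "ACC-42", "amount": 250.00, "currency": "USD"}

# Assumed: the integrity key lives in the application (HSM, vault, config), never in the DB.
INTEGRITY_KEY = b"integrity-key-held-outside-the-database"


def canonical(record):
    """Stable byte serialisation so the tag does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sha256_tag(record):
    """Unkeyed hash: anyone who can read the record can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def hmac_tag(key, record):
    """Keyed hash (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def store(record, key):
    """What the application writes: the data plus both kinds of integrity tag."""
    return {"data": dict(record), "sha256": sha256_tag(record), "hmac": hmac_tag(key, record)}


def diddle(row, delta):
    """Insider with write access to the table shaves `delta` off the amount (a salami-style
    change) and recomputes the plain hash so the row still looks consistent. The HMAC column
    cannot be recomputed without the key, so it is left as found."""
    altered = dict(row["data"], amount=round(row["data"]["amount"] - delta, 2))
    return {"data": altered, "sha256": sha256_tag(altered), "hmac": row["hmac"]}


def verify(row, key):
    """Return which of the two checks still pass for a stored row."""
    return {
        "sha256_ok": hmac.compare_digest(sha256_tag(row["data"]), row["sha256"]),
        "hmac_ok": hmac.compare_digest(hmac_tag(key, row["data"]), row["hmac"]),
    }


if __name__ == "__main__":
    row = store(ORIGINAL, INTEGRITY_KEY)
    print("clean row   ", verify(row, INTEGRITY_KEY))
    print("diddled row ", verify(diddle(row, 0.05), INTEGRITY_KEY))
```

The same reasoning applies to checksums on program files: a hash stored next to the file it
protects only detects accidental alteration; against a deliberate attacker the hash must be keyed
or kept somewhere the attacker cannot write.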

Paths of logical Access:
Access, or points of entry, to an organization's IS infrastructure can be gained through several
avenues. Each avenue is subject to appropriate levels of access security. General modes of access
into this infrastructure occur through the following:
Network connectivity: access is gained by linking a PC to a segment of an organization's network
infrastructure, either through a physical or a wireless connection. Other modes of access into
the infrastructure can also occur through network management devices, such as routers and
firewalls, whose management interfaces should be strictly controlled.
Remote access: a user connects remotely to an organization's server, which generally requires the
user to identify and authenticate him/herself to the server for access to specific functions that
can be performed remotely. Complete access to view all network resources usually requires a
virtual private network (VPN), which provides secure authentication and an encrypted connection
into those resources where privileges have been granted.

Identification and Authentication:
Identification and authentication (I&A) is the logical access control process of establishing and
proving one's identity.
Identification is the process of claiming/presenting an identity (e.g. a user ID), while
authentication is the verification of that claim by means of credentials (e.g. a password, token
or biometric).
I&A is a critical building block of computer security because it is needed for most types of
access control and is necessary for establishing user accountability. I&A is the first line of
defense because it prevents unauthorized people (or unauthorized processes) from entering a
computer system or accessing an information asset.
Some of I&A's more common vulnerabilities that may be exploited to gain unauthorized system
access include:
—Weak authentication methods (simple or easily guessed passwords)
—The potential for users to bypass the authentication mechanism
—The lack of encryption of authentication information transmitted over a network
—The lack of confidentiality and integrity for the stored authentication information
—The user's lack of knowledge of the risk associated with sharing authentication elements
(passwords, security keys, tokens).

Features of Passwords: A password provides individual authentication. It should be easy for the
user to remember but difficult for an intruder to determine.
—Initial passwords should be allocated by the security administrator; when the user logs on for
the first time, the system should force a password change to improve confidentiality.
—If the wrong password is entered a predefined number of times (e.g. 3 times), the logon ID
should be automatically locked out.
—Users who have forgotten their password must notify a security administrator, who is the only
person with sufficient privileges to reset the password (after verifying the user's identity).
—Passwords should never be stored in clear text or with reversible encryption; they should be
hashed (a one-way function) with a per-user salt using a sufficiently strong, deliberately slow
algorithm.
—Passwords should be changed on a regular basis (e.g., every 30 days). Note that more recent
guidance (e.g., NIST SP 800-63B) favors changing passwords when there is evidence of compromise
rather than on a fixed schedule, since frequent forced changes push users toward weaker,
predictable passwords.
—Special treatment should be applied to supervisor or administrator accounts. These accounts
frequently allow full access to the system.

Password syntax (format) rules:
—Passwords should be a minimum of eight characters in length; twelve characters or more is
adequate.
—Passwords should require a combination of at least three of the following four character classes:
upper-case letters, lower-case letters, digits and special characters.
—Passwords should not be particularly identifiable with the user (such as first name, last name,
spouse's name, pet's name, etc.).
—The system should enforce regular password changes (e.g., every 30 days) and not permit previous
password(s) to be reused for at least a year after being changed.
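The password controls listed above can be enforced mechanically. The following added example
(Python; not part of the original notes) implements them for a single account object: a syntax
check (minimum twelve characters, three of four character classes, no user identifier inside the
password), salted PBKDF2-HMAC-SHA256 storage so that the clear-text password is never kept,
lockout after three failed attempts, a forced change at first logon after the administrator sets
or resets the password, and a history check that refuses reuse. The user ID, sample passwords and
iteration count are assumptions; the 600,000 default iteration count is the figure OWASP currently
recommends for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12              # syntax rule: twelve characters is adequate
MAX_FAILED = 3               # lock the logon ID after three wrong passwords
HISTORY_DEPTH = 12           # remember this many previous hashes to block reuse
PBKDF2_ITERATIONS = 600_000  # OWASP figure for PBKDF2-HMAC-SHA256 (assumed adequate here)

# The four character classes; the policy requires any three of them.
CHARACTER_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())


def meets_policy(password, user_id, forbidden=()):
    """Return (ok, reason) for the syntax rules. `forbidden` holds other user-identifying
    terms (first name, spouse's name, ...) that must not appear in the password."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    classes = sum(1 for test in CHARACTER_CLASSES if any(test(c) for c in password))
    if classes < 3:
        return False, "needs 3 of 4 character classes"
    lowered = password.lower()
    for term in (user_id, *forbidden):
        if term and term.lower() in lowered:
            return False, f"contains '{term}'"
    return True, "ok"


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted one-way hash; the stored string carries everything needed to verify it later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


class Account:
    def __init__(self, user_id, initial_password, iterations=PBKDF2_ITERATIONS):
        self.user_id = user_id
        self.iterations = iterations
        self.failed = 0
        self.locked = False
        self.history = []
        self.admin_reset(initial_password)   # the initial password comes from the administrator

    def admin_reset(self, temporary_password):
        """Security administrator only: sets a temporary password, unlocks, forces a change."""
        self.stored = hash_password(temporary_password, self.iterations)
        self.history = (self.history + [self.stored])[-HISTORY_DEPTH:]
        self.failed = 0
        self.locked = False
        self.must_change = True

    def login(self, password):
        if self.locked:
            return "locked"
        if not verify_password(password, self.stored):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed = 0
        return "must_change" if self.must_change else "ok"

    def change_password(self, new_password):
        ok, reason = meets_policy(new_password, self.user_id)
        if not ok:
            return reason
        if any(verify_password(new_password, old) for old in self.history):
            return "reused"
        self.stored = hash_password(new_password, self.iterations)
        self.history = (self.history + [self.stored])[-HISTORY_DEPTH:]
        self.must_change = False
        return "ok"
```

Because each history entry has its own salt, the reuse check has to re-derive the candidate
password against every stored hash; that cost is deliberate and is the same cost an attacker pays
per guess in a brute force attack on a stolen password file.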

Token Devices, One-time Passwords: A two-factor authentication technique in which the user is
assigned a microprocessor-controlled smart card, USB key or mobile-device application that is
registered with a specific authentication system. It generates one-time passwords that are valid
for only one login session (or a short time window). Users enter this one-time password along with
a password they have memorized to gain access to the system.

Biometrics: Verifies the identity of a human being based on a unique, measurable physical
attribute or behavioral trait.

Physically oriented biometrics:
● Palm-based biometric devices analyze physical characteristics associated with the palm, such
as ridges and valleys.
● Hand geometry measures the physical characteristics of the user's hands and fingers from a
three-dimensional perspective.
● Iris recognition uses the patterns in the colored portion of the eye surrounding the pupil,
which are unique to every individual; the iris has over 400 characteristics, of which
approximately 260 are used to generate the template.
● Retina scan uses optical technology to map the capillary pattern of the eye's retina. The
patterns of the retina are measured at over 400 points to generate a 96-byte template.
● Fingerprint access control is commonly used; the user places his/her finger on an optical
device or silicon surface to have the fingerprint scanned.
● Face-recognition biometric devices process an image captured by a video camera.

Behavior-oriented biometrics:
Signature recognition: verifies identity based on unique signature characteristics such as
stroke patterns and directions, stroke length and the points in time when the pen is lifted from
the paper. Used for authenticating signatures on documents and transactions.
Voice recognition: identifies individuals based on unique vocal characteristics such as pitch
and tone. Used for voice authentication in devices and systems.
Single Sign-on: SSO is the process of consolidating all organization platform-based
administration, authentication and authorization functions into a single centralized
administrative function, so that a user authenticates once and is then granted access to
multiple systems.

LAN Security:
Risk associated with the use of LANs includes:
- Loss of data and program integrity through unauthorized changes
- Lack of current data protection
- Virus and worm infection
- Illegal access by impersonating or masquerading as a legitimate LAN user
- Internal users' sniffing
- Internal users' spoofing (reconfiguring a network address to pretend to be a different address)
- Destruction of the logging and auditing data
Commonly available network security administrative capabilities include:
- Declaring ownership of programs, files and storage
- Limiting access under the principle of least privilege (e.g., read only)
- File locking to prevent simultaneous update
- Enforcing user ID/password sign-on procedures, including the rules relating to password length,
format and change frequency
- Using switches with port security rather than hubs or routers
- Encrypting local traffic using the IPSec protocol (as in a VPN)


Virtualization:
Virtualization provides an enterprise with a significant opportunity to increase efficiency and
decrease costs in its IT operations. Virtualization creates a layer (the hypervisor) between the
hardware and the guest OSs to manage shared processing and memory resources on the host. Often, a
management console provides administrative access to manage the virtualized system; because a
compromise of the console or the hypervisor exposes every guest on the host, both must be
protected at least as strictly as the most sensitive guest.

Wireless security threats & Risk mitigation:
Security threats may be classified into the following categories:
- Errors and omissions
- Fraud and theft committed by authorized or unauthorized users of the system
- Employee sabotage
- Loss of physical and infrastructure support
- Malicious hackers
- Industrial espionage
- Malicious code
Security requirements include the following:
• Authenticity—the receiver (or a third party) must be able to verify that a message originated
from the claimed sender and that its content has not been changed in transit.
• Non-repudiation—the origin or the receipt of a specific message must be verifiable by a third
party.
• Accountability—the actions of an entity must be uniquely traceable to that entity.
• Network availability—the IT resource must be available on a timely basis to meet mission
requirements.

Network security threats:
By gathering network information (reconnaissance), the intruder obtains details that can be used
to target a particular system or set of systems during an attack.
• Passive attacks: attacks that gather information without altering the target, such as network
analysis, eavesdropping and traffic analysis; social engineering is commonly used to gather the
same kind of information. (Data diddling, which modifies data, is an active attack.)
• Active attacks: the intruder launches an actual attack against a targeted system to either gain
complete control over that system or enough control to cause certain threats to be realized.
Common forms of active attacks are masquerading, phishing, denial of service (DoS), email
spamming and email spoofing.
Causal factors for Internet attacks: generally, Internet attacks of both a passive and an active
nature occur for a number of reasons, including:
—Availability of tools and techniques on the Internet or as commercially available software that
an intruder can download easily, such as strobe, netcat, jakal, nmap or Asmodeous (Windows), John
the Ripper and L0phtCrack.
—Lack of security awareness and training.
—Exploitation of known security vulnerabilities in network- and host-based systems.
—Inadequate security over firewalls and host-based OSs, allowing intruders to view internal
addresses and use network services.

Internet Security Controls:
- Risk assessments
- Firewall standards and security
- Intrusion detection standards and security
- Security awareness and training for employees
- Monitoring Internet activities for unauthorized usage
- Remote access controls for users connecting to corporate resources over the Internet

Firewall Security Systems:
A firewall is a network device installed at the point where network connections enter a site,
where it monitors incoming and outgoing network traffic and decides whether to allow or block
specific traffic based on a defined set of security rules. Firewalls are hardware and software
combinations built using routers, servers and a variety of software. Most commercial firewalls are
built to handle the most commonly used Internet protocols.
Firewall general features: they separate networks from each other and screen the traffic between
them. Thus, along with other types of security, they control the most vulnerable point between a
corporate network and the Internet.
Firewalls offer many different features; the most common enable organizations to:
- Block access to particular websites.
- Limit traffic on relevant addresses and ports.
- Prevent certain users from accessing certain servers or services.
- Monitor and record communications between an internal and an external network.
- Investigate network penetrations or detect internal subversion while monitoring communications.
- Encrypt packets sent between different physical locations within an organization by creating a
VPN over the Internet (i.e., IPSec/VPN tunnels).

Types of firewalls:
1) Packet filtering firewalls: examine incoming and outgoing packets of data based on
predetermined rules. These rules typically include criteria such as source and destination IP
addresses, ports and protocols.
Each packet is compared against the firewall's rule set; if it matches an allowed rule it is
permitted to pass through the firewall, and if it matches a denied rule it is blocked.
The advantages of this type of firewall are its simplicity and generally stable performance, as
the filtering rules are applied at the network layer.
Its simplicity is also a disadvantage: each packet is judged in isolation, so the firewall cannot
tell a genuine reply from a crafted packet carrying the right addresses, ports and flags, and it
is vulnerable to attacks tunneled over permitted services and to misconfiguration.

2) Application firewall systems: also known as layer 7 firewalls, operate at the application
layer of the OSI model. They inspect and filter traffic based on specific applications or
protocols, allowing more granular control over network traffic.
Application firewalls analyze data at the application layer to identify and control traffic
associated with specific applications or services, such as HTTP, FTP or DNS.
Advantages are that they provide security for commonly used protocols and generally hide the
internal network from outside, untrusted networks.
Disadvantages are poorer performance and scalability as Intern usage grows.

3) Stateful inspection firewalls: also known as stateful firewalls, maintain state information
about active network connections to make more informed decisions about allowing or blocking
traffic.
Instead of just examining individual packets, stateful inspection firewalls keep track of the
state of each connection, such as whether it is new, established or related to an existing
connection, and only admit inbound packets that belong to a connection initiated from the
protected side.
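The difference between the first and third types is easiest to see in code. The following added
example (Python; not part of the original notes) simulates both on four constructed packets: a
stateless filter that approximates "established" by admitting any inbound TCP segment with the ACK
bit set from source port 80, and a stateful filter that only admits inbound segments matching a
connection it saw an inside host open. Addresses come from the RFC 5737 documentation ranges; the
rule set and the simplified state table (no timeouts, no full TCP state machine) are assumptions
for illustration.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."        # the protected network (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Packet filter: every packet is judged on its own header fields.
    Rule 1: any TCP from inside to outside may leave.
    Rule 2: TCP from outside with ACK set and source port 80 is assumed to be a reply
            to a web request (the classic 'established' approximation)."""
    if pkt.proto != "tcp":
        return "deny"
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow"
    if is_internal(pkt.dst) and "ACK" in pkt.flags and pkt.sport == 80:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful inspection: remembers connections opened from inside and only admits
    inbound segments that belong to one of them."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if pkt.proto != "tcp":
            return "deny"
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add(key)                     # new outbound connection
                return "allow"
            return "allow" if key in self.table else "deny"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: look up the reverse tuple
        if key in self.table:
            if pkt.flags & {"FIN", "RST"}:
                self.table.discard(key)                 # connection closing: forget it
            return "allow"
        return "deny"


def run_scenario():
    """Four constructed packets; returns {description: (stateless_verdict, stateful_verdict)}."""
    sf = StatefulFilter()
    packets = [
        ("client SYN to web server",
         Packet("10.0.0.5", 51000, "203.0.113.10", 80, "tcp", frozenset({"SYN"}))),
        ("web server SYN/ACK reply",
         Packet("203.0.113.10", 80, "10.0.0.5", 51000, "tcp", frozenset({"SYN", "ACK"}))),
        ("attacker ACK-flagged probe to SSH",
         Packet("198.51.100.7", 80, "10.0.0.5", 22, "tcp", frozenset({"ACK"}))),
        ("attacker unsolicited SYN to SSH",
         Packet("198.51.100.7", 40000, "10.0.0.5", 22, "tcp", frozenset({"SYN"}))),
    ]
    return {desc: (stateless_filter(p), sf.check(p)) for desc, p in packets}


if __name__ == "__main__":
    for desc, (stateless, stateful) in run_scenario().items():
        print(f"{desc:36} stateless={stateless:5} stateful={stateful}")
```

The third packet is the one to watch: an attacker who sets source port 80 and the ACK bit walks
through the stateless rule set to an internal SSH port, while the stateful filter rejects it
because no inside host ever opened that connection.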

Firewall issues: Issues related to implementing firewalls include:
- A false sense of security exists where management feels no further security checks and controls
are needed.
- Firewalls can be evaded through the use of modems (or other unmanaged links) that connect users
directly to ISPs.
- Misconfigured firewalls may allow unknown and dangerous services to pass through freely.
- What constitutes a firewall may be misunderstood (e.g., companies claiming to have a firewall
merely have a screening router).
- Monitoring activities may not occur on a regular basis.
- Firewall policies may not be maintained regularly.
- Most firewalls operate at the network layer; therefore, they may not stop application-based or
input-based attacks.

Example of a commercial firewall: Cisco's PIX firewall (since superseded by the Cisco ASA line).

Intrusion Detection System (IDS):
An IDS is a device or software that works in conjunction with routers and firewalls by monitoring
a network or host for malicious activity or policy violations. It protects a company's IS
resources from intrusions (external) as well as misuse (internal). An IDS operates continuously,
running in the background and notifying administrators when it detects a perceived threat; alerts
are commonly forwarded to a security information and event management (SIEM) system for
correlation. The IDS is not a substitute for a firewall, but complements the function of a
firewall.
Components of an IDS are:
- Sensors, which are responsible for collecting data, i.e. network packets, log files, system call
traces, etc.
- Analyzers, which receive input from sensors and determine whether activity is intrusive
- An administration console
- A user interface

Features: The features available in an IDS include:
- Intrusion detection
- Gathering evidence on intrusive activity
- Automated response (e.g., termination of connection, alarm messaging)
- Security policy
- Interface with system tools
- Security policy management

Broad categories of IDSs include:
1. Network-based IDSs: identify attacks within the monitored network traffic and issue a warning
to the operator. (Where configured, one sensor covers the whole network segment it can see.)
2. Host-based IDSs: configured for a specific environment; mainly monitor various internal
resources of the OS (logs, file integrity, system calls) to warn of a possible attack.

Types of IDSs include:
1. Signature-based: these systems detect known intrusion patterns stored in a signature database.
They cannot detect new attacks for which no pattern is available.
2. Statistical-based: these systems build a comprehensive definition of the known and expected
behavior of systems and flag deviations from it. They can detect previously unseen attacks but
may report many events outside the defined normal activity (false positives).
3. Neural networks: an IDS with this feature monitors the general patterns of activity and traffic
on the network and creates a database. This is similar to the statistical model but with added
self-learning functionality.
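To show the trade-off between the first two types on actual log data, the following added example
(Python; not part of the original notes) runs both over constructed web-server access lines: a
signature detector with two fixed patterns (a UNION-based SQL injection and directory traversal),
and a statistical detector that learns a per-source request-rate baseline from a quiet training
window and flags sources more than three standard deviations above it. The log lines, IP
addresses, paths and thresholds are all made up for the illustration. The result reproduces the
two points made above: the signature engine misses the novel scanner but raises no false alarm,
while the statistical engine catches the scanner but also flags a legitimate monitoring host.

```python
import re
import statistics
from collections import Counter

# Signature database: fixed patterns of known attacks (constructed, deliberately small).
SIGNATURES = {
    "sqli_union": re.compile(r"union(\s|\+|%20)+select", re.I),
    "path_traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

# Common Log Format: <ip> <ident> <user> [<time>] "<method> <path> <proto>" <status> <bytes>
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')


def access_line(ip, path):
    """Build one constructed access-log line in Common Log Format."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" 200 512'


def parse(line):
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def signature_alerts(lines):
    """Signature-based: alert on every request whose path matches a known pattern."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, path = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((name, ip, path))
    return alerts


def requests_per_source(lines):
    counts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is not None:
            counts[parsed[0]] += 1
    return counts


def learn_baseline(training_lines):
    """Statistical-based: describe 'normal' as the mean and spread of requests per source."""
    values = list(requests_per_source(training_lines).values())
    mean = statistics.mean(values)
    stdev = statistics.stdev(values) if len(values) > 1 else 0.0
    return mean, (stdev or 1.0)   # avoid a zero divisor on a perfectly uniform baseline


def anomaly_alerts(lines, baseline, threshold=3.0):
    """Flag any source whose request count lies more than `threshold` sigmas above the mean."""
    mean, stdev = baseline
    alerts = []
    for ip, count in requests_per_source(lines).items():
        z = (count - mean) / stdev
        if z > threshold:
            alerts.append(("rate_anomaly", ip, round(z, 1)))
    return alerts


# Training window (constructed): five ordinary internal clients making 2-5 requests each.
TRAINING = [access_line(f"10.0.0.{i}", f"/page{j}")
            for i, n in ((11, 3), (12, 4), (13, 2), (14, 5), (15, 3)) for j in range(n)]

# Detection window (constructed): one normal client, a scanner using paths no signature
# knows, a single low-and-slow SQL injection, and a legitimate monitoring host that polls often.
WINDOW = (
    [access_line("10.0.0.12", f"/page{j}") for j in range(4)]
    + [access_line("198.51.100.7", f"/probe/{j}") for j in range(40)]
    + [access_line("203.0.113.9", "/search?q=1'+UNION+SELECT+password+FROM+users--")]
    + [access_line("10.0.0.20", "/health") for _ in range(12)]
)


def run_demo():
    return {"signature": signature_alerts(WINDOW),
            "anomaly": anomaly_alerts(WINDOW, learn_baseline(TRAINING))}


if __name__ == "__main__":
    for kind, alerts in run_demo().items():
        print(kind, alerts)
```

Neither detector alone is sufficient, which is why production sensors combine both and why the
statistical threshold (and the training window it is learned from) needs tuning per environment
before its alerts are trusted.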
Limitations: An IDS cannot help with the following weaknesses:
- Weaknesses in the policy definition
- Application-level vulnerabilities
- Back doors into applications
- Weaknesses in identification and authentication schemes

Intrusion Prevention Systems (IPSs):
An IPS is a network security and threat prevention technology that examines network traffic flows
in order to detect and prevent vulnerability exploits. The IPS sits inline in the traffic path,
often directly behind the firewall.
IPSs are closely related to IDSs, but not only detect attacks; they also prevent the intended
victim hosts from being affected by dropping or blocking the malicious traffic. Some IPSs can also
reconfigure other security controls, such as a firewall or router, to block an attack. Because an
IPS blocks traffic, a false positive there disrupts a legitimate service, so its signatures need
tighter tuning than those of an IDS.

Honey pots and Honey nets:
A honeypot is a software application or system exposed on the Internet to lure attackers. It is an
intentionally vulnerable decoy that allows attackers to exploit weaknesses so that you can study
their techniques and improve your security. The more often it is targeted by intruders, the more
valuable it becomes as a source of information, since no legitimate user has any reason to touch
it.
There are two basic types of honeypots:
• High-interaction—give attackers a real environment to attack.
• Low-interaction—emulate production environments (typically only selected services) and offer the
attacker limited interaction, which is safer and cheaper to operate.
A honeynet is a set of multiple, linked honeypots that simulate a larger network installation.
Attackers penetrate the honeynet, which allows investigators to observe their actions using a
combination of surveillance technologies.

Encryption:
Encryption is the process of converting a plaintext message into a secure
cipher text, which cannot be understood without converting it back via decryption (the reverse
process) to plaintext. This is done via a mathem
called the key.

- Deter and detect accidental or intentional alterations of data
- Verify authenticity of a transaction or document

Key elements of encryption systems include:


1. Encryption algorithm: A mathematical function that encrypts/decrypts data (steps to
encrypt/decrypt)
2. Encryption keys: A piece of information used by the encryption algorithm to make the
encryption or decryption process unique. Similar to passwords, a user needs to provide the
correct key to access or decrypt a message. The wrong key deciphers the message into an
unreadable form.
3. Key Length: A predetermined length for the key. The longer the key, the more difficult it is
to compromise in a brute force attack.

There are two types of encryption processes:


1. (Private) Symmetric Key Cryptographic Systems: A secret key is used to encrypt the
plaintext into ciphertext and to decrypt the ciphertext back into the corresponding plaintext. In
this case, the key is said to be symmetric because the encryption key is the same as the
decryption key. The most common symmetric key cryptographic system used
Examples: DES algorithm (56-bit key), AES algorithm (128- or 256-bit key), 3DES algorithm. DES
stands for Data Encryption Standard; AES stands for Advanced Encryption Standard.
2. (Public) Asymmetric Key Cryptographic Systems: Two keys work together as a pair, using
different keys for encryption and decryption; one of the keys is kept private while the
other one is publicly disclosed.
Examples: RSA (1024- to 4096-bit keys), DH (2048-bit keys)
– RSA algorithm: Rivest Shamir Adleman
– DH algorithm: Diffie Hellman

Other advanced processes include:


Digital Signature: A digital signature is an electronic identification of a person or entity created
by using a public (asymmetric) key algorithm. In this process a cryptographic hashing algorithm
is computed against the entire message or electronic document, which generates a small
fixed-length string (the message digest), usually about 128 bits in length. This process is also
referred to as the digital certificate algorithm.
Public Key Infrastructure (PKI): It is a framework of hardware, software, policies, and procedures
used to create, manage, distribute, use, store, and revoke digital certificates and public-private
key pairs. PKI enables secure communication and authentication over insecure networks like
the internet.
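The hash-then-sign process described under Digital Signature, worked through end to end: a fixed-length hash of the whole document is signed with the private key and checked with the public key. This is an added example, not from the notes; it uses textbook RSA over two fixed, well-known primes as a teaching toy (no padding, short keys), not a production signature scheme.

```python
"""Hash-then-sign digital signature with toy textbook RSA.
Added example: fixed Mersenne primes stand in for generated keys."""
import hashlib

# Constructed key material: 2^127-1 and 2^107-1 are known primes and stand in
# for the large random primes a real key generator would draw.
P = (1 << 127) - 1
Q = (1 << 107) - 1
E = 65537  # common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes) -> int:
    """Fixed-length (256-bit) hash of the whole message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sign the digest, not the message. The digest is reduced modulo n only
    because this toy modulus (~234 bits) is shorter than SHA-256 output;
    real keys are 2048 bits or more and use a padding scheme instead."""
    n, d = private_key
    return pow(digest(message) % n, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recompute the digest from the received message and compare it with
    the value recovered from the signature using the public key."""
    n, e = public_key
    return pow(signature, e, n) == digest(message) % n


def run_demo():
    """Sign a constructed document and show what verification accepts and rejects."""
    public, private = make_keypair()
    document = b"Transfer 100.00 from account A to account B"  # constructed
    signature = sign(document, private)
    return {
        "genuine": verify(document, signature, public),
        # one digit changed in the document: the digest no longer matches
        "altered_document": verify(document.replace(b"100.00", b"900.00"), signature, public),
        # one bit flipped in the signature
        "altered_signature": verify(document, signature ^ 1, public),
        # checked with another party's public key (2^89-1 is also prime)
        "other_party_key": verify(document, signature, make_keypair(q=(1 << 89) - 1)[0]),
    }


if __name__ == "__main__":
    print(run_demo())
```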

Virus/Malware:

Viruses are a variety of malicious, self-replicating computer programs that attach themselves
to legitimate files or programs and spread when the infected file is executed.
They can corrupt or delete files, steal personal information, and cause system instability or
crashes.
Generally, a virus attacks four parts of the computer:
• Data files
• Executable program files (.exe)
• Boot and system areas, which are needed to start the computer (Control Panel)
• The file-directory system, which tracks the location of all the computer's files (File
Manager/My Computer)

There are two major ways to prevent and detect viruses that infect computers and network
systems. The first is having sound policies and procedures in place (preventive controls) and
the second is by technical means (detective controls), including anti-virus software. Neither is
effective without the other.

Management Procedural (Preventive) Controls:


• Install any system from original, clean master copies.
• Allow no media (hard/flash drives) to be used until they have been scanned on a stand-alone
system used only for this purpose.
• Have vendors run demonstrations on their own machines first (to confirm there is no virus).
• Scan new software before installation because commercial software occasionally includes a
Trojan horse (viruses or worms).
• Insist that field technicians scan their disks on a test machine before they use any of their
disks on the system.
• Update virus-scanning software definitions frequently.
• Ensure all servers are equipped with an activated, current release of the virus-detection
software.
• Ensure bridge, router and gateway updates are authentic.
• Enforce a rule of not using freeware or shareware without first scanning it thoroughly for viruses.
• Ensure the network administrator uses workstation and server anti-virus software.

Technical (Detective) Controls:


Technical methods of preventing viruses can be implemented through hardware and software
means. The following are hardware tactics that can reduce the risk of infection:
• Use boot virus protection (i.e., built-in, firmware-based virus protection).
• Use remote booting (e.g., diskless workstations).
• Use a hardware-based password (hardware security).
• Protect removable media against theft and hazards.
• Ensure that insecure protocols are blocked by the firewall from external segments and the
Internet.

Anti-virus software is the most common anti-virus tool and is considered the most effective
means of protecting networks and host-based computer systems against viruses. It is both a
preventive and a detective control. Unless updated periodically, anti-virus software will not be an
effective tool against malware.
There are different types of anti-malware software:
1. Scanner: A scanner is a component of anti-malware software that scans files, programs,
and system memory for known malware signatures or suspicious patterns. It compares
files against a database of known malware signatures to detect and remove malicious
software.
2. Active Monitors: Active monitors, also known as real-time protection or on-access
scanners, continuously monitor system activity and incoming files for signs of malware.
They intercept and scan files in real-time as they are accessed or executed to detect and
block malware before it can infect the system.
3. Integrity CRC Checking: Integrity CRC (Cyclic Redundancy Check) checking is a
technique used to verify the integrity of files and detect tampering or corruption. A CRC
value is calculated for a file, and if the file is modified or corrupted, the CRC value
changes, indicating potential tampering or data corruption.
4. Behavior Blocking: Behavior blocking, also known as behavior-based detection, is a
proactive security technique that monitors the behavior of software and processes on the
computer to detect and block suspicious activities indicative of malware infections. It
analyzes program behavior, such as file modifications, registry changes, and network
activity, to identify and stop malware before it can cause harm.
5. Immunizers: Immunizers, also known as vaccine or protective features, are components
of anti-malware software that proactively protect against known malware threats by
immunizing the system against specific malware strains or vulnerabilities. They prevent
infection by creating a protective shield around the system or files, making them resistant
to known malware attacks.
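Two of the components listed above, a signature scanner (item 1) and integrity CRC checking (item 3), implemented over a handful of files. This is an added example, not from the notes; the files, the "malware" sample and its hash are constructed for the demo and are not real indicators.

```python
"""Signature scanner and CRC32 integrity checker over constructed files.
Added example: the sample file and its hash are made up, not real IoCs."""
import hashlib
import os
import tempfile
import zlib

# Constructed sample standing in for a known malware file; its hash forms the
# one-entry signature database.
CONSTRUCTED_SAMPLE = b"constructed-malware-sample-for-demo-only\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()}


def file_sha256(path):
    """Cryptographic hash of a file, read in chunks so large files work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_crc32(path):
    """CRC32 checksum of a file, computed incrementally."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def scan(paths, known_bad=KNOWN_BAD_SHA256):
    """Signature scanner: return the files whose hash is in the database.
    A file not in the database is reported clean even if it is malicious,
    which is why definitions must be updated frequently."""
    return [p for p in paths if file_sha256(p) in known_bad]


def build_baseline(paths):
    """Integrity checking, step 1: record the CRC32 of each trusted file."""
    return {p: file_crc32(p) for p in paths}


def check_integrity(baseline):
    """Integrity checking, step 2: report files that are missing or whose
    CRC32 no longer matches the baseline (modified or corrupted). CRC32 is a
    checksum against accidental change; a cryptographic hash stored where an
    intruder cannot rewrite it is what is needed against deliberate tampering."""
    return [p for p, crc in baseline.items()
            if not os.path.exists(p) or file_crc32(p) != crc]


def run_demo():
    """Create three constructed files, scan them, baseline the clean ones,
    tamper with one, and return what each component reported (by file name)."""
    with tempfile.TemporaryDirectory() as d:
        contents = {
            "app.exe": b"MZ constructed program bytes",
            "notes.txt": b"quarterly notes\n",
            "dropper.bin": CONSTRUCTED_SAMPLE,
        }
        paths = {}
        for name, data in contents.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(data)
        hits = [os.path.basename(p) for p in scan(paths.values())]
        baseline = build_baseline([paths["app.exe"], paths["notes.txt"]])
        with open(paths["notes.txt"], "ab") as f:  # simulate a later change
            f.write(b"unauthorised change\n")
        changed = [os.path.basename(p) for p in check_integrity(baseline)]
    return {"scan_hits": hits, "changed": changed}


if __name__ == "__main__":
    print(run_demo())
```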

Environmental Exposures:
Environmental exposures are due primarily to naturally occurring events. The result of such
conditions can lead to many types of problems. Generally, power failures can be grouped into
four distinct categories, based on the duration and relative severity of the failure:
• Total failure (blackout)—a complete loss of electrical power, which may span from a single
building to an entire geographical area; it may be caused by bad weather conditions (storm,
earthquake) or by the inability of the electric supply company to deliver power.
• Severely reduced voltage (brownout)—this is also a failure of an electrical utility company to
supply power within an acceptable range (i.e., 200-220 volts). Such failure can damage the
equipment or at least interrupt critical business operations.
• Sags, spikes and surges—temporary and rapid decreases (sags) or increases (spikes and
surges) in voltage levels. They can cause loss of data, network transmission errors or physical
damage to hardware devices.
• Electromagnetic interference (EMI)—caused by electrical storms or noisy electrical equipment
(e.g., motors, fluorescent lighting, and radio transmitters); it may cause computer systems to hang
or crash as well as damage similar to that caused by sags, spikes and surges.

Controls for environmental exposures:


• Alarm Control Panels
• Fireproof Walls, Floors and Ceilings of the Computer Room
• Uninterruptible Power Supply (UPS)/Generator
• Power Leads from Two Substations (Two PMTs)
• Wiring Placed in Electrical Panels and Conduit (fire resistant)
• Water Detectors, in the computer room placed under raised floors and near drain holes.
• Handheld Fire Extinguishers should be in strategic locations throughout the facility.
• Manual Fire Alarms should be placed strategically throughout the facility or located near exit
doors to ensure personal safety.
• Smoke Detectors, installed above and below the ceiling tiles throughout the facilities and
below the raised computer room floor.
• Fire Suppression Systems:
These systems are designed to activate automatically immediately after detection of high heat,
usually generated by fire. The medium for fire suppression varies, but is usually one of the
following:
▪ Water-based systems
▪ Dry-pipe sprinkling systems
▪ Halon systems
▪ FM-200
▪ Argonite®
▪ CO2 systems
• Strategically locating the computer room: to reduce the risk of flooding, it should not be located
in the basement or on the topmost floors.
• Regular Inspection by Fire Department, to ensure that all fire detection systems comply with
building codes.
• Electrical Surge Protectors (stabilizers)—reduce the risk of damage to equipment due to power
spikes.
• Emergency Power-off Switch to immediately shut off power to the computer and peripheral
devices.

Auditing Environmental Controls:


When this facility is outsourced to a third party, a contractual right of
audit may be required.
• Water and Smoke Detectors—visual verification of the presence of water and smoke detectors
in the computer room is needed.
• Handheld fire extinguishers—should be in strategic, highly visible locations throughout the
facility.
• Fire Suppression Systems—are expensive to test and, therefore, the IS auditor's ability to
determine operability is limited. The auditor reviews the documentation and general controls.
• Regular Inspection by Fire Department—ensure and inspect whether or not regular inspection
• Fireproof Walls, Floors and Ceilings of the Computer Room—with the assistance of building
management, verify that walls have at least a two-hour fire resistance rating.
• Electrical Surge Protectors—presence of electrical surge protectors on sensitive and
expensive computer equipment should be visually observed.
• Power Leads from Two Substations—along with assistance of building management,
documentation of placement of redundant power lines into the IPF should be located.
• Wiring Placed in Electrical Panels and Conduit—wiring in the IPF should be placed in
fire-resistant panels and conduit.
• UPS/Generator—most recent test date should be determined and the test reports should be
reviewed.
• Documented and Tested Emergency Evacuation Plans—a copy of the emergency evacuation
plan should be obtained, which should determine whether it describes how to leave the IPFs in
an organized manner that does not leave the facilities physically insecure.
• Humidity/Temperature Control—the IPF should be visited on regular intervals to determine
whether temperature and humidity are adequate.

Physical Access Exposures:


Exposures that exist from accidental or intentional violation of these access paths include:
- Unauthorized entry
- Damage, vandalism or theft to equipment or documents
- Copying or viewing of sensitive or copyrighted information
- Alteration of sensitive equipment and information
- Public disclosure of sensitive information
- Abuse of data processing resources (damaging)
- Blackmail
- Embezzlement (stealing or fraud)
Possible perpetrators include employees with authorized or unauthorized access who are:
- Disgruntled (upset by or concerned about some action by the organization or its management)
- On strike (if their concerns are not considered)
- Threatened by disciplinary action or dismissal
- Addicted to a substance or gambling
- Experiencing financial or emotional problems
- Notified of their termination
Other possible perpetrators could include:
- Former employees
- Interested or informed outsiders such as competitors, thieves, organized crime and hackers
- An accidental or ignorant person (e.g., someone who unknowingly perpetrates a violation)

PHYSICAL ACCESS CONTROLS:


Physical access controls are designed to protect the organization from
unauthorized access, limiting access to only those individuals authorized by management.
• Bolting door locks—require the traditional metal key to gain entry.
• Combination door locks (cipher locks)—use a numeric keypad or dial to gain entry; the
combination should be changed at regular intervals.
• Electronic door locks—use a magnetic or embedded chip-based plastic card key or token
entered into a sensor reader to gain access.
• Biometric door locks—are activated by an individual’s unique body features, such as voice,
retina, fingerprint, hand geometry or signature.
• Manual logging—means all visitors are required to sign a visitor’s log indicating their name,
reason for visiting, person to see and date and time of entry and departure.
• Electronic logging—a feature of electronic and biometric security systems. All access can be
logged, with unsuccessful attempts being highlighted (record of regular visitors).
• Identification badges (photo IDs)—should be worn and displayed by all personnel, can also be
used as electronic card keys.
• Video (CCTV) cameras—should be located at strategic points and monitored by security
guards.
• Security guards—are very useful if supplemented by video cameras and locked doors.
• Controlled visitor access—means all visitors should be escorted by a responsible employee.
• Bonded personnel—all service contract personnel, such as cleaning people and offsite storage
services.
• Dead-man doors—also referred to as a mantrap or airlock entrance; uses two doors. For the
second door to operate, the first entry door

Penetration Testing:
Combinations of procedures whereby an IS auditor uses the same
techniques as a hacker are called penetration tests, intrusion tests or ethical hacking. An IS auditor
or cyber-security expert attempts to find and exploit vulnerabilities in a computer system.
There are several types of penetration tests depending upon the scope, objective and nature of
the test.
Common types are:
• External testing—refers to attacks and attempts on the target’s network perimeter from outside
the target’s system (i.e., usually the Internet),
• Internal testing—refers to attacks and control circumvention attempts on the target from within
the perimeter (within the org from organization's network),
• Blind/Grey box testing—refers to the condition of testing when the penetration tester is provided
with limited or no knowledge of the target's information systems.
• Double blind/Black box testing—refers to an extension of blind testing, where the administrator
and security staff at the target are also not aware of the test.
• Targeted/White box testing—refers to attacks and attempts on the target where both the
target's IT team and the penetration testers are aware of the testing activities, and the testers
are given information about the target and its network design.

CHAPTER 9: SYSTEM CONCEPTS, DIGITAL TRANSACTIONS, FINTECH

Hardware:
Consists of the electronic devices you can see and touch.
The term "device" refers to any piece of hardware used by a computer, such as a keyboard, mouse,
monitor, etc. "Peripheral devices are those which are not directly attached to computers."
Hardware is categorized as:
1. Processor: The processor or CPU consists of one or more chips attached to the motherboard.
Processing is the procedure that transforms raw data into useful information; this function is
divided between the computer's processor and memory.
P-IV = 1.6 to 3.2 GHz
Dual core = (2) processors of 3.2 GHz
Core 2 Duo = 2 cores
Multi core = Core i3, Core i5, Core i7
2. Memory: A set of chips attached to the motherboard to store data temporarily and
permanently, like RAM and ROM.
-RAM is a volatile memory, meaning it holds data only while the power is turned on; when the power is
turned off it loses its contents.
SIMM=Single In-line Memory Module (1MB)
DIMM=Dual In-line Memory Module (4-32MB)
SDRAM=Synchronous dynamic RAM (32-512 MB)
DDR1, DDR2, DDR3, DDR4=Double Data Rate
The smallest usable unit of measurement for memory is the byte; computers work with larger
chunks of data, measured in multiples of bytes:
1024 byte=1 KB
1024 KB=1MB
1024 MB=1GB
1024 GB=1TB
1024 TB=1 PB (petabyte)
-ROM is non-volatile memory; it holds data even when the power is turned off.
BIOS=Basic Input and Output System, ROM, EPROM, EEPROM=Electrically Erasable
Programmable ROM, USB, SD card
3. Input/output Devices: Input devices are those which accept data and instructions from a user
or another computer. Output devices are those which return processed data back to the user
or another computer. Communication devices perform both input and output functions, like ATMs,
mobile phones, etc.
4. Storage Devices: Hold data not currently being used by the CPU; data is commonly stored
on magnetic or optical disks.
Each type of storage device uses a special medium for storing data on its surface.
-Magnetic Storage Devices: A device that reads data from magnetic platters and writes to the disk in
the form of binary numbers with the help of read/write heads positioned over each of them.
E.g. floppy, hard disk, tape drive etc.
-Optical Storage Devices: Optical disks store data as tiny pits burned into the disk and read it back
through a glass-lens sensor. Most common are CD, DVD, and Blu-ray.
-Solid State Drive: SSDs store data permanently inside an integrated circuit, typically using flash
memory. The flash memory inside an SSD means data is written, transferred, and erased
electronically and silently.
Boundary and Interfaces:
A "boundary" refers to the delineation between a system and its
environment. It defines what is included within the system and what lies outside of it. The
boundary helps in understanding and defining the scope of the system, including its inputs,
outputs, and interactions with the external environment.
An "interface" in system concepts refers to the point of interaction or communication between
different components or systems. Interfaces allow for the exchange of data, commands, or
signals between different parts of a system or between separate systems. Interfaces can be
physical, such as connectors or ports, or they can be logical, involving protocols or APIs
(Application Programming Interfaces).

Environment:
The "environment" refers to the external context in which a system operates. The
environment encompasses all the factors, entities, and conditions that can influence or be
influenced by the system.
Internal environmental factors: They originate within the organization, like culture and resources,
religion, and cross-border factors.
External environmental factors: External factors come from outside, such as rules and
regulations from the government.

Control:
The process of regulating or influencing system behavior to achieve desired outcomes.
Control mechanisms monitor system performance, compare it to desired standards or goals,
and make adjustments as necessary.
Types of Controls:
1) Feedback Control: The process of management using historical data to improve present
and future performance.
Steps in feedback control: 1) Monitoring, 2) Comparison, 3) Analysis, 4) Correction
2) Feed forward Control: A proactive approach in which the current situation is analyzed to
predict upcoming problems.
Steps in feed forward control: 1) Anticipation, 2) Planning, 3) Implementation, 4) Monitoring

Synergy:
When two or more departments/organizations collectively make a plan and implement
it for the benefit of both. The benefit of working collectively is greater than that of doing it
individually.

Coupling:
The degree of interdependence between different components or modules within a
system. It measures how closely connected or reliant one part of the system is on another.
There are several types of coupling:
Tight Coupling: In tight coupling, components are highly dependent on each other, meaning
changes to one component often require corresponding changes to others.
Loose Coupling: Loose coupling indicates a lower level of interdependence between
components. Changes to one component have minimal impact on others

Cohesion:
The degree to which the elements within a module or component are related to each
other. It measures how strongly the responsibilities of the elements within a module are related
to each other.
There are several types of cohesion:
1. Functional Cohesion: When components are integrated because they have to work on
one task.
2. Communicational Cohesion: When two or more components interact with each other to
share and store data.
3. Procedural Cohesion: Independent components that are part of a larger process.
4. Temporal Cohesion: When components of a system are related because they work at the same time.
5. Logical Cohesion: When all components are working on similar platforms/dates.

Fintech:
It is the combination of finance and technology: using technology to provide
financial services.
Fintech Infrastructure: Fintech infrastructure is the technological backbone that facilitates the
delivery of financial services through digital channels.
This infrastructure is comprised of various components, including:
1) Payment Systems: These systems enable the transfer of funds between individuals,
businesses, and financial institutions. They include traditional payment networks like
credit/debit card networks, Automated Clearing House (ACH) systems
2) Banking APIs: Application Programming Interfaces (APIs) provided by banks and
financial institutions allow fintech startups to securely access banking data and services.
3) Blockchain Networks: Blockchain technology provides decentralized, transparent, and
secure transaction processing.

4) Data Analytics Platforms: Data analytics tools and platforms enable fintech startups to
analyze vast amounts of financial data to derive insights, identify patterns, and make
data-driven decisions.
5) Cybersecurity Measures: With the increasing digitization of financial services, robust
cybersecurity measures are essential to protect sensitive financial data and prevent
unauthorized access, fraud, and cyberattacks.

Fintech startups: Fintech startups leverage this infrastructure to develop innovative solutions
that address various challenges and inefficiencies in the financial industry. These startups often
focus on disrupting traditional financial services by offering:
1) Digital Banking: Fintech startups develop mobile banking apps, digital-only banks, and
non-banks that provide convenient, user-friendly, and cost-effective alternatives to
traditional brick-and-mortar banks.
2) Payments and Remittances: Startups create peer-to-peer payment apps, mobile wallets,
and cross-border remittance platforms that enable users to send and receive money
quickly and securely.
3) Lending and Credit: Fintech startups offer online lending platforms, peer-to-peer lending
marketplaces, and alternative credit scoring algorithms that streamline the lending
process.
4) Investment and Wealth Management: Startups develop robo-advisors, automated
investment platforms, and social trading networks that use algorithms and artificial
intelligence to provide personalized investment advice, portfolio management, and
trading services at lower fees than traditional financial advisors.
5) Insurtech: Fintech startups in the insurance technology (insurtech) space leverage
technology to digitize insurance processes, offer innovative insurance products, and
improve underwriting, claims processing, and risk management.

Key technological Pillars:

● Blockchain
● Artificial intelligence
● Big Data analysis
● Cloud Computing
● Application Programming Interfaces (APIs)
● Mobile Technology
● Biometrics and Authentication
● Regulatory Technology

Automation and artificial intelligence (AI): Automation and artificial intelligence have proven to
be highly effective in various domains, including finance, healthcare, manufacturing, customer
service, and many others. Some key benefits of automation and AI include:
● Increased Efficiency
● Cost Savings
● Enhanced Accuracy
● Improved Customer Experience
● Innovation and New Opportunities
● Risk Reduction

Big Data:
It refers to large volumes of structured, semi-structured, and unstructured data that are
generated at high velocity and come in a wide variety. These datasets are too complex and massive to
be processed and analyzed using traditional data processing techniques. Big Data typically
exhibits the following characteristics, known as the 3Vs:
Volume: Big Data involves vast amounts of data, often ranging from terabytes to exabytes in
size, generated from various sources such as sensors, social media, transactional systems, and
digital devices.
Velocity: Data is generated and collected at high speeds, requiring real-time or near-real-time
processing and analysis to derive timely insights and actions.
Variety: Big Data encompasses diverse types of data, including structured data (e.g., databases,
spreadsheets), semi-structured data (e.g., XML, JSON), and unstructured data (e.g., text,
images, videos).

Application of Big Data and data analytics in accountancy and audit can significantly improve
effectiveness in several ways:
1) Enhanced Risk Assessment: Big Data analytics enable auditors to analyze large
volumes of financial and non-financial data to identify patterns, anomalies, and potential
risks.
2) Improved Fraud Detection: Big Data analytics can help auditors identify suspicious
transactions, irregular patterns, and potential fraud indicators that may go unnoticed with
traditional audit methods.
3) Real-time Monitoring: Big Data technologies enable real-time monitoring of financial
transactions and business processes, allowing auditors to detect issues and anomalies
as they occur.
4) Predictive Analytics: Big Data analytics can be used for predictive modeling and
forecasting to anticipate future trends, risks, and opportunities.
5) Automation and Efficiency: Big Data technologies automate data collection, processing,
and analysis, reducing manual efforts and improving audit efficiency.

Blockchain:
Design: Blockchain is a decentralized, distributed ledger technology that records
transactions across a network of computers in a secure and immutable manner. Each
transaction is stored in a "block" that is linked to the previous block, forming a chain of blocks.
Uses: Blockchain technology is used in various applications, including cryptocurrency
transactions, supply chain management, voting systems, digital identity verification, smart
contracts, and decentralized finance (DeFi).

Limitations: Some limitations of blockchain include scalability issues, high energy consumption
(in proof-of-work consensus mechanisms), regulatory uncertainties, and potential security
vulnerabilities in smart contracts.

Cryptocurrencies:
Design: Cryptocurrencies are digital or virtual currencies that use
cryptography for secure and decentralized transactions. They are typically based on blockchain
technology and operate independently of central banks or governments.
Uses: Cryptocurrencies are used for various purposes, including peer-to-peer transactions,
remittances, online purchases, investment and speculation, fundraising.
Limitations: Some limitations of cryptocurrencies include price volatility, lack of regulation and
consumer protection, potential for fraud and scams, scalability challenges.

Crowdfunding:
Design: Crowdfunding is a method of raising funds from a large number of
people (the "crowd") through online platforms. It typically involves soliciting small contributions
from a large number of individuals to finance a project, business, or cause.
Uses: Crowdfunding is used for various purposes, including startup financing, product
development, creative projects (e.g., films, music albums), charitable donations, and community
initiatives.
Limitations: Some limitations of crowdfunding include regulatory constraints (e.g., limitations on
who can invest, crowdfunding platform requirements), competition for attention and funding,
risks of project failure or fraud.

Other Alternative Finance Technologies:


Design: Other alternative finance technologies include peer-to-peer lending
(P2P lending), equity crowdfunding, decentralized finance (DeFi) platforms, digital wallets,
payment processing solutions, and robo-advisors.
Uses: These technologies offer alternative methods of accessing financing, investing, building
investment portfolios, automating financial management processes and managing financial assets.
Limitations: Limitations vary depending on the specific technology but may include regulatory
challenges, liquidity risks, counterparty risks, platform reliability and security concerns, lack of
investor protection.

Key features of Blockchain:


1. Decentralization: Blockchain operates on a decentralized network of computers (nodes).
2. Immutability: Once data is recorded on the blockchain, it cannot be altered or tampered with.
3. Transparency: Transactions on the blockchain are transparent and visible.
4. Security: Blockchain uses cryptographic techniques to secure transactions and prevent
unauthorized access.
5. Consensus Mechanisms: Blockchain employs consensus mechanisms (e.g.,
proof-of-work, proof-of-stake) to validate and confirm transactions.
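How the block linking in the Design paragraph above produces the Immutability feature: each block stores the hash of the block before it, so editing an old transaction changes that block's hash and breaks every later link, and a proof-of-work (as in the consensus mechanisms listed) makes each re-mined block cost effort. This is an added example, not from the notes; the transactions are constructed and there is no network or coin behind it.

```python
"""Hash-linked chain of blocks with a toy proof-of-work, showing why editing
history is detectable. Added example with constructed transactions."""
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros a block hash must have (toy proof-of-work)


def block_hash(block):
    """SHA-256 over the block's contents, excluding the stored hash itself."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def mine(block):
    """Find a nonce giving a hash with the required leading zeros (in place)."""
    block["nonce"] = 0
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def new_chain():
    """Start a chain with a genesis block that links to nothing."""
    return [mine({"index": 0, "prev_hash": "0" * 64, "transactions": []})]


def add_block(chain, transactions):
    """Append a mined block whose prev_hash is the current tail's hash."""
    chain.append(mine({"index": len(chain), "prev_hash": chain[-1]["hash"],
                       "transactions": transactions}))
    return chain


def validate(chain):
    """Return (True, None) or (False, index of the first bad block). A block is
    bad if its stored hash is wrong, lacks the proof-of-work, or does not
    link to the hash of the block before it."""
    for i, b in enumerate(chain):
        if block_hash(b) != b["hash"] or not b["hash"].startswith("0" * DIFFICULTY):
            return False, i
        if i > 0 and b["prev_hash"] != chain[i - 1]["hash"]:
            return False, i
    return True, None


def run_demo():
    """Build a 3-block chain, edit block 1, then re-mine it, and record what
    validation says at each step."""
    chain = new_chain()
    add_block(chain, [{"from": "alice", "to": "bob", "amount": 5}])    # constructed
    add_block(chain, [{"from": "bob", "to": "carol", "amount": 2}])    # constructed
    before = validate(chain)
    chain[1]["transactions"][0]["amount"] = 500   # edit recorded history
    after_edit = validate(chain)                  # block 1's stored hash no longer matches
    mine(chain[1])                                # re-mining block 1 repairs it ...
    after_remine = validate(chain)                # ... but block 2 still links to the old hash
    return {"before": before, "after_edit": after_edit, "after_remine": after_remine}


if __name__ == "__main__":
    print(run_demo())
```

Every block after the edited one would have to be re-mined as well, which on a real network means out-running every other node's proof-of-work.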

Applications of Blockchain:

1. Cryptocurrencies: Blockchain technology powers cryptocurrencies like Bitcoin and
Ethereum.
2. Smart Contracts: Blockchain-based smart contracts are self-executing contracts with
predefined conditions and automated enforcement.
3. Supply Chain Management: Blockchain can be used to track and trace products
throughout the supply chain, providing transparency, traceability and accountability.
4. Digital Identity Verification: Blockchain enables secure and decentralized digital identity
verification, allowing individuals to control their personal data.
5. Voting Systems: Blockchain-based voting systems provide secure and transparent voting
processes.
6. Financial Services
7. Real Estate

Accounting for cryptocurrencies:


It involves recording, reporting, and analyzing transactions
involving digital assets such as Bitcoin, Ethereum, and other cryptocurrencies. Here's how
accounting principles are applied to cryptocurrencies:
1. Recognition: Cryptocurrencies are recognized as assets on the balance sheet at their
fair market value on the date of acquisition.
2. Valuation: Cryptocurrencies are valued at fair market value, which is typically determined
based on the exchange rate prevailing at the transaction date.
3. Measurement: Transactions involving cryptocurrencies are measured and recorded in
the organization's accounting records. This includes purchases, sales, exchanges, and
transfers of cryptocurrencies.
4. Recording Transactions: When a transaction occurs involving cryptocurrencies, such as
the purchase of goods or services using Bitcoin, the transaction is recorded in the
accounting system.
5. Recognition of Gains and Losses: Gains or losses resulting from changes in the value of
cryptocurrencies are recognized in the income statement.
6. Impairment: If the fair value of a cryptocurrency asset declines below its carrying
amount, an impairment loss is recognized in the income statement.
7. Disclosure: Entities are required to disclose information about their holdings of
cryptocurrencies, including the nature and extent of their exposure to cryptocurrencies.
8. Taxation: Entities should comply with relevant tax regulations and report cryptocurrency
transactions accurately to tax authorities.
