Information Systems
Control & Audit
***
A system can be described by specifying its parts, the way in which they are related and the
goals which they are expected to achieve.
2. Types of System
Abstract Systems, also known as conceptual systems, are an orderly arrangement of interdependent ideas or constructs. They do not display any activity or behavior. They include designs & drawings containing a set of ideas or plans. They are non-working systems, ultimately converted into physical systems.
Open System is a system that interacts freely with the environment by taking input and returning output. Open systems interact with elements that exist and exert influence from outside the system boundary. They are adaptable to change and are costly to develop & maintain. They have a longer life span than closed systems and require more maintenance than closed systems.
Closed System is a system that neither interacts with the environment nor changes when the environment changes. They are not normally developed for business organizations. They are easy to manage & inexpensive to develop and have a shorter life span than open systems.
Organizations are considered to be relatively open systems as they continuously interact
with the external environment, by process or transformation of inputs into useful output.
Relatively Closed Systems are those systems which are relatively isolated from the environment but not completely closed in the physical sense. They have controlled and well-defined inputs and outputs. They minimize unwanted disturbances.
</grreplace>

<gr_replace lines="35-40" cat="clarify" orig="Deterministic System">
Deterministic Systems take past data as input and provide exact output. They operate in a predictable manner and have less chance of error in the outputs. The interaction among parts is known with certainty.
Probabilistic Systems take into account expected data for future transactions and provide expected output. They operate in a probable manner and contain a certain degree of error.
Manual Systems are the systems where data collection, manipulation, maintenance and
final reporting are carried out absolutely by human efforts.
Automated systems are systems where computers are used to carry out all the above
mentioned tasks.
01 INFORMATION SYSTEM CONCEPTS
Clustering is the main method of simplification. It is a collection of sub-systems of similar
nature.
Deterministic System account for past data as input and provide exact output. They
operate in a predictable manner and have less chances of error in the outputs. The
interaction among parts is known with certainty
Probabilistic System take into account expected data for future transactions and provide
expected output. They operate in a probable manner and contain a certain degree of error
exists
4. System Concepts
System Environment is the external world which is outside the system boundary. These
are the components outside the system boundary with which the system interacts. System
can accept inputs from & provide outputs to the environment.
System Boundaries are the features that define and delineate a system. The system is
inside its boundary, while the environment is outside the boundary. Boundary represents
the periphery or limit within which system components work together.
Subsystems are the parts of a system. A complex system is divided into various subsystems which help in easy development & management of the complex system. Subsystems are derived by the process of decomposition. The use of subsystems as building blocks is basic to analysis and development.
- A standard Decoupling mechanism reduces the need for communication and close connection among the databases maintained by the administrator, and allows a database to be used without tedious and time consuming checking with other subsystems. When a system functions independently of other systems, that concept is known as decoupling.
A Supra System refers to the entity formed by a system and other equivalent systems with
which it interacts. The various functional areas (sub-systems) of an organization are
elements in the same supra system of the organization.
Stress is a force transmitted by a system’s supra system, that causes a system to change,
so that the supra system can better achieve its goals.
Systems accommodate the stress through a Change that can be structural change or a
change in the processes.
5. Information is processed data. The data which has some value for its receiver is information.
Information Systems are developed to process the data & provide information which help in
decision-making process.
Attributes of Information:
Types of Information
- Internal Information can be defined as information that has been generated from the operations of the organization at various functional areas. The internal information gets processed and summarized from the junior to the top most level of management.
Implications of Information Systems in business
The grouping or clustering of several functional units on the basis of related activities into a
subsystem is termed as Operational Function. The information requirements of different
operational functions vary not only in content but also in characteristics. The content of the
information depends upon the activities performed under an operational function.
Types of Decisions.
- Non Programmed decisions are those which are made on situations and problems which are novel and non repetitive and about which not much knowledge and information are available. They are made by reference to managerial intelligence, experience, judgment and vision to tackle problems and situations.
- Tactical level decisions are made to implement strategic decisions. A single strategic
decision calls for a series of tactical decisions, which are of a relatively structured
nature. They are specific and functional, made in relatively closed setting, more easily
available and digestible and less surrounded by uncertainty and complexity.
- Operational level is the lowest level in managerial hierarchy wherein the managers
coordinate the work of others, who are not themselves managers.
8. Computer Based Information Systems (CBIS) are complementary networks of hardware /
software that people and organizations use to collect, filter, process, create and distribute data.
Characteristics of CBIS
- All systems work for predetermined objectives and the systems are designed and
developed accordingly.
- A system has a number of interrelated and interdependent subsystems or components.
No subsystem can function in isolation; it depends on other systems for inputs.
- If one subsystem or component of a subsystem fails, in most cases, the whole system
does not work.
- The way a subsystem works with another subsystem is called interaction. Different
subsystems interact with each other to achieve the goal of the system.
- Work done by individual subsystems is integrated to achieve the central goal of the system. The goal of an individual subsystem is of lower priority than the goal of the entire system.
Components of CBIS
- Hardware
- Software
- Data
- Procedures: Policies and rules which govern the functioning of the CBIS
- People
9. Areas of CBIS
The main goal of Finance & Accounting subsystem is to ensure financial viability of the
organization, enforce financial discipline and plan & monitor financial budget.
The objective of Marketing & Sales subsystem is to maximize sales and ensure customer
satisfaction. The marketing system facilitates the chances of order procurement.
The objective of Production & Manufacturing is to optimally deploy men, machine and
material to maximize production or service. The system is used to regulate maximum and
minimum levels of stock and provide important information for production schedules.
Human Resource Management aims to utilize human resource in most effective and
efficient manner by ensuring fewer disputes, right utilization of manpower and quiet
environment in this area.
Technical dimension. Technical characteristics are evaluated in terms of security, access
control & availability to user when required.
Categories
13. Transaction Processing System (TPS) is used to process transactions & provide routine &
regular reports. Business activities involve transactions and these transactions are to be
organized and manipulated to generate various information products for external use. TPS
records and manipulates data into useful information.
TPS is known as the basic information system & it acts as a base for other IS like MIS & EIS. It automates the routine procedures of transaction processing, which helps to provide the required outputs in an efficient manner. TPS is developed using the SDLC methodology & is known as a life-cycle system.
- Revenue
- Expenditure
- Production
- Finance
- Entry of data
- Processing of details
- Search & presentation of data/ information
Features of TPS
14. Management Information System (MIS) is an integrated user machine system designed for
providing information to support operational control, management control and decision making
functions in an organization. It is an extension of TPS.
MIS provides some value-added reports by using operational database of TPS. It provides
reports based on exceptions & mathematical sign principles which help in management
decision making. It is also based on a life cycle system & it is extensively used in various
management functions.
It is designed to provide accurate, relevant and timely information to managers at different
levels and in different functional areas throughout the organization for decision making
purposes.
Components of MIS
- Information could be defined as a set of facts, figures and symbols processed for
current decision making situation.
- System is defined as a set of related components, interacting together so as to
accomplish some common objectives.
Functions of a MIS
Characteristics of a Good MIS
- Management-oriented
- Management-directed
- Need-based
- Exception-based
- Integrated
- Common data flow
- Common database
- Modularity
- Comprehensive
- Capable of updating
- Heavy planning element
- Flexible
Pre-Requisites Of MIS
- Database is a super file which consolidates data records formerly stored in many data
files.
- Qualified system and management staff
- Support of top Management
- Control & maintenance of MIS
Evaluation of MIS
- Examining whether enough flexibility exists in the system to cope with any expected or
unexpected information requirement in the future
- Ascertaining the views of users and designers about the capabilities and deficiencies of
the system
- Guiding the appropriate authority about the steps to be taken to maintain effectiveness
of MIS
- Non availability of experts, who can diagnose the objectives of the organization and
provide a desired direction for installing and operating system
- Experts usually face the problem of selecting the sub system of MIS to be installed and
operated upon
- Due to varied objectives of business, the approach adopted by experts for designing
and implementing MIS is a non standardized one
Limitations of MIS
15. Enterprise Resource Planning System (ERP) is a fully integrated business management system that integrates the core business and management processes to provide an organization with a structured environment in which decisions concerning demand, supply, operations, personnel, finance, logistics etc. are fully supported by accurate and reliable real time information.
Objectives
Myths on ERP
- That ERP is a computer system is a myth. ERP is primarily an enterprise-wide system which encompasses the corporate mission, objectives, attitudes and people who make up the organization
- That ERP is relevant only for manufacturing organizations is a myth
Characteristics of ERP
Features of ERP
Benefits of ERP
Limitations of ERP
- An ERP system provides current status only. Managers need to look beyond current
status to aid better decision making
- The methods used in ERP applications are not integrated with other organizational sub
divisions
16. Management Support Systems (MSS) focus on the managerial uses of information resources
and provide information to managers for planning and decision making. The information
provided by these systems is based on both internal and external data using various data
analysis tools.
Categories
17. Decision Support System (DSS) is a system that provides tools to managers to assist them
in solving semi structured and unstructured problems in their own way. A DSS is not intended
to make decisions for managers, but rather to provide managers with a set of capabilities that
enables them to generate the information required in decision making.
DSS are knowledge-based systems. These systems allow users to apply their own knowledge to the solution of problems by using "what-if analysis".
Systems that replace human decision making rather than supporting it are called
Programmed Decision Systems. Here, the focus is on doing things more efficiently.
- Lack of structure
- High degree of uncertainty
- Future-oriented
- Obtained from informal source & by observing broad trend
Characteristics of DSS
- They support both semi-structured and unstructured decision making. Semi-structured and unstructured decisions are those for which information obtained from a computer system is only a portion of the total knowledge needed to make the decision.
- They are flexible enough to respond to the changing needs of decision makers. Managers usually do not know in advance what information they need, and even if they do, these information needs keep changing constantly.
- They are easy to use. DSS employ tools which are user oriented like grids, graphics, non procedural languages etc., thus making it easy for users to conceptualize and perform the decision making process.
Components of DSS
- Users do not need a computer background to use a DSS for problem solving. The most important knowledge is a thorough understanding of the problem and the factors to be considered in finding a solution.
Managers are users who have basic computer knowledge & want the DSS to be very
user friendly. Analysts are people who are more details oriented and willing to use
complex system in their day to day work.
- DSS include one or more Databases that contain both routine and non routine data from both internal and external sources. This component is used to provide inputs for a DSS problem. DSS users may construct additional databases themselves.
User Database: includes data or inputs collected by the user from various sources.
Corporate Database: includes data values provided by the organization's operational database.
At the Physical Level, involving the implementation of the database on the hard disk.
At the External Level, where the logical level defines a schema which is divided into smaller units known as sub-schemas.
- Planning Languages provide a GUI for structuring problems or creating the model base. They provide various functions & features for efficient solution of problems. There are two types of planning languages:
General Purpose Planning Languages provide general functions & features to solve general purpose semi-structured or ad-hoc problems. They are used for solutions to problems which have low data volumes. These are languages that allow users to perform many routine tasks. These languages enable users to tackle a broad range of budgeting, forecasting and other worksheet oriented programs.
Special Purpose Planning Languages are used for the solution of problems which have large data volumes. They provide special functions & features which help to solve complex functions or procedures. They are more limited in what they can do, but they usually do certain jobs better than GPPL.
- Model Base is the most important component of DSS. It is also known as brain of DSS.
It provides the structure of the problem to be solved by DSS. It performs data
manipulations and computations with the data provided to it by the user and the
database. The analysis provided by the routines in the model base is the key to
supporting user decisions.
- Statistical Software-Process
- Graphical Software-Output
18. Executive Information System (EIS) is a DSS that is designed to meet the special needs of
top level managers. EIS incorporates additional capabilities like email.
An executive can probably be described as a manager at or near the top of the organizational
hierarchy who exerts a strong influence on the course taken by the organization.
Characteristics of EIS
- EIS is a CBIS that serves the information needs of the top executives
- EIS enables users to extract summary data and model complex problems without the
need to learn query languages, statistical formulas or high computing skills
- EIS provide rapid access to timely information and direct access to management reports
- EIS is capable of accessing both internal & external data
- EIS provide extensive online analysis tools
- EIS can easily be given a DSS support for decision making
- Strategic Planning involves determining the general, long range direction of the
organization. Strategic planning addresses the general concerns of the firm.
- Tactical planning refers to how, when, where and what issues involved with carrying out
the strategic plan.
- Major problems arise sometimes that must be resolved by someone at the executive
level. Other possible Fire Fighting activities will call for key alterations in plans.
Executives take decisions that are broad and based on a vision they have, regarding what it
will take to make their company successful. Executives rely much more on their own
intuition rather than on sophisticated analytical skills. The intuitive character of executive
decision making is reflected strongly in types of information found useful to executives.
- Lack of structure
- High degree of uncertainty
- Future oriented
- Informal source
- Low level of detail
Purpose of EIS
Contents of EIS
A practical set of principles to guide the design of measures and indicators to be included in
an EIS is presented below:
- EIS measures must be easy to understand & collect
- EIS measures must be based on a balanced view of the organization’s objectives
- Performance indicators in an EIS must reflect everyone’s contribution in a fair and
consistent manner
- EIS measures must encourage management and staff to share ownership of the
organization’s objectives
- EIS information must be available to everyone in the organization
- EIS measures must evolve to meet the changing needs of the organization
19. Expert System is a highly developed DSS that utilizes knowledge generally possessed by an expert to solve a problem. They are software systems that imitate the reasoning process of human experts and provide decision makers with the type of advice they would normally receive from such experts.
It provides tools, information and methods for decision making in specific areas and systems to
support training in specialized areas. A characteristic of the Expert System is the ability to
declare or explain the reasoning process that was used to make decisions.
- Expert labour is expensive and scarce and companies are faced with shortage of talent
in key positions
- Even knowledgeable people can handle only few factors at a time
Properties potential applications must possess to qualify for Expert System development
- Availability of one or more experts, capable of communicating how they go about solving
the problem to which the Expert System will be applied
- Solution of the problems for which the expert system will be used is a complex task that
requires logical interface planning
- The domain or subject area of the problem is relatively small and limited to a relatively
well defined problem area
- The solution process must be capable enough to cope with ill structured, uncertain,
missing and conflicting data & dynamic problem solving situations
Levels of expertise
- Assistant level
- Peer level
- True expert
- Knowledge Base stores the rules, data and relationships that are used to solve problems and contains specific facts about the expert area. A set of rules must be developed to bridge the knowledge bases and resolve any conflicts. The power of a system tends to be related to the depth and breadth of the knowledge in the knowledge base
- Inference Engine is the main processing element, consisting of the system of programs that request data from the user, manipulate the knowledge base and provide a decision to the user. The inference engine is the active component of an expert system since it steers through the knowledge and progresses the whole interaction. The inference engine chooses rules from the agenda to fire.
A Forward chaining mechanism first examines the knowledge base and the problem at hand, then attempts to discover a solution
In Backward chaining, the inference engine starts with a hypothesis or goal, which it then checks against the facts and rules in the knowledge base
- Knowledge Acquisition Subsystem is the software component of an expert system that
enables the knowledge engineer to build and refine an expert system’s knowledge base
- User Interface is the method by which an expert system interacts with a user and is
highly interactive
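The forward and backward chaining mechanisms described above, as an added Python example that is not part of these notes: a minimal inference engine over a constructed knowledge base (the account-review rules and fact names are hypothetical). Forward chaining starts from the known facts and fires every rule whose premises hold until nothing new can be derived; backward chaining starts from a goal and works back through only the rules that conclude it. Both return a trace, which is the ability to explain the reasoning process that the notes attribute to expert systems.

```python
"""Minimal rule engine showing forward and backward chaining (added example, not from the notes)."""
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

# A rule reads "IF every premise holds THEN the conclusion holds".
Rule = Tuple[FrozenSet[str], str]

# Constructed, hypothetical knowledge base for a small account-review domain.
RULES: List[Rule] = [
    (frozenset({"has_admin_role", "no_mfa"}), "privileged_without_mfa"),
    (frozenset({"privileged_without_mfa"}), "high_risk_account"),
    (frozenset({"inactive_90_days"}), "dormant_account"),
    (frozenset({"dormant_account", "high_risk_account"}), "disable_recommended"),
]


def forward_chain(facts: Iterable[str], rules: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Data-driven chaining: start from the known facts, fire every rule whose premises
    are all known, and repeat until no rule adds anything new.
    Returns (all derivable facts, conclusions in firing order)."""
    known: Set[str] = set(facts)
    fired: List[str] = []
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            if conclusion not in known and premises <= known:
                known.add(conclusion)
                fired.append(conclusion)
                changed = True
    return known, fired


def backward_chain(goal: str, facts: Set[str], rules: List[Rule],
                   trace: Optional[List[str]] = None,
                   visiting: Optional[Set[str]] = None) -> Tuple[bool, List[str]]:
    """Goal-driven chaining: start from a hypothesis, find the rules that conclude it and
    recursively try to establish each premise. Only rules relevant to the goal are touched.
    Returns (proved?, trace of the reasoning steps)."""
    trace = [] if trace is None else trace
    visiting = set() if visiting is None else visiting
    if goal in facts:
        trace.append(f"fact: {goal}")
        return True, trace
    if goal in visiting:  # guard against cyclic rules
        return False, trace
    visiting.add(goal)
    for premises, conclusion in rules:
        if conclusion != goal:
            continue
        trace.append(f"trying rule for {goal}: needs {sorted(premises)}")
        if all(backward_chain(p, facts, rules, trace, visiting)[0] for p in premises):
            visiting.discard(goal)
            trace.append(f"proved: {goal}")
            return True, trace
    visiting.discard(goal)
    trace.append(f"cannot prove: {goal}")
    return False, trace


if __name__ == "__main__":
    # Constructed facts about one reviewed account.
    facts = {"has_admin_role", "no_mfa", "inactive_90_days"}
    derived, order = forward_chain(facts, RULES)
    print("forward chaining fired:", order)
    ok, why = backward_chain("disable_recommended", facts, RULES)
    print("backward chaining proved goal:", ok)
    for step in why:
        print("  ", step)
```

Forward chaining derives everything the facts support, so on the sample facts it fires all four rules; backward chaining for the goal "dormant_account" never touches the admin-role rules, which is why goal-driven search is preferred when the hypothesis is known in advance.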
20. Office Automation Systems (OAS) are among the newest and most rapidly expanding CBIS.
Different office activities can be broadly grouped into the following types: Document capture,
Document creation, Receipts & Distribution; filing, search, retrieval & follow up; calculations &
recording; utilization of resources
Benefits of OAS
- Text processing systems are the most commonly used components of the OAS. They automate the process of developing documents. They reduce keying effort and minimize the chances of errors in the documents
- Electronic Message Communication Systems offer a lot of economy, not only in terms of reduced time in sending or receiving messages
Electronic mail
Facsimile (Fax)
Voice mail
***
02 SYSTEM DEVELOPMENT LIFE
CYCLE METHODOLOGY
1. System Development is that process which takes place in an organization whenever that
organization wants to convert an old system into a new system or wants to upgrade or change
the existing system. It refers to the process of examining a business situation with the intent of
improving it through better procedures and methods. It has 2 major components, System
Analysis & System Design
System Analysis is the process of gathering & interpreting facts, diagnosing problems and
using the information to recommend improvements to the system
System Design is the process of planning a new business system or one to replace or complement an existing system
3. The System Development Team in the organization is responsible for system development.
The steering committee ensures that ongoing systems development activities are consistently
aimed at satisfying the information requirements of users & managers within the organization.
System Analysts are subsequently assigned to determine user requirements, design the
system and assist in development and implementation activities.
Most Accountants are uniquely qualified to participate in systems development because they may be among the few people in an organization who can combine knowledge of IT, business, accounting, internal control, behavior and communications, to ensure that new systems meet the needs of the user and possess adequate internal controls
The project is divided into a number of identifiable processes and each process has a
starting point and ending point.
Specific reports, called Deliverables, are produced periodically during system development
to make development personnel accountable for faithful execution of system development
tasks.
Users, managers and auditors are required to participate in the project, to provide
approvals, often called Signoffs at pre established management control points. Signoffs
signify approval of the system development process and the system being developed
System must be tested thoroughly prior to implementation to ensure that it meets user’s
needs
A training plan is developed for those who will operate and use the system
A post implementation review of all developed systems must be performed to assess the
effectiveness and efficiency of the new system and of the development process
Project is divided into sequential phases, with some overlap and splash back acceptable between phases
Emphasis is on planning, time schedules, target dates, budgets and implementation of an
entire system at one time
Tight control is maintained over the life of the project through the use of extensive written
documentation and through formal reviews and signoff by the user
Popular and usable approach. Used primarily to develop large & complex IS
All steps of SDLC are followed as it is
Initial traditional approach was based on principle that there will be no error in previous step
of SDLC
Later, the old approach was modified to include feedback to rectify errors in previous
phases
Latest traditional approach has been further modified to simultaneously starting 2 or more
phases to cut time
Also known as WATER FALL APPROACH
7. The goal of the Prototyping approach is to develop a small or pilot version, called a prototype, of part or all of a system. A prototype is a usable system or system component that is built quickly and at a lesser cost, with the intention of modifying or replacing it by a full scale and fully operational system. When a prototype is developed to satisfy all user requirements, either it is refined & turned into the final system or it is scrapped.
Prototyping can be viewed as a series of four steps, wherein implementation & maintenance
phases take place once the prototype model is tested and found to meet user’s requirements.
The steps are:
- Time consuming
- Causes inefficient System Development
- Disappointment to user
- Diffused users
- Level of confidentiality required is high
- Time factor
8. The Increment Model is a method of software development where the model is designed,
implemented and tested incrementally until the product is finished. The product is defined as
finished when it satisfies all of its requirements
9. The Spiral Model is a software development process combining elements of both design and
prototyping in stages, in an effort to combine advantages of Top down and Bottom Up
concepts. It is a system development model (SDM) which combines the features of prototyping
model and the waterfall model and is intended for large, expensive & complicated projects.
A preliminary design is created for the new system. Here, all possible alternatives, that can
help in developing a cost effective project are analyzed and strategies are decided to use
them
A First Prototype of the new system is constructed from the preliminary design
A Second Prototype is then evolved by evaluating the first prototype, defining further
requirements and planning, designing, constructing & testing it
TOP DOWN APPROACH vs. BOTTOM UP APPROACH
- Systems procured first: Top down - those systems which satisfy organization objectives or which help top management in its working; Bottom up - those systems which help operational executives in day to day operations
- Involvement in System Development: Top down - top management is involved; Bottom up - operational executives help
- Extension: Top down - once a system is developed for top management, it is extended to satisfy requirements of operational executives; Bottom up - once a system is developed, it is extended to satisfy requirements of top management
10. In End User Approach, the User specifies requirements from system and accordingly, user
procures or develops system. It is Low cost & easy to use. Disadvantages include the fact that
user cannot specify all requirements and lack of integration among all systems in organization
and lack of complete use of new system
11. SD Approach in Small Organizations is an easy to use and low cost approach. Following are
the steps to be used:
* Users
* Analysts
* Developers
* Computer Aided Software Engineering (CASE) tools
* Previously developed applications
b. These components help to develop applications rapidly by using the following process
Assumptions of RAD
Components of RAD
Limitations of RAD
- RAD can be applied only in the construction of applications that are highly interactive
and have clearly defined user groups
- RAD techniques cannot be used for large & distributed systems
- RAD causes duplication of corporate information and inconsistency in the way that it is
held
- RAD applications tend to be inefficient in their use of IT hardware
- The inherent risk involved in RAD is that system controls might be overlooked or
compromised in the interests of expediency
13. Systematic Approach to system development is suitable to small firms and own work areas. It
consists of the following steps
14. Agile Software movements provide a conceptual framework for undertaking software engineering projects. Agile Methods attempt to minimize risks by developing software in short time boxes called Iterations. Each one is like a miniature software project of its own and includes all of the tasks necessary to release the mini-increment of new functionality.
Characteristics of Agile methodology
Iterative with short cycles, enabling fast verifications and corrections
Time bound iterative cycles
Modularity at development process levels
People oriented
Collaborative and communicative working style
Incremental and convergent approach that minimizes risks and facilitates functional
additions
15. System Development Life Cycle (SDLC) framework provides system designers and developers with a sequence of activities to follow. SDLC is document driven, which means that at crucial stages during the process, documentation is produced. A phase of the SDLC is not complete until the appropriate documentation is produced. These are known as deliverables. A Deliverable may be a substantial written document, a software artifact, a system test plan or an object that has been ordered and delivered.
SDLC emphasizes the parallel nature of some of the activities and presents activities such as
system maintenance as an alternative to a complete redesign of an existing system.
Advantages of SDLC
- The Information Systems Auditor can have clear understanding of the various phases in
the SDLC on the basis of detailed documentation created
- The Information Systems Auditor on the basis of examination, can state in his report
about the compliance by the Information System management of procedures set, if any
- The Information Systems Auditor, if technically qualified, can be a guide during the
various phases of SDLC
- The Information Systems Auditor can provide an evaluation of the methods and
techniques used through the various development phases of SDLC
SDLC can be thought as a set of activities that analysts, designers and users carry out to
develop and implement an Information System.
a. Preliminary Investigation involves determining and evaluating the strategic benefits of the
system and ensuring that solution fits the business strategy. It also includes cost benefit
analysis of the proposed system
b. Systems Requirement Analysis analyses the type of the system on the basis of the user
requirements
c. Systems Design involves designing in terms of user interface, data storage and data
processing functions on the basis of the requirement phase by developing the system
flowcharts, system and data flow diagram, screens and reports
e. System Testing involves conducting various kinds of tests before the developed system is
implemented
f. System Implementation means final testing and quality of controls audit, acceptance by
management and users before migration of the system to the live environment and data
conversion from legacy system to the new system
g. Post Implementation Review and Maintenance involves continuous evaluation of the
system as it functions in the live environment, and its updating.
Objective is to determine and analyze the strategic benefits in implementing the system
through evaluation & quantification of related factors.
Steps in Preliminary Investigation
- Identification of purpose
- Identification of objectives
- Delineation of scope
- Feasibility Study
Identification of Problem is to define the problem clearly and precisely; this is done only
after several rounds of discussions with the user group. The purpose of preliminary
investigation is to evaluate the project request. It is neither a designed study nor does it
include the collection of details to completely describe the business system. It relates to the
collection of information that permits committee members to evaluate the merits of the project
request and make an informed judgment about the feasibility of the project.
After the identification of the problem, it is easy to work out the Objectives of the proposed
solution. The analyst working on the preliminary investigation should accomplish the
following objectives:
Delineation of Scope. The scope of a solution defines its boundaries. It should be clear &
comprehensible to the user and management, stating what will be addressed by the solution
and what will not. The following questions should be answered while stating the scope:
- Functionality requirement
- Data to be processed
- Control requirements
- Performance requirements
- Constraints
- Interfaces
- Reliability requirements
Feasibility Study refers to a process of evaluating alternative systems through cost benefit
analysis so that the most feasible and desirable system can be selected for development.
Project feasibility is the likelihood that these systems will be useful for the firm. System
analysts conduct a feasibility study to see whether the systems developed serve these
purposes.
Costs fall into three groups:
- Development costs: the costs of the development process and other start-up costs
- Operating costs: hardware, software rental, maintenance of assets etc.
- Intangible costs: costs that cannot be easily measured; they are difficult to quantify but are related to the system
18. SYSTEM REQUIREMENT ANALYSIS
The objective is to gain a thorough and detailed understanding of the current system, identify
the areas that need modification to solve the problem, determine the user requirements and
obtain a fair idea of the various system development tools.
Fact Finding Techniques. Every system is built to meet some set of needs. To assess
these needs, the analysts often interact extensively with the people who will benefit
from the system, in order to determine their requirements.
- Documents
- Questionnaires
- Interviews
- Observations
Analysis of the Present System involves collecting, organizing and evaluating facts about
the system and the environment in which it operates. There should be enough information
assembled so that a qualified person can understand the present system without visiting
any operating departments. The following areas should be studied in depth:
- Review historical aspects
- Analyze inputs
- Review data files maintained
- Review methods, procedures and data communications
- Analyze outputs
- Review internal controls
- Model the existing physical system and logical systems
- Undertake overall analysis of the present system
- Outputs Produced, with great emphasis on timely managerial reports that utilize the
“management by exception” principle
- Database maintained with great accent on online processing capabilities
- Input data
- Methods & procedures
- Work volumes and timings, carefully considered for present and future periods, including
peak periods
The future workload of the system must be defined for inputs, database and output in terms
of average and peak loads, cycles & trend
a) Conceptualize, clarify, document and communicate the activities and resources involved
in the organization and Information System
b) Analyze present business operations, management decision making and information
processing activities of the organization
c) Propose and design new or improved Information Systems to solve business problems
or pursue identified business opportunities
System components and flows help the system analysts to document the data flow
among the major resources and activities of an Information System.
User interface. Designing the interface between end users and the computer system is a
major consideration of a system analyst while designing the new system.
Data attributes and relationships. The data resources in Information System are defined,
catalogued and designed by this category of tools.
¤ Data Dictionary catalogs the description of the attributes of all data elements and their
relationships to each other as well as to external systems
¤ Entity relationship diagrams are used to document the number and type of relationship
among the entities in the system
¤ File layout forms document the type, size and names of the data elements in the system
¤ Grid charts help in identifying the use of each type of data element in input / output or
storage media of a system
Detailed systems processes are used to help the programmer develop the detailed
procedures and processes required in the design of a computer program.
Structured English also known as Program Design Language or Pseudo Code is the use
of English language with the syntax of structured programming. It aims at getting
benefits of both the programming logic and natural language. Program logic helps attain
precision and natural language helps in getting the convenience of spoken language. It
consists of the following elements:
Flowchart is a graphic technique that can be used by analysts to represent the inputs,
outputs and processes in a pictorial form. The categories include Document Flowchart,
Data Flowchart, System Flowchart and Program Flowchart
Data flow diagrams use few simple symbols to illustrate the flow of data among external
entities, processing activities and data storage elements. A DFD is composed of four
basic elements
People and organizations that send to and receive data from the system are
represented by square boxes called Data Sources & Destinations
Data Flow represents the flow of data into or out of a process by lines with arrows
The processes that transform data from inputs to outputs are represented by circles
and are known as Transformation Processes
Data Stores handle storage of the data and are represented by two horizontal lines
Decision tree is a support tool that uses a tree like graph or model of decisions and their
possible consequences, including chance event outcomes, resource costs and utility.
Decision table is a table which may accompany a flowchart, defining the possible
contingencies that may be considered with the program and the appropriate course of
action for each contingency. The parts of a decision table are as follows:
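An added example, not from the original notes, of a decision table held in code: each rule pairs one entry per condition ('Y', 'N' or '-' for "does not matter") with an action, and a check enumerates every contingency to find combinations no rule covers or that two rules resolve differently, which is exactly what an auditor wants settled before the table becomes a program specification. The invoice-authorization conditions and rules are constructed for illustration.

```python
"""Decision table evaluator with a completeness and ambiguity check.
Constructed example: the invoice-authorization table below is made up
for illustration and is not from the original notes."""
from itertools import product
from typing import Dict, List, Sequence, Tuple

# A rule pairs one condition entry per condition ('Y', 'N' or '-' for
# "does not matter") with the action to take when the entries match.
Rule = Tuple[Tuple[str, ...], str]


class DecisionTable:
    def __init__(self, conditions: Sequence[str], rules: Sequence[Rule]):
        self.conditions = list(conditions)
        for entries, _ in rules:
            if len(entries) != len(self.conditions):
                raise ValueError("each rule needs one entry per condition")
        self.rules = list(rules)

    @staticmethod
    def _matches(entries: Tuple[str, ...], facts: Tuple[str, ...]) -> bool:
        return all(e == "-" or e == f for e, f in zip(entries, facts))

    def decide(self, facts: Tuple[str, ...]) -> List[str]:
        """Return every action whose rule matches the observed Y/N facts.
        A well-formed table yields exactly one action; zero or several
        indicate an incomplete or ambiguous table."""
        return [action for entries, action in self.rules
                if self._matches(entries, facts)]

    def check(self) -> Dict[str, List[Tuple[str, ...]]]:
        """Enumerate all condition combinations and report the ones no rule
        covers (missing) and the ones that two rules with different actions
        cover (conflict)."""
        missing, conflict = [], []
        for facts in product("YN", repeat=len(self.conditions)):
            actions = set(self.decide(facts))
            if not actions:
                missing.append(facts)
            elif len(actions) > 1:
                conflict.append(facts)
        return {"missing": missing, "conflict": conflict}


CONDITIONS = ["Duplicate invoice detected?",
              "Vendor on approved list?",
              "Amount within approver's limit?"]

# Complete table: every combination of the three conditions is covered once.
COMPLETE_RULES: List[Rule] = [
    (("Y", "-", "-"), "Reject and log exception"),
    (("N", "N", "-"), "Hold pending vendor approval"),
    (("N", "Y", "Y"), "Approve for payment"),
    (("N", "Y", "N"), "Route to senior approver"),
]

# Flawed draft of the same table: the over-limit case is missing and two
# rules give different actions for an in-limit invoice from an approved vendor.
FLAWED_RULES: List[Rule] = [
    (("Y", "-", "-"), "Reject and log exception"),
    (("N", "N", "-"), "Hold pending vendor approval"),
    (("N", "Y", "Y"), "Approve for payment"),
    (("N", "Y", "Y"), "Route to senior approver"),
]


def complete_table() -> DecisionTable:
    return DecisionTable(CONDITIONS, COMPLETE_RULES)


def flawed_table() -> DecisionTable:
    return DecisionTable(CONDITIONS, FLAWED_RULES)


if __name__ == "__main__":
    table = complete_table()
    print(table.decide(("N", "Y", "N")))   # ['Route to senior approver']
    print(table.check())                   # {'missing': [], 'conflict': []}
    print(flawed_table().check())          # one missing, one conflicting combination
```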
CASE tools refer to the automation of anything that humans do to develop systems and
support virtually all phases of traditional system development process. An ideal CASE
system would have an integrated set of tools and features to perform all aspects in the
life cycle.
Data dictionary is a computer file that contains descriptive information about the data
items in the files of a business Information System. A data dictionary is a computer file
about data.
Accountants and auditors can also make good use of a data dictionary. A data dictionary
can help establish an audit trail because it can identify the input sources of data items,
the computer programs that modify particular data items and the managerial reports on
which the data items are output. When an accountant is participating in the design of
a new system, a data dictionary can also be used to plan the flow of transaction data
through the system.
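An added example, not from the original notes, of a data dictionary kept in code so that the audit-trail use described above can be exercised: each item records its input sources, the programs that modify it and the reports that output it, and a review function lists items changed by a program outside the approved inventory, items never shown on any report, and items of unknown origin. The data items, program names and report names are constructed and belong to no real system.

```python
"""Data dictionary used as an audit-trail aid: each data item records where
it enters the system, which programs modify it and which reports output it.
Constructed example: the items, programs and reports are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DataItem:
    name: str
    data_type: str
    size: int
    input_sources: List[str] = field(default_factory=list)   # where the value is keyed or loaded
    modified_by: List[str] = field(default_factory=list)     # programs that may change it
    output_reports: List[str] = field(default_factory=list)  # managerial reports that show it


class DataDictionary:
    def __init__(self) -> None:
        self.items: Dict[str, DataItem] = {}

    def add(self, item: DataItem) -> None:
        if item.name in self.items:
            raise ValueError(f"duplicate data item {item.name}")
        self.items[item.name] = item

    def audit_trail(self, name: str) -> Dict[str, List[str]]:
        """Trace one data item from its input sources, through the programs
        that update it, to the reports on which it is output."""
        item = self.items[name]
        return {"input_sources": list(item.input_sources),
                "modified_by": list(item.modified_by),
                "output_reports": list(item.output_reports)}

    def items_modified_by(self, program: str) -> Set[str]:
        """Reverse lookup an auditor needs: which data items can this program change?"""
        return {n for n, it in self.items.items() if program in it.modified_by}

    def trail_gaps(self, approved_programs: Set[str]) -> Dict[str, List[str]]:
        """Control weaknesses visible from the dictionary alone:
        - items changed by a program that is not in the approved inventory;
        - items never output on any report, so changes escape management review;
        - items with neither an input source nor a modifying program (unknown origin)."""
        unapproved, unreported, unknown_origin = [], [], []
        for name, it in self.items.items():
            if set(it.modified_by) - approved_programs:
                unapproved.append(name)
            if not it.output_reports:
                unreported.append(name)
            if not it.input_sources and not it.modified_by:
                unknown_origin.append(name)
        return {"unapproved_modifier": unapproved,
                "never_reported": unreported,
                "unknown_origin": unknown_origin}


def build_sample_dictionary() -> DataDictionary:
    dd = DataDictionary()
    dd.add(DataItem("INVOICE_AMT", "decimal", 12,
                    ["Sales order entry screen"], ["BILLING01"], ["Daily sales report"]))
    dd.add(DataItem("PAYMENT_AMT", "decimal", 12,
                    ["Cash receipts batch"], ["CASHRCPT01"], ["Cash receipts journal"]))
    # Derived item: never keyed in directly, updated only by programs.
    dd.add(DataItem("CUST_BALANCE", "decimal", 14,
                    [], ["BILLING01", "CASHRCPT01", "ADJUST99"],
                    ["Aged debtors report", "Exception report"]))
    # Maintained but never reported: changes are invisible to management.
    dd.add(DataItem("CREDIT_LIMIT", "decimal", 12,
                    ["Customer maintenance screen"], ["CUSTMAINT01"], []))
    dd.add(DataItem("LEGACY_CODE", "char", 4))  # carried over, origin undocumented
    return dd


# Constructed program inventory; ADJUST99 is deliberately absent from it.
APPROVED_PROGRAMS = {"BILLING01", "CASHRCPT01", "CUSTMAINT01"}

if __name__ == "__main__":
    dd = build_sample_dictionary()
    print(dd.audit_trail("CUST_BALANCE"))
    print(dd.items_modified_by("BILLING01"))   # {'INVOICE_AMT', 'CUST_BALANCE'}
    print(dd.trail_gaps(APPROVED_PROGRAMS))
```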
Layout form and Screen Generator are used, for printed reports, to format or paint the
desired layouts and content without having to enter complex formatting information.
Menu generator outlines the functions which the system is aimed to accomplish. Report
Generator has the capacity of performing similar functions as found in screen
generators. Code generator allows the analyst to generate modular units of source code
from the high level specifications provided by the system analyst and plays a significant
role in the system development process.
SRS review reflects the development team's understanding of the existing processes.
2) Project manager is normally responsible for delivery of the project within time and budget
and periodically reviews the progress of the project
3) Project leader is dedicated to a project and has to ensure its completion and fulfillment of
its objectives
4) Systems / Business analysts' main responsibility is to conduct interviews with the users
and understand their requirements; they play a vital role in the requirements analysis and
design phases
5) A project is divided into several manageable modules, and the development responsibility
for each module is assigned to Module / Team leaders. They are responsible for the
delivery of tested modules within stipulated time and cost.
6) Programmer / Coder / Developer is an individual who converts designs into programs by
coding using the programming language and tests the program for debugging
7) Database Administrator is a specialist who maintains the data in a database environment.
He handles multiple projects, ensures the integrity and security of the information stored
and helps the application development team in database performance issues.
8) Quality assurance team sets the standards for development and checks compliance with
these standards by project teams on a periodic basis.
9) Tester is a junior level quality assurance personnel attached to a project who tests
programs and subprograms as per the plan given by module leaders and prepare test
reports
10) Domain specialist helps the project team to develop new applications in a field that is new
to them. He need not have the knowledge of software system.
11) Information Systems Auditor ensures that the application development also focuses on
the control perspective. He is involved in the design phase as well as the testing phase to
ensure existence and operations of the controls in the new software.
This phase describes the parts of the system and their interactions, sets out how the
system shall be implemented using the chosen hardware, software and network facilities,
specifies the program and database specifications and the security plan, and further specifies
the change control mechanism to prevent uncontrolled entry of new requirements.
Objective is to design an Information System that best satisfies the user’s requirements.
Activities include describing inputs and outputs; determining the processing steps and
computation rules for the new solution; determining database system design; preparing
program specifications and internal & external controls.
System design involves first Logical Design and then Physical Construction of a system.
The Logical Design of an Information System is like an engineering blueprint; it shows
major features of the system and how they are related to one another. Physical construction
produces the program software, files and a working system.
- Architectural design;
- Design of data / information flow;
- Design of database;
- Design of user interface;
- Physical design; and
- Design and acquisition of the hardware / software system platform
In Designing the data / information flow for the proposed system, the inputs that are
required are – existing data / information flow, problems with the present system and
objective of the new system.
Design of database involves determining its scope ranging from local to global structures.
The scope is decided on the basis of interdependence among organizational units. The
design of database involves four major activities. They are:
Conceptual modeling describes the application domain via objects, the attributes of these
objects, the static and dynamic constraints on these objects and their relationships
Conceptual models need to be translated into Data models so that they can be
accessed and manipulated by both high level and low level programming languages
Storage structure design. Decisions must be made on how to classify and partition the
data structure so that it can be stored on some device.
Physical layout design. Decisions must be made on how to distribute the storage
structure across specific storage media and locations.
Design of user interfaces involves determining the ways in which users will interact with
the system. Designing computer output should proceed in an organized, well thought
out manner. The right output must be developed while ensuring that each output element is
designed so that users will find the system easy to use.
Input design objectives consist of developing specifications and procedures for data
preparation, developing steps which are necessary to put transactions data into usable form
for processing and data entry.
Output design objectives include conveying information about past activities & current
status or projections of the future; signal important events, opportunities, problems or
warnings; trigger an action and confirmation of an action.
Important factors in Input / Output Design
Content refers to the actual pieces of data to be gathered to produce the required output
to be provided to users
Timeliness refers to when users need outputs, which may be on a regular periodic basis
Input Format refers to the manner in which data are physically arranged and Output
Format refers to the arrangement referring to data output on a printed report or screen
Input – Output Media / Medium refers to the physical device used for input & storage of
output
Form refers to the way the information is entered in the input form and the content is
presented to users in various output forms
Input / Output Volume refers to the amount of data that has been entered in the
computer system or the amount of data output required at any one time
For the Physical Design, the logical design is transformed into units, which in turn can be
decomposed further into implementation units such as programs and modules. During
physical design, the primary concern of the auditor is effectiveness and efficiency issues.
The auditor should seek evidence that designers follow some type of structured approach
to assess their relative performance via simulations when they undertake practical design.
Design Principles:
- Design two or three alternatives and choose the best one on pre-specified criteria
- Design should be based on analysis
- Software functions designed should be directly relevant to business activities.
- Design should follow standards laid down
- Design should be modular
A Module is a manageable unit containing data and instructions to perform a well defined
task. Interaction among modules is based on well defined interfaces. Modularity is
measured by two parameters. Cohesion – the manner in which elements within a module
are linked, and Coupling – the measure of interconnection between modules. In good
modular design, cohesion will be high and coupling low
The new Hardware / System Software Platform required to support the application
system will then have to be designed. Auditors should be concerned about the extent to
which modularity and generality are preserved in the design of the hardware / system
software platform.
22. SYSTEM ACQUISITION
Acquiring hardware and software is critical to the success of the system development
project.
- In case of Hardware Acquisition, the management can rely on time tested selection
techniques. The management depends upon the vendor for support services, education
& training etc.
- Contracts between an organization and a vendor should clearly describe the rights and
responsibilities of the parties to the contract. The use of unlicensed software or violation of
a licensing agreement exposes the organization to possible litigation.
- Evaluating the vendors' proposals is necessitated by the fact that each vendor offers a
different configuration. The following factors should be considered for a rigorous
evaluation:
- Rapid implementation
- Low risk
- Reliable quality
- Low cost
23. DEVELOPMENT: PROGRAMMING TECHNIQUES AND LANGUAGES
- Reliability refers to the consistency maintained by the program over a period of time
- Robustness refers to the process of taking into account all possible inputs and outputs
of a program
- Efficiency refers to performance, which should not be unduly affected by an increase in
inputs
- High level languages: general purpose programming languages like COBOL and C
- Object oriented languages like C++, Java
- Scripting languages like JAVA script, VB script
- Decision support or expert system languages like PROLOG
Program debugging is the most primitive form of testing activity which refers to correcting
programming language syntax and diagnostic errors so that the program compiles cleanly.
Debugging consists of the following four steps:
- Inputting the source program to the compiler;
- Letting the compiler find errors in the program;
- Correcting the lines of code that are erroneous; and
- Resubmitting the corrected source program as input to the compiler
Testing the program should include the testing of all possible exceptions. A log of test
results and all conditions successfully tested should be kept.
Program documentation should be carefully reviewed to ensure that the software and the
system behave as the documentation indicates. It should also be reviewed for
understandability.
Testing is a process used to identify the correctness, completeness and quality of developed
computer software. Testing should systematically uncover different classes of errors in a
minimum amount of time and with a minimum amount of effort. Testing also enables the user to
judge the reliability and quality of the software developed.
The process of ensuring that the Information System is operational and then allowing the users
to take over its operation for use and evaluation is called System Implementation. It includes all
those activities that take place to convert from the old system into the new system.
‡ Site preparation involves setting up the requisite infrastructure at a predetermined
location
‡ Installation of hardware & software
‡ Equipment check-out means that the equipment must be turned on for testing under
normal operating conditions.
‡ Pilot implementation ensures that the new system replaces the old system in one
operation but only on a small scale.
‡ File conversion should be started long before programming and testing are
completed because of its large volume. File conversion must be thoroughly tested in
order to ensure accurate conversion.
‡ System conversion is the conversion of daily processing routines from the old to the
new system. All transactions initiated after this time are processed on the new
system.
‡ Scheduling personnel and equipment of a new system for the first time is a difficult
task for the system manager. Schedules should be set up by the system manager of
operational units serviced by the equipment.
26. POST IMPLEMENTATION REVIEW AND SYSTEM MAINTENANCE
A Post Implementation Review (PIR) answers the question "Did we achieve what we
set out to do in business terms?" PIR ascertains the degree of success of the project, the
extent to which it met its objectives and addressed the specific requirements as planned.
It should be scheduled some time after the solution has been deployed. The Information System
is evaluated on two dimensions: whether the newly developed system is operating
properly, and whether the user is satisfied with the Information System with regard to the reports
supplied by it.
Evaluation of systems
‡ Development evaluation is primarily concerned with whether the system was developed
on schedule and within budget.
‡ Operation evaluation pertains to whether the hardware, software and personnel are
capable of performing their duties. It is relatively straight forward if evaluation criteria are
established in advance
‡ Corrective maintenance deals with fixing bugs in the code or defects found.
Line Management Structure: The Information System management sub systems in the
organization attempt to ensure that the development, implementation, operation and
maintenance of information system proceed in a planned and controlled manner. Levels in
line management structure include
¤ Top management must ensure that the data processing installation is well
managed and is primarily responsible for the long run policies that affect the future of the
computers in the organization
¤ Information System management has overall responsibility for planning and control of all
computer activities and also provides inputs to top management's long run policy
decision making
¤ Data administration is responsible for the control and use of an organization’s data
including the database and library applications of the system.
¤ Security administration is responsible for the physical security of the data processing
and Information System programs
¤ Operations management controls the day to day operations of the data processing
systems.
¤ Quality assurance management undertakes an in-depth quality assurance review of
data processing in each application system. The review involves a detailed check of the
authenticity, accuracy and completeness of input, processing and output.
Project Management Structure: Project requests are submitted to and prioritized by the
steering committee. The project manager should be given complete control of the project
and be allocated the resources for successful completion of the project.
Information processing is primarily concerned with the operation aspect of the information
processing environment and includes computer operations and related functions
Data entry supervisor is responsible for ensuring that the data is authorized,
accurate and complete when entered into the system.
File librarian is responsible for recording, issuing, receiving and safeguarding all
programs and data files that are maintained on the database
Control group manages the flow of data and is responsible for the collection, conversion
and control of input, and balancing the distribution of output to the user community
Operations management is responsible for the daily running of hardware and software
facilities so that the production application system can accomplish their work and the
development staff can design, implement and maintain the systems
Physical security ensures a reliable and complete protection from possible attacks to the
database and storage devices
Production work flow control in an Information System is the responsibility of the control
section. It manages the flow of data between users and the Information System and
between data preparation and the computer room
Quality assurance group is responsible for testing and verifying whether the program
changes and documentation adhere to standards and naming conventions before the
programs are moved into production
System analysts are responsible for interpreting the needs of the user, determining the
programs and programmers necessary to create a particular application.
Applications programmers are responsible for developing new systems and for
monitoring systems in production
Systems programmers are responsible for maintaining the systems software including
the operating systems
Local area network (LAN) administrator is responsible for technical and administrative
control over the LAN
Help desk administrator is responsible for monitoring, improving and controlling system
performance in mainframe, server hardware and software.
***
03 CONTROL OBJECTIVES
1. Definitions
Control
Checks or management tools which are implemented to ensure that process or system
will work as per its intended purpose
Benefits of Control are the difference of expected losses with & without controls. Business
continuity requirements may require that the controls exist even if their cost is more than
expected benefits
Adequate Control means the control which provides reasonable assurance of reliable &
effective working of IS
Data Integrity refers to error-free data at each stage of data processing
Audit Trail is existence of transaction path from beginning to end. Its existence is vital to
financial audits. It is a log that is designed to record user activities on system &
applications.
2. Classification of controls
General Controls: those controls which are applicable to overall system components,
processes & data for a given organization or systems environment. They include data centers &
networking operations, system development & acquisition, system change & maintenance,
access & computer processing.
3. Importance of Control
4. Effects of computers on Internal Audit
Reasons for changes in audit trail in computerized system compared to manual system are:
Personnel
Segregation of duties
Authorization procedures
Record-keeping
Access to assets & controls
Management & supervision & review
System-generated transactions
Systematic errors
5. Responsibilities for implementing controls
The management is responsible for establishing and maintaining controls to achieve the
objectives of effective and efficient operations and reliable information systems. Management
should consistently apply the internal control standards to meet each of the internal control
objectives and to assess the internal control effectiveness.
Management responsibilities for internal controls:
- Developing & implementing appropriate, cost effective internal controls
- Assessing the adequacy of internal controls
- Separately assessing internal controls against the security policy documents / statement
- Regularly reporting on internal controls
- Taking corresponding corrective actions
Long range planning includes documenting goals and objectives, explaining how strengths
will be used and how weaknesses will be compensated for or corrected
The Information System managers must take systematic and proactive measures to
develop and implement appropriate, cost effective internal control for result oriented
management; assess the adequacy of internal control in programs and operations and
separately assess and document internal control over Information System consistent with
information security policy of the organization
Short range planning or tactical planning covers the functions and activities performed every day;
these are established to meet the long term goals
COBIT is the most popular control framework for IS Resources. It provides framework for:
- Management
- Users
- Auditors
COBIT provides a set of generally accepted indicators, processes & best practices to assist
them in maximizing benefits derived through use of IT. It helps in appropriate IT governance
& controls in a company. It provides balance between risk & control investment in the IS
environment.
8. IS Control Techniques
9. Audit Trails are logs that can be designed to record activity at the system, application
& user level. They provide an important detective control to help accomplish security policy
objectives.
Audit trails attempt to ensure that a chronological record of all events that have occurred in
a system is maintained.
There are two types of audit trail:
Accounting audit trail shows the source & nature of data & processes that update the
database
Operations audit trail maintains a record of attempted or actual resource consumption
within a system
Logs also provide valuable evidence for assessing the adequacy of the controls in place &
the need for additional controls
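An added example, not from the original notes, of the two trail types above reviewed from log records: the accounting trail (who updated which record, from which source program) and the operations trail (resource consumption per program), plus the check that the record is chronological, since a break in order is something the reviewer must explain before relying on the trail. The log format and every line are constructed for this example; one line is deliberately out of order.

```python
"""Audit-trail review over constructed log lines.
'ACCT' records form the accounting trail (source and nature of each update
to the database); 'OPS' records form the operations trail (resource
consumption). The format and all lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample. The fourth line is deliberately out of chronological order.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z ACCT user=jsmith src=AP_ENTRY op=UPDATE rec=VENDOR:V1007 field=BANK_ACCT
2024-03-04T09:15:03Z OPS user=jsmith prog=AP_ENTRY cpu_ms=120 io_ops=45
2024-03-04T09:20:11Z ACCT user=rlee src=AP_APPROVE op=UPDATE rec=INVOICE:I5521 field=STATUS
2024-03-04T08:59:59Z ACCT user=ops_batch src=ADJUST99 op=UPDATE rec=VENDOR:V1007 field=BANK_ACCT
2024-03-04T09:25:40Z OPS user=rlee prog=AP_APPROVE cpu_ms=80 io_ops=12
2024-03-04T09:30:00Z OPS user=ops_batch prog=NIGHTLY_POST cpu_ms=5400 io_ops=9800
2024-03-04T09:31:15Z ACCT user=jsmith src=AP_ENTRY op=INSERT rec=INVOICE:I5522 field=*
"""


def parse_trail(text: str) -> List[Dict[str, str]]:
    """Parse 'timestamp TYPE key=value ...' lines into event dicts,
    keeping the line number so findings can be cited."""
    events = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = {"line": str(n), "ts": ts, "kind": kind}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def accounting_trail(events: List[Dict[str, str]], record: str) -> List[Dict[str, str]]:
    """Who changed a given record, from which source program, and how:
    the history followed from a database value back to its transactions."""
    return [e for e in events if e["kind"] == "ACCT" and e.get("rec") == record]


def operations_summary(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Resource consumption per program, totalled from the operations trail."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"cpu_ms": 0, "io_ops": 0})
    for e in events:
        if e["kind"] == "OPS":
            totals[e["prog"]]["cpu_ms"] += int(e["cpu_ms"])
            totals[e["prog"]]["io_ops"] += int(e["io_ops"])
    return dict(totals)


def chronology_breaks(events: List[Dict[str, str]]) -> List[str]:
    """Line numbers whose timestamp precedes the previous entry's. The trail
    should be chronological; a break points to clock drift, re-ordered
    records or tampering and has to be explained before the log is relied on."""
    breaks, prev = [], None
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if prev is not None and ts < prev:
            breaks.append(e["line"])
        prev = ts
    return breaks


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_LOG)
    for e in accounting_trail(evs, "VENDOR:V1007"):
        print(e["ts"], e["user"], e["src"], e["op"], e["field"])
    print(operations_summary(evs))
    print(chronology_breaks(evs))   # ['4']
```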
10. User Information Manuals (UIM) defines responsibilities & actions for:
Input controls (that identify all data entering the processing cycle)
Processing controls (that include edit, error-handling, audit trails, master-file changes)
Output controls (that define how to verify correctness of reports)
Separation of duties between preparing input & balancing output
There are 3 major threats to system development & acquisition. These threats can lead to
huge wastage of money:
- Use project control techniques:
System authorization
User involvements
Technical design
Testing
Internal auditor’s involvement
User acceptance & testing
Response time
Utilization
Stress test
Throughput
Post-implementation review
Once system is developed & ready, User Acceptance Test is carried out. Its aim is to
confirm that:
Acceptance testing is a complete end-to-end test of the operational system, including all
manual procedures, which are carried out in a live environment with adequate time frame.
It includes:
- Performance testing
- Volume testing
- Stress testing
- Security testing
- Procedure testing
- Back-up & recovery
- Parallel operation
Principles relating to Testing Controls:
- Identifying defects
- Designed for demonstration & testing errors
Regression Testing: If a defect is identified & subsequently rectified, the system will need
to be re-tested to ensure that the correction / change has not triggered other unforeseen
problems. This is known as Regression Testing
Audit helps to ensure that the system implementation is complete & users have accepted the new
system for use. The auditor has to ensure & verify that:
PIR must evaluate whether the implemented system has met its:
Following controls should be used for control over system & program changes:
- Change management controls refer to the formal control policies & procedures, which
are used to properly control information changes.
- Authorization controls ensure all information & data used in processing is authorized
by management & representative of events that actually occurred.
- Quality Controls refer to operational techniques & activities that are used to fulfill
requirements for quality & are concerned with confirming that the products are fit for their
intended purpose.
Elements of QC are:
Formal reviews
Walkthrough
Testing
Inspection
1) Top secret
2) Highly confidential
3) Proprietary
4) ‘for internal use’
5) Public documents
Data integrity aims to prevent, detect & correct errors in transactions as they flow through
various stages of data processing. Further, data integrity helps protect data from malicious
or accidental data alteration or destruction & provide assurance about quality & integrity of
information to the users.
Logical access
Physical access
16. Logical Access Controls (LAC) are system-based mechanisms used to designate rights to
have access to specific system resources & the type of transactions & functions that are
permitted.
Objectives:
- Online terminals
- Operation console (directly connected to servers)
- Dial-up ports (providing remote access)
- Telecommunication links (providing LAN & WAN services)
- Batch processing
‡ Data leakage
‡ Wire-tapping
‡ Denial of Service
‡ Piggy Backing (following an authorized person through a secured door)
- Loss of exposures
- Financial loss
- Legal battles
- Loss of credibility
- Industrial espionage
- Leakage of confidential information
- Sabotage
LAC violators:
- Hackers
- IS Personnel
- End users
- Former employees
- Interested or educated outsiders
- Competitors & crackers
- Part-time & temporary personnel
Types of LAC
- Ignorant employees
- Former employees
- Striking employees
- Interested or informed outsiders
Audit of physical access controls:
- Fire damage
- Water damage/ flooding
- Power spike
- Electrical shock
- Natural disasters
- Equipment failure
- AC failure
- Bomb threat/ attack
- Cryptosystems
- Data Encryption Standards
- Private Key Encryptions
- Public Key Infrastructure
- Firewalls
20. Cryptosystems refer to a set of algorithms used for encryption & decryption of data. It consists
of 3 algorithms:
21. Data Encryption Standard is a mathematical algorithm for encrypting & decrypting
information. The encrypting process converts data into an unintelligible form & the decrypting
process converts it back into its original form (called Plain Text).
Data encryption is mainly used as a control for the safety of data transmitted over a
communication channel.
22. Private Key Encryptions: in this, both sender & receiver use the same key for encryption &
decryption.
23. Public key infrastructure: normally considered a better method of data encryption. Here, a
key pair (private key & public key) is used for data encryption & decryption.
24. Firewall
A computerized system installed between an organization’s private network & a public network
to protect against unauthorized access.
Like an insulator, it insulates the organization’s private network from invaders coming from
the public network.
Acts as a security barrier between private & public networks & checks data packets for
authentication & authorization.
Network level or Packet Filtering Firewalls check the source address of incoming data
packets to find out whether they are authorized to enter the private network. They maintain a
list of authorized sources.
Proxy Server Firewalls divert spam/ junk-type malicious content to a separate location.
Application Level Firewalls provide a higher level of network security. They are very complex &
expensive.
25. Virtual Private Network (VPN) is a collection of technologies that creates a secured
connection over regular internet lines that can be easily used by employees & trusted
customers from anywhere.
Key advantages of VPN are:
Universal connectivity
Security
Low cost
26. Data Privacy refers to the relationship between technology, legal rights & the public
expectation of privacy of data. The most common sources of data that are affected by data
privacy issues are:
Health information
Financial information
Genetic information
Location information
The challenge in data privacy is to share data while protecting personally identifiable
information.
Technologies addressing privacy protection issues fall into 2 categories:
Communication
Enforcement
28. Hacking is an act of penetrating computer systems to gain access to communication channels
for theft & manipulation of data. There are many ways to hack a system. Some are as follows:
‡ NetBIOS
‡ Internet Control Message Protocol ‘Ping’
‡ File Transfer Protocol
‡ RPC Standard
‡ Hyper-text Transfer Protocol
The audit of an Information System environment to evaluate the systems, practices and
operations may include one or both of the following:
Assessment of internal control within the Information System environment to assure the
validity, reliability and security of information
The Information System audit process is to evaluate the adequacy of internal controls with
regard to both specific computer programs and the data processing environment as a whole.
30. The set of skills that is generally expected of an Information Systems Auditor include:
31. The information technology auditor is the translator of business risk, as it relates to the
use of information technology, to management: someone who can check the technicalities well
enough to understand the risk, make a sound assessment and present risk-oriented advice to
management.
32. The information technology auditors review risks relating to information technology systems
and processes. Some of them are:
Systems and applications: an audit to verify that systems and applications are appropriate,
efficient and adequately controlled to ensure valid, reliable, timely and secure input,
processing and output, with an audit trail at all levels of the system’s activity
Information processing facilities: an audit to verify that the processing facility is controlled to
ensure timely, accurate and efficient processing of applications under normal and
potentially disruptive conditions
System development: an audit to verify that the systems under development meet the
objectives of the organization and to ensure that the systems are developed in accordance
with generally accepted standards for system development
Telecommunications, intranets and extranets: an audit to verify that controls are in place on
the client, the server, and on the network connecting the clients and servers
Scoping and pre-audit survey: here, the auditors determine the main area of focus.
Information sources at this stage include background reading and web browsing,
previous audit reports, pre-audit interviews, observations and sometimes subjective
impressions that simply deserve further investigation
Planning and preparation, during which the scope is broken down into greater levels of
detail, usually involving the generation of an audit work plan or risk control matrix
Analysis. This step involves sorting out, reviewing and trying to make sense of all the
evidence gathered earlier. The SWOT technique can be used for analysis
Reporting to management is done after the data gathered has been analyzed
Closure involves preparing notes for future audits and following up with management to
complete the actions they promised after previous audits
Classification of controls (from the figure):
- Organizational controls
- Financial controls
- Data processing environment controls
- Physical access controls
- Logical access controls
- SDLC controls
- BCP controls
- Application controls
- User controls
‡ Use of IS resources
‡ Physical, data & online security
‡ Reviewing, evaluating & purchasing hardware & software
‡ System development methodology &
‡ Application program changes
Job descriptions
Segregation of duties
37. Management Controls ensure that the IS functions correctly & meets strategic business
objectives. The controls to be considered when reviewing the organization & management
controls in an IS system shall include:
38. Financial Control Techniques are the procedures exercised by the system user personnel over
source / transactions origination documents before system input. These areas exercise control
over transaction processing. A few financial control techniques are:
Authorization
Budgets
Cancellation of documents (to prevent reuse)
Documentation
Dual control
Input/ output verification
Safekeeping
Segregation of duties
Sequentially numbered documents
Supervisory review
39. Data Processing Environment Controls are hardware & software related & include procedures
exercised in software programming, online transaction systems, database administration etc.
40. Physical Access Controls are personnel-related & include procedures exercised on access by
employees/ outsiders to IT resources. They relate to establishing appropriate physical security
& access control measures for IT facilities.
41. Logical Access Controls are software-related & include procedures exercised in the IS software
through access controls through system software & application software. They are
implemented to ensure that access to systems, data & programs is restricted to authorized
users so as to safeguard information against unauthorized use, modification or loss.
Key factors in designing LAC include:
42. SDLC Controls are functions & activities generally performed manually that control the
development of application systems, either through in-house design & programming or
purchase. These procedures establish control functions in each phase of SDLC
43. BCP Controls relate to having an operational and tested IT continuity plan, which is in line with
the overall business continuity plan, and its related business requirements so as to make sure
IT services are available as required and to ensure a minimum business impact in the event of
a major disruption.
44. BCP controls require an operational & tested IT continuity plan so as to ensure availability
of IT services & minimum impact on business in the event of a major disruption. The controls
include:
Criticality classification
Alternative procedures
Back-up & recovery
Systematic & regular testing & training
Business continuity activation
Fallback & resumption plans
45. Application Control Techniques include the programmatic routines within the application
program code. The objective is to ensure that data remains complete, accurate & valid during
its input, update & storage. Any function or activity that works to ensure the processing
accuracy of the application can be considered as an application control
Applications represent the interface between the user and the business functions. From the
point of view of the users, it is the applications that drive the business logic. The following are
the user controls that are to be exercised for system effectiveness and efficiency:
- Boundary Controls
- Input Controls
- Processing Controls
- Output Controls
- Database Controls
47. Boundary controls establish interface between the user of the system and the system itself.
The system must ensure that it has an authenticated user and users must ensure that they are
given authentic resources and their usage of resources is restricted.
The major controls of boundary controls are the access controls mechanisms. They link the
authentic users to the authorized resources the users are permitted to access. The steps in
this mechanism are Identification, Authentication and Authorization.
The user can provide three classes of input information for the authentication process and
gain access control to his required resources. The three classes are Personal Information,
Personal Characteristics and Personal Objects.
Boundary control techniques include:
- Cryptography deals with programs for transforming data into codes that are
meaningless to anyone who does not possess the authentication to access the respective
system or file
- Personal Identification Numbers are similar to passwords and issued based on user
characteristics and using a cryptographic algorithm
48. Input controls are responsible for ensuring the accuracy and completeness of data and
instructions input into an application system. They are important since input involves human
intervention. Auditors should evaluate the quality of coding systems to analyze their impact on
the integrity and accuracy of data keyed into the system.
Data coding errors include addition or omission of a character in a code, recording wrong
characters, reversing adjacent characters etc.
49. Check Digits are redundant digits that help verify the accuracy of other characters in the code
that is checked. The program recalculates the check digits and compares with the check digit
in the code when it is entered to verify if the code is correct. They may be prefixes or suffixes to
the actual data
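The check-digit mechanism described above, as an added example that is not part of these notes: the notes name no particular scheme, so the Luhn (mod 10) suffix check digit is assumed here, and the code also simulates the coding errors listed under point 48 to show which of them the check digit catches.

```python
"""Check-digit control for data coding (added example, not from the notes).

The Luhn mod-10 algorithm is an assumption; the notes only say that a check
digit is recomputed on entry and compared with the digit carried in the code.
"""


def luhn_check_digit(body: str) -> str:
    """Compute the check digit to be appended (as a suffix) to a numeric code."""
    if not body.isdigit():
        raise ValueError("code body must be numeric")
    total = 0
    # Walk the body right to left; the rightmost body digit and every second
    # digit after it is doubled, and a doubled value above 9 has 9 subtracted
    # (equivalent to summing its two digits).
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def with_check_digit(body: str) -> str:
    """Return the full code: body followed by its check digit."""
    return body + luhn_check_digit(body)


def is_valid(code: str) -> bool:
    """Entry-time check: recompute the digit from the body and compare."""
    if len(code) < 2 or not code.isdigit():
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def coding_errors(code: str) -> dict:
    """Apply the data coding errors named in the notes to a valid code and
    report whether the check digit catches each one (True = caught)."""
    results = {}
    # Omission of a character: the first digit is dropped.
    results["omission"] = not is_valid(code[1:])
    # Addition of a character: a spurious leading zero is keyed in. Luhn is
    # blind to leading zeros, so this error passes the check unnoticed; a
    # fixed-length check on the field is needed to catch it.
    results["addition"] = not is_valid("0" + code)
    # Wrong character: the first digit is mis-keyed.
    wrong = str((int(code[0]) + 1) % 10) + code[1:]
    results["wrong_character"] = not is_valid(wrong)
    # Reversing adjacent characters: the first two digits are transposed.
    swapped = code[1] + code[0] + code[2:]
    results["transposition"] = not is_valid(swapped)
    return results
```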
50. Processing controls perform validation checks to identify errors during processing of data.
They are required to ensure both completeness and the accuracy of the data being processed.
They are enforced through database management system that stores the data.
Run to run totals help in verifying data that is subject to process through different stages
Reasonableness verification compares and cross-verifies two or more fields to ensure their
correctness
Edit checks are similar to data validation controls and can be used to verify accuracy and
correctness of data
Field initialization ensures initializing of the record, i.e., setting all values to zero before
inserting a field in to a record
Exception reports are generated to identify errors in data processed. Such errors give the
transaction code and reason as to why the particular transaction was not processed
51. Output controls ensure that the data delivered to users will be presented, formatted and
delivered in a consistent and secure manner. They ensure the integrity, confidentiality and
consistency of the output. They have to be enforced both in batch processing environment as
well as in an online environment.
Spooling and queuing. Spool is a process used to ensure that the user is able to continue
working, even before the print operation is completed. A Queue is the list of documents
waiting to be printed on a particular printer. This should not be subject to unauthorized
modifications.
Report distribution and collection controls will prevent unauthorized disclosure of data
Retention controls consider the duration for which outputs should be retained before being
destroyed
Existence / Recovery controls are needed to recover the output in the event of its loss or
destruction
52. Database controls protect the integrity of a database where application software acts as
the interface between the user and the database. They are classified as Update controls and
Report controls.
Update controls are:
- Sequence check of transaction and master files, which is critical to maintain the integrity of
updating, inserting or deleting records in the master file with respect to the transaction records
- Ensure all record files are processed
- Process multiple transactions for a single record in the correct order
- Maintain a suspense account for mismatched transactions
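The update controls listed above, as an added example that is not part of these notes: the master file is modelled as a dict of account balances, and the account keys, amounts and the no-overdraft business rule are constructed.

```python
"""Master-file update with sequence check, completeness check and suspense
handling (added example, not from the notes). Accounts, amounts and the
no-overdraft rule are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str   # key of the master record to be updated
    seq: int       # sequence number assigned when the transaction was captured
    amount: int    # signed amount in minor currency units


def update_master(master: dict, transactions: list) -> dict:
    """Post a transaction file to the master file and return an update report.

    Update controls implemented:
      * sequence check: transactions are applied in (account, seq) order so
        that several transactions for one record are processed in order
      * completeness: every transaction is either posted or held in suspense
      * suspense: mismatched or rejected transactions are kept for review,
        never silently dropped
      * run-to-run totals: opening balance + posted amount = closing balance,
        ready to be printed by the report controls
    """
    updated = dict(master)
    suspense = []          # (transaction, reason) pairs for later review
    posted = 0
    posted_amount = 0
    prev = None
    for t in sorted(transactions, key=lambda t: (t.account, t.seq)):
        if prev is not None and (prev.account, prev.seq) == (t.account, t.seq):
            # A reused sequence number indicates a duplicate capture.
            suspense.append((t, "duplicate sequence number"))
            continue
        prev = t
        if t.account not in updated:
            # No matching master record: hold it rather than lose it.
            suspense.append((t, "no master record"))
            continue
        if updated[t.account] + t.amount < 0:
            # Constructed business rule: a debit may not overdraw the balance.
            # Applying transactions out of sequence could wrongly trip this
            # rule when a credit and a later debit arrive in the wrong order.
            suspense.append((t, "would overdraw balance"))
            continue
        updated[t.account] += t.amount
        posted_amount += t.amount
        posted += 1
    if posted + len(suspense) != len(transactions):
        raise RuntimeError("completeness check failed: transactions unaccounted for")
    opening = sum(master.values())
    closing = sum(updated.values())
    if opening + posted_amount != closing:
        raise RuntimeError("run-to-run total mismatch")
    return {
        "master": updated,
        "suspense": suspense,
        "posted": posted,
        "run_to_run": {"opening": opening, "posted": posted_amount, "closing": closing},
    }
```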
Report controls are:
- Standing data
Print run to run control totals
Print suspense account entries
Existence / Recovery controls
54. Preventive controls are those inputs which are designed to prevent an error, omission or
malicious act from occurring. The broad characteristics of preventive controls are:
55. Detective controls are designed to detect errors, omissions or malicious acts that occur and
report the occurrence. The main characteristics of such controls are:
Clear understanding of lawful activities so that anything which deviates from these is
reported
An established mechanism to refer the reported unlawful activities to the appropriate person
or group
Interaction with the preventive control to prevent such acts from occurring
Surprise checks by supervisors
56. Corrective controls are designed to reduce the impact or correct an error once it has been
detected. A business continuity plan is considered to be a significant corrective control. The
main characteristics of the corrective controls are:
57. Compensatory controls are basically designed to reduce the probability of threats, which can
exploit the vulnerabilities of an asset and cause a loss to the asset.
58. Environmental controls relate to housing IT resources such as power, air conditioning etc.
59. Physical Access controls relate to physical security of the tangible Information System
resources and intangible resources stored on tangible media
60. Logical Access controls relate to logical access to information resources such as operating
systems controls, application software boundary controls, networking controls and access to
database objects
63. SDLC controls relate to planning, design, development, testing, implementation and post
implementation, change management of changes to applications and other software
64. Internal accounting controls are intended to safeguard the client’s assets and ensure the
reliability of financial records
65. Operational controls deal with day to day operations, functions and activities to ensure that the
operational activities are contributing to business objectives
66. Administrative controls are concerned with ensuring efficiency and compliance with
management policies, including operational costs
67. Quality Control management is a process that impacts the effectiveness, efficiency, integrity
and availability of Information Systems and involve IT resources that include people,
applications, technology and facilities. It describes the controls over the IT process of
managing quality that meets business requirements.
68. Quality Standards enable implementation of quality management controls. The best practices
that identify quality and assurance are governed by two key standards:
ISO 9000 Quality Management and Quality Assurance Standards, which define quality control
as the operational techniques and activities that are used to fulfill requirements for quality
Management of the change process runs parallel to all the phases of SDLC. The complexity
of hardware, software and application relationships in the operating environment needs well
defined, planned, coordinated, tested and implemented change management. It involves
the following tasks:
Other controls
Controls / Descriptions / Auditor’s Role

System change controls
  Description: The change control process of a system under development is to address the
  problems not detected during system design or testing and changes in user requirements.
  Auditor’s role:
  - Evaluate quality of decisions made with respect to project management and change
  facilitation
  - Verify authorization and documentation of changes made to systems and programs

Program change controls
  Description: Implementing controls over the modification of application software programs is
  to ensure that only authorized programs and authorized modifications are implemented.
  Auditor’s role:
  - Ensure maintenance of software program code libraries
  - Appropriate backups of the system’s data and programs to store various versions of files
  - Thorough testing before any new software release is applied in a production environment

Authorization controls
  Description: They ensure all information and data entered or used in processing is authorized
  by management, and representative of events that actually occurred.
  Auditor’s role:
  - Determine if the proper level of management is authorizing the transaction activity
  - Identify any allowable overrides or bypasses of data validation and edit checks

Documentation controls
  Description: Documentation contains descriptions of the hardware, software, policies,
  standards, procedures and approvals related to the system and formalizes the system’s
  security controls.
  Auditor’s role:
  - Review by IT management to monitor and approve all changes to hardware, software and
  personnel responsibilities
  - Assessing documentation involves evaluating the change board’s efforts to complete the
  following critical procedures: there is sufficient documentation that explains how software/
  hardware is to be used; there are documented formal security and operational procedures

Testing and quality controls
  Description: Testing commences during the design phase, during which designs and
  specifications should be subject to quality reviews, and continues during the system
  development and acceptance testing phases of SDLC. The overall objective of testing is to
  ensure that the delivered system is of adequate quality. The requirement to demonstrate that
  a system is reliable implies that it should be tested, not to demonstrate that it works, but to
  uncover as many defects as possible.
Install and accredit solutions and changes is the high level functional area that captures the
greatest number of features representing the activities related to SDLC or release
management.
71. Control process Acquire and Implement 7 (AI7), issued by the IT Governance Institute, states
that:
New systems need to be made operational once development is complete. This requires
proper testing in a dedicated environment with relevant test data, definition of rollout and
migration instructions, release planning and actual promotion to production, and a post
implementation review. This assures that operational systems are in line with agreed
expectations and outcomes.
72. Controls over the system development phases and auditor’s role
The SDLC phases define an agenda of issues that stakeholders in the system development
process must address. The quality of system development will depend on how well the
stakeholders come to grips with the issues in the context of the project. The following are some
important controls:
Phase / Description / Controls / Auditor’s role

Entry and feasibility assessment
  Description: The specific techniques used to evaluate the feasibility of systems depend on the
  type and size of the system being proposed.
  Controls:
  - Technical feasibility
  - Operational feasibility
  - Economic feasibility
  - Behavioral feasibility
  Auditor’s role:
  - Is the proposed change not imposed on the stakeholders?
  - Behavioral impact on the users and the problems that arise in the proposed system

Analysis of the existing system
  Description: Analysis shall include a study of the existing organizational history, structure,
  culture and existing information flows.
  Controls:
  - The need to study aspects of the present organizational structure
  - The organizational structure gives an idea of the power equations within the organization
  Auditor’s role:
  - Context in which the decisions for the new proposed systems were made
  - Evaluate quality of methodologies used
  - Usage of high quality tools in analysis and documentation

Formulation of strategic requirements
  Description: Also called Systems Requirements Specification; the document identifies the
  perceived deficiencies in the existing system, and the existing or perceived new system are
  evaluated.
  Controls:
  - Align the business requirements with the preview of management’s objectives, user’s goals
  and elicitation of the requirements and system-design work concurrently
  Auditor’s role:
  - Evaluate the quality of SRS design work
  - The feasibility of the system design proposed
  - Assess the identified procedures and substantial behavioral impact on the users within the
  proposed system

Organizational and job design
  Description: Adapting the organizational structures and job responsibilities with respect to the
  proposed system often leads to behavioral problems among its stakeholders and may result in
  implementation failure.
  Controls:
  - Roles and responsibilities of the users of the system are to be defined using formal
  traditional mechanisms or open ended structures to facilitate adaption
  - Clear design of responsibilities in the initial design phase is critical in achieving the goals
  Auditor’s role:
  - Assess the assigned responsibility and process used to resolve conflicts
  - Assess control risk associated with responsibilities during SDLC with substantive testing

Information processing system design
  Description: The reliability of the controls designed into the system is to be evaluated to meet
  strategic requirements of the proposed system.
  Controls:
  - Hardware / Software: design and requirements to meet the application system; modularity
  and generality of the system to meet future change
  - User interface: using source documents of data reports
  Auditor’s role:
  - Evaluate appropriateness of the requirements elicitation strategy in the scope of the
  stakeholders
  - Design and quality of the user interface need to follow best design practices

Application software acquisition / selection process
  Description: Application software may be bought or developed in house.
  Controls:
  - Information and system requirements need to meet business and system goals
  - Feasibility analysis to define constraints or limitations for each alternative system from a
  technical as well as a business perspective
  Auditor’s role:
  - Highlight risks before a vendor contract or a software agreement contract is signed
  - Collect information through his own sources on vendor viability and support infrastructure
  - Ensure legal scrutiny of contracts
Scanners are basic software used to check memory, disk boot sectors and executables.
Active monitors and Heuristic Scanners look for critical interrupt calls and OS functions which resemble virus action.
Integrity Checkers detect any unauthorized changes to files on the system.
The integrity checker software performs a “take stock” of all files resident on the system and computes binary check data called the CRC.
When a program is called for execution, the software computes the CRC again and checks it against the parameters stored on the disk. In this
manner, any unauthorized changes to the files on the system can be detected.
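An integrity checker of the kind described above, as an added example that is not any product’s code: it takes stock of every file under a root, stores one check value per file and recomputes it on demand. CRC-32 follows the notes; SHA-256 is offered as well because a CRC only guards against accidental change (a deliberately altered file can be made to keep its CRC), and the sample directory tree built by demo() is constructed data.

```python
"""File integrity checker (added example, not from the notes).

CRC-32 is the check value named in the notes; SHA-256 is the choice when
deliberate tampering, not just accidental corruption, is the concern.
"""
import hashlib
import os
import tempfile
import zlib

CHUNK = 65536


def file_digest(path: str, algo: str = "crc32") -> str:
    """Check value of one file, read in chunks, returned as a hex string."""
    if algo == "crc32":
        crc = 0
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                crc = zlib.crc32(chunk, crc)
        return f"{crc & 0xFFFFFFFF:08x}"
    if algo == "sha256":
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                h.update(chunk)
        return h.hexdigest()
    raise ValueError(f"unsupported algorithm: {algo}")


def take_stock(root: str, algo: str = "crc32") -> dict:
    """Baseline ("take stock"): relative path -> check value for every file."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algo)
    return baseline


def check_integrity(root: str, baseline: dict, algo: str = "crc32") -> dict:
    """Recompute and compare with the baseline; report modified, added and
    missing files. Keep the baseline where the checked system cannot write it,
    otherwise a change can be hidden by updating the stored value too."""
    current = take_stock(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo(algo: str = "crc32") -> dict:
    """Constructed sample: take stock, then alter, add and remove files."""
    root = tempfile.mkdtemp()
    sample = {"bin/app.exe": b"MZ original program image",
              "etc/config.ini": b"mode=safe\n"}
    for rel, data in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    baseline = take_stock(root, algo)
    clean = check_integrity(root, baseline, algo)
    with open(os.path.join(root, "bin", "app.exe"), "wb") as fh:
        fh.write(b"MZ patched program image")          # unauthorized change
    with open(os.path.join(root, "bin", "extra.exe"), "wb") as fh:
        fh.write(b"unexpected new executable")          # file not in baseline
    os.remove(os.path.join(root, "etc", "config.ini"))  # file removed
    return {"clean": clean, "after": check_integrity(root, baseline, algo)}
```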
***
04 TESTING – GENERAL & AUTOMATED CONTROLS
Testing is a process to verify the correctness, completeness & quality of developed software or any
other product. It is known as criticism or comparison. It helps to verify that the developed software
or product works as intended.
Testing objectives
- Errors identification
- Software operation
- Quality assurance
Starting time of test
- Should start as early as possible in the life cycle, as early testing helps in reducing errors
& lowering costs
Cause of bugs
Testing costs
- Costs increase manifold if bugs not detected on time. Fixing bugs at early stages of life
cycle will cost less.
Test plan is derived from test approach and contains requirements, project plan, functional
specifications and design specifications. It details out project specific test approach and lists
out high level test case areas. It includes testing risk assessment and primary test schedules. It
also lists resource requirements.
Test plan includes systematic & documented steps which are performed at different stages of
IS Development.
Levels of Test Plan
- For individual modules or programs: includes testing procedures & types of tests. What: basic
input & output activities are tested. Sequence: +ve tests & -ve tests.
- For integrated modules & their interfaces: includes testing procedures & types of tests. What:
internal/ external links/ interfaces. Sequence: arranged based on dependencies between modules.
- For the entire system, by the developer before its implementation: includes testing procedures
& types of tests. What: testing all initial requirements; covers functionality of the entire project.
- For the entire system, by users before its acceptance & use: includes testing procedures &
types of tests to be performed.
Static testing (Verification Activities): used for verification activities, to check whether the
work being done is as per the set standards of the organization.
Dynamic testing (Validation Activities): involves working with software, giving input
values & checking if output is as expected. Includes validation activities, unit tests etc.
5. Black Box Testing aims to derive sets of inputs that will fully exercise all the functional
requirements of the system.
Treats software as a “black box”, without any knowledge of its internal implementation
Valid & invalid inputs selected to determine accuracy of outputs
Mainly concerned with correct acceptance of inputs & relevant outputs
Applicable to all levels of testing
Can cover unimplemented parts also
Testing method includes:
- Equivalence partitioning
- Boundary value analysis
- Cause-effect graphing technique
Equivalence Partitioning: software testing technique that divides input data of software
unit into partition of data from which test cases can be derived. Tries to define test cases
that uncover classes of errors. Its goals are: 1) to reduce number of test cases to necessary
minimum & 2) to select right test cases to cover all possible scenarios. It uses fewest test
cases to cover maximum requirements.
Boundary Value Analysis (BVA): since more application errors occur at boundary levels
of input domain, BVA is used to identify errors at boundaries rather than finding them in
center of input domain. Test cases are selected at edges of equivalence classes.
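Equivalence partitioning and BVA applied to a constructed quantity field, as an added example that is not part of these notes: the valid range 1..100, the two validators under test and the planted off-by-one defect are all assumptions, chosen to show why a boundary case finds an error that a representative from the middle of each class misses.

```python
"""Equivalence partitioning and boundary value analysis (added example, not
from the notes). The quantity field, its range 1..100 and the validators are
constructed; one validator carries a planted off-by-one defect.
"""


def equivalence_classes(lo: int, hi: int) -> dict:
    """Partition an integer input domain around the valid range [lo, hi].
    Each class is (lower_bound, upper_bound); None marks an open end."""
    return {
        "invalid_low": (None, lo - 1),
        "valid": (lo, hi),
        "invalid_high": (hi + 1, None),
    }


def class_representatives(lo: int, hi: int) -> list:
    """Equivalence partitioning alone: one value from the interior of each
    class, i.e. the fewest cases that still cover every class."""
    return [lo - 10, (lo + hi) // 2, hi + 10]


def boundary_values(lo: int, hi: int) -> list:
    """Boundary value analysis: the values on and immediately either side of
    each edge of the valid equivalence class."""
    return [lo - 1, lo, lo + 1, hi - 1, hi, hi + 1]


def expected_by_spec(lo: int, hi: int, value: int) -> bool:
    """The test oracle: what the specification says the validator must answer."""
    return lo <= value <= hi


def run_cases(validator, lo: int, hi: int, values: list) -> list:
    """Execute the test cases; return the inputs on which the validator
    disagrees with the specification (empty list = all cases passed)."""
    return [v for v in values if validator(v) != expected_by_spec(lo, hi, v)]


# Code under test (constructed). The defective version uses `< 100`, so the
# legitimate maximum quantity of 100 is rejected: an error sitting exactly on
# the boundary of the input domain.
def accept_quantity_defective(qty: int) -> bool:
    return 1 <= qty < 100


def accept_quantity_correct(qty: int) -> bool:
    return 1 <= qty <= 100


def demo() -> dict:
    """Run both test designs against the defective validator, then the
    boundary cases against the corrected one."""
    lo, hi = 1, 100
    return {
        "partition_only": run_cases(accept_quantity_defective, lo, hi,
                                    class_representatives(lo, hi)),
        "boundary": run_cases(accept_quantity_defective, lo, hi,
                              boundary_values(lo, hi)),
        "boundary_after_fix": run_cases(accept_quantity_correct, lo, hi,
                                        boundary_values(lo, hi)),
    }
```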
6. White Box Testing is a test case design method which uses the control structure of the
procedural design to derive test cases.
Used when tester has access to internal data structure & algorithms & also access to
implement these algorithms
Types of tests used:
- Basis path testing: every path of program is derived & tested. Ensures that every
statement is executed & tested at least once, takes help of flow graphs to simplify
derivations of each path.
- Loop testing: focuses exclusively on the validity of loop constructs. There are four different
classes of loops: simple loops, nested loops, concatenated loops & unstructured loops.
- Condition Testing: executes & verifies all the logical conditions in a program.
- Dataflow Testing: selects test paths according to the locations of definitions & uses of
variables in the program.
- Flow-Graphs: can be used to represent control flow in a program & can help in the
derivation of a basis set.
7. Unit Testing is a method of testing the correctness of a particular module of source code.
It is a software verification & validation method in which the programmer gains confidence that
individual units of source code are fit for use.
A unit test checks the correctness of a particular module of source code; test cases are written
for every function in the module such that each test case is separate from the others.
Benefits:
- Encourages change
- Simplifies integration
- Documents the code
Limitations:
8. Requirement Testing
Helps to ensure that system’s requirements communicated by users are correct &
requirements are correctly understood & specified by developers for further system
development.
Helps in developing correct system in efficient manner
Objectives:
9. Regression Testing
The process of testing changes to computer programs to make sure that older programs
still work with new changes.
A regression test re-runs previous tests against changed software to ensure that changes
made in current software do not affect functionality of existing software.
Objectives:
To be used when there is high risk that new changes may affect unchanged areas of
application software.
10. Error Handling Testing refers to the detection and resolution of programming, application and
communication errors. There are 2 types of errors:
a. Development error (also known as syntax and logical error) – Happens due to typing
mistakes or incomplete logics; and
Error handling testing means establishing that all error handling procedures are in place for
applications, i.e. errors will be detected and handled as per set guidelines.
Error handling Objectives are:
11. Manual Support Testing means that certain functions will be performed by people rather than
automated IS. Manual Support Testing is the testing of the manual support functions. Manual
support testing is best done during the installation phase.
Verify that manual support procedures are correct and documented properly
Determine that manual support responsibilities are established & defined correctly
Determine that manual support people are adequately trained
Determine that manual support procedures are properly connected
12. Inter System Testing ensures that interconnection between various systems & applications
work properly. It is done to ensure that:
Parameters and data are correctly passed between linked applications and systems
Proper coordination between working of different linked systems exists
13. Control Testing is a check that acts as a management tool to ensure that processing is
performed in accordance with the intent of management. It ensures that:
It is done to ensure that the processing of the new application is consistent with the
processing of the previous system.
The objective is to ensure that the new system performs correctly and to demonstrate the
consistency or inconsistency between the 2 applications.
It is the testing of the system when the maximum number of users are simultaneously
active and when the database contains the greatest volume of data.
The purpose of volume testing is to find out the weaknesses in the system with respect to its
handling of large amounts of data over extended time periods.
16. Functional Testing
Checks whether programs do what they are supposed to do or not.
Test plan specifies operating conditions, input values and expected results and as per this
plan, the programmer checks by inputting the values to see whether the actual result and
expected result match.
The purpose of stress testing is to find defects in the system's capacity to handle large
numbers of transactions during peak periods.
Server testing deals with the quality of the application in the expected environment. The
idea is to create an environment more demanding of the application than the one the
application would experience during its normal course of operation.
System performance is generally assessed in terms of response time and throughput rates
under different processing and configuration conditions.
The performance problems are most often the result of the client or server being configured
inappropriately.
The best strategy for improving client server performance is a three-step process:
1st, execute controlled performance tests that collect data about volume, stress and
loading tests.
2nd, analyze the collected data.
3rd, examine and tune database queries.
Need:
- To continuously monitor the system
- To collect audit evidences while live data are processed during regular operating hours
Uses embedded audit modules which are segments of program code that perform audit
functions.
Audit Hooks are auditing routines that flag/ mark suspicious transactions. When employed,
auditors are informed of questionable transactions immediately on their occurrence. This
immediate notification is called Real-time notification.
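The embedded audit module and audit hook mechanism described above, as an added example that is not part of the original notes: a small transaction posting path with two hooks that flag questionable transactions, retain audit evidence and notify the auditor the moment each one occurs. The transaction fields, the 50,000 limit, the 09:00-18:00 window and the sample transactions are all constructed for illustration.

```python
"""Embedded audit module with real-time audit hooks (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Optional, Tuple


@dataclass
class Transaction:
    txn_id: str
    user: str
    amount: float
    posted_at: datetime


@dataclass
class AuditEvidence:
    """Evidence retained by the embedded module while live data is processed."""
    processed: int = 0
    flagged: List[Tuple[str, str]] = field(default_factory=list)  # (txn_id, reason)


# An audit hook inspects one transaction and returns a reason if it is questionable.
AuditHook = Callable[[Transaction], Optional[str]]


def large_amount_hook(limit: float) -> AuditHook:
    """Flag transactions above an authorisation limit (the limit is a constructed threshold)."""
    def hook(t: Transaction) -> Optional[str]:
        if t.amount > limit:
            return f"amount {t.amount:.2f} exceeds limit {limit:.2f}"
        return None
    return hook


def outside_hours_hook(start_hour: int = 9, end_hour: int = 18) -> AuditHook:
    """Flag transactions posted outside regular operating hours."""
    def hook(t: Transaction) -> Optional[str]:
        if start_hour <= t.posted_at.hour < end_hour:
            return None
        return f"posted at {t.posted_at:%H:%M}, outside {start_hour:02d}:00-{end_hour:02d}:00"
    return hook


class EmbeddedAuditModule:
    """Segment of program code embedded in the application's posting path."""

    def __init__(self, hooks: List[AuditHook], notify: Callable[[Transaction, str], None]):
        self.hooks = list(hooks)
        self.notify = notify          # real-time notification channel to the auditor
        self.evidence = AuditEvidence()

    def post(self, t: Transaction) -> bool:
        """Process one live transaction; every hook sees it as it is posted."""
        self.evidence.processed += 1
        for hook in self.hooks:
            reason = hook(t)
            if reason is not None:
                self.evidence.flagged.append((t.txn_id, reason))
                self.notify(t, reason)  # auditor informed immediately on occurrence
        return True  # flagged transactions are recorded for review, not blocked


# Constructed sample transactions (not real data)
SAMPLE_TRANSACTIONS = [
    Transaction("T001", "alice", 1_200.00, datetime(2024, 3, 4, 10, 15)),
    Transaction("T002", "bob", 75_000.00, datetime(2024, 3, 4, 11, 30)),   # over limit
    Transaction("T003", "carol", 300.00, datetime(2024, 3, 4, 23, 5)),     # after hours
    Transaction("T004", "dave", 90_000.00, datetime(2024, 3, 5, 2, 40)),   # both
]


def run_sample(limit: float = 50_000.0):
    """Run the sample through the module; returns (evidence, notifications sent)."""
    notifications: List[str] = []
    module = EmbeddedAuditModule(
        hooks=[large_amount_hook(limit), outside_hours_hook()],
        notify=lambda t, reason: notifications.append(f"{t.txn_id} ({t.user}): {reason}"),
    )
    for t in SAMPLE_TRANSACTIONS:
        module.post(t)
    return module.evidence, notifications


if __name__ == "__main__":
    evidence, notes = run_sample()
    print(f"processed={evidence.processed} flagged={len(evidence.flagged)}")
    for line in notes:
        print(line)
```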
Integrated Test Facility (ITF):
Snapshot Technique:
- Advantages of CIS:
Does not require modification to application system for auditing
Faster & efficient testing with large samples of data
Increases the quantity of audits, so lesser risks
Entire process can be evaluated and analyzed
- Timely audit
- Comprehensive & detailed auditing
- Surprise test capability
- Assessing whether IS meets set objectives
- Training for new users
- Memory
- Performance
- Security
- Reliability
- Error handling/ exit testing
- Max. no. of users supportable
- Maintenance support
- Accessibility testing
Hardware Acquisition:
- Check for written policy
- Check approval process
- Check whether requests are supported by cost benefit analysis
- Check procedure of purchase
- Check for proper documentation
Hardware Updation:
- Check whether updation timely planned
- Check whether updation schedule provides time for installation & testing
- Check for proper documentation
- Check effect on updation, wherever necessary
Preventive Maintenance Plan:
- Check frequency timely planned
- Check maintenance contracts & actual maintenance performed
- Check maintenance operations
General Controls:
- Check controls/ procedures being used
- Check logs of system for hardware performance & problems
Here, the auditor reviews the procurement, implementation, execution and maintenance of
system software such as operating system, in terms of:
The reviewer / auditor of networks should have knowledge about networks, network topology,
LAN technicalities etc. The auditor should review, test and validate the following controls for
networks:
Physical controls
Logical controls
Environment controls
- Verify adequate temperature, static electricity facilities & electric surge protectors
- Verify storage & backup media facilities
SUMMARY OF VARIOUS CONCURRENT AUDIT TESTING
***
05 RISK ASSESSMENT
METHODOLOGIES & APPLICATIONS
1. Risk Assessment seeks to identify which business processes and related resources are
critical to the business, what threats or exposures exist that can cause an unplanned
interruption of the business processes, and what costs accrue due to an interruption.
Risk assessment consists of two basic components: Data Collection & Data Analysis. The
purpose of risk analysis involves threat identification and risk mitigation.
2. Risk
It is the likelihood that an organization may be exposed to some threat that may cause
harm to the organization.
Risk leads to a gap between the need to protect a system and the degree of protection
applied. This gap is known as Security Gap
3. Definitions
Threat is an action, event or condition where there is compromise in the system, its quality
and ability to inflict harm to the organization. It is any circumstance or event with the
potential to cause harm to an Information System in the form of destruction, disclosure,
adverse modification of data and denial of services
Vulnerability is a weakness in the safeguards or security of the system that exposes the
IS to various threats.
Exposure is the extent of loss an organization may face if a risk materializes. It is the
impact of the occurrence of a risk in the immediate & longer term.
Likelihood of the threat occurring is the estimation of the probability that the threat will
succeed in achieving an undesirable event
Attack is a set of actions which may compromise the integrity & confidentiality & other
desired features of an IS. The type of attack & its degree of success determine the results
or consequences of attack.
Residual Risk: Any risk that still remains after all the security measures to prevent the risks
are analyzed & implemented. Here, organization management needs to consider two areas:
Risk Acceptability Level refers to the issue of how much risk is acceptable and what price
should be payable to reduce a certain part of the risk
Security Gap is the gap between the need to protect systems & the degree of protection
applied.
Malicious code is code such as viruses and worms which freely accesses unprotected
networks and may affect organizational and business networks that use these
unprotected networks.
Power loss
Communication network failure
Disgruntled employees
Errors
Malicious codes (programs)
Abuse of access privilege by employees
Natural disasters
Theft & destruction of computing resources
Downtime due to technology failure
5. Cyber Crime & threats due to Cyber Crime
Cyber Crime is the general nomenclature for “electronic offences” arising from the increasing
use of computer networks & the internet, and the frauds committed thereby.
Theft of proprietary information is the illegal obtaining of designs, patents etc. and personal
or financial information, usually by electronic copying
Denial of service is usually caused by events such as ping attacks, port scanning probes
and excessive amounts of incoming data
Computer virus is a computer program that can copy itself and infect a computer without
the permission or knowledge of the user
6. Risk Assessment is a critical step in disaster and business continuity planning. It is necessary
for developing a well tested contingency plan.
Risk assessment is the analysis of threats to resources and the determination of amount of
protection necessary to adequately safeguard the resources, so that vital systems, operations
and services can be resumed to normal status in the minimum time in case of a disaster.
Risk assessment is a useful technique to assess the risks involved in the event of unavailability
of information, to prioritize applications, identify exposures and develop recovery scenarios.
The areas to be focused are:
- Legal liabilities
- Interruptions of customer service
- Possible losses
- Likelihood of fraud and recovery procedures
Assessment of Insurance coverage. The Information System insurance policy should be a
multi peril policy, designed to provide various types of coverage
Classification of Risks
- Identify the technology related risks under the scope of operational risks
- Address the identified risks in terms of probability and exposure
- Classify the risks as systematic and unsystematic
- Identify various managerial actions that can reduce exposure to systematic risks and the
cost of implementing the same
- Identify the contribution of the technology in reducing overall risk exposure
- Evaluate the technology risk premium on available solutions and compare the same with
the possible values of loss from the exposure
- Match the analysis with the management policy on risk appetite and decide on
introduction of the same
Risk management cycle is a process involving the following steps: identifying assets,
vulnerabilities and threats; assessing the risks; developing a risk management plan;
implementing risk management actions and re-evaluating the risks.
8. Risk Assessment & Evaluation Process
9. Risk Identification
Delphi Techniques
Scoring Approach
Quantitative Techniques
- Involves calculating an annual loss exposure value based on the probability of the event
and the exposure in terms of estimated costs
Requires that each component & application be analyzed separately before ranking
Two quantitative parameters used for ranking:
- Probability of occurrence
- Possible impact or exposure of threats
Should be based on probability of occurrence of risk & severity of risk in terms of losses
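An added worked example (not from the notes) of the quantitative technique: annual loss exposure = probability of occurrence × exposure (estimated cost), computed separately for each component/threat pair and then ranked by the two parameters, followed by the cost-benefit check of a proposed control (its cost against the loss it avoids) and a test of the residual risk against the risk acceptability level. All components, probabilities, costs and control figures below are constructed.

```python
"""Quantitative risk ranking by annual loss exposure (added example, constructed figures)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskItem:
    """One component/threat pair, analysed separately before ranking."""
    component: str
    threat: str
    probability: float   # expected occurrences per year
    exposure: float      # estimated cost of a single occurrence

    def annual_loss_exposure(self) -> float:
        # annual loss exposure = probability of occurrence x exposure (estimated cost)
        return self.probability * self.exposure


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the probability that remains once it is in place."""
    name: str
    annual_cost: float
    residual_probability: float


def rank_risks(items: List[RiskItem]) -> List[RiskItem]:
    """Rank by the two parameters combined (probability x impact), highest first."""
    return sorted(items, key=lambda r: r.annual_loss_exposure(), reverse=True)


def evaluate_control(item: RiskItem, control: Control) -> Tuple[float, float, float]:
    """Return (annual saving, net benefit after control cost, residual annual loss exposure)."""
    before = item.annual_loss_exposure()
    residual = control.residual_probability * item.exposure   # residual risk
    saving = before - residual
    return saving, saving - control.annual_cost, residual


def decide(item: RiskItem, control: Control, acceptable_annual_loss: float) -> Dict[str, object]:
    """Adopt the control when the loss it avoids exceeds its cost (the control's premium
    compared with the possible value of loss), then test what remains against the
    risk acceptability level; a rejected control leaves the full exposure in place."""
    saving, net, residual = evaluate_control(item, control)
    adopt = net > 0
    remaining = residual if adopt else item.annual_loss_exposure()
    return {
        "adopt": adopt,
        "net_benefit": round(net, 2),
        "residual_ale": round(remaining, 2),
        "residual_acceptable": remaining <= acceptable_annual_loss,
    }


# Constructed risk register (invented figures for illustration only)
REGISTER = [
    RiskItem("Billing DB server", "Disk failure", 0.20, 50_000.0),
    RiskItem("Billing DB server", "Malicious code", 0.50, 30_000.0),
    RiskItem("Web portal", "Denial of service", 2.00, 5_000.0),
    RiskItem("Data centre", "Power loss", 4.00, 1_500.0),
    RiskItem("Data centre", "Natural disaster", 0.01, 800_000.0),
]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.annual_loss_exposure():>10,.2f}  {r.component} / {r.threat}")
    print(decide(REGISTER[1], Control("Anti-malware suite", 4_000.0, 0.10), 5_000.0))
    print(decide(REGISTER[3], Control("UPS", 7_000.0, 0.50), 5_000.0))
```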
- Insurance
- Outsourcing
- Service Level Agreements
***
06 BUSINESS CONTINUITY PLANNING
& DISASTER RECOVERY PLANNING
1. Business Continuity Planning refers to the plans to avoid crisis & disasters, and in case
crisis & disasters occur, then, it defines plans for immediate recovery from these. It defines
steps, plans & procedure for continuance of business activities irrespective of any situation.
BCP is a plan for running the business under stressful & time-compressed conditions.
Objectives of BCLC:
The above resources are assigned based on following Business Continuity Life Cycle
assessment: (Components of BCLC)
- Risk Assessment
- Determination of Recovery Alternatives
- Recovery Plan Implementation
- Recovery Plan Validation
2. Objectives of BCP
‘Objectives’ are used for ‘long-term aim’ & ‘Goals’ are used for ‘short-term aim’
Objectives:
Goals:
3. Developing BCP
Phases of BCP:
- Design & develop BCP Plan: two aims: business recovery & technical recovery
- Testing: ensure recovery procedures are complete & workable; adequate competence
of personnel; availability of resources; workability of manual procedures; proper training
of BCP programmes
- Implementation: implement selected plan; define periodic test schedules; define test
approaches; identify test types with procedure to conduct tests; analyze test results;
modify plans as per maintenance program
4. Business Impact Analysis is a means of systematically assessing the potential impacts
resulting from various events or incidents. A critical step in a sensible BCP is to consider &
analyze the potential impact of each type of problem. This is called BIA.
Purpose:
Tasks:
Back-up Plan: decide what back-up to be maintained; resources to be considered for back-
up. Intended to restore operations quickly so that IS functions can continue to serve an
organization.
Recovery Plan: explains steps to be taken to recover immediately from disaster; decide
which applications to be recovered first. Sets out procedures to restore full IS capabilities.
Test Plan: frequently test to check whether all plans are properly functioning. Purpose is to
identify deficiencies in emergency, back-up or recovery plans.
6. Threats Management
Potential Threats:
- Human errors
- Equipment failures
- Electricity/ communication outages
- Natural disasters
- Virus attack/ hacking
- Outsourcing
Single Point of Failure Analysis: a particular failure may disrupt entire services in
organization.
It is a framework that governs technical choice & delivery processes with cyclic checkpoints
during the project life cycle.
Objectives:
Identify IT risks
Determine level of risks
Identify risk factors
Develop risk mitigation strategies
Benefits:
- Identifies, quantifies & manages risk while listing out future suggestions for improvement in
technical delivery
- Governs technical choice & delivery process
- Interpretation & communication of potential risk impact
- Implementation of strict disciplines for active risk management
8. Software & Data Back-Up Techniques
Full back-up:
- Restores all back-up files at one stretch
- Contains every file
- Requires huge space & consumes lot of time
Differential back-up:
- Contains all files that have changed since last back-up
- Faster & economical
- 2-step operation
Incremental back-up:
- Only those files are saved that are modified since last full/ differential back-up
- Difficult to restore
Mirror back-up:
- Used to create exact copy of back-up data
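An added example (not from the notes) that simulates the four back-up types over a constructed four-day change history and shows what each restore needs: one set for a full or mirror back-up, full plus latest differential (the 2-step operation), or full plus every incremental in order, which is why incremental is harder to restore. It uses the usual definitions: a differential holds everything changed since the last full back-up, an incremental only what changed since the previous back-up of any kind.

```python
"""Back-up types and what a restore needs (added example; the change history is constructed)."""
from typing import Dict, List, Tuple

Files = Dict[str, int]                 # file name -> content version
BackupSet = Tuple[int, str, Files]     # (day, kind, files captured)

# Constructed change history: on each day these files receive a new version
HISTORY: List[Tuple[int, Files]] = [
    (0, {"ledger.db": 1, "config.ini": 1, "report.pdf": 1, "notes.txt": 1}),
    (1, {"ledger.db": 2}),
    (2, {"ledger.db": 3, "notes.txt": 2}),
    (3, {"config.ini": 2}),
]


def take_backups(history: List[Tuple[int, Files]], policy: str) -> List[BackupSet]:
    """Day 0 is always a full back-up; later days use `policy`
    ('full', 'differential', 'incremental' or 'mirror')."""
    current: Files = {}
    since_full: Files = {}      # changes since the last full back-up
    since_last: Files = {}      # changes since the last back-up of any kind
    backups: List[BackupSet] = []
    for day, changes in history:
        current.update(changes)
        since_full.update(changes)
        since_last.update(changes)
        kind = "full" if day == 0 else policy
        if kind in ("full", "mirror"):
            files = dict(current)            # every file (mirror: exact copy of the data)
            if kind == "full":
                since_full, since_last = {}, {}
        elif kind == "differential":
            files = dict(since_full)         # everything changed since the last full
            since_last = {}
        elif kind == "incremental":
            files = dict(since_last)         # only what changed since the previous back-up
            since_last = {}
        else:
            raise ValueError(f"unknown policy {policy!r}")
        backups.append((day, kind, files))
    return backups


def storage_cost(backups: List[BackupSet]) -> int:
    """Number of file copies kept on media: a proxy for the space & time consumed."""
    return sum(len(files) for _, _, files in backups)


def restore(backups: List[BackupSet], as_of_day: int) -> Tuple[List[Tuple[int, str]], Files]:
    """Rebuild the data as of `as_of_day`: returns (sets applied in order, files)."""
    usable = [b for b in backups if b[0] <= as_of_day]
    latest = usable[-1]
    last_full = max(i for i, b in enumerate(usable) if b[1] == "full")
    if latest[1] in ("full", "mirror"):
        chain = [latest]                       # one step
    elif latest[1] == "differential":
        chain = [usable[last_full], latest]    # 2-step operation
    else:
        chain = usable[last_full:]             # full plus every incremental, in order
    files: Files = {}
    for _, _, captured in chain:
        files.update(captured)
    return [(day, kind) for day, kind, _ in chain], files


if __name__ == "__main__":
    for policy in ("full", "differential", "incremental", "mirror"):
        sets = take_backups(HISTORY, policy)
        chain, _ = restore(sets, 3)
        print(f"{policy:<12} copies stored={storage_cost(sets):>2}  restore applies {chain}")
```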
Cold Site: maintains critical equipment & resources in duplicate form at some off-site
location. In case of disaster, these resources & equipment operate from the off-site location.
Low-cost, but does not provide 100% downtime elimination
Hot Site: maintains critical equipments & resources in synchronized form at some off-site
location. Most expensive, but nil downtime.
Warm Site: between hot & cold sites. Better than cold, worse than hot sites.
10. Issues to be considered when deciding to outsource a third party site for alternate back-up &
recovery process:
11. Back-Up Redundancy
Off-site back-up: maintain at least one back-up at different location (if the back-up is
maintained at working location itself, it is active back-up)
Media rotation: rotate active back-up with off-site back-up to update off-site back-up with
latest values
- Speed
- Reliability
- Capacity
- Extensibility
- Cost
- Flexibility
Back-up Tips:
DRP is a document which includes all the procedures to be followed to recover from
disasters
Includes:
- Emergency plan
- Recovery plan
- Back-up plan
- Test plan
- Insurance
14. Insurance
Considered to spread the cost & risk of loss from an individual to a large number of people
Types of Insurances:
- Hypothetical test: paper test where verification of all procedures & actions specified in
recovery plan are conducted
- Component test: used to verify details & accuracy of individual procedures within
recovery plan
- Full test: used to verify that multiple modules will recover immediately from any
disaster. Main objective is to ensure that: 1) total time for recovery meets set time
objective & 2) recovery plan is efficient & can be performed without obstacle
16. Audit Tools & Techniques For DRP
The best audit tool & technique is a Periodic Simulation of a disaster. Other audit tools &
techniques would include:
Observations
Interviews
Checklists
Meetings
Questionnaires
Documentation review
Inquiries
Automated tools
Internal control auditing
Disaster & security check-list
Penetration Testing (used to locate specific vulnerabilities & threats)
Steps:
***
07 AN OVERVIEW OF ERP
1. Introduction
ERP is a solution to overall business problems. It is an attempt to integrate the five major
resources of an organization, i.e. Man, Material, Money, Machine & Market
It involves managing a large volume of data, number of users & multiple system
components
It attempts to integrate all functions & resources to make business more effective.
2. Definition
ERP is “Software solution that addresses the need of the enterprise by tightly integrating all
functions of an enterprise.”
ERP is reengineering of the current business practices for more efficient & accurate
functioning. It is a mix of software tools enabled with newly designed, well-planned
business practices.
4. Evolution of ERP
Aggressive cost-cutting
Cost/ Revenue Analysis
Flexibility to respond quickly to enhancing requirements
Better-informed decision-making
To assist businesses in their needs, following IS were introduced:
The above IS lacked integration. Then,
MRP was further extended to include vendors, suppliers etc. through LAN & WAN. This was
known as:
Server: stores data, maintains integrity & consistency & processes user requests from
client desktops
Middleware: contains all application logic & rules, does validation checks
To facilitate online transactions, other important enabling technologies for ERP systems are:
Workflow,
Work group,
Electronic Data Interchange,
Internet & Intranet; and
Data warehousing.
7. Ideals/ pre-requisites of ERP
8. Characteristics of ERP
Flexibility
Open-system architecture
Comprehensive
On-line connectivity to other business entities
Collection of best business practices
9. Features of ERP
Cross-functional
Multi-faceted
Comprehensive
Supports business process integration
Provides end-to-end supply chain management solutions
Provides customer relations management solutions
Bridges information gap across organization
Inter-group system integration
Automatic use of latest technologies like EFT, EDI, Data Warehousing & E-commerce
Provides intelligent business tools
Tangible Benefits
Intangible Benefits
Business Process Re-Engineering
11. Definition
BPR is the fundamental rethinking, radical redesign and reinventing of business processes
to achieve dramatic improvement in terms of cost, quality, service and speed.
Business Engineering is the merger of two concepts. It combines the innovation of information
technology with BPR to focus on better business processes. The main thrust of business
engineering lies in far-reaching, best-procedure-based and process-oriented solutions, which
have been greatly enhanced by client / server computing.
The basic objective of implementing ERP is to put in place the application and infrastructure
that support organization’s business plans & processes in the best possible manner. Thus,
BPR is mandatory for successful ERP implementation.
17. Business Modeling
The first step in ERP implementation is to carry out BPR by development of business
process model showing business processes as one large system with interconnection and
sequence of business subsystems and processes. This development of business process
model for present and required business process is known as Business Modeling.
Business modeling is not a mathematical model, but the representation of business as one
large system with interconnection and sequence of business subsystems and processes.
Business modeling is the portrayal of a business as one large system based on business
strategy & objectives, showing the inter-connection & sequence of business sub-systems or
processes that drive it.
It is kind of diagrammatical and tabular representation of various business processes in an
interconnected manner with their underlying data models.
First, an existing business model is prepared and, based on that, another business model
representing the required business processes is prepared.
Criteria for evaluation of ERP packages
Flexibility
Comprehensive
User-specific
Integral
Beyond the company
Best business practices
Technological updations
24. Expectations
An improvement in processes
Increased productivity on all fronts
Total automation & disbanding of all manual processes
Improvement of all Key Performance Indicators (KPI)
Elimination of all manual records
Availability of real time information systems
Total integration of all operations
25. Fears
Organizations should prepare a list of Critical Success Factors (CSF) & their corresponding
KPIs and continuously evaluate the processes against KPI
CSF is a process name which is critical to the successful working of the organization. Some
general CSF are:
- Customer complaint response time
- Labour productivity
- Quality of product
- Consumption of resources
All these CSF have some sort of KPI, i.e. can be quantified in a value known as KPI, which is a
continuously changing value.
Both CSF and their corresponding KPI are defined through BPR.
Changing CSF due to changing business environment & corresponding new KPI which
require change in processes
BAAN
MFG / Pro
ORACLE
SAP R/3
JD Edwards
SAP AG has developed an ERP package called “SAP R/3”. It is the most popular package and
considers the entire business as a single entity. It is a unique system that supports nearly all
areas of business on a global scale.
SAP has a number of application modules in the package. Some of these are:
Financials
Cost control
Investment management
Treasury management
Integrated enterprise management
Product data management
Sales & distribution
Production, planning & control
Materials management
Human resource management
To facilitate E-com, IT departments should build 2 new channels of access into ERP systems:
Enterprise controlling is the SAP module used to consolidate financial statements including
elimination of inter company transactions
EC-CS: Used for financial, statutory and management consolidation. Allows fully automated
consolidation of investments.
EC-PCA: Allows working with internal transfer prices and provides profit-centre and enterprise
perspectives in parallel. Provides management with a consistent flow of external and internal
financial management reports
EC-EIS: Allows financial data to combine with external data such as market data, industry
benchmarks and non SAP applications
***
08 INFORMATION SYSTEMS AUDIT
STANDARDS & GUIDELINES
1. IS Audit Standards provide audit professionals a clear idea of the minimum level of
acceptable performance essential to discharge their responsibilities effectively.
The technical competencies & skills of IT professionals are assessed against these IS Audit
Standards & practices.
IS AUDITING STANDARDS include:
- BS 7799
- CMM
- COBIT
- COSO
- CoCo
- ITIL
- SysTrust & WebTrust
- HIPAA
- SAS 70
2. BS 7799 (1998)
Components
Benefits:
Checks:
3. Information Security Management Standard (ISMS)
General Specifications:
- Protection of assets
- Risk management approach
- Control objectives
- Suitable degree of assurance
- Verification procedures
- Implementation procedures
Documentation:
- Management control
- Management framework summary
- Procedure adopted to implement control
- ISMS management procedure
Document control:
- Ready availability
- Periodic review
- Maintain version control
- Preservation for legal purpose
4. Ten focus areas of ISMS
1) Security Policy
This activity involves a thorough understanding of the organization's business goals & its
dependence on information security. This is an extremely important task & should convey
total commitment to top management. It should cover:
‡ A definition of IS
‡ Allocation of responsibilities
‡ Explanation of reporting process
‡ Defined review process
‡ Nomination of policy owner
Detailed control & objectives are:
‡ To provide direction & support for IS
‡ To manage IS infrastructure
‡ To maintain security of information assets accessed by third parties
‡ To maintain IS when responsibility of information processing is outsourced
2) Organizational Security
Needs proper procedures for approval of the IS policy, assigning of the security roles &
coordination of security across organization.
Detailed control & objectives are:
‡ To manage IS infrastructure within the organization
‡ To maintain security of information assets accessed by third parties
‡ To maintain IS when responsibility of information processing is outsourced
4) Personnel Security
Detailed control & objectives are:
‡ To reduce risk of human error/ misuse of facilities
‡ To ensure that users are aware of IS threats & concerns
‡ To minimize damage from security incidents & malfunctions & monitor them
Involves determining physical security parameter, physical entry control, creating secure
offices, providing protection devices. COST EFFECTIVE DESIGN and CONSTANT
MONITORING are 2 key aspects to maintain adequate security control.
Properly documented procedures for management & operation of all information processing
facilities should be established. External exchange of information should be controlled.
Controls should be applied to protect E-com transactions from any threats.
Detailed control & objectives are:
‡ To ensure correct operational procedures & responsibilities
‡ To minimize risk of system failure
‡ To protect integrity of software & information
‡ To prevent damage to assets
7) Access Control
Access to information and business processes should be controlled on the basis of business and
security requirements. This will include defining access control policy, rules and monitoring
system access & use, and ensuring information security when using mobile computing and
tele-working facilities.
Detailed control & objectives are:
‡ Business requirement for access control to control access to information
‡ User access management to prevent unauthorized access to Information System
‡ User responsibilities to prevent unauthorized user access
‡ Network access control to protect networked services
‡ Operating system access control to prevent unauthorized computer access
‡ Application access control to prevent unauthorized access to information held in
Information System
‡ Monitoring system access and use to detect unauthorized activities
‡ Mobile computing and tele-working to ensure information security when using mobile
computing & tele-working facilities
8) Systems Development & Maintenance
10) Compliance
Basic Terms:
- Process is a set of activities, methods that people use to develop & maintain software &
the associated products
- Capability describes the range of expected results that can be achieved by following
process
- Performance represents the actual results achieved by following a software process
Level-1 Features:
Level-2 Features:
policies for managing a software project & procedures to implement those policies are
established
policies guide projects in establishing management processes
capability is enhanced by establishing basic process management
software process capability is disciplined
basic software management control exist
software project standards are defined & faithfully followed
Level-3 Features:
Level-4 Features:
Level-5 Features:
6. COBIT
- Quality requirements
- Fiduciary requirements
- Security requirements
Key Aspects of COBIT:
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
- IT Resources (5 classifications)
Data
Application Systems
Technologies
Facility
People
Planning & Organization: covers strategy & tactics & concerns the identification of
the way IT can best contribute to the achievement of business objectives.
Acquisition & Implementation: to realize the IT strategy, IT solutions should be
identified, developed or acquired as well as implemented & integrated into business
practices
Delivery & Support: concerned with actual delivery of required services, which
range from traditional operations & continuity aspects to training
Monitoring & Evaluation: domain addresses management’s supervision of the
organization’s control process & independent assurance provided by internal &
external audit
7. COSO Framework
8. CoCo
CoCo is a guidance matter, useful in making judgements about designing, assessing &
reporting on the control systems
Concerned with pro-active & forward-looking services that the business requires of its ICT
provider, in order to provide adequate support to the business users.
Components:
Focuses on the user of ICT services and is primarily concerned with ensuring that they
have access to the appropriate services to support the business functions.
Components:
‡ Incident management
‡ Problem management
‡ Configuration management (to track all individual components in a system)
‡ Change management
‡ Release management (to plan roll-out of software)
Book 03: ICT Infrastructure Management
Recommends best practice for requirements analysis, planning, design, deployment &
ongoing operations management & technical support of an ICT infrastructure {ICT =
Information & Communications Technology}
‡ Confidentiality
‡ Integrity
‡ Availability
‡ Privacy
‡ Anonymity
‡ Verifiability
Book 05: The Business Perspective
Collection of best practices that is suggested to address some of the issues often
encountered in understanding & improving IT service provision.
Encompasses a set of best practices proposed to improve the overall quality of IT software
development and support through life-cycle of the software development projects, with
specific attention to gathering & defining requirements that meet business objectives
Book 07: Software Asset Management
Two specific services developed based on trust services principles & criteria
Scope:
Areas:
11. “The Health Insurance Portability & Accountability Act (HIPAA)” (1996)
(A US Federal Act)
3 types of security safeguards:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
Administrative Safeguards:
Adopt a written set of privacy procedures & designate a Privacy Officer responsible for
implementing all required procedures
Identify employees having access to Protected Health Information
Have an appropriate training program
Have a contingency plan for responding to emergencies
Have internal audit system
Document instructions for responding to security breaches
Physical Safeguards:
Technical Safeguards:
Type-I Report:
Type-II Report:
Features:
13. IIA is an international professional association that provides dynamic leadership for the global
profession of internal auditing. It issued Global Technology Audit Guide which provides
management of organizations with information on technology management, control and
security and Information Systems Auditors with guidance on different technology associated
risks and recommended practices. Following are the GTAG developed by the IIA
***
09 IS SECURITY POLICY, AUDIT POLICY
AND IS AUDIT REPORTING
The protection of the interest of those relying on the information and information system
and communications that delivers the information, from harms, failures of availability, loss of
confidentiality and integrity.
Smooth functioning
Increased dependence of organizations on information
Information spread geographically and accessed through networks, which are vulnerable
Organizations depend upon timely, complete, reliable and valid information
IS are increasingly, coming under threats from internal and external sources
Security failure may result in both financial and intangible losses
4. Sensitivity of information
Strategic Plans: They are very crucial for success of organization and it is required that
these plans should be well protected
6. Purpose and Scope of Information Security Policy
Purpose is to define what the organization is trying to accomplish through the security policy
for its IS and its information
Value of information
Place of critical data (How information is placed)
Type of storage media
Hardcopy output of information
Access to information (Who all should be provided access)
Accountability
Awareness
Multidisciplinary
Cost efficient
Integration
Reassessment
Timeliness
Societal factors
Preventive Protection: This is based on the use of security controls of three types, i.e. physical
controls, logical controls and administrative controls.
11. Holistic Protection: Protection should be done holistically so that it gives the business an
appropriate level of security at a cost acceptable to the business.
12. Methods of implementing Information Security
Security Policy: The security policy sets the acceptable norms for information access and also
sets out the organization's response when such norms are violated.
A good security policy should provide for procedures and policies that can prevent losses
and also help in increasing productivity. The main aim of the policy should be to recognize
the value of, and the dependence on, the information of the organization
Policy Development: The security policy must be developed on the basis of security
objective and core principles of information security. The security policy so developed
should also support and complement the existing organization policy.
Roles & Responsibilities: For security to be effective, it is necessary that individual roles,
responsibilities and authorities are clearly defined, communicated and understood by all.
Design: Design consists of the standards, measures, practices and procedures within which systems
and individuals function and are maintained. The system should be designed based on the needs of
the organization.
- Managerial controls
- Identification and authentication controls
- Logical access controls
- Accountability controls
- Cryptographic controls
- SDLC controls
- Physical environment controls
- Computer support and operational controls
- Business continuity & planning controls
Awareness Training & Education: All employees should be aware of the security policies and their
importance. Regular training programs are needed in this regard. Achieving security objectives is
not a one-time implementation but an ongoing mission.
The security policy is a set of laws, rules and practices that regulate how assets and information
are managed, protected and distributed within the organization. A policy addresses many issues
related to information, such as disclosure, integrity and availability.
An information security policy discusses the following in detail:
Issues to address
- Business requirements
- Legal, statutory & regulatory requirements
User Security Policy sets out the responsibilities and requirements from the users of the
information system
Acceptable Usage Policy defines the rules for email and internet services
Organizational Information Security Policy defines the group of policies for security of
the information and information systems
Network & System Security Policy defines rules for network & Data communication
systems
Conditions of Connection define the rules for access of network and it specifies the
conditions to be satisfied for connecting to different networks
System development and maintenance controls
Network and data communication controls
Business continuity planning
Security incident response and reporting mechanisms
20. Business Continuity Management v/s. System Development & Maintenance Controls
Compliance testing: the IS policy should outline the compliance testing areas:
- Safeguarding of IS assets
- Maintenance of data integrity
- Maintenance of system effectiveness
23. Scope of IT Audit
Audit policy should determine when & to whom audit results should be reported. It should
define access rights to be given to auditors & must include:
- Record of internal controls related to IS
- Copies of previous audit report
- Copies of management letters issued by auditors
Planning documents:
- Knowing available resources
- Knowing the audience
- Knowing scope of work
Finalizing documents:
- Thoroughly tested & revised documents
- Proper glossary & index
- Proper format
***
126
10 INFORMATION TECHNOLOGY
(AMENDED) ACT, 2008
1. Objectives of the Act
To grant legal recognition to transactions carried out by means of EDI & other means of electronic
communication, commonly referred to as “electronic commerce”, in place of paper-based methods of
communication
To give legal recognition to digital signatures for authentication of any information or matter
which requires authentication under any law
To facilitate electronic filing of documents with government departments
To facilitate electronic storage of data
To facilitate & give legal sanctions to EFT between banks & financial institutions
To give legal recognition for keeping of books of accounts by bankers in electronic form
To amend the following:
- Indian Penal Code
- Indian Evidence Act, 1872
- Banker’s Book Evidence Act, 1891
- Reserve Bank of India Act, 1934
The Act extends to the whole of India, unless otherwise provided in the Act. It also applies to any
offence or contravention thereunder committed outside India.
3. Definitions
Access means gaining entry into, instructing or communicating with the logical, arithmetical
or memory function resources of a computer, computer system or computer network
Asymmetric Crypto System means a system of a secure key pair consisting of a private key for
creating a digital signature and a public key to verify the digital signature
Communication Device means cell phones, PDA or any other device used to
communicate, send or transmit any text, video, image
Computer source code means the listing of programmes, computer commands, design
and layout and program analysis of computer resource in any form
Computer contaminant means any set of computer instructions that are designed –
Cyber Cafe means any facility from where access to the internet is offered by any person in the
ordinary course of business to members of the public
Cyber Security means protecting information, equipment, devices & information stored
therein from unauthorized access, use, disclosure, modification or destruction
Function includes logic, control, arithmetic process, deletion, storage & retrieval from or
within a computer
Information includes data, message, text, images, sound or computer-generated microfiche
Key Pair means a private key & the corresponding mathematically related public key
Hash Function
Hacking is a term used to describe the act of destroying, deleting or altering any information
residing in a computer resource, or diminishing its value or utility, or affecting it injuriously,
knowing that such action is likely to cause wrongful loss or damage to the public or to that person.
Private Key means the key of a key pair used to create a digital signature
Public Key means the key of a key pair used to verify a digital signature
Secure System means computer system which is secured from unauthorized access &
misuse
Traffic data means any data identifying or purporting to identify any person, computer
system or computer network or location to or from which the communication is or may be
transmitted and includes communications origin, destination, route, time, date, size,
duration or type of underlying service or any other information.
4. Digital Signature
A digital signature is created in 2 steps. First, the e-record is converted into a message digest
by using a hash function, which digitally freezes the electronic record, thus ensuring the
integrity of the content of the intended communication.
Secondly, the identity of the person affixing the digital signature is authenticated through the
private key, which attaches itself to the message digest & which can be verified by anybody who
has the public key corresponding to that private key.
5. E-Governance
E-Gov. is filing of any form, application or other document with govt. dept. in e-form &
similarly grants of any license or permit from govt. offices, also in e-form.
Low cost, efficient & transparent working
Rules for making E-Gov. possible:
- Provide legal recognition for E-records
- Provide legal recognition for digital signatures
- Provide for filing of any form, application or other document with govt. dept. in e-form &
similarly grant of any license or permit from govt. offices, also in e-form
- Specify ways for retaining e-documents
- Mandate manual filing of forms in govt. depts. in addition to e-forms in case of violation of
rights
This chapter provides the manner in which acknowledgement of receipt & dispatch of electronic
records shall be made, and the manner in which the time & place of dispatch & receipt of electronic
records sent by the sender shall be identified.
The signature creation / authentication data is linked to the signatory/ authenticator & to no
one else
The signature creation / authentication data was, at the time of signing, under the control of
the signatory/ authenticator & of no one else
Any alteration to the e-sign made after affixing such signature is detectable
Any alteration made to the information after its authentication is detectable
9. Section 5 provides for the legal recognition of digital signatures. Where any law requires that
any information or matter should be authenticated by affixing the signature of any person, then
such requirement shall be satisfied if it is authenticated by means of digital signatures affixed in
such manner as may be prescribed by the central government
Details which will facilitate identification of origin, destination, dates & time of dispatch/
receipt of such e-record are available
11. The Central Government may, for the purposes of this act, by rules, prescribe U/s. 10
Where the originator has not stipulated that the acknowledgement of receipt of electronic
record be given in a particular form or manner, then an acknowledgement may be given by
any communication or any action of the addressee.
‡ The signature creation data, at the time of affixing the signature, was under the exclusive
control of the signatory and no other person; and
‡ The signature creation data was stored and affixed in such exclusive manner as may be
prescribed
15. The Central Government may, by Notification in the Official Gazette, appoint a Controller of
Certifying Authorities for the purposes of this Act. The Controller shall discharge his functions
under this Act subject to the general control and directions of the Central Government. (U/s. 17)
16. Functions of the Controller U/s. 18
‡ Exercising supervision over the activities; Certifying public keys; specifying the conditions
with regard to conduct of business and laying down standards to be maintained by the
certifying authorities
‡ Specifying the content of materials and advertisements that may be distributed or used with
respect to and specifying the form and content of an electronic signature certificate
‡ Maintaining the database containing the disclosure record of every certifying authority
containing prescribed disclosures
17. Section 19 provides for the power of the controller with the previous approval of the Central
Government to grant recognition to foreign certifying authorities subject to such conditions and
restrictions as may be imposed by regulations.
18. Section 21 provides that the license to be issued to a certifying authority to issue Digital
Signature Certificates by the Controller shall be in such form and shall be accompanied with
such fees and documents as may be prescribed by the Central Government. Further, the
controller may either grant the license or reject the application after giving reasonable
opportunity of being heard.
A license granted under this section shall be valid for such period as may be prescribed; not be
transferable or heritable and be subject to such terms & conditions as may be prescribed.
19. Section 22 provides that the application for a license shall be accompanied by a certification
practice statement and a statement including the procedure with respect to identification of the
applicant. It shall further be accompanied by a fee not exceeding Rs. 25000/- and such other
documents as may be prescribed by the Central Government
20. Section 23 provides that the application for renewal of a license shall be in such form and
accompanied by such fees not exceeding Rs. 5000/- which may be prescribed by the Central
Government.
21. Section 24 deals with the procedure for grant or rejection of license by the controller on certain
grounds. No application shall be rejected under this section unless the applicant has been given
a reasonable opportunity of presenting his case
22. Section 25 provides that the controller may revoke a license on grounds such as incorrect or
false material particulars being mentioned in the application and also on the ground of
contravention of any provisions of this act. No license shall be revoked unless a reasonable
opportunity has been given against the proposed suspension.
23. Section 26 provides that the controller shall publish notice of suspension or revocation in the
database maintained by him.
24. U/s. 27, the controller may, in writing, authorize the deputy controller, assistant controller or
any officer to exercise any of the powers of the controller under section 18
25. U/s. 28, the controller or any officer authorized by him in this behalf shall take up investigation
of any contravention of the provisions of this act, rules or regulations made thereunder.
26. U/s. 29, the controller or any person authorized by him shall, if he has reasonable cause to
suspect that any contravention of the provisions of this chapter or of the rules or regulations made
thereunder has been committed, have access to any computer system, any apparatus, data or any other
material connected with such system, for the purpose of searching or causing a search to be made for
obtaining any information or data contained in or available to such computer system.
27. Section 30 prescribes the duties the certifying authority shall follow in respect of digital
signatures. Certifying authorities shall
‡ Make use of hardware, software and procedures that are secure from intrusion and misuse;
‡ Provide a reasonable level of reliability in its services, which are reasonably suited to the
performance of intended functions
‡ Adhere to security procedures to ensure that secrecy and privacy of the electronic signature
are assured
‡ Observe such other standards as may be specified
28. U/s. 31, every certifying authority shall ensure that every person employed or otherwise
engaged by it complies with the provisions of this act
29. U/s. 32, every certifying authority shall display its license at a conspicuous place at the
premises in which it carries on its business
30. U/s. 33, every certifying authority whose license is suspended or revoked shall immediately
after such suspension or revocation, surrender the license to the controller
31. U/s. 34, every certifying authority shall make disclosures in the manner specified in the regulations
32. Section 35 lays down the procedure for issuance of the digital signature certification. It
provides that an application for such certificate shall be made in the prescribed form and shall
be accompanied by a fee not exceeding Rs. 25000/-. The fee shall be prescribed by the
Central Government and different fees may be prescribed for different classes of applicants.
The section also provides that no digital signature certificate shall be granted unless the
certifying authority is satisfied that
‡ The applicant holds the private key corresponding to the public key to be listed in the digital
signature certificate
‡ The applicant holds a private key, which is capable of creating a digital signature
‡ The public key to be listed in the certificate can be used to verify a digital signature in such
form as may be prescribed by the Central Government
33. Section 36 requires that while issuing a digital signature certificate, the certifying authority
should certify that it has complied with the provisions of the act, the rules and regulations made
thereunder and also with other conditions mentioned in the digital signature certificate
34. Section 37 states that the certifying authority may suspend such certificate if it is of the opinion
that such a step needs to be taken in public interest. Such certificate shall not be suspended
for a period exceeding 15 days unless the subscriber has been given an opportunity of being
heard.
35. Section 38 provides for revocation of the digital signature certificate under the following
circumstances. Such revocation shall not be done unless the subscriber has been given a
reasonable opportunity of being heard. The conditions are:
36. Where a digital signature certificate is suspended U/s. 37 or revoked U/s. 38, the certifying
authority shall publish a notice of such suspension or revocation, as the case may be, in the
repository specified in the digital signature certificate for publication of such notice U/s. 39
37. Where any digital signature certificate, the Public Key of which corresponds to the Private Key
of that subscriber which is to be listed in the digital signature certificate has been accepted by
the subscriber, the subscriber shall generate that key pair by applying the security procedure
[Section 40]
38. In respect of electronic signature certificate, the subscriber shall perform such duties as may
be prescribed [Section 40A]
39. A subscriber shall be deemed to have accepted a digital signature certificate if he publishes or
authorizes the publication of the digital signature certificate to one or more persons or in a
repository, or otherwise demonstrates his approval of the digital signature certificate in any manner
[Section 41]
40. Every subscriber shall exercise reasonable care to retain control of the Private Key
corresponding to the Public Key listed in his digital signature certificate and take all steps to
prevent its disclosure; if it has been compromised, the subscriber shall communicate the same
without any delay to the certifying authority in the prescribed manner. [Section 42]
If any person without permission of the owner or any other person who is in charge of a
computer, computer system or computer network -
Where a body corporate, processing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to
pay damages by way of compensation to the person so affected
If any person who is required under this act or any rules made thereunder
‡ Fails to furnish any document, return or report to the controller or the certifying authority, he
shall be liable to a maximum penalty of Rs. 150000/- for each failure
‡ Fails to file any return or furnish any information, books or other documents with time
mentioned, he shall be liable to a maximum penalty of Rs. 5000/- for each day of failure
‡ Fails to maintain books of accounts or records, he shall be liable to a maximum penalty of
Rs. 10000/- for each day of failure
43. Section 45 provides for residuary penalty under this act for contraventions against which no
specific penalty is mentioned. The amount of penalty shall be a maximum of Rs. 25000/-
44. Section 46 confers the power to adjudicate contraventions under the act to an officer not
below the rank of a Director to the Central Government or an equivalent officer of the
state government. Such appointment shall be made by the Central Government.
The person to be appointed must possess adequate experience in the field of information
technology and such legal or judicial experience as may be prescribed by the Central
Government.
The adjudicating officer shall be responsible for holding an inquiry in the prescribed manner
after giving reasonable opportunity of being heard and there after, imposing penalty where
required.
45. Section 47 provides that while deciding upon the quantum of compensation, the adjudicating
officer shall have due regard to the amount of gain of unfair advantage and amount of loss
caused to any person as well as the repetitive nature of default.
46. Sections 48 & 49 provide for the establishment of one or more “Cyber Regulations Appellate
Tribunal” which shall consist of one “Presiding Officer of the Tribunal”, who shall be appointed
by the Central Government by Notification in the Official Gazette and must be qualified to be a
judge of the High Court.
47. Other members of the tribunal may be appointed by the Central Government and must be from
amongst the persons having special knowledge of, and professional experience in information
technology, telecommunication or consumer affairs. [Section 50]
48. The presiding officer or the member has a term of 5 years or up to a maximum age of 65 years.
[Section 51]
49. Section 52 provides that the salary and allowances payable to the chairperson and members
of the tribunal shall be as prescribed.
51. Section 53 provides that in the situation of any vacancy occurring in the office of the presiding
officer of the tribunal, the Central Government shall appoint another person in accordance with
the provisions of the act.
52. Section 54 provides that the chairperson or other members of the tribunal may, by notice in
writing, addressed to the Central Government, resign from his office. It shall be a three months
notice
53. A shortcoming in the constitution of the tribunal will not invalidate its proceedings [Section 55]
54. The Central Government shall provide staff for the tribunal and they shall function according to
the instructions of the presiding officer and their salaries shall be prescribed.[Section 56]
55. Any person aggrieved by the order of a controller or an adjudicating authority may prefer an
appeal to the tribunal. No appeal shall be made if the judgment has been made with the
consent of the subscriber. Appeal shall be filed within a period of 45 days from the date of the
order. On receipt of an application, the tribunal shall pass such orders as it thinks fit,
confirming, modifying or setting aside the order appealed against. The appeal shall be disposed
of within a period of 6 months [Section 57]
56. U/s. 58, the tribunal shall be bound by the principles of natural justice and shall have powers to
regulate its own procedure including the place at which it shall have its sittings. The tribunal
shall have the powers vested in a civil court and every proceeding before the tribunal shall be a
judicial proceeding
57. The appellant has the right to legal representation before the tribunal,[Section 59] and the
provisions of Limitation Act, 1963, shall as far as may be apply to an appeal made to the Cyber
Appellate Tribunal [Section 60]
58. Civil courts shall not have jurisdiction to entertain any suit in respect of which the tribunal
exercises jurisdiction [Section 61]
59. Appeal against the order of the tribunal can be filed with the High Court within 60 days from the
date of order on any question of law [Section 62]
60. Section 63 provides that any contravention under that act may be compounded by the
controller or adjudication officer, either before or after the institution of the adjudication
proceedings subject to such conditions as he may impose.
The compounding sum shall not exceed the maximum amount of penalty, and compounding shall not
apply to a person who commits the same or similar contravention within a period of three years
from the date of the first contravention
61. Section 64 provides for recovery of penalty as arrears of land revenue and for suspension of
the license or digital signature certificate till the time the penalty is paid
62. Section 65 provides for punishment with imprisonment up to three years or with a fine which may
extend to Rs. 2 lakhs, or with both, for whoever knowingly or intentionally tampers with computer
source code documents.
63. Section 66 provides that a person who commits hacking shall be punished with a fine up to
Rs. 2 lakhs or with imprisonment up to 3 years or both.
64. Section 66A deals with punishment by way of imprisonment up to a maximum of three years
for sending offensive messages through communication service. Any person who sends an
information which is offensive or has a menacing character or any information which the
sender knows to be false shall be liable to punishment U/s. 66A
65. Section 66B deals with punishment for dishonestly receiving computer resource or
communication device knowingly or having reason to believe the same to be stolen computer
resource or communication device. The punishment is imprisonment for a term up to three
years or a fine up to a maximum of Rs. 1 lakh or both
66. Section 66C provides that whoever fraudulently or dishonestly makes use of the electronic
signature, password or any other unique identification feature of any other person shall be
punished with imprisonment of a maximum of three years and fine up to Rs. 1 lakh.
67. Section 66D provides that whoever, by means of any communication device or computer
resource, cheats by personation shall be punished with imprisonment up to three years and a
fine up to Rs. 1 lakh
68. Section 66E provides that any person who intentionally or knowingly captures, publishes or
transmits the image of a private area of any person without his or her consent, under
circumstances violating the privacy of that person, shall be punished with imprisonment
up to three years and / or fine up to Rs. 2 lakhs
69. Section 66F provides for punishment of acts of cyber terrorism.
Whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to
strike terror in the people or any section of the people, by
- denying or causing the denial of access to any person authorized to access a computer
resource; or
- attempting to penetrate or access a computer resource without authorization or exceeding
authorized access; or
- introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injury to persons or damage to
or destruction of property, or disrupts or knows that it is likely to cause damage or disruption of
supplies or services essential to the life of the community, or adversely affects the critical
information infrastructure specified U/s. 70
71. Section 67 A provides punishment for publishing or transmitting of material containing sexually
explicit act, etc. in electronic form. Punishment for first conviction is imprisonment up to five
years and fine up to Rs. 10 lakh. Punishment for further convictions is imprisonment up to
seven years and fine up to Rs. 10 lakhs.
72. Section 67 B provides punishment for publishing or transmitting material depicting children in
explicit act, etc. in electronic form. Punishment for first conviction is imprisonment up to five
years and fine up to Rs. 10 lakh. Punishment for further convictions is imprisonment up to
seven years and fine up to Rs. 10 lakhs.
73. Section 67 C relates to preservation and retention of records by intermediaries:
Intermediary shall preserve and retain such information as may be specified for such
duration and in such manner and format as the Central Government may prescribe
Contravention shall lead to imprisonment up to three years and also fine
74. Section 68 provides that the controller may give directions to a certifying authority or any
employee of such authority to take such measures or cease carrying on such activities as
specified in the order, so as to ensure compliance with this law. If any person fails to comply,
he shall be liable to imprisonment up to 3 years or fine up to Rs. 2 lakhs or both
75. Section 69 A empowers the Central Government or any of its officers, if satisfied that it is
necessary or expedient to do so in the interest of the sovereignty and integrity of India, the
security of the state, friendly relations with foreign states or public order, to direct, by order in
writing, any government agency to block access by the public, or cause to be blocked for access by
the public, any information generated, transmitted, received, stored or hosted in any computer
resource. Contravention shall lead to imprisonment up to seven years and also fine
76. Section 69 B gives power to Central Government to authorize to monitor and collect traffic
data or information through any computer resource for cyber security. The Central Government
may, to enhance cyber security and for identification, analysis and prevention of any intrusion
or spread of computer contaminant in the country, by Notification in the Official Gazette,
authorize any agency of the government to monitor and collect traffic data or information
generated, transmitted received or stored in any computer resource
77. Section 70 empowers the appropriate government to declare by notification, any computer, or
computer system or computer network to be a protected system. Any unauthorized access of
such systems will be punishable with imprisonment which may extend to ten years or with fine.
78. U/s. 70 A, the Central Government may, by Notification in the Official Gazette, designate any
organization of the government as the national nodal agency in respect of critical information
infrastructure protection.
79. U/s. 70 B, the Central Government shall, by Notification in the Official Gazette, appoint an
agency of the government to be called the Indian Computer Emergency Response Team and
shall provide the agency with a Director General and such other officers and employees.
It shall perform the following functions in the area of cyber security
80. Section 71 provides that any person found misrepresenting or suppressing any material fact
from the controller or the certifying authority shall be punished with imprisonment extending up
to two years or fine up to Rs. 1 lakh
81. Section 72 provides a punishment for breach of confidentiality and privacy of electronic
records, books, information, etc. by a person who has access to them without the consent of
the person to whom they belong with imprisonment up to two years or fine up to Rs. 1 lakh or
both
82. Section 72 A provides that any person, including an intermediary, who, while providing services
under the terms of a lawful contract, has secured access to any material containing personal
information about another person and, with the intent to cause or knowing that he is likely to cause
wrongful loss or wrongful gain, discloses it without the consent of the person concerned or in
breach of a lawful contract, shall be imprisoned up to three years and fined up to Rs. 5 lakhs
83. Section 73 provides punishment for publishing a digital signature certificate false in material
particulars or otherwise making it available to any person with imprisonment for a term which
may extend to two years and / or fine up to Rs. 5 lakhs
84. Section 74 provides punishment for knowingly publishing a digital signature certificate for
fraudulent purposes with imprisonment for a term which may extend to two years and / or fine
up to Rs. 1 lakh
85. Section 75 provides punishment for commission of any offence/ contravention by a person
outside India (irrespective of nationality) if the offence involves a computer, computer system
or computer network located in India
86. Section 76 provides for confiscation of any computer (system), storage devices or other
accessories related thereto in respect of contravention of any provision of this act
87. Section 77 provides that no provisions of this act shall prevent award of compensation or
imposition of penalty or punishment under any other law in force
88. Section 77A provides that a court may compound offences subject to following:
90. Section 78 provides for power to investigate the offences under this act by a police officer not
below the rank of deputy superintendent of police
91. Section 79 provides that a network service provider shall not be liable for any third party
information or data made available by him if he proves that the offence was committed
without his knowledge or consent
92. Section 79 A provides that the Central Government may, for the purposes of providing expert
opinion on electronic form evidence before any court or other authority specify, by notification
in the official gazette, any department, body or agency of the Central Government or a state
government as an examiner of electronic evidence
93. Section 80 provides that a police officer, not below the rank of an inspector, or any other
officer of the Central Government or the State Government may enter any public place and
search and arrest without warrant any person found therein who is reasonably suspected of
having committed, of committing, or of being about to commit any offence under this act. The
person so arrested shall be taken before a magistrate having jurisdictional authority.
94. Section 81 provides that the provisions of this act shall have effect notwithstanding anything
inconsistent therewith contained in any other law for the time being in force.
95. Section 81 A relates to the application of the provisions of this act to electronic cheques and
truncated cheques subject to such modifications and amendments as may be necessary for
carrying out the purposes of the Negotiable Instruments Act
96. As per Section 82, the chairperson, members and other officers and employees of the cyber
appellate tribunal shall be deemed to be public servants
97. As per Section 83, the Central Government may give directions to the State Government as to
carrying into execution in the state any of the provisions of this act
98. U/s. 84, no suit shall be entertained by any court against any authority, including government,
for anything which is done in good faith or intended to be done in pursuance of this act
99. The Central Government may, for secure use of the electronic medium and for promotion of e-
governance, prescribe the modes or methods for encryption U/s. 84 A
100. U/s. 84 B, whoever abets an offence shall, if the act abetted is committed in consequence of
the abetment and no express provision is made in the act for punishment of such
abetment, be punished with the punishment provided for the offence under this act.
101. Punishment for attempt to commit offences mentioned under this act shall be imprisonment
extending to one half of the longest term of imprisonment provided for that offence and / or
with fine [Section 84 C]
102. Where the person committing a contravention is a company, every person who, at the time of
committing the contravention, was responsible to the company for conduct of the business of
the company as well as the company, shall be guilty of the contravention and shall be liable
to be proceeded against and punished accordingly. [Section 85]
103. If any difficulty arises in giving effect to the provisions of this act, the Central Government
may, by order published in the official gazette, make such provisions not inconsistent with the
provisions of this act as appear to it to be necessary or expedient for removing the difficulty.
[Section 86]
104. The Central Government may, by Notification in the Official Gazette, make rules to carry out
the provisions of the act [Section 87]
105. The Central Government shall, as soon as may be after the commencement of this act,
constitute a committee called the Cyber Regulations Advisory Committee which shall consist
of a chairperson and other official and non official members. [Section 88]
The Central Government, either generally as regards any rules or for any other purpose
connected with this act;
The controller, in framing regulations under this act
106. The controller may, after consultation with the committee and with the previous approval of
the Central Government, by Notification in the Official Gazette, make regulations consistent
with this act and the rules made thereunder to carry out the purposes of this act. [Section
89]
Such regulations may provide for all or any of the following matters, namely
a) The particulars relating to the maintenance of database containing the disclosure record
of every certifying authority
b) The conditions and restrictions subject to which the controller may recognize any foreign
certifying authority
c) The terms and conditions subject to which a license may be granted
d) Other standards to be observed by a certifying authority
e) The manner in which the certifying authority shall disclose specified matters
f) The particulars of statement accompanying application
g) The manner by which a subscriber communicates the compromise of a private key to the
certifying authority
The State government may, by Notification in the Official Gazette, make rules to carry out
the provisions of this act
Such rules may provide for the electronic form in which filing, issue, grant, receipt or
payment shall be effected
***