
Server – a computer or system that provides resources, data, services or programs to other
computers, known as clients, over a network. An example is the server in the computer lab.

Virtualization hypervisor – a piece of computer software, firmware or hardware that creates and runs
virtual machines. The physical computer on which the hypervisor runs is called the host; each virtual
machine it runs is a guest.

Example: Oracle VM VirtualBox – a widely used open source, cross-platform virtualization package.
It lets developers deliver code faster by running multiple operating systems on a single device, and
IT teams and solution providers use it to reduce operational costs and shorten the time needed to
securely deploy applications on-premises and to the cloud.

Guest Machine – the virtual environment elements (operating systems, switches, routers, firewalls)
residing on the computer on which the hypervisor has been installed. The hypervisor acts as a barrier
between guests, so that policies that are not regulated on one device do not overlap with, or reach
into, another device.

Key risk areas

• Malware running below the guest OS (in or under the hypervisor): for example, logging password
entry. Antivirus software inside the guest may not detect this, because the malware runs below the
entire OS.
• Guest-to-guest attacks: these can lead to unauthorized access to resources, such as one guest OS
injecting malware or placing malicious code into another guest's memory.
• Hypervisor functionality exposed to guests: such functionality can inadvertently provide an attack
vector for malware or allow an attacker to gain access to particular resources.
• Snapshots: these pose a greater risk than images because a snapshot contains the contents of
random access memory (RAM) at the time it was taken, and this may include sensitive information that
was never stored on the drive itself.
• Hypervisor access control: anyone who can launch an application on the host OS can run the
hypervisor, so the only access control is whether someone can log into the host OS.
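The snapshot risk above is easy to underestimate until you look at what a RAM dump actually holds. The
following Python scanner is an added example (not from the original notes or from any hypervisor
vendor): it walks a raw memory image the way the `strings` tool does, pulling out printable ASCII and
UTF-16LE runs, and then matches them against a few patterns for secrets that typically exist only in
memory (an HTTP Basic authorization header, a password assignment, a private key block). The image it
scans is a constructed byte string with made-up credentials; it assumes a raw, uncompressed dump, so a
real snapshot file may need to be exported to raw form first.

```python
import base64
import binascii
import re
from typing import Iterator, List, Tuple

# Constructed sample "memory image": the kind of content a snapshot's RAM dump
# can hold. All secrets below are made-up values for this demonstration.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"GET /login HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"
    + b"\x90" * 32
    + "db_password=Tr0ub4dor&3\n".encode("utf-16-le")  # Windows-style UTF-16 string
    + b"-----BEGIN RSA PRIVATE KEY-----\nAAAAFAKEKEYBODYAAAA\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 16
)

# Patterns for secrets that often live only in memory. Extend for your environment.
PATTERNS = {
    "basic_auth_header": re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})"),
    "password_assignment": re.compile(r"(?i)(?:pass(?:word|wd)?|pwd)\s*[=:]\s*(\S{4,})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def extract_strings(data: bytes, min_len: int = 6) -> Iterator[Tuple[int, str]]:
    """Yield (byte offset, text) for printable ASCII and UTF-16LE runs,
    the same idea as `strings -e s` / `strings -e l` on a raw dump."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def scan_memory_image(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset of the containing string, finding kind, redacted evidence),
    sorted by offset. Values are redacted so the report itself is not a second leak."""
    findings: List[Tuple[int, str, str]] = []
    for offset, text in extract_strings(data):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(text)
            if not m:
                continue
            if kind == "basic_auth_header":
                try:
                    creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                    shown = creds.split(":", 1)[0] + ":***"  # keep the user name, drop the password
                except (binascii.Error, ValueError):
                    shown = "<undecodable>"
            elif kind == "private_key_block":
                shown = m.group(0)  # the header line alone is the evidence
            else:
                shown = m.group(1)[:2] + "***"
            findings.append((offset, kind, shown))
    findings.sort()
    return findings


if __name__ == "__main__":
    for offset, kind, shown in scan_memory_image(SAMPLE_IMAGE):
        print(f"0x{offset:08x}  {kind:20s}  {shown}")
```

Run against a real dump, this is the check an auditor can use to show that a snapshot store needs the
same access control and encryption as the credential store itself; the UTF-16 pass matters because
Windows guests keep most of their in-memory strings in that encoding, and an ASCII-only scan misses them.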

Business-to-consumer (B-to-C) relationships - Companies can tailor their marketing strategies to an
individual customer's needs and wants. As more of its business shifts online, a company will have an
enhanced ability to track how its customers interact with it.

Business-to-employee (B-to-E) relationship - the way an employer (either an individual or an entity) and
its employees view and treat one another in a work setting.

Business-to-government (B-to-G) relationship - The government most often directly influences
organizations by establishing regulations, laws and rules that dictate what organizations can and cannot do.

Single-tier architecture implies putting all of the required components for a software application
(both the backend and the frontend) on just one server.

A two-tier architecture is a software architecture in which a presentation layer or interface runs
on a client, and a data layer or data structure is stored on a server.

Three-tier architecture is a well-established software application architecture that organizes
applications into three logical and physical computing tiers: the presentation tier, or user interface; the
application tier, where data is processed; and the data tier, where the data associated with the
application is stored and managed.

• Confidentiality—Potential consumers are concerned about providing unknown vendors with personal
(sometimes sensitive) information for a number of reasons including the possible theft of credit card
information from the vendor following a purchase.

• Integrity—Data, both in transit and in storage, could be susceptible to unauthorized alteration or
deletion (i.e., hacking, or the e-business system itself could have design or configuration problems).

• Availability—The Internet holds out the promise of doing business on a 24-hour, seven-day-a-week
basis. Hence, high availability is important, with any system failure becoming immediately apparent to
customers or business partners.

• Authentication and nonrepudiation—The parties to an electronic transaction should be in a known
and trusted business relationship, which requires that they prove their respective identities before
executing the transaction. This prevents impersonation and man-in-the-middle attacks (e.g., the seller
being an impostor), and stops either party from later denying that it took part in the transaction.

• Power shift to customers—The Internet gives consumers unparalleled access to market information
and generally makes it easier to shift between suppliers. Firms participating in e-business need to make
their offerings attractive and seamless in terms of service delivery. This will involve not only system
design, but also reengineering of business processes. Back-end support processes need to be as efficient
as possible because, in many cases, doing business over the Internet forces down prices (e.g., online
share brokering). To avoid losing their competitive advantage of doing business online, firms need to
enhance their services, differentiate themselves from the competition and build additional value. Hence
the drive to personalize web sites by targeting content based on analyzed customer behavior and allowing
direct contact with staff through instant messaging technology and other means.

EDI

Communications software moves data from one point to another, flags the start and end of an EDI
transmission and determines how acknowledgments are transmitted and reconciled. Translation
software helps build a map and shows how the data fields from the application correspond to elements
of an EDI standard. Later, it uses this map to convert data back and forth between the application and
EDI formats.

In reviewing EDI, IS auditors need to be aware of the two approaches related to EDI: the traditional
proprietary version of EDI used by large companies and government parties, and the development of
EDI through the publicly available commercial infrastructure offered through the Internet.

• EDI translator—This device translates the data between the standard format (ANSI X12) and a trading
partner’s proprietary format.
• Application interface—This interface moves electronic transactions to or from the application systems
and performs data mapping. Data mapping is the process by which data are extracted from the EDI
translation process and integrated with the data or processes of the receiving company.
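The map described in the translation-software paragraph and in the EDI translator and application
interface bullets is the core of EDI processing, so here is an added example of one (Python, written
for these notes; it is not code from any EDI product). A single map ties application field names to
segment IDs and element positions; the same map drives both directions, application record to EDI
and EDI back to a record. The element separator `*`, segment terminator `~`, and the BEG/PO1
positions are assumed from the common X12 850 purchase order layout and are illustrative, not a
reference implementation. The check for delimiters in field values is the control an auditor should
look for: an application value containing `*` or `~` would silently restructure the transmission.

```python
from typing import Dict, List

# Delimiters used by this example. Real X12 interchanges declare their own
# element separator and segment terminator in the ISA header; these common
# defaults are assumed here.
ELEMENT_SEP = "*"
SEGMENT_TERM = "~"

# The "map": application field -> (segment ID, element position, 1-based).
# Positions follow the X12 850 BEG/PO1 layout as assumed for this example.
PO_MAP: Dict[str, tuple] = {
    "po_number":  ("BEG", 3),
    "po_date":    ("BEG", 5),
    "quantity":   ("PO1", 2),
    "unit_price": ("PO1", 4),
    "item_sku":   ("PO1", 7),
}

# Constant elements the standard needs but the application does not store
# (assumed codes: 00 = original order, SA = stand-alone, EA = each,
# PE = price per each, VP = vendor's part number).
FIXED_ELEMENTS = {
    "BEG": {1: "00", 2: "SA"},
    "PO1": {1: "1", 3: "EA", 5: "PE", 6: "VP"},
}
SEGMENT_ORDER = ("BEG", "PO1")


def contains_delimiter(value: str) -> bool:
    """True if a field value would corrupt the EDI structure (delimiter injection)."""
    return ELEMENT_SEP in value or SEGMENT_TERM in value


def to_edi(record: Dict[str, str]) -> str:
    """Application record -> EDI segments, using PO_MAP in the forward direction."""
    elements: Dict[str, Dict[int, str]] = {seg: dict(fixed) for seg, fixed in FIXED_ELEMENTS.items()}
    for field, (seg, pos) in PO_MAP.items():
        value = str(record[field])
        if contains_delimiter(value):
            raise ValueError(f"field {field!r} contains an EDI delimiter: {value!r}")
        elements.setdefault(seg, {})[pos] = value
    segments: List[str] = []
    for seg in SEGMENT_ORDER:
        elems = elements[seg]
        width = max(elems)  # pad missing positions so later elements keep their slot
        segments.append(ELEMENT_SEP.join([seg] + [elems.get(i, "") for i in range(1, width + 1)]))
    return SEGMENT_TERM.join(segments) + SEGMENT_TERM


def from_edi(text: str) -> Dict[str, str]:
    """EDI segments -> application record, using the same PO_MAP in reverse."""
    by_id: Dict[str, List[str]] = {}
    for raw in text.split(SEGMENT_TERM):
        if raw:
            seg_id, *elems = raw.split(ELEMENT_SEP)
            by_id[seg_id] = elems
    record: Dict[str, str] = {}
    for field, (seg, pos) in PO_MAP.items():
        elems = by_id.get(seg, [])
        record[field] = elems[pos - 1] if pos <= len(elems) else ""  # absent element -> empty
    return record


# Constructed sample purchase order for the demonstration.
SAMPLE_PO = {
    "po_number": "PO-1001",
    "po_date": "20240315",
    "quantity": "10",
    "unit_price": "19.99",
    "item_sku": "SKU-42",
}

if __name__ == "__main__":
    edi = to_edi(SAMPLE_PO)
    print(edi)
    print(from_edi(edi))
```

Because both directions read the one map, a field added to `PO_MAP` is automatically mapped on send
and on receive; that single point of definition is what the notes mean by the translator "building a
map" and then "using this map to convert data back and forth".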

3.7.6 Point-of-sale (POS) systems

The most common payment instruments used with POS systems are credit and debit cards, which are
associated with bank accounts.

Risk Management Controls for E-banking

Effective risk management controls for electronic banking include the following 15 controls divided
among three categories:

• Board and management oversight:
1. Effective management oversight of e-banking activities
2. Establishment of a comprehensive security control process
3. Comprehensive due diligence and management oversight process for outsourcing relationships and
other third-party dependencies

• Security controls:
4. Authentication of e-banking customers
5. Nonrepudiation and accountability for e-banking transactions
6. Appropriate measures to ensure segregation of duties (SoD)
7. Proper authorization controls within e-banking systems, databases and applications
8. Data integrity of e-banking transactions, records and information
9. Establishment of clear audit trails for e-banking transactions
10. Confidentiality of key bank information

• Legal and reputational risk management:
11. Appropriate disclosures for e-banking services
12. Privacy of customer information
13. Capacity, business continuity and contingency planning to ensure availability of e-banking systems
and services
14. Incident response planning
15. Compliance with banking sector directives (e.g., the Basel Accords)
