INFORMATION SYSTEM
Definition: small components that come together to achieve a specific objective / goal.
Information: meaningful, useful, structured & processed data is information.

Components of an Information System
- People: all those who operate, manage and maintain systems, i.e. system administrators, IS personnel, programmers & end users
- Hardware: physical components of the computer
- Software: includes the O/S & application software
- Data: raw facts which are input into the system
- Network: the communication media

Five Activities of a System / Steps of the IS Model
- Input: data flowing into the system from outside
- Process: converting the input into a useful form
- Output: the information flowing out of the system
- Storage: regular backups should be stored at different locations, so that we can recover from any disaster
- Feedback: occurs when the outcome has an influence on the input

APPLICATION SOFTWARE
It helps in addressing the needs of the user. It is dependent on system software and addresses the real-life problems of users. Application suites like MS Office 2010 (MS Word, MS Excel, MS Access, etc.), enterprise software like SAP, and content access software like media players, Adobe Digital, etc. are some examples of application software.

SYSTEM SOFTWARE
It is the most important part of the computer; it acts as the interface between hardware & application software.

Activities (mnemonic translated from Hindi: "the user's hardware file runs on MTNL", i.e. User interface, Hardware functions, Hardware independence, File, Memory, Task, Networking, Logical access)
- User Interface: most O/Ss have a Graphical User Interface (GUI), which uses icons & menus for executing activities on a computer
- Performing Hardware Functions: obtaining input from keyboard and mouse, accessing data from the hard disk & displaying output on the monitor
- Hardware Independence: the operating system provides Application Program Interfaces (APIs) which application developers use to create application software, so the application will run on any hardware for that O/S
- File Management: it keeps track of where each file is stored and who can access it
- Memory Management: with the help of the O/S we can see how much memory is free & how much is occupied
- Task Management: the O/S can execute many tasks simultaneously and keeps track of the resources used by the multiple jobs / tasks being executed
- Networking Capability: the O/S provides many features & capabilities to help connect computer networks
- Logical Access Security: it provides logical security by establishing a procedure for identification & authentication using a user ID and password

OUTPUT
Various forms of output are:
- Textual: words, sentences and paragraphs
- Graphical: digital representations of non-text information such as drawings, charts, photographs and animation
- Audio: music, speech, or any other sound
- Video: images played back at speeds that give the appearance of full motion
- Tactile: raised-line drawings, which may be useful for some individuals who are blind
Examples of output devices are the screen, printer and speaker.

PROCESSING DEVICE
CPU: the CPU is the actual hardware that interprets & executes the software. It is through the CPU that processing happens; it interacts with all the input devices and produces output.
It has 3 units:
- CU: controls all the input & output devices. It takes the data and instructions from RAM & decides which task to execute & when
- ALU: performs arithmetic & logical calculations such as addition, subtraction & logical comparison (IF, THEN etc.)
- Registers: high-speed memory units within the CPU for storing small amounts of data
  - Accumulators: store the intermediate results of processing, or keep running totals of arithmetic values
  - Address Registers: store the memory addresses of the data or instructions being accessed
  - Storage Registers: store data that is being sent to or coming from the system memory
  - Miscellaneous: used for several general-purpose functions

INPUT DEVICES
- Keyboard: text-based input
- Mouse: menu or selection
- Scanners & webcams: image input
- Microphone: voice-based input

STORAGE
Internal Memory
- Registers: internal memory within the CPU, very fast and very small
- Cache Memory: bridges the speed difference between registers and primary memory (RAM); whenever the CPU wants to do a task it first goes to cache memory, and only if the data is not available there, to RAM
Primary Memory
- RAM: can be read as well as modified; used to execute applications; volatile, i.e. information is lost as soon as power is off
- ROM: read only; used to store programs to boot the computer; non-volatile, i.e. content remains even if power is off
Virtual Memory: when RAM is full, the O/S tells the hard disk to compensate for RAM and become virtual RAM, so all files in RAM which we are not using are transferred to a paging file on the hard disk; RAM is freed & can do more tasks
Secondary Memory: non-volatile, large capacity, low cost & slow speed

DBMS
Definition: a DBMS is a system in which there is a collection of data organized in such a way that it is easy to add, delete, modify & retrieve the data whenever

Advantages of DBMS (mnemonic: "3D Security in the UI", i.e. User friendly, Integrity, Data sharing, Data redundancy, Development, Security)
- User Friendly: makes data access and manipulation easier for the user
- Integrity: updates and changes to the data only have to be made in one place in the DBMS, ensuring integrity
- Data Sharing: the same information can be made available to different users
- Minimize Data Redundancy: minimizing redundancy reduces the cost of storing information on hard drives and other storage devices
- Faster Application Development: the application developer has to think only of the logic required to retrieve the data in the way a user needs
- Improved Security: a DBMS provides various security features which can be used for providing a secured database

Types of DBMS
- Hierarchical DBMS: records are classified based on a hierarchy of relationships; one-to-one & one-to-many relationships are possible. It is less flexible because data has to go through fixed routes
- Network DBMS: all types of relationships are possible: 1. one to one, 2. one to many, 3. many to one, 4. many to many. It is more flexible because data can be transferred from anywhere
- Relational DBMS: data is in the form of two-dimensional tables; each table is a small file, and the tables are linked to each other
- Object Oriented DBMS: objects (tables) are created; each object (table) is an independently working application assigned a specific task. If we want to create a new application we can use the same object (table) or create a new object.
BIG DATA
It refers to data so large that conventional database tools do not have the power to analyse it.
Benefits
- Ability to process Big Data brings multiple benefits: access to social data from search engines and sites enables businesses to fine-tune their strategies
- Improved Customer Service: Big Data and natural language processing technologies are being used to read and evaluate consumer responses
- Better Operational Efficiency: offload infrequently accessed data, leading to better operational efficiency
Disadvantages
- Costly: implementing a DBMS system can be expensive and time-consuming, especially in large enterprises
- Security: even with safeguards in place, it may be possible for some unauthorized users to access the database

NETWORK
It is a collection of computers and other hardware interconnected by communication channels that allow sharing of resources and information between the connected computers and devices.
2 Types of Network
- Connection Oriented networks: a connection is first established and then data is exchanged
- Connectionless Networks: no prior connection is made before data is exchanged.
Data which is being exchanged from sender to receiver in fact carries complete information about the recipient and each intermediate destination.

A network will address the following issues (mnemonic RCB: Routing, Resilience, Contention, Bandwidth)
- Routing: the process of deciding how to communicate data from source to destination, because there are multiple ways
- Resilience: the ability of the network to recover from any kind of error, like communication failure or loss of data
- Contention: the situation when 2 people are trying to communicate at the same time (both are trying to call)
- Bandwidth: the amount of data which can be sent across the network (the wire decides the speed)

Benefits of Network (mnemonic CURD: Computational power sharing, User communication, Resource sharing, Reliability, Distributed nature of information)
- Computational Power Sharing: the computational power of most applications would increase drastically, as computers in a network can use and share each other's computational power
- User Communication: allows users to communicate using e-mail, newsgroups, video conferencing, etc.
- Resource Sharing: data can be stored at a central location and shared across different systems.
Resource sharing can even be in terms of sharing peripherals like printers.
- Reliability: many critical applications should be available 24x7; if such applications are run across different distributed systems on the network, the reliability of the application would be high
- Distributed Nature of Information (Information sharing): computer networks provide a distributed data processing system wherein information can be distributed geographically and data can be processed from anywhere

INFORMATION SYSTEM CONTROLS (ON THE BASIS OF OBJECTIVE)
Preventive: with these, threats can be prevented before they arise
Characteristics:
- Understanding the vulnerability of assets is required
- Understanding of probable threats is required
- Provision of the necessary controls for preventing threats from materializing
Detective: these are there to detect errors, omissions or malicious acts that occur and report the occurrence
Characteristics:
- Clear understanding of lawful activities, so that deviations can be reported
- Mechanism to report unlawful activities to the appropriate person / group
- Interaction with preventive controls to prevent such acts from occurring
Corrective: designed to reduce the impact of a threat or correct an error once it has occurred
Characteristics:
- Minimize the impact of the threat
- Correct errors arising from a problem
- Feedback from preventive & detective controls
- Modify the system to minimize future problems
FOR MORE DETAILS, PLEASE VISIT WWW.MRUGESHMADLANI.COM

USER ACCESS CONTROL
Why is the user granted the access? Has the data owner approved the access?
- Privilege Management: aligned with job requirements and responsibilities
- User Password Management: allocation, storage, revocation and reissue of passwords are password management functions.
- Review of User Access Rights: periodic review of access rights to check for anomalies between the user's current job profile and the privileges granted earlier

LOGICAL ACCESS CONTROLS
User Responsibilities
- Password use: mandatory use of strong passwords to maintain confidentiality
- Unattended user equipment: none of the equipment under their responsibility is ever left unprotected
Operating System Access Control
- Log-on Procedures: allow authorized users to access the computer system by validating the user's ID and password
- Access Control List: the user ID and password are compared with the access control list, and if they match the user is granted access
- Access Token: remains valid for a particular session and keeps all the event information of that session in a log file
- Password management system: internal storage of passwords should use one-way encryption algorithms
- Terminal time out: log out the user if the terminal is inactive
- Limitation of connection time: define the available time slot
Network Access Control (mnemonic FE-CP: Firewall, Encryption / Enforced path, Call back, Policy)
- Firewall: all traffic between the outside network & the organization intranet should pass through the firewall
- Encryption: the data to be transmitted is converted from its normal form into a secret form
- Enforced Path: specify the exact path or route connecting the networks
- Call back Devices: if the caller is authorized, the call back device dials the caller's number to establish a new connection
- Policy on use of network services: an enterprise-wide applicable network / internet policy should be there
Application & Monitoring System Access Control
- Information System Restriction: access to information is prevented by application-specific menu interfaces
- Sensitive system Isolation: based on the criticality of a system in an enterprise, it may even be necessary to run the system in an isolated environment
- Event logging: in computer systems it is easy and viable to maintain extensive logs for all types of events
- Monitor system use: based on the risk assessment, constant monitoring of some critical systems is essential
- Mobile Computing: there should be controls in portable devices also; theft of data carried on the disk drives of portable computers is a high risk factor.

BOUNDARY CONTROLS
- Cryptography: converts normal text into CIPHER TEXT, so an unauthorized user can't access the information
- PIN: generated by the SYSTEM
- Plastic Cards: used to store information which helps in identification
- Access Control: Identification (enter login ID & password); Authentication (the system establishes & checks the user's authentication); Authorization (specify what resources the user is permitted to access)
- Digital Signature: establishing the authenticity of persons and preventing the denial of messages or contracts

ONLINE OUTPUT PRODUCTION & DISTRIBUTION CONTROLS
- Source: output which can be generated or accessed online is authorized, complete & timely
- Distribution: prevent unauthorized copying of online output when it is distributed to a terminal
- Communication: reduce exposures from attacks during transmission
- Receipt: evaluate whether output should be accepted or rejected
- Review: timely action of the intended recipients on the output
- Disposition: actions to be taken on the online output they receive
- Retention: how long it is to be retained
- Deletion: delete once expired

INPUT CONTROLS
- Source Document: implement control procedures over source documents to avoid any document fraud
- Data Coding: check the two types of errors which can corrupt a data code and cause processing errors
- Batch Controls: the process of grouping together transactions that bear some type of relationship to each other
- Validation Controls: used for detecting errors in data before the data is processed

DATA CODING ERRORS
Transcription
- Addition: an extra digit or character is added
- Truncation: a digit or character is removed from the end of a code
- Substitution: replacement of one digit in a code with another
Transposition
- Single: occurs when two adjacent digits are reversed
- Multiple: occurs when nonadjacent digits are transposed

PROCESS CONTROLS
- Processor: has 3 components, CU, ALU & Registers
- Real Memory: seeks to detect and correct errors that occur in memory and to protect areas of memory assigned to a program from illegal access by another program
- Virtual Memory: a control mechanism must be in place that maps virtual memory addresses into real memory addresses
- File Handling: to prevent accidental destruction of data contained on a storage medium
- Application Software: only correct changes are made

OUTPUT CONTROLS
- Inference Controls: the user can only obtain aggregate statistics rather than values of individual data items
- Batch Report Design Controls: features should comply with the control procedures laid down during the output process
- Batch Output Production & Distribution Controls: output in the form of tables, graphs or images is produced at some operations facility & distributed to the users of the output; controls to identify errors or irregularities must be in place
- Online Output Production & Distribution Controls: output delivered online through the front end (listed above)

BATCH CONTROL TYPES
- Record Count: grand total of the number of documents / records in the batch
- Hash Total: grand total calculated for a code field on the documents in the batch (e.g. account numbers); the total has no meaning in itself and is used only as a check
- Financial Total: grand totals calculated for each field containing money amounts

DATABASE CONTROLS (mnemonic caFL)
- Concurrency Controls: address situations which arise due to simultaneous access to the same database
- Cryptographic Controls: protecting the integrity of data stored in the database using block encryption
- Access Control: a security policy has to be specified, following which an access control mechanism that will enforce the chosen policy is selected
- Constraints are established to specify the type of relationship, and consistency among rows in a relationship should be enforced

BATCH OUTPUT PRODUCTION & DISTRIBUTION CONTROLS (mnemonic SUPER)
- Spooling File: the spool file shall not be open to unauthorized modification
- Storage Controls: appropriate controls over stored output
- User / Client Service Review: detection of errors / irregularities in output
- User Output: review output on a timely basis
- Printing Controls: output on the correct printer
- Report Program Execution: only authorized users are permitted to execute batch report programs
- Report Distribution: collect the printout as soon as it is produced
- Retention & Destruction: the time duration for which output should be retained

TOP MANAGEMENT CONTROLS
- Planning: determining the goals of the information systems function and the means of achieving these goals. The steering committee is responsible for the overall direction of IT
- Organizing: a prescribed IT organizational structure with documented roles and responsibilities and agreed job descriptions
- Leading: motivating, guiding and communicating with personnel; the purpose of leading is to achieve harmony of objectives
- Controlling: comparing actual performance with planned performance as a basis for taking any corrective actions

SECURITY MANAGEMENT CONTROLS
For each threat there should be appropriate controls. In spite of controls we should also have:
1. Disaster Recovery Plan: 4 plans, Emergency, Backup, Recovery and Test Plan
2. Insurance: adequate insurance must be able to replace information systems assets and to cover the extra costs associated with restoring normal operations.
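The operating system access controls listed above (log-on procedure, access control list, access token, one-way password storage, terminal time out and event logging) fit together as one mechanism. The following is an added example, not code from the notes or from any real system: the user store, the ACL, the 15-minute time-out value and all user names and passwords are constructed for illustration, and PBKDF2-HMAC-SHA256 is used as the one-way algorithm.

```python
"""Added example: a minimal log-on procedure tying together one-way password
storage, an access control list, a session access token with terminal
time-out, and an event log. All users, passwords and the ACL below are
constructed sample data; the time-out value is an assumption."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000
SESSION_TIMEOUT_SECONDS = 900  # terminal time-out of 15 minutes (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way storage: only the salt and the PBKDF2 digest are ever kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: user id -> (salt, digest). No plaintext is stored.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Constructed access control list: user id -> set of permitted resources.
ACL: Dict[str, set] = {
    "alice": {"ledger:read", "ledger:write"},
    "bob": {"ledger:read"},
}

EVENT_LOG: List[dict] = []          # event logging for later audit review
SESSIONS: Dict[str, dict] = {}      # access token -> session record


def log_event(event: str, **fields) -> None:
    EVENT_LOG.append({"ts": time.time(), "event": event, **fields})


def log_on(user_id: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Log-on procedure: validate user id and password, issue an access token."""
    now = time.time() if now is None else now
    record = USERS.get(user_id)
    if record is None:
        log_event("logon_failed", user=user_id, reason="unknown user")
        return None
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of digests, never of plaintext passwords.
    if not hmac.compare_digest(stored, candidate):
        log_event("logon_failed", user=user_id, reason="bad password")
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": user_id, "last_active": now}
    log_event("logon_ok", user=user_id)
    return token


def authorize(token: str, resource: str, now: Optional[float] = None) -> bool:
    """Check the token is still live (terminal time-out) and the ACL permits the resource."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        log_event("access_denied", reason="no session")
        return False
    if now - session["last_active"] > SESSION_TIMEOUT_SECONDS:
        SESSIONS.pop(token)
        log_event("session_timeout", user=session["user"])
        return False
    session["last_active"] = now
    allowed = resource in ACL.get(session["user"], set())
    log_event("access_allowed" if allowed else "access_denied",
              user=session["user"], resource=resource)
    return allowed


if __name__ == "__main__":
    tok = log_on("bob", "hunter2")
    print(authorize(tok, "ledger:read"), authorize(tok, "ledger:write"))
    for e in EVENT_LOG:
        print(e)
```

Every decision point writes to the event log, so a later audit trail review can reconstruct who logged on, what they touched and which sessions expired; the `now` parameter exists only so the time-out branch can be exercised deterministically.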
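The input controls above describe batch control totals (record count, hash total, financial total) and the data coding error types (transcription and transposition) in words. The following added example, which is not part of the notes, computes the three totals for a constructed batch of vouchers, compares them with control totals from a batch header, and classifies how a mis-keyed code differs from the correct one using exactly the categories listed. The voucher data, field names and the `classify_code_error` rules are assumptions made for this example.

```python
"""Added example: batch control totals and data coding error classification.
The vouchers and header totals are constructed sample data."""
from typing import Dict, List


def batch_totals(vouchers: List[dict]) -> Dict[str, float]:
    """Record count, hash total (sum of the account code field, meaningless as a
    number but useful as a check) and financial total (sum of the amount field)."""
    return {
        "record_count": len(vouchers),
        "hash_total": sum(v["account"] for v in vouchers),
        "financial_total": round(sum(v["amount"] for v in vouchers), 2),
    }


def check_batch(vouchers: List[dict], header: Dict[str, float]) -> List[str]:
    """Return the names of the control totals that do not agree with the batch header."""
    actual = batch_totals(vouchers)
    return [name for name, value in header.items() if actual[name] != value]


def classify_code_error(expected: str, entered: str) -> str:
    """Classify a keyed code against the correct code.

    Transcription: addition (extra character anywhere), truncation (characters
    dropped from the end), substitution (one character replaced).
    Transposition: single (two adjacent characters swapped), multiple (the same
    characters in a different order, not a single adjacent swap)."""
    if expected == entered:
        return "none"
    if len(entered) == len(expected) + 1 and any(
        entered[:i] + entered[i + 1:] == expected for i in range(len(entered))
    ):
        return "transcription:addition"
    if len(entered) < len(expected) and expected.startswith(entered):
        return "transcription:truncation"
    if len(entered) == len(expected):
        diff = [i for i in range(len(expected)) if expected[i] != entered[i]]
        if len(diff) == 1:
            return "transcription:substitution"
        if sorted(expected) == sorted(entered):
            if len(diff) == 2 and diff[1] == diff[0] + 1:
                return "transposition:single"
            return "transposition:multiple"
    return "other"


# Constructed batch of three vouchers and the control totals keyed on its header.
SAMPLE_BATCH = [
    {"account": 1001, "amount": 250.00},
    {"account": 1002, "amount": 75.50},
    {"account": 1005, "amount": 10.00},
]
SAMPLE_HEADER = {"record_count": 3, "hash_total": 3008, "financial_total": 335.50}

if __name__ == "__main__":
    print(batch_totals(SAMPLE_BATCH))
    print("mismatches:", check_batch(SAMPLE_BATCH, SAMPLE_HEADER))
    for keyed in ("12345", "123456", "1234", "12395", "12435", "52341"):
        print(keyed, "->", classify_code_error("12345", keyed))
```

A mismatch in the hash total with a correct record count and financial total points to a mis-keyed account code rather than a lost voucher, which is why all three totals are kept together; the classifier then tells the operator which keying error to look for.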
SYSTEM DEVELOPMENT MANAGEMENT CONTROLS
- Problem Definition & Feasibility Assessment: all solutions must be properly & formally authorized to ensure their economic justification & feasibility
- Analysis of Existing System: study the existing organizational history and culture; study the existing product & information flows, as the proposed system will be based primarily on the current
- Information Processing System Design: designers shall determine the flow of data / information, and the frequency & timing of data & information flows
- Hardware / Software Acquisition & Procedures Development: vendor proposals are invited & the final decision is made based on the evaluation objectives
- Acceptance Testing: identify errors or deficiencies in the system prior to its final release into production use
- Operation & Maintenance: the new system is run as the production system & periodically modified to meet its

DATA RESOURCE MANAGEMENT CONTROLS (mnemonic ABCD-QU)
- Access Controls: to prevent unauthorised access to the system
- Back-up Controls: in case data is lost, they ensure availability of data at all times
- Concurrency Controls: provide a solution & agreed-upon schedules when 2 people update the same data at the same time
- Definition Controls: ensure the database always responds and complies with standards
- Quality Controls: include validation of input data to ensure accuracy & completeness of data
- Update Controls: restrict updating of data to authorized users, in 2 ways: permit only the addition of data; allow users to change or delete existing data

QUALITY ASSURANCE MANAGEMENT CONTROLS
- Information systems produced by the IS function achieve certain quality goals
- Development, implementation, operation & maintenance of information systems comply with standards

PROGRAMMING MANAGEMENT CONTROLS
- Planning: techniques like Work Breakdown Structures (WBS) and PERT charts can be used to monitor progress against plan
- Design: any of the structured design approaches is adopted
- Coding: a module implementation and integration strategy, and a documentation strategy
- Testing: unit, integration & whole-of-program testing
- Operation & Maintenance: corrective, adaptive & perfective maintenance
- Control: corrective action

OPERATIONS MANAGEMENT CONTROLS (mnemonic translated from Hindi: "the library should have Operations and Technical support")
- File Library: management of an organization's machine-readable storage media like magnetic tapes, cartridges and optical disks
- Documentation & Program Library: only authorized personnel gain access to documentation; documentation is kept up to date and adequate backup exists for it
- Computer Operations: govern the activities that directly support the day-to-day execution of either test or production systems on the available hardware / software platform
- Network Operations: proper functioning of the network and network devices
- Management of Outsourced Operations: responsibility for carrying out day-to-day monitoring of the outsourcing contract
- Technical Support: how to use the system & resolve errors
- Capacity Planning & Performance Monitoring: resource deficiencies must be identified well in time so that resources can be made available

SYSTEM AUDIT
Factors influencing an organization towards audit and control of computers / Why controls?
(mnemonic translated from Hindi: "incorrect computer cost and data loss occur", i.e. Incorrect decisions, Computer value, Cost of abuse and error, Data loss)
- Incorrect decision making: audit of information systems ensures that accurate data is available for managers to take high-level decisions
- Value of computer hardware, software & personnel: critical resources of an organization which have a significant impact on business competitiveness
- Cost of computer abuse: unauthorised access to computer systems and computer viruses can lead to destruction of assets
- High cost of computer error: a data error during entry or processing can cause great damage
- Organisational cost of data loss: data is the most critical resource for an organisation, for its present as well as its future

OBJECTIVES OF IS AUDITING
- Asset Safeguarding: information system assets must be protected by a system of internal controls from unauthorised access
- Data Integrity: maintaining the integrity of an organization's data is required at all times, else the organization may suffer loss of competitive advantage
- System Effectiveness: the objective is to ascertain that the system meets substantial user requirements
- System Efficiency: control and audit of information systems are required to optimize the use of the various information systems

SNAPSHOT
- It is installed by the auditor in the client system
- It takes "photos" of the transaction before, during & after processing
- These are then sent to the auditor to verify the accuracy, authenticity & completeness of the transaction
- Only material transactions are selected
- Areas to be decided by the auditor: 1. snapshot points, 2. when to capture, 3. how to report
INTEGRATED TEST FACILITY
- We create a dummy entity and enter dummy data to verify the processing system
- We also test with live data by tagging, to see whether we are getting the desired output or not
- In the end the auditor collects the results and compares them with the expected results, to verify whether the controls are working as desired

SCARF (System Control Audit Review File)
- Audit software is embedded in the host application system
- Whenever any transaction occurs it is compared with SCARF; in case of any errors it is written to the SCARF master file for review by the auditor
- It is like snapshot, but takes "photos" of only those transactions with some processing

OBJECTIVES OF AUDIT TRAIL (mnemonic DRP)
- Detecting Unauthorized Access: this detection can be either real-time detection or after-the-fact detection. Real-time detections are alerts configured to trigger even while unauthorized access is being attempted
- Reconstruction of Events: logs help analyze the error condition & prevent future occurrence. Similarly, logs help reconstruct account balances if the files are corrupted
- Personal Accountability: the user's activity can be monitored & this acts as a deterrent against unauthorized access or policy violations by users

CIS (Continuous and Intermittent Simulation)
Whenever any database transaction is initiated and updates the DBMS, it is sent to the CIS module, which independently processes the data & compares its result with that of the DBMS:
- No difference: no report
- Small difference: report to the exception log file
- Major difference: prevent the transaction from updating the DBMS

AUDIT HOOKS
When we want to catch the person red-handed, we flag suspicious transactions & tag name and address changes, so the auditor is informed as soon as such things occur. E.g. LIC
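The CIS decision rule above (no difference, small difference, major difference) is easy to state but its value lies in the module recomputing the result independently of the application. The following added example, which is not part of the notes, simulates that: a constructed application update is checked against the CIS module's own recomputation before the DBMS balance is written. Balances are held in whole paise to avoid floating-point noise, and the threshold separating a "small" from a "major" difference (1 paisa) is an assumption chosen for this example.

```python
"""Added example: a Continuous and Intermittent Simulation (CIS) module that
recomputes each transaction independently and compares with the result the
application proposes for the DBMS. Accounts, transactions and the threshold
are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List

SMALL_DIFF_LIMIT = 1  # assumed threshold in paise: at or below this is a small difference


@dataclass
class CisModule:
    balances: Dict[str, int]                          # the DBMS view of balances, in paise
    exception_log: List[dict] = field(default_factory=list)

    def simulate(self, txn: dict) -> int:
        """Independent recomputation of the balance the DBMS should hold after txn."""
        current = self.balances[txn["account"]]
        if txn["type"] == "credit":
            return current + txn["amount"]
        if txn["type"] == "debit":
            return current - txn["amount"]
        raise ValueError("unknown transaction type: %r" % txn["type"])

    def process(self, txn: dict, dbms_result: int) -> str:
        """Compare the application's proposed result with the simulation and act."""
        expected = self.simulate(txn)
        diff = abs(dbms_result - expected)
        if diff == 0:
            self.balances[txn["account"]] = dbms_result   # no difference: update, no report
            return "updated"
        entry = {"txn": txn["id"], "expected": expected, "got": dbms_result}
        if diff <= SMALL_DIFF_LIMIT:
            self.balances[txn["account"]] = dbms_result   # small difference: update, but log it
            self.exception_log.append({**entry, "action": "logged"})
            return "updated_with_exception"
        # Major difference: prevent the transaction from updating the DBMS.
        self.exception_log.append({**entry, "action": "blocked"})
        return "blocked"


def faulty_application(balance: int, txn: dict) -> int:
    """Constructed stand-in for application logic with a defect: debits are
    under-applied by one paisa for amounts below 5000, and by 1000 paise above."""
    if txn["type"] == "credit":
        return balance + txn["amount"]
    return balance - txn["amount"] + (1 if txn["amount"] < 5000 else 1000)


def run_demo() -> List[str]:
    """Feed constructed transactions through the faulty application and the CIS module."""
    cis = CisModule({"A-1": 10000})
    outcomes = []
    for txn in (
        {"id": 1, "account": "A-1", "type": "credit", "amount": 5000},
        {"id": 2, "account": "A-1", "type": "debit", "amount": 2000},
        {"id": 3, "account": "A-1", "type": "debit", "amount": 6000},
    ):
        proposed = faulty_application(cis.balances[txn["account"]], txn)
        outcomes.append(cis.process(txn, proposed))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The second transaction slips through with an exception-log entry (a one-paisa drift), while the third is blocked outright and the balance is left untouched; an auditor reading the exception log sees both, which is the "report" the notes refer to.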
