
Chapter 3 - Information Systems and its components

Part – 1 Data, Information, System and information system


1. What is information?
Processed data is known as information. Information is always meaningful.
2. What is data?
Data is in raw form. Processing data produces information.
3. What is the relation between data and information?
Data is in raw form; information is in finished form. The relation between data and information is like that between
raw material and finished goods.
4. Explain Data model hierarchy.
• Database: This is a collection of Files.
• File: This is a collection of Records.
• Record: This is a collection of Fields.
• Field: This is a collection of Characters.
• Characters: These are a collection of Bits.
5. Explain meaning of System.
A system can be defined as a group of mutually related, cooperating elements with a defined boundary, working
towards a common goal by taking inputs and producing outputs in an organized transformation process.
6. Explain relation between system and sub system.
Often a system contains several subsystems with sub-goals, all contributing to meeting the overall system goal. A sub
part of a system is known as a subsystem, and the main system of such a subsystem is known as the supra system.
7. What are the five components of a generic system?
• Input,
• Process,
• Output,
• Feedback and
• Control.
8. Explain what is information system?
• The main aim and purpose of every Information System is to convert data into information which is useful and
meaningful.
• An Information System (IS) is a combination of people, hardware, software, communication devices, network and
data resources that processes (stores, retrieves and transforms) data and information for a
specific purpose.
9. Explain components of Information Systems.
• People,
• Hardware,
• Software,
• Data and
• Network.
10. Explain the steps of the information system model. / Functions of an information system.
• Input: Data is collected from an organization or from external environments and converted into the suitable format
required for processing.
• Process: A process is a series of steps undertaken to achieve a desired outcome or goal.
• Output: The resulting information is stored for future use or communicated to the user after the respective
procedure has been applied to it.
11. What are the important characteristics of Computer based Information Systems
• Work for predetermined objectives
• Interrelated and interdependent subsystems
• Interrelated components
• Interaction
• Common goal
12. What is interaction?
The way a subsystem works with another subsystem is called interaction.
13. Explain People Resources with respect to components of information system.
From help desk to CIO

Part – 2 – Computer system, Hardware and Software


14. What is computer system? Explain computer system is combination of hardware and software.
Computer System is combination of Hardware and Software.
15. What is hardware?
Hardware is the tangible portion of our computer systems; something we can touch and see. It basically consists of
devices that perform the functions of input, processing, data storage and output activities of the computer.
16. Explain typical hardware architecture with diagram.
i) Input Devices
ii) Processing Devices
- Control Unit (CU)
- Arithmetic and Logical Unit (ALU)
- Registers
  • Accumulators
  • Address Registers
  • Storage Registers
  • Miscellaneous
iii) Data Storage Devices
(a) Internal Memory
  • Processor Registers
  • Cache Memory
(b) Primary Memory/Main Memory
  • Random Access Memory (RAM)
  • Read Only Memory (ROM)
(c) Secondary Memory:
(d) Virtual Memory
iv) Output Devices:

17. Short Note on Input devices.
Input Devices are devices through which we interact with the system and include devices like Keyboard, Mouse and
other pointing devices, Scanners, Bar Code and MICR readers, Webcams, Microphone and Stylus / Touch Screen.
18. Short Note on processing devices.
Processing Devices include computer chips that contain the Central Processing Unit and main memory.
19. Short note on CPU.
The main function of CPU is to execute programs stored in memory. It consists of three functional units:
• Control Unit (CU)
• Arithmetic and Logical Unit (ALU)
• Registers:
  • Accumulators
  • Address Registers
  • Storage Registers
  • Miscellaneous

20. Explain following
• Control unit
- CU controls the flow of data and instructions to and from memory, interprets the instructions and controls
which tasks to execute and when.
• Arithmetic and Logical unit
- Performs arithmetic operations such as addition, subtraction, multiplication, and logical comparison of
numbers: Equal to, Greater than, Less than, etc.
• Registers
- These are high speed memory units within the CPU for storing a small amount of data (mostly 32 or 64 bits).
21. Explain following types of registers
• Accumulators:
- They can keep running totals of arithmetic values.
• Address Registers
- They can store memory addresses which tell the CPU where in memory an instruction is located.
• Storage Registers
- They can temporarily store data that is being sent to or coming from the system memory.
22. Short note on data storage devices.
Data Storage Devices refer to the memory where data and programs are stored.
• Data Storage Devices
- Internal Memory
  • Processor Registers
  • Cache Memory
- Primary Memory/Main Memory
  • Random Access Memory (RAM)
  • Read Only Memory (ROM)
- Secondary Memory
- Virtual Memory
23. What are the various types of memory techniques? Or what are the types of data storage devices?
• Data Storage Devices / memory techniques
- Internal Memory
  • Processor Registers
  • Cache Memory
- Primary Memory/Main Memory
  • Random Access Memory (RAM)
  • Read Only Memory (ROM)
- Secondary Memory
- Virtual Memory
24. Explain about internal memory.
Internal Memory: This includes Processor Registers and Cache Memory.
25. Explain about following
• Processor registers
- Registers are internal memory within the CPU, which are very fast and very small.
- Registers:
  • Accumulators
  • Address Registers
  • Storage Registers
  • Miscellaneous
• Cache memory
Cache (pronounced as cash) is a smaller, faster memory, which stores copies of the data from the most frequently
used main memory locations so that the Processor/Registers can access it more rapidly than main memory.
• Virtual memory
Virtual memory combines the computer’s RAM with temporary space on the hard disk. When RAM runs low, virtual
memory moves data from RAM to a space called a paging file. Moving data to and from the paging file frees up
RAM to complete its work. Thus, Virtual memory is an allocation of hard disk space to help RAM.
26. Short Note on Primary memory and its types.
- Primary Memory/Main Memory
  • Random Access Memory (RAM)
  • Read Only Memory (ROM)
27. Short note on main memory and its types
- Primary Memory/Main Memory
  • Random Access Memory (RAM)
  • Read Only Memory (ROM)
28. What is RAM and ROM. Explain the difference between RAM and ROM.
RAM: Volatile in nature, meaning information is lost as soon as power is turned off.
ROM: Non-volatile in nature (contents remain even in the absence of power).
29. Short Note on secondary memory.
The most common forms of secondary storage are: USB Pen Drives, Floppy drive, Hard Drive, CD, DVD and Smart
cards.
30. What is virtual memory? Explain with diagram.
Virtual memory combines the computer’s RAM with temporary space on the hard disk. When RAM runs low, virtual
memory moves data from RAM to a space called a paging file. Moving data to and from the paging file frees up RAM
to complete its work. Thus, Virtual memory is an allocation of hard disk space to help RAM.
31. Short note on output devices.
Display devices include CRT monitors, LCD monitors and displays, gas plasma monitors, and televisions.
32. Explain types of outputs
• Textual output
• Graphical output
• Tactile output
• Audio output
• Video output
33. Short note on software.
Software is defined as a set of instructions that tell the hardware what to do. Software is created through the process of
programming. Without software, the hardware would not be functional. Software can be broadly divided into two
categories: Operating Systems Software and Application Software
34. What are the categories of software?
Operating Systems Software and Application Software
35. Explain about operating system. / Operating Systems Software
An Operating System (OS) is a set of computer programs that manages computer hardware resources and acts as an
interface with computer applications programs.
Some prominent Operating systems used nowadays are Windows 7, Windows 8, Linux, UNIX, etc.
37. What are the various activities executed by operating system?
• Performing hardware functions
• User Interfaces
• Hardware Independence
• Memory Management
• Task Management
• Networking Capability
• Logical Access Security
• File management
38. Explain about application software.
Application software includes all computer software that causes a computer to perform useful tasks beyond the
running of the computer itself. It is a collection of programs which address a real-life problem of its end users, which
may be a business, scientific or any other problem.
39. Explain about different types of application softwares.
• Application Suite: Has multiple applications bundled together. Related functions, features and user interfaces
interact with each other. E.g. MS Office 2010 which has MS Word, MS Excel, MS Access, etc.
• Enterprise Software: Addresses an enterprise’s needs and data flow in a huge distributed environment. E.g. ERP
Applications like SAP.
• Enterprise Infrastructure Software: Provides capabilities required to support enterprise software systems. E.g.
email servers, Security software.
• Information Worker Software: Addresses individual needs required to manage and create information for
individual projects within departments. E.g. Spreadsheets, CAAT (Computer Assisted Audit Tools) etc.
• Content Access Software: Used to access contents and addresses a desire for published digital content and
entertainment. E.g. Media Players, Adobe Digital etc.
• Educational Software: Holds contents adapted for use by students. E.g. Examination Test CDs
• Media Development Software: Addresses individual needs to generate and print electronic media for others to
consume. E.g. Desktop Publishing, Video Editing etc.
40. Explain following application software with example:
• Application suite
• Enterprise software
• Enterprise Infrastructure software
• Information worker software
• Content access software
• Educational software
• Media development software
41. What are the benefits of application software?
• Addressing User needs
• Less threat from virus
• Regular updates
42. What are the disadvantages of application software?
• Development is costly
• Infection from Malware
43. Short note on application areas of computer based applications.
• Finance and accounting
• Marketing and sales
• Production or manufacturing
• Inventory/stores management
• HRM
44. Explain application of computer based applications on following areas
• Finance and accounting
• Marketing and sales
• Production or manufacturing
• Inventory/stores management
• HRM
Part 3 - DBMS
45. Short Note on Data
Data are the raw bits and pieces of information with no context. Data can be quantitative or qualitative.
46. Write down detail note on database.
• A database is an organized collection of related information.
• The goal of many information systems is to transform data into information to generate knowledge that can be
used for decision making.
• To do this, the system must be able to take data, put the data into context, and provide tools for aggregation and
analysis. A database is designed for just such a purpose.
47. Explain database model hierarchy.
• The hierarchy of a database is as under:
  • Database
  • File
  • Record
  • Field
  • Characters
48. What is DBMS?
• A database is just an electronic filing cabinet, i.e. a collection of computerized data files. Even this simple system
helps us do various operations on the files. A DBMS may be defined as software that aids in organizing, controlling
and using the data needed by application programs.
49. What are the various operations of a DBMS on the files?
• A DBMS helps us do various operations on the files, such as:
  • Adding new files to the database,
  • Deleting existing files from the database,
  • Inserting data in existing files,
  • Modifying data in existing files,
  • Deleting data in existing files, and
  • Retrieving or querying data from existing files.
50. Write down about some of the prominent data base models.
Some prominent database models are as follows:
i) Hierarchical Database Model,
ii) Network Database Model,
iii) Relational Database Model, and
iv) Object Oriented Database Model
51. Short note about hierarchical database model.
In a Hierarchical Database Model, records are logically organized into a hierarchy of relationships.
52. Short note about Network database model
A network database model is a database model that allows multiple records to be linked to the same owner file.
53. Short note about Relational database model
A relational database contains multiple tables, where a similar value occurring in two different records (belonging
to the same table or to different tables) implies a relationship between those two records.
In a relational database, all the tables are related by one or more fields, so that it is possible to connect all the tables in
the database through the field(s) they have in common.
54. Short note about object oriented database model.
An Object-Oriented Database provides a mechanism to store complex data such as images, audio and video, etc. An
object-oriented database (also referred to as an object-oriented database management system or OODBMS) is a set of
objects. In these databases, the data is modeled and created as objects.
55. Explain about advantages of DBMS.
Major advantages of DBMS are given as follows:
• Permitting Data Sharing
• Minimizing Data Redundancy
• Integrity can be maintained
• Program and File consistency
• User-friendly
• Improved security
• Achieving program/data independence
• Faster Application Development
56. Explain about disadvantages of DBMS.
• Cost
• Security
57. Short note on Big data.
A new buzzword that has been capturing the attention of businesses lately is big data. The term refers to such
massively large data sets that conventional database tools do not have the processing power to analyze them. For
example, Walmart must process over one million customer transactions every hour.
58. Short note on Data warehouse.
The concept of the data warehouse is simple: extract data from one or more of the organization’s databases and load it
into the data warehouse (which is itself another database) for storage and analysis. However, the execution of this
concept is not that simple.
59. What criteria should be met in order to design a data warehouse?
• It uses non-operational data.
• The data is time-variant.
• The data is standardized.
• There are two primary schools of thought when designing a data warehouse: Bottom-Up and Top-Down.
60. Explain how data is standardized in a data warehouse. Explain ETL.
For the data warehouse to match up dates, a standard date format would have to be agreed upon and all data loaded
into the data warehouse would have to be converted to use this standard format. This process is called Extraction-
Transformation- Load (ETL).
61. Explain the two primary schools of thought when designing a data warehouse?
• There are two primary schools of thought when designing a data warehouse: Bottom-Up and Top-Down.
62. Explain the bottom-up approach while designing a data warehouse.
The Bottom-Up Approach starts by creating small data warehouses, called data marts, to solve specific business
problems. As these data marts are created, they can be combined into a larger data warehouse.
63. Explain top down approach while designing data warehouse.
The Top-Down Approach suggests that we should start by creating an enterprise-wide data warehouse and then, as
specific business needs are identified, create smaller data marts from the data warehouse.
64. What is data mart? Explain with example.
A data mart is a repository of data that is designed to serve a particular community of knowledge workers. The
difference between a data warehouse and a data mart can be confusing because the two terms are sometimes used
incorrectly as synonyms. A data warehouse is a central repository for all an organization's data.
Example: Finance Data mart, Marketing Data mart, Production Data mart, Sales Data mart
65. What are the benefits of data warehouse?
• Better understand the data collection
• A centralized view of all data
• Organization can generate one version of the truth.
• Snapshots of data can be taken over time
• Provides tools to combine data to analyze
66. Short Note on Data mining. What are the steps involved in data mining?
Data Mining is the process of analyzing data to find previously unknown trends, patterns, and associations (knowledge) to
make decisions.
Steps:
• Data
• Database
• Data Processing
• Data warehouse
• Information
• Data mining
• Patterns
• Business Decision
• Business knowledge.

Part 4 – Computer network and related concepts

67. Explain how a computer network increases the value of a business.
i) An increase in the efficiency of operations;
ii) Improvements in the effectiveness of management; and
iii) Innovations in the marketplace.
68. What is computer network?
• A Computer Network is a collection of computers and other hardware interconnected by communication
channels that allow sharing of resources and information.
• Where at least one process in one device can send/receive data to/from at least one process residing in a
remote device, the two devices are said to be in a network. A network is a group of devices
connected to each other.
69. Short note on network and communication system.
• These consist of both physical devices and software; they link the various pieces of hardware and transfer
data from one physical location to another.
• Computers and communications equipment can be connected in networks for sharing voice, data, images,
sound and video. A network links two or more computers to share data or resources such as a printer.
70. What does enterprise need to do to manage its information in an appropriate and desired manner?
Every enterprise needs to manage its information in an appropriate and desired manner. The enterprise must do the
following for this:
• Knowing its information needs;
• Acquiring that information;
• Organizing that information in a meaningful way;
• Assuring information quality; and
• Providing software tools so that users in the enterprise can access the information they require.
71. What is node?
Each component, namely the computer in a computer network is called a ‘Node’
72. Explain types of networks.
Networks could be of two types:
• Connection Oriented networks
• Connectionless Networks
73. What are the basic issues handled and addressed by networks?
• Routing
• Bandwidth
• Resilience
• Contention
74. Explain following:
• Routing: It refers to the process of deciding how to communicate the data from source to destination in a
network.
• Bandwidth: It refers to the amount of data which can be sent across a network in a given time.
• Resilience: It refers to the ability of a network to recover from any kind of error like connection failure, loss of
data etc.
• Contention: It refers to the situation that arises when there is a conflict for some common resource in a network.
For example, network contention could arise when two or more computer systems try to communicate at the same
time.
75. What are the important benefits of computer network?
• Distributed nature of information
• Resource Sharing
• Computational Power
• Reliability
• User communication
76. What are the impacts of telecommunications?
Telecommunications may provide these values through the following impacts:
a) Time compression
b) Overcoming geographical dispersion
c) Restructuring business relationships
77. Explain about packet.
The fundamental unit of data transmitted over the Internet.
78. Explain about repeater.
A repeater regenerates the signal over the same network before the signal becomes too weak or corrupted to extend
the length to which the signal can be transmitted over the same network.
79. Explain about hub
A simple network device that connects other devices to the network and sends packets to all the devices connected to
it.
80. What is bridge?
A bridge is a communications processor that connects two Local Area Networks (LANs) working on the same protocol.
81. What is switch?
A network device that connects multiple devices together and filters packets based on their destination within the
connected devices.
82. What is MAC Address?
These are most often assigned by the manufacturer of a Network Interface Controller (NIC) and are stored in its
hardware, such as the card’s read-only memory or some other firmware mechanism.
83. What is router?
• A device that receives and analyses packets and then routes them towards their destination. In some cases, a router
will send a packet to another router; in other cases, it will send it directly to its destination.
84. Detailed short note on network topology. What are the types of network topology?
• The term ‘Topology’ defines the physical or logical arrangement of links in a network. It is the geometric
representation of the relationship of all the links and linking devices (usually called Nodes) to each other.
• Common topologies are
- Star Network
- Bus Network
- Ring Network
- Mesh Network
85. Explain following:
• Star Network, which involves a central unit with a number of terminals tied into it;
• Bus Network, in which a single length of wire, cable, or optical fiber (called bus) connects several computers;
• Ring Network, much like a bus network, except the length of wire, cable, or optical fiber connects to form a loop;
and
• Mesh Network, in which each node is connected by a dedicated point to point link to every other node.
86. Short note on transmission mode. What are the types of transmission mode.
• It is used to define the direction of signal flow between two linked devices.
• There are three types of transmission modes, characterized by the direction of the exchanges:
- Simplex (wherein the data flows in only one direction, i.e. unidirectional),
- Half-Duplex (wherein the data flows in one direction or the other, but not both at the same time) and
- Duplex (in which the data flows in both directions simultaneously).
87. What is protocol?
In computer networking, a protocol is the set of rules that allow two (or more) devices to exchange information back
and forth across the network.
88. Short note on IP Address.

Every device that communicates on the Internet, whether it be a personal computer, a tablet, a smart phone, or anything
else, is assigned a unique identifying number called an IP (Internet Protocol) address.

89. Short note on domain name.
A Domain Name is a human-friendly name for a device on the Internet. These names generally consist of a
descriptive text followed by the top-level domain (TLD). For example, Wikipedia’s domain name is wikipedia.org.
90. Short note on DNS.
DNS acts as the directory of the Internet: when a request to access a device by its domain name is made, a
DNS server is queried. It returns the IP address of the requested device, allowing for proper routing.
91. Short note on packet switching.
• When a packet is sent from one device out over the Internet, it does not follow a straight path to its destination.
• Instead, it is passed from one router to another across the Internet until it reaches its destination.
• In fact, sometimes two packets from the same message will take different routes. Sometimes, packets will arrive
at their destination out of order.
• When this happens, the receiving device restores them to their proper order.
92. Short note on Wi-fi
Wi-Fi is a technology that takes an Internet signal and converts it into radio waves. These radio waves can be picked
up within a radius of approximately 65 feet by devices with a wireless adapter.
93. Short note on VOIP
• A protocol called VOIP enables sounds to be converted to a digital format for transmission over the Internet and
then recreated at the other end.
• By using many existing technologies and software, voice communication over the Internet is now available to
anyone with a browser (think Skype, Google Hangouts, WhatsApp calls).
Part 5 – Information system and controls
94. Short note on need for controls in information system.
• Today’s dynamic global enterprises need information integrity, reliability and validity for the timely flow of accurate
information throughout the organization.
• To reduce the probability of organizational costs from data loss, computer loss, computer abuse and incorrect
decision making, and to maintain privacy, an organization’s management must set up a system of internal
controls.
• Safeguarding assets to maintain accurate data readily available and its integrity to achieve system effectiveness
and efficiency is a significant control process.
95. Explain some categories of exposures.
Some categories of exposures are as follows:
• Errors or omissions in data, procedure, processing, judgment and comparison;
• Improper authorizations and improper accountability with regards to procedures, processing, judgment and
comparison; and
• Inefficient activity in procedures, processing and comparison.
96. Explain some of the critical controls lacking in a computerized environment.
Some of the critical controls lacking in a computerized environment are as follows:
• Lack of management understanding of IS risks and related controls;
• Absent or inadequate IS control framework;
• Absent or weak general controls and IS controls;
• Lack of awareness and knowledge of IS risks and controls amongst the business users and even IT staff;
• Complexity of implementation of controls in distributed computing environments and extended enterprises;
• Lack of control features or their implementation in highly technology driven environments; and
• Inappropriate technology implementations or inadequate security functionality in technologies implemented.
97. What are the two main purposes served by the control objectives?
• Outline the policies of the organization as laid down by the management; and
• A benchmark for evaluating whether control objectives are met.
98. What are the impacts of technology on controls?
• Competent and Trustworthy Personnel
• Segregation of Duties
99. Explain types of IS Controls on the basis of objective of controls.
• Preventive Controls
• Detective Controls
• Corrective Controls
• Compensatory Controls
100. Explain types of IS Controls on the basis of nature of IS resources.
• Environmental Controls
• Physical Access Controls
• Logical Access Controls
101. Explain types of IS Controls on the basis of audit functions.
• Managerial Controls
• Application Controls
102. Short note on preventive controls.
• Preventive Controls are those inputs which are designed to prevent an error, omission or
malicious act from occurring.
103. Short note on detective controls. Explain the characteristics of detective controls.
• These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence. In
other words, Detective Controls detect errors or incidents that elude preventive controls.
104. Short note on corrective controls.
• It is desirable to correct errors, omissions, or incidents once they have been detected.
105. What are the main characteristics of corrective controls?
• Minimizing the impact of the threat;
• Identifying the cause of the problem;
• Providing remedy to the problems discovered by detective controls;
• Getting feedback from preventive and detective controls;
• Correcting errors arising from a problem; and
• Modifying the processing systems to minimize future occurrences of the incidents.
106. Short note on environmental controls.
These are the controls relating to IT environment such as power, air-conditioning, Uninterrupted Power Supply
(UPS), smoke detection, fire-extinguishers, dehumidifiers etc.
107. Explain about controls for following environmental exposures.
• Fire Damage
• Power spikes
• Water damage
• Pollution damage and others
108. Short note on physical access controls
These are the controls relating to physical security of the tangible IS resources and intangible resources stored on
tangible media etc. Such controls include Access control doors, Security guards, door alarms, restricted entry to
secure areas, visitor logged access, CCTV monitoring etc.
109. What are the types of locks?
• Cipher locks (Combination Door Locks)
• Bolting Door Locks
• Electronic Door Locks
110. What are the physical identification mediums?
• Personal Identification Numbers (PIN)
• Plastic Cards
• Identification Badges
111. Difference between manual logging and electronic logging.
112. Explain following means of controlling physical access.
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Dead man doors
• Non exposure of sensitive facilities
• Computer terminal locks
• Controlled single entry point
• Alarm system
• Perimeter fencing
• Control of out-of-hours employees
• Secured report / document distribution cart
113. Short note on logical access control.
These are the controls relating to logical access to information resources such as operating systems controls,
application software boundary controls, networking controls, access to database objects, encryption controls etc.
Logical access controls are implemented to ensure that access to systems, data and programs is restricted to authorized
users to safeguard information against unauthorized use, disclosure or modification, damage or loss.
114. Short note on technical exposures.
Technical exposures include unauthorized implementation or modification of data and software.
Methods
• Data Diddling
• Bomb
• Christmas Card
• Worm
• Rounding Down
• Salami Techniques
• Trap Doors
• Spoofing
115. Short Note on Asynchronous attacks
Data waiting to be transmitted is liable to unauthorized access; such attacks are called asynchronous attacks.
116. Explain following Asynchronous attacks:
• Data leakage
• Subversive attacks
• Wire-tapping
• Piggybacking
117. Short note about logical access violators
• Hackers
• Employees (authorized or unauthorized);
• IS Personnel
• Former Employees
• End Users.
118. What are the types of logical access controls?
I. User Access Management:
• User Registration.
• Privilege management.
• User password management.
• Review of user access rights.
II. User Responsibilities:
• Password use.
• Unattended user equipment.
III. Network Access Control:
• Policy on use of network services
• Enforced path
• Segregation of networks
• Network connection and routing control
• Security of network services
• Firewall
• Encryption
• Call Back Devices
IV. Operating System Access Control:
Protecting operating system access is extremely crucial and can be achieved using the following steps.
• Automated terminal identification
• Terminal log-in procedures
• Access Token
• Access Control List
• Discretionary Access Control
• User identification and authentication
• Password management system
• Use of system utilities
• Duress alarm to safeguard users
• Terminal time out
• Limitation of connection time
V. Application and Monitoring System Access Control: Some of the steps are as follows:
• Information access restriction
• Sensitive system isolation
• Event logging
• Monitor system use
• Clock synchronization
119. Short note on User Access Management
User Access Management:
• User Registration.
• Privilege management.
• User password management.
• Review of user access rights.
120. Short note on logical access control on the basis of user responsibilities.
User Responsibilities:
 Password use.
 Unattended user equipment.
121. Short note on network access control
Network Access Control:
 Policy on use of network services:
 Enforced path:
 Segregation of networks:
 Network connection and routing control:
 Security of network services:
 Firewall:
 Encryption:
 Call Back Devices:
122. Short note on operating system access control.
Protecting operating-system access is crucial and can be achieved using the following controls.
 Automated terminal identification:
 Terminal log-in procedures:
 Access Token:
 Access Control List:
 Discretionary Access Control:
 User identification and authentication:
 Password management system:
 Use of system utilities:
 Duress alarm to safeguard users:
 Terminal time out:
 Limitation of connection time:
123. Short note on Application and monitoring system access control.
 Information access restriction:
 Sensitive system isolation:
 Event logging:
 Monitor system use:
 Clock synchronization:
124. What is mobile computing?
Mobile Computing is a technology that allows transmission of data, voice and video via a wireless-enabled device
without having to be connected to a fixed physical link.
125. What are the managerial controls?
 In this part, we examine the managerial controls that must be performed to ensure the development,
implementation, operation and maintenance of information systems in a planned and controlled manner in an
organization.
 The controls at this level provide a stable infrastructure in which information systems can be built, operated,
and maintained on a day-to-day basis.
126. Explain about top management and IS management controls.
The controls adopted by the management of an enterprise are intended to ensure that the information systems function
correctly and that they meet the strategic business objectives.
127. What are the tasks involved at the time of preparing plans?
 Preparing the plan: This involves the following tasks:
 Recognizing opportunities and problems that confront the organization in which Information technology
and Information systems can be applied cost effectively;
 Identifying the resources needed to provide the required information technology and information systems;
and
 Formulating strategies and tactics for acquiring the needed resources.
128. What are the types of plans?
 Strategic plan and
 Operational plan
129. Short note on the role of the steering committee regarding top management and IS management controls.
The steering committee comprises representatives from all areas of the business, together with IT personnel. The
committee is responsible for the overall direction of IT, and should assume overall responsibility for the activities
of the information systems function.
130. Short note on system development management controls.
System development controls are targeted at ensuring that proper documentation and authorization are available for
each phase of the system development process. They include controls over new system development activities.
131. What are the six activities which deal with the system development controls in IT setup?
 System Authorization Activities:
 User Specification Activities:
 Technical Design Activities:
 Internal Auditor’s Participation
 Program Testing
 User Test and Acceptance Procedures:
132. Short note on programming management controls.
Program development and implementation is a major phase within the systems development life cycle. The primary
objectives of this phase are to produce or acquire and to implement high-quality programs.
133. What are the phases of the program development life cycle?
 Planning;
 Design;
 Control;
 Coding;
 Testing; and
 Operation and Maintenance
134. Short note on data resource management controls.
The control activities involved in maintaining the integrity of the database are as under:
a) Definition Controls:
b) Existence/Backup Controls
c) Access Controls:
d) Update Controls:
e) Concurrency Controls:
f) Quality Controls:
135. Short note on quality assurance management controls.
Quality Assurance management is concerned with ensuring that the —
 Information systems produced by the information systems function achieve certain quality goals; and
 Development, implementation, operation and maintenance of Information systems comply with a set of
quality standards.
136. What are the reasons for the emergence of quality assurance?
 Organizations are increasingly producing safety-critical systems.
 Organizations are undertaking more ambitious projects when they build software.
 Users are becoming more demanding in terms of their expectations about the quality of the software they
employ to undertake their work.
 Organizations are becoming more concerned about their liabilities if they produce and sell defective
software.
 Poor quality control over the production, implementation, operation, and maintenance of software can be
costly in terms of missed deadlines, dissatisfied users and customers, lower morale among IS staff, higher
maintenance costs, and strategic projects that must be abandoned.
 Improving the quality of information systems is part of a worldwide trend among organizations to
improve the quality of the goods and services they sell.
137. Short note on Security management controls.
Information security administrators are responsible for ensuring that information systems assets categorized under
Personnel, Hardware, Facilities, Documentation, Supplies, Data, Application Software and System Software are secure.
Assets are secure when the expected losses that will occur over some period of time are at an acceptable level.
138. Short note on major security threats and their controls.
139. Short note on BCP controls.
These controls are related to having an operational and tested IT continuity plan, which is in line with the overall
business continuity plan, and its related business requirements to make sure IT services are available as required and
to ensure a minimum impact on business in the event of a major disruption.
140. Short note on operations management controls. OR What are the functions of operations management
controls?
Operations management typically performs controls over the functions as below:
i) Computer Operations:
 Operation Controls:
 Scheduling Controls:
 Maintenance Controls:
ii) Network Operations:
 Communication lines
 Hardware
 Software
iii) Data Preparation and Entry:
iv) Production Control:
v) File Library:
vi) Documentation and Program Library:
vii) Help Desk/Technical support:
viii) Capacity Planning and Performance Monitoring
ix) Management of Outsourced Operations:
141. Explain about applications controls
The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update
and storage. The specific controls could include form design, source document controls, input, processing and output
controls, media identification, movement and library management, data back-up and recovery, authentication and
integrity, legal and regulatory requirements.
143. What are the categories of application controls?
 Boundary Controls
 Input controls
 Communication controls
 Processing controls
 Database controls
 Output controls
143. Short note on boundary controls
 Purposes
 Identification
 Authentication
 Authorization
 Major boundary controls are as follows:
 Cryptography
 Passwords
 Personal Identification Numbers (PIN)
 Identification Cards
 Biometric Devices
144. What are the major purposes of boundary controls?
 Purposes
 Identification
 Authentication
 Authorization
145. What do you mean by cryptography?
Cryptography deals with programs for transforming data into cipher text that is meaningless to anyone who does not
possess the key needed to access the respective system resource or file. A cryptographic technique encrypts data
(clear text) into cryptograms (cipher text); its strength is measured by the time and cost a cryptanalyst would need
to recover the clear text without the key.
146. Classifications of input control.
A. Source Document control
B. Data Coding Control
C. Batch Control
D. Validation Control
147. Short note on source document control.
 Use pre numbered source documents
 Use source documents in sequence
 Periodically audit source documents
148. Short note on errors in data coding control.
Two types of errors
 Transcription errors, in which a single character is recorded wrongly
- Addition errors: an extra character is keyed (e.g. 12345 recorded as 123455)
- Truncation errors: a character is dropped (12345 recorded as 1234)
- Substitution errors: one character is replaced by another (12345 recorded as 12845)
 Transposition errors, in which characters are recorded in the wrong order
- Single transposition: two adjacent characters are swapped (12345 recorded as 12435)
- Multiple transposition: non-adjacent characters are swapped (12345 recorded as 14325)
149. Short note on batch controls
 Batch control relates to the concept of batch processing, in which a group of transactions or input records is
processed together as a unit.
 Batch controls are used to verify the completeness and accuracy of batches after they are processed. They
detect loss, duplication, and corruption of data during processing.
 Types
 Financial totals
 Hash totals
 Document / Record Counts
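The three batch totals above catch different kinds of damage, and the usual exam point is why a hash total is needed at all when the financial total and the record count already agree. The following added Python example (not code from the notes) registers all three totals when a constructed batch is entered, re-derives them after processing, and reports which control disagrees for a lost record, a duplicated record, and a corrupted amount. Document numbers and amounts are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    doc_no: int    # pre-numbered source document; summed only for the hash total
    account: str
    amount: int    # amount in cents, so totals are exact integers


def batch_totals(batch):
    """Control totals taken when the batch is entered: record count, financial total over the
    amount field, and a hash total over the document numbers (a field with no financial meaning)."""
    return {
        "count": len(batch),
        "financial": sum(t.amount for t in batch),
        "hash": sum(t.doc_no for t in batch),
    }


def check_batch(control, processed):
    """Re-derive the totals after processing and return the names of the controls that disagree
    with the totals registered at entry (an empty list means the batch reconciles)."""
    actual = batch_totals(processed)
    return sorted(name for name in control if control[name] != actual[name])


# Constructed sample batch (assumption): four payments, two of them for the same amount.
BATCH = [
    Txn(1001, "A-1", 12500),
    Txn(1002, "A-2", 3999),
    Txn(1003, "A-3", 700),
    Txn(1004, "A-4", 12500),
]
CONTROL = batch_totals(BATCH)


def scenarios():
    """Which control catches which kind of damage to the batch during processing."""
    lost = BATCH[:-1]                                      # last record dropped
    duplicated = [BATCH[0], BATCH[1], BATCH[2], BATCH[0]]  # 1004 replaced by a copy of 1001
    corrupted = [BATCH[0], BATCH[1], Txn(1003, "A-3", 7000), BATCH[3]]  # amount damaged
    return {
        "intact": check_batch(CONTROL, BATCH),
        "lost record": check_batch(CONTROL, lost),
        "duplicated record": check_batch(CONTROL, duplicated),
        "corrupted amount": check_batch(CONTROL, corrupted),
    }


if __name__ == "__main__":
    for name, failed in scenarios().items():
        print(f"{name:18s} -> {failed or 'reconciles'}")
```

In the duplicated-record case the count and the financial total both still agree, because the copy of document 1001 carries the same amount as the lost document 1004; only the hash total over the document numbers notices the substitution.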
150. What are the validation controls?
 Field Interrogation:
 Limit Check:
 Picture Checks:
 Valid Code Checks:
 Check Digit:
 Arithmetic Checks:
 Cross Checks:
 Record Interrogation:
 Reasonableness Check:
 Valid Sign:
 Sequence Check:
 File Interrogation:
 Version Usage:
 Internal and External Labeling:
 Data File Security:
 Before and after Image and Logging
 File Updating and Maintenance Authorization
 Parity Check
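Worked illustration of field interrogation, covering the coding errors of question 148 and the validation controls of question 150. This is an added Python example, not code from the notes: it computes and verifies a modulus-10 (Luhn) check digit, then applies picture, valid code, valid sign, limit and sequence checks to a constructed transaction record. The account picture, transaction codes and limit are assumptions chosen for the example. One caveat worth remembering: the Luhn scheme detects every single substitution and every adjacent transposition except the pair 09/90, so a check digit reduces, but does not eliminate, the need for the other checks.

```python
import re


def luhn_check_digit(payload: str) -> str:
    """Compute the modulus-10 (Luhn) check digit to append to a numeric payload."""
    total = 0
    # Working from the right, the digit nearest the check-digit position is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Verify a number that carries its check digit in the last position."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


# Field interrogation rules for one transaction record (constructed for this example).
ACCOUNT_PICTURE = re.compile(r"[A-Z]{2}[0-9]{6}")   # picture check: two letters, six digits
VALID_TXN_CODES = {"DR", "CR"}                     # valid code check
AMOUNT_LIMIT = 1_000_000                           # limit check, in cents


def validate_record(rec, prev_seq=None):
    """Return the validation failures for one record (an empty list means it passes).

    rec carries the fields seq, account, customer_id, txn_code and amount.
    """
    errors = []
    if prev_seq is not None and rec["seq"] <= prev_seq:
        errors.append("seq: sequence check failed")
    if not ACCOUNT_PICTURE.fullmatch(rec["account"]):
        errors.append("account: picture check failed")
    if not luhn_valid(rec["customer_id"]):
        errors.append("customer_id: check digit failed")
    if rec["txn_code"] not in VALID_TXN_CODES:
        errors.append("txn_code: valid code check failed")
    if rec["amount"] <= 0:
        errors.append("amount: valid sign check failed")
    elif rec["amount"] > AMOUNT_LIMIT:
        errors.append("amount: limit check failed")
    return errors


# Constructed records: a clean one, then one with a transposed customer id and other faults.
GOOD = {"seq": 1, "account": "AB123456", "customer_id": "79927398713",
        "txn_code": "DR", "amount": 4500}
BAD = {"seq": 1, "account": "AB12345", "customer_id": "79927398731",
       "txn_code": "XX", "amount": -4500}

if __name__ == "__main__":
    print(luhn_check_digit("7992739871"))  # 3
    print(validate_record(GOOD))           # []
    print(validate_record(BAD, prev_seq=1))
```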
151. What is record interrogation and file interrogation? Specify the techniques.
 Record Interrogation:
 Reasonableness Check:
 Valid Sign:
 Sequence Check:
 File Interrogation:
 Version Usage:
 Internal and External Labeling:
 Data File Security
152. Short note on communication controls.
 Physical component controls
 Line error controls
 Flow control
 Link controls
 Topological controls
 Channel access control
 Internetworking control
153. What are the physical components affecting reliability of communication subsystem?
 Transmission media
 Communication lines
 Modem
 Port protection devices
 Multiplexers and concentrators
154. Short note on
 Physical component controls
These controls incorporate features that mitigate the possible effects of exposures. Following are the physical
components: Transmission media, Communication lines, Modem, Port protection devices, Multiplexers and
concentrators
 Line error controls
Whenever data is transmitted over a communication line, it can be received in error because of attenuation,
distortion, or noise on the line. These errors must be detected and corrected.
Steps:
 Error Detection:
 Error Correction:
 Flow control
Flow controls are needed because two nodes in a network can differ in the rate at which they send, receive, and
process data. For example, a mainframe can transmit data to a microcomputer terminal faster than the microcomputer
can display it on its screen, and the microcomputer has only limited buffer space in which to hold the backlog.
 Link controls
In a Wide Area Network (WAN), line error control and flow control are important functions of the component that
manages the link between two nodes in the network. Link management components commonly use two protocols,
HDLC (High-level Data Link Control) and SDLC (Synchronous Data Link Control).
 Topological controls
A communication network topology specifies the location of nodes within a network, the ways in which these
nodes will be linked, and the data transmission capabilities of the links between the nodes
 Channel access control
Two different nodes in a network can compete to use a communication channel. Whenever the possibility of
contention for the channel exists, some type of channel access control technique must be used. These techniques
fall into two classes:
- Polling methods and
- Contention methods.
 Internetworking control
Internetworking is the process of connecting two or more communication networks together to allow the users of
one network to communicate with the users of other networks.
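Worked illustration of the error detection step of the line error controls above (and of the parity check listed under question 150). This is an added Python example, not code from the notes. It compares a single parity bit with the CRC-16 polynomial used by the HDLC family of link protocols on a constructed frame: one flipped bit is caught by both, but two flipped bits leave the parity unchanged and are caught only by the CRC. The frame contents and the flipped bit positions are assumptions chosen for the demonstration.

```python
def even_parity_bit(frame: bytes) -> int:
    """Longitudinal even-parity bit over the whole frame: 1 when the count of set bits is odd."""
    return sum(bin(b).count("1") for b in frame) & 1


def crc16_ccitt(frame: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (polynomial x^16 + x^12 + x^5 + 1), computed bit by bit."""
    crc = init
    for byte in frame:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def flip_bits(frame: bytes, positions) -> bytes:
    """Simulate line noise by inverting the given bit positions (bit 0 = LSB of byte 0)."""
    buf = bytearray(frame)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def detected(sent: bytes, received: bytes) -> dict:
    """Receiver-side check: does each redundancy scheme notice that the frame changed?"""
    return {
        "parity": even_parity_bit(sent) != even_parity_bit(received),
        "crc16": crc16_ccitt(sent) != crc16_ccitt(received),
    }


# Constructed frame (assumption) used for the demonstration below.
FRAME = b"PAY 00012500 TO A-1004 REF 1004"


def demo() -> dict:
    """One-bit and two-bit corruption of FRAME, checked by both schemes."""
    return {
        "one bit flipped": detected(FRAME, flip_bits(FRAME, [13])),
        "two bits flipped": detected(FRAME, flip_bits(FRAME, [13, 77])),
    }


if __name__ == "__main__":
    print(hex(crc16_ccitt(b"123456789")))  # 0x29b1, the published check value for this CRC
    for case, result in demo().items():
        print(case, result)
```

A parity bit detects any odd number of flipped bits and misses any even number; the CRC-16 polynomial above detects all one-, two- and odd-count bit errors and any burst of up to 16 bits within frames of the lengths used on data links, which is why link protocols use a CRC rather than parity on the frame as a whole.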
155. Short note on processing control.
 Processor Control
 Real memory controls
 Virtual memory controls
 Data processing control
156. Short note on processor control. OR What are the four types of controls that can be used to reduce expected
losses from faults in the CPU?
 Error detection
 Multiple execution states
 Timing controls
 Component Replication
157. What are real memory controls?
Real memory controls seek to detect and correct errors that occur in memory cells and to protect areas of memory
assigned to one program from illegal access by another program.
158. What are virtual memory controls?
Virtual memory allows a program to address more memory than is physically present. To achieve this, a control
mechanism must map virtual memory addresses into real memory addresses and confine each program to its own
address space.
159. What are data processing controls?
 Run-to-Run Totals
 Reasonableness Verification
 Edit Checks
 Field Initialization
 Exception Reports
160. Short note on database controls.
 Update Controls
o Sequence Check between Transaction and Master Files
o Ensure All Records on Files are processed
o Process multiple transactions for a single record in the correct order
o Maintain a suspense account
 Report controls
o Standing Data
o Print-Run-to Run control Totals
o Print Suspense Account Entries
o Existence/Recovery Controls:
161. Explain major update controls
a. Sequence Check between Transaction and Master Files
b. Ensure All Records on Files are processed
c. Process multiple transactions for a single record in the correct order
d. Maintain a suspense account
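The four update controls above are easiest to see in the classic sequential master-file update, where a sorted transaction file is matched against a sorted master file in one pass. The following added Python example (not code from the notes) implements that update with a sequence check, applies multiple transactions for one key in order, writes every master record whether updated or not, holds unmatched transactions in a suspense file, and proves the run with a run-to-run total (the data processing control of question 159). The account keys, balances and transactions are constructed for the illustration.

```python
def sequence_check(transactions):
    """Sequence check between transaction and master files: transactions must be sorted by
    master key and, within one key, by sequence number, so that the single pass below meets
    every transaction exactly when its master record is in hand."""
    for prev, cur in zip(transactions, transactions[1:]):
        if (cur["key"], cur["seq"]) <= (prev["key"], prev["seq"]):
            raise ValueError(f"sequence check failed at transaction seq={cur['seq']}")


def update_master(master, transactions):
    """Sequential master-file update.

    master:       list of {"key", "balance"} sorted by key
    transactions: list of {"seq", "key", "amount"} sorted by key, then seq
    Returns (new master file, suspense file, control record).
    """
    sequence_check(transactions)
    new_master, suspense = [], []
    applied_count = applied_total = 0
    ti = 0
    for rec in master:
        # Transactions whose key precedes this master record have no parent: hold them in suspense.
        while ti < len(transactions) and transactions[ti]["key"] < rec["key"]:
            suspense.append(transactions[ti])
            ti += 1
        balance = rec["balance"]
        # Apply every transaction for this key, in sequence order, before writing the record.
        while ti < len(transactions) and transactions[ti]["key"] == rec["key"]:
            balance += transactions[ti]["amount"]
            applied_count += 1
            applied_total += transactions[ti]["amount"]
            ti += 1
        # Every master record is written out, whether or not it was updated.
        new_master.append({"key": rec["key"], "balance": balance})
    # Transactions left after the last master record have no parent either.
    suspense.extend(transactions[ti:])
    control = {
        "master_in": len(master),
        "master_out": len(new_master),
        "txns_in": len(transactions),
        "applied": applied_count,
        "suspense": len(suspense),
        # Run-to-run total: opening balances plus applied amounts must equal closing balances.
        "balanced": sum(r["balance"] for r in master) + applied_total
                    == sum(r["balance"] for r in new_master),
    }
    return new_master, suspense, control


def fails_sequence_check(transactions):
    """True when the sequence check rejects the transaction file."""
    try:
        sequence_check(transactions)
        return False
    except ValueError:
        return True


# Constructed sample files (assumption): balances in cents; key A-9 has no master record.
MASTER = [{"key": "A-1", "balance": 10000},
          {"key": "A-2", "balance": 25000},
          {"key": "A-3", "balance": 0}]
TXNS = [
    {"seq": 1, "key": "A-1", "amount": -3000},
    {"seq": 2, "key": "A-1", "amount": 1000},
    {"seq": 3, "key": "A-2", "amount": 5000},
    {"seq": 4, "key": "A-9", "amount": 7500},
]

if __name__ == "__main__":
    new, susp, ctl = update_master(MASTER, TXNS)
    print(new, susp, ctl, sep="\n")
    print(fails_sequence_check([TXNS[1], TXNS[0]] + TXNS[2:]))  # True
```

The control record is what the report controls of question 162 print: record counts in and out, transactions applied plus suspense entries reconciling to transactions in, and the run-to-run total. A transaction file that is out of order is rejected before any record is touched, rather than being applied partially.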
162. Explain major report controls
o Standing Data
o Print-Run-to Run control Totals
o Print Suspense Account Entries
o Existence/Recovery Controls
163. Short note on output controls
 Storage and Logging of sensitive, critical forms
 Logging of output program executions
 Spooling/Queuing
 Controls over printing
 Report Distribution and Collection Controls
 Retention Controls
Part 6 – IS Auditing
164. What are the major objectives of IS audit?
 Asset Safeguarding
 Data Integrity
 System Effectiveness
 System Efficiency
165. Explain need of audit of information system.
 Organisational Costs of Data Loss
 Cost of Incorrect Decision Making
 Costs of Computer Abuse
 Value of Computer Hardware, Software and Personnel
 High Costs of Computer Error
 Maintenance of Privacy
 Controlled evolution of computer Use
166. Short note on IS audit evidence.
Evidences are also necessary for the following purposes:
 Means of controlling current audit work;
 Evidence of audit work performed;
 Schedules supporting or additional item in the accounts; and
 Information about the business being audited, including the recent history.
167. What are the inherent limitations of audit?
168. Short note on concurrent or continuous audit.
Today, organizations produce information on a real-time, online basis. Real-time recording needs real-time auditing
to provide continuous assurance about the quality of the data; this is continuous auditing. Continuous auditing
enables auditors to significantly reduce, and perhaps eliminate, the time between the occurrence of the client's
events and the auditor's assurance services on them.
169. What are the types of audit tools?
 Snapshot technique
 ITF
 SCARF
 CIS
 Audit Hooks
170. Short note on the following audit tools
 Snapshot technique
Tracing a transaction through a computerized system can be performed with the help of snapshots or extended records.
The snapshot software is built into the system at the points where material processing occurs and takes images of
the transaction as it moves through the application.
 ITF (Integrated Test Facility)
The ITF technique involves the creation of a dummy entity in the application system files and the processing of
audit test data against that entity as a means of verifying processing authenticity, accuracy, and completeness.
 SCARF (System Control Audit Review File)
Embedded audit routines collect information about transactions or events of interest and write it onto a special
audit file, the SCARF master file. Auditors then examine the information on this file to see whether some aspect of
the application system needs follow-up.
 CIS (Continuous and Intermittent Simulation)
This technique can be used to trap exceptions whenever the application system uses a database management
system.
 Audit Hooks
These are audit routines that flag suspicious transactions. For example, internal auditors at an insurance company
determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her
name or address and then subsequently withdrew funds from the policy.
171. Short note on audit trail, its types and objectives.
Audit Trails are logs that can be designed to record activity at the system, application, and user level. When properly
implemented, audit trails provide an important detective control to help accomplish security policy objectives.
Types
 Accounting audit trail
 Operations audit trail
Objectives
 Detecting Unauthorized Access
 Reconstructing Events
 Personal Accountability
172. Short note on the role of the auditor and auditing environmental controls.
 Role of Auditor in Auditing Environmental Controls
 Audit of Environmental Controls
- Power conditioning
- Backup power
- Heating, Ventilation, and Air Conditioning (HVAC)
- Water detection
- Fire detection and suppression
- Cleanliness
173. Short note on the role of the auditor and auditing physical access controls.
Role of IS Auditor in Auditing Physical Access Controls
 Risk assessment
 Controls assessment
 Review of documents
Audit
 Siting and marking
 Physical barriers
 Surveillance
 Guards and dogs
 Key-card systems
174. Short note on the role of the auditor and auditing logical access controls.
Role of IS Auditor in Auditing Logical Access Controls
 Network access paths
 Documentation
Audit
I) Audit of user access control
(i) User access control
 Authentication
 Access violations
 User account lockout
 Intrusion detection and prevention
 Dormant accounts
 Shared accounts
 System accounts
(ii) Password management
(iii) User access provisioning
 Access request processes
 Access approvals
 New employee provisioning
 Segregation of Duties (SOD)
 Access reviews
(iv) Auditing Employee Terminations
 Termination process
 Access reviews
 Contractor access and terminations
II) User Access Logs
 Centralized access logs
 Access log protection
 Access log review
 Access log retention
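Several of the user access control and user access log items above (access violations, account lockout, dormant accounts, shared accounts, access log review) come down to the same exercise: pull the centralized access log and look for the patterns a control should have prevented. The following added Python example (not code from the notes, and the log lines, account register and thresholds are all constructed for the illustration) reviews a small sample log for three things an IS auditor would test: failed-login bursts that should have triggered lockout and whether a login succeeded anyway, successful logins for one account from more than one source address within a few minutes, and accounts with no successful login in the review period.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a centralized access log (not real data); one event per line.
LOG = """\
2024-03-01T08:00:05Z user=alice src=10.0.0.5 result=OK
2024-03-01T08:00:31Z user=svc_backup src=10.0.9.9 result=OK
2024-03-01T09:12:00Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:12:04Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:12:09Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:12:15Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:12:20Z user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:12:27Z user=bob src=203.0.113.7 result=OK
2024-03-01T10:45:00Z user=carol src=10.0.0.8 result=OK
2024-03-01T10:46:10Z user=carol src=198.51.100.3 result=OK
"""

# Constructed account register (assumption): user -> date the account was created.
ACCOUNTS = {"alice": "2022-01-10", "bob": "2022-05-02", "carol": "2023-01-15",
            "dave": "2023-10-01", "svc_backup": "2021-06-30"}
REVIEW_DATE = datetime(2024, 3, 1, 12, 0)


def parse_log(text):
    """Turn the key=value log lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def review_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Return (accounts whose failures reached the lockout threshold inside the window,
    accounts that then logged in successfully, i.e. where lockout evidently did not fire)."""
    recent_fails = defaultdict(deque)
    worst = {}
    success_after_burst = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[ev["user"]]
        while q and ev["ts"] - q[0] > window:      # slide the window forward
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            worst[ev["user"]] = max(worst.get(ev["user"], 0), len(q))
        elif len(q) >= threshold:
            success_after_burst.append(ev["user"])
            q.clear()
    lockout_candidates = {u: n for u, n in worst.items() if n >= threshold}
    return lockout_candidates, success_after_burst


def multi_source_logins(events, window=timedelta(minutes=5)):
    """Accounts with successful logins from more than one source address inside the window:
    a sign of a shared account or a stolen credential."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "OK":
            by_user[ev["user"]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sources = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(sources) > 1:
                flagged.append(user)
                break
    return sorted(flagged)


def dormant_accounts(accounts, events, review_date, days=90):
    """Accounts with no successful login in the review period, measured from the last login
    or, for accounts never seen in the log, from the creation date."""
    last_ok = {}
    for ev in events:
        if ev["result"] == "OK":
            last_ok[ev["user"]] = max(last_ok.get(ev["user"], ev["ts"]), ev["ts"])
    cutoff = review_date - timedelta(days=days)
    dormant = []
    for user, created in accounts.items():
        last = last_ok.get(user, datetime.strptime(created, "%Y-%m-%d"))
        if last < cutoff:
            dormant.append(user)
    return sorted(dormant)


EVENTS = parse_log(LOG)

if __name__ == "__main__":
    print(review_failed_logins(EVENTS))              # ({'bob': 5}, ['bob'])
    print(multi_source_logins(EVENTS))               # ['carol']
    print(dormant_accounts(ACCOUNTS, EVENTS, REVIEW_DATE))  # ['dave']
```

The review only means something if the log itself is protected and complete (the access log protection and retention items above): an attacker who can edit the log removes the burst, and a log that is rotated after a week cannot show a 90-day dormancy.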
III) Investigative Procedures:
 Investigation policies and procedures
 Computer crime investigations
 Computer forensics
IV) Internet Points of Presence
 Search engines
 Social networking sites
 Online sales sites
 Domain names
 Justification of Online Presence
175. Short note on the role of the auditor and auditing managerial controls
 Top Management and Information Systems Management Controls
 System Development Management Controls
 Programming Management Controls
 Data Resource Management Controls
 Quality Assurance Management Controls
 Security Management Controls
 Operations Management Controls
176. What are the different types of audits during the system development process?
 Concurrent Audit
 Post implementation audit
 General Audit
177. What are the audit trails under programming management controls?
Audit trails exist in following phase
 Planning,
 Control
 Design
 Coding
 Testing
 Operation and maintenance
178. Write down the role of the auditor in auditing the following controls
 Data resource management controls
 Quality assurance management controls
 Security management controls
 Operations management controls
179. What are the accounting and operational audit trails in following controls?
 Boundary controls
 Input controls
 Communication controls
 Processing controls
 Database controls
 Output controls
180. Short note on organization structure and responsibilities.
Organizations require structure to distribute responsibility to groups of people with specific skills and knowledge. The
structure of an organization is depicted in an organization chart (org chart). Organizing and maintaining an
organization structure requires that many factors be considered. In most organizations, the organization chart is a
living structure that changes frequently, based upon several conditions.
181. What are the factors on which organization chart is based upon?
 Short and long term objectives
 Market conditions
 Regulation
 Available talent
182. Short note on the following regarding organization charts
 Short and long term objectives
 Roles and responsibilities
 Job titles and job descriptions
 Titles involved in executive management, software development, data management, systems management,
general operations, security operations and service desk teams.
183. Short note on segregation of duties and controls.
The concept of Segregation of Duties (SOD), also known as separation of duties, ensures that single individuals do
not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure
of sensitive data.
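Worked illustration of a segregation of duties check. This is an added Python example, not code from the notes: it flattens each user's roles into the permissions actually held, tests them against a list of conflicting permission pairs (detective check on existing assignments), and separately lists the role combinations that the provisioning process should refuse before they are ever granted (preventive check). The roles, permissions, conflict pairs and user assignments are constructed for the illustration.

```python
# Constructed role model (assumption): which permissions each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve"},
    "treasury":    {"payment.release"},
    "developer":   {"code.commit"},
    "release_mgr": {"code.deploy_prod"},
    "auditor":     {"log.read"},
}

# Pairs of permissions one person must never hold together, with the abuse each enables.
CONFLICTS = {
    ("vendor.create", "payment.release"): "create a fictitious vendor and pay it",
    ("invoice.enter", "invoice.approve"): "approve one's own invoices",
    ("code.commit", "code.deploy_prod"):  "push unreviewed code into production",
}

# Constructed user-to-role assignments (assumption).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "treasury"},
    "carol": {"developer", "release_mgr"},
    "dave":  {"ap_approver", "auditor"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Flatten a user's roles into the set of permissions actually held."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, conflicts=CONFLICTS):
    """Detective check: map each user to the conflicting permission pairs they hold
    (users with no conflict are omitted)."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = [pair for pair in conflicts if pair[0] in perms and pair[1] in perms]
        if hits:
            findings[user] = hits
    return findings


def role_pairs_in_conflict(role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Preventive check for the provisioning process: role combinations to reject at request
    time, derived from the role model alone rather than from existing assignments."""
    roles = sorted(role_permissions)
    toxic = []
    for i, r1 in enumerate(roles):
        for r2 in roles[i + 1:]:
            perms = role_permissions[r1] | role_permissions[r2]
            if any(a in perms and b in perms for a, b in conflicts):
                toxic.append((r1, r2))
    return toxic


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for pair in hits:
            print(f"{user}: holds {pair[0]} and {pair[1]} -> can {CONFLICTS[pair]}")
    print(role_pairs_in_conflict())
```

Checking permissions rather than role names matters because two roles with innocent names can together grant a toxic pair; the preventive list is what an access request workflow consults, and the detective scan is what the periodic access review runs over the live assignments.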