
A ChartBook on
INFORMATION SYSTEM AUDIT
for ISA 3.0 (New Course)

FCA RAJAT AGRAWAL

For better understanding, refer to this ChartBook along with our video lectures & quiz available at www.prokhata.com

4th Edition
CONTENTS

MODULE 1 : INFORMATION SYSTEMS AUDIT PROCESS
1 Concepts of IS Audit ... 1
2 IS Audit in Phases ... 3
3 IS Audit Tools & Techniques ... 9
4 Application Controls Review of Business Applications ... 11
5 Application Controls Review of Specialised Systems ... 13
6 IT Enabled Assurance Services ... 14

MODULE 2 : GOVERNANCE AND MANAGEMENT OF ENTERPRISE INFORMATION SYSTEMS
1 Concepts of Governance and Management of Information Systems ... 17
2 GRC Frameworks and Risk Management Practices ... 19
3 Key Components of A Governance ... 24
4 Performance Management Systems ... 27
5 Business Continuity Management ... 29

MODULE 3 : SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION
1 Project Management for SDLC ... 34
2 SDLC – Need, Benefits and Phases ... 39
3 Software Testing and Implementation ... 45
4 Application Controls ... 51

MODULE 4 : INFORMATION SYSTEMS OPERATIONS AND MANAGEMENT
1 Information Systems Management ... 54
2 Information Systems Operations ... 56
3 Software Operations & Management ... 59
4 Incident Response and Management ... 64

MODULE 5 : PROTECTION OF INFORMATION ASSETS
1 Introduction to Protection of Information Assets ... 67
2 Administrative Controls of Information Assets ... 69
3 IS Audit Tools & Techniques ... 72
4 Logical Access Controls ... 76
5 Network Security Controls ... 80

MODULE 6 : EMERGING TECHNOLOGIES
1 Artificial Intelligence ... 86
2 Blockchain ... 89
3 Cloud Computing ... 91
4 Data Analytics ... 94
5 Internet of Things ... 98
6 Robotic Process Automation ... 101

HOW TO PRACTICE QUESTIONS IN PROKHATA

MODULE WISE QUIZ / WEIGHTAGE WISE QUIZ

MODULE   WEIGHTAGE   TOPICS       BASIC LEVEL   ADVANCE LEVEL   VIDEO LECTURE
0        0%          0 Topics     0 Ques.       0 Ques.         09:01 Hr
1        18%         150 Topics   140 Ques.     164 Ques.       04:25 Hr
2        16%         152 Topics   172 Ques.     94 Ques.        06:44 Hr
3        18%         120 Topics   129 Ques.     129 Ques.       05:07 Hr
4        18%         48 Topics    60 Ques.      172 Ques.       03:14 Hr
5        22%         187 Topics   268 Ques.     114 Ques.       05:03 Hr
6        8%          43 Topics    118 Ques.     43 Ques.        05:04 Hr
TOTAL                700 Topics   887 Ques.     716 Ques.       39:00 Hr
                                  (2900 Ques. in all)

FEATURES
• Detailed explanation with my comments
• After submitting the quiz - sort all wrong answers
• Increase your analytical skill.
• You can retake quizzes multiple times.
• Practice topic-wise quiz after every chapter lecture.
• Each module-wise quiz is divided into 2 sections: basic & advance quiz (MTP)
• Save the quiz in between & continue solving anytime.
• Full mock tests in the last week in exam conditions.
• Track your progress with instant evaluation.
• Get a brief overview of each topic in colourful charts.

VISIT PROKHATA.COM > DASHBOARD > COURSES > ENROLLED COURSES > START COURSE > START COURSE
Chapter 1 Concepts of IS Audit Module - 1 Information Systems Audit Process

CHAPTER 1: CONCEPTS OF IS AUDIT

DEFINITIONS
Audit: An inspection of an organization's accounts, typically by an independent body.
Computer System: A complete and functional computer, including hardware & software.
Information: Data processed in a meaningful context that has value to the user.
Information Systems (IS): Systems designed to collect, process, store and distribute information. Four components of IS: Task, People, Structure and Technology.
Secure system: Computer hardware, software & procedures that are secure from unauthorized access, process information correctly, perform their intended functions and follow generally accepted security procedures.
Risk: Potential that a given threat will exploit the vulnerabilities of an asset to cause loss. Risk is the product of Probability and Impact. Another way of defining risk would be Threat exploiting Vulnerabilities.
Internal Control: Organisational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented, detected and corrected.
Business Process: A collection of tasks that produce a specific service.

Financial Audit vs IS Audit
• Financial Audit: Independent examination of financial information (manual systems).
• IS Audit: Independent review of automated information systems (computer interface).

CONCEPTS OF AUDIT
IS Audit (General standards of auditing are applicable to IS Audit.)
• As Internal Audit: Provide assurance; provide report on implemented controls; provide appropriate recommendations for mitigating control weaknesses.
• As External Audit: Part of statutory audit; scope bound by applicable regulatory requirement.
• As Specialized Audit: Penetration testing; audit of data centre; audit of business continuity plan; review of IT strategy.

Standard on Auditing (SA 200) - Basic principles of audit
1. Integrity, Objectivity and Independence: The auditor should maintain an impartial attitude.
2. Knowledge, Skill and Competence: Auditor should have adequate knowledge, training, experience and competence.
3. Confidentiality: Not disclose any such information to a third party unless there is any legal or professional duty to disclose.
4. Work performed by others: Should obtain reasonable assurance for work performed by others.
5. Documentation: Maintain documentary evidence in accordance with IS Auditing standards, guidelines and procedures.
6. Information systems and internal control: Evaluate internal controls to determine the nature, timing and extent of other audit procedures.
7. Audit Conclusions and reporting: Review and assess the conclusions drawn from the audit evidence.

CONCEPTS OF IT RISK
IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered to be a component of operational risk.
IT Risk in the Risk Hierarchy: Enterprise Risk is made up of Strategic Risk, Environment Risk, Market Risk, Credit Risk and Compliance Risk, with IT-Risk placed beneath them (as a component of operational risk). The hierarchy describes risk in the overall environment and provides a structure for managing IT risk.
The Risk Universe:
• Considers the overall business objectives
• Considers the full value chain of the enterprise
• Considers a full life-cycle
• Includes a logical and workable segmentation of the overall risk environment.
• Needs to be reviewed and updated on a regular basis
Risk Management: Process of identifying vulnerabilities & threats and deciding what countermeasures to take to reduce risk to an acceptable level based on the value of the information assets to the organization. The primary responsibility of risk management lies with management. Risk can be avoided, reduced, transferred, accepted, rejected/ignored.
Residual Risk - Risk Appetite: In case the residual risks after applying the controls exceed the risk appetite and have not been approved by the management, these should be reported along with appropriate remedial measures.
RISK BASED AUDITING: This approach is used to assess risk & to assist an IS Auditor to focus on high risk areas and in making the decision with regard to the sample size to perform either compliance testing and/or substantive testing. It also helps to relate the cost-benefit analysis of the controls to the known risks.

AUDITING IN A COMPUTERIZED ENVIRONMENT
Audit in a Computerized Environment: Overall scope & objectives of audit do not change in a computerised environment. Use of computers changes the methodology of processing and storage of information. Audit approach and audit evidence have moved from physical to digital.
Audit of Computerised Environment: The objective of the IS audit is to evaluate the adequacy of internal controls with regard to specific computer programs and the data processing environment as a whole. IS Audit is not only an audit of automated information processing systems but also includes audit of non-automated processes and their interfaces to the automated processes. It can be performed by audit and control professionals who have expertise in understanding business processes and internal controls and knowledge of information systems' risks and associated controls.

www.prokhata.com 1
CA Rajat Agrawal
AUDIT UNIVERSE
Audit universe consists of all risk areas that could be subject to audit, resulting in a list of possible audit engagements that could be performed. It may be organised by: Business Units; Product or service lines; Processes; Programs; Systems or controls.
Benefits of having an Audit Universe: It enables the audit activity to be clear about the extent of coverage of key risks and other risk areas each year.
Illustration: audit areas (Revenue, Stock & Receivable, Credit) are mapped to audit types (Risk Based Internal Audit, IS Audit, Forensic Audit) and to risk tiers:
• Tier 1 - High Risk: Full Coverage
• Tier 2 - Medium Risk: Medium Coverage
• Tier 3 - Low Risk: Low or No Coverage

CONCEPTS OF INTERNAL CONTROLS
Policies, procedures, practices and organizational structures which are implemented to reduce risks in the organisation to an acceptable level. Internal controls are developed to provide reasonable assurance to management that the organization's business objectives will be achieved and risk will be managed.
Classification: Internal Controls divide into General Controls and IS Controls; IS Controls divide into Application Controls and IT General Controls.
Types of IS Controls:
• Preventive Controls: Controls that prevent problems before they arise. Monitor both operations and inputs.
• Detective Controls: Controls that detect and report the occurrence of a threat.
• Corrective Controls: Controls that minimize the impact of a threat. Help in identification of the cause of the problem.

AUDIT RISK AND MATERIALITY
Audit Risk: Risk of issuing an unqualified report due to the auditor's failure to detect material misstatement. Audit risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR). Audit risk can be high, moderate or low depending on the sample size selected by the Auditor.
Inherent Risk: Susceptibility of an information resource to material theft, destruction or any kind of impairment, assuming that there are no related internal controls. Inherent risk for an audit assignment can be project related, revenue related or resource related. Inherent risk to business can depend on the nature of the business. After the implementation of controls, it is known as residual risk/net risk.
Control Risk: Risk that an error will not be prevented or detected and corrected on a timely basis by the internal control system.
Detection Risk: Risk that the IS Auditor's substantive procedures will not detect an error which could be material. It is the risk that is influenced by the actions of an auditor.
Materiality in case of:
• Financial Audit: Value & volume of transactions
• Regulatory Audit: Impact of non-compliance
• IS Audit: Effect or consequence of the risk in terms of potential loss
• Materiality is an important aspect of the professional judgment of the IS Auditor.
• Higher the level of materiality, lower is the risk that an IS auditor is, usually, willing to take.
Measures to assess materiality:
• Criticality of the business processes
• Cost of the system or operation
• Potential cost of errors
• Number of accesses/transactions/inquiries
• Nature, timing and extent of reports
• Nature and quantities of materials handled
• Service level agreement (SLA)
• Penalties for failure to comply
SA 320 - Audit Materiality is applied when conducting an IS Audit Engagement.
Standards on Materiality as per ITAF (3rd Edition):
1204.1 Auditor shall consider potential weaknesses or absences of controls which could result in a significant deficiency or a material weakness.
1204.2 Auditor shall consider audit materiality and its relationship to audit risk, nature, timing and extent of audit procedures.
1204.3 Auditor shall consider the cumulative effect of minor control deficiencies or weaknesses.
1204.4 Auditor shall disclose absence of controls, control deficiency, significant deficiency or material weakness.

ORGANIZATION OF IS AUDIT FUNCTION
The role of the IS Audit function is defined by the audit charter which defines the authority, scope and responsibility. Based on the overall guidelines defined in the audit charter, the audit function is created with specific roles and responsibilities.
Structure: Audit Charter (Authority, Scope & Responsibility) -> Audit Committee (Composition & Constitution) -> Department (IS Audit Function) -> Organization (skills and competent human resources) and Infrastructure (CAATs).
• IS audit function should be equipped with sufficient resources to discharge its duties efficiently and effectively.
Assurance function perspective: Which organizational structures are required to provide assurance? Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)?
1002 Organisational Independence: The IS audit shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.
Internal and External Audit Control Framework:
• Ensures the minimum quality of audits.
• Policies and procedures for risk assessment, planning, implementation and reporting are to be established.
Quality Assessment and Peer Reviews:
• Best auditing practices following the professional standards and pronouncements.
• IS Audit function is subject to both internal and external quality assessments, peer reviews, certification and accreditation.
• In case of external audit, the audit engagement letter defines the scope and objectives of the individual audit assignment.
Standards on Audit Performance:
1004 Reasonable Expectations
• Engagement can be completed in accordance with the IS audit and assurance standards.
• Scope of the engagement enables conclusion on the subject matter and addresses any restrictions.
• Management understands its obligations and responsibilities with respect to the provision.
1005 Due Professional Care
• Observance of applicable professional audit standards.
1006 Proficiency
• Possess adequate skills and proficiency in conducting IS audit.
• Possess adequate knowledge of the subject matter.
• Maintain professional competence through appropriate continuing professional education and training.
1007 Assertions
• Assertions against which the subject matter will be assessed are sufficient, valid and relevant.
1008 Criteria
1. Select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
2. Source the criteria from relevant authoritative bodies before accepting lesser-known criteria.

Chapter 2: IS Audit Phases Module : 1 - Information System Audit Process
CHAPTER 2: IS AUDIT IN PHASES

INTRODUCTION
Information Systems: integral part of business controls; most critical asset; more vulnerable to the -> IS Auditor.
IS Audit Phases:
• Plan: Understanding the environment and setting of objectives; Risk assessment & control identification; Audit program and procedures.
• Execute: Analytics, compliance and substantive testing; Sampling; Using CAATs and evaluating audit evidence.
• Report: Audit report and recommendations; Presentation to management; Follow-up review.

Audit Charter and Terms of Engagement
• IS Audit charter: The scope, authority, and responsibilities of the audit function should be the content of an audit charter.
• Senior management should approve the audit charter of an organization.
• Prime reason for review of an organization chart is to get an understanding of the authority and responsibility of individuals.
• The actions of an IS auditor are primarily influenced by the Audit Charter.
• Audit charter provides the overall authority for an auditor to perform an audit.
• The audit function should directly report to the audit committee because it should be independent of the business function and should have direct access to the audit committee of the board.
• The audit charter should clearly address the four aspects of purpose, responsibility, authority and accountability (Purpose + Responsibility + Authority + Accountability = Audit Charter).
Communication with Auditee: Effective communication with the Auditee involves:
• Describing the service, its scope and timeliness of delivery
• Providing cost estimates
• Describing problems and possible resolutions
• Providing accessible facilities for effective communication
• Determining the relationship between services offered & needs of the Auditee.
Audit charter forms a sound basis for communication with the Auditee & includes references to service level agreements such as: availability for unplanned work, delivery of reports, costs, response to Auditee complaints etc.

Quality Assurance Process
• This process is established to understand the Auditee's needs and expectations.
• The IS Audit standards require the IS Auditor to deploy and monitor completion of the assurance assignments with the staff.
• IS auditor should develop a standard approach, documentation and methodology with appropriate templates for various types of assignments.

Audit Engagement Letter
(SA) 210 Agreeing the terms of Audit Engagements requires auditor and client to agree on the terms of engagement and document them in the audit engagement letter. IS Audit is performed internally as per the audit charter; it may be outsourced to an external IS Auditor. External Auditor -> Audit Engagement Letter; Internal Auditor -> Audit Charter.

CONDUCTING AN IS AUDIT
IS Audit is necessary in today's business environment as business processes have been integrated into systems and a lot of decisions are being taken through these integrated systems. Conducting an IS Audit provides reasonable assurance about coverage of material items.
Setting up of audit objectives
• Audit objectives refer to the specific goals that must be met by the audit. One of the basic purposes of any IS audit is to identify control objectives and the related controls that address these objectives.
• In the absence of established audit objectives, the auditor will not be able to determine key business risks.
• Control objective refers to how an internal control should function.
• They often focus on substantiating the existence of internal controls & the appropriateness of their functioning.
• They are invariably set down at the beginning of the audit process.
• A major purpose of an Information Systems audit is to determine whether the internal control system design is robust and is operated effectively.
Request for proposal (RFP)
An RFP is a standard solicitation document to acquire services. A successful RFP supports principles of fair, open, and transparent procurement. The best proposal is awarded the contract, though it may or may not quote the lowest price. IS Auditor can play an important role in preparation and evaluation of responses to an RFP. RFP is most often used to acquire services, although it may be used in some circumstances to acquire goods.

AUDIT SCOPE
Scope and objectives are determined through discussion with the auditee management and a specific risk assessment. Scope of audit is determined by the management in case of internal audit and is set by statute if it is as per regulatory requirement.

Audit Planning
• Audit planning ensures that the audit is performed in an effective way and completed in a timely manner.
• Planning also assists in proper assignment of work to assistants and in coordination of work done by other auditors and experts.
• To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications, and relevant controls.
• IS audit and assurance professionals shall identify and assess risk relevant to the area under review when planning individual engagements and consider subject matter risk, audit risk and related exposure to the enterprise.
• The first step in risk-based auditing is to identify areas of high risk.
• Utilization of resources for high-risk areas is the major benefit of risk based audit planning.
• Identifying threats and vulnerabilities is the most important step in a risk assessment.
• The evaluation of vulnerabilities and threats to the data should be the first step to conduct a data center review.
• Once threats and vulnerabilities are identified, identifying and evaluating existing controls should be the next step.

Documents in the audit timeline
• Before audit: RFP; Response to RFP
• When audit begins (communication between auditor & organisation): Audit Charter; Audit Engagement Letter
• Then 2 new documents/processes develop: Audit Scope; Audit Planning
OBJECTIVES OF IS CONTROLS
Ensure risk management processes are implemented as per the risk management strategy, which involves risk avoidance, elimination, transfer and acceptance.
Objectives of IS Controls:
Principles of Fiduciary
• Reliability: Information processes should be reliable and accessible as and when needed.
• Compliance: Complying with laws, regulations and contractual regulations.
Principles of Quality
• Efficiency: Right amount of resources to deliver a process, service or activity, needed to determine value for money.
• Effectiveness: Objectives of a process, service or activity have been achieved.
Principles of Security
• Confidentiality: Ability to control or restrict access. The principles of confidentiality are "need-to-know" or "least privilege".
• Integrity: Means information is accurate and reliable and has not been changed or tampered with. Covers Authenticity, Non-repudiation & Accountability.
• Availability: Available when it is needed; preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

UNDERSTANDING THE IT ENVIRONMENT OF AUDITEE
Business of the Entity: IS Auditor should obtain a preliminary knowledge of the entity and of the nature of ownership, management, regulatory environment and operations of the entity.
Organization Structure: Organizational structure activities are task allocation, coordination and supervision. Organizational structure allows the allocation of responsibilities for different functions and processes.
IT Infrastructure: IS Auditor has to keep in mind the present IT infrastructure capacities, the age of hardware and software, licensing agreements and third party vendor agreements.
Regulations, Standards, Policy, Procedures, Guidelines & Practices
The IS auditor should ensure that specific regulatory requirements as applicable for the assignment are included as one of the primary criteria for evaluation. Identify regulations applicable to the organisation; identify compliance requirements.
SA 250 "Considerations of laws and regulations in conducting an Audit": Auditor has to obtain just a general understanding of the laws and regulations and should alert the management of the material non-compliances and applicable penalties.
Information Technology Act 2000 (Amended in 2008):
• Section 7A: Audit of documents etc. maintained in electronic form.
• Section 43A: It provides that a body corporate possessing sensitive personal data and being negligent, resulting in wrongful loss or wrongful gain, may be held liable to pay damages; there is no upper limit for the compensation.
• Section 66 to 66F and 67: Sending offensive messages using electronic medium, IT for unacceptable purposes, dishonestly stolen computer resources, unauthorized access to computer resources, identity theft/cheating by impersonating using computer, violation of privacy, cyber terrorism/offences using computer, publishing or transmitting obscene material.
• Section 72A: Disclosure of information, without the consent of the person concerned and in breach of lawful contract, has also been made punishable with imprisonment for a term extending to three years or fine extending to INR 5,00,000 or with both.
Section 404 of Sarbanes Oxley Act, 2002 (SOX): The independent Auditor is required to opine on the effectiveness of internal controls over financial reporting in addition to the fair presentation of the organization's financial statements.
Public Company Accounting Oversight Board (PCAOB): Standard 5 of the PCAOB establishes requirements and provides direction that applies when an Auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting.
LODR – Listing Obligations & Disclosure Requirements of SEBI on Corporate Governance
Audit Committee: The role of the audit committee has sharpened with specific responsibilities including recommending appointment of Auditors and monitoring their independence and performance, approval of related party transactions, scrutiny of intercorporate loans and investments, valuation of undertaking/assets etc.
ISO/IEC 27001:
ISO/IEC 27001:2013 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. ISO/IEC 27001 is basically an Information security management system established by the International Standards Organization in association with the International Electrotechnical Commission. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts. ISO/IEC 27001:2013 is a formalized specification with two distinct purposes:
• It lays out what an organization can do to implement an ISMS.
• It can be used as a basis for formal compliance assessment.
ISO/IEC 27002:
ISO/IEC 27002:2013 is a code of practice - a generic, advisory document, not a formal specification. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information.

FRAMEWORK AND BEST PRACTICES OF IS AUDIT
ITAF (3rd edition)
Information Technology Assurance Framework (ITAF) is a comprehensive good-practice-setting reference model that: establishes standards, defines terms and concepts, provides guidance and tools for audit and assurance.
ITAF audit and assurance standards are divided into three categories:
• General standards (1000 series): The guiding principles under which the IS assurance profession operates. Deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series): Deal with the conduct of the assignment: assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series): Address the types of reports, means of communication and the information communicated.
COBIT 2019 Framework Principles, Components and Core Models
COBIT 2019 is a globally accepted framework that caters for the governance and management of enterprise information and technology. It helps ensure effective enterprise governance and management of Information and Technology.
Governance System Principles of COBIT 2019
1: Provide Stakeholder Value: By maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 2019 provides all of the required processes and other enablers to support business value creation.
2: End to End Governance System: Governance system should focus not only on the IT function but on all technology and information processing.
3: Tailored to Enterprise Needs: Governance system should be customized to the enterprise needs, using a set of design factors to customise and prioritise the governance system components.
4: Holistic Approach: Efficient and effective governance and management of enterprise I&T require a holistic approach, taking into account several integrating components.
5: Governance distinct from Management: Different types of activities require different organizational structures and serve different purposes.
6: Dynamic Governance System: Each time one or more of the design factors changes, the impact of these changes on the Enterprise Governance of Information and Technology (EGIT) system must be considered.
Components/Enablers of the Governance system are:
• Processes
• Organizational structures
• Information flows and items
• People, skills and competence
• Policies and procedures
• Culture, ethics and behaviour
• Services, infrastructure and applications
Using COBIT 2019 for IS Assurance: It is written in a non-technical language and usable not only by IT professionals and consultants but also by senior management. Globally, from the GRC perspective, COBIT has been widely used with COSO by management, IT professionals, regulators and Auditors (internal/external) for evaluating governance and management practices from an end to end perspective.
Evaluating the System of Internal Controls: "MEA 02 Managed System of Internal Control" provides guidance on evaluating and assessing internal controls. The key management practices for evaluating the system of internal controls are:
• Monitor internal controls,
• Review business process controls effectiveness,
• Perform control self-assessment,
• Identify and report control deficiencies.
Core Governance and Management Objectives in COBIT 2019:
1. Align, Plan and Organise (APO)
2. Build, Acquire and Implement (BAI)
3. Deliver, Service and Support (DSS)
4. Monitor, Evaluate and Assess (MEA)

RISK ASSESSMENT
IS Auditor should identify all the risks present in the IT environment. Based on this, the required audit strategies, materiality levels and resource requirements can then be developed. IS Auditor can focus on the high-risk areas and decide the sampling.
Guidance on Risk Assessment by ISACA
• Conduct and document, at least annually.
• Quantify and justify the amount of IS audit resources needed.
• Seek approval of the risk assessment from the audit stakeholders.
• Prioritise and schedule IS audit and assurance work based on assessments of risk.
• Develop a plan that: acts as a framework, considers non-IS audit and addresses responsibilities set by the audit charter.
• When planning an individual engagement, professionals should assess risks & conduct a preliminary assessment of the risks relevant to the area.
• Objectives for each specific engagement should reflect the results of the preliminary risk assessment.
• Consider prior audits, reviews and findings, including any remedial activities.
• Attempt to reduce audit risk to an acceptable level, and meet the audit objectives.
• Recognise that the lower the materiality threshold, the more precise the audit expectations and the greater the audit risk.
• To reduce risk for higher materiality, compensate by either extending the test of controls or substantive testing procedures.
Risk Assessment Procedures and related Activities: Risk assessment procedures shall include: inquiries of management, analytical procedures, observation & inspection.
Use of Risk Assessment in Audit Planning: There are many risk assessment methodologies, computerized and non-computerized, from which the IS Auditor may choose. These range from simple classifications of high, medium and low, based on the IS Auditor's judgment, to complex scientific calculations that provide a numeric risk rating. A scoring system is useful in prioritizing audits based on an evaluation of risk factors. A combination of techniques may be used as well. IS Auditor should consider the level of complexity and detail appropriate for the organization.
Steps of Risk Assessment
• Identify relevant assets or critical assets.
• Identify vulnerabilities & threats (relevant risks).
• Analyze identified relevant risks.
• Risk prioritization.
• Risk treatment.
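The steps above, together with the chartbook's definition of Risk as Probability x Impact, its rule that residual risk above the risk appetite must be reported unless management has approved it, and the Tier 1/2/3 coverage model from the Audit Universe chart, can be worked through as a simple scoring system of the kind the "Use of Risk Assessment in Audit Planning" note describes. The following Python example is added here and is not from the chartbook or from Prokhata; the 1-to-5 scoring scales, the tier thresholds, the control-effectiveness factor, the scores given to the sample audit areas and the multiplicative audit-risk model (AR = IR x CR x DR) are all assumptions made for the example.

```python
"""Added example (not from the chartbook): risk-based audit planning over an audit universe.
Uses the chartbook's Risk = Probability x Impact and its Tier 1/2/3 coverage model; the
scales, thresholds, effectiveness factor and audit-risk model below are assumptions."""
from dataclasses import dataclass


@dataclass
class AuditArea:
    """One entry of the audit universe (a business unit, process, system, etc.)."""
    name: str
    probability: int                # likelihood that a threat exploits the vulnerability, 1 (rare) .. 5 (almost certain)
    impact: int                     # potential loss if it does, 1 (negligible) .. 5 (severe)
    control_effectiveness: float    # share of inherent risk removed by existing controls, 0.0 .. 1.0 (assumed model)
    approved_by_management: bool = False  # has management formally accepted residual risk above appetite?


def inherent_risk(area: AuditArea) -> int:
    """Risk before controls: Probability x Impact, as the chartbook defines risk."""
    if not (1 <= area.probability <= 5 and 1 <= area.impact <= 5):
        raise ValueError(f"{area.name}: probability and impact must be on the 1..5 scale")
    return area.probability * area.impact


def residual_risk(area: AuditArea) -> float:
    """Risk remaining after controls (residual/net risk)."""
    if not 0.0 <= area.control_effectiveness <= 1.0:
        raise ValueError(f"{area.name}: control effectiveness must be between 0 and 1")
    return round(inherent_risk(area) * (1.0 - area.control_effectiveness), 2)


TIER_COVERAGE = {1: "Full coverage", 2: "Medium coverage", 3: "Low or no coverage"}


def coverage_tier(residual: float, high: float = 15.0, medium: float = 8.0) -> int:
    """Map a residual-risk score onto the three coverage tiers. Thresholds are example values."""
    if residual >= high:
        return 1
    if residual >= medium:
        return 2
    return 3


def plan_audit_universe(areas, risk_appetite: float):
    """Score every area, rank by residual risk (risk prioritization) and flag what must be
    reported to management: residual risk above appetite that management has not approved."""
    plan = []
    for area in areas:
        res = residual_risk(area)
        tier = coverage_tier(res)
        plan.append({
            "name": area.name,
            "inherent_risk": inherent_risk(area),
            "residual_risk": res,
            "tier": tier,
            "coverage": TIER_COVERAGE[tier],
            "report_to_management": res > risk_appetite and not area.approved_by_management,
        })
    plan.sort(key=lambda row: row["residual_risk"], reverse=True)
    return plan


def allowed_detection_risk(target_audit_risk: float, inherent: float, control: float) -> float:
    """Standard multiplicative audit-risk model AR = IR x CR x DR (assumed; the chartbook only
    names the three components). Returns the detection risk the auditor can accept for a given
    target audit risk; a lower DR means more substantive testing is needed."""
    if not (0.0 < inherent <= 1.0 and 0.0 < control <= 1.0):
        raise ValueError("inherent and control risk must be probabilities in (0, 1]")
    return round(target_audit_risk / (inherent * control), 4)


# Constructed sample audit universe: the area names come from the chartbook's diagram,
# the scores are invented for this example.
SAMPLE_UNIVERSE = [
    AuditArea("Revenue", probability=5, impact=5, control_effectiveness=0.40),
    AuditArea("Stock & Receivable", probability=4, impact=4, control_effectiveness=0.25,
              approved_by_management=True),
    AuditArea("Credit", probability=2, impact=3, control_effectiveness=0.50),
]
RISK_APPETITE = 10.0  # assumed appetite on the same scale as the residual score


if __name__ == "__main__":
    for row in plan_audit_universe(SAMPLE_UNIVERSE, RISK_APPETITE):
        flag = "REPORT: residual > appetite, not approved" if row["report_to_management"] else ""
        print(f"{row['name']:<20} IR={row['inherent_risk']:>2} RR={row['residual_risk']:>5} "
              f"Tier {row['tier']} {row['coverage']:<18} {flag}")
    print("Allowed detection risk at 5% audit risk, IR=0.8, CR=0.5:",
          allowed_detection_risk(0.05, 0.8, 0.5))
```

Running the block ranks Revenue (residual 15.0, Tier 1, reported because it exceeds the appetite without approval) above Stock & Receivable (residual 12.0, Tier 2, above appetite but approved, so not reported) and Credit (residual 3.0, Tier 3). The last line shows the planning trade-off the ISACA guidance mentions: with a fixed target audit risk, higher inherent or control risk leaves less detection risk the auditor can accept, which is what drives extended substantive testing.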

GOVERNANCE AND MANAGEMENT CONTROLS
IT General Controls areas
A general controls review attempts to gain an overall impression of the controls that are present in the environment surrounding the information systems. IT General Controls are controls that are not specific to any application but exist in an IT environment. A general controls review would also include the infrastructure and environmental controls; for example, a review of the data centre or information processing facility should cover the adequacy of air conditioning, power supply, smoke detectors/fire suppression systems, etc. Some IT General Controls are discussed below:
1. Operating System Controls: The operating system performs the main tasks of scheduling jobs, managing hardware and software resources, maintaining system security, enabling multi-user resource sharing, handling interrupts and maintaining usage records.
2. Organisational Controls: These controls are concerned with the decision-making processes that lead to management and authorization of transactions.
(i) Responsibilities and objectives: IS functions must be clearly defined and documented, including systems software, application programming and systems development, database administration, and operations. Senior managers are responsible for the effective and efficient utilization of IS resources.
(ii) Policies, standards, procedures and practices: Policies establish the rules or boundaries of authority delegated to individuals. Procedures establish the instructions that must be followed for completing the assigned tasks.
(iii) Job Descriptions: These communicate management's specific expectations for job performance.
(iv) Segregation of Duties: The distribution of work responsibilities. Its main purpose is to prevent or detect errors or irregularities by applying suitable controls.
3. Management Controls: Controls adopted to ensure that the information systems function correctly and meet the strategic business objectives and needs. The controls flow from the top of an organization downwards; the responsibility still lies with senior management. The control considerations include:
• Responsibility: Senior management personnel responsible for the IS within the overall organizational structure.
• An IT Organization Structure: There should be a prescribed IT organizational structure with documented roles and responsibilities.
• An IT Steering Committee: Communicates management's specific expectations for job performance.
4. Financial Controls: Control over transaction processing using reports generated by the computer applications. There are numerous financial control techniques. A few examples are:
• Authorisation, which entails obtaining the authority to perform some act, typically accessing assets.
• Budgets, which are estimates of the amount of time or money expected to be spent during a particular period, project or event.
Segregation of Duties: The distribution of work responsibilities, with the main purpose of preventing or detecting errors or irregularities by applying suitable controls. Separate who can:
• Run live programs vs. Change programs
• Access data vs. Run programs
• Input data vs. Approve/reconcile data
• Test programs vs. Develop programs
• Enter an error in a log vs. Correct the error
• Enter data vs. Access the database
5. Data Management Controls: Access controls are designed to prevent unauthorized individuals from viewing, retrieving, computing or destroying data. Backup controls are designed to ensure the availability of data in the event of its loss.
6. Data Processing Controls: Controls related to hardware and software; these controls are applicable to on-line transaction processing systems, database administration, media library, etc.
The following controls are discussed in further chapters in detail: 7. Physical Access Controls, 8. Logical Access Controls, 9. Business Continuity Planning Controls, 10. System Maintenance Controls.
11. System Development Controls: Ensure that proper documentation and authorizations are available for each phase of the system development process.
12. Computer Centre Security Controls: Physical security attempts to restrict breach of access. Software and data security ensures the use of passwords, authorizations, screening and logs of all activity of the entity. Data communication security is implemented by terminal locks, encryption of data, network administration, sign-on user identifiers etc.
Personal Computer Controls: Safeguard mechanisms for personal computers, pen drives, external drives etc. against the risk of loss of hardware and data/information.
Internet and Intranet Controls: These controls include building component-level redundancy, avoiding single points of failure, using tested and robust systems, hardening of systems, patch management, use of updated anti-virus solutions, firewalls, IDS, encryption etc.
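The "Separate who can" pairs above are exactly the kind of rule an IS auditor checks mechanically against a user-to-role export. The Python below is an added example, not code from the chartbook or its author: it expands each user's roles into the duties they grant and flags every conflicting pair a single person holds. The role names, the role-to-duty mapping and the user assignments are constructed sample data; the conflicting pairs are the ones listed in the chart.

```python
"""Segregation-of-duties (SoD) conflict check over a role export.

Added example; not from the chartbook. The conflicting pairs come from the
"Separate who can" list in the chart; roles, role-to-duty mapping and user
assignments are constructed sample data.
"""

# Duty pairs that must not be held by the same person (from the chart).
CONFLICTING_DUTIES = [
    ("run live programs", "change programs"),
    ("access data", "run programs"),
    ("input data", "approve/reconcile data"),
    ("test programs", "develop programs"),
    ("enter error in log", "correct the error"),
    ("enter data", "access the database"),
]

# Constructed: which duties each application role grants.
ROLE_DUTIES = {
    "developer": {"develop programs", "change programs"},
    "tester": {"test programs"},
    "operator": {"run live programs", "run programs"},
    "data_entry": {"input data", "enter data"},
    "reviewer": {"approve/reconcile data"},
    "dba": {"access data", "access the database"},
}

# Constructed: a user-to-role export as the IS auditor would receive it.
USER_ROLES = {
    "alice": ["data_entry"],
    "bob": ["developer", "operator"],      # can change and run live programs
    "carol": ["data_entry", "reviewer"],   # can input and approve the same data
    "dave": ["tester"],
    "erin": ["dba"],
}


def effective_duties(user, user_roles, role_duties):
    """Union of the duties granted through every role the user holds."""
    duties = set()
    for role in user_roles.get(user, []):
        duties |= role_duties[role]
    return duties


def conflict_pairs(duties):
    """Conflicting pairs present within one person's set of duties."""
    return [pair for pair in CONFLICTING_DUTIES
            if pair[0] in duties and pair[1] in duties]


def sod_violations(user_roles, role_duties):
    """Users holding at least one conflicting pair, with the pairs found.

    Each hit is a finding: either the roles are re-assigned or a compensating
    control (e.g. independent review of that user's work) must be evidenced.
    """
    violations = {}
    for user in user_roles:
        hits = conflict_pairs(effective_duties(user, user_roles, role_duties))
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES, ROLE_DUTIES).items():
        print(user, "->", "; ".join(f"{a} vs {b}" for a, b in hits))
```

Conflicts arise from the combination of roles, not from any one role, which is why the check works on the effective duty set rather than on role names.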

IT Application Controls
Software could be a payroll system, a retail banking system, an inventory system, a billing system or, possibly, an integrated ERP. The first question to ask in an application software review is, "What does the application software do; what business function or activities does it perform?" The IS auditor's knowledge of the intricacies of the business is equally important. Once this is done, identify the potential risks associated with the business activity/function and see how these risks are handled by the software. IT application controls are, indeed, controls which are built into the software application itself.
Objectives of application controls:
• Input data is accurate, complete and authorized.
• Data is processed within an acceptable time period.
• Data stored is accurate and complete.
• Output is accurate and complete.
• A record is maintained to track the data from input to storage and to the eventual output.
The categories of application control are:
1. Boundary Controls: Controls to ensure that the application is restricted only to authorized users. Data may be in any stage: in input, processing, transit or output, or at rest. Access controls may be implemented by using any of the logical security techniques embedded in the application software. A separate access control mechanism is required for controlling access to the application.
2. Input Controls: Controls to ensure that only complete, accurate and valid data and instructions form an input to the application.
3. Processing Controls: Controls to ensure that only authorized processing takes place and that the integrity of processes and data is ensured. They perform validation checks to identify errors during processing of data and are required to ensure both the completeness and accuracy of the data being processed.
4. Data File Controls: Controls to ensure that data resident in the files are maintained consistently, with assurance of the integrity and confidentiality of stored data.
5. Output Controls: Controls to ensure that output is delivered to the users in a consistent and timely manner in the format prescribed/required by the user.
6. Existence Controls: Ensure continued availability. Existence controls should include backup and recovery procedures for data and also controls that recover the process from a failure. Existence controls should also be exercised over output to prevent loss of output in any form.
Scope and steps of IS Audit of Application software:
• Mainly covers adherence to business rules,
• Validations of various data inputs,
• Logical access control and authorization,
• Exception handling and logging.
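Input and processing controls are easiest to understand in code. The Python below is an added example, not code from the chartbook: one function applies the input controls (completeness, validity against master data, format, range and authorisation checks) to each record, and a second applies processing controls by posting only clean records and reconciling batch control totals (record count and amount total) against the batch header. The record layout, the account master, the approval threshold and the sample batch are constructed assumptions.

```python
"""Input and processing controls over a batch of transactions.

Added example; not from the chartbook. The record layout, the account master,
the approval threshold and the sample batch are constructed assumptions.
"""
from datetime import date

VALID_ACCOUNTS = {"1001", "1002", "2001"}   # constructed account master file
APPROVAL_THRESHOLD = 10_000.0               # constructed authorisation limit


def validate_record(rec):
    """Input control: return the list of validation failures (empty = accepted)."""
    errors = []
    for field in ("id", "account", "amount", "posted"):
        if rec.get(field) in (None, ""):
            errors.append(f"missing {field}")           # completeness check
    if errors:
        return errors
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append("unknown account")                # validity check against master data
    try:
        amount = float(rec["amount"])                   # format check
        if amount <= 0:
            errors.append("amount not positive")        # range check
        elif amount > APPROVAL_THRESHOLD and not rec.get("approved_by"):
            errors.append("amount above threshold without approval")  # authorisation check
    except ValueError:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(rec["posted"])               # format check on the date
    except ValueError:
        errors.append("posted date not ISO format")
    return errors


def process_batch(records, header_count, header_total):
    """Processing control: post only records that pass input validation, and
    reconcile the batch control totals (record count and amount total) with the
    batch header that accompanied the data, so lost or altered records show up."""
    accepted, rejected = [], []
    received_total = 0.0
    for rec in records:
        try:
            received_total += float(rec.get("amount") or 0)
        except ValueError:
            pass                                        # reported by validate_record
        errors = validate_record(rec)
        if errors:
            rejected.append((rec.get("id") or "<no id>", errors))
        else:
            accepted.append(rec["id"])
    return {
        "accepted": accepted,
        "rejected": rejected,
        "count_reconciled": len(records) == header_count,
        "total_reconciled": abs(received_total - header_total) < 0.005,
    }


# Constructed sample batch; its header claims 6 records totalling 30355.00.
SAMPLE_BATCH = [
    {"id": "T1", "account": "1001", "amount": "250.00", "posted": "2024-03-01"},
    {"id": "T2", "account": "9999", "amount": "100", "posted": "2024-03-01"},
    {"id": "T3", "account": "1002", "amount": "15000", "posted": "2024-03-02"},
    {"id": "T4", "account": "2001", "amount": "15000", "posted": "2024-03-02", "approved_by": "cfo"},
    {"id": "T5", "account": "1001", "amount": "-5", "posted": "2024/03/02"},
    {"id": "", "account": "1001", "amount": "10", "posted": "2024-03-03"},
]

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH, header_count=6, header_total=30355.0))
```

The rejected list with its reasons is the exception log the audit scope above asks for; the control-total flags are what an auditor re-performs when testing processing controls.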

CREATION OF RISK CONTROL MATRIX (RCM)
RCM details the risks that have been identified in the Risk Assessment phase. A typical RCM would consist of the following:
• A series of spreadsheets, each marking a single process, application (Custom Business Application) or area (Information security, Logical Security, Physical security).
• Each spreadsheet would contain: Risk No., Risk in depth, control(s) that are ideal to counter the identified risk, control number, control that is implemented by the enterprise to counter the risk.
RCM may be used as an Audit Notebook containing details of control owner, process owner, testing plans and results, evidences, risk ranking, recommendations etc.
SUBSTANTIVE TESTING
Evidence is gathered to evaluate the integrity of individual transactions, data or other information. Substantive procedures are tests designed to obtain evidence to ensure the completeness, accuracy and validity of the data. Substantive tests can be reduced if internal controls are strong. Ex: examining the trial balance, cash verification, balance confirmation etc.
COMPLIANCE TESTING
Compliance testing is the process of evidence gathering for the purpose of testing an organization's compliance with control procedures. A compliance review determines if controls are being applied in accordance with organizational policies. Compliance procedures help obtain reasonable assurance that those internal controls on which audit reliance is to be placed are operating effectively. By performing compliance tests, IS Auditors can ascertain the existence, effectiveness and continuity of the internal control system. Ex: review of system access rights, review of firewall settings etc.
Difference between Compliance and Substantive testing
The objective of substantive testing is to test individual transactions, whereas the objective of compliance testing is to test the presence of controls.
AUDIT SAMPLING, DATA ANALYSIS AND BUSINESS INTELLIGENCE
Audit Sampling
Application of audit procedures to less than 100 percent of the population. The IS auditor should consider selection techniques that result in a statistically based representative sample for performing compliance or substantive testing. Statistical sampling should be used when the probability of error is objectively quantified. It also helps in mitigating sampling risk. When testing for compliance, attribute sampling is most useful. Discovery sampling is the method which would best assist auditors when there are concerns of fraud.
Methods for Sampling
• Statistical: Random Sampling, Systematic Sampling
• Non-Statistical: Haphazard Sampling, Judgmental Sampling
SA 530 – Audit Sampling: Applies when the auditor has decided to use audit sampling in performing audit procedures. It deals with the auditor's use of statistical and non-statistical sampling when designing and selecting the audit sample, performing tests of controls and tests of details, and evaluating the results from the sample.
While designing the sample, consider the objectives of the test and the attributes. Based on the initial assessment, the sample size can be increased or decreased to achieve the objective of assessing the tests of existence and adequacy of control for the IT environment.
Data Analytics
The use of data analytics tools and techniques helps the IS auditor to improve audit approaches. The IS auditor can use data analytics to extract insights from financial, operational and other forms of electronic data, internal or external to the organization. Determining the objective and scope of the analytics is the first step of conducting data analytics.
Business Intelligence
BI can handle enormous amounts of structured as well as unstructured data to help identify, develop and otherwise create new opportunities.
Analytical Review Procedures
Analytical review procedures may be defined as substantive tests for a study of comparisons and relationships among data.
CAAT Tools
The underlying attributes of computer-based transactional systems make the task of auditing more complex, so auditors may be required to rely upon the use of CAAT tools:
• Absence of input documents: Data may be entered directly into the computer system without supporting documents.
• Lack of visible transaction trail: The transaction trail may be partly in machine-readable form, or it may exist only for a limited period of time.
• High volume of transactions being processed.
• Different sources of input and distributed processing.
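The sampling methods and the attribute/discovery distinction above can be shown concretely. The Python below is an added example, not code from the chartbook: it draws a reproducible random sample and a systematic sample from a population, evaluates an attribute sample against a tolerable deviation rate, and computes the discovery-sampling size needed to find at least one occurrence at a given confidence (from (1 - p)^n <= 1 - c, the standard discovery sampling relation). The population of change tickets, the seed values and the tolerable rate are constructed assumptions.

```python
"""Sample selection and evaluation for a test of controls.

Added example; not from the chartbook. The population of change tickets, the
seed values and the tolerable deviation rate are constructed assumptions.
"""
import math
import random

# Constructed population: 1,000 change tickets raised during the audit period.
CHANGE_TICKETS = [f"CHG-{n:04d}" for n in range(1, 1001)]


def random_sample(population, size, seed):
    """Random sampling: every item has an equal chance of selection. The seed is
    recorded in the working papers so the selection can be reproduced on review."""
    return sorted(random.Random(seed).sample(list(population), size))


def systematic_sample(population, size, seed):
    """Systematic sampling: a random start within the first interval, then every
    k-th item where k = population size // sample size."""
    items = list(population)
    interval = len(items) // size
    start = random.Random(seed).randrange(interval)
    return [items[start + i * interval] for i in range(size)]


def evaluate_attribute_sample(tested, deviations, tolerable_rate):
    """Attribute sampling (compliance testing): the observed deviation rate is
    compared with the tolerable rate. Above it, the control cannot be relied on
    and substantive testing has to be extended instead."""
    rate = deviations / tested
    return {"deviation_rate": rate, "rely_on_control": rate <= tolerable_rate}


def discovery_sample_size(critical_rate, confidence):
    """Discovery sampling (fraud concerns): smallest n such that, if at least
    critical_rate of the population is affected, the sample contains at least one
    affected item with the given confidence, i.e. (1 - p)^n <= 1 - c."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


if __name__ == "__main__":
    picked = systematic_sample(CHANGE_TICKETS, 25, seed=2024)
    print(picked[:5], "...")
    print(evaluate_attribute_sample(25, 1, 0.05))
    print(discovery_sample_size(0.01, 0.95))
```

Haphazard and judgmental selection need no code: the point of the two statistical methods is that the selection rule (seed, interval, start) can be written down and re-run, which is what makes the sample defensible.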
DESIGN AND OPERATIONAL EFFECTIVENESS
Design Effectiveness: A walkthrough of a business process and the risks and controls within it can help evaluate its design effectiveness for compliance.
Operational Effectiveness: Testing of operating effectiveness refers to the actual performance of the control in the IT environment. Sample-based self-testing involves the selection of samples; documented evidence must be obtained to ascertain that the control has been performed.
System controls: Evidence of the control will be obtained through appropriate reports and screenshots.
Manual controls: These are subject to human error, so the auditor should test the quality of the control to gain assurance. For manual controls, evidence that the control has been performed should be available through the physical records created.

AUDIT DOCUMENTATION
Audit documentation generally includes: basic documents relating to the control environment, documents relating to laws and regulations, preliminary review, risk analysis, audit plan, audit findings, observations, inspection reports, interpretation of audit evidence, and the audit report issued.
Test working papers: Testing work papers are obtained as a result of the compliance and substantive testing procedures performed by the IS Auditor. Each working paper should follow a naming convention and a numbering convention. Substantive test files require the same elements as compliance test files except for the review of existing internal controls.
Documentation Controls: Each working paper (or work paper) should be dated, manually or digitally signed, and referenced with a unique number.
Organization of audit working papers: Each document must describe: Objective, Work done, Finding, Risk, Recommended action, Action.
Points to Remember :
Audit working papers aid in the planning and performance of the audit, aid in supervision and review, and provide evidence of the audit work. The IS Auditor's work must be documented and organized in a standardized fashion for easy reference in future audits.
Standards on Evidence
Standards by ICAI: (SA) 230, "Audit Documentation", deals with the Auditor's responsibility to prepare audit documentation for financial statements. (SA) 500, "Audit Evidence", deals with the Auditor's responsibility to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the Auditor's conclusions. (SA) 580, "Written Representations", deals with the Auditor's responsibility to obtain written representations from management and, where appropriate, those charged with governance.
Standards by ISACA, 1205 Evidence: 1205.1 Professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results. 1205.2 Professionals shall evaluate the sufficiency of evidence.

AUDIT EVIDENCE: METHODS
Evidence is any information used by the IS Auditor to determine whether the entity follows the established criteria or objectives, and supports audit conclusions. It is a requirement that the IS Auditor's conclusions be based on sufficient, relevant, competent and appropriate audit evidence. Audit findings should be supported by sufficient and appropriate audit evidence.
1. Evaluating Audit Evidence
• Independence of the provider of the audit evidence: evidence from outside sources is more reliable than evidence from within the organization.
• Qualifications of the individual providing the information/evidence.
• Objectivity of evidence: objective evidence is more reliable than evidence that requires considerable judgment.
• Timing of the evidence.
Using Work of Another Auditor and Expert
Experts are used as per their area of specialization, such as banking, securities trading, insurance, legal experts etc. Based on the nature of the assignment, special considerations include access to systems, confidentiality restrictions, use of CAATs and non-disclosure agreements. ISACA standard 1206: Using the work of other experts. Even though a part of or the whole of the audit work may be delegated, the related professional liability is not necessarily delegated. It is the responsibility of the IS Auditor to clearly communicate the audit objectives, scope and methodology, to put a monitoring process in place, and to assess the appropriateness of the reports.
Evaluation of Strengths and Weaknesses: Judging by Materiality
A control matrix is often utilized in assessing the proper level of controls. Known types of errors that can occur in the area under review are placed on the top axis and known controls to detect or correct errors are placed on the side axis. The IS Auditor should be aware of compensating controls in areas where controls have been identified as weak. A compensating control situation occurs when one stronger control supports a weaker one; overlapping controls may exist where two strong controls exist.
Judging the Materiality of Findings: The IS Auditor must use judgment when deciding which findings to present to various levels of management. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management.
2. Types of Evidence
• Physical examination: Inventory, Cash, Securities, Tangible fixed assets, Notes receivable.
• Confirmation: a third party verifying the accuracy.
• Documentation: Internal or External; substantiates information included in the financial statements.
• Analytical procedures: Comparisons, Relationships.
• Inquiries of the client: Written, Oral.
• Recalculation: Independent tests.
• Procedures: Performance of controls.
• Observation.
Risk Ranking
Risks are typically measured in terms of impact and likelihood of occurrence. Risk rating scales may be defined in quantitative and/or qualitative terms. Quantitative rating scales bring a greater degree of precision and measurability to the risk assessment process. Qualitative terms need to be used when risks do not lend themselves to quantification, when credible data is not available, or when obtaining and analysing data is not cost-effective.
Ordinal scales define a rank order of importance (e.g., low, medium or high); interval scales have numerically equal distances (e.g., 1 equals lowest and 3 equals highest, but the highest is not 3 times greater than the lowest); and ratio scales have a "true zero" allowing for greater measurability (e.g., a ranking of 10 is 5 times greater than a ranking of 2).
An example of a Risk Rating Model is: Green for areas identified as being low risk, Orange for areas identified as medium risk, and Red for areas considered to be inherently high risk.
Audit Report Structure and Contents
ISACA standards require that IS audit professionals provide a report to communicate the results, including: identification of the enterprise; the scope, nature, timing and extent of the work performed; findings and recommendations; qualifications or limitations. An exit interview, conducted at the end of the audit, gives the IS Auditor a chance to discuss findings and recommendations with management.
Presentation techniques could include: an executive summary, an easy-to-read, concise report that presents findings to management in an understandable manner; and a visual presentation, which may include slides or computer graphics.
IS Auditors should be aware that ultimately they are responsible to senior management and the audit committee of the board of directors. Before communicating the results of an audit to senior management, the IS Auditor should discuss the findings with the management staff of the audited entity. A summary of audit activities will be presented periodically to the Audit Committee.
Audit Deliverables & Communicating Audit Results
There is no specific format for an IS audit report. Audit reports will usually have the following structure and content:
1. Introduction to the report, including audit objectives, limitations of the audit and scope, and the period of audit coverage.
2. A good practice is to include audit findings in separate sections.
3. The IS Auditor's overall conclusion and opinion on the adequacy of controls.
4. The IS Auditor's reservations or qualifications.
5. Detailed audit findings and recommendations.
6. The IS Auditor may choose to present minor findings to management in an alternative format such as a memorandum.
The IS Auditor should be concerned with providing a balanced report, describing not only negative findings but also positive, constructive comments. The IS Auditor should exercise independence in the reporting process.
Evidence Preservation
It is also important to preserve the chain of custody. Chain of custody is a term that refers to documenting, in detail, how evidence is handled and maintained, including its ownership, transfer and modification. This is necessary to satisfy legal requirements that mandate a high level of confidence regarding the integrity of evidence.
Sufficiency and Competency of Audit Evidence
The quality and quantity of evidence must be assessed by the IS Auditor. These two characteristics are referred to as competent and sufficient. Evidence is competent when it is both valid and relevant. Audit judgment is used to determine when sufficiency is achieved.
Management Implementation of Recommendations
Auditing is an ongoing process. IS Auditors should have a follow-up program to determine if agreed-on corrective actions have been implemented, although IS Auditors who work for external audit firms may not necessarily follow this process.
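The Risk Ranking passage above (ratio-scale impact times likelihood, collapsed onto a Green / Orange / Red model) and the earlier note that a scoring system is used to prioritise and schedule audits are the same mechanism seen from two sides. The Python below is an added example, not code from the chartbook: it scores an audit universe, maps the scores to the colour model and sorts the areas highest risk first. The 1-5 impact and likelihood scales, the colour thresholds, the word-to-number mapping for qualitative ratings and the audit universe itself are constructed assumptions.

```python
"""Risk ranking on a ratio scale with a Green / Orange / Red rating model.

Added example; not from the chartbook. The 1-5 impact and likelihood scales,
the colour thresholds, the ordinal word mapping and the audit universe are
constructed assumptions.
"""

# Ordinal ratings mapped to numbers so qualitative and quantitative inputs can mix.
ORDINAL = {"low": 1, "medium": 3, "high": 5}

# Constructed audit universe, each area rated 1 (lowest) to 5 (highest).
AUDIT_UNIVERSE = [
    {"area": "Core banking application", "impact": 5, "likelihood": 3},
    {"area": "Payroll", "impact": 3, "likelihood": 3},
    {"area": "Internet banking portal", "impact": 5, "likelihood": 4},
    {"area": "HR intranet", "impact": 2, "likelihood": 2},
    {"area": "Data centre environmental controls", "impact": 4, "likelihood": 2},
]


def risk_score(impact, likelihood):
    """Ratio-scale score impact x likelihood (1..25). Because the scale has a
    true zero, a score of 10 really is five times a score of 2."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("ratings must be integers from 1 to 5")
    return impact * likelihood


def rating(score):
    """Collapse the score onto the ordinal Green / Orange / Red model (thresholds constructed)."""
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Orange"
    return "Green"


def score_from_words(impact_word, likelihood_word):
    """Score an area that was rated only in qualitative terms, e.g. ('high', 'medium')."""
    return risk_score(ORDINAL[impact_word], ORDINAL[likelihood_word])


def prioritised_audit_plan(universe):
    """Rank the audit universe highest risk first: this is the scoring system
    used to prioritise and schedule audit work."""
    ranked = []
    for area in universe:
        score = risk_score(area["impact"], area["likelihood"])
        ranked.append(dict(area, score=score, rating=rating(score)))
    return sorted(ranked, key=lambda a: (-a["score"], a["area"]))


if __name__ == "__main__":
    for entry in prioritised_audit_plan(AUDIT_UNIVERSE):
        print(f'{entry["score"]:>3} {entry["rating"]:<6} {entry["area"]}')
```

The colour is derived from the number, not the other way round: the ratio score is what the schedule is sorted on, and the ordinal colour is only the presentation layer for management.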
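The Evidence Preservation passage above describes a chain of custody as a detailed record of ownership, transfer and modification. The Python below is an added example, not code from the chartbook: a small custody register that fingerprints each evidence item with SHA-256 at collection and re-hashes it at every hand-over, so any modification after collection is documented rather than silently inherited by the next custodian. The evidence item, the custodians and the timestamps are constructed.

```python
"""Chain-of-custody register for audit evidence.

Added example; not from the chartbook. The evidence item, custodians and
timestamps are constructed; SHA-256 fingerprints make any change to the
evidence after collection detectable at each transfer.
"""
import hashlib


def fingerprint(data):
    """SHA-256 of the evidence bytes, recorded at collection and re-checked later."""
    return hashlib.sha256(data).hexdigest()


class CustodyRegister:
    """Append-only record of who held each evidence item, when, and in what state."""

    def __init__(self):
        self.entries = []

    def collect(self, item_id, data, custodian, when):
        """Record collection: the custodian taking ownership and the original hash."""
        self.entries.append({"item": item_id, "event": "collected", "by": custodian,
                             "at": when, "sha256": fingerprint(data)})

    def _original_hash(self, item_id):
        return next(e["sha256"] for e in self.entries
                    if e["item"] == item_id and e["event"] == "collected")

    def verify(self, item_id, data):
        """True when the evidence still matches the hash taken at collection."""
        return fingerprint(data) == self._original_hash(item_id)

    def transfer(self, item_id, data, from_custodian, to_custodian, when):
        """Record a hand-over; the receiver re-hashes so a modification in transit
        is documented instead of silently inherited. Returns whether it is intact."""
        intact = self.verify(item_id, data)
        self.entries.append({"item": item_id, "event": "transferred", "from": from_custodian,
                             "to": to_custodian, "at": when, "sha256": fingerprint(data),
                             "intact": intact})
        return intact

    def history(self, item_id):
        """The full custody trail for one item, in order."""
        return [e for e in self.entries if e["item"] == item_id]


# Constructed evidence: an extract of a system log collected during the audit.
EVIDENCE = b"2024-03-04 10:15:02 auth: failed login user=svc_backup src=10.0.0.5\n"

if __name__ == "__main__":
    reg = CustodyRegister()
    reg.collect("LOG-1", EVIDENCE, "IS auditor", "2024-03-04T12:00:00Z")
    print(reg.transfer("LOG-1", EVIDENCE, "IS auditor", "audit file room", "2024-03-05T09:00:00Z"))
    for entry in reg.history("LOG-1"):
        print(entry)
```

In practice the register itself is the document that must be kept out of reach of the people who handle the evidence; an in-memory list is used here only so the example runs on its own.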

CHAPTER 3:
COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES
Computer Assisted Audit Techniques
CAAT is a significant tool for auditors to gather evidence independently. It provides the means to gain access to and analyse data for predetermined audit objectives, and to report the audit findings with evidence. CAAT is the most effective tool for obtaining audit evidence through digital data. It also provides assurance about data reliability.
Need for CAAT
In computerised environments evidence exists on magnetic media and it may not be possible to analyze data without the help of some software tool(s). ICAI Guidance Note on CAAT: CAATs may be used in performing various auditing procedures, including:
(a) Tests of details of transactions and balances,
(b) Analytical procedures,
(c) Tests of general controls,
(d) Sampling programs,
(e) Tests of application controls,
(f) Re-performing calculations.
Purpose of CAATs
CAATs give auditors the ability to maximize their efficiency and effectiveness during the audit. IS auditors can use CAATs to perform tests that would normally be impossible or too time consuming to perform manually.
Functional Capabilities of CAATs
• File access: Enables the reading of different record formats and file structures.
• File reorganization: Enables indexing, sorting, merging and linking with another file.
• Data selection: Enables global filtration conditions and selection criteria.
• Statistical functions: Enables sampling, stratification and frequency analysis.
• Arithmetical functions: Enables arithmetic operators and functions.
How to use CAATs
The approach for using CAATs is given below:
1. Set the objective of the CAAT application.
2. Determine the content and accessibility of the entity's files.
3. Define the transaction types to be tested.
4. Define the procedures to be performed on the data.
5. Define the output requirements.
6. Identify the audit and IT personnel to be involved in the design and use of tests for CAATs.
General Uses and Applications of CAATs
1. Exception identification: Identifying exceptional transactions.
2. Control analysis: Identify whether controls as set have been working as prescribed.
3. Error identification: Identify data which is inconsistent or erroneous.
4. Statistical sampling: Perform various types of statistical analysis.
5. Fraud detection: Identify potential areas of fraud.
6. Verification of calculations: Perform various computations to confirm the data stored.
7. Existence of records: Identify fields which have null values.
8. Completeness of data: Identify whether all fields have valid data.
9. Consistency of data: Identify data which are inconsistent.
10. Duplicate payments: Establish relationships between two or more tables as required and identify duplicate transactions.
Types of CAATs
While selecting the CAAT, the IS Auditor is faced with certain critical decisions to be made while balancing the quality and cost of the audit:
A. Use audit software developed by the client.
B. Develop his/her own audit software.
C. Use standard off-the-shelf Generalised Audit Software.
The first two options require auditors to be technically competent in programming. Computer audit software, also known as Generalised Audit Software (GAS), is readily available with specific features useful for data interrogation and analysis. Auditors do not require much expertise and knowledge to be able to use these for auditing purposes. The different types of CAAT are:
Generalised Audit Software (GAS): "The processing of a client's live files by the auditor's computer programs." Computer audit software may be used either in compliance or in substantive tests. It performs functions such as reading data, selecting and analyzing information, performing calculations, creating data files and reporting in a format specified by the auditor. GAS has standard packages for auditing data. Typical operations using GAS include sampling items, extracting items, totalling values, ageing data and calculations. Input data is manipulated prior to applying selection criteria.
Specialised Audit Software (SAS): Written for special audit purposes or targeting specialized IT environments; specific to the type of business, transaction or IT environment. Such software may be developed by the auditee or embedded as part of the client's mission-critical application software, or developed by the auditor independently. The auditor should take care to obtain assurance on the integrity and security of software developed by the client.
Utility Software: Utilities usually come as part of office automation software, operating systems and database management systems, and are useful in performing common data analysis functions such as searching, sorting, appending, joining, analysis etc. Utilities are extensively used in design, development, testing and auditing of application software, operating system parameters, security software parameters, security testing, debugging etc.
Typical Steps in using GAS
i. Define the audit objectives.
ii. Identify the tests.
iii. Package input forms.
iv. Compile the package.
v. The programmer's work must be tested.
vi. Obtain copies of the application files to be tested.
vii. Execute the package.
viii. Maintain security of the output.
ix. Check test results and draw audit conclusions.
x. Interface test results with the subsequent manual audit work to be done.
Selecting, implementing and using CAATs
CAATs provide a means to gain access to and analyse data for a predetermined audit objective and to report audit findings with evidence. They help the auditor to obtain evidence directly on the quality of the records produced and maintained in the system. Some examples of CAATs which can be used to collect evidence:
• ACL, IDEA, Knime etc.
• Utility software such as Find, Search, Flowcharting utilities
• Spreadsheets such as Excel
• SQL commands, OS commands
• Third party access control software
Strategies for using CAATs
• Identify the goals and objectives of the investigation/audit.
• Identify what information will be required.
• Determine the sources of the information.
• Identify who is responsible for the information.
• Review documentation.
• Understand the system generating the data.
• Develop a plan for analyzing the data (What, When, Where, Why and How):
What: Objectives; When: Period; Where: Sources; Why: Reason; How: Types of analysis.
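Several of the "General Uses" listed above (exception identification, existence of records, completeness, verification of calculations, duplicate payments) are single-pass tests over an extract. The Python below is an added example, not code from the chartbook or any GAS product: it reads a payments extract in CSV form and runs that battery of tests, returning one report for the working papers. The extract layout, the column names, the value threshold and the sample rows are constructed assumptions.

```python
"""CAAT-style tests over a constructed payments extract (CSV).

Added example; not from the chartbook. The extract layout, the column names,
the value threshold and the sample rows are constructed assumptions.
"""
import csv
import io
from collections import Counter

# Constructed extract as a GAS tool would receive it from the payments system.
PAYMENTS_CSV = """\
pay_id,vendor,invoice,qty,unit_price,total,paid_on
P1,V100,INV-1,2,50.00,100.00,2024-03-01
P2,V100,INV-1,2,50.00,100.00,2024-03-02
P3,V200,INV-7,1,999999.00,999999.00,2024-03-02
P4,V300,,3,10.00,30.00,2024-03-03
P5,V200,INV-8,4,25.00,90.00,2024-03-03
P6,V400,INV-9,1,40.00,40.00,
"""


def load_extract(text):
    """File access: read the extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def null_fields(rows):
    """Existence / completeness of data: rows with any empty field, and which ones."""
    return {r["pay_id"]: [k for k, v in r.items() if v in ("", None)]
            for r in rows if any(v in ("", None) for v in r.values())}


def recalculation_errors(rows, tolerance=0.005):
    """Verification of calculations: qty x unit_price must equal the stored total."""
    return [r["pay_id"] for r in rows
            if abs(float(r["qty"]) * float(r["unit_price"]) - float(r["total"])) > tolerance]


def duplicate_payments(rows):
    """Duplicate payments: the same vendor and invoice number paid more than once."""
    key = lambda r: (r["vendor"], r["invoice"])
    counts = Counter(key(r) for r in rows if r["invoice"])
    return sorted(r["pay_id"] for r in rows if r["invoice"] and counts[key(r)] > 1)


def exceptions_over(rows, limit):
    """Exception identification: payments above a value threshold for follow-up."""
    return [r["pay_id"] for r in rows if float(r["total"]) > limit]


def run_all_tests(text, limit=100_000):
    """Run the battery and return one report the auditor can file in the working papers."""
    rows = load_extract(text)
    return {
        "null_fields": null_fields(rows),
        "recalculation_errors": recalculation_errors(rows),
        "duplicate_payments": duplicate_payments(rows),
        "exceptions": exceptions_over(rows, limit),
    }


if __name__ == "__main__":
    for test_name, hits in run_all_tests(PAYMENTS_CSV).items():
        print(f"{test_name}: {hits}")
```

Each test returns record identifiers rather than printing them so the hits can be joined back to the source table, which is what the duplicate-payments use case above calls "establishing relationships between tables".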

Continuous Auditing Approach
Continuous auditing is a process through which an auditor evaluates the particular system(s) and thereby generates audit reports on a real-time basis.
Techniques for Continuous Auditing
Snapshot
• The snapshot technique uses a series of sequential data captures referred to as snapshots.
• Digital pictures of procedures are saved and stored in memory.
• It is useful when an audit trail is required.
Employed for:
• Analysing and tracking down the flow of data.
• Documenting the logic and the input/output controls of the application program's sequence of processing.
Integrated Test Facility (ITF)
ITF is a system in which a test pack is pushed through the production system, affecting "dummy" entities.
Advantages of ITF:
• Useful in identifying errors and problems that occur in the live environment and that cannot be traced in the test environment.
• Validates the accuracy of the system processing.
Systems Control Audit Review File (SCARF)
This technique involves embedding specially written audit software in the organisation's host application systems so that the application systems are monitored on a continuous basis.
Continuous and Intermittent Simulation
• In this technique, a simulator identifies transactions as per the predefined criteria.
• It is most useful when transactions are to be identified as per pre-defined criteria in a complex environment.
Audit Hook
• Embedding audit modules in the application system to capture exceptions or suspicious transactions.
• Helpful to the auditor in identifying irregularities, such as fraud or error, before they get out of hand.
System Activity File Interrogation
Producing a log of every event occurring in the system, both user and computer initiated. Reports exceptional items of possible audit interest such as unauthorised access attempts, unsuccessful login attempts, changes to master records and the like.
Embedded Audit Facilities
Consist of program audit procedures inserted into the client's application programs and executed simultaneously. This technique helps review transactions as they are processed and select items according to audit criteria, automatically writing details of these items to an output file for subsequent audit examination.
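SCARF, audit hooks and embedded audit facilities all share one mechanism: audit code runs inside the application's processing path and writes items that meet audit criteria to a file the auditor later examines. The Python below is an added example, not code from the chartbook: a small transaction processor with an embedded audit module invoked on every transaction; items matching the criteria are written as JSON lines to the audit file while the application's own result is unchanged. The audit criteria, the transaction layout and the sample transactions are constructed assumptions.

```python
"""Embedded audit module (audit hook / SCARF-style) inside a transaction processor.

Added example; not from the chartbook. The audit criteria, the transaction
layout and the sample transactions are constructed assumptions.
"""
import json
from datetime import datetime

# Criteria of audit interest; each is evaluated on every transaction as it is processed.
AUDIT_CRITERIA = {
    "high value": lambda t: t["amount"] >= 50_000,
    "outside business hours": lambda t: not 9 <= datetime.fromisoformat(t["time"]).hour < 18,
    "master record change": lambda t: t["type"] == "master_update",
}


class EmbeddedAuditModule:
    """Captures items meeting the audit criteria into a continuous audit file,
    without changing what the application does with the transaction."""

    def __init__(self):
        self.audit_file = []   # in production an append-only file the auditor controls

    def inspect(self, txn):
        reasons = [name for name, test in AUDIT_CRITERIA.items() if test(txn)]
        if reasons:
            self.audit_file.append(json.dumps(
                {"txn": txn["id"], "time": txn["time"], "reasons": reasons}))
        return reasons


def process_transactions(transactions, audit_module):
    """The application's own processing (a running balance per account) with the
    audit hook invoked on every transaction as it goes through."""
    balances = {}
    for txn in transactions:
        audit_module.inspect(txn)                 # audit hook runs alongside processing
        if txn["type"] == "payment":
            balances[txn["account"]] = balances.get(txn["account"], 0) + txn["amount"]
    return balances


def audit_exceptions(transactions):
    """Run a batch through the processor and return (txn id, reasons) per captured item."""
    module = EmbeddedAuditModule()
    process_transactions(transactions, module)
    return [(json.loads(line)["txn"], json.loads(line)["reasons"]) for line in module.audit_file]


# Constructed sample batch.
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "type": "payment", "account": "A", "amount": 1200, "time": "2024-03-04T10:15:00"},
    {"id": "T2", "type": "payment", "account": "B", "amount": 75000, "time": "2024-03-04T11:00:00"},
    {"id": "T3", "type": "payment", "account": "A", "amount": 300, "time": "2024-03-04T23:40:00"},
    {"id": "T4", "type": "master_update", "account": "B", "amount": 0, "time": "2024-03-04T14:05:00"},
    {"id": "T5", "type": "payment", "account": "A", "amount": 60000, "time": "2024-03-05T02:00:00"},
]

if __name__ == "__main__":
    module = EmbeddedAuditModule()
    print(process_transactions(SAMPLE_TRANSACTIONS, module))
    for line in module.audit_file:
        print(line)
```

The criteria table is the only part the auditor changes; keeping it separate from the application logic is what lets the hook be reviewed and re-tuned without a change to the production program.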

CHAPTER 4:
APPLICATION CONTROLS REVIEW OF BUSINESS APPLICATIONS

Application Control
These applications are the interface between the user and business functions. Application controls help to:
• Safeguard assets
• Maintain data integrity
• Achieve organisational goals effectively and efficiently

Application Controls
"Application controls" are a subset of internal controls that relate to an application system and the information managed by that application. Timeliness, accuracy and reliability of information depend on the application systems used to generate, process, store and report that information. Information must conform to certain criteria, which COBIT refers to as business requirements for information.

Internal Controls
A process, effected by an organisation's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.
COSO defines control activities as the policies and procedures that help ensure management directives are carried out.

Business Application Software: Selection Parameters
Key parameters for the selection of business application software:
• Business Goal: e.g. customer driven, social causes, capitalist mind-set.
• Nature of Business: e.g. generate daily cash.
• Geographical spread: the wider the spread, the more robust the software required. Robust means the capability to work 24/7.
• Volume of transactions: as transaction volumes increase, the organisation needs business application software that can support the business for the next few years.
• Regulatory structure: software which is capable of catering to the compliance requirements.

Objectives of Application Controls
Application controls are intended to provide reasonable assurance that management's objectives relative to a given application will be achieved. Examples include:
(i) Completeness: All transactions are processed and the resulting information is complete.
(ii) Accuracy: Processing is accurate and the resulting information is accurate.
(iii) Validity: Only valid transactions are processed.
(iv) Authorisation: Only appropriately authorised transactions are processed.
(v) Segregation of duties: The application provides for appropriate segregation of duties and responsibilities.

Information Criteria
Key business requirements for information, also called information criteria, need to be present in the information generated. These are:
1. Effectiveness: Information being relevant and pertinent to the process as well as being delivered in a timely, correct, consistent and usable manner.
2. Efficiency: Provision of information through the optimal (most productive and economical) use of resources.
3. Confidentiality: Protection of sensitive information from unauthorised disclosure.
4. Integrity: Relates to the accuracy and completeness of information and its validity in accordance with business values and expectations.
5. Availability: Availability of information as and when required, and also the safeguarding of necessary resources.
6. Compliance: Complying with the laws, regulations and contractual arrangements to which the process is subject.
7. Reliability: Provision of appropriate information for management to operate the organisation and exercise its fiduciary and governance responsibilities.

Types of Business Application
Classification of business applications:
• Processing type: Batch, Online, Real Time
• Source: In house, Brought-in
• Function: covered below

Types of Business Application on the basis of function
• Accounting Application: Used for accounting of day to day transactions; generates financial information. E.g. Tally, Tally EX, UDYOG.
• Banking Application: Banking systems have shifted to core banking business applications (referred to as CBS). E.g. FINACLE, FLEXCUBE, TCS BaNCS.
• ERP Application: Manages resources optimally to maximise economy, efficiency and effectiveness.
• Payroll Application: Software that processes payrolls for employees.

Other Business Applications:
i. Office Management Software
ii. Compliance Applications
iii. Customer Relationship Management Software
iv. Management Support Software
v. Logistics Management Software
vi. Legal Matter Management
vii. Industry Specific Applications
www.prokhata.com 11
Application Control Objectives and Control Practices

1. Source Data Preparation and Authorisation
Source data is prepared by authorised and qualified personnel, taking into account segregation of duties regarding the origination and approval of documents.
• Design source documents to increase the accuracy with which data can be recorded, control the workflow and facilitate subsequent reference checking.
• Document procedures for preparing source data entry and ensure proper communication to appropriate and qualified personnel.
• Maintain a list of authorised personnel, including signatures.
• Source documents include standard components, contain proper documentation and are authorised by management.
• Assign a unique and sequential identifier to every transaction.
• Return documents that are not properly authorised or are incomplete to the submitting originators for correction, and log the fact that they have been returned.

2. Source Data Collection and Entry
Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels.
• Communicate criteria for timeliness, completeness and accuracy of source documents.
• Use only pre-numbered source documents.
• Communicate who can input, edit, authorise, accept and reject transactions. Implement access controls and establish accountability.
• Establish procedures to correct errors, override errors and handle out-of-balance conditions.
• Generate error messages as close to the point of origin as possible. Transactions are not processed unless errors are corrected.
• Error and out-of-balance reports are reviewed by appropriate personnel. Automated monitoring tools should be used to identify, monitor and manage errors.
• Source documents are safely stored.

3. Accuracy, Completeness and Authenticity Checks
Validate data that were input, or send them back for correction, as close to the point of origination as possible.
• Transaction data are verified as close to the data entry point as possible.
• Controls may include sequence, limit, range, validity, reasonableness, table look-up, existence, key verification, check digit, completeness, duplicate and logical relationship checks, and time edits. Validation criteria and parameters should be subject to periodic review and confirmation.
• Segregation of duties for entry, modification and authorisation of transaction data.
• Report transactions failing validation and post them to a suspense file.
• Transactions failing edit and validation routines are subject to appropriate follow-up until the errors are remediated. Allow for root cause analysis.

4. Processing Integrity and Validity
Detection of erroneous transactions does not disrupt the processing of valid transactions.
• Authorise the initiation of transaction processing. Only appropriate and authorised applications and tools are used.
• Processing is completely and accurately performed with automated controls.
• Transactions failing validation routines are reported and posted to a suspense file. Valid transactions are not delayed. Processing failures are kept to allow for root cause analysis.
• Transactions failing validation routines are followed up until the transaction is cancelled.
• The correct sequence of jobs has been documented and communicated to IT operations.
• A unique and sequential identifier is assigned to every transaction.
• Maintain the audit trail of transactions processed. For sensitive data, the listing should contain before and after images.
• Maintain the integrity of data during unexpected interruptions in data processing with system and database utilities. Any changes are approved by the business owner.
• Adjustments, overrides and high-value transactions are reviewed by a supervisor.
• Reconcile file totals.

5. Output Review, Reconciliation and Error Handling
Output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; verification, detection and correction of the accuracy of output occur.
• Follow defined procedures and consider privacy and security requirements.
• Take a physical inventory of all sensitive output.
• Match control totals in the header and/or trailer records of the output to balance with the control totals produced by the system, to ensure completeness.
• Validate completeness and accuracy of processing before subsequent operations are performed.
• Business owners review the final output for reasonableness, accuracy and completeness.
• Where the application produces sensitive output, define who can receive it and label the output. Where necessary, send it to special access-controlled output devices.
• Establish access control.

6. Transaction Authentication and Integrity
Before passing a transaction, check the data for proper addressing, authenticity of origin and integrity of content.
• Establish an agreed-upon standard of communication and the mechanisms necessary for mutual authentication.
• Tag output from transaction processing applications to facilitate counterparty authentication and allow for content integrity verification.
• Determine authenticity of origin. Maintain integrity during transmission.

Application Control Objectives and Information Criteria
Each control objective maps to the information criteria as primary (P) or secondary (S). Markings are listed in the order of the information criteria columns as printed.
1. Source Data Preparation and Authorisation: S P S P S
2. Source Data Collection and Entry: S S S P S
3. Accuracy, Completeness and Authenticity Checks: S P S P S P P
4. Processing Integrity and Validity: P P P P P
5. Output Review, Reconciliation and Error Handling: P S P P P P P
6. Transaction Authentication and Integrity: S P P P
P = Primary, S = Secondary
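As an added illustration (not part of the chartbook), the following Python code runs the validation routines listed under Accuracy, Completeness and Authenticity Checks (sequence, limit, check digit, existence, duplicate) over a constructed batch, posts failures to a suspense list without delaying the valid transactions, and reconciles the batch against its trailer control totals as described under Output Review. The account numbers, transaction limit and batch are constructed assumptions.

```python
"""Added example (not from the chartbook): application-level validation routines
run over a constructed transaction batch. Each failing transaction is posted to a
suspense list with every reason it failed, valid ones are processed without delay,
and the batch is reconciled against trailer control totals. All identifiers, the
transaction limit and the batch itself are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed master table used by the existence / table look-up check.
VALID_ACCOUNTS = {"1000000000000008", "1000000000000016", "1000000000000024"}
# Limit / range parameter; the chart asks for such parameters to be reviewed periodically.
TRANSACTION_LIMIT = 500_000


def luhn_ok(number: str) -> bool:
    """Check-digit control: Luhn mod-10 test on a numeric identifier."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class BatchResult:
    processed: list = field(default_factory=list)
    suspense: list = field(default_factory=list)   # (txn, [reasons]) awaiting follow-up
    reconciliation: dict = field(default_factory=dict)


def validate_transaction(txn: dict, last_seq: int, seen_keys: set) -> list:
    """Return the names of every validation routine the transaction fails."""
    reasons = []
    if txn["seq"] != last_seq + 1:                       # sequence check
        reasons.append("sequence")
    if not 0 < txn["amount"] <= TRANSACTION_LIMIT:       # limit / range check
        reasons.append("limit")
    if not luhn_ok(txn["account"]):                      # check digit
        reasons.append("check_digit")
    elif txn["account"] not in VALID_ACCOUNTS:           # existence (table look-up)
        reasons.append("existence")
    if (txn["ref"], txn["account"], txn["amount"]) in seen_keys:   # duplicate check
        reasons.append("duplicate")
    return reasons


def reconcile(txns: list, trailer: dict) -> dict:
    """Control-total check: records received vs. the count and hash total in the trailer."""
    count = len(txns)
    total = sum(t["amount"] for t in txns)
    return {"record_count": count, "amount_total": total,
            "balanced": count == trailer["record_count"]
            and total == trailer["amount_total"]}


def validate_batch(txns: list, trailer: dict) -> BatchResult:
    result = BatchResult()
    last_seq = 0
    seen = set()
    for txn in txns:
        reasons = validate_transaction(txn, last_seq, seen)
        last_seq = txn["seq"]
        seen.add((txn["ref"], txn["account"], txn["amount"]))
        if reasons:
            result.suspense.append((txn, reasons))   # reported, not silently dropped
        else:
            result.processed.append(txn)            # valid work is not held up
    result.reconciliation = reconcile(txns, trailer)
    return result


# Constructed batch: one clean record and one record per failure mode.
BATCH_TRAILER = {"record_count": 6, "amount_total": 1_236_500}
TRANSACTIONS = [
    {"seq": 1, "ref": "INV-001", "account": "1000000000000008", "amount": 120_000},
    {"seq": 2, "ref": "INV-002", "account": "1000000000000016", "amount": 650_000},  # over limit
    {"seq": 3, "ref": "INV-003", "account": "1000000000000009", "amount": 45_000},   # bad check digit
    {"seq": 5, "ref": "INV-005", "account": "1000000000000024", "amount": 30_500},   # sequence gap
    {"seq": 6, "ref": "INV-001", "account": "1000000000000008", "amount": 120_000},  # duplicate of seq 1
    {"seq": 7, "ref": "INV-007", "account": "1000000000000032", "amount": 271_000},  # not in master
]

if __name__ == "__main__":
    run = validate_batch(TRANSACTIONS, BATCH_TRAILER)
    print("processed:", [t["seq"] for t in run.processed])
    for txn, why in run.suspense:
        print("suspense:", txn["seq"], txn["ref"], why)
    print("reconciliation:", run.reconciliation)
```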

CHAPTER 5:
APPLICATION CONTROLS REVIEW OF SPECIALISED SYSTEMS

As per SA 200, compliance procedures are tests designed to obtain reasonable assurance that those internal controls on which audit reliance is to be placed are in effect. As per ISACA ITAF 1007 "Assertions", the IS audit and assurance professional shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

Review of Application Controls
Application controls are implemented for a specific business purpose. Assess whether the business objectives from implementing them will be achieved.
Need for Application Controls: to draw a conclusion on:
• How much reliance to put on the entity's business application system.
• Planning IS audit procedures.
Procedures used to obtain evidence include:
1. Inquiry and confirmation
2. Re-performance
3. Recalculation
4. Computation
5. Analytical Procedures
6. Inspection
7. Observation
8. Other Generally Accepted Methods

Review of Business Application Controls through use of Audit Procedures
SA 500 "Audit Evidence": the auditor, while designing tests of controls, shall see whether the controls so put in place are effective.
• Inquiry and confirmation: Using a checklist, enquire and confirm whether controls are in place. Evaluate the existence of controls.
• Re-performance: Process test data to see how the system responds.

Application Controls Review for Specialised Systems

1. Artificial Intelligence (AI)
AI is the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages. The knowledge base is the most important component of artificial intelligence.
AI can be classified into three major categories:
• Cognitive Science: Focuses on how the human brain works and how humans think and learn. Ex: Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic.
• Robotics: Applications that give robots visual perception, the capability to feel by touch, dexterity and locomotion.
• Natural Languages: 'Converse' with computers in human languages. Interactive voice response and natural programming languages, closer to human conversation, are some of the applications.
IS Auditor's Role: The IS auditor has to be conversant with the controls relevant to these systems when they are used as an integral part of the organisation's business processes.

2. Data Warehouse
A central repository of clean, consistent, integrated and summarised information, extracted from multiple operational systems, for on-line query processing. Generally, data is processed by TPS (Transaction Processing Systems), also known as operational systems. Customers depositing and withdrawing money, applying for loans and opening accounts in a bank are examples of transaction processing systems.
IS Auditor's Role: The IS Auditor should consider the following while auditing a data warehouse:
1. Credibility
2. Accuracy
3. Complexity
4. Accuracy of extraction and transformation
5. Access control rules
6. Network capacity for speedy access

3. Decision Support System (DSS)
DSS are information systems that provide interactive information support to middle management through analytical models. They are ad hoc systems for specific decisions by individual managers. These systems answer queries that are not answered by the transaction processing systems.
Examples: Comparative sales figures, revenue and cost projections, evaluation of different alternatives.
IS Auditor's Role: 1. Credibility, 2. Accuracy of source data, 3. Accuracy of the extraction and transformation process, 4. Accuracy and correctness, 5. Access control rules.

4. Electronic Funds Transfer (EFT)
The Reserve Bank of India (RBI) has issued detailed guidelines for banks to follow for EFT transactions. RBI has specified that banks need to create procedural guidelines for the purpose of:
1. Verifying that a payment instruction (NEFT data file) is authorised.
2. Detecting errors in the transmission.
IS Auditor's Role: The major concerns shall be: (i) Authorisation of payments, (ii) Validation of receivers' details, (iii) Verifying the payments made, (iv) Getting acknowledgement, (v) Whether the obligation against which the payment was made has been fulfilled.

5. E-Commerce
E-commerce involves information sharing, payment, fulfilment of the contractual obligations of the parties, and service and support.
Risks of E-commerce: (i) Identity and nature of relationships, (ii) Integrity of transactions, (iii) Electronic processing of transactions, (iv) Systems' reliability, (v) Privacy issues, (vi) Return of goods, (vii) Taxation and regulatory issues.
IS Auditor's Role: The IS Auditor's responsibility shall be to assess whether the transactions have: 1. Authorisation, 2. Authentication, 3. Confirmation, 4. Whether the payment gateway is secured or not.

6. Point of Sale System (PoS)
Captures data at the time and place of the transaction. Often attached to scanners to read bar codes and magnetic cards for credit card payment and electronic sales. They provide significant cost and time savings as compared to manual methods.
IS Auditor's Role: (i) Evaluate the batch controls implemented by the organisation. (ii) Check if they are in operation. (iii) Review exceptional transaction logs. (iv) Check whether the internal control system is effective in ensuring the accuracy and completeness of the transactions.

7. Automatic Teller Machines (ATM)
A specialised form of POS terminal, designed for unattended use by the customer. The system provides a high level of logical and physical security.
Functions: Cash deposits; Cash withdrawals; Other operations like accepting request for
Guidelines for Internal Controls of ATM Systems which the Auditor shall Evaluate and Report:
• Authorised individuals' access
• Exception reports (attempts exceed limits)
• ATM liability coverage
• Onsite machine / Offsite machine
• Card: Issue against valid application; Custody of unissued cards; Return of old/unclaimed cards
• PIN: Controls on unused PINs; Control over activation of PINs; Procedure for issue of PINs; Ensure PINs do not appear in print; Control over retrieval of PINs

CHAPTER 6:
IT ENABLED ASSURANCE SERVICES

Classification of Audits
• Systems and Applications: Secure input, processing and output.
• Information Processing Facilities: Ensure timely, accurate and efficient processing.
• Systems Development: Developed in accordance with generally accepted standards.
• Management of IT and Enterprise Architecture: Ensure a controlled and efficient environment.
• Compliance Audits: Conducted to evaluate whether specific regulatory or industry standards are complied with. Examples: Payment Card Industry Data Security Standard audits, Health Insurance Portability and Accountability Act (HIPAA) audits, etc.
• Operational Audit: Evaluates the accuracy of internal controls of an application in operation or of logical security systems.
• Financial Audit: Assesses the accuracy of financial reporting. It often involves detailed, substantive testing.
• Integrated Audits: Combine financial, operational and other types of audit to assess the overall objectives to safeguard assets, efficiency and compliance. Can be performed by internal as well as external auditors.
• Administrative Audits: Efficiency of operational productivity.
• IS Audits
• Forensic Audit: Discovering, disclosing and following up on frauds and crimes.
• Specialised Audit: Examines areas such as services performed by third parties.
• Control Self-Assessment: Conducted by the business process owners but facilitated by the auditors. Setting the evaluation criteria and executing the evaluation are carried out by the business owners themselves.
• Internal Audit/Compliance Reviews: Performed by a third party who is not involved in the functioning of the enabler. More independent than a self-assessment because the auditor is not involved in the functioning of the enabler.
• Functional Audit: Conducted to evaluate and determine the accuracy of software functionality.

IT Enabled Services
Inadequate IT management practices, the solution, and the opportunity for an IS Auditor:
• Policies should be drafted: Create appropriate policies.
• Procedures arise from the policies: Assist in the development of the procedures.
• Appropriate application software selected: Assist in implementation. Participate in project management. Assist as scope manager in the SDLC process.
• Business workflows enforced in the applications: Design and develop the necessary workflows. Perform a BPR.
• Perform risk assessment and rank the risks: Identify those areas of high risk that need higher attention.
• Ensure appropriate segregation of duties by ensuring the right access is given to the right employees: Design roles and responsibilities. Review existing roles and responsibilities. Identify conflicts.
• Training to be provided: Regarding new workflows and procedures.

Fraud
Establishment of a strong internal control environment is necessary to deter fraud perpetration. For internal controls to be effective, they must be constantly evaluated for effectiveness and changed as business processes change.

Fraud Detection
Management is primarily responsible for the design of IT controls. A well-designed internal control system provides good deterrence against frauds and an opportunity for their timely detection. Internal controls may fail where they are circumvented by exploiting vulnerabilities, through management-facilitated weaknesses in controls, or through collusion. Legislation casts significant responsibilities on management, IS Auditors and the audit committee regarding the detection and disclosure of any fraud. IS Auditors should observe and exercise due professional care. IS Auditors should be aware of the possibility and means of perpetrating fraud; the IS Auditor may communicate the need for a detailed investigation.

1. Information Technology (Amendment) Act 2008: Casts responsibility on body corporates to protect sensitive personal information by implementing reasonable security practices and procedures. It also recognises and punishes offences committed by companies and individuals through the misuse of IT.
2. LODR of SEBI: Makes the top management accountable for weaknesses in the internal control systems. It requires CEOs and CFOs to certify the effectiveness of the internal controls.
3. CARO 2003: Requires verifying the adequacy of internal control procedures and determining whether there were any continuing failures to correct major weaknesses in internal controls. It also requires reporting whether any frauds on or by the company had been noticed or reported during the year.

National Cyber Security Policy: Aims at protecting information and information infrastructure in cyberspace and building capabilities to prevent and respond to cyber threats.

Standards relevant to fraud:
• Standard on Internal Audit (SIA) 11 defines fraud as: "An intentional act involving the use of deception to obtain unjust or illegal advantage". A fraud that involves the use of computers and computer networks is called a cyber fraud. IS Auditors need to have appropriate knowledge of relevant standards and regulations as well as the various data analysis tools and techniques available. Strengthening the system of internal controls is the best deterrence to frauds.
• SA 505 "External Confirmations": Deals with the auditor's use of external confirmation procedures to obtain audit evidence in accordance with the requirements of SA 330 and SA 500. The reliability of audit evidence is influenced by its source and is dependent on the circumstances in which it was obtained. Audit evidence is more reliable when it is obtained from independent sources outside of the entity being audited.
• SA 580 "Written Representations": Deals with the auditor's responsibility to obtain written representations from the management and, where appropriate, those charged with governance. Written representations do not absolve the IS Auditor from performing his duties while conducting the audit.
• SIA 2: Requires internal auditors to use their knowledge and skills to reasonably enable them to identify fraud indicators.
• SIA 11: Defines fraud and lays the responsibility for prevention and detection of frauds on the management and those charged with governance.
• SA 240: Requires an auditor to evaluate whether the information obtained from risk assessment procedures and related activities indicates the presence of fraud risk factors.
• SA 315: Requires an auditor to identify risks of material misstatement arising due to fraud. SA 315, the Standard on Risk Assessment Procedures issued by ICAI, is also applicable for risk assessment pertaining to an IS audit assignment. It requires that the IS Auditor perform risk assessment activities.

Cyber Fraud Investigation
Cyber fraud investigation procedures are:
1. Collecting and analysing documentation.
2. Conducting interviews.
3. Data mining and digital forensics.
Assessment essentially involves:
1. Identifying significant risks.
2. Assessing their likelihood and impact.
3. Determining where, how and by whom they may be committed.
4. Assessing whether existing controls would prevent their occurrence.

Cyber Fraud | Likelihood | Impact | Internal Controls
• Theft: Unauthorised access to computer hardware (e.g. data centres, server rooms, network devices, etc.). Likelihood: Low. Impact: High. Internal controls: 1. Key cards, 2. Security guards, 3. Visitor logs, 4. Circuit cameras, 5. Backup and recovery plans, 6. Physical access controls through biometrics, etc.
• Identity theft: Unauthorised access to personal information of customers and employees (e.g. credit card information of customers, login IDs and passwords of employees, etc.). Likelihood: Medium. Impact: High. Internal controls: 1. Unique user IDs, 2. Strict password policy, 3. IDS and firewalls, 4. Incident response policy, 5. Delete ex-employee access.
• Information theft: Unauthorised access to confidential information of the company (e.g. strategic plans, unpublished financial reports, etc.). Likelihood: Medium. Impact: High. Internal controls: 1. Segregation of duties, 2. Access logs, 3. Transaction logs, 4. Security violation logs, 5. Encryption.
• Copyright infringement: Unauthorised access to software and databases (e.g. software piracy, peer-to-peer file sharing, etc.). Likelihood: Medium. Impact: High. Internal controls: 1. Block peer-to-peer sharing, 2. Internet surveillance, 3. Software licensing, 4. Information sharing policy, 5. Protection of software code.

Questions for assessments and reviews for each of the seven components adapted from COBIT 2019 are given below:
1. Policies and Procedures: Documented and approved cyber fraud governance and management program.
2. Processes: Approved security policy; senior management conducts cyber fraud risk assessment regularly and remedial measures are implemented.
3. Organisation Structures: Clearly defined roles and responsibilities.
4. Culture, Ethics and Behaviour: Employee awareness programs and training.
5. Information Flows and Items: Proper reporting mechanism for notifying fraud concerns.
6. Services, Infrastructure and Applications: Use of technology.
7. People, Skills and Competencies: Expert teams to conduct periodic fraud investigations.

Cyber Forensics
Computer forensics is a process of identifying, preserving and analysing digital evidence, and presenting it in a manner legally acceptable in legal proceedings.
Integrity and reliability of evidence can be maintained through:
• Identification of information that is available and might form the evidence.
• Retrieving identified information and preserving it. Requires being able to document the chain of custody.
• Extracting, processing and interpreting the evidence.
• Presentation to relevant parties for acceptance of evidence.

Digital Forensics
For evidence to be admissible in a court of law, the chain of custody needs to be maintained professionally. Any electronic document can be used as digital evidence, provided the contents of the digital evidence are in their original state and have not been tampered with or modified during the process of evidence collection and analysis. The chain of evidence essentially contains information regarding:
• Who had access to the evidence (in chronological order)?
• The procedures followed in working with the evidence (such as disk duplication, virtual memory dump, etc.).
• Providing assurance that the analysis is based on copies that are identical to the original evidence.

Fraud Investigation Tools and Techniques
Computer Assisted Audit Techniques (CAAT) are the most effective tools and techniques to detect fraud. Useful functions available in CAAT are:
1. Stratification: identify abnormal strata
2. Classification: identify abnormal patterns
3. Summarisation: compute totals
4. Outliers: outside normal range
5. Benford's Law: identify possible fraud areas
6. Trend Analysis
7. Gap Test
8. Duplicate Test
9. Relation
10. Compare

Control Self Assessment
• Allows teams and their managers to directly assess the risk management and control processes.
• Major benefits of CSA are early detection of risks and more effective and improved internal controls.
• The IS Auditor's role in CSA is that of a facilitator.
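To show what the Benford's Law, gap and duplicate functions in the CAAT list above actually compute, here is an added example in Python (not from the chartbook) that runs them over a constructed invoice population with a deliberately planted block of suspicious invoices; the whole population is analysed rather than a sample, as the WorldCom lesson recommends. The population, vendor codes and the Rs 5,000 approval limit are assumptions.

```python
"""Added example (not from the chartbook): three CAAT functions from the list above
applied to a constructed invoice population: Benford first-digit test, gap test on
invoice numbering, and duplicate test. The whole population is analysed, never a
sample. The population, vendor codes and the approval limit are assumptions."""
import math
from collections import Counter


def benford_expected(digit: int) -> float:
    """Benford's Law: expected share of amounts whose first significant digit is `digit`."""
    return math.log10(1 + 1 / digit)


def first_digit(amount: float) -> int:
    """First significant digit of a monetary amount (0 if the amount is zero)."""
    text = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(text[0]) if text else 0


def benford_test(amounts, threshold: float = 0.05):
    """Compare the observed first-digit distribution with Benford's expectation.
    Returns ({digit: (observed, expected, deviation)}, [digits over-represented by
    more than `threshold`]); over-represented digits point to strata worth reviewing."""
    digits = [first_digit(a) for a in amounts]
    counts = Counter(d for d in digits if d > 0)
    n = sum(counts.values())
    report = {}
    for d in range(1, 10):
        observed = counts[d] / n if n else 0.0
        expected = benford_expected(d)
        report[d] = (round(observed, 3), round(expected, 3), round(observed - expected, 3))
    flagged = [d for d, (_, _, dev) in report.items() if dev > threshold]
    return report, flagged


def gap_test(invoice_numbers):
    """Gap test: ranges missing from an otherwise sequential numbering, as (first, last)."""
    nums = sorted(set(invoice_numbers))
    return [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]


def duplicate_test(invoices):
    """Duplicate test: (vendor, amount) pairs that occur more than once."""
    seen = Counter((inv["vendor"], inv["amount"]) for inv in invoices)
    return sorted(key for key, c in seen.items() if c > 1)


def build_population():
    """Constructed population: a Benford-conforming base (amounts 1000 * 10**x with x
    spread evenly over two decades) plus a planted block of 30 invoices just under a
    hypothetical Rs 5,000 approval limit, numbered out of sequence for one vendor."""
    invoices = []
    voided = {5100, 5101, 5102}        # legitimately cancelled numbers: an expected gap
    for i in range(400):
        number = 5001 + i
        if number in voided:
            continue
        invoices.append({"number": number, "vendor": f"V{i % 7}",
                         "amount": round(1000 * 10 ** (i / 200), 2)})
    for k in range(30):                # suspicious block: repeated amounts, one vendor
        invoices.append({"number": 5501 + k, "vendor": "V9",
                         "amount": 4900.0 + (k % 15) * 6})
    return invoices


if __name__ == "__main__":
    population = build_population()
    report, flagged = benford_test([inv["amount"] for inv in population])
    for d, (obs, exp, dev) in report.items():
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f} deviation {dev:+.3f}")
    print("over-represented digits:", flagged)
    print("gaps in numbering:", gap_test([inv["number"] for inv in population]))
    print("duplicate (vendor, amount) pairs:", len(duplicate_test(population)))
```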

1. THE $54 MILLION FRAUD
What happened?
She opened a secret account in the name of the city, in which she was the only signatory, created false state invoices, wrote checks in the name of "Treasurer" from city funds, and transferred the amount to the secret account.
How it happened?
The Treasurer of a town, Rita Crundwell, embezzled nearly $54 million over two decades and remained undetected in annual audits by two independent accounting firms and in annual audit reviews by state regulators.
Why it happened?
Due to lack of segregation of duties. In the absence of a city manager, Crundwell had a wide rein over the city's finances, which set the stage for her massive fraud.
Lesson and tips:
Roles and responsibilities must be clearly defined and proper segregation of duties must be enforced to ensure that no single person can be both maker and checker of a particular transaction flow. Auditors must ensure the existence of internal controls, with systems designed to prevent or deter these types of frauds.

2. COSMOS BANK FRAUD
Malware was sent to the ATMs of Cosmos Bank (the intended target).
• The malware created a proxy server which helped cloned debit cards to bypass the CBS.
• Fraudsters approved 14,800 transactions to withdraw Rs. 80.5 cr (2.5 cr in India).
• Another amount of Rs. 13.5 cr was transferred to a Hong Kong based entity through SWIFT.
Points to be noted:
• This happened because the ATMs were running on Microsoft XP or other unsupported software.
• RBI instructed banks to upgrade their software by June 2019.

3. The Satyam Fraud
A case of manipulation of the books of account by inflating revenues through fake invoices.
The company's standard billing systems were subverted to generate false invoices to show inflated sales. 7,561 invoices worth Rs. 51 billion (US$1.01 billion) were found hidden in the invoice management system using a Super User ID.
The charge framed against the auditors was that they did not bring the internal control deficiencies to the notice of the audit committee.
Lesson to Auditor:
Auditors must remember that anything can be faked in this modern technology-driven world and that they need to continuously update their skills and knowledge in order to keep up with the new challenges.

4. WORLDCOM FRAUD
The assessee recorded expenses as investment and made bogus revenue entries to hide the falling profit.
AUDITORS OF WORLDCOM
• Applied data mining techniques to search the data using small scripts and MS Access.
• They searched the entire population and found $500 million of debits in the PPE account for which invoices couldn't be found.
• Lesson: sampling is not recommended in fraud detection; rather, analysis of the entire population is required.

5. Bangladesh Central Bank Fraud
What Happened
• A malware attack was waged against Bangladesh Bank, the nation's central bank.
• 35 fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank.
• The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers.
• They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account of Bangladesh Bank.
Lessons & Tips
• The key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems.
• The Governor of Bangladesh Bank stated that he had foreseen cyber security vulnerabilities one year earlier and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, bureaucratic hurdles prevented the security firm from starting its operations.

Module : 2 - Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM Section
CHAPTER 1: CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
CHAPTER 1:
CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
KEY CONCEPTS OF GOVERNANCE
Process + Structures Enterprise Governance Conformance or Corporate Governance Dimension Enterprise Governance Framework
Governance ISO/IEC 38500 : “e system by which • e conformance dimension of governance covers corporate governance issues such Corporate governance Performance
Implemeted by Board
TO organisations are directed and controlled.” ‘e as: roles of the chairman and CEO, role and composition of the board of directors, management Internal Controls Enterprise Risk
Governance
Definition: 'set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly.'
[Figure: Inform, Direct, Manage, Monitor; Activities of Organisation; Achievement of objectives]
Board committees, controls assurance and risk management for compliance
• Established oversight mechanisms for the board to ensure that good corporate governance processes are effective.
• Include committees composed of independent non-executive directors, particularly the audit committee or its equivalent in countries where the two-tier board system is the norm.
Management
Risk management strategy has to be adapted, and it should be designed and promoted by the top management.
Objectives of Enterprise Governance: Benefit Realisation, Risk Optimisation, Resource Utilisation.
Performance or Business Governance Dimension
• The performance dimension of governance is pro-active in its approach.
• Focuses on strategy and value creation with the objective of helping the board to make strategic decisions, understand its risk appetite and key performance drivers.
• This dimension does not lend itself easily to a regime of standards and assurance as it is specific to enterprise goals and varies based on the mechanism to achieve them.
Corporate Governance and Regulatory Requirements
• Companies Act, 2013 - Mandatory internal audit and reporting on Internal Financial Controls [section 138]. The Act requires the auditor's report to include "whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls".
• The Information Technology Act - Provisions relating to maintaining privacy of information; imposes compliance requirements on management with penalties for non-compliance.
• The Sarbanes Oxley Act (SOX) - Implementation and review of internal controls relating to financial audit.
• SEBI introduced a mandatory audit to ensure that this is maintained as per its norms by all listed companies as part of corporate governance.
Corporate Governance
Defined as the system by which a company or enterprise is directed and controlled to achieve the objective of increasing shareholder value by enhancing economic performance.
It concerns relationships among the management, Board of Directors, the controlling shareholders and other stakeholders.
Good corporate governance requires sound internal control practices such as segregation of incompatible functions, elimination of conflict of interest, establishment of an audit committee, risk management and compliance with the relevant laws and standards including corporate disclosure requirements. Directors of a company are accountable to the shareholders.
Need for Corporate Governance
Some key concepts of corporate governance are:
• It provides strategic direction.
• Clear assignment of responsibilities incorporating a hierarchy of required approvals.
• Mechanism for the interaction among the board of directors, senior management and the auditors.
• Implementing strong internal control systems, including internal and external audit functions and risk management functions.
• Monitoring of risk exposures.
• Financial and managerial incentives to act in an appropriate manner.
• Appropriate information flows internally and to the public.
Corporate Governance Participants
• Board of Directors & Committees
• Risk & Performance Management
• Business Practices & Ethics
• Communication
• Disclosure & Transparency
• Monitoring
• Legal & Regulatory
Enterprise Governance of Information and Technology (EGIT)
Sub-set of corporate governance; facilitates implementation of a framework of IS controls within an enterprise as relevant and encompassing all key areas. The key benefit of using EGIT is that it provides a consistent approach integrated and aligned with the enterprise governance approach.
IT also acts as a strategic partner which helps enterprises in achieving both competitive and strategic advantage.
Reserve Bank of India issues guidelines covering various aspects of secure technology deployment. Guidelines are prepared based on various global best practices such as COBIT 2019 and ISO 27001. The Information Technology Rules, 2011 outline the need for maintaining secrecy of personal and sensitive information and identify ISO 27001 as "Reasonable Security Practices and Procedures" for implementing best practices.
Conformance vs Performance
• Area: Conformance (Corporate) | Performance (Business)
• Scope: Board structure, roles and remuneration | Strategic decision making and value creation
• Addressed via: Standards and codes | Best practices, tools and techniques
• Auditability: Can be audited for compliance | Not easily auditable
• Oversight mechanism: Audit Committee | Balanced scorecards
IT Governance Framework
• Structures: Roles and responsibilities, IT organisation structure, CIO on Board, IT strategy committee, IT steering committee(s).
• Processes: Strategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT and ITIL, IT alignment/governance maturity models.
• Relational mechanisms: Active participation and collaboration between principal stakeholders, partnership rewards and incentives, business/IT co-location, cross-functional business/IT training and rotation.
Implementing EGIT
EGIT in organizations requires understanding concepts of governance, IT deployment and how IT can be used to implement governance. EGIT is a blend of these concepts. Implementing EGIT requires establishing the right structures with defined roles and responsibilities and implementing relevant processes using best practices.
Implementing EGIT from the conformance (corporate) perspective would require viewing the enterprise at macro level and considering not only the business but also the external linkages. In the case of performance (business), the enterprise has to be viewed at internal level with the focus on the processes and activities within the enterprise.
Guidelines for Implementing EGIT
The COBIT 2019 implementation guide provides a systematic approach with defined phases and specific roles and responsibilities for implementing EGIT. This approach can be customized and used by any organization.
CA Rajat Agrawal www.prokhata.com 17


Module : 2 - Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM Section
CHAPTER 1: CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
Systemic Approach to Implementing EGIT
Focus should be first on implementing the systems and processes and then automating, rather than expecting that automation will implement systems and processes as required. Frameworks such as COBIT 2019 also provide a systematic approach for implementing the relevant frameworks.
General guidelines on implementing EGIT
1. Aligning IT Goals with Business Goals: IT goals set out in the IT strategy plan should clearly support the achievement of one or more business goals. Achieved through:
• Clear goals, communicated to the entire organisation.
• Involvement of IT in the business strategy process.
• Align IT goals to business goals.
• Derive IT strategy from business strategy.
2. Formalise and Implement the Right IT Governance Processes: After aligning, implement the required set of efficient and effective IT governance and management processes. It is important to select the most critical processes based on business priorities, assign process owners, develop metrics and monitor the achievement of each process as per the set objectives.
3. Establish Required IT Organisation and Decision Structure: Effective governance of enterprise IT is determined by the way the IT department is organised and where the IT decision-making authority is located within the organisation.
4. Involve Board of Directors/Executive Management in IT Related Matters: Executive management has to be aware of and actively participate in the existing governance activities.
5. Govern and Manage Roles and Responsibilities: The Board should ensure that governance and management structures are established, involving the organisation, the location of the IT function, the existence of clearly defined roles and responsibilities and a diversity of IT/business committees. The ultimate responsibility for IT governance lies with management.
6. Establish IT Strategy and IT Steering Committee: The IT strategy committee has to operate at board level and the IT steering committee at executive level, with each committee having specific responsibility, authority and membership.
7. Plan, Align and Manage IT Enabled Investment as a Portfolio: Clear responsibility has to be allocated: IT is responsible for execution of IT enabled projects, but business has to be responsible for analysing the anticipated benefits and making decisions.
8. Implement Performance Measurement System Integrated with Regular Process: The performance management system could be integrated using the balanced scorecard technique with the complete set of metrics consolidated for different levels and areas as required.
9. Establish Sustainability Through Support, Monitoring and Regular Communication: Aligning business goals with IT goals requires ongoing and constant interaction between IT and the business function. This requires a constant communication channel and mechanism to encourage the relationship between business and IT.

Enterprise Risk Management
Management is to ensure that the enterprise risk management strategy considers information and its associated risks while formulating IT security and controls as relevant. IT security and controls are a subset of the overall enterprise risk management strategy and encompass all aspects of activities and operations of the enterprise.
Governance Objectives
Specified in COBIT 2019 are these governance objectives:
• Benefit Realisation: The value that I&T delivers should be aligned directly with the values on which the business is focussed, and measured in a way that transparently shows the impacts and contribution of the I&T-enabled investments.
• Risk Optimisation: Value delivery focuses on the creation of value; risk management focuses on the preservation of value.
• Resource Optimisation: The main objective of IT governance is optimal use of technology resources. The right capabilities are in place to execute the strategic plan and sufficient, appropriate and effective resources are provided.
Internal Controls
"An effective internal control system is an essential part of the efficient management of a company", established through the governance system.
It is an element of the management system rather than an aspect of the governance system.
IS Auditors may be required to review and evaluate the system of governance, risk management and controls. The auditor provides appropriate recommendations for mitigating control weaknesses.
[Figure: The Process of Internal Control]

CHAPTER 2:
GRC FRAMEWORKS AND RISK MANAGEMENT PRACTICES
Governance, Risk and Compliance is a regulatory requirement, and this can be effectively implemented using well established frameworks. There is a need to adopt a macro level and architecture perspective for securing information and information systems. Senior management have to be involved in providing direction on how governance, risk and control are implemented using a holistic approach encompassing all levels from strategy to execution. The Board of Directors have to evaluate, direct and monitor effective use of I&T to achieve enterprise objectives. Best practice frameworks can be customized to meet stakeholder requirements. IS Auditors can assist management in implementing these frameworks. Management have to certify whether risk management and internal controls have been implemented as per organisation needs and auditors have to certify whether this implementation is appropriate and adequate.
GRC Frameworks
COBIT 2019
The COBIT 2019 Core Model and its 40 Governance and Management objectives provide the platform for establishing your governance program; the performance management system is updated and allows the flexibility to use maturity measurements as well as capability measurements; introductions to design factors and focus areas offer additional practical guidance on flexible adoption of COBIT 2019.
COBIT 2019 can be used as a benchmark for reviewing and implementing governance and management of enterprise I&T.
COBIT 2019 enables I&T to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and I&T functional areas of responsibility, considering the I&T related interests of internal and external stakeholders.
Integrating COBIT 2019 with Other Frameworks: COBIT 2019 acts as the single overarching framework, which serves as a consistent and integrated source of guidance in a non-technical, technology-agnostic common language.
Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) Domain.
Management objectives are grouped into four Domains:
• Align, Plan and Organise (APO): Addresses the overall organization strategy and supporting activities for I&T.
• Build, Acquire and Implement (BAI): Treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
• Deliver, Service and Support (DSS): Addresses the operational delivery and support of I&T services.
• Monitor, Evaluate and Assess (MEA): Addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.
ISO 27001
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS). The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts.
ISO 27001 consists of 114 controls and 10 management system clauses that together support the implementation and maintenance of the standard.
ISO/IEC 27001:2013 controls:
1. A.5 Information security policies
2. A.6 Organisation of information security
3. A.7 Human resources security
4. A.8 Asset management
5. A.9 Access control
6. A.10 Cryptography
7. A.11 Physical and environmental security
8. A.12 Operational security
9. A.13 Communications security
10. A.14 System acquisition, development and maintenance
11. A.15 Supplier relationships
12. A.16 Information security incident management
13. A.17 Information security aspects of BCM
14. A.18 Compliance
ISO 31000
The standard primarily adopts AS/NZS 4360 for risk management. "Risk management – Guidelines" provides principles, a framework and a process for managing risk.
ISO 38500:2015
ISO/IEC 38500 is an international standard for corporate governance of information technology. It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT.
The purpose of ISO/IEC 38500:2015 is to promote effective, efficient, and acceptable use of IT in all organizations by assuring stakeholders that the standard is followed, guiding governing bodies, and providing a vocabulary for the governance of IT.
Enterprise Risk Management
Risk Management
Risk management processes primarily focus on three major areas, viz. Market Risk, Credit Risk and Operational Risk. Most organizations address the first two, i.e. market risk and credit risk, since these are part and parcel of business activities, whereas operational risks address the issues and concerns related to operations of a business.
[Figure: Enterprise Risk Management covers Business Risk (Market Risk, Operational Risk), Strategic Risk (Competition) and IT Risk]
Risk Management in COBIT 2019
The Governance Domain contains five governance processes, and one of them, EDM03: Ensured Risk Optimisation, primarily focusses on stakeholders' risk-related objectives.
The COBIT 2019 management domain Align, Plan and Organise contains a risk related process, APO12: Managed Risk. There are 3 broad categories of risk management:
• Evaluate Risk Management: Continually examine and make judgment on the effect of risk on the current and future use of I&T in the enterprise.
• Direct Risk Management: Direct the establishment of risk management practices to provide reasonable assurance that I&T risk management practices are appropriate and that the actual I&T risk does not exceed the board's risk appetite.
• Monitor Risk Management: Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported on for remediation.
Metrics of Risk Management
• Percentage of critical business processes, I&T services and I&T-enabled business programs covered by risk assessment;
• Number of significant I&T related incidents not identified;
• Percentage of enterprise risk assessments including I&T related risks;
• Frequency of updating the risk profile based on status of assessment of risks.
Key Management Practices of Risk Management (APO12: Managed Risk)
• Collect Data: To enable effective I&T related risk identification, analysis and reporting.
• Analyze Risk: Develop a substantiated view on actual I&T risk in support of risk decisions.
• Maintain a Risk Profile: Maintain an inventory of known risks and risk attributes.
• Articulate Risk: Provide information on the current state of I&T related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
• Define a Risk Management Action Portfolio: Manage opportunities and reduce risk to an acceptable level.
• Respond to Risk: Respond in a timely manner with effective measures to limit the magnitude of loss.

[Figure: COBIT 2019 overview]
Inputs to COBIT 2019: COBIT 5; Standards, Frameworks and Regulations; Community Contribution.
COBIT Core: Reference Model of Governance and Management Objectives, tailored through Design Factors and Focus Areas into the enterprise's Governance System for Information and Technology.
Design Factors: Enterprise Strategy, Enterprise Goals, Enterprise Size, Role of IT, Sourcing model for IT, Compliance requirements, etc.
Focus Areas: SME, Security, Risk, DevOps, etc.
Objectives legible in the figure:
• EDM: EDM01 Ensured Governance Framework Setting and Maintenance; EDM03 Ensured Risk Optimization; EDM04 Ensured Resource Optimization; EDM05 Ensured Stakeholder Engagement.
• APO: APO01 Managed IT Management Framework; APO02 Managed Strategy; APO03 Managed Enterprise Architecture; APO04 Managed Innovation; APO05 Managed Portfolio; APO06 Managed Budget and Costs; APO07 Managed Human Resources; APO08 Managed Relationships; APO09 Managed Service Agreements; APO10 Managed Vendors; APO11 Managed Quality; APO12 Managed Risk; APO13 Managed Security; APO14 Managed Data.
• BAI: BAI01 Managed Programs; BAI04 Managed Availability and Capacity; BAI05 Managed Organizational Change; BAI06 Managed IT Changes; BAI07 Managed IT Change Acceptance and Transitioning; BAI08 Managed Knowledge; BAI09 Managed Assets; BAI11 Managed Projects.
• DSS: DSS01 Managed Operations; DSS02 Managed Service Requests and Incidents; DSS03 Managed Problems; DSS04 Managed Continuity; DSS05 Managed Security Services; DSS06 Managed Business Process Controls.
• MEA: MEA01 Managed Performance and Conformance Monitoring; MEA02 Managed System of Internal Control; MEA03 Managed Compliance With External Requirements; MEA04 Managed Assurance.

Risk Factors
• External risk factors include political situations, the economy, regulations, natural disasters, competition.
• Internal risk factors include the organization's culture, internal environment affecting employees' morale, policies, ethics and values projected by senior management, process environment, control environment and so on.
Categories of Risks
• Business Risks: Inherent risks associated with the nature of business.
• Market Risks: Risks associated with fluctuations in the market.
• Financial Risks: Risks associated with financial decisions.
• Operational Risks: Associated with failure of operations of the organization.
• Strategic Risks: Associated with incorrect and inappropriate strategy selection and implementation.
• IT Risks: How the company's IT infrastructure relates to business operations.
• Compliance Risks: When an organization does not comply with legal, regulatory, contractual or internal compliance requirements.
• Reputational Risk: Chance of losses due to a declining reputation.
Elements of Risk Management
• Top Management Support: Risk management must start and be supported at the highest level within the company.
• Proactive Approach: Involves the active identification and scanning of changes in the risk profile and reporting on managing the risk profile.
• No Ambiguity: Clear definition of the risks, and these must be understood across the organization.
• Accountability: Responsibility for responding to and managing the risks must be clearly understood.
• Resource Allocation: Appropriate resources need to be made available to help managers, executives and others to conduct their obligations within the risk management framework.
• Cultural Change: The organization's culture must provide for the active management of risk.
Developing Strategies for Information Risk Management
• Two models for risk management: centralized and decentralized.
• The model selection depends upon the organization's particular operations, significant risks, culture of the organization, management style etc.
• In a centralized model the Information Risk Management team develops policies for the board to consider. The decentralized model requires the involvement of front-line staff in managing the inherent risks.
Risk Management Process
The objective of the risk management process is to ensure that the organization can manage risks within acceptable limits. These limits are decided by Risk Appetite and Risk Tolerance.
• Risk Appetite: Ability of the organization to sustain losses due to materialization of risk. It also represents the ability of the organization to take risk while considering new business initiatives. It is a broader concept.
• Risk Tolerance: The limit up to which the organization can tolerate loss of business in case a risk materializes. If a risk materializes, the organization must recover from it within a specific time. It is a narrower concept.
The IT risk management process follows these steps:
1. Establish the context
2. Risk identification
3. Risk evaluation
4. Risk prioritization
5. Risk response
6. Risk mitigation
7. Risk monitoring
1. Risk Identification
Some methods of risk identification:
• Workshop and brainstorming sessions with stakeholders and process owners. In case process owners do not agree, a method called the Delphi technique may be used to assess the risks.
• Use of generic risk scenarios based on industry experience and historical data.
• Review and audit of processes and technology. This includes vulnerability assessment and audit findings.
(I) Risk Components
It is important to understand all the specific components of all identified risks, and these are:
• Risk Scenario: A possible event due to the materializing of one or more risks.
• Threat: Reason for risk materialization.
• Vulnerability: Weakness that gets exploited due to a threat.
• Likelihood / Probability: Judgment of the possibility that a threat shall exploit a vulnerability.
• Impact / Consequences: When a threat materializes, it will affect normal functioning, which might result in loss of business or interruption of services.
• Response: Action plan designed by the organization to minimize the impact or likelihood of the risk materializing. Four types are: Accept, Transfer, Avoid and Mitigate.
• Controls / Mitigation: In order to mitigate risk, management implements controls.
• Inherent Risk: Total risk without any controls is inherent risk.
• Residual Risk: Controls cannot mitigate the risk completely. Residual risk also includes accepted risk.
• Risk Aggregation: A risk has a different impact on different business functions/locations. From the organization's perspective it is necessary to present them as total risk for the organization.
• Risk Profile: Collective view of all risks an organization is likely to face.
• Risk Register: A document that is maintained to provide information on identified risks.
• Heat Map: Graphical representation of the risk profile.
• Risk Owner: Person or entity that is responsible for evaluation and decision of response for an identified risk.
(II) Threat Profile / Inventory
A list of all possible threats that might have an impact on the organization.
• Physical and environmental threats like fire, theft etc.
• External threats that are not in the control of the organization, like hackers.
• Internal threats are those initiated within the organization, for example a disgruntled employee, unauthorized access etc.
• Natural threats like earthquake, floods, tsunami etc.
(III) Vulnerability Assessment
An evaluation to identify gaps and vulnerabilities in your network, servers, etc. which helps you validate your configuration and patch management and identify steps to improve your information security. Assessments are typically performed according to the following steps:
a. Cataloguing assets and resources in a system.
b. Assigning quantifiable value or rank and importance to those resources.
c. Identifying the vulnerabilities or potential threats to each resource.
(IV) Asset Inventory
ISO27001:2005 also recommends implementing controls around assets by prioritizing them based on the results of risk evaluation. (ISO27001:2013 recommends ISO31000 for risk management and also states that risk management need not be asset based.)
(V) Risk Register and Control Catalogue
Collective record of all identified and evaluated risks along with risk owner and risk response. The structure of the risk register must contain risk scenario, likelihood, assets impacted and overall impact on business. It must be maintained through an updating process. It is used to develop the risk profile for reporting to management and approval.

2. Risk Evaluation
Also called risk assessment: the process for assessing likelihood and impact of identified risks. There are two methods:
• Quantitative Risk Analysis: Expressing total risk in monetary terms.
• Qualitative Risk Analysis: Expressing total risk with a qualification like high, low etc.
3. Determine Likelihood of Risk
Several factors need to be considered when determining this likelihood:
(a) Consider the source of the threat, the motivation behind the threat, and the capability of the source.
(b) Determine the nature of the vulnerability, and
(c) The existence and effectiveness of current controls to deter or mitigate the vulnerability.
4. Risk Prioritization
Organizations generally use the risk profile and heat map to prioritize evaluated risks based on the criticality of risks and the priorities of business objectives.
5. Risk Response
• Accept the Risk: Some risks may be considered minor, and consciously accepting the risk as a cost of doing business is appropriate.
• Avoid the Risk: Some risks are associated with the use of a particular technology, supplier, or vendor. Risk can be avoided/eliminated by replacing the technology, suppliers and vendors.
• Transfer the Risk: Risk mitigation approaches can be shared with trading partners and suppliers.
• Mitigate the Risk: Suitable controls must be devised and implemented to prevent the risk.
Risk Monitoring
• Periodic review of identified and evaluated risks to confirm that the evaluation is appropriate.
• Review of risks associated with changes in infrastructure.
• Audit findings also require review of risks.
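The risk register, evaluation, prioritization and response steps above, carried through in code as an added example that is not part of the chartbook: it builds a small register, computes inherent and residual risk both qualitatively (likelihood x aggregated impact on a 1..5 scale) and quantitatively (annualised loss in rupees), bands the scores into a heat map and recommends a response against an assumed risk tolerance. All scenarios, ratings, cut-offs and rupee figures are constructed assumptions.

```python
"""Worked risk-register example: inherent vs residual risk, heat-map
prioritisation and a response choice checked against risk tolerance.

All scenarios, ratings, rupee figures and thresholds are constructed
sample data (assumptions), not figures from the chartbook."""
from dataclasses import dataclass

# Assumed 1..5 ordinal scale for likelihood and impact (qualitative analysis).
LOW, MEDIUM, HIGH = "Low", "Medium", "High"
BANDS = ((15, HIGH), (8, MEDIUM), (0, LOW))  # assumed heat-map cut-offs on score

# Assumed risk tolerance: residual score and annualised loss the board accepts.
TOLERANCE_SCORE = 8.0
TOLERANCE_ALE = 500_000.0  # rupees per year


@dataclass
class RiskScenario:
    """One row of the register: scenario, threat, vulnerability, assets,
    likelihood, impact per business function, controls and risk owner."""
    scenario: str
    threat: str
    vulnerability: str
    assets: list
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impacts: dict                 # business function -> impact rating 1..5
    annual_frequency: float       # expected events per year (quantitative view)
    loss_per_event: float         # total loss per event in rupees, all functions
    control_effectiveness: float  # 0..1 share of risk removed by current controls
    transferable: bool = False    # e.g. insurable or contractually shiftable
    owner: str = "unassigned"


def aggregate_impact(r: RiskScenario) -> int:
    """Risk aggregation: one organisation-wide impact for a risk that hits
    several functions; the worst-affected function drives the rating."""
    return max(r.impacts.values())


def inherent_score(r: RiskScenario) -> float:
    """Qualitative inherent risk = likelihood x aggregated impact (no controls)."""
    return float(r.likelihood * aggregate_impact(r))


def residual_score(r: RiskScenario) -> float:
    """Residual risk = what the current controls leave behind."""
    return inherent_score(r) * (1.0 - r.control_effectiveness)


def inherent_ale(r: RiskScenario) -> float:
    """Quantitative inherent risk in money: annualised loss expectancy."""
    return r.annual_frequency * r.loss_per_event


def residual_ale(r: RiskScenario) -> float:
    return inherent_ale(r) * (1.0 - r.control_effectiveness)


def heat_band(score: float) -> str:
    """Map a score onto a heat-map band (cut-offs are assumptions)."""
    for cutoff, band in BANDS:
        if score >= cutoff:
            return band
    return LOW


def recommend_response(r: RiskScenario) -> str:
    """Accept within tolerance; otherwise transfer if possible, else mitigate."""
    within = residual_score(r) <= TOLERANCE_SCORE and residual_ale(r) <= TOLERANCE_ALE
    if within:
        return "Accept"
    return "Transfer" if r.transferable else "Mitigate"


def prioritise(register):
    """Risk prioritisation: highest residual score first, ties broken by money."""
    return sorted(register, key=lambda r: (residual_score(r), residual_ale(r)), reverse=True)


def heat_map(register, scorer=residual_score):
    """Risk profile as heat-map band -> scenario names (the data behind a heat map)."""
    grid = {HIGH: [], MEDIUM: [], LOW: []}
    for r in register:
        grid[heat_band(scorer(r))].append(r.scenario)
    return grid


# Constructed sample register (assumed values, for illustration only).
REGISTER = [
    RiskScenario("Ransomware on file servers", "organised crime", "unpatched SMB hosts",
                 ["file servers", "backups"], 4, {"Finance": 5, "Operations": 4},
                 0.5, 2_000_000, 0.5, transferable=True, owner="CISO"),
    RiskScenario("Phishing leading to credential theft", "external attacker",
                 "no MFA on webmail", ["email", "ERP"], 5, {"HR": 3, "Finance": 3},
                 2.0, 100_000, 0.3, owner="IT Security Manager"),
    RiskScenario("Data centre flood", "natural", "ground-floor server room",
                 ["data centre"], 1, {"Operations": 5},
                 0.05, 5_000_000, 0.2, owner="Facilities Head"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.scenario:38s} inherent={inherent_score(r):4.1f} ({heat_band(inherent_score(r))}) "
              f"residual={residual_score(r):4.1f} ({heat_band(residual_score(r))}) "
              f"ALE={residual_ale(r):>10,.0f} -> {recommend_response(r)} [{r.owner}]")
```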
IS Risks and Risk Management
IS security is defined as "procedures and practices to assure that computer facilities are available at all required times, that data is processed completely and efficiently and that access to data in computer systems is restricted to authorized people". IS Auditors are required to evaluate whether the available controls are adequate and appropriate to mitigate the risks. If controls are unavailable, this has to be reported to auditee management with appropriate recommendations to mitigate the risks.
Compliance in COBIT 2019 - MEA03: Managed Compliance with External Requirements
Key Management Practices of IT Compliance
• Identify: Compliance with external laws and regulations. Identify changes in local and international laws and regulations.
• Optimize: Consider industry standards, codes of good practice.
• Confirm: Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
• Obtain Assurance.
Key Metrics for Assessing Compliance Process
• Cost of IT non-compliance.
• Number of IT related non-compliance issues reported to the board or causing public comment.
• Non-compliance relating to contractual agreements with IT service providers.
• Coverage of compliance assessments.
• Corrective actions to address compliance gaps are closed in a timely manner.
IT Compliance with Internal Policies:
• Number of incidents related to non-compliance to policy;
• Percentage of stakeholders who understand policies;
• Percentage of policies supported by effective standards and working practices; and
• Frequency of policy review and updates.
Information Technology Act 2000
The Information Technology Act 2000 (Amended 2008) provides that any organization collecting PII shall be liable in case the absence of reasonable security of such information results in identity theft.
Addition with Section 43A
• Deals with compensation for failure to protect data.
• A body corporate dealing with sensitive personal data and negligent in security will have to pay compensation to the affected person.
Addition with Section 69B
• Deals with cyber security.
• This section gives power to the government: a computer resource from which data/information traffic is occurring can be monitored, or monitoring authorised.
• Subscribers are to assist the government by providing data, otherwise liable to pay.
Addition with Section 70B
Power to the central government to appoint the Indian Computer Emergency Response Team; this agency will do data collection, information analysis, forecast, take emergency measures, ensure coordination and issue guidelines.
Addition with Section 72A
Punishment for disclosure of information in breach of lawful contract.
General
The enterprise appoints a designated officer/nodal officer/computer-in-charge to comply with the directions of the competent authority/agency; details of such designated officer/nodal officer are to be readily available online.
Section 7A Audit of documents in Electronic Form: Where in any law there is a provision for audit of documents, that provision shall also be applicable for audit of documents maintained in electronic form.
Section 43A of the (Indian) Information Technology Act: important to note that no upper limit is specified for the compensation.
The IT Act 2008 punishes offences; Sections 66 to 66F and 67 deal with the following crimes:
• Sending offensive messages using electronic medium for unacceptable purposes
• Dishonestly receiving stolen computer resource
• Unauthorized access to computer resources
• Identity theft / cheating by personation using computer
• Violation of privacy
• Cyber terrorism / offences using computer
• Publishing or transmitting obscene material
Section 72A: imprisonment for a term extending to three years or fine extending to INR 5,00,000 or both.

General Data Protection Regulation (GDPR)
The introduction of the European Union's ("EU") regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data has implications for Indian entities processing personal data of EU residents. "Personal data" is defined as information relating to an identified or identifiable natural person (i.e. "Data Subject"). An identifiable natural person is one who can be identified, in particular by reference to an identifier; such information is considered 'personal data' under the GDPR. Fines of up to EUR 10,000,000 or 20,000,000, or in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The Personal Data Protection Bill, 2019
The Bill provides for the protection of personal data of individuals, and establishes a Data Protection Authority for the same.
The Bill governs the processing of personal data by: (i) Government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
Personal data includes financial data, biometric data, caste, religious or political belief, or any other category specified by the government.
Obligations of data fiduciary
A data fiduciary is an entity who decides the means and purpose of processing personal data. All data fiduciaries must undertake certain transparency and accountability measures such as:
• Implementing security safeguards (such as data encryption and preventing misuse of data).
• Instituting grievance redressal mechanisms to address complaints of individuals.
Rights of the individual
• Obtain confirmation from the fiduciary.
• Seek correction of inaccurate, incomplete, or out-of-date personal data.
• Have personal data transferred to any other data fiduciary.
• Restrict continuing disclosure of their personal data by a fiduciary if no longer necessary or consent is withdrawn.
Transfer of data outside India
• Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
Offences
• Processing or transferring personal data in violation of the Bill: fine of Rs 15 crore or 4% of the annual turnover, whichever is higher.
• Failure to conduct a data audit: fine of five crore rupees or 2% of annual turnover, whichever is higher.
• Re-identification and processing without consent: punishable with imprisonment of up to three years, or fine, or both.



CHAPTER 3: KEY COMPONENTS OF A GOVERNANCE SYSTEM
Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.
COBIT 2019 Governance System Principles
Principle 1: Provide Stakeholder Value
COBIT 2019 provides all of the required processes and other components to support business value creation through the use of I&T. An enterprise can customize COBIT 2019 to suit its own context.
Principle 2: End-to-End Governance System
COBIT 2019 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise; COBIT 2019 does not focus only on the IT function but treats information and related technologies as assets.
Principle 3: Tailored to Enterprise Needs
A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the governance system components.
Principle 4: Holistic Approach
COBIT 2019 defines a set of components to support the implementation of a comprehensive enterprise governance system for I&T. Components are broadly defined as anything that can help to achieve objectives of the enterprise.
Principle 5: Governance Distinct from Management
The two disciplines encompass different types of activities, require different organizational structures and serve different purposes.
IT Steering Committee | IT Strategy Committee
• Evaluate stakeholder needs | • PBRM (Plan, Build, Run, Monitor) activities
• Determine agreed-on enterprise objectives | • Align with direction set by the governance body
• Set direction: prioritization and decision making | • Achieve enterprise objectives
• Monitor performance and compliance | • Monitor and report performance and conformance
• Responsibility: Board of directors | • Responsibility: Management at all levels
Principle 6: Dynamic Governance System
Each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.

Components of the Governance System as per COBIT 2019

1. Principles, Policies, Procedures
Purpose: Convey the governing bodies' and management's direction & instructions.
Reason for implementing: Translate desired strategy into practical guidance for day to day management.
Difference between policies & principles: Principles need to be limited in numbers.
Characteristics of good policies: Be Effective (to achieve purpose), Be Efficient (in implementing), Non-Intrusive (make sense).
Policies should have a framework in place where they can be effectively managed.
Policy should be: Comprehensive, Open & flexible, Up to date.
Purpose of a policy life cycle is that it must support a policy framework.
Good practice requirements have to be approved by the Board.

2. Processes: Collection of Practices
Process: practices, i.e. ‘Guidance’ to achieve process goals.
Process activities: ‘Guidance’ to achieve management practices for successful governance and management of enterprise IT.
Inputs and Outputs: Considered necessary to support operation of the process.
Each process should provide:
• Process description, Process purpose statement, IT-related Goals
• Each IT-related goal is associated with a set of generic related metrics
• Process Goals
• Each process goal is associated with a set of generic metrics.
• Process contains a set of Management Practices, associated with a generic RACI chart (Responsible, Accountable, Consulted, Informed)
• Management practices contain a set of inputs and outputs (called work products)
• Each management practice is associated with a set of activities.
• It clearly distinguishes between Governance processes and management processes.

3. Organizational Structures
• Establishing accountability mechanisms through appropriate organisation structure.
• RACI chart helps in defining roles and responsibilities covering risks and controls for all critical areas.
Good practices of organizational structure:
Operating Principles: The practical arrangements regarding how the structure will operate.
Level of Authority: Decisions that the structure is authorized to take.
Escalation Procedures: Actions in case of problems in making decisions.
Span of Control: Boundaries of the organization structure’s decision rights.
Delegation of Responsibility: Delegate a subset of its decision rights to other structures reporting to it.
Stake Holders (organisation chart): Board of Directors → CEO → Chief People Officer (HR), Chief Financial Officer, Chief Operations Officer, Chief Technology Officer, Chief Marketing Officer → Managers → Teams.



IT organisation chart: Chief Executive Officer → Chief Internal Auditor, Chief Technology Officer/Chief Information Officer, Chief Risk Officer → IS Auditors; IT Development Manager; Technical Support Managers; IT Operations Manager; Chief Information Security Officer → Application Systems Development Manager; Systems End User Support Manager; Database Administrator; Security Manager → Application Systems Analysts; Application Systems Programmers; Network Administrator; Systems Administrator; Quality Assurance Manager.

Organisation and Structure
IT Strategy Committee
• Composed of board and non-board members.
• Operates at board level.
• Assists board in governing & overseeing the enterprise IT related matters.
• Ensures IT is a regular item on the board agenda.
• Responsibility of implementation of EGIT.
Responsibility of IT Strategy Committee
• Ensures alignment of IT and business objectives.
• It identifies exposures to IT risks.
• It provides strategic directions to management regarding Information Technology.
IT Steering Committee
• Comprises functional heads from key departments including audit and IT department.
• Situated at executive level.
• Depending on size, gives appropriate direction to IT deployment & Information System.
• Role & responsibility of this committee and its members are documented and approved by senior management.
Responsibility of IT Steering Committee
• It is the responsibility of the steering committee to approve project plans and budget.
• Aligns project workings with business requirement and provides continuous monitoring.
• The steering committee has overall responsibility for system development projects.
Appointment: By the Board.
Responsibilities: Defined in a formal charter, which should be approved by the Board.
Objective: IS department is aligned with the organization’s mission and objectives.
Chairman: Member of the board of directors who understands information technology risks and issues.
Representation: Broad-based and cross-section of senior business managers.

4. Culture, Ethics and Behaviour
Culture is shaped and transformed by consistent patterns of senior management action.
Some examples are:
• Behaviour towards risk taking.
• Behaviour towards the enterprise’s principles
• Behaviour towards negative outcomes
• Rules and norms which provide more guidance
Good practices:
• Communication throughout the enterprise of desired behaviours and corporate values.
• Awareness of desired behaviour strengthened by senior management example.
• Incentives to encourage and deterrents to enforce desired behaviour.

5. Information
Information is the most valuable asset; what matters is how well information is processed and made available at the requisite level of security.
Quality of Information: Relevancy (helpful), Appropriateness (volume of information), Consistency (same format), Ease of Manipulation (apply to different tasks), Completeness (information is not missing), Conciseness (compactly represented), Understandability (understandable).

6. Services, Infrastructure and Applications
Services are provided by IT to business and stakeholders to meet internal as well as external requirements. Application helps in providing services by processing information. Application is hosted using IT infrastructure. All three aspects: services, infrastructure and applications must be considered together.
Five architecture principles: Reuse (components), Buy vs. Build (first preference purchase), Simplicity (as simple as possible), Agility (changing business needs), Openness (architecture industry standards).

7. People, Skills and Competencies
These are the most valuable asset of an enterprise. Most of the routine transaction processing is automated. It is the people with the required skills and competencies who are the key differentiator. In order to ensure appropriate skills, organizations follow various people management practices like training, motivational programs, career progressions, job rotation. While defining organization structure, organizations also define job description, roles and responsibilities. For successful implementation of EGIT, selecting the right blend of these components customised as required is most critical. The components also have the openness of integrating across various frameworks.

Designing a Tailored Governance System of COBIT 2019
Effective governance over information and technology is critical to business success. The design guide is a new offering that includes four steps to design a tailored governance system:
• Understand the enterprise context and strategy
• Determine the initial scope of the governance system
• Refine the scope of the governance system
• Conclude the governance system design

Stakeholders in Implementing EGIT
Board and executive management: Define enterprise use of I&T.
Business management/Business process owners: I&T-related goals for business value.
Chief information officer (CIO), IT management and IT process owners: Plan, build, deliver and monitor information and IT.
Risk, compliance and legal experts: Risks are identified, assessed and mitigated.
Internal audit: Value delivery and risk mitigation.



Using Systematic Approach for Implementing EGIT
Implementing an EGIT project within an enterprise with specific phases, tasks and activities, roles and responsibilities, and deliverables of each of these phases. One of the key components of EGIT implementation is “Culture, ethics and behavior”. This is set by the tone at the top with the senior management.
Phase 1: Establish the Desire to Change
Current pain points and trigger events can provide a good foundation for establishing the desire to change. The ‘wake-up call’, an initial communication on the programme, can be related to real-world issues that the enterprise may be experiencing.
Phase 2: Form an Effective Implementation Team
Assembling the right core implementation team includes involving the appropriate areas from business and IT as well as the knowledge and expertise, experience, credibility, and authority of team members. The essence of the team should be a commitment to:
• A clear vision of success and ambitious goals
• Engaging the best in all team members, all the time
• Clarity and transparency of team processes & accountabilities
• Integrity, mutual support and commitment to each other’s success
• Mutual accountability and collective responsibility
• Measurement of its own performance & the way it behaves as a team
Phase 3: Communicate Desired Vision
The communication should include the rationale for and benefits of the change, as well as the impacts of not making the change (purpose), the vision (picture), the road map to achieving the vision (plan) and the involvement required of the various stakeholders (part). Senior management should deliver key messages (such as the desired vision).
Phase 4: Empower Role Players and Identify Quick Wins
Change response plans are developed to empower various role players. The scope includes:
• Organisational design changes.
• Operational changes.
• People management changes such as training and reward systems.
Visible and unambiguous quick wins can build momentum and credibility for the programme. It is imperative to use a participative approach in the design and building of the core improvements. By engaging those impacted by the change in the actual design, buy-in can be increased.
Phase 5: Enable Operation and Use
As initiatives are implemented within the core implementation life cycle, the change response plans are implemented. It is important to balance group and individual interventions to increase buy-in and engagement and to ensure that all stakeholders obtain a holistic view of the change.
Phase 6: Embed New Approaches
As concrete results are achieved, new ways of working should become part of the enterprise’s culture and rooted in its norms and values (‘the way we do things around here’).
Phase 7: Sustain
Changes are sustained through conscious reinforcement and an ongoing communication campaign, and they are maintained and demonstrated by continued top management commitment. Corrective action plans are implemented, lessons learned are captured and knowledge is shared with the broader enterprise.
Implementing EGIT in Specific Areas

Strategic Alignment of IT with Business
Ensure that IT goals are aligned with the enterprise goals, that process goals are set for the IT goals and that metrics are designed for these. Alignment of the IT strategy with the organizational strategy tells us whether IT adds value to the organization or not.
Objective of IT Strategy: Alignment of the strategic IT plans with the business objectives is done by clearly communicating the objectives and associated accountabilities.

Aligning IT Strategy with Enterprise Strategy
Understand enterprise direction: Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider the external environment.
Assess the current environment, capabilities and performance: Assess current internal business and IT capabilities and external IT services; develop an understanding of the enterprise architecture.
Define the target IT capabilities: Assessment of the current business process and IT environment and issues; consideration of best practices and validated emerging technologies.
Conduct a gap analysis: Identify the gaps between the current and target environments and consider the alignment of assets with business outcomes.
Define the strategic plan and road map: In cooperation with relevant stakeholders, define how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. IT should define the initiatives that will be required to close the gaps, the sourcing strategy, and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
Communicate the IT strategy and direction: To appropriate stakeholders and users throughout the enterprise.

Value Optimization
Achieved by ensuring optimization of the value contribution to the business from the business processes, IT services and IT assets. Implementing this process ensures that the enterprise is able to secure optimal value from I&T-enabled initiatives and services. Success of the process of ensuring business value from use of I&T can be measured by evaluating the benefits realized from I&T-enabled investments and how transparency of IT costs, benefits and risk is implemented.
Metrics for value optimization: Percentage of I&T-enabled investments where claimed benefits met or exceeded, etc.

Resource Optimization
The primary objective of implementing this process is to ensure that the resource needs of the enterprise are met in the most optimal manner, I&T costs are optimised, and there is an increased likelihood of benefit realization and readiness for future change.

Sourcing Processes
Sourcing is managed through suppliers and appropriate service agreements.
Manage service agreements: Align IT-enabled services and service levels with enterprise needs and expectations.
Manage suppliers: Ensure that IT-related services provided by all types of suppliers meet enterprise requirements.
Outsourcing
• IT is one of the key areas which is outsourced in part or in totality depending on the criticality of the processes.
• Some of the important tools which are used to manage and monitor IT service providers are performance targets, service level agreements (SLAs), and scorecards.
• It is critical to note that senior management cannot abdicate its ultimate responsibility for IT service delivery just because it has been outsourced, as the responsibility for compliance and ensuring performance vests with the enterprise.

Capacity Management & Growth Planning Processes
Capacity management is the process of planning, sizing and continuously optimising IS capacity in order to meet long and short-term business goals in a cost effective and timely manner. The capacity management or configuration management process is used in order to assess the effectiveness and efficiency of the IS operations.
Capacity includes:
• Storage space
• Network throughput
• Human resources
• Electronic messaging
• Customer Relationship Management
• Quantum of data processed
Benefits of good capacity management:
• Enhanced customer satisfaction
• Better justification of spending

Capex and Opex
Use of IT through outside vendors reduces capital expenditure but increases revenue expenditure. Capex stands for Capital Expenditures and is the money spent on generating physical assets. Opex stands for Operating Expenditures and refers to day to day expenses required to maintain physical assets. Capex is what needs to be avoided, while Opex is something to be kept under tight control.



CHAPTER 4: PERFORMANCE MANAGEMENT SYSTEMS
The Governance processes of ISO 38500 and COBIT 2019 primarily focus on “Evaluate, Direct and Monitor”.
The ‘direct’ function provides what is expected from management; the ‘monitor’ function focuses on whether what was expected has been achieved or not. The challenge is to ‘evaluate’ what is actually achieved and validate whether it is as per set objectives. This helps to make a realistic assessment of what was achieved, what the gaps are and how to monitor the performance not only on a reactive but also on a proactive basis. Performance measurement can be implemented by use of relevant governance and performance frameworks such as balanced scorecards, maturity models, and quality systems.
Performance Measurement
Process of collecting, analysing and/or reporting information regarding the performance of an individual, group, organization, system or component. In developing a performance measurement system, identify the enterprise goals and then obtain an understanding of the connection between the entity’s mission, vision and strategies and its operating environment.
Phases of performance measurement system:
• Plan, establish & update performance measures
• Establish the accountability
• Collect & analyse data
• Report on performance information
• Take corrective action

Performance Measurement System
A performance management system assesses performance against goals by setting the right key goal indicators and key process indicators. Performance is evaluated at various levels such as: at organization level against goals and objectives; at resource level against set performance goals by defining key performance indicators (KPI); at risk level based on key risk indicators (KRI). There are two approaches:
• Proactive approach: management provides assurance on achieving goals by implementing best practices and using lead indicators.
• Reactive approach: achievements are compared with goals using lag indicators.

Goal Setting
Goal setting is the first pre-requisite of performance management. At a macro level, the Board of directors sets the enterprise direction and goals to be achieved. These are the overall enterprise goals, set from a top-down or bottom-up approach or a combination of these two. Once goals are set, top-level goals need to be allocated to function/business units and specific goals set for each of them. From a governance perspective, the enterprise goals will have to be shared with the IT department, which will prepare the IT strategy in alignment with the enterprise strategy. These IT goals facilitate achievement of enterprise goals.
Two types of goals
Outcome goals: • Evaluated through key goal indicators (KGI). • Also called lag indicators. • Measurement of achievement is after the event or period.
Performance goals: • Evaluated through key performance indicators (KPI). • Also called lead indicators. • Measure the performance.

Goal Setting and Stakeholder Needs: EGIT is very helpful for three reasons:
• Needs influence priorities of EGIT, for example, focus on cost reduction, compliance or launching a new business product.
• Needs and objectives focus where attention goes when improving EGIT.
• Better forward planning of opportunities to add value to the enterprise.

Category of Enterprise Goal
Strategic: High-level goals, aligned with and supporting the enterprise’s mission or vision.
Operational: Effectiveness and efficiency of the enterprise’s operations, including performance and profitability goals, which vary based on management’s choices about structure and performance.
Reporting: The effectiveness of the enterprise’s reporting, including internal and external reporting and involving financial or non-financial information.
Compliance: The enterprise’s compliance with applicable laws and regulations.
Enterprise goals are set by the board of directors based on the strategy and objectives. These need to be customised by selecting what is relevant for the enterprise and adding specific dates, values and numbers to the identified goals.

Enterprise and Alignment Goals
Enterprise and alignment goals are used as the basis for setting IT objectives & establishing a performance measurement framework. COBIT 2019 provides structures for defining goals at three levels: for the enterprise, for IT overall, for IT processes. These need to be customised by selecting what is relevant for the enterprise and adding specific dates, values and numbers to the identified goals.
Alignment goals:
• AG01: I&T compliance and support for business compliance with external laws and regulations
• AG02: Managed I&T-related risk
• AG03: Realized benefits from I&T-enabled investments and services portfolio
• AG04: Quality of technology-related financial information
• AG05: Delivery of I&T services in line with business requirements
• AG06: Agility to turn business requirements into operational solutions
• AG07: Security of information, processing infrastructure and applications, and privacy
• AG08: Enabling and supporting business processes by integrating applications and technology
• AG09: Delivering programs on time, on budget and meeting requirements and quality standards
• AG10: Quality of I&T management information
• AG11: I&T compliance with internal policies
• AG12: Competent and motivated staff with mutual understanding of technology and business
• AG13: Knowledge, expertise and initiatives for business innovation
Enterprise goals include:
• EG01: Portfolio of competitive products and services
• EG02: Managed business risk
• EG03: Compliance with external laws and regulations
• EG04: Quality of financial information
• EG05: Customer-oriented service culture
• EG06: Business service continuity and availability
• EG07: Quality of management information
• EG08: Optimization of business process functionality
• EG09: Optimization of business process costs
• EG10: Staff skills, motivation and productivity
• EG11: Compliance with internal policies
• EG12: Managed digital transformation programs
• EG13: Product and business innovation
Requirements for Measures: Measures and performance information need to be linked to strategic management processes.
Benefits
• Early warning indicator of problems and the effectiveness of corrective action.
• Input to resource allocation and planning.
• Provides periodic feedback to employees, customers and stakeholders about the quality, quantity, cost and timeliness of products.
• Most important benefit: it builds a common results language among all decision makers.
It is important to make a distinction between outcome measures and performance drivers. Outcome measures indicate whether goals have been met.
Performance Measurement Processes / Indicators
What cannot be measured cannot be improved; metrics e.g. financial measurement, benchmarking satisfaction of customers. Performance measurement is used to:
• Manage products
• Assure accountability
• Budgeting decisions
• Optimise performance, i.e. improve the productivity without making unnecessary added investments
Examples of Performance Measures
• Better use of communications bandwidth and computing power
• Lower number of non-compliances with prescribed processes reported
• Better cost and efficiency of the process
• Lower number of complaints made by stakeholders
• Better quality and increased innovation etc.
• Lower number of errors and rework
• Improved staff productivity
Measures Defined: metrics are defined at three levels:
Enterprise: Define the organizational context and objectives and how to measure them.
Alignment: Define what the business expects from IT and how to measure it.
Governance and management objectives and metrics: Define what the IT-related process must deliver to support IT’s objectives and how to measure it.
Balanced Scorecard (BSC)
Defined by Robert S. Kaplan and David P. Norton, it focuses the energy of an organization into achieving strategic goals and objectives that are represented by key performance indicators (KPIs).
BSC has the following characteristics:
• Uses a common language at all levels of the organization.
• Provides a balance between financial and non-financial goals, internal and external influences, leading and lagging indicators.
BSC Perspectives
Financial Perspective ("To succeed financially, how should we appear to our shareholders?")
Whether a strategy is achieving bottom-line results. Financial metrics are classic lagging indicators. The more common ones are: Profitability, Revenue growth, Economic value added.
Customer Perspective ("To achieve our vision, how should we appear to our customers?")
Defines target customers and the value proposition it offers, whether it is efficiency (low price, high quality), innovation, or exquisite service.
• Customer satisfaction
• Customer loyalty
• Market share, "share of wallet"
Internal Process Perspective ("To satisfy our shareholders and customers, what business processes must we excel at?")
Delivering value to customers including product development, production, manufacturing, delivery, and service. Organizations may need to create brand new processes to meet goals outlined in the Customer perspective. Measures: patents pending, ratio of new products to total products, inventory turnover, stock-outs & zero defects, on-time deliveries.
Learning and Growth Perspective ("To achieve our vision, how will we sustain our ability to change and improve?")
Measures the internal resources needed to drive the other three perspectives, including employee skills and information technology.
• Employee satisfaction, turnover rate, absenteeism
• Training hours, leadership development programs
• Number of cross-trained employees, average years of service
BSC diagram: the four perspectives (Financial, Customer, Internal Business Processes, Learning and Growth) are arranged around Vision and Strategy; for each perspective the scorecard records Objectives, Measures, Targets and Initiatives.

Strategic Scorecard
Strategic Scorecard is a pragmatic and flexible tool that is designed to help boards to fulfil their responsibilities to contribute to and oversee strategy effectively. The enterprise governance framework helps understand the importance of both conformance and performance to the organization’s long-term success. What the scorecard does is to give the board a simple, but effective process that helps it to focus on the key strategic issues.
• Summarizes the key aspects of the environment in which an organization is operating
• Identifies the (key) strategic options that could have a material impact on the strategic direction of the organization and helps the board to determine which options will be developed further and implemented.
Strategic Position: • Micro environment • Threats from changes • Business position • Capabilities e.g. SWOT analysis • Stakeholders
Strategic Option: • Scope change e.g. area, product, market sector • Direction change e.g. high or low growth, price and quality offers
Strategic Implementation: • Project milestones and timelines • Pursue or abandon the plan etc.
Strategic Risk: • Informing the board on risks and how they are being managed • Measurement of risks • Internal controls

CHAPTER 5: BUSINESS CONTINUITY MANAGEMENT
A Business Continuity Plan outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade.

Definitions of Key Terms

1. Business Continuity Planning
Process of developing prior arrangements and procedures that enable an organisation to respond to an event in a manner that critical business functions can continue within a planned level of disruption. The end result of the planning is called a Business Continuity Plan.

2. Crisis:
Abnormal situation which threatens the operations, staff, customers or reputation of the organisation.

3. Disaster:
Physical event which interrupts business processes sufficiently to threaten the viability of the organisation.

4. Emergency Management Team (EMT):
Comprising executives at all levels including IT, the EMT is vested with the responsibility of commanding the resources which are required to recover the enterprise's operations.

5. Incident:
Event that has the capacity to lead to loss of or a disruption to an organisation's operations, services, or functions.

6. Incident Management Plan:
Documented plan of action covering the key personnel, resources, services and actions needed to implement the incident management process.

7. Minimum Business Continuity Objective
Minimum level of services and/or products that is acceptable to an organisation during an incident, emergency or disaster.

8. Maximum Acceptable Outage (MAO):
Time frame during which a recovery must become effective before an outage compromises the ability of an organisation. MAO is also known as maximum tolerable outage (MTO), maximum downtime (MD), Maximum Tolerable Period of Disruption (MTPD).

9. Recovery Point Objective (RPO):
• RPO is a measure of how much data loss due to a node failure is acceptable to the business. A large RPO means that the business can tolerate a great deal of lost data. Depending on the environment, the loss of data could have a significant impact.

10. Service Delivery Objective (SDO)
Service Delivery Objective (SDO) is the level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.

11. Recovery Time Objective (RTO)
RTO is the measure of the user's tolerance to downtime. For example: a critical monitoring system must have a very low RTO or zero RTO. RTO may be measured in minutes or less.

Disaster Tolerance
• It indicates the tolerance level of an organisation to accept non-availability of IT facilities.
• High RTO/RPO ~ High Disaster Tolerance
• Low RTO/RPO ~ Low Disaster Tolerance

Some examples of RPO and RTO
• A stock exchange trading system must be restored very quickly and cannot afford to lose any data. Since the price of the next trade depends upon the previous trade, the loss of a trade will make all subsequent transactions wrong. In this case, the RTO may be measured as a few minutes or less, but the RPO must be zero.
• A critical monitoring system such as those used by power grids, nuclear facilities, or hospitals for monitoring patients must have a very small RTO, but the RPO may be large.
• A Web-based online ordering system must have an RPO close to zero (the company does not wish to lose any sales or, even worse, acknowledge a sale to a customer and then not deliver the product). However, if shipping and billing are delayed by even a day, there is often no serious consequence, thus relaxing the RTO for this part of the application.
• A bank's ATM system is even less critical. If an ATM is down, the customer, although aggravated, will find another one. If an ATM transaction is lost, a customer's account may be inaccurate until the next day when the ATM logs are used to verify and adjust customer accounts. Thus, neither RPO nor RTO need to be small.

12. Resilience:
The ability of an organisation to resist being affected by the incident.

13. Risk:
The combination of the probability of an event and its consequence.

14. Vulnerability:
The degree to which a person, asset, process, information, infrastructure or other resources are exposed to the actions or effects of a risk, event or other occurrence.

Key concepts of Disaster Recovery, Business Continuity Plan and Business Continuity Management

Contingency Plan
An organisation's ability to withstand losses caused by unexpected events depends on proper planning and execution of such plans. Its main goal is to restore normal modes of operation with minimal cost and minimal disruption to normal business activities after an unexpected event. It should ideally ensure continuous information systems availability despite unexpected events.

1. Components of Contingency Planning
I. Business Impact Analysis (BIA)
The steps involved in impact analysis are risk evaluation, defining critical functions in the organisation, identifying critical facilities required for providing recovery of the critical functions and their interdependencies, and finally setting priorities for all critical business applications which need to be recovered within defined timelines.
II. Incident Response Plan (IR plan)
The IR Plan includes tasks like incident planning, incident detection, incident reaction, incident recovery etc. The Incident Response plan gives an entity a set of procedures and guidelines that is needed by the entity to handle an incident.
III. Business Continuity Plan (BCP)
The BC Plan includes tasks like establishing continuity strategies, planning for continuity of critical operations, continuity management etc. Business Continuity Plans on a whole are about re-establishing existing business processes and functions, communications with the business contacts and resuming business processes at the primary business location.
IV. Disaster Recovery Plan (DRP)
The Disaster Recovery Plan is the set of plans which are to be executed initially at the moment of crisis. There are three basic strategies that encompass a disaster recovery plan: preventive measures, detective measures, and corrective measures.
a. Preventive measures
Preventive measures will try to prevent a disaster from occurring. These measures may include keeping data backed up and off site, using surge protectors, installing generators and conducting routine inspections.
b. Detective measures
Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. These measures include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software.
c. Corrective measures
Corrective measures are aimed to restore a system after a disaster or other unwanted event takes place.

2. Business Continuity Plan vs. Disaster Recovery Plan
The primary objective of a Business Continuity Plan is to ensure that mission critical functions and operations are recovered and made operational in an acceptable time frame. The DRP is to re-establish the primary site into operation with respect to all business processes of the organisation facing the disaster.

3. Business Continuity Management
BCM is a holistic process that identifies potential threats and the impacts on normal business operations should those threats actualize. BCM provides a framework to develop and build the organisation's resilience with the capability for an effective response. The purpose of BCM is to minimize the operational, financial, legal, reputational and other material consequences arising from a disruption due to an undesired event (Basel Committee on Banking Supervision, 2005), minimizing losses and restoring normal, regular operations in the shortest possible time.



Objectives of BCP and BCM

Objectives of Business Continuity Plan
Key objectives of BCP are:
• Manage the risks
• Minimize the risks in the recovery process.
• Reduce the time taken to recover
• Reduce costs involved in reviving
The pre-requisites in developing a Business Continuity Plan (BCP) include planning for all phases & making it part of the business process.

Objectives of Business Continuity Management (BCM)
• Reduce the likelihood of a disruption occurring that affects the business through a risk management process.
• Enhance the organisation's ability to recover following a disruption to normal operating conditions.
• Minimize the impact of that disruption, should it occur.
• Protect staff and their welfare and ensure staff know their roles and responsibilities.
• Tackle potential failures within the organisation's I.S. environment
• Protect the business.
• Preserve and maintain relationships with customers.
• Mitigate negative publicity.
• Safeguard the organisation's market share and/or competitive advantage.
• Protect the organisation's profits or revenue and avoid financial losses.

Need for BCM at Various Levels of I&T Environment
Disaster Recovery is an essential phase for critical IT resources. IT Infrastructure generally includes Servers, Workstations, Network and Communication, Operating system software, business application software, essential utility software, Data Centers, Support Desks, IT Personnel, Disks, Tapes etc. In this technologically driven world, IT Infrastructure has essentially become an integral part of an entity's anatomy. Mail Servers and communication lines like Internet, Phone and Fax are also essentially important components of the Infrastructure. It is therefore critical to get these components up and running for a successful recovery of the business. Therefore when critical industries like Banks, Insurance Companies, Stock Exchanges, Airline Companies, Railways, Multinational Companies, Government Agencies rely on IT Infrastructure for their daily operations, it is crucial to maintain BCM for such organisations. Software like the Core Banking Systems, SWIFT Financial Messaging Services, Airline Communication Services like AMADEUS, Stock Market Trading Applications, ERP Systems, e-commerce sites and many more are critical where no downtime is tolerated. These applications are used to conduct transactions worldwide and are run only on extensive IT Resources. BCM therefore is a much needed requirement for a quick recovery from a crisis to ensure survival of the business.

Need for BCM at Business Level
• Need to provide access to potentially millions of new customers.
• Need to ensure security, privacy and confidentiality.
• Need to integrate business processes onto the web.
• Need to integrate business partners into key business processes.
• Increased pressure on delivering quality customer service 24x7.
• Emerging pervasive computer devices.

Various Types of Disaster
BCM or BCP is all about planning in advance to meet future unforeseen events, which may fall into two major categories:
1. Natural Disasters
Natural Disasters are those which are a result of natural environment factors. A natural disaster has its impact on the businesses that are present in the geographical area where the natural disaster has struck. Natural disasters are caused by natural events and include fire, earthquake, tsunami, typhoon, floods, tornado, lightning, blizzards, freezing temperatures, heavy snowfall, pandemic, severe hailstorms, volcano etc.
2. Man-Made Disasters
Man-made disasters are artificial disasters which arise due to the actions of human beings. Artificial disasters have their impact on the specific business entity in which they have occurred. Artificial disasters arising due to human beings include Terrorist Attack, Bomb Threat, Chemical Spills, Civil Disturbance, Electrical Failure, Fire, HVAC Failure, Water Leaks, Water Stoppage, Strikes, Hacker attacks, Viruses, Human Error, Loss of Telecommunications, Data Center outage, lost data, Corrupted data, Loss of Network services, Power failure, Prolonged equipment outage, UPS loss, generator loss and anything that diminishes or destroys normal data processing capabilities.

Phases of Disaster
1. Crisis Phase
The Crisis Phase is under the overall responsibility of the Incident Control Team (ICT). It comprises the first few hours after a disruptive event starts or the threat of such an event is first identified; and is caused by, for example:
• Ongoing physical damage to premises which may be life threatening, such as a fire; or
• Restricted access to premises, such as a police cordon after a bomb incident.
2. Emergency Response Phase
The Emergency Response Phase may last from a few minutes to a few hours after the disaster. During the Emergency Response Phase, the Business Continuity Team (BCT) will assess the situation; and decide if and when to activate the BCP.
3. Recovery Phase
The Recovery Phase may last from a few days to several months after a disaster and ends when normal operations can restart in the affected premises or replacement premises. During the recovery phase, essential operations will be restarted (this could be at temporary premises) by one or more recovery teams using the BCP; and the essential operations will continue in their recovery format until normal conditions are resumed.
4. Restoration Phase
This phase restores conditions to normal. During the restoration phase, any damage to the premises and facilities will be repaired.

Examples of Disaster
• Serious fire during working hours: All phases in full
• Serious fire outside working hours: All the phases, however, no staff and public evacuation
• Very minor fire during working hours: Crisis Phase only, staff and public evacuation but perhaps no removal of valuable objects, Fire Service summoned to deal with the fire
• Gas leak outside or during working hours, repaired after some hours: Only the emergency response phase is appropriate

Impact of Disaster
• Total destruction of the premises and its contents. For example as a result of a terrorist attack;
• Partial damage, preventing use of the premises. For example through flooding; or
• No actual physical damage to the premises but restricted access for a limited period, such as enforced evacuation due to the discovery nearby of an unexploded bomb.

Loss of Human Life
The extent of loss depends on the type and severity of the disaster. Protection of human life is of utmost importance and the overriding principle behind continuity plans.
Loss of productivity
When a system failure occurs, employees may be handicapped in performing their functions. This could result in productivity loss for the organisation.
Loss of revenue
For many organisations like banks, airlines, railways, stock brokers, the effect of even a relatively short breakdown may lead to huge revenue losses.
Loss of market share
In a competitive market, inability to provide services in time may cause loss of market share. For example, a prolonged non-availability of services from service providers, such as a Telecom Company or Internet Service Provider, will cause customers to change to different service providers.
Loss of goodwill and customer services
In case of a prolonged or frequent service disruption, customers may lose confidence, resulting in loss of faith and goodwill.
Litigation
Laws, regulations and contractual obligations in the form of service level agreements govern the business operations. Failure in such compliance may lead the company to legal litigation and lawsuits.



Operating Teams of Contingency Planning
Contingency Planning Team:
This team collects data about information systems and threats, conducts business impact analysis, and creates contingency plans for incident response, disaster recovery and business continuity.
Incident Response Team:
This team manages/executes the IR plan & is the first team to arrive during the outbreak of an incident. If unsuccessful, it then summons the Disaster Recovery Team.
Disaster Recovery Team:
This team manages/executes the DR plan by detecting, evaluating and responding to disasters, and re-establishes primary site operations. It plays a role in reducing the impact of the disaster and executes the steps defined in the DR Plan to recover and protect resources that are being impacted by the disaster and to mitigate the disaster itself.
Business Continuity Team:
Manages/executes the BC plan by establishing off-site operations to ensure Business Continuity. The Business Continuity Team initiates those responses to the impacts that are being faced by the entity and would bring the entity back to its original level of business functioning.

Disaster Recovery Plan (DRP) Scope and Objectives
The DRP should inform the user about the primary focus of this document, like responding to disaster, restoring operations as quickly as possible and reducing the number of decisions which must be made when, and if, a disaster occurs. It should also inform about the responsibility to keep this document current. It should be approved by the appropriate authority. The objectives of this plan are to protect the organisation's computing resources and employees, to safeguard the vital records of Information Technology Systems and to guarantee the continued availability of essential Information Technology services. The plan represents a dynamic process that will be kept current through updates, testing, and reviews. As recommendations are completed or as new areas of concern are recognized, the plan will be revised to reflect the current IT and business environment. The IS Auditor has to review the process followed for preparation of the DRP, assess whether it meets the requirements of the organisation and provide recommendations on any areas of weakness identified.

Disaster Recovery Phases
1. Disaster Assessment:
The disaster assessment phase lasts from the inception of the disaster until it is under control and the extent of the damage can be assessed. Cooperation with emergency services personnel is critical.
2. Disaster recovery activation:
When the decision is made to move primary processing to another location, this phase begins. The Disaster Recovery Management Team will assemble and call upon team members to perform their assigned tasks. The most important function is to fully restore operations at a suitable location and resume normal functions. Once normal operations are established at the alternate location, Phase 2 is complete.
3. Alternate site operation
This phase involves continuing operations at the alternate location. In addition, the process of restoring the primary site will be performed.
4. Return to primary site:
This phase involves the reactivation of the primary site at either the original or possibly a new location.

Invoking a DR Phase / BCP Phase
Declaring of an incident/event is done by assigned personnel of management. Declaration of a disaster means:
Key Disaster Recovery Activities
1. Activating the recovery plan
2. Notifying team leaders
3. Notifying key management contacts
4. Redirecting information technology service to an alternate location
5. Securing a new location for the data centre
6. Ordering and configuring replacement equipment
7. Reconfiguring the network
8. Reinstalling software and data
9. Keeping management informed
10. Keeping users informed
11. Keeping the public informed

DRP
A DRP should contain information about the vital records, where they are stored, and who is in charge of each record. It contains information about what is stored offsite, such as: a current copy of this disaster recovery plan, copies of install disks etc.

Disaster Recovery Team

Disaster Recovery Management Team
General Responsibilities
Responsible for the overall coordination of the disaster recovery process from an Information Technology Systems perspective. The other team leaders report to this team during a disaster. In addition to their management activities, members of this team will have administrative, supply, transportation, and public relations responsibilities during a disaster. Each of these responsibilities should be headed by a member of the MGMT team.
General Activities
• Assess the damage and if necessary, declare a disaster
• Coordinate efforts of all teams
• Be the liaison to upper management

Administrative Team - Responsibilities
Hiring of temporary help or reassignment of other clerical personnel.
Procedures during All Phases:
• Process expense reports
• Account for the recovery costs
• Handle personnel problems

Supply Team - Responsibilities
Purchase of all needed supplies, including computing equipment and supplies, paper and pencils, and office furnishings.

Public Relations Team - Responsibilities
Will pass appropriate information to the public and to employees.

Management Team Call Checklist
Specify the contact information about the Team leader as well as team members, with the details on which functionality he/she can be contacted.
Technical Support Team Call Checklist

Hardware Team - Responsibilities
Acquire, configure and install servers and workstations.
Software Team - Responsibilities
Maintain the systems software at the alternate site and reconstruct the system software upon returning to the primary site.
Network Team - Responsibilities
Preparing for voice and data communications to the alternate location data centre and restoring voice and data communications.
Operations Team - Responsibilities
Daily operation of computer services and management of all backup tapes.

Facility Team
Salvage Team - Responsibilities
Minimizing the damage at the primary site, working with the insurance company for settlement of all claims, and determining what equipment is salvageable. Also responsible for securing the disaster recovery data centre.
New Data Centre Team - Responsibilities
Locating the proper location for a new data centre and overseeing the construction of it. This includes the environmental and security controls for the room.
New Hardware Team - Responsibilities
Responsible for ordering replacement hardware for equipment damaged in the disaster and installing it in the new or rebuilt data centre.



DOCUMENTATION: BCP MANUAL AND BCM POLICY
All documents that form the BCM are to be subject to document control and record control processes. The following documents (representative only) are classified as being part of the business continuity management system:
• The business continuity policy;
• The business continuity management system;
• The business impact analysis report;
• The risk assessment report;
• The aims and objectives of each function;
• The activities undertaken by each function;
• The business continuity strategies;
• The overall and specific incident management plans;
To provide evidence of the effective operation of the BCM, records demonstrating the operation should be retained as per the policy of the organisation and as per applicable laws, if any. In this, a profile is developed by identifying resources required to support critical functions, which include hardware (mainframe, data and voice communication and personal computers), software (vendor supplied, in-house developed, etc.), documentation (user, procedures), outside support (public networks, DP services, etc.), facilities (office space, office equipment, etc.) and personnel for each business unit.

BCM Policy
It should consider all relevant standards, regulations and policies that have to be included or can be used as a benchmark. The objective of this policy is to provide a structure through which:
• Critical services and activities are identified.
• Plans will be developed to ensure continuity of key service delivery
• Invocation of incident management
• Incident Management Plans and BCP are subject to ongoing testing,
• Planning and management responsibility are assigned to members of the relevant senior management team.

BCP Manual
A BCP manual consists of the Business Continuity Plan and the Disaster Recovery Plan. The BCP Manual is expected to specify the responsibilities of the BCM team, whose mission is to establish appropriate BCP procedures to ensure the continuity of the organisation's critical business functions.

Elements of BCP Manual
1. Purpose of the plan:
Included in this section should be a summary description of the purpose of the manual.
2. Organisation of the manual:
Direction to the relevant section of the manual.
3. Disaster definitions
Four types of classification can generally be used:
Problem/Incident: No significant damage.
Minor disaster: Limited financial impact.
Major disaster: Significant impact and effect on outside clients.
Catastrophic disaster: Affects the organisation's "going concern" status.
4. Objectives of the plan:
The objectives of the manual should be clearly stated in the introductory section. Safety/security of all personnel: the paramount objective of a BCP is to ensure the safety and security of people. The safeguarding of assets/data is always a secondary objective.
5. Scope of the plan:
The scope of the plan must be clearly identified. Any limitations must be explained.
6. Plan approach / recovery strategy:
A step by step summary of the approach adopted by the plan should be presented. For ease of reference, it may be good to provide this overview by means of a schematic diagram.
7. Plan administration:
The introductory section should also identify the person or persons responsible for the business continuity plan manual, and the expected plan review cycles.
8. Plan management:
The management responsibilities and reporting channels to be observed during disaster recovery should be clearly established in advance.
9. Disaster notification and plan activation procedures:
The procedures represent the first steps to be followed when any disaster occurs.

DATA BACKUP, RETENTION AND RESTORATION PRACTICES
Back up Strategies
Dual recording of data
Under this strategy, two complete copies of the database are maintained. The databases are concurrently updated.
Periodic dumping of data
This strategy involves taking a periodic dump of all or part of the database. The database is saved at a point in time by copying it onto some backup storage medium – magnetic tape, removable disk, optical disk. The dump may be scheduled.
Logging input transactions
This works in conjunction with a periodic dump. In case of complete database failure, the last dump is loaded and the transactions which were logged since the last dump are reprocessed.
Logging changes to the data
This involves copying a record each time it is changed by an update action.
It is important to implement email and personal files backup policies. The data so transferred to the server will be backed up by the IT department as a part of their routine backup.

Types of Backup
When the back-ups are taken of the system and data together, they are called total system back-ups.
Full Backup
Captures all files on the disk.
Incremental Backup
An incremental backup captures files that were created or changed since the last backup, regardless of backup type.
Differential Backup
A differential backup stores files that have changed since the last full backup. Restoring from a differential backup is a two-step operation: restoring from the last full backup; and then restoring the appropriate differential backup.
Mirror Backup
A mirror backup is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password.

Recovery Strategies
The recovery plan should identify a recovery team that will be responsible for working out the specifics of the recovery to be undertaken. The plan might also indicate which applications are to be recovered first. Periodically, they must review and practice executing their responsibilities so they are prepared should a disaster occur.

Strategies for Networked Systems
These vary depending on the type of network architecture and implementation. For example, LANs can be implemented in two main architectures:
LAN Systems
• Peer-to-Peer: Each node has equivalent capabilities and responsibilities. For example, five PCs can be networked through a hub to share data.
• Client/Server: Each node on the network is either a client or a server. A client can be a PC or a printer, where a client relies on a server for resources.
Listed below are some of the strategies for recovery of LANs:
1. Eliminating Single Points of Failure (SPOF):
The organisation should identify single points of failure that affect critical systems or processes outlined in the Risk Assessment. These single points of failure are to be eliminated by providing alternative or redundant equipment.
2. Redundant Cabling and Devices:
Contingency planning should also cover threats to the cabling system, such as cable cuts, electromagnetic and radio-frequency interference, and damage resulting from fire, water, and other hazards. As a solution, redundant cables may be installed when appropriate.
3. Remote Access
Remote access is a service provided by servers and devices on the LAN. Remote access provides a convenience for users working off-site or allows for a means for servers and devices to communicate between sites.
Wireless LANs
Wireless networks do not require the cabling infrastructure; they broadcast the data over a radio signal, enabling the data to be intercepted. Security controls, such as data encryption, should be implemented.
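The three backup types described above (full, incremental, differential) and the restore chain each one implies, as an added example that is not from the chartbook: a small Python simulation over a constructed set of files, which also shows the data written after the last backup that any restore loses (the RPO exposure). The class and function names (BackupSet, demo) and the sample files are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Backup:
    kind: str              # "full", "incremental" or "differential"
    files: dict[str, str]  # files captured by this backup: name -> content


def changed_since(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Files that are new or whose content differs from the baseline.
    (Deleted files are not modelled, to keep the simulation short.)"""
    return {name: data for name, data in current.items() if baseline.get(name) != data}


class BackupSet:
    """A sequence of backups plus the two reference points the chartbook
    names: the disk as of the last full backup, and as of the last backup
    of any type.  Assumed helper for this example, not a real backup tool."""

    def __init__(self) -> None:
        self.backups: list[Backup] = []
        self._at_last_full: dict[str, str] = {}
        self._at_last_any: dict[str, str] = {}

    def run(self, kind: str, disk: dict[str, str]) -> Backup:
        if kind == "full":                 # captures all files on the disk
            captured = dict(disk)
            self._at_last_full = dict(disk)
        elif kind == "incremental":        # changed since the last backup, of any type
            captured = changed_since(self._at_last_any, disk)
        elif kind == "differential":       # changed since the last full backup
            captured = changed_since(self._at_last_full, disk)
        else:
            raise ValueError(f"unknown backup type: {kind}")
        self._at_last_any = dict(disk)
        backup = Backup(kind, captured)
        self.backups.append(backup)
        return backup

    def restore_chain(self) -> list[Backup]:
        """Backups to apply, in order, to rebuild the latest backed-up state.
        Differential: last full + the latest differential (two steps).
        Incremental:  last full + every incremental taken since it."""
        fulls = [i for i, b in enumerate(self.backups) if b.kind == "full"]
        if not fulls:
            raise RuntimeError("no full backup to restore from")
        start = fulls[-1]
        chain = [self.backups[start]]
        diffs = [i for i in range(start + 1, len(self.backups))
                 if self.backups[i].kind == "differential"]
        if diffs:                          # the newest differential supersedes older ones
            start = diffs[-1]
            chain.append(self.backups[start])
        # incrementals after that point each cover the gap since the previous backup
        chain.extend(b for b in self.backups[start + 1:] if b.kind == "incremental")
        return chain

    def restore(self) -> dict[str, str]:
        state: dict[str, str] = {}
        for backup in self.restore_chain():
            state.update(backup.files)     # later backups overwrite earlier copies
        return state


def demo(strategy: str) -> dict:
    """Run the same week of changes under one strategy ("incremental" or
    "differential") and report the restore chain, what each backup captured,
    the restored state, and the data lost when the disk fails before the
    next backup (the RPO exposure)."""
    disk = {"ledger.db": "v1", "config.ini": "v1"}       # constructed sample files
    backups = BackupSet()
    backups.run("full", disk)                             # Sunday: full backup
    disk["ledger.db"] = "v2"
    backups.run(strategy, disk)                           # Monday
    disk["config.ini"] = "v2"
    backups.run(strategy, disk)                           # Tuesday
    disk["ledger.db"] = "v3"
    backups.run(strategy, disk)                           # Wednesday
    disk["ledger.db"] = "v4"                              # Thursday: written, then the disk fails
    restored = backups.restore()
    return {
        "chain": [b.kind for b in backups.restore_chain()],
        "captured": [len(b.files) for b in backups.backups],
        "restored": restored,
        "lost": changed_since(restored, disk),
    }


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, demo(strategy))
```

Both strategies restore the same Wednesday state and lose the same Thursday write; they differ in the length of the restore chain and in how much each daily backup has to capture.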



Strategies for Distributed Systems
Distributed systems use the client-server model to make the application more accessible to users in different locations. e contingency strategies for distributed system re ect the system's reliance Nolan and WAN availability In addition, a
distributed system should consider WAN communication link redundancy and possibility of using Service Bureaus and Application Service Providers (ASPs).

Strategies for Data Communications Strategies for Voice


Communications
(i) Dial-up: (ii) Circuit extension: (iii) On-demand service (iv) Diversi cation of services: (v) Microwave communications: (vi) VSAT (Very Small Aperture (i) Cellular phone backup
Using Dial-up as a backup to is is by, where the from the carriers: e use of diverse services provides is could be used to: backup Terminal) based satellite Phones could also be used on an
normal leased or broadband commun icat ions Many carriers now offer the best solutions to the loss of communications from the communications: on-going basis and could be used to
communications lines from the remote sites on-demand services which a carrier central office. Diversity central office to the primary site, is technique could similarly be balance the load on the main PBX
remains the most popular can be directed to the provide the mechanisms can be achieved in a number of in case of breakage in the land used to back up the primary carrier switch.
means of backing up wide- primary site or the to switch communications manners, including: Use of more lines; backup communications service. e use of this technology (ii) Carrier call rerouting systems:
area network communications recovery site from the to the recovery site from than one carrier on a regular basis. from the central office to the requires VSAT terminals to be All calls to a given number can
in an emergency. Ideally, carrier’s central office. the primary site on client If the organisation uses two or more recovery center; or a backup installed at each remote location be rerouted to another number
the modems should be full noti cation. carriers, it will likely pay above link from a company controlled and at the recovery center if it does temporarily.
duplex modems. e half- the odds for its regular service communications center direct to not currently provide such a service.
duplex option will require two and require investment in some the recovery center.
telephone lines. additional equipment.

Types of Recovery and Alternative Sites


Traditional focus of BCP/DRP was the recovery of the corporate computer system, which was almost always a mainframe or large minicomputer. Mainframe centric disaster recovery plans often concentrated on replacing an inaccessible or non-functional mainframe with compatible hardware. Types of alternate processing sites are outlined along with some of the widely adopted strategies for centralized system recovery.

Cold Site
A cold site is the least expensive type of backup site for an organisation to operate. It does not include backed up copies of data and information from the original location of the organisation, nor does it include hardware already set up. The lack of hardware contributes to the minimal start-up costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.

Hot Site
A dedicated contingency center, or 'hot site', is a fully equipped computer facility with electrical power, heating, ventilation and air conditioning (HVAC) available for use in the event of a subscriber's computer outage. A hot site is a duplicate of the original site of the organisation. These facilities are available to a large number of subscribers on a membership basis and use of the site is on a 'first come, first served' basis.

Warm Site
A warm site is a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. An example would be backup tapes sent to the warm site by courier.

Mirror Site
The single most reliable system backup strategy is to have fully redundant systems, called an active recovery or mirror site. While most companies cannot afford to build and equip two identical data centers, those companies that can afford to do so have the ability to recover from almost any disaster.

Alternate Recovery Site: Mobile Site
A mobile site is a vehicle ready with all necessary computer equipment, and it can be moved to any cold or warm site depending upon the need.

Offsite Data Protection
Data can also be sent electronically via a remote backup service, which is known as electronic vaulting or e-vaulting.

Data Vaults
Backups are stored in purpose-built vaults of three categories:
• Underground vaults
• Free-standing dedicated vaults
• Insulated chambers sharing facilities

Hybrid Onsite and Offsite Vaulting
Sometimes known as Hybrid Online Backup, it involves a combination of local backup for fast backup and restore, along with off-site backup for protection against local disasters. When storing data, either the backup software or a D2D2C (Disk to Disk to Cloud) appliance encrypts and transmits data to a service provider. Examples are cloud storage appliances from CTERA Networks, Naquin, StorSimple and Twin Strata.

CA Rajat Agrawal www.prokhata.com 33


Module : 2 - Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM Section CHAPTER 5: BUSINESS CONTINUITY MANAGEMENT
System Resiliency Tools and Techniques
Fault Tolerance
Fault-tolerance is the property that enables a system (often computer-based) to continue operating properly in the event of the failure of (or one or more faults within) some of its components. The basic characteristics of fault tolerance require:
1. No single point of failure.
2. No single point of repair.
3. Fault isolation to the failing component.
4. Fault containment to prevent propagation of the failure.
5. Availability of reversion modes.
Fault tolerant systems are characterized in terms of both planned service outages and unplanned service outages, usually measured at the application level and not just at a hardware level. A five nines system would therefore statistically provide 99.999% availability. A spare component addresses the first fundamental characteristic of fault-tolerance in three ways:
(i) Replication: Multiple identical instances of the same system or subsystem, directing requests to all of them in parallel, and choosing the correct result on the basis of a quorum;
(ii) Redundancy: Multiple identical instances of the same system, switching to a remaining instance in case of a failure (failover);
(iii) Diversity: Multiple different implementations of the same specification, using them like replicated systems to cope with errors in a specific implementation.

Redundant Array of Inexpensive Disks (RAID)
Provides fault tolerance and performance improvement via hardware and software solutions.
RAID levels: Levels 0, 1, and 5 are the most commonly found; RAID-1 and RAID-5 provide data redundancy.

Electronic vaulting:
Data is backed up to an offsite location. The data is backed up, generally, through a batch process and transferred through communication lines to a server at an alternate location.

Remote journaling:
A parallel processing of transactions to an alternate site, as opposed to a batch dump process like electronic vaulting. The alternate site is fully operational at all times and introduces a very high level of fault tolerance.

Database shadowing:
Live processing of remote journaling, but creates even more redundancy by duplicating the database sites to multiple servers.
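The three spare-component strategies above (replication with a quorum, redundancy with failover) and the RAID-5 idea of surviving one lost disk can be modelled in a few lines. The following is an added example written for this chartbook, not code from the course or from any product; the replicas, the constructed stripe of three data blocks and the five-nines downtime helper are all illustrative assumptions.

```python
"""Fault-tolerance mechanisms from the chapter, modelled as runnable Python (added example)."""
from collections import Counter
from typing import Callable, List, Optional, Sequence

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_per_year_minutes(availability: float) -> float:
    """Unplanned-outage budget implied by an availability figure (e.g. 0.99999 = five nines)."""
    return (1.0 - availability) * MINUTES_PER_YEAR


# (i) Replication: every replica receives the same request; the answer backed by a
# strict majority wins, so a single faulty replica is outvoted (fault containment).
def quorum_result(replicas: Sequence[Callable[[int], int]], request: int) -> Optional[int]:
    answers = [replica(request) for replica in replicas]
    value, votes = Counter(answers).most_common(1)[0]
    return value if votes * 2 > len(answers) else None  # None: no quorum reached


# (ii) Redundancy / failover: use the first healthy instance and isolate a failed one
# by skipping it, instead of letting its failure take the whole service down.
def failover(instances: Sequence[Callable[[int], int]], request: int) -> int:
    for instance in instances:
        try:
            return instance(request)
        except RuntimeError:
            continue  # fault isolated to the failing component
    raise RuntimeError("all instances failed: no reversion mode left")


# RAID-5 style redundancy: data blocks are striped and one XOR parity block is kept
# per stripe, so any single missing block (data or parity) can be rebuilt.
def parity_block(blocks: Sequence[bytes]) -> bytes:
    out = bytes(len(blocks[0]))
    for block in blocks:
        out = bytes(x ^ y for x, y in zip(out, block))
    return out


def rebuild_missing(stripe: List[Optional[bytes]], missing_index: int) -> bytes:
    """stripe = data blocks followed by their parity block; one entry is unavailable."""
    survivors = [b for i, b in enumerate(stripe) if i != missing_index]
    return parity_block(survivors)  # XOR of all survivors equals the lost block


if __name__ == "__main__":
    # Constructed stripe of three equal-sized data blocks plus parity.
    stripe = [b"abcd", b"1234", b"wxyz"]
    full = stripe + [parity_block(stripe)]
    print(rebuild_missing(full, 1))  # block 1 recovered from the other two plus parity
    print(downtime_per_year_minutes(0.99999))
```

The quorum function returns `None` rather than a guess when no majority exists, which is the honest answer for a three-replica system with two disagreeing faults; the RAID helper shows why RAID-5 tolerates exactly one lost disk per stripe and no more.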
Testing of BCP
1. Checklist test: Copies of the plan are distributed to each business unit's management. The plan is then reviewed to ensure that the plan addresses all procedures and critical areas of the organisation.
2. Structured walk through test: Representatives meet to walk through the plan. Each step of the plan is walked through in the meeting and marked as performed.
3. Simulation test: Simulation test is a mock practice session in response to a simulated disaster. The simulation may go to the point of relocating to the alternate backup but does not perform any actual recovery process.
4. Parallel test: Critical systems will actually run at the alternate processing backup site. Systems are relocated to the alternate site, parallel to the processing backup site, and the results of the transactions and other elements are compared. This is the most common type of disaster recovery plan testing.
5. Full interruption test: During a full interruption test, a disaster is replicated even to the point of ceasing normal production operations. The plan is implemented as if it were a real disaster, to the point of involving emergency services.
Documentation of results: Detailed documentation of observations, problems and resolutions should be maintained. Live tests especially could create a disaster if not planned properly because they use real people and real resources in real conditions.
BCP Audit and Regulatory Requirements
Role of IS Auditor in BCP Audit
The objective of BCP review is to assess the ability of the organisation to continue all critical operations during a contingency and recover from a disaster within the defined critical recovery time period. IS Auditor is expected to identify residual risks which are not identified and provide recommendations to mitigate them.

Regulatory Requirements
The business continuity plan audit should be programmed to cover the applicable laws, standards and frameworks etc. It is also necessary to understand whether the information technology related BCP/DRP arrangements are supporting the business compliance with external laws and regulations.

Regulatory Compliances of BCP
Basel Committee on E-Banking: The Basel Committee on E-Banking outlines the principles for electronic banking as; "Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services". The Committee underlines that banks should also ensure that periodic independent internal and/or external audits are conducted about business continuity and contingency planning. These requirements are spelt out in Appendix VI relating to "Sound Capacity, Business Continuity and Contingency Planning Practices for E-Banking".
Indian legislations: There are various Indian legislations such as the Information Technology Act, Indian Income Tax Act, Central Sales Tax Act, State VAT Acts, Services Tax Act, Central Excise Act etc. which require data retention for a specific number of years. Organisations which have to comply with these requirements have to ensure that they have a proper business continuity plan which meets these requirements.
Bank Audit: Long Form Audit Report contains two key points relating to business continuity and disaster recovery:
• Regular back-ups of accounts and off-site storage are maintained
• Adequate contingency and disaster recovery plans
ISO 22301:2019
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.
ISO 27031:2011
Describes the concepts and principles of information and communication technology (ICT) readiness for business continuity and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation). It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.
Services that can be Provided by an IS Auditor in BCM
1. Management Consultancy Services in providing guidance in drafting of a BCP/DRP.
2. Designing and implementing a BCP/DRP relevant to the organisation's nature and size; designing the phases for implementation of the BCP.
3. Designing Test Plans and Conducting Tests of the BCP/DRP.
4. Consultancy Services in revising and updating the BCP/DRP.
5. Conducting Pre-Implementation Audit, Post Implementation Audit, General Audit of the BCP/DRP.
6. Consultancy Services in Risk Assessment and Business Impact Analysis.
7. CAs can be involved in areas of BCP implementation; these areas could be pertaining to:
(a) Risk Assessment
(b) Business Impact Assessment
(c) Disaster Recovery Strategy Selection
(d) Business Continuity Plan Development
(e) Fast-track Business Continuity Development
(f) BCP / DRP Audit, Review and Health-check Services
(g) Development and Management of BCP / DRP Exercises and Rehearsals
(h) Media Management for Crisis Scenarios
(i) Business Continuity Training



CHAPTER 1 : PROJECT MANAGEMENT FOR SDLC MODULE : 3 - SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION
MODULE 3 - SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION AND MAINTENANCE, APPLICATION SYSTEM AUDIT
CHAPTER 1:
PROJECT MANAGEMENT FOR SDLC
Project Management for SDLC
Unless the proposed system becomes operational and the organization begins deriving benefit out of it, an SDLC project cannot be treated as complete. IS Auditor should ensure that appropriate controls are designed at the analysis and design stage.

Project Management Frameworks

Project is initiated once it is approved. Project management practices, tools and control frameworks make it possible to manage all the relevant aspects of a large project, like planning, scheduling, resource management, risk management, sizing and estimation of efforts, milestone achievements, quality, deliverables and budget monitoring.

Approaches for project management:
• Project Management Body of Knowledge (PMBOK®) version 6, IEEE standard, Project Management Institute (PMI)
• Projects in a Controlled Environment (PRINCE2™), Office of Government Commerce (OGC) in the UK

There are significant differences in scope, content and wording in each of these standards; each approach has its own pros and cons, and several elements are common. Some are focused on software development, others on a general approach; some focus on a holistic and systemic view, others are very detailed workflows including templates for document creation.

Capability Maturity Model Integration (CMMI): Process improvement approach that provides an enterprise with the essential elements of effective processes.

Instance view / Individual knowledge:
Level 0 Incomplete: Process is not implemented or fails to achieve its process purpose.
Level 1 Performed: Implemented process achieves its process purpose.
Level 2 Managed: Process is now implemented in a managed fashion; its work products are appropriately established, controlled and maintained.

Enterprise view / Corporate knowledge:
Level 3 Established: Previously described managed process is now implemented using a defined process capable of achieving its process outcomes.
Level 4 Predictable: Previously described process now operates within defined limits to achieve its process outcomes.
Level 5 Optimized: Previously described process is continuously improved to meet relevant current and projected business goals.

Key Concepts of Project Management


Project is a temporary activity undertaken to generate a defined outcome (like creating a service or product). Project is closed once the expected outcome is delivered or results are achieved, or if the project becomes technically or economically unviable.
Five major process groups:
Project initiation: Processes related to developing the project charter based on the scope of the project. In an SDLC project, it is the business case that helps in identifying beneficiaries and stakeholders of the project.
Project planning: Processes related to developing the project execution plan: finalizing requirements, defining work breakdown structure and modules, estimating efforts and cost, resource planning, risk management, procurement planning and the plan for communications with stakeholders.
Project execution: Processes related to directing project teams, ensuring quality assurance and testing, managing requirements and changes in requirements, ensuring timely procurements and managing resources.
Project monitoring and controlling: Processes related to monitoring risks, scope creeps, quality of deliverables, costs and budgets, and performance reporting.
Project closing: Handing over deliverables or terminating the project.
Program and Project Management and Organization

Portfolio/Program Management
Program is a group of projects and/or time-bound tasks that are linked together through common objectives. Programs have a limited time frame (start and end date), predetermined budget, defined deliverables/outcomes. Program is more complex than a project and many times consists of multiple projects.
Portfolio: Group of all projects/programs (related or unrelated) carried out in an organisation.

Project/program management office (PMO)
PMO governs the processes of project management but is not involved in management of project content. Includes management of: program scope, program financials (costs, resources, cash flow, etc.), schedules, objectives, context, communication, organization.

Organization Forms: depending upon the nature of business
Functional organization influenced by the projects: These are business organizations that are involved in production of goods and services. Projects are undertaken to support the functional activities. For example, a manufacturing organization may want to automate administrative processes (like finance, HR, payroll etc.) using IT. The Project Manager has only a staff function without formal management authority and is only allowed to advise peers and team members as to which activities should be completed.
Projectile organization: They execute projects. For example, an infrastructure development organization.
Matrix project organization: Most IT companies fall under such categories, where these organizations undertake projects to manage business functions for other organizations and also execute projects for customer organizations.
IS Auditor has to understand these organizational forms and their implications on controls in SDLC project management activities.



Portfolio, Program and Project
Portfolio (IT related development, IT services, procedure documentation, IT risk management, IT security management etc.)
  Program 1 (IT Security Management)
    Sub-Program 1.1 (IT Asset and Risk Management)
      Project 1.1.1 (IT Asset Management and classification automation using service manager)
      Project 1.1.1 (IT Risk Management Outsourced FPP)
    Project 1.1 (ISO 27001 accreditation)
  Program 2 (Application Management)
    Sub-Program 2.1 (Web based services development)
      Project 2.1.1 (Supplier web service application development - SDLC)
      Project 2.1.2 (Customer Access and help desk - Web based application - SDLC)
    Sub-Program 2.2 (ERP Implementation)
      Project 2.2.1 (Standard ERP configuration and pilot implementation at P1)
      Project 2.2.2 (ERP roll out at P2 to P5)
Project Initiation
Whenever stakeholders in the business or senior management decide to undertake computerization, a project will have to be initiated. For example:
• New business application to address a new or existing business process: HR management system, billing system, order processing.
• Adoption of a newly invented technology: Internet based advertising for an advertising company.
• Application software: computerization of college admissions.
• Migrating from a text-based computerized system to a GUI based system: old COBOL / XBASE based distributed banking to RDBMS based Core Banking system.
A project can be initiated from any part of the organization. A project is time bound, with specific start and end dates. A project sponsor and project manager are appointed to execute the further activities. The objectives are compiled into terms of reference or a project charter that states the objective of the project. Approval of a project initiation or project request is authorization for a project to begin.
Major activities:
Project initiation team: To complete the project initiation activities.
Relationship with customer: To build stronger customer partnerships and also a higher trust level.
Plan for project initiation: Define the scope of the project.
Management procedures: To achieve successful completion of the project.
Project workbook and project management environment: To organize and collect the tools that will be used for managing the project. The project workbook is derived from charts, diagrams and description of the system. It serves as a repository for all project deliverables, inputs, outputs, correspondence, procedures, and standards established by the project.
Standard process for project management: prepare a formal Project Initiation Report that is presented to Senior Management or Board of Directors. Once accepted, this becomes the formal charter for the project and triggers the next phases of SDLC.
Project Management Methodology
• IT projects are divisible into pre-defined phases.
• Begins with the project charter and ends with the closure of the project.
• Organizations may adopt standard processes prescribed by globally accepted standards developed by organizations like PMI.
• Organizations following a standard project management process have a higher possibility of completing projects in time, within budget and with deliverables meeting the expected quality.

Project Context and Environment
• Organization may be running several projects at the same time.
• Relationships between these projects have to be established to identify common objectives for the business.
• This is a function of project portfolio management, to help in consolidating common activities.
Context is based on:
• Importance of project deliverables to the organization's objectives.
• Relationship with other projects.
• Priority based on the business case.
• Start and end time of the project.

Project Communication and Culture
Success of a project depends upon timely communication with stakeholders and affected parties through:
• One-on-one meetings.
• Kick-off meetings.
• Project start workshops.
• Periodic reporting.
Project Manager develops and executes a communication plan so as to inform of issues and concerns, if any, and to report project progress.

Project Objectives
To deliver the defined outcome/deliverables/product in time, within budget and of desired quality. Measurement of success depends upon clearly defining results that are specific, measurable, attainable, realistic and timely (SMART).
Work breakdown structure (WBS): WBS is a tool used for organizing the project in terms of manageable and controllable units of work and forms the baseline for cost and resource planning.
Work packages (WP): Detailed specifications regarding the WBS can be used to develop work packages (WP). Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs.
Task list: A list of actions to be carried out to complete each work package, including assigned responsibilities and deadlines. Task lists, when merged together, form a project schedule.
Project schedules: Work documents containing the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on tasks.

Project Management Practices
• Many organizations prefer to adopt practices based on global standards/best practices, e.g. PMBOK, PRINCE2 etc.
• Successful project planning is a risk-based management process that is iterative in nature.
• Project management practices for SDLC projects also provide standards for systematic quantitative and qualitative approaches to software size estimating, scheduling, allocating resources and measuring productivity.
• Project management tools like MS Project can be adapted to implement techniques to assist the Project Manager in controlling the time and resources utilized during execution of the project.



Project Planning
To plan & control SDLC projects, Project Manager needs to determine:
• Various project tasks and management tasks to develop/acquire and implement the business application system.
• Order in which these tasks should be performed.
• Estimated duration for each task.
• Priority of each task.
• IT resources available, and when these resources are required in the project.
• Budget or costing for each of these tasks: notional for internal resources, monetary for outsourced projects.
There are some techniques like Gantt chart, Program Evaluation Review Technique (PERT), Critical Path Method (CPM) etc. that are useful in creating and monitoring the project plan.

Major activities:
• Measure the development efforts: different software sizing techniques.
• Identify resources, e.g. skilled people, development tools.
• Budgeting: Although the overall budget for the project has been allocated at a high level during business case development, Project Manager needs to prepare a granular budget for monitoring.
• Scheduling and establishing the time frame: when these resources are required in the project.
• Logical sequential & parallel task relationships, determining the earliest start date.
• Resource planning, arriving at the latest expected finish date.
• Schedules are presented using PERT and CPM diagrams and Gantt charts.
Project Controlling
New requirements for the project are documented and appropriate resources are allocated. Control of changes during a project ensures that projects are completed meeting stakeholder requirements.
Mid-term project review: IS Auditor focuses on project planning and controlling activities to ensure that these are not deviating from the primary objectives of the project.

Management of Scope - "Scope Creep"
Scope creep refers to an uncontrolled project scope due to continuous changes in project requirements. Scope creep is one of the major factors in the failure of a project. This can be controlled by:
• Baselining the requirements before project planning.
• Change management process: who can request a change, how a formal change request is made, what it should contain and the reasons for the change. For complex deliverables, it is best to document the work breakdown structure.
• The Project Manager then assesses the impact of the change request on project activities, schedule and budget.
• Change advisory board evaluates change requests and decides on approving changes.
• Once a change is accepted, Project Manager should update the project plan.
• Updated project plan must be formally confirmed by the Project Sponsor, accepting or rejecting the recommendation of the change advisory board.

Resource Management
Monitoring resource usage in project execution is the process to control budget and ensure that the cost plan is on track.
Earned Value Analysis: Earned Value Analysis (EVA) is the technique for projecting estimates at completion, comparing expected budget till date, actual cost, estimated completion date and actual completion at regular intervals during the project. It is a tool used to verify that deployed resources are capable of finishing a task within the set time limit and with the expected quality level.
Illustration: an 8-hour task spread over Day 1 and Day 2. At the end of day 1, the earned value (time remaining to complete the task) is read as follows:
• Less than 8 hours remaining: resource might be idle.
• 8 hours remaining: projection on track.
• More than 8 hours remaining: project might be delayed.

Project Risk Management Standards and Methods
PMBOK of PMI specifies the following activities for the Project Manager:
Project Planning Phase: Plan Risk Management, Identify Risks, Qualitative Analysis of Risks, Quantitative Analysis of Risks, Plan Risk Response.
Project Monitoring Phase: Control Risks.
Risk in Project Management: Two main categories of project risk: risk that impacts the business benefits (the project sponsor is responsible for mitigating it) and risk that impacts the project itself (the Project Manager is responsible).
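The earned value figures described under Resource Management, worked through as an added example (this is not code from the chartbook or from any project management tool). It assumes the standard EVA quantities planned value (PV), earned value (EV), actual cost (AC) and budget at completion (BAC), derives the cost and schedule indices and the estimate at completion from them, and encodes the 8-hour task reading above as a separate check; the project numbers in the usage are constructed.

```python
"""Earned value analysis (EVA) status check for a project (added example)."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class EarnedValue:
    bac: float  # budget at completion: total planned cost of the project
    pv: float   # planned value: budgeted cost of the work scheduled to date
    ev: float   # earned value: budgeted cost of the work actually performed
    ac: float   # actual cost of the work performed to date

    def cost_variance(self) -> float:
        return self.ev - self.ac          # negative: spending more than earned

    def schedule_variance(self) -> float:
        return self.ev - self.pv          # negative: behind the plan

    def cpi(self) -> float:
        return self.ev / self.ac          # cost performance index, 1.0 = on budget

    def spi(self) -> float:
        return self.ev / self.pv          # schedule performance index, 1.0 = on schedule

    def estimate_at_completion(self) -> float:
        # Projects the final cost assuming the observed cost efficiency continues.
        return self.bac / self.cpi()

    def status(self) -> Dict[str, str]:
        """Plain-language reading a project manager or auditor would report."""
        return {
            "cost": "over budget" if self.cpi() < 1 else "within budget",
            "schedule": "behind schedule" if self.spi() < 1 else "on or ahead of schedule",
        }


def task_projection(remaining_hours: float, planned_remaining_hours: float = 8.0) -> str:
    """The day-1 reading for the 8-hour task in the chapter's diagram."""
    if remaining_hours < planned_remaining_hours:
        return "resource might be idle"
    if remaining_hours == planned_remaining_hours:
        return "projection on track"
    return "project might be delayed"


if __name__ == "__main__":
    # Constructed mid-project snapshot: 40% of the work was scheduled, 30% is done,
    # and that 30% has cost 36,000 against a 100,000 budget.
    snapshot = EarnedValue(bac=100_000, pv=40_000, ev=30_000, ac=36_000)
    print(snapshot.status(), round(snapshot.estimate_at_completion()))
    print(task_projection(10))
```

A CPI below 1 is the signal an auditor looks for in a mid-term review: the estimate at completion grows in proportion, here from 100,000 to 120,000, long before the budget is actually exhausted.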

Project Risk
Based on impact:
• Business benefits: Project sponsor is responsible to mitigate.
• Project itself: Project manager is responsible.

Risk Management Process
Identify Risk: Brainstorming session with your team; create an inventory of possible risks.
Assess and Evaluate Risk: Quantify the likelihood as a percentage and the impact of the risk as an amount. The "insurance policy" (total impact) that needs to be in the project budget is calculated as the risk likelihood multiplied by the impact.
Manage Risk: The more important the risk, the more budget should be made available for counter-measures. Risk can be mitigated, avoided, transferred or accepted depending on its severity, likelihood and cost of counter-measures and the organization's policy.
Monitor Risk: Watch for risk that materializes, and act accordingly.
Evaluate the Risk Management Process: Review and evaluate the effectiveness and costs of the Risk Management Process.
IS Auditor has to focus on the Risk Management Process as it provides detailed insight on the effectiveness of Project Management.
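The assess, budget and treat steps of the process above, as an added example that is not part of the chartbook: each risk carries a likelihood and an impact, the per-risk "insurance policy" is likelihood times impact, the inventory is ranked so the most important risk gets budget first, and a treatment (mitigate, transfer, avoid or accept) is chosen. The decision rule, its 50% likelihood threshold and the four constructed risks are assumptions made for the illustration, not a rule from PMBOK or the course.

```python
"""Project risk inventory: exposure budgeting and risk treatment (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    likelihood: float            # probability as a fraction (0.25 means 25%)
    impact: float                # loss if the risk materializes, in currency units
    counter_measure_cost: float  # cost of the planned mitigation
    transferable: bool = False   # can it be insured or shifted by contract?

    def exposure(self) -> float:
        """The 'insurance policy' amount for this risk: likelihood x impact."""
        return self.likelihood * self.impact


def treatment(risk: Risk, severity_threshold: float = 0.5) -> str:
    """Pick a treatment. The rule is an assumption of this example:
    mitigate when the counter-measure is cheaper than the exposure it removes;
    otherwise transfer if possible; otherwise avoid likely risks and accept the rest."""
    if risk.counter_measure_cost < risk.exposure():
        return "mitigate"
    if risk.transferable:
        return "transfer"
    if risk.likelihood >= severity_threshold:
        return "avoid"
    return "accept"


def ranked(risks: List[Risk]) -> List[Risk]:
    """Most important (highest exposure) first, so budget is allocated in that order."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def risk_budget(risks: List[Risk]) -> float:
    """Total insurance policy the project budget should carry for the inventory."""
    return sum(r.exposure() for r in risks)


def treatment_plan(risks: List[Risk]) -> List[tuple]:
    return [(r.name, round(r.exposure(), 2), treatment(r)) for r in ranked(risks)]


# Constructed inventory for an SDLC project (illustrative values only).
SAMPLE_RISKS = [
    Risk("Key developer leaves", 0.20, 50_000, counter_measure_cost=5_000),
    Risk("Data center flood", 0.05, 400_000, counter_measure_cost=60_000, transferable=True),
    Risk("Vendor delays delivery", 0.60, 20_000, counter_measure_cost=15_000),
    Risk("Minor UI rework", 0.30, 4_000, counter_measure_cost=3_000),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(row)
    print("risk budget:", risk_budget(SAMPLE_RISKS))
```

Ranking by exposure rather than by impact alone is what keeps a rare catastrophe and a frequent nuisance comparable; an auditor reviewing the process would expect to see both the likelihood and the impact recorded for each entry, not just a severity label.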

Project Closing
Projects should be formally closed to provide accurate information on project results, improve future projects and allow an orderly release of project resources. Project closure is to be planned in two situations:
Project deliverables are completed:
1. Project Sponsor should be satisfied that the system produced is acceptable.
2. Custody of contracts may need to be assigned.
3. Survey the project team, development team and users to identify any lessons learned that can be applied to future projects.
4. Achievement of objectives; adherence to the schedule, costs, and quality of the project.
5. Post project review in which lessons are learned.
6. Release of project teams.
Project is suffering from risk materialization and has to be terminated: changes in functional requirements, obsolescence of planned technology, availability of new technology, unforeseen budget constraints, strategy changes etc. Closure is planned depending upon the status of the project.
IS Auditor conducting a review after project closure checks: objectives achieved, time overrun, cost overrun, quality of deliverables.



Roles and responsibilities
Steering Committee
Provides overall direction and monitors the project execution. Responsible for all deliverables, project costs and schedules. Comprises senior representatives having authority for decision making. Project Sponsor will chair the steering committee. The Project Manager is a member of the steering committee.
Role of Project Steering Committee:
• Reviews project progress periodically.
• Serves as co-ordinator and advisor to the project.
• Takes corrective action based on reviews.
• Takes decision on, and if required recommends, the project be halted or discontinued.

Project Sponsor
Provides funding and assumes overall ownership and accountability of the project.

Project Manager
Identified and appointed by the IS steering committee. Complete operational control over the project. Primary functions of the project manager are:
• Day-to-day management.
• Ensure expected quality.
• Resolve conflicts.
• Delivery of the project within the time and budget.

Senior Management
Demonstrates commitment to the project and approves the necessary resources to complete the project. Senior management representative is appointed by the steering committee.

Business Management
Assumes ownership of the project and the resulting system; allocates qualified representatives who actively participate in business process redesign, system requirements definition, test case development, acceptance testing and user training. The Business Management is concerned with questions like:
• Are the required functions available in the software?
• How reliable & efficient is the software?
• Is it possible to add new functions?
• Does it meet regulatory requirements? etc.

Systems Development Project Team
Consists of System Analysts, Developers, Testing Professionals, Control Consultants (IS Auditor), Hardware and Network Consultants. They complete the assigned tasks, communicate effectively with users, and advise the Project Manager of necessary project plan deviations.

Business Function Representatives/Domain Specialists
Consists of Subject Matter Experts (SME) that provide inputs to developers and system analysts on requirements and business related controls, and sometimes approve the low-level design specifications.

Security Officer
Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies. Consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

Quality Assurance (QA)
• Develop test plan and test the code.
• Review that project documentation is complete.
• Review deliverables of the project.

Technology Specialist
Experts in specific technology areas, such as Microsoft technology, Web-enablement and the like.

Systems Analyst
To understand the existing problem/system/data flow and new requirements. Converts the user's requirements into system requirements to design the new system.

Programmers/Developers
Convert design into programs by coding using a programming language. Referred to as Coders or Developers.

Testers
Junior level quality assurance personnel who test programs and subprograms and prepare test reports.

Documentation Specialist
Creation of user manuals and other documentation.

Database Administrator (DBA)
Handles multiple projects; ensures the integrity and security of information stored in the database.

Data Administrator (DA)
Gathers and analyzes business requirements and develops conceptual and logical models of the business. Defines and enforces standards and naming conventions of the database. Administers the metadata repository and data administration tools; also keeps an interface with business users for data definition.

User Manager
Immediate manager or reporting manager of an employee. Ultimate responsibility for all user IDs and information assets owned by company employees. In the case of non-employee individuals such as contractors, consultants, etc., the user manager is responsible for the activity and for the company assets used by these individuals.
Role of IS Auditor in SDLC
• Analyze the associated risks and exposures inherent in each phase of SDLC.
• Assure that appropriate control mechanisms are in place to minimize the risks in a cost-effective manner.
• Assess the project development team's ability to produce key deliverables by the promised dates. Documentation of all phases should be collected and reviewed; specific areas of review:
Quality Assurance (QA)
• Understand standards adopted through the process of inquiry, observation and documentation review.
• Determine significant phases for the various sizes and types of project.
• Assess efficiency and effectiveness of each function to satisfy the users' goals and organization objectives.
• Test the methodology adopted and determine compliance by reviewing the documentation produced.
• Evaluate controls designed for compliance with internal control principles and standards.
• Determine compliance with common security, auditability and change control standards.
If IS Auditor is part of the project team in an advisory role then, depending on the level of involvement, IS Auditor may become ineligible to perform audits of the application when it becomes operational.

SDLC Project Management Techniques and Tools

Computer-Aided Software Engineering (CASE) tools
Automated tools that aid in the software development process. These include tools for capturing and analyzing requirements, software design, code generation, testing, document building and other software development activities.
IS Auditor is not expected to have detailed knowledge of how to use CASE tools for effective audit of SDLC project, as required.

Code Generators
• Part of CASE tools or development environment like Visual Studio.
• Generate program source code based on parameters provided.
• Reduce the development (particularly coding) time; maintaining or changing these programs might be painful and time consuming.

Software Size Estimation
Once the work breakdown structure is completed, the Project Manager must perform software size estimation, i.e. determining the physical size of the application (number of programs, modules, reusable functions/modules etc.). This helps the Project Manager in deciding resource and skills requirements, and in judging the time and cost required for development.

Source Lines Of Code (SLOC)
· SLOC is a direct method of software size estimation.
· FPA is more reliable as compared to SLOC, specially for complex projects.

Function Point Analysis (FPA)
· Indirect method of software size estimation.
· Function points are a unit measure for software size, much like an hour is to measuring time, miles are to measuring distance or Celsius is to measuring temperature.
· FPA is arrived at on the basis of number and complexity of inputs, outputs, files, interfaces and queries.
· FPA is more reliable than SLOC.

FPA Feature Points - for web-enabled applications
· In web-enabled applications, the development effort depends on the number of forms, number of images, type of images (static or animated), features to be enabled, interfaces and cross-referencing that is required.
· Thus, from the point of view of web applications, the effort would include all that is mentioned under Function Point Estimation, plus the features that need to be enabled for different types of user groups.
Cost Budgets: Cost estimates of a SDLC project are based on the amount of effort likely to be required to carry out each task.
Person-hours: e.g. System Analyst, Programmers, Support Staff, Testing Teams etc.
Infrastructure: Hardware, Software, Networks etc.
Other costs: Third-party services, automation tools required for the project, consultant or contractor fees, training costs, etc.
Prepare an estimate of human and machine effort for all tasks. Determine the hourly rate for each type of person-hours and arrive at the total person cost.

Development Environments and Non-Procedural Languages
Developer's Workbench: Provides an environment to the developer for editing, simulating code, temporary storage, file management and sometimes code generation. Referred to as an Integrated Development Environment (IDE).
Non-procedural languages: Event driven and make extensive use of Object-Oriented Programming concepts such as objects, properties and methods. These languages provide environmental independence (portability). These languages are classified in the following ways:
• Query and Report Generators: Extract and produce reports
• Embedded Database Languages: Extract and produce reports
• Relational Database Languages: Optional feature

Project Controlling Tools and Techniques
A. Program Evaluation Review Technique (PERT)
PERT is a technique for estimating project duration and timeline. PERT is more reliable than CPM for estimating project duration because in CPM only a single duration is considered while PERT considers three different scenarios, i.e. optimistic (best), pessimistic (worst) and normal (most likely), and on the basis of the three scenarios a single critical path is arrived at.
PERT time = [Optimistic + Pessimistic + 4(most likely)]/6.
B. Critical Path Methodology (CPM)
CPM is a technique for estimating project duration. All projects have at least one critical path.
• Critical path is the sequence of activities whose duration is longest as compared to other paths.
• Thus, CPM represents the shortest possible time required for completing the project.
• If activities with zero slack time are addressed first, early completion of the project is possible.
• Activities on the Critical Path have zero slack time.
• Slack time can be defined as the amount of time an activity can be delayed without impacting the completion date of the project. Thus zero slack time makes an activity critical, and concentration on such activities will help to reduce overall project completion time.
C. Gantt Charts
• Gantt Charts are an aid for scheduling activities/tasks needed to complete a project.
• Progress of the entire project can be tracked from the Gantt Chart.
• They reflect the resources assigned to each task and by what percent allocation.
• These charts show details related to activities calculated during PERT and CPM.
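As an added worked example (not from the chartbook), the PERT expected-time formula above feeding a CPM forward and backward pass over a small constructed activity network; the activity names, three-point estimates and dependencies are assumed for illustration. It reports slack per activity, so you can see which tasks (here the security test) can slip without moving the delivery date, and it rejects a cyclic dependency graph, for which no schedule exists.

```python
"""PERT three-point estimates feeding a CPM forward/backward pass.

Added worked example, not from the chartbook. Activity names, durations
and dependencies below are constructed for illustration only.
"""
from collections import deque

# Constructed sample project: name -> (optimistic, most likely, pessimistic, predecessors)
SAMPLE_PROJECT = {
    "A_requirements":   (2, 4, 6, []),
    "B_design":         (3, 5, 13, ["A_requirements"]),
    "C_coding":         (4, 8, 12, ["B_design"]),
    "D_security_test":  (2, 3, 4, ["B_design"]),
    "E_implementation": (1, 2, 3, ["C_coding", "D_security_test"]),
}


def pert_expected(optimistic, most_likely, pessimistic):
    """PERT time = [Optimistic + Pessimistic + 4(most likely)] / 6."""
    return (optimistic + pessimistic + 4 * most_likely) / 6


def _successors(project):
    """Reverse the predecessor lists; reject references to unknown activities."""
    succ = {name: [] for name in project}
    for name, (_, _, _, preds) in project.items():
        for pred in preds:
            if pred not in project:
                raise ValueError(f"unknown predecessor {pred!r} for {name!r}")
            succ[pred].append(name)
    return succ


def topological_order(project):
    """Kahn's algorithm. A cycle means no valid schedule exists, so raise."""
    succ = _successors(project)
    indegree = {name: len(spec[3]) for name, spec in project.items()}
    queue = deque(name for name, deg in indegree.items() if deg == 0)
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for nxt in succ[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(project):
        raise ValueError("dependency cycle: no valid schedule")
    return order


def cpm_schedule(project):
    """Return (project duration, per-activity dict of expected/es/ef/ls/lf/slack).

    Forward pass:  ES = max(EF of predecessors), EF = ES + expected.
    Backward pass: LF = min(LS of successors),   LS = LF - expected.
    Slack = LS - ES; zero slack marks a critical activity.
    """
    order = topological_order(project)
    succ = _successors(project)
    expected = {n: pert_expected(*project[n][:3]) for n in project}
    es, ef, ls, lf = {}, {}, {}, {}
    for n in order:
        es[n] = max((ef[p] for p in project[n][3]), default=0.0)
        ef[n] = es[n] + expected[n]
    duration = max(ef.values())
    for n in reversed(order):
        lf[n] = min((ls[s] for s in succ[n]), default=duration)
        ls[n] = lf[n] - expected[n]
    table = {
        n: {"expected": expected[n], "es": es[n], "ef": ef[n],
            "ls": ls[n], "lf": lf[n], "slack": ls[n] - es[n]}
        for n in project
    }
    return duration, table


def critical_path(project):
    """Zero-slack activities in schedule order: the longest path through the network.

    If several paths tie for longest, their activities are all returned together.
    """
    _, table = cpm_schedule(project)
    return [n for n in topological_order(project) if abs(table[n]["slack"]) < 1e-9]


if __name__ == "__main__":
    total, rows = cpm_schedule(SAMPLE_PROJECT)
    for name, r in rows.items():
        print(f"{name:<18} exp={r['expected']:>4} ES={r['es']:>4} EF={r['ef']:>4} "
              f"LS={r['ls']:>4} LF={r['lf']:>4} slack={r['slack']:>4}")
    print("project duration:", total,
          "critical path:", " -> ".join(critical_path(SAMPLE_PROJECT)))
```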

MODULE 3 : SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION AND MAINTENANCE
APPLICATION SYSTEM AUDIT
CHAPTER 2 : SDLC – NEED, BENEFITS AND PHASES
SDLC: A standard set of steps used for developing systems.
Systems Development Methodology: Use of a standard set of steps to develop and support business applications.
What is SDLC? Process of examining a business case with the intent of improving it through better procedures and methods.

Relevance of SDLC for Business Process Automation
Business Application System, also called Application Software, is designed to support a specific function or process of an organization, such as management of inventory, payroll, or analysis of market. The objective of an application system is to process data to produce information.

Business Drivers
The attributes of a business function (service delivery) that arise out of strategic objectives to enhance targets and goals of the business function to achieve the strategic goals of the business.

Need for SDLC - Situations
• New service delivery opportunity (e.g. e-commerce);
• Problems with an existing system;
• Change in strategic focus: Mergers and Acquisitions, or new Service Delivery Channels like ATM for Banks;
• Availability of new technology: Mobile Technology for Banking Services.

Benefits of SDLC - Less COST & Less Time

SDLC Phases
• Phase 1: Feasibility Study
• Phase 2: Requirement Definition
• Phase 3a: System Analysis
• Phase 3b: Design Phase
• Phase 4: Development Phase
• Phase 5: Testing Phase
• Phase 6: Implementation Phase
• Phase 7: Maintenance Phase

SDLC Models
• Waterfall Model
• Incremental Model
• Software Reengineering and Reverse Engineering
• Object Oriented Software Development (OOSD)
• Component Based Development
• Web-Based Application Development
• Prototype Model
• Spiral Model
• RAD Model
• Agile Model
• DevOps
Phases of SDLC

1. Feasibility Study
The feasibility study is based on technical, economical and social aspects and this helps in determining the strategic benefits of using the system. Identify and quantify the cost savings and estimate the probable ROI, which is used to build a business case covering both tangible as well as intangible factors.
Role of IS Auditor:
• Review of documentation for reasonableness.
• Review cost justification/benefits.
• Identify if the business needs used to justify the system actually exist.
• Justification for going for a development or acquisition.
• Review the alternate solutions for reasonableness.
• Review the reasonableness of the chosen solution.

2. Requirements Definition
This phase involves preparing the statement of intent explaining the need for the new application to provide the functional, service and quality requirements of the solution system. This phase includes studying the needs of the users, obtaining inputs from employees and managers on their expectations. Techniques and tools used are questionnaires, interviews, observing decision-maker behaviour and their office environment etc.
Role of IS Auditor:
• Identify the affected users and the key team members.
• Review detailed requirements definition document.
• Review existing data flow diagrams.

3a. System Analysis
Process of gathering and analyzing the facts, diagnosing problems, and using the outcome to recommend improvements to the proposed system. Analysis is also important to decide upon the system design approach. Due to extensive use of technology in modern organizations, the focus now is more on a service oriented approach where the objective of the system is to provide services using data models.
Role of IS Auditor:
• Verify that Management has approved the initiation of the project and the cost.
• Determine whether the application is appropriate for the use of an embedded audit routine or modules.
• In case of acquisition, determine that an appropriate number of vendors have been given proposals.

3b. Design
This phase takes primary inputs from the Requirement Definition phase. Based on the requirements identified, the team may need to finalize requirements by multiple user interactions and establish a specification baseline for development of the system and sub-systems.
Role of IS Auditor:
• Review system flowcharts for adherence to the general design.
• Review input, processing and output controls.
• Assess adequacy of the audit trails which provide traceability and accountability.
• Verify key calculations and processes for correctness and completeness.
• Interview users to ascertain their level of understanding of the system design, input to the system, screen formats and output reports.
• Verify that the system can identify erroneous data correctly and can handle invalid transactions.

4. Development
Efforts are made to use the design specifications to begin programming, and formalizing support for operational processes of the system. After the system design details are resolved, the resource needs are determined. In the development phase, the design specifications are converted into a functional system that will work in the planned system environment.

1. Characteristics of a well coded program
Reliability: Consistency with which a program operates over a period of time. However, poor setting of parameters and hard coding of parameters could result in the failure of a program.
Efficiency: Performance per unit cost with respect to relevant parameters; it should not be unduly affected with the increase in input values.
Robustness: Application's strength to perform operations in adverse situations by taking into account all possible inputs and outputs.
Usability: It refers to a user-friendly interface and easy-to-understand internal/external documentation.
Accuracy: Ability to take care of 'what it should not do'. This is of great interest for quality control personnel and auditors.
Readability: It refers to the ease of maintenance of the program even in the absence of the program developer.

2. Role of IS Auditor in development phase:
• Ensure that documentation is complete.
• Review QA report on adoption of coding standards by developers.
• Review that the testing and bugs found are reported and sent for rework to developers.

3. Some key aspects of development:
Program Coding Standards:
• The logic of the program outlined in the flowcharts is converted into program statements or instructions.
• For each language, there are specific rules concerning format and syntax.
• Syntax means vocabulary, punctuation and grammatical rules.
• Programmer turnover.
• Standards provide simplicity, interoperability, compatibility, efficient utilization of resources and reduce processing time.
Programming Language: Application programs are coded in the form of statements that are then converted by the compiler to object code for the computer to understand and execute.
• High-level general-purpose: COBOL and C
• Object oriented: C++, JAVA
• Scripting language: JavaScript, VBScript
• Decision Support or Logic: LISP and PROLOG.

4. Software Escrow
The objective of software escrow is to address the risk of the closure of vendors of customized written software.
Developer (Licensor) – Escrow Agent – End User (Licensee)
Proprietary materials include:
• Two copies of the Source Code on magnetic media
• All manuals not provided to the licensee
• Maintenance tools and necessary third-party system utilities
• Detailed descriptions of necessary non-licensor proprietary software
• Names and addresses of key technical employees that a licensee may hire
• Compilation instructions in written format or recorded on video format.

SDLC MODELS

1. Waterfall Model
These phases include requirements analysis, specifications and design requirements, coding, final testing, and release. The traditional approach is applied: an activity is undertaken only when the prior step is completed.
Key characteristics
• Project is divided into sequential phases, with some overlap and splash back acceptable between phases.
• Emphasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time.
• Tight control is maintained over the life of the project through the use of extensive written documentation, as well as through formal reviews and approval/signoff by the user and information technology management occurring at the end of most phases before beginning the next phase.
Strengths:
• Supporting less experienced project teams.
• Orderly sequence of development to ensure the Quality, Reliability, Adequacy and Maintainability of the developed software.
• System development can be tracked and monitored easily.
• Conserve resources.
Weaknesses:
• Inflexible, slow, costly, and cumbersome due to significant structure and tight controls.
• Project progresses forward, with only slight movement backward.
• Little to iterate, essential in situations.
• Early identification and specification of requirements; users may not be able to clearly define 'what they need early in the project'.
• Requirement inconsistencies, missing system components and unexpected development needs discovered during design and coding are most difficult to handle.
• Problems are often not discovered until system testing.
• System performance cannot be tested until the system is almost fully coded, and under capacity may be difficult to correct.
• It is difficult to respond to changes which may occur later in the life cycle, and if undertaken they prove costly and are thus discouraged.
• Written specifications are often difficult for users to read and thoroughly appreciate.
• It promotes the gap between users and developers with clear vision of responsibility.

2. Incremental Model
The model is designed, implemented and tested incrementally. This model combines the elements of the waterfall model with the iterative philosophy of prototyping. The product is decomposed into a number of components, each of which is designed and built separately (termed as Builds). Each component is delivered to the client when it is complete. This allows partial utilization of the product and avoids a long development time. It also creates a large initial capital outlay, and the subsequent long wait is avoided.
Key Features
• A series of mini-Waterfalls are performed, where all phases of the Waterfall development model are completed for a small part of the system, before proceeding to the next increment.
• Mini-Waterfall development of individual increments of the system.
• The initial software concept, requirement analysis, and design of architecture and system core are defined using the Waterfall approach, followed by Iterative Prototyping, which culminates in installation of the final prototype.
Strengths:
• Potential exists for exploiting knowledge gained in an early increment as later increments are developed.
• Moderate control is maintained over the life of the project through the use of written documentation and the formal review and approval/signoff.
• Concrete evidence of project status throughout the life cycle.
• Flexible and less costly to change scope and requirements.
• Gradual implementation provides the ability to monitor the effect of incremental changes, isolate issues and make adjustments.
Weaknesses:
• When utilizing a series of mini-Waterfalls for a small part of the system before moving onto the next increment, there is usually a lack of overall consideration of the business problem and technical requirements for the overall system.
• Each phase of an iteration is rigid and does not overlap the others.
• Since some modules will be completed much earlier than others, well-defined interfaces are required.

Type of SDLC
Software Reengineering and Reverse Engineering

Software Reengineering
Process of updating an existing system by reusing design and program components. These changes typically prompt for a new software development project; however, as an interim solution a reengineering project is initiated.
When to Reengineer?
• When system changes are confined to one subsystem, the subsystem needs to be reengineered
• When hardware or software support becomes obsolete
• When tools to support restructuring are readily available
• When some business processes or functions are reengineered

Software Reengineering Activities
Inventory Analysis: Listing and identifying active software applications and components required by business. The attributes of applications can be criticality, longevity, current maintainability.
Document Restructuring: Identify documentation for identified applications/modules. (Identifying poor or weak documentation for re-documentation is sometimes considered as a reengineering activity.)
Design Recovery: Identify the design of the application module to be reengineered. (In case it is not available it may have to be built based on code or using the Reverse Engineering method.)
Reverse Engineering: Process of design recovery - analyzing a program in an effort to create a representation of the program at some abstraction level higher than source code.
Code Restructuring: Source code is analysed and violations of structured programming practices are noted and repaired; the revised code also needs to be reviewed and tested.
Data Restructuring: Usually requires full Reverse Engineering; the current data architecture is dissected and data models are defined; existing data structures are reviewed for quality.
Forward Engineering: Also called reclamation/renovation, recovers design information from existing source code and uses this information to reconstitute the existing system to improve its overall quality and/or performance.

Software Reverse engineering
Reverse Engineering is the process of studying and analysing an application, a software application or a product to see how it functions and to use that information to develop a similar system. This process is carried out to understand and extract design, architecture, components, and knowledge of a system to produce a new system.
Object Oriented Software Development (OOSD)
OOSD is the process of solution specification and modelling where data and procedures can be grouped into an entity known as an object. An object's data are referred to as its attributes and its functionality is referred to as its methods. Its ability to reuse a model is its major advantage.
Objects
Created from a general template called a Class. For example, consider a car owned by you as an object. The object is complete in itself and all necessary data (components and specifications) are embedded into the object. The object can be specifically used for the purpose it has been designed for. However, there are different objects either having similar data (same model, same company) or different data (different model, different companies etc.). All these objects belong to the class cars.
Classes
Super-Classes (i.e., Root or Parent Classes) with a set of basic attributes or methods, or Sub-Classes which inherit the characteristics of the Parent Class and may add (or remove) functionality as required. In addition to inheritance, Classes may interact through sharing data, referred to as aggregate or component grouping, or sharing objects.
All object cars have common attributes (i.e. steering, gear, brake, wheels etc.) that are inherited from class cars (or may be from superclass vehicles). One can modify the object car by keeping basic common attributes and adding a few more functions to it. (Polymorphism)
Aggregate Classes
Interact through messages, which are requests for services from one Class (called a client) to another Class (called a server). Polymorphism is termed as the ability of two or more Objects to interpret the same message differently during execution, depending upon the superclass of the calling Object.
Although it is possible to do object-oriented development using a waterfall model, in practice most object-oriented systems are developed with an iterative approach. As a result, in object-oriented processes "Analysis and Design" are often considered at the same time.
Unified Modelling Language (UML)
UML is a general-purpose notational language which helps developers to specify and visualize complex software for large object-oriented projects.
Applications that use object-oriented technology are:
• Web Applications
• E-Business applications
• CASE for Software Development
• Office Automation for email and work orders
• Artificial Intelligence
• Computer-Aided Manufacturing (CAM) for production and process control

Component Based Development
Component-Based Development is an outgrowth of Object-Oriented Development. Component-Based Development is in fact assembling packages of executable software that make their services available through defined interfaces. These packages, also called enabling pieces of programs, are called Objects. These objects are independent of programming languages or operating system. The basic types of Components are:
In-Process Client Components: These components must run from within a defined program (called a 'Container') such as a web browser; they cannot run on their own.
Stand-Alone Client Components: Applications (like Microsoft's Excel and Word) that work as a service.
Stand-Alone Server Components: Processes running on servers that provide services in a standardized way. These are initiated by remote procedure calls (RPC) or some other kind of network call. Technologies supporting this include:
• Microsoft's Distributed Component Object Model (DCOM) - COM is the basis for ActiveX technologies,
• Object Management Group's Common Object Request Broker Architecture (CORBA) and
• Sun's Java through Remote Method Invocation (RMI).
In-Process Server Components: These components run on servers within containers. Examples include
• Microsoft's Transaction Server (MTS) - MTS when combined with COM allows developers to create components that can be distributed in the Windows environment. COM is the basis for ActiveX technologies,
• Sun's Enterprise Java Beans (EJB)
Advantages of Component-Based Development are:
• This reduces development time as the application system can be assembled from prewritten components and only code for unique parts of the system needs to be developed.
• Improves quality by using pre-written and tested components.
• Allows developers to focus more strongly on business functionality.
• Simplifies re-use and avoids the need to be conversant with procedural or class libraries; no source is required.
• Supports multiple development environments due to platform independent components.
• Allows a satisfactory compromise between build and buy options, i.e. purchase only needed components and incorporate these into a customized system.
Disadvantages:
• Attention to software integration should be provided continuously during the development stage.
• If system requirements are poorly defined or the system fails to adequately address business needs, the project will not be successful.

Web-Based Application Development
It eliminates the need to implement a client module on the end-user's desktop, and is delivered via internet-based technologies. The user needs to know the URL to access the application and, if need be, the same is delivered on the user's desktop or executed from the web server.

Application Programming Interface (API)
Historically, software written in one language on a particular platform has used a dedicated Application Programming Interface (API). The use of specialized APIs has caused difficulties in integrating software modules across platforms.
Remote Procedure Calls (RPCs)
Component Based Technologies such as CORBA and COM that use Remote Procedure Calls (RPCs) have been developed to allow real-time integration of code across platforms.
Simple Object Access Protocol (SOAP)
An XML language used to define APIs. SOAP will work with any operating system and programming language that understands XML. SOAP is simpler than using the more complex RPC-based approach.
Web Services Description Language (WSDL)
It is also based on XML. Used to identify the SOAP specification that is to be used for the code module API. Used to identify the particular web service accessible via a corporate intranet or across the Internet by being published to a relevant intranet or Internet web server.

Selection of SDLC Model

Assess the needs of Stakeholders
We must study the business domain, stakeholders' concerns and requirements, business priorities, our technical capability and ability, and technology constraints to be able to choose the right SDLC against their selection criteria.

Is the SDLC suitable for -
• Size of our team and their skills?
• Selected technology we use for implementing the solution?
• Client and stakeholders' concerns and priorities?
• Geographical situation (distributed team)?
• Size and complexity of our software?
• Type of projects we do?
• Software engineering capability?
• Project risk and quality assurance?

Prototyping Methodology
In order to avoid such bottlenecks and overcome the issues, organizations are increasingly using prototyping techniques to develop smaller systems such as DSS, MIS and Expert systems. The goal of the prototyping approach is A prototype may be a usable system or system component that is built quickly and at a lesser cost. As users work with the prototype, they learn about the system criticalities and make suggestions about the ways to manage it. These suggestions are then incorporated to improve the prototype, which is again used and evaluated. Finally, when a prototype is developed that satisfies all user requirements, either it is refined and turned into the final system or it is scrapped.

Generic Phases of Model
Identify Information System Requirements
In the traditional approach, the system requirements are to be identified. The design team needs only fundamental system requirements to build the initial prototype.
Develop the Initial Prototype
The designers create an initial base model and give little or no consideration to internal controls, but instead emphasize system characteristics such as simplicity, flexibility, and ease of use. Users interact with tentative versions of data entry display screens, menus, input prompts, and source documents. The users also need to be able to respond to system prompts, make inquiries, judge response times of the system, and issue commands.
Test and Revise
After finishing the initial prototype, the designers first demonstrate the model to users and then give it to them to experiment, and ask users to record their likes and dislikes about the system and recommend changes. Using this feedback, the design team modifies the prototype as necessary and then re-submits the revised model to system users for re-evaluation. Thus, the iterative process of modification and re-evaluation continues until the users are satisfied.
Obtain User Signoff of the Approved Prototype
Users formally approve the final version of the prototype; this confirms the current design and establishes a contractual obligation about what the system will, and will not, do or provide. Prototyping is not commonly used for developing traditional MIS and batch processing type of applications such as accounts receivable, accounts payable, payroll, or inventory management, where the inputs, processing, and outputs are well known and clearly defined.

Strengths:
• It improves user participation in system development.
• It is especially useful for resolving unclear objectives and requirements.
• Potential exists for exploiting knowledge gained in an early iteration as later iterations are developed.
• It helps to easily identify confusing or difficult functions and missing functionality.
• It enables generation of specifications for a production application.
• It encourages innovation and flexible designs.
• It provides for quick implementation of an incomplete, but functional, application.
• It typically results in a better definition of the users' needs and requirements than does the traditional systems development approach.
• A very short time period is normally required to develop and start experimenting with a prototype. This short time period allows system users to immediately evaluate proposed system changes.
• As a result, the information system ultimately implemented should be more reliable and less costly to develop than when the traditional systems development approach is employed.
Weaknesses:
• Approval process and control are not formal.
• Prototyping makes use of the expertise of both the user and the analyst, thus ensuring better analysis and design, and prototyping is a crucial tool in that process.
• Prototype has one major drawback. Many a time users do not realize that the prototype is not the actual system or code but is just a model.
• Users may think that the system is ready, whereas actual development starts only after the prototype is approved. Hence, the actual system may require time before it is ready for implementation and use.
• In the meantime, users may get restless and wonder why there is so much delay.

Spiral Model
It combines the features of the prototyping model and the waterfall model. Initially the spiral model was intended for large, expensive and complicated projects, such as game development, because of the size and constantly shifting goals of such projects. When it was defined, the spiral model was considered the best model, and further models were developed using it.
Key characteristics
• A preliminary design is created for the new system during the initial iterations. This phase is the most important part of the spiral model: all possible alternatives that can help in developing a cost-effective project are analysed and strategies are decided for using them.
• A first prototype of the new system is constructed from the preliminary design during the first iteration. This is usually a scaled-down system that approximates the characteristics of the final product.
• A second prototype is evolved during the next iteration by a fourfold procedure: evaluating the first prototype in terms of its strengths, weaknesses and risks; defining the requirements of the second prototype; planning and designing the second prototype; and constructing and testing the second prototype.
Strengths:
• Enhances risk avoidance.
• Incorporates the Waterfall, Prototyping and Incremental methodologies.
• For example, a project with low risk of not meeting user requirements but high risk of missing budget or schedule targets would essentially follow a linear Waterfall approach for a given software iteration. Conversely, if the risk factors were reversed, the spiral methodology could yield an iterative prototyping approach.
Weaknesses:
• Challenging to determine the exact composition of development methodologies.
• Requires a skilled and experienced project manager.
• No firm deadlines; hence an inherent risk of not meeting budget or schedule.

Agile Software Development Methodology
• A non-traditional way of developing complex systems.
• The term "Agile" describes methods designed to handle change flexibly; Scrum was the first such project management approach.
• Agile processes such as Extreme Programming (XP), Crystal, Adaptive Software Development, Feature Driven Development and Dynamic Systems Development Method have since emerged.
Characteristics
• Use of small, time-boxed sub-projects or iterations, where each iteration forms the basis for planning the next iteration.
• The agile methodology may be considered iterative and incremental development.
• The list of product modules to be built is called the "Product Backlog"; the subset assigned to a team for one iteration, and expanded by it, is called the "Sprint Backlog".
• Pair programming (two persons code the same part of the system) as a means of sharing knowledge and as a quality check.
Key Features
• Customer satisfaction by rapid delivery of useful software.
• Changing requirements are accommodated, even late in development.
• Working software is delivered frequently (weeks rather than months).
Strengths:
• Adaptive team, able to respond to changing requirements.
• Face-to-face communication and continuous input from the customer representative.
• Documentation is crisp and to the point, to save time.
Weaknesses:
• Difficult to assess the effort required at the beginning of the system development life cycle.
• Necessary design and documentation are squeezed by time management; as a result, documentation is generally left out or remains incomplete.
• Reliance on verbal communication and weak documentation.
• The project can easily go off track if the customer representative lacks clarity about the requirements and final deliverables.
Rapid Application Development (RAD)
In RAD, minimal planning is done up front; planning is interleaved with writing the software itself, which makes it easier to change requirements.
Key characteristics
• The key objective is fast development and delivery of a high-quality system at a relatively low investment cost.
• The project is broken into smaller segments.
• Aims to produce high-quality systems quickly, using tools such as Graphical User Interface (GUI) builders, Computer Aided Software Engineering (CASE) tools, Database Management Systems (DBMS), fourth-generation programming languages, code generators and object-oriented techniques.
• Focus is on fulfilling the business need.
• Work is organised in "time boxes": if a project starts to slip, the emphasis is on reducing requirements to fit the time box, not on extending the deadline.
• Joint Application Development (JAD): users are intensely involved in system design, through structured workshops or electronically facilitated interaction.
Strengths:
• The operational version of an application is available much earlier than with the Waterfall, Incremental or Spiral frameworks.
• Systems are produced at lower cost.
Weaknesses:
• Fast speed and lower cost may adversely affect system quality.
• Feature creep: more features than needed are added to the system during development.
• Inconsistent designs within and across systems.
• Violation of programming standards.
• Formal reviews and audits are more difficult to implement.

DevOps
• Developing a culture of collaboration between the development and operations teams.
• DevOps refers to the integration of development and operations processes to eliminate conflicts and barriers.
• This integration can create a great deal of benefit, but it can also create new risk.
• DevOps changes the environment and often impacts an organization's control environment and accepted level of risk.
• An IS auditor should ensure that there is proper separation of duties.
• Implementing DevOps processes can be done in a logical and systematic manner and used to enhance the maturity of software development.
DevSecOps
• Building security into application development from end to end.
• The confluence of the software development, information security and IT operations groups, and
• the use of automation in those activities.
Development Controls:
• Automated software scanning
• Documented policies and procedures
• Automated vulnerability scanning
• Application performance management
• Web application firewall
• Asset management and inventorying
• Developer application security training
• Continuous auditing and/or monitoring
• Software dependency management
• Encryption of data between apps and services
• Access and activity logging

Secure SDLC
Security steps in each SDLC phase:
Requirement Definition
• Identify security requirements, including compliance requirements for privacy and data loss.
• Determine the risks associated with security and prepare a mitigation plan.
• Train users on identification and fixing of security bugs.
Design Phase
• Ensure security requirements are considered during design, e.g. access controls for privacy-sensitive data.
• Identify possible attacks and design controls against them, e.g. implementing the least-privilege principle for sensitive data and applying the layered principle for modules.
Development Phase
• Develop and implement secure coding practices such as input data validation and avoiding complex code.
• Train developers on secure coding practices.
Testing Phase
• Review code for compliance with secure coding practices.
• Develop test cases for security requirement testing.
• Ensure security requirements are tested during testing.
• Test the application against the identified attacks.
Implementation Phase
• Analyse that all functions and interfaces are secured.
• Perform a security scan of the application after implementation.
Maintenance Phase
• Monitor for vulnerabilities on a continuous basis.
• Issue patches for fixing reported vulnerabilities accordingly.
• Evaluate the effectiveness of countermeasures periodically.

MODULE : 3 - SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION CHAPTER 3: SOFTWARE TESTING AND IMPLEMENTATION
MODULE 3 - SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION AND MAINTENANCE; APPLICATION SYSTEM AUDIT
CHAPTER 3 : SOFTWARE TESTING AND IMPLEMENTATION

SDLC Phases
• Phase 1: Feasibility Study
• Phase 2: Requirement Definition
• Phase 3a: System Analysis
• Phase 3b: Design Phase
• Phase 4: Development Phase
• Phase 5: Testing Phase
• Phase 6: Implementation Phase
• Phase 7: Maintenance Phase

Testing as per ANSI/IEEE 1059 standard
A process of analysing a software item to detect the differences between existing and required conditions (that is, defects/errors/bugs) and to evaluate the features of the software item. The objective of these tests should be to evaluate the complete system's functionality.

Importance of Software Testing
• Points out the defects and errors made during the development phase.
• Reliability and customer satisfaction.
• A high-quality product has a lower maintenance cost.
• Effective performance.
• Defects found late are very expensive to fix in the later stages of development; testing detects bugs and issues early.
• Stability of the application.

Methods of Software Testing
There are different methods that can be used for software testing. This chapter briefly describes the methods available.

1. Black-Box Testing
The technique of testing without any knowledge of the interior workings of the application is called Black-Box testing. The tester is oblivious to the system architecture and does not have access to the source code.
Advantages
• Well suited and efficient for large code segments.
• Code access is not required.
• Clearly separates the user's perspective from the developer's perspective through visibly defined roles.
• A large number of moderately skilled testers can test the application.
Disadvantages
• Limited coverage, since only a selected number of test scenarios is actually performed.
• Limited knowledge about the application leads to inefficient testing.
• Blind coverage, since the tester cannot target specific code segments.
• The test cases are difficult to design.

2. White-Box Testing
Detailed investigation of the internal logic and structure of the code. Also called Glass-Box testing or Open-Box testing. The tester needs to look inside the source code and find out which unit/chunk of the code is behaving inappropriately. Considered the best approach for unit testing.
Advantages
• Since the tester has knowledge of the source code, the type of data needed can be easily identified, which helps in testing effectively.
• It helps in optimizing the code.
• Extra lines of code, which could introduce hidden defects, can be removed.
• Determining the accuracy of program logic is one of the benefits of white-box testing.
Disadvantages
• A skilled tester is needed to perform white-box testing, so costs increase.
• Sometimes it is impossible to look into every hidden error; some paths may go untested.
• It is difficult to maintain white-box testing, as it requires specialized tools like code analyzers and debugging tools.

3. Grey-Box Testing
The technique of testing the application with limited knowledge of its internal workings. In software testing, the phrase "the more you know, the better" carries a lot of weight. Unlike Black-Box testing, where the tester only tests the application's user interface, in Grey-Box testing the tester has access to design documents and the database.
Advantages
• Offers the combined benefits of Black-Box and White-Box testing wherever possible.
• Grey-Box testers don't rely on the source code; instead they rely on interface definitions and functional specifications.
• The test is done from the point of view of the user and not the designer.
Disadvantages
• Since access to the source code is not available, the ability to go over the code is limited, and so is the test coverage.
• The tests can be redundant if the software designer has already run a test case.
• Testing every possible input stream is unrealistic because it would take an unreasonable amount of time. As a result, many program paths will go untested.

BLACKBOX TESTING WHITEBOX TESTING GREYBOX TESTING


e internal workings of an application need not be known. Tester has full knowledge of the internal workings of the application. e tester has limited knowledge of the internal workings of the application.
Also known as Closed-Box testing, Data-Driven testing, or Also known as Clear-Box testing, Structural testing, or Code-Based testing. Also known as Translucent testing, as the tester has
Functional testing. limited knowledge of the insides of the application.
Performed by end-users and also by testers and developers. Normally done by testers and developers. Performed by end-users and also by testers and developers.
Testing is based on external expectations - Internal Internal workings are fully known and the tester can design test data Testing is done on the basis of high-level database diagrams and data ow
behavior of the application is unknown. accordingly. diagrams.
It is exhaustive and the least time-consuming. e most exhaustive and time-consuming type of testing. Partly time-consuming and exhaustive.
Not suited for algorithm testing. Suited for algorithm testing. Not suited for algorithm testing.
is can only be done by trial-and-error method. Data domains and internal boundaries can be better tested. Data domains and internal boundaries can be tested, if known.

Levels of Testing
Levels of testing include the different methodologies that can be used while conducting software testing. The main levels of software testing are:
Functional Testing
This is a type of Black-Box testing based on the specifications of the software to be tested. Five steps are involved while testing an application for functionality:
• Step I: Determine the functionality that the application is intended to perform.
• Step II: Create test data based on the specifications of the application.
• Step III: Determine the expected output based on the test data and the specifications of the application.
• Step IV: Write the test scenarios and execute the test cases.
• Step V: Compare actual and expected results based on the executed test cases.
Non-Functional Testing
Non-functional testing involves testing the software against requirements that are non-functional in nature but important, such as performance, security and user interface. Some of the important and commonly used non-functional testing types are performance testing, load testing, stress testing, usability testing, security testing and portability testing.

Strategies of Software Testing
What is a Test Strategy?
A test strategy is a guideline to be followed to achieve the test objective and to execute the test types mentioned in the test plan. It deals with the test objective, test environment, test approach, automation tools and strategy, contingency plan and risk analysis. The test approach has two techniques: proactive and reactive.
• Proactive: the test design process is initiated as early as possible in order to find and fix defects before the build is created.
• Reactive: testing is not started until after design and coding are completed.
Factors to be considered
• Risks of the product, risk of failure, or risks in the environment and the company.
• Expertise and experience of the people in the proposed tools and techniques.
• Regulatory and legal aspects, such as external and internal regulations of the development process.
• The nature of the product and the domain.
Different test approaches
There are many strategies that a project can adopt depending on the context; some of them are:
• Dynamic and heuristic approaches.
• Consultative approaches.
• Model-based approaches that use statistical information about failure rates.
• Risk-based testing, where the entire test effort is prioritised by risk.
• Methodical approaches, based on known types of failures.
• Standard-compliant approaches, specified by industry-specific standards.

TYPES OF SOFTWARE TESTING
Unit Testing
Unit testing is a verification and validation method in which a programmer tests whether individual units of source code are fit for use. A unit is the smallest functional part of an application, often called a module. It can be an individual program, function or procedure, or may belong to a base/super class, abstract class or derived/child class.
1. Functional Tests:
Check whether programs do what they are supposed to do. The test plan specifies operating conditions, input values and expected results; as per this plan the programmer checks, by inputting values, whether the actual and expected results match.
• Positive Test: the tester supplies the expected values that the data can possess. Sometimes the tester may use sanitized live data for testing.
• Negative Test: the tester provides value sets that the data should never possess. Here the program should flag the error with a suitable message.
2. Performance Tests:
Verify the response time (time required to receive input and deliver confirmation), execution time (e.g. processing of a single data value should take less than 100 microseconds), throughput (e.g. 1000 values must be processed in one second), primary (RAM/CPU) and secondary memory (storage) utilization, and the rate of traffic flow on data channels and communication links (number of messages per second).
3. Stress Tests:
Determine the stability of a system or entity. They involve testing beyond normal operational capacity, often to a breaking point, to observe the results. They are designed to overload the program in various ways to determine its limitations. Live workload data should be used for better accuracy of results.
4. Structural Tests:
Examine the internal processing logic of a software system.
5. Parallel Tests:
Applicable during change management or re-engineering, where the same test data is used in the new and the old system and the output results are then compared.

Usability Testing
• Usability testing is a Black-Box technique used to identify errors and improvements in the software by observing users through their usage and operation.
• A user-friendly system should fulfil the following five goals: easy to learn, easy to remember, efficient to use, satisfactory to use and easy to understand.
• Some standards and quality models and methods that define usability in the form of attributes and sub-attributes are ISO 9126, ISO 9241-11, ISO 13407 and IEEE Std 610.12.

Portability Testing
Portability testing aims to ensure the reusability of software and that it can be moved to another platform. Strategies that can be used for portability testing:
• Transferring installed software from one computer to another.
• Building an executable (.exe) to run the software on different platforms.
Portability testing can be considered a sub-part of system testing. Computer hardware, operating systems and browsers are the major focus of portability testing. Pre-conditions for portability testing:
• The software should be designed and coded keeping the portability requirements in mind.
• Unit testing has been performed on the associated components.
• Integration testing has been performed.
• The test environment has been established.
Integration Testing
Different modules/functions and programs that are small parts of the entire information system are expected to work together to achieve the objectives of the information system. For example, Internet Banking is a system consisting of various functions like savings account management, time deposit management, loan account management, third-party fund transfer, standing instructions, statements of account, etc. Integration testing is carried out in the following manner:
A. Bottom-up Integration
This approach starts with individual modules and then covers the full system. In the Internet Banking example it will test communication between modules starting from the smallest-level modules like savings bank account and fund transfer, and then statement of accounts, to ensure that the previous transaction is reflected in the statement, and so on. The disadvantage is that testing of major decisions/control points is deferred to a later period.
B. Top-down Integration
• Testing starts with the main routine, and stubs are substituted for the subordinate modules.
• A stub is an incomplete portion of code placed under a function, allowing the function and program to be compiled and tested.
• Once the main module is complete, stubs are replaced with real modules one by one for testing.
• This process continues until the atomic modules are reached.
• Stub testing is suitable for prototype-based development.

Static Testing
Conducted on source programs; it does not require execution in operating conditions. The three types of static analysis tests are:
• Desk Check: the programmer himself checks for logical and syntax errors and deviations from coding standards.
• Structured Walk-through: the application developer leads other programmers through the text of the program with explanation.
• Code Inspection: the program is reviewed by a formal committee with formal checklists.

Load Testing
• Load testing tests software by applying the maximum load and manipulating large input data.
• It is done under normal and peak conditions to evaluate system performance.
• Load testing identifies the software's maximum capacity and its behaviour at peak time.
• Automated tools like LoadRunner, Apache JMeter, Silk Performer, Visual Studio Load Test, etc. are commonly used for load testing.
• Virtual users (VUsers) are defined in the automated testing tool to drive the load test.
• The number of virtual users can be increased or decreased based on requirements.
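Top-down integration testing with a stub, as described under Integration Testing above, together with the positive and negative functional tests from the Unit Testing section, as an added example that is not part of the chartbook. The `transfer` main routine, the `Ledger` subordinate module and the account numbers and balances are all hypothetical, constructed for the example:

```python
"""Top-down integration testing with a stub, then the real module.

Added example, not from the chartbook. The main routine `transfer`
(a toy Internet Banking fund transfer) depends on a subordinate
`Ledger` module; account numbers and balances are constructed data.
"""
from dataclasses import dataclass, field


class InsufficientFunds(Exception):
    """Raised by the real ledger when a debit would overdraw an account."""


@dataclass
class Ledger:
    """Real subordinate module: holds balances and applies postings."""
    balances: dict = field(default_factory=dict)

    def post(self, account: str, amount: int) -> int:
        new_balance = self.balances.get(account, 0) + amount
        if new_balance < 0:
            raise InsufficientFunds(account)
        self.balances[account] = new_balance
        return new_balance


class LedgerStub:
    """Stub substituted for the subordinate module: it only records the
    calls it receives and returns a canned value, so the main routine can
    be compiled and exercised before the real Ledger exists."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, int]] = []

    def post(self, account: str, amount: int) -> int:
        self.calls.append((account, amount))
        return 0  # canned result; a stub has no real balances


def transfer(ledger, src: str, dst: str, amount: int) -> bool:
    """Main routine under test: debit the source, then credit the destination."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    ledger.post(src, -amount)   # the real ledger rejects an overdraft here,
    ledger.post(dst, amount)    # so the credit is never reached in that case
    return True


def stage_1_with_stub() -> list[tuple[str, int]]:
    """Stage 1: only the main routine exists; its control logic (order and
    sign of the postings) is checked through the stub's call record."""
    stub = LedgerStub()
    transfer(stub, "SB-1001", "SB-2002", 500)
    return stub.calls


def stage_2_with_real_module() -> dict:
    """Stage 2: the stub is replaced by the real module (positive test)."""
    ledger = Ledger({"SB-1001": 1000, "SB-2002": 0})
    transfer(ledger, "SB-1001", "SB-2002", 500)
    return dict(ledger.balances)


def stage_2_negative_case() -> tuple[str, dict]:
    """Negative test: a value set the data should never allow (an overdraft).
    The program must flag it and leave both balances untouched."""
    ledger = Ledger({"SB-1001": 100, "SB-2002": 0})
    try:
        transfer(ledger, "SB-1001", "SB-2002", 500)
    except InsufficientFunds:
        return "rejected", dict(ledger.balances)
    return "accepted", dict(ledger.balances)


if __name__ == "__main__":
    print("stage 1 (stub) calls:", stage_1_with_stub())
    print("stage 2 (real) balances:", stage_2_with_real_module())
    print("stage 2 negative case:", stage_2_negative_case())
```

The stub stage only proves that the main routine calls its subordinate in the right order with the right signs; the overdraft behaviour cannot be tested until the real module is swapped in, which is exactly the "major decisions deferred" trade-off the text describes for the opposite (bottom-up) direction.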
Regression Testing
Each time a new module is added or any modification is made to the software, it changes: new data-flow paths are established, and new input, output and control logic is invoked. These changes may cause problems with functions that previously worked flawlessly. Regression testing ensures that changes or corrections have not introduced new faults. It uses the same data as was used in the original test.

System Testing
A process in which the system as a whole is tested. It begins either when the software as a whole is operational or when well-defined subsets of the software's functionality have been implemented. Its purpose is to ensure that the new or modified system functions properly. This test is conducted in a non-production test environment. The types of system testing are as follows:
A. Recovery Testing: tests how well the application is able to recover from crashes, hardware failure and other similar problems. It is the forced failure of the software in a variety of ways to verify that recovery is properly performed.
B. Security Testing: the process of determining that the information system protects data and maintains the intended functionality. It covers basic security concepts like confidentiality, integrity, authentication, authorization and availability. It ensures the existence and execution of access control in the new system.
C. Stress Testing: used to determine the stability of a given system. It involves testing beyond normal operational capacity, often to a breaking point, to observe the results. It is performed by inputting a large quantity of data during peak hours to test performance.
D. Performance Testing: performed on various parameters like response time, speed of processing, effective use of resources (RAM, CPU, etc.), network, etc. It compares the new system's performance with that of a similar system using well-defined benchmarks.

Other types of Testing
When any complex application/software is intended for general and widespread use, developers want to make sure that the product meets the diverse requirements of general users. Organizations may consider alpha and beta testing. For example, Microsoft performs this type of testing on a new product before making it available commercially.
Alpha Testing: the first stage, often performed by users within the organization and by the developers, to improve and ensure the quality/functionality as per users' satisfaction.
Beta Testing: performed after deployment of the system to external users; it involves sending the product outside the development environment for real-world exposure and receiving feedback for analysis and modification.
Automated Testing: automation of testing is performed using special software (separate from the software being tested) to control the execution of tests and the comparison of actual outcomes with predicted outcomes. Test automation can automate some tasks that would be difficult to perform manually.
Integrated Testing: test data is usually processed in production-like systems. This confirms the behaviour of the new application or modules in real-life conditions. In this environment the IS auditor performs tests with a set of fictitious data, whereas client representatives use extracts of production data to cover the most likely scenarios.
Some organizations use a subset of production data in a test environment; such production data may be altered or scrambled to mask confidential data. This is often the case where acceptance testing is done by team members who, under usual circumstances, would not have access to such production data. Test data generator tools help in building test cases and also generate test data based on conditions. However, using production data may not help in identifying negative test cases.
Accreditation of Software: the process includes evaluating program documentation and testing effectiveness. It results in a final decision on deploying the business application system. In the case of tailor-made software, certification/accreditation should only be performed once the system is implemented and has been in operation for some time, so as to produce the evidence needed for the certification/accreditation process. Testers generally perform Black-Box testing (penetration testing) by trying to simulate attacks on the hosted application. This is then followed by Grey-Box and/or White-Box testing that includes code review to identify issues in coding practices that might introduce vulnerabilities into the application. These can be avoided by including secure coding practices in the coding standard developed by the organization.
Security Testing (Application Scans and Penetration Testing): for information security issues, the evaluation process includes reviewing the security plans, the risk assessment results along with the response decisions, and the evaluation of the processes to be deployed. The result of the security assessment focuses on measuring the effectiveness of the security controls. Security testing provides assurance to the business owner. Security testing of a web application against identified external threats (like SQL injection, cross-site scripting, etc.) is necessary to ensure that the application can withstand an attack by a hacker trying to breach its security.
While reviewing the testing process, IS auditors focus on getting answers to the following questions:
1. Whether the test suite prepared by the testers includes the actual business scenarios?
2. Whether the test data used covers all possible aspects of the system?
3. Whether CASE tools like test data generators have been used?
4. Whether test results have been documented?
5. Whether tests have been performed in their correct order?
6. Whether modifications needed based on test results have been made?
7. Whether modifications made have been properly authorized and documented?
Final Testing
Conducted when the system is just ready for implementation. The results of this testing have the greatest impact. It ensures that the new system satisfies the quality standards adopted by the business and that the system satisfies the user. The two major types of final acceptance testing are as follows:
A. Quality Assurance Testing
Ensures that the new system satisfies the prescribed quality standards and development processes as per the organisation's quality assurance methodology.
B. User Acceptance Testing (UAT)
A user-intensive activity; participation of functional users is a primary requirement for UAT. It ensures that the system is production-ready and satisfies all accepted (baselined) requirements. UAT is a formal process and may include:
• Definition of test strategies and procedures
• Design of test cases and scenarios
• Execution of the tests
• Utilization of the results to verify system readiness.
UAT is the stage in the SDLC where end users finally accept the developed application system. It is required in all situations of acquiring software, i.e. software developed in-house, by an outsourced team, or purchased and configured by a vendor.
UAT should be performed in a secure testing or staging environment where both source and executable code are protected, to ensure that unauthorized or last-minute changes are not made to the system unless authorized and the standard change management process is followed.
Users should develop test cases, or use data from live operations of a specified period, to confirm whether the processing of data by the new application gives correct results, has the required controls, and produces reports that meet management requirements.
The IS auditor should issue an opinion to management as to whether the system meets the documented business requirements, has incorporated appropriate controls, and may be migrated to production. This report should also identify and explain the risks to which the organization might be exposed by implementing the system.

Implementation
Application software developed shall be implemented once it is tested and UAT has been signed off. However, planning for implementation must start much earlier in the SDLC, often right after the feasibility study. Planning involves selecting implementation strategies, preparing for implementation, and conversion of data to suit the requirements of the new application. An organization can adopt one of the four strategies described below:
Cut-off / Direct Implementation / Abrupt Change-over: achieved through an abrupt takeover approach. The changeover is done in one operation, completely replacing the old system in one go. It takes place on a set date, usually after a holiday period, so that the idle time can be used for installation and disruption is minimized.
Phased Changeover: implementation is staged, with conversion to the new system taking place gradually. If one phase is successful the next phase is started, and this process continues till the new system fully replaces the old one.
Parallel Changeover: both systems (old and new) run in parallel and independently for an introductory period. If all goes well the old one is stopped and only the new one carries on. It is time-consuming but less risky. This method has the greatest redundancy of all the migration methods.
Pilot Changeover: the new system replaces the old one at one location (branch); conversion at one place is done and then at the next. For example, conversion of banking operations to centralized systems is done at one branch first. The advantage of pilot implementation is that issues and problems are identified and rectified during the pilot run, so a stabilized system is rolled out, saving cost and enabling faster and more stable implementation. The same process is replicated across all branches.

Preparing for Implementation
A fully functional and documented system is a prerequisite for implementation to begin. Moreover, many other issues like defect removal, maintenance and re-engineering may need to be addressed to assure the desired quality of the system in the operational environment.
Site Preparation and Installation: the hardware required to support the new system is selected prior to this phase. The necessary hardware should be ordered and tested in time to allow for installation. An installation checklist should be developed with operating advice from the vendor and the developer.
Site Preparation: an appropriate location and the prescribed equipment must be made available to provide an operating environment that meets the vendor's temperature, humidity and dust-control specifications.
Installation of New Hardware/Software: the equipment must be physically installed by the manufacturer, connected to the power source and wired to communication lines, if required.
Equipment Checkout: the equipment must be turned on for testing under normal operating conditions. Though the vendor conducts diagnostic tests, the in-house implementation team should devise extensive tests to ensure equipment functionality in actual working conditions.

Conversion
Changeover includes all those activities which must be completed to convert from the previous system to the new information system. The activities are:

Data Conversion:
The requirement of data conversion depends upon the change. If the new application is replacing manual operation with automated operation it involves:
1. Capturing of data into electronic form
2. Verification of data
3. Uploading into database
In case the change is from an old system to a new system, it involves:
1. Converting electronic data from old format to new format
2. Verification
3. Uploading into the new database.
Since data conversion is a type of input, controls on conversions are essential to ensure integrity of data. These controls generally include:
1. Completeness Check: Using number of records, control totals, batch totals, hash totals. For example, verifying the number of employee records, checking the trial balance before and after conversion etc.
2. Accuracy Check: Manual verification or key verification (manual to electronic conversion).

Procedure Conversion:
Changes in application systems may require changes in operating procedures and associated controls. For example, during manual operation in banking every transaction is verified before being posted to the account and then the effect of the transaction is reflected in the general ledger. However, in an electronic banking system transactions are flagged with the type of transaction and posted to the general ledger. Hence verification of transactions is most essential in the new system.

System conversion:
After completing the above conversions, daily processing can be shifted from the existing system to the new system. System development team members should be present to assist and to answer any questions that might develop. Consideration should be given to operating the old system for some more time to permit checking, matching and balancing the total results of both systems.

Scheduling Personnel and Equipment:
Schedules should be drawn up in conjunction with the departmental managers of operational units. The master schedule should provide sufficient computer time for the next period to handle the required processing.
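The completeness and accuracy checks above, as an added example that is not part of the chartbook: a legacy salary extract is converted into a new schema, the record count, control total and hash total are compared across the conversion boundary, and each converted row is verified one-for-one against its source key. The record layouts, field names and values are constructed for illustration.

```python
from decimal import Decimal

# Constructed legacy extract: the old system keeps salary in paise as text.
LEGACY = [
    {"emp_id": "E0101", "name": "A. Sharma", "salary_paise": "4500000"},
    {"emp_id": "E0102", "name": "B. Rao", "salary_paise": "3250050"},
    {"emp_id": "E0205", "name": "C. Das", "salary_paise": "5100000"},
]


def convert(record):
    """The conversion program under review: numeric id, salary in rupees as Decimal."""
    return {
        "employee_id": int(record["emp_id"][1:]),
        "name": record["name"].strip(),
        "salary_inr": Decimal(record["salary_paise"]) / 100,
    }


def legacy_totals(records):
    """Control figures taken from the source before conversion."""
    return {
        "record_count": len(records),
        # control total: a meaningful financial total
        "control_total": sum(Decimal(r["salary_paise"]) for r in records) / 100,
        # hash total: sum of a non-financial field, only useful for matching
        "hash_total": sum(int(r["emp_id"][1:]) for r in records),
    }


def converted_totals(records):
    """The same control figures recomputed from the target after conversion."""
    return {
        "record_count": len(records),
        "control_total": sum(r["salary_inr"] for r in records),
        "hash_total": sum(r["employee_id"] for r in records),
    }


def completeness_check(legacy, converted):
    """Completeness: every control figure must agree before and after. Returns discrepancies."""
    before, after = legacy_totals(legacy), converted_totals(converted)
    return [f"{name}: before={before[name]} after={after[name]}"
            for name in before if before[name] != after[name]]


def accuracy_check(legacy, converted):
    """Accuracy: one-for-one key verification of each converted row against its source.
    Expected values are derived here from the legacy record, independently of convert()."""
    by_key = {r["employee_id"]: r for r in converted}
    findings = []
    for src in legacy:
        key = int(src["emp_id"][1:])
        row = by_key.get(key)
        if row is None:
            findings.append(f"{src['emp_id']}: missing after conversion")
            continue
        if row["name"] != src["name"].strip():
            findings.append(f"{src['emp_id']}: name mismatch")
        if row["salary_inr"] != Decimal(src["salary_paise"]) / 100:
            findings.append(f"{src['emp_id']}: salary mismatch {row['salary_inr']}")
    return findings


if __name__ == "__main__":
    converted = [convert(r) for r in LEGACY]
    print("completeness:", completeness_check(LEGACY, converted) or "OK")
    print("accuracy:", accuracy_check(LEGACY, converted) or "OK")
```

A dropped record shows up in all three control figures; a silently truncated salary passes the count and hash total and is caught only by the financial control total and the key verification, which is why both kinds of check are run.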
Change Management Process
Application maintenance refers to the process of managing changes in the application and IT, triggered or prompted by changes in processes, regulatory compliance, strategic changes in the business, technology changes and so on.
Changes also arise due to issues, problems and incidents faced. In order to handle changes the organization should have a defined process. This process generally includes:
1. Raising Change Request: A formal process for requesting a change with a cost justification analysis, if possible, and the expected benefits of the change.
2. Defining Requirements: Defining details of the changes required, like functional changes, appearance changes, processing changes (e.g. a change in tax structure may require processing changes; if tax slabs are displayed then appearance changes, and so on).
3. Analysing Requirements: Getting answers to questions such as: why is the change required, when should it be effective, who needs it, where are the changes required, what programs/modules/functions are affected, how will the changes be carried out, and so on.
4. Impact Analysis: What will be the impact of the changes on processes and other related programs that interface with the application that needs to be changed, or how changes in technology shall affect the processing.
5. Approval of change: Changes must be approved by the asset owners, i.e. application owners in the case of an application change, and other stakeholders that might be impacted. Sometimes it is difficult to decide who has the appropriate authority to approve a change because of its impact on multiple processes. To overcome such situations organizations form a Change Approval Board or Committee (CAB) consisting of representatives from multiple business functions.
6. Prioritizing the Change Requests: This is required to resolve the conflict arising from multiple Change Requests from different users.
7. Carrying out Changes: The System Analyst shall review the changes and decide the appropriate resources to carry them out. Records of all program changes should be maintained. Library management software may help in automating this process and in maintaining an audit trail. The maintenance information usually consists of the programmer ID, time and date of change, project or request number associated with the change, and before and after images of the lines of code that were changed. This also helps in preventing and/or detecting unauthorized changes.
8. System Document Maintenance: Updating all relevant system documentation is sometimes a neglected area during change management. It is essential to ensure the effective utilization and future maintenance of a system. Documentation requiring revision may consist of program and/or system flowcharts, program narratives, data dictionaries, entity relationship models, data flow diagrams (DFDs), operator run books and end-user procedural manuals. In the case of infrastructure changes, network diagrams, data centre block diagrams, electrical and facility diagrams etc. are likely to undergo changes.
9. Testing the Changes: Changes will be tested as per the testing process (please refer to the subsection on testing). However, for testing changes the following points must be considered:
• Existing functionalities are not affected by the change
• System performance is as expected
• Security vulnerabilities are not introduced
This also includes conducting user acceptance testing and obtaining formal sign-off from users/owners (e-mail, electronic approval in an automated system, document etc.).
10. Releasing Changes: Changes shall be released to production once approved by the stakeholders (UAT). Ensure fall-back procedures are in place in case operations are affected by the change. Automation of this process helps management avoid any one person requiring access to the production, test and development environments.
11. Review: A post-implementation/release review may be conducted.
12. Record Maintenance: Change Requests should be maintained in a format that will ensure that all changes associated with primary change requests are considered. This allows management to easily track the changes to change requests. The process must be formal and maintain a record of all approvals and rejections.

While reviewing change management the IS Auditor should ensure that:
• Access to source programs is restricted.
• Change Requests are approved and a record is maintained to trace and track the changes.
• Impact assessment is performed before approving changes.
• The Change Request is documented in a standard format covering at the minimum: change specifications, benefit analysis developed and a target date; that the change form has been reviewed and the impact assessment recorded; and that the Change Request has been formally approved.
• Records of changes are verified for a sample of changes made and traced end-to-end (from request till closure) to confirm that the changes were authorized, approved, and moved to production after UAT.



Emergency Changes
In exceptional situations there may be a need to make changes to production to resolve issues in time. This requirement can arise due to one or more reasons such as:
• Events/incidents
• Short notice requirement changes (due to external incidents/events: terrorist attacks, natural disasters, etc.)
• Infrastructure failure
• Production issues due to unexpected data conditions
Procedures should focus on ensuring that emergency changes can be performed without compromising the integrity of the system. The organization should have a process for carrying out emergency changes. The process may consist of the following steps:
• Identify the need for the emergency change (process issue, incident/event etc.)
• Determine the activities involved. Generally, it may involve providing all accesses to one person. A special user ID may be created with higher privileges for this purpose, and all its activities are logged and reviewed.
• A post-facto change management process must be followed, so as to ensure consistency in documents, source-code library, network diagrams etc., as applicable.
The IS Auditor has to ensure that emergency changes are handled in a controlled manner.
Implementing Changes into Production
Changes are implemented into the production environment once they are approved by user management (UAT sign-off). Best practice suggests that this implementation should be done by an independent team not involved in the development or testing of the changes. In the case of client-server applications or distributed systems, such as point-of-sale systems, the process should be properly documented and implemented over a period of time to ensure:
• Conversion of data
• Training of users
• Support process for changes
• Rollback plan
• All points are updated

Uncontrolled change management carries the risk of unauthorized changes. An unauthorized change occurs for various reasons:
• The developer has access to production libraries containing programs and data, including object code.
• The user has not approved the change or is not aware of it.
• A change procedure has not been formally established.
• The change has not been reviewed or tested.
• The developer inserted extra logic for personal benefit.
• In the case of vendor software, changes received were not tested.

Some such situations may arise due to:
1. The developer is also the operator because of a small IT department. In this case user management is required to ensure proper authorization and monitoring of changes and upgrades made by the programmer.
2. Emergency changes to resolve issues in production.
3. Where a separate release team is not possible, enabling the user ID of the person who moves changes from development to test and/or test to production only after approval, together with monitoring of their activities, may work as a compensating control.
4. Developers should not have write, modify or delete access to production data. Depending on the type of information in production, programmers may not even have read-only access to personally identifiable information.

Segregation of Duties
In order to control unauthorized changes, segregation of duties has to be implemented at the organization level. The typical segregation includes the following controls at a minimum:
• Development, Test and Production environments are to be physically separated.
• The developers' team, testing team and production users should not have access to each other's areas.
• Source code must be maintained by a librarian.
• A separate change control team or release team should be appointed.
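The auditor's end-to-end trace of sampled changes described in the change management process, together with the emergency-change and segregation-of-duties rules above, as an added example that is not part of the chartbook: a script walks a sample of production deployments, looks up each one's change request and reports which rule it fails (no change request, released before approval or UAT sign-off, no impact assessment, emergency change without post-facto approval or review, developer releasing their own change). The ticket layout, field names and user names are constructed for illustration and do not follow any particular tool.

```python
from datetime import datetime

# Constructed change requests, as exported from a ticketing tool.
CHANGE_REQUESTS = {
    "CR-101": {"developer": "dev_amit", "impact_assessed": True, "emergency": False,
               "approved_at": "2024-03-01T10:00", "uat_signoff_at": "2024-03-04T16:00",
               "post_review_done": None},
    "CR-102": {"developer": "dev_amit", "impact_assessed": True, "emergency": False,
               "approved_at": "2024-03-02T11:00", "uat_signoff_at": None,
               "post_review_done": None},
    "CR-103": {"developer": "dev_neha", "impact_assessed": False, "emergency": True,
               "approved_at": None, "uat_signoff_at": None,
               "post_review_done": False},
}

# Constructed release log: who moved what into production and when.
DEPLOYMENTS = [
    {"deploy_id": "D-1", "change": "CR-101", "deployed_by": "rel_team", "deployed_at": "2024-03-05T09:00"},
    {"deploy_id": "D-2", "change": "CR-102", "deployed_by": "dev_amit", "deployed_at": "2024-03-05T09:30"},
    {"deploy_id": "D-3", "change": "CR-999", "deployed_by": "dev_amit", "deployed_at": "2024-03-05T10:00"},
    {"deploy_id": "D-4", "change": "CR-103", "deployed_by": "emergency_id", "deployed_at": "2024-03-06T02:15"},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def audit_deployment(dep, change_requests):
    """Trace one deployment back to its change request and return the rules it fails."""
    cr = change_requests.get(dep["change"])
    if cr is None:
        return ["NO_CHANGE_REQUEST"]          # nothing to trace: unauthorized by definition
    findings = []
    deployed_at = _ts(dep["deployed_at"])
    if cr["emergency"]:
        # Emergency path: post-facto approval and review of the privileged ID's activity.
        if cr["approved_at"] is None:
            findings.append("EMERGENCY_NO_POSTFACTO_APPROVAL")
        if not cr["post_review_done"]:
            findings.append("EMERGENCY_ACTIVITY_NOT_REVIEWED")
    else:
        approved_at = _ts(cr["approved_at"])
        if approved_at is None or approved_at > deployed_at:
            findings.append("NOT_APPROVED_BEFORE_RELEASE")
        if not cr["impact_assessed"]:
            findings.append("NO_IMPACT_ASSESSMENT")
        uat_at = _ts(cr["uat_signoff_at"])
        if uat_at is None or uat_at > deployed_at:
            findings.append("RELEASED_BEFORE_UAT_SIGNOFF")
    # Segregation of duties applies to normal and emergency changes alike.
    if dep["deployed_by"] == cr["developer"]:
        findings.append("SOD_DEVELOPER_RELEASED_OWN_CHANGE")
    return findings


def audit_sample(deployments, change_requests):
    """Map each sampled deployment to its findings; an empty list means the trace closed cleanly."""
    return {d["deploy_id"]: audit_deployment(d, change_requests) for d in deployments}


if __name__ == "__main__":
    for deploy_id, findings in audit_sample(DEPLOYMENTS, CHANGE_REQUESTS).items():
        print(deploy_id, findings or "OK")
```

The sample is deliberately small; in practice the deployment log should come from the release tool or the production library's own audit trail rather than from the change tickets, so that a change moved to production without any ticket is visible.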
Configuration Management
• Configuration Management refers to automated processes that organizations install to maintain information assets and the workflows required to maintain them.
• The backend of such a system is a database called a Configuration Management Database (CMDB).
• A Configuration Management system helps in maintaining information about a system as a collection of Configuration Items (CIs).
• Workflows around the CMDB include workflows for Change Management, Configuration Management, etc.
• Change Management requests must be formally documented and approved by a change control group within the CMDB.
• The CMDB then manages the change process via checkpoints, reviews, and sign-off procedures that generate audit trails.
• Configuration Management may provide procedures throughout the software life cycle to identify, define, and baseline software items in the system and provide a basis for Problem Management, Change Management, and Release Management.
• Proper implementation of a CMDB is a necessary requirement and must follow the SDLC process for acquired software.

A Configuration Management Tool supports change and release management by supporting the following activities:
1. Identification of items affected by a proposed change
2. Help in impact assessment by providing information
3. Recording configuration items affected by changes
4. Implementation of changes as per authorization
5. Registering of configuration item changes when authorized changes and releases are implemented
6. Recording of the original configuration to enable rollback if an implemented change fails
7. Preparing a release to avoid human errors and resource costs

Software Configuration Management requires the following tasks to be performed:
1. Develop a Configuration Management Plan.
2. Baseline the Application and Associated Assets.
3. Analyze results of Configuration Control.
4. Develop Monitoring of Configuration Status.
5. Develop Release Procedures.
6. Define and implement Configuration Control activities (such as identification and recording of Change Requests).
7. Update the Configuration Status Accounting Database.
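Impact identification, baselining, configuration status accounting and rollback from the two lists above, as an added example that is not part of the chartbook and not tied to any CMDB product. The CMDB is a constructed in-memory dictionary: each configuration item is a set of attributes plus the items it depends on, and a SHA-256 of the canonical JSON of its attributes serves as its status record.

```python
import copy
import hashlib
import json

# Constructed CMDB: configuration items with attributes and dependencies.
CMDB = {
    "db-prod-01": {"type": "database", "version": "14.2", "port": 5432, "depends_on": []},
    "app-pay-01": {"type": "application", "version": "3.1.0", "db_host": "db-prod-01", "depends_on": ["db-prod-01"]},
    "web-pay-01": {"type": "web", "version": "3.1.0", "upstream": "app-pay-01", "depends_on": ["app-pay-01"]},
    "app-hr-01": {"type": "application", "version": "2.0.4", "db_host": "db-prod-01", "depends_on": ["db-prod-01"]},
    "report-01": {"type": "batch", "version": "1.4", "source": "app-hr-01", "depends_on": ["app-hr-01"]},
}


def fingerprint(ci):
    """Stable hash of a CI's attributes (canonical JSON), used as its configuration status record."""
    return hashlib.sha256(json.dumps(ci, sort_keys=True).encode()).hexdigest()


def baseline(cmdb):
    """Baseline the application and associated assets: keep a copy of the authorized state and its hash."""
    return {name: {"attrs": copy.deepcopy(ci), "hash": fingerprint(ci)} for name, ci in cmdb.items()}


def affected_items(cmdb, ci_name):
    """Impact assessment: every CI that depends, directly or transitively, on ci_name."""
    affected, frontier = set(), [ci_name]
    while frontier:
        current = frontier.pop()
        for name, ci in cmdb.items():
            if current in ci["depends_on"] and name not in affected:
                affected.add(name)
                frontier.append(name)
    return sorted(affected)


def detect_drift(base, current):
    """Configuration status accounting: CIs whose live state no longer matches the baseline."""
    drifted = []
    for name in sorted(set(base) | set(current)):
        if name not in current:
            drifted.append((name, "removed"))
        elif name not in base:
            drifted.append((name, "unregistered"))   # change made outside the CMDB workflow
        elif fingerprint(current[name]) != base[name]["hash"]:
            drifted.append((name, "modified"))
    return drifted


def rollback(base, current, ci_name):
    """Restore one CI to its recorded original configuration after a failed change."""
    current[ci_name] = copy.deepcopy(base[ci_name]["attrs"])
    return current


if __name__ == "__main__":
    base = baseline(CMDB)
    print("impact of changing db-prod-01:", affected_items(CMDB, "db-prod-01"))
    live = copy.deepcopy(CMDB)
    live["db-prod-01"]["version"] = "14.3"                      # upgrade applied
    live["adhoc-01"] = {"type": "script", "depends_on": []}     # undocumented addition
    print("drift:", detect_drift(base, live))
    rollback(base, live, "db-prod-01")
    print("after rollback:", detect_drift(base, live))
```

The "unregistered" and "removed" cases are the ones an auditor cares about most: an item that exists in production but not in the CMDB was changed outside the approved workflow, and an item in the baseline that is no longer live was decommissioned without the record being updated.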
Post-implementation review
The process of determining and evaluating whether the system is working as per the requirements and objectives of the business. The objective of these reviews is to establish how far the project meets its requirements and is aligned with business needs. They are also used to find out outcomes and faults that can be used in future to improve performance. The IS auditor should focus on the adequacy and effectiveness of security controls during these reviews.



MODULE 3 – SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION AND MAINTENANCE (APPLICATION SYSTEM AUDIT)
CHAPTER 4: APPLICATION CONTROLS
Application Control
The main objective of Application Control is to help ensure the privacy and security of data used by and transmitted between applications.
It includes:
• Logical access controls
• Data entry/field validations
• Business rules
• Workflow rules
• Field entries being enforced based on predefined values
• Work steps being enforced based on predefined status transitions
• Review and follow-up of application-generated exception reports
• Reconciliations
• Automated activity logs
• Automated calculations
• Management and audit trails

Key features and benefits of Application Control (here in the endpoint sense of allowing only authorized software to execute, as distinct from the transaction-level input, processing and output controls covered in the rest of this chapter):
• Identify and control which applications are in your IT environment and which to add to the IT environment.
• Automatically identify trusted software that has authorization to run.
• Prevent all other, unauthorized applications from executing; they may be malicious, untrusted, or simply unwanted.
• Eliminate unknown and unwanted applications in your network to reduce IT complexity and application risk.
• Reduce the risks and costs associated with malware.
• Improve your overall network stability.
• Identify all applications running within the endpoint environment.
• Protect against exploits of unpatched OS and third-party application vulnerabilities.

Types of Application Controls:
Application Controls are controls over input, processing and output functions. Application Control ensures that:
• Only complete, accurate and valid data are entered and updated in an information system
• Processing accomplishes the intended task
• Processing results meet expectations
• Integrity of data is maintained

Input Controls
Input Control procedures ensure accurate and complete processing and recording of every transaction.
Input Authorization: Verifies that all transactions have been authorized and approved by management. Types of authorization include:
• Signature on batch forms and source documents
• Online access controls
• Unique passwords
• Terminal or client workstation identification
• Source documents
Batch Controls: Group input transactions to provide control totals. The batch control can be based on total monetary amount, total items, total documents or hash totals. Input processing requires that controls be identified such that only correct data are accepted into the system and input errors are recognized and corrected.
Input Error Handling can be processed by:
• Rejecting only transactions with errors
• Rejecting the whole batch of transactions
• Holding the batch in suspense
• Accepting the batch and flagging error transactions

Processing Controls
• Processing Controls ensure the reliability of application program processing.
• The IS Auditor needs to understand the procedures and controls that can be evaluated.
• Data Validation and Editing Procedures should be established to ensure that input data are validated and edited as close to the time and point of origination as possible.
• There should be a system of logging in case any override happens, and the logs should be reviewed.
• Processing Controls ensure the completeness and accuracy of accumulated data.
• Data File Procedures ensure that only authorized processing occurs to stored data.
Processing control techniques: manual recalculation; editing; run-to-run totals; programmed controls; reasonableness verification of calculated amounts; limit check on amounts; reconciliation of file totals; exception reports.
Data file controls: before and after image processing; maintenance of error reporting and handling; source documentation; internal and external labeling; version usage; data file security; one-for-one checking; pre-recorded input; transaction logs; file updating and maintenance authorization; parity checking.
Control over data files or database tables: system control parameters; standing data; master data/balance data; transaction files.

Output Controls
Output Controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner. These include:
• Logging and storage of negotiable, sensitive and critical forms in a secure place
• Control over computer generated negotiable instruments, forms and signatures
• Report accuracy, completeness and timeliness
• Reports generated from the system
• Report distribution
• Balancing and reconciling
• Output error handling
• Output report retention
• Verification of receipt of reports

Business Process Control Assurance
Business Process Control Assurance evaluates controls at the process and activity level and may be a combination of management, programmed and manual controls. In general Business Process Control Assurance considers:
• Process and data flow mapping
• Process controls
• Assessing business risks within the process
• Benchmarking with best practices
• Roles and responsibilities
• Activities and tasks
• Data restrictions
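Data validation and editing at the point of origination, override logging, and the four input error handling options above, as an added example that is not part of the chartbook. The transaction layout, the account master (standing data), the limit and reasonableness thresholds and the supervisor override field are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

VALID_TXN_TYPES = {"DR", "CR"}
ACCOUNT_MASTER = {"10001", "10002", "10007"}      # constructed standing data
LIMIT = Decimal("500000")                          # hard limit check on amounts
REASONABLE_MAX = Decimal("100000")                 # reasonableness threshold; needs supervisor override
OVERRIDE_LOG = []                                  # every override is logged for later review

# Constructed batch of input transactions.
BATCH = [
    {"id": "T1", "type": "DR", "account": "10001", "amount": "2500.00"},
    {"id": "T2", "type": "CR", "account": "99999", "amount": "800.00"},        # account not in master
    {"id": "T3", "type": "DR", "account": "10002", "amount": "750000"},        # over the limit
    {"id": "T4", "type": "CR", "account": "10007", "amount": "150000", "override_by": "sup_rani"},
]


def edit_checks(txn):
    """Validate and edit one transaction; returns the list of errors (empty means accepted)."""
    errors = []
    if txn.get("type") not in VALID_TXN_TYPES:
        errors.append("invalid transaction type")            # field value from a predefined set
    if txn.get("account") not in ACCOUNT_MASTER:
        errors.append("account not in master")               # validity check against standing data
    try:
        amount = Decimal(str(txn.get("amount")))
    except InvalidOperation:
        errors.append("amount not numeric")
        return errors
    if amount <= 0:
        errors.append("amount must be positive")
    if amount > LIMIT:
        errors.append("limit check failed")
    elif amount > REASONABLE_MAX:
        if txn.get("override_by"):
            # Override allowed, but it must leave a trail that is reviewed later.
            OVERRIDE_LOG.append({"txn": txn["id"], "by": txn["override_by"], "amount": str(amount)})
        else:
            errors.append("reasonableness check failed (override required)")
    return errors


def process_batch(batch, policy):
    """Apply one of the four input error handling policies to a batch of transactions."""
    checked = [(txn, edit_checks(txn)) for txn in batch]
    all_txns = [txn for txn, _ in checked]
    bad = [txn for txn, errs in checked if errs]
    good = [txn for txn, errs in checked if not errs]
    results = {"accepted": [], "rejected": [], "suspense": [], "flagged": []}
    if policy == "reject_transaction":        # only the erroneous items are bounced
        results["accepted"], results["rejected"] = good, bad
    elif policy == "reject_batch":            # one bad item rejects the whole batch
        results["rejected" if bad else "accepted"] = all_txns
    elif policy == "hold_in_suspense":        # whole batch parked until the errors are corrected
        results["suspense" if bad else "accepted"] = all_txns
    elif policy == "accept_and_flag":         # everything posted, errors flagged for follow-up
        results["accepted"], results["flagged"] = all_txns, bad
    else:
        raise ValueError(f"unknown policy {policy!r}")
    results["errors"] = {txn["id"]: errs for txn, errs in checked if errs}
    return results


if __name__ == "__main__":
    for policy in ("reject_transaction", "reject_batch", "hold_in_suspense", "accept_and_flag"):
        r = process_batch(BATCH, policy)
        print(policy, {k: [t["id"] for t in v] for k, v in r.items() if k != "errors"})
    print("overrides to review:", OVERRIDE_LOG)
```

Which policy is appropriate depends on the transaction stream: rejecting only the bad items suits independent transactions, while a batch whose control totals must balance (a payroll run, a journal batch) is better held in suspense or rejected whole so the totals are not silently changed.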



APPLICATION CONTROL OBJECTIVES
Application Controls are intended to provide reasonable assurance that management's objectives relative to a given application have been achieved. Management's objectives are typically articulated through the definition of specific functional requirements for the solution, the definition of business rules for information processing and the definition of supporting manual procedures.

Management's Objectives:
Completeness: The application processes all transactions and the resulting information is complete.
Accuracy: All transactions are processed accurately and as intended and the resulting information is accurate.
Validity: Only valid transactions are processed and the resulting information is valid.
Authorization: Only appropriately authorized transactions have been processed.
Segregation of Duties: The application provides for and supports appropriate segregation of duties and responsibilities as defined by management.
Policies: Application Controls can be viewed as those policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution are achieved.

Control criteria:
Effectiveness: Deals with information being relevant and pertinent to the process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: Relates to information being available when required by the process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: Deals with complying with the laws, regulations and contractual arrangements to which the process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability: Relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Design and Implementation of Application Controls
Management should identify control requirements based on business risks and include them in the functional requirements.
Management can optimize control design through a balance of various control activities, such as:
• Choosing whether a control should be manual, automated, or a hybrid
• Deciding whether to design a control to prevent errors or detect them
• Determining the frequency, proximity, and role of individuals in control activities
• Assessing the cost-benefit of adding control activities to reduce risks.
Testing of control activities is essential to ensure they operate as intended, and should be included in system accreditation activities.
A clearly documented trail of testing automated application controls and the manual controls associated with hybrid controls can provide the necessary evidence to demonstrate their effective operation and reinforce their viability and user understanding.
Business management and IT management share responsibility for designing and implementing Application Controls, with business management accountable for ensuring control requirements are met and IT management responsible for developing controls in line with requirements.

APPLICATION CONTROLS AND THE SYSTEM DEVELOPMENT LIFE CYCLE
• Various SDLC models exist for application development or acquisition, including the popular Waterfall and Agile approaches.
• Waterfall is based on sequential phases of development, while Agile includes multiple iterations of small pieces of functionality.
• Regardless of the SDLC approach, integrating the design, development, and implementation of Application Controls is crucial.
• Defining Application Controls should be a discrete step in each SDLC process, along with the steps associated with defining other business functionality requirements.

BUSINESS PROCESSES AND APPLICATION CONTROLS
Business Process controls are activities designed to achieve the broad range of management objectives for the process as a whole. Application Controls, on the other hand, are the subset of Business Process controls that relate specifically to the applications and related information used to enable those business processes.

Business Risks and Information Processing
Automated solutions can be much more reliable than manual procedures, but this will be the case only if the key risks within the automated solutions have been identified and appropriate controls have been implemented. Examples of some key information-related and information processing-related risks include:
Incomplete and/or inaccurate information processing: This risk relates to errors that may be made during the collection, input or processing of information.
Invalid or unauthorized transactions being processed: While the previous risk relates to errors that may be made relative to processing legitimate business transactions, this risk relates to erroneous or illegitimate transactions being processed.
Unauthorized changes to standing data: This is the risk of unauthorized changes to information subsequent to processing by the system.
Bypasses, overrides, manual entries that circumvent controls: This is the risk of misuse of bypasses, overrides or manual entries to avoid automated Application Controls (these functions are inherent in most, if not all, application systems).
Inefficiencies: This risk relates to incurring unnecessary cost or delays during collection, input, processing, output or transfer of information.
Loss of confidentiality: This risk relates to the inadvertent or intentional disclosure of information that has been identified by management to be sensitive or confidential (such as for business or regulatory compliance reasons).
Unavailability of information: Information is not available when required, causing unnecessary processing delays and inability to make appropriate decisions.



APPLICATION CONTROLS ASSURANCE
What is Assurance?
Formal standards such as the IAASB’s may be referenced for concepts and guidance for assurance. However, these standards are developed and presented from the perspective of an independent auditor providing assurance to third parties.

TOPIC | ASSURANCE PROVIDER | INTERESTED PARTIES | SUBJECT MATTER | CONCLUSION | CRITERIA
Financial statement audit opinion | Independent auditors | Board of Directors and shareholders | Enterprise's financial statements | Fairly stated | Generally Accepted Accounting Principles
Internal audit report on review of a given business process | Internal auditor | Management and the Board of Directors | Risks within the given business process | Appropriately mitigated | COSO ERM framework
ISO 27001 accreditation | Conducted by an authorized accreditation enterprise | Public display | Enterprise's Information Security Management System | | Criteria established by ISO 27001
Service auditor reports | Independent service auditor | Of interest to the user enterprises and their auditors | Internal control activities of the service enterprise | Appropriately designed and operate effectively | Control objectives
Management assertion on internal controls | Assertion by management | Shareholders and capital markets | Internal controls over financial reporting | Appropriately designed and operating effectively | Internal control framework such as COSO
CIO sub-certification to the Chief Financial Officer (CFO)/CEO | 'Certification' by the CIO | | Controls relevant to financial reporting | Appropriately designed | In accordance with COBIT

Assurance over Application Controls
Application Controls are designed to ensure the accuracy, integrity, reliability and confidentiality of the information and the validity of entries made in transactions and standing data. They are specific to each application and are applicable to both manual and automated processing. The objectives relevant for Application Controls generally involve ensuring that:
• Data prepared for entry are authorized, complete, valid and reliable.
• Data are converted to an automated form and entered into the application accurately, completely and on time.
• Data are processed by the application accurately, completely and on time, and in accordance with established requirements.
• Data are protected throughout processing to maintain integrity and validity.
• Output is protected from unauthorized modification or damage and distributed in accordance with prescribed policies.
Providing assurance over Application Controls typically involves an assurance provider (the process/application owner, internal auditor, external auditor, etc.) following a process for gathering sufficient evidence that the Application Controls (subject matter) are appropriately designed and are operating effectively (conclusion) relative to established criteria (such as COBIT Application Control objectives).

Materiality
• Materiality should be considered when determining if Application Controls are sufficient to meet control objectives and criteria.
• Materiality can be used as a factor in determining the amount of evidence necessary to support the assurance provider's conclusion.
• Materiality can also be used as a measure of the significance of a finding relative to the subject matter.
• The value of assets controlled by the system and the value of transactions processed should be considered when assessing materiality for financial transaction processing systems.
For systems and controls not affecting financial transactions, the following are examples of measures that could be considered to assess materiality:
• Criticality of the business processes supported by the system or operation
• Cost of the system or operation
• Nature, timing and extent of reports prepared and files maintained
• SLA requirements and cost of potential penalties
• Loss of end-user productivity
• Degradation of end-user efficiencies

Detection Risk
The risk that an assurance provider draws an incorrect conclusion regarding material misstatements in the subject matter is made up of the risk that a material error or control failure exists (inherent risk and control risk, together the risk of material error) and the risk that the assurance provider will not detect those errors or control failures. This last component is the detection risk. The risk of material error has two components:
Inherent Risk: The susceptibility of the subject matter (such as an assertion by the responsible party) to a misstatement that could be material.
Control Risk: The risk that a material misstatement could occur in an assertion and not be prevented, detected or corrected on a timely basis by the entity's internal controls.
When planning an assurance activity, it is important to consider the inherent risk associated with the subject matter to determine the nature and extent of procedures, and to design those procedures to reduce detection risk to an acceptable level.



CHAPTER 1:
INFORMATION SYSTEMS MANAGEMENT
Business organisation
A collection of Business Functions: Manufacturing, Sales, Marketing, Accounts, Finance, Purchasing.
Line of Business: a collection of Business Processes.
Business Process, Business Activity, Business Task: the levels at which work within a line of business is described.

Information System
Using a computer system (hardware and software) to automate (either fully or partly) Business Processes, which results in Business Application Systems. The following processes can be identified for today's Information Technology:
• Strategies for an Organization: support a business in formulating its strategies by providing information when needed.
• Support the Business Process: by automating business processes within the business function, e.g. account opening supported with the account opening application module.
• Support Decision Making: process data to produce information, and then process information leading to knowledge. This helps in providing support to take business decisions.
• Support Operations of an Organization: operating a Business Application cycle and then entering (capturing) data into the Business Application System involves many operations to be performed with the help of Information Systems.

Classification of Information Systems
Information System | Based on decision making | Based on processing requirement | Based on hierarchy
Transaction Processing System | Operational decisions | Basic data | Operators & workers
Office Support System | | Basic data |
Management Information System | Tactical decisions | Information | Middle managers
Decision Support System | | Explicit knowledge | Senior managers
Executive Support System | Strategic decisions | Tacit knowledge | Executives
Information Systems: business processes in an organisation.
Information Technology: use of today's computers and microprocessor-based devices to automate the Information Systems.

Information Systems Service Management
IS Service Management (ISSM) is the implementation, management and delivery of IT services to ensure that IT services are aligned with business needs and actively support the organization/company.

Information Technology Infrastructure Library (ITIL) service lifecycle. The chartbook labels this "version 4", but the five-stage lifecycle shown is the ITIL v3/2011 structure, which ITIL 4 replaced with the service value system. The lifecycle figure on this page is reproduced below as lists of the stages and their processes.

Service Strategy (questions addressed: what services, to whom, how to assess potential competition in internal and external marketplaces, how to measure value, business cases for investment in service assets and service management capabilities, value creation through financial management, performance measurement and available resources):
• Strategy Management for IT Services
• Service Portfolio Management
• Financial Management
• Demand Management
• Business Relationship Management

Service Design:
• Design Coordination
• Service Level Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Information Security Management
• Supplier Management

Service Transition:
• Transition Planning & Support
• Change Management
• Service Validation & Testing
• Release & Deployment Management
• Change Evaluation
• Service Asset & Configuration Management
• Knowledge Management

Service Operation (processes): Event Management, Incident Management, Request Fulfilment, Problem Management, Access Management.
Service Operation (functions): Service Desk, IT Operations Management, Application Management, Technical Management.

Continual Service Improvement (CSI): CSI needs upfront planning, training and awareness, ongoing scheduling, roles created, ownership assigned, and activities identified, to be successful. Continual v/s Continuous (continual improvement proceeds in discrete steps, continuous improvement without interruption); Proactive v/s Reactive.
www.prokhata.com 55
CA Rajat Agrawal
Module - 4 Information Systems Operations and Management Chapter 1 Information Systems Management
Roles & Responsibilities :
Every task in an organisation is divided into processes & each process owner has a specific job to perform.

User Data – The term user data explains the position of the data in the data hierarchy of the organisation.
Data / Information Owner – Responsible for the protection, classification, backup strategies and for use of this information. They ensure that security controls have been implemented in accordance with the information classification.
Data Custodian – Responsible for storing, maintaining, backup, provisioning and protecting the data on behalf of the Data Owner.
System Owner – Responsible for design, development, integration, operation and maintenance of the equipment. The System Owner also ensures that adequate security is built in once the applications and systems have been acquired and are ready for use in production.
User Manager – User managers have ultimate responsibility for all user IDs and information assets owned by company employees.
System Administrator – Responsible for creating new system user accounts and changing permissions of existing user accounts.
Database Administrator – A technical expert who maintains the database and provides all due care to ensure data security and data integrity.
Network Administrator – Responsible for installing, supporting, maintaining and upgrading computer networks to keep the computer networks up and running.
Process Owner – Responsible for effective and efficient working of one or more processes, each of which may process and store data owned by different information owners.
Steering Committee – Ensures that all stakeholders impacted by security considerations are involved in the Information Security Management process.
Security Manager – Responsible for implementing Information and Cyber Security & defining security strategy and policies for an organisation.
CISO – Responsible for Information and Cyber Security and data privacy of the organisation.
CIO – Responsible for digital initiatives of the organisation.
CTO – Responsible for the Information and Communication Technologies department (infrastructure) of an organisation.
Human Resource Management
Human Resource Management (HRM) is the management of personnel in an organisation. The role of HRM in Information and Cyber Security is three-fold, as per ISO 27001, and is given below –
• Prior to employment – Background checking of personnel before employment and defining functional and Information and Cyber Security related terms of employment.
• During employment – Information Security awareness, education and training apart from functional training. Rewarding or penalising for security breach.
• Termination or change of employment – Information Security related checks during exit of employees; terms & conditions in respect of Information Security shall continue after employee exit as well.
Training & Education
• Instruction Led Training – Traditional type of employee training which takes place in a classroom with a trainer in the role of a teacher.
• E-Learning – On-demand Computer Based Training (CBT) given through videos, presentations, tests and various courses.
• Simulation Based Training – Training provided through computer software on a virtual reality device. This type of training is available for highly skilled sectors such as aviation, energy and power.
• Hands on training – A student is given actual equipment or a system, which can be used to become familiar.
• Coaching or mentoring – A trainer gives personal attention to students and guides them to enhance their skills.
• Group Discussions – A trainer gives a case study to a group of students and asks them to discuss the case in the group; the trainer observes the performance of the groups.
• Role Playing – A trainer assigns roles to students by providing a real-life situation, asks them to perform these roles, observes the roles played and then discusses and deliberates so that students learn the subject.
• Management Specific Activities – Training for finding managerial and leadership qualities, behavioural skills and project management skills in students.
Supply Chain Management (SCM)
Management of the entire chain of producing finished goods from raw materials. Information Systems brought dramatic changes in the way in which SCM was managed prior to Information Systems. These are listed below – E-Commerce, Electronic Data Interchange (EDI), Barcode Scanning, Data Warehouse, Enterprise Resource Planning (ERP), Internet Technologies, Mobile Communications, Payment Gateways, Fin-Techs, Software & Applications.

Customer Relationship Management (CRM)
Helps in delivering value by meeting exact customer needs regarding quality, price, pre and post sales support etc. In satisfying customer needs, Information Systems have made substantial progress through – E-Commerce, Data Warehouse, Enterprise Resource Planning, Internet Technologies, Payment Gateways, Software & Applications, Data Mining, Artificial Intelligence, Business Analytics.
Issues and Challenges of Information Systems Management
1. New Technology – Technology is changing double fold.
2. Personal Devices – Due to portable and hand-held devices, organisations find it difficult to control the use of such devices.
3. Interoperability – Challenges of managing interoperability with existing or legacy systems.
4. User Systems – Security hazards such as data leakage through alternative connectivity.
5. Cyber Security Threats – Weak security policies & procedures, lack of standardisation, lack of proper control & user training about security are the reasons for Cyber Security Threats.
6. Data Control – To overcome challenges like Data Corruption, Data unavailability, Data leakage, Data Theft and Data privacy, proper cyber security measures such as Data Leakage Protection (DLP) solutions need to be implemented.
7. Trained manpower – Providing training on the latest technology for the work-force involves heavy costs, and difficulties are also faced in retaining trained work-force.
8. Management Support – Providing senior management support for monitoring and supervisory responsibilities.
9. Service Level Agreements – Clear scope of service, metrics measurement, responsibilities etc. SLAs apply within the organisation (e.g. IT Department as vendor, Manufacturing Department as customer) as well as with outsourced vendors.
10. Fourth Party Risk – Risks of data leakage, data privacy, non-compliance to the regulatory guidelines etc.
CHAPTER 2:
INFORMATION SYSTEMS OPERATIONS
Information Systems Operations
An operation is a procedure to set forth or produce a desired result. Operations totally depend on the business and its objectives. Information Systems Operations, in this regard, are –
1. Procurement of IT Systems
2. Service to the users
3. Data Operations
4. Server Administration
5. Configuration Management
6. Security Operations
7. Log Management
8. Application and Operating System Support
It is worth mentioning here that the IT function should be capable of handling the IT operations and be able to assess the users' requirements. Seven areas of interest that need to be met are –
1. Availability of IT manpower
2. Approved Policies, Standards, procedures and guidelines
3. Mix of Domain and technical Experts
4. Sustained training programs
5. Cyber Security
6. Data Privacy
7. Management support

Management of IS Operations
• IT Infrastructure – Includes Data Centre operations, protecting Cabling infrastructure, Telecommunication Networking including WAN, LAN, HVAC etc.
• Server Operations – Includes server administration, log management, user access management, data backup, Operating system management, etc.
• User Operations – Includes providing support to users, email support, internet support, ERP support etc.
• Interfaces – Help the IT department to properly manage the IT operations by segregating these interfaces (IT Infrastructure, User, Server Operation).

Asset Management
• Control and protection of the hardware & software IT assets, like installation of Operating system, Applications, Network infrastructure like cabling, Ethernet switches, Routers and cyber security equipment such as antivirus, firewall, IPS/IDS (Intrusion Protection System, Intrusion Detection System) and SIEM (Security Incident and Event Management System) tools etc.
• For better monitoring and tracking of IT assets, it is very important for the IT head and respective administrators to continuously scrutinise and supervise various process requirements in the organisation.
The IT head needs to continuously scrutinise and supervise the following processes –
• Upgrading existing infrastructure
• Procurement of new devices and software
• Phase out the legacy hardware or software
• Licensing of software
• Declare and dispose of E-Waste
• Development of software (either in-house or outsourced)
IT asset management methodology – IT assets can be managed through the process of IT asset management as follows –
• With the concept of Stores (Physical or virtual).
• Tracing system for assets using RFID.
• Policy for life of the equipment.
• Concept of check-in and check-out of an asset from the asset inventory.
• Accountability for Asset Acquisition.
Benefits of IT asset management –
• Proper risk assessment & management of assets is possible.
• Proper decision making is possible.
• Asset tracking, monitoring and control.
• Proper audit is possible.
• Dealing with the asset lifecycle.

Change Management
• Procure new hardware and/or software or make necessary changes to existing infrastructure.
• Manage changes with Minimum cost, Minimum business disruptions, Good Quality.
Change management process:
Change Management results in efficient changes, with proper documentation and continued stability of operations.
Request for Change (RFC) – Any change should be initiated through an RFC. A proper request with proper documentation and proper explanation related to what, why, how and by whom makes for an effective Change Management Process.
RFC Analysis – The purpose of RFC Analysis is to conduct initial scrutiny of the request sent by the initiator, to check feasibility of the request.
Change Prioritization – The change priority list (portfolio of changes) is decided based on cost of change, time required to effect the change and resources needed, based on impact analysis.
Categorize – Change Categorization is performed to categorize changes requested by different stakeholders in the following way –
• Type of Change required
• Time when it should be done
• Cost of Change
• Resources needed
• Process affected
Change Advisory Board (CAB) – The RFC, after categorization, is put forth for approval of the Change Advisory Board (CAB). The CAB is constituted from personnel of different departments along with the IT and finance departments.
Change Schedule – After the approval, the requested change is taken up for the actual change based on the date and time of change. The schedule of change depends on the situation: Emergency, Urgent, Normal.
Test Change – After the change is done, it should be tested in a test environment before it is applied to the live system. The reasons for the need for such testing are as follows –
• To know the impact of the change
• Compliance – does the change comply with the original requirement?
• Satisfaction of the change initiator
Implement Change – On the live system in the following manner:
• Immediately
• Scheduled based on certain conditions
• Partial immediate or scheduled partial
Review – After the implementation, the production environment needs to be put under observation for monitoring any adverse effect due to the applied change. This observation is done for the following –
• Logs – they may give important information about the situation
• System files
• Performance of the system
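The change-management steps above (RFC through implementation), as an added example that is not part of the chartbook: a Python change record that refuses any step taken out of order, so the control points an auditor looks for (complete RFC categorisation, CAB sign-off from IT, finance and another department, a passed test before the live system is touched) are enforced rather than assumed. Class, field and method names, the CAB membership and the sample change are constructed; the post-implementation review step is left out to keep the block short.

```python
"""Added example, not from the chartbook: a change request that moves through the
chart's steps only in order (RFC, analysis, prioritisation, categorisation, CAB
approval, schedule, test, implement), each step refusing to run until the previous
one is complete.  Names, CAB membership and the sample change are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional

PRIORITIES = {"Emergency", "Urgent", "Normal"}
CATEGORY_FIELDS = {"type", "time", "cost", "resources", "process_affected"}

class ChangeProcessError(Exception):
    """A step was attempted out of order or without its prerequisites."""

@dataclass
class ChangeRequest:
    what: str                 # the RFC documents what, why, how and by whom
    why: str
    how: str
    by_whom: str
    state: str = "raised"
    priority: Optional[str] = None
    category: dict = field(default_factory=dict)
    cab_approvals: set = field(default_factory=set)
    schedule: Optional[str] = None

    def _require(self, expected: str, action: str) -> None:
        if self.state != expected:
            raise ChangeProcessError(f"cannot {action}: change is '{self.state}', not '{expected}'")

    def analyse(self, feasible: bool) -> None:
        """RFC Analysis: initial scrutiny of feasibility."""
        self._require("raised", "analyse")
        self.state = "analysed" if feasible else "rejected"

    def prioritise(self, situation: str) -> None:
        """Change Prioritisation: Emergency, Urgent or Normal; drives the schedule."""
        self._require("analysed", "prioritise")
        if situation not in PRIORITIES: raise ChangeProcessError(f"unknown priority '{situation}'")
        self.priority, self.state = situation, "prioritised"

    def categorise(self, **category) -> None:
        """Categorise on all five attributes the chart lists; none may be missing."""
        self._require("prioritised", "categorise")
        missing = CATEGORY_FIELDS - set(category)
        if missing:
            raise ChangeProcessError(f"category incomplete, missing {sorted(missing)}")
        self.category, self.state = category, "categorised"

    def cab_approve(self, department: str) -> None:
        """CAB approval: IT, Finance and at least one other department sign off."""
        self._require("categorised", "approve")
        self.cab_approvals.add(department)
        if {"IT", "Finance"} <= self.cab_approvals and len(self.cab_approvals) >= 3:
            self.state = "approved"

    def schedule_change(self, slot: str) -> None:
        """Change Schedule: an emergency change goes immediately, others at the agreed slot."""
        self._require("approved", "schedule")
        self.schedule = "immediate" if self.priority == "Emergency" else slot
        self.state = "scheduled"

    def test(self, impact_known: bool, complies: bool, initiator_satisfied: bool) -> None:
        """Test Change on the chart's three points; a failed test keeps the change out of live."""
        self._require("scheduled", "test")
        results = {"impact": impact_known, "compliance": complies, "initiator": initiator_satisfied}
        failed = [k for k, ok in results.items() if not ok]
        if failed:
            raise ChangeProcessError(f"test failed on {failed}; not applied to live")
        self.state = "tested"

    def implement(self) -> str:
        self._require("tested", "implement")      # live system only after a passed test
        self.state = "implemented"
        return self.schedule                      # the slot actually used

def attempt(action: Callable, *args, **kwargs) -> str:
    try:                                          # report 'ok' or why the process refused
        action(*args, **kwargs)
        return "ok"
    except ChangeProcessError as exc:
        return f"refused: {exc}"

def run_example() -> dict:
    """Constructed walk-through of one change, including out-of-order attempts."""
    rfc = ChangeRequest("apply vendor firmware update to edge router", "vendor-published fix",
                        "staged per site", "network admin")
    out = {"implement_before_test": attempt(rfc.implement)}
    rfc.analyse(feasible=True); rfc.prioritise("Urgent")
    out["incomplete_category"] = attempt(rfc.categorise, type="firmware", cost=1000)
    rfc.categorise(type="firmware", time="weekend", cost=1000, resources="2 engineers",
                   process_affected="perimeter connectivity")
    rfc.cab_approve("IT"); rfc.cab_approve("Finance")
    out["schedule_with_partial_cab"] = attempt(rfc.schedule_change, "Sat 02:00")
    rfc.cab_approve("Operations")
    rfc.schedule_change("Sat 02:00")
    out["failed_test"] = attempt(rfc.test, impact_known=True, complies=False, initiator_satisfied=True)
    out["implement_after_failed_test"] = attempt(rfc.implement)
    rfc.test(impact_known=True, complies=True, initiator_satisfied=True)
    out["implemented_at"] = rfc.implement()
    return out
```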
Configuration Management
Configuration management is planning, identifying, and managing the configuration with proper procedure and controlled changes, so as to maintain authenticity, accountability and integrity throughout the life cycle of the hardware, firmware (in-built into hardware) or software.
To make configuration management successful, it is important for the organisation to implement the following practices –
Practices For Configuration Management
i. Policy, Standards, Procedures and guidelines.
ii. Formation of Change control board
iii. Documentation
iv. Pre-Launch Testing
v. Proper training and skills upgradation of personnel
vi. Timeliness
vii. Clear Scope of Work
viii. Optimisation

Log Management
A log is a record of the events generated from computers, peripherals, communication networks, firewalls, IPS/IDS, UTMs etc.
Logs provide the following details –
• Date of event
• Time of Event
• Details of the user responsible for the event
• Action details of the user
Log management involves –
• Identification of log events to be recorded
• Log collection – collecting events in a log file
• Log Aggregation
• Storage of aggregated logs
• Analysis & Reporting
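The five log-management steps just listed, as an added example that is not part of the chartbook: a small Python pipeline that collects events from two constructed log formats (a server log and a firewall log; the device names, line formats and sample lines are all constructed for this example), normalises each into the date, time, user and action details the chart says a log carries, aggregates them into one ordered store, and reports failed logins per user.

```python
"""Added example (not from the chartbook): a minimal log-management pipeline
covering the chart's five steps: identify events to record, collect them from
per-device sources, aggregate into one normalised store, keep that store, and
analyse/report on it.  All log lines, device names and formats are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs from two "devices" with different native formats.
SERVER_LOG = """\
2024-03-01 09:12:05 user=alice action=login result=success
2024-03-01 09:15:41 user=bob action=login result=failure
2024-03-01 09:15:52 user=bob action=login result=failure
2024-03-01 09:16:03 user=bob action=login result=failure
2024-03-01 10:02:17 user=alice action=file_delete result=success
"""
FIREWALL_LOG = """\
Mar 01 2024 09:14:59 FW01 DENY src=10.0.0.7 user=bob
Mar 01 2024 09:15:30 FW01 ALLOW src=10.0.0.5 user=alice
Mar 01 2024 11:40:02 FW01 DENY src=10.0.0.7 user=bob
"""

# Step 1: identification of the log events worth recording.
EVENTS_OF_INTEREST = {"login", "file_delete", "DENY", "ALLOW"}

SERVER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")
FIREWALL_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{2} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) user=(?P<user>\S+)$")


def collect(source: str, text: str) -> list:
    """Step 2: log collection.  Parse one device's raw lines into events carrying
    the date, time, responsible user and action details.  Lines that do not
    parse are kept as 'unparsed' events rather than silently dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if source == "server" and (m := SERVER_RE.match(line)):
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "source": source, "user": m["user"],
                           "action": m["action"], "detail": m["result"]})
        elif source == "firewall" and (m := FIREWALL_RE.match(line)):
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
            events.append({"ts": ts, "source": source, "user": m["user"],
                           "action": m["action"], "detail": m["src"]})
        else:
            events.append({"ts": None, "source": source, "user": "?",
                           "action": "unparsed", "detail": line})
    return events


def aggregate(*event_lists: list) -> list:
    """Steps 3 and 4: aggregate every source into one time-ordered store (kept
    in memory here; a deployment would write it to protected storage)."""
    merged = [e for events in event_lists for e in events
              if e["action"] in EVENTS_OF_INTEREST or e["action"] == "unparsed"]
    merged.sort(key=lambda e: (e["ts"] is None, e["ts"] or datetime.min))
    return merged


def analyse(store: list, fail_threshold: int = 3) -> dict:
    """Step 5: analysis & reporting.  Per-user counts, plus a list of users whose
    failed logins reach the threshold (the threshold is a constructed policy)."""
    failed = Counter(e["user"] for e in store
                     if e["action"] == "login" and e["detail"] == "failure")
    denied = Counter(e["user"] for e in store if e["action"] == "DENY")
    per_user = defaultdict(dict)
    for user, n in failed.items():
        per_user[user]["failed_logins"] = n
    for user, n in denied.items():
        per_user[user]["firewall_denies"] = n
    return {"per_user": dict(per_user),
            "flagged_users": sorted(u for u, n in failed.items() if n >= fail_threshold),
            "unparsed_lines": sum(1 for e in store if e["action"] == "unparsed"),
            "events": len(store)}


def run_pipeline() -> dict:
    store = aggregate(collect("server", SERVER_LOG), collect("firewall", FIREWALL_LOG))
    return analyse(store)


if __name__ == "__main__":
    report = run_pipeline()
    for user, counts in report["per_user"].items():
        print(user, counts)
    print("flagged:", report["flagged_users"])
```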
Configuration Management Constraints
• Lack of IT Manpower.
• Incomplete, poor or absence of scope of work.
• Absence of Change control board.
• Delayed Responses.
• Absence of Policy, Procedure and Guidelines.
• No pre-launch testing.
• Poor Quality of the configuration.
• No fund availability from the organisation.

Configuration Management Process
The configuration management process in an organisation is generally based on industry best practice. Adherence to policies, standards, guidelines and procedures aligns the configuration management process with the objectives of the IT department, which in turn is aligned to the objectives of the organisation. The configuration management process is explained as follows –
1. Configuration Items (CI) – The IT department identifies the Configuration Items required to be configured as per the Configuration Management Policy of the organisation.
• Devices and Software that need to be configured
• Present versions
• Test bed for testing configuration changes
• Tools & Techniques
2. Configuration Control – Configuration control is the term used throughout the lifecycle of any hardware or software configuration change management. Configuration control refers to the following –
i. Description of Change/s
ii. Approver authority
iii. Resources, funds and prescribed downtime
iv. Change in Scope of work
v. Quality Assurance
vi. Time frame
3. Configuration Status Accounting (CSA) – CSA is more about documentation and communication of information in the form of status reports, needed to control and monitor configuration. It may be used for the following –
i. Operations & Maintenance team
ii. Security Operations Centre team
iii. Information about latest version or configuration
iv. Project or Program Management Team
v. Audit team
vi. Software Developer and Software testing team
4. Configuration Auditing – Configuration auditing is used to provide quality assurance for the configuration changes done.
5. Locking the Configuration – Once the configuration is finalised, to avoid unauthorised changes, the configuration can be locked.

Version Control
Due to changes in hardware or software, a different release or version of the system comes into existence. If changes are frequent, such as 10-15 changes a week, then it is necessary to keep track of new releases or versions. This is done through Version Control. Characteristics of a version are Version number, Date, Included and excluded features.
A VCS provides assistance to the IT team with the following –
• Repository of the contents
• Record of Previous versions
• Provide access to older versions
• Maintaining logs for accounting and details of changes
Benefits of a good VCS are –
• Remote team coordination in development
• Improvement in Scalability (growth of system)
• Fast, Efficient and reliable
• Integrity in Version is maintained
• Improved Accountability
• Immutability (locking of version)
• Atomic Transactions (Atomic – lowest possible unit)

User Management
User management requires creating a user profile, user account setup, user account modification, account termination (suspension) and deleting a user profile on the Information System (IS) of the organisation.
1. Creation of User profile
The HR department creates an employee's user profile upon joining the company. After induction training, the head of the department assigns a role and provides a computer to perform the job responsibilities. The employee logs into the system using their assigned role.
A user profile contains information such as Name of the user, Department, Email address, Intercom Number or Mobile number, Active Directory & Computer name as per Active Directory.
2. User Account types
a. User account
b. Guest account
c. Super user account
d. Database account
e. Network user account
f. Network Directory account
g. Internet Access account
h. Email account
i. Biometric Access account
j. ERP or other application account
2.1 A user account has the following information –
a. User name
b. Password
c. Mobile number
d. Department code
e. Network/Cloud Drive associated
2.2 Benefits
• Improved User Management, Access Controls, integration of systems, performance, Accountability, Authenticity, Authorization & Security.
• Helpdesk setup is easier – either online or offline.
3. Account Modification
Account modification may be requested by a user to the IT department through user management. Depending upon the change of role of a user, transfer of an employee or promotion of an employee, changes are required in the account profile. Two types of account modification are described as follows –
3.1 By the Administrative User – The department administrator modifies the account for the following –
a. Department code
b. Authorisation
c. Drive mapping
d. Transfer of account from one office location to another
3.2 By the User – A user may change certain information related to his/her account as detailed below –
a. Password
b. Other demographic details such as contact address, mobile phone etc.
4. Account termination
A user account is terminated by the IT department only when the request is approved and sent by the Human Resource department, and not by the employee's parent department. The account termination request sent by the Human Resource department for the employee is based on the following –
a. Termination of the employee
b. Resignation of the employee
c. Employee on Deputation
d. Employee seriously ill and on long medical leave
e. Death of the employee
5. Deleting user profile
A user profile is deleted by the IT department on the request sent by the Human Resource department. The request may be based on the following –
a. Termination of the employee
b. Resignation of the employee
c. Death of the employee
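The user-management rules above (HR creates the profile, the department head assigns the role, administrators and users may change different fields, and termination or profile deletion happens only on an HR request, never on the parent department's), as an added example that is not from the chartbook. The employee, departments and the class and method names are constructed for this example and are not the API of any real identity system.

```python
"""Added example, not from the chartbook: a small user-management model enforcing
the chart's rules for profile creation, account modification, termination and
deletion.  Names, departments and the class/method names are constructed and are
not the API of any real identity system."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Reasons the chart lists for HR-initiated termination (item 4) and deletion (item 5).
TERMINATION_REASONS = {"termination", "resignation", "deputation", "long_medical_leave", "death"}
DELETION_REASONS = {"termination", "resignation", "death"}
# Fields each party may change: 3.1 (administrative user) and 3.2 (the user).
ADMIN_FIELDS = {"department_code", "authorisation", "drive_mapping", "office_location"}
USER_FIELDS = {"password", "contact_address", "mobile"}


class UserManagementError(Exception):
    """Raised when a request comes from the wrong party or is malformed."""


@dataclass
class Profile:
    name: str
    department: str
    email: str
    mobile: str
    role: Optional[str] = None    # assigned by the department head after induction
    active: bool = True           # False once the account is terminated
    attrs: dict = field(default_factory=dict)


class UserManagement:
    def __init__(self) -> None:
        self.profiles: dict = {}

    def create_profile(self, requester: str, username: str, **info) -> Profile:
        """1. Only HR creates the profile when the employee joins."""
        if requester != "HR":
            raise UserManagementError("profile creation must come from HR")
        self.profiles[username] = Profile(**info)
        return self.profiles[username]

    def assign_role(self, requester: str, username: str, role: str) -> None:
        """The head of the employee's own department assigns the role."""
        p = self.profiles[username]
        if requester != f"head:{p.department}":
            raise UserManagementError("role is assigned by the department head")
        p.role = role

    def modify(self, requester: str, username: str, changes: dict) -> None:
        """3. Administrators change 3.1 fields; the user changes only 3.2 fields."""
        p = self.profiles[username]
        if not p.active:
            raise UserManagementError("account is terminated")
        allowed = (ADMIN_FIELDS if requester.startswith("admin:")
                   else USER_FIELDS if requester == username else set())
        disallowed = set(changes) - allowed
        if disallowed:
            raise UserManagementError(f"{requester} may not change {sorted(disallowed)}")
        p.attrs.update(changes)

    def terminate(self, requester: str, username: str, reason: str) -> None:
        """4. IT terminates only on an approved HR request with a listed reason."""
        if requester != "HR":
            raise UserManagementError("termination request must come from HR")
        if reason not in TERMINATION_REASONS:
            raise UserManagementError(f"unrecognised reason: {reason}")
        self.profiles[username].active = False

    def delete_profile(self, requester: str, username: str, reason: str) -> None:
        """5. Profile deletion also needs an HR request, and a terminated account."""
        if requester != "HR" or reason not in DELETION_REASONS:
            raise UserManagementError("deletion needs an HR request with a listed reason")
        if self.profiles[username].active:
            raise UserManagementError("terminate the account before deleting the profile")
        del self.profiles[username]


def attempt(action: Callable, *args) -> str:
    """Run one request; return 'ok' or the refusal message."""
    try:
        action(*args)
        return "ok"
    except UserManagementError as exc:
        return f"refused: {exc}"


def run_scenario() -> dict:
    """Constructed lifecycle for one employee; returns each request's outcome."""
    um = UserManagement()
    um.create_profile("HR", "bob", name="Bob", department="Finance",
                      email="bob@example.invalid", mobile="0000000000")
    return {
        "role_by_wrong_head": attempt(um.assign_role, "head:Sales", "bob", "clerk"),
        "role_by_own_head": attempt(um.assign_role, "head:Finance", "bob", "clerk"),
        "user_changes_password": attempt(um.modify, "bob", "bob", {"password": "new"}),
        "user_changes_authorisation": attempt(um.modify, "bob", "bob", {"authorisation": "admin"}),
        "admin_changes_drive": attempt(um.modify, "admin:Finance", "bob", {"drive_mapping": "H:"}),
        "terminate_by_department": attempt(um.terminate, "head:Finance", "bob", "resignation"),
        "delete_before_terminate": attempt(um.delete_profile, "HR", "bob", "resignation"),
        "terminate_by_hr": attempt(um.terminate, "HR", "bob", "resignation"),
        "delete_by_hr": attempt(um.delete_profile, "HR", "bob", "resignation"),
        "profiles_left": str(len(um.profiles)),
    }
```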
Operation Helpdesk & User Assistance
Help desk is a resource intensive function implemented by the IT department to support users in using Information Systems.
IT department caters to users with various services such as –
a. Email
b. Internet
c. ERP
d. Database Management System
e. Active Directory
f. PC Desktop and Peripherals
g. Software
h. Network
Help desk personnel can be contacted by the user in the following manners –
a. Intercom
b. Call Centre
c. Email
d. Chatting
e. Video Conferencing
f. Messenger Chatting
g. Physically attending the user
Helpdesk personnel help the user with various hurdles related to the Information Systems and try to resolve them, as given below –
a. Password reset
b. Software related issues
c. Drive related issues
d. Network related issues
e. Database related issues
f. Email related issues
g. Internet related issues
Levels of Help desk support –
There are the following types of help desk support categories available, either through a call centre or an in-house help desk facility –
Level 0 Helpdesk – Mostly, Level 0 support is automated and self-service type of support, wherein a user can solve the problem him/herself. Self-services such as password resetting fall in this category of help desk.
Level 1 Helpdesk – Level 1 support is given for other basic services such as configuration changes and troubleshooting. Users can talk to helpdesk personnel about issues such as password reset support and email support. If helpdesk personnel are unable to resolve the issue, then the issue is escalated to the next level, i.e. Level 2. Level 1 support is considered "first aid" support.
Level 2 Helpdesk – Level 2 support is provided by supervisory staff of Level 1 personnel, for escalated issues such as advanced troubleshooting and installation of computing devices or software.
Level 3 Helpdesk – Level 3 support is the next level of advanced troubleshooting. If an incident is not solved and gets elevated to this level, it is considered a "Problem" and resolution may require substantial changes to the system. The change management process may be invoked for this level of support.
Level 4 Helpdesk – Level 4 support is generally given by the device manufacturer or system developer. If an issue has come to this level, it may be required to be resolved by launching a new release or version of the device or product.

Operations Performance Measurement
Some important operations performance metrics are as follows –
Availability – Availability is the measurement of continued operation of the Information System for a user. Mean Time Between Failure (MTBF) over a period of time is the metric of IS system availability. It measures the system performance and serviceability to the users of an organisation.
Incident – An incident is a deviation from the normal operations of an IS system. Any incident that occurs needs remedial action to restore the operations of the IS system. The restoration time of the system, including the incident period, is the measure of downtime of the system.
Quality – Quality of an IS system is a measure of the intended performance in the intended time at the intended place.
Productivity – IS system productivity is a measure of the rate of doing work of a resource such as a system or human resource. This needs to be measured in combination with quality.
Return on Investment (ROI) – ROI measures the gain or loss generated on an investment relative to the amount of money invested. ROI is usually expressed as a percentage.
Value Creation – If a system provides the desired functioning, is cost effective with the desired productivity and quality, then the system is said to be creating "value" for its users.
CHAPTER 3:
SOFTWARE OPERATIONS & MANAGEMENT
Introduction to Software Infrastructure
Hardware → System Software → Application Software → User

Hardware
• Motherboard
• Installed on Hard disk
• Firmware
• Device driver software controls the CPU (Central Processing Unit) and memory of the system.
• Peripherals like printers, scanners, USB hard drives, secondary storage.

System Software
Operating System – Intermediary between a user of a computer and the computer hardware, e.g. Windows, Unix, Linux, iOS etc. Objectives –
• Process Management (Processor Management)
• Memory Management
• File Management
• I/O-System Management
• Secondary storage Management
• Networking
• Protection System
• Command-Interpreter System or GUI
Application Programming Interface (API) – API provides interfaces to an application programmer, which are used in programs, so that application software is able to "connect" to System Software. All the commands issued in application software are given to the underlying operating system, which completes the command on the underlying hardware.
Other System Software – Command Line Interface Interpreter (CLI), e.g. DOS; Graphical User Interface (GUI), e.g. Windows.

Application Software
• Packaged Software – technical use (Middleware): Transaction servers, Message queuing software, Databases e.g. SQL Server, Oracle, readymade web development platforms e.g. IBM's WebSphere, Microsoft BizTalk, Joomla, Microsoft SharePoint.
• Packaged Software – Commerce (routine office work): MS Office, Open Office, Office collaboration software e.g. workflow etc.
• Communication Software: Internet browser, Email software, chat software.
• Engineering Software: Computer Aided Design (CAD), Computer Aided Manufacturing (CAM).
• Knowledge Software: provides information processing such as Knowledge Management System (KMS), Expert System and Simulation Software etc.
Software Testing
A team of software testers performs software testing rigorously within a stipulated time-frame and generates a defects report for the software development team. Software developers do not test their own programs (apart from Unit Testing).

Software Testing Types
• Manual Testing – The tester performs these tests on a test site by preparing test cases and test data. Results of the test are documented and undesired functioning is reported to developers (e.g. defects, bugs, invalid cases etc).
• Automation Testing – Automation tools such as Selenium, HP-UFT and Ranorex etc. are available to test software, generally for modern web-based systems.
• Hybrid Testing – The human perspective is tested during manual testing whereas automated testing is used for cumbersome tests, e.g. performance testing with large data.

Software Testing Approaches
• White Box Testing – A tester who is knowledgeable about the internal working of the software performs the testing.
• Black Box Testing – Functional testing; the tester does not know the internal structure of the software. The tester submits input to the software and expects the specified output.
• Grey Box Testing – Performs both Black Box and, to some extent (not fully), White Box testing.

Software Testing Levels
• Unit Testing – Each program (unit) is tested; performed by the developer him/herself.
• Integration/Interface Testing – Top Down Approach, Bottom Up Approach, Sandwich Approach: start at the top or bottom level and, depending on the situation, move downward or upward.
• System Testing – Technical performance, volume of data etc.
• User Acceptance Testing (UAT) – The user department, for which the software is developed, is given the software on a test site for user-level testing.
Software Maintenance
Software maintenance is any change done to software after it is in operation: error corrections, alteration, deletion, performance optimization, security patch updates.

Categories of Maintenance
• Preventive maintenance – Proactive approach. Software developers may do preventive maintenance since they know design and/or programming level shortcomings.
• Corrective Maintenance – Reactive approach. When a defect or error arises in the working of software, corrective measures are taken by making changes to the program(s).
• Adaptive Maintenance – Making software suitable for a new environment, especially upgraded hardware and operating system.
• Perfective Maintenance – Proactive approach. Software developers on their own may keep on changing the software and releasing new versions:
a. Making alterations for betterment
b. Fast processing
c. Addition of features
d. Portability
e. Scalability
f. Agile
g. Well documented
i. Security enhancement

Software Maintenance Process
• Scope of Maintenance – The purpose of software maintenance may be preventive, corrective, adaptive or perfective.
• Plan of the Maintenance – The user department along with the IT department (in-house or outsourced) makes a proposal for the maintenance activity. Business impact of the change, cost, time and resources needed are discussed and planned.
• Software Maintenance – Stakeholders are informed about the maintenance schedule and the expected window of downtime. Any delay or scope creep (additional scope) makes the software maintenance activity unproductive for the organisation.
• Software testing – After maintenance is done, software testing is performed.
• Go-Live – After successful maintenance and subsequent testing, the software is made "Go live" and available to the user department and various stakeholders for day-to-day use.

Challenges of Maintenance
• Job Change – Programmers who originally developed the software may not be available, and new developers may take time to understand the work done by the original developers.
• Structure of the software – Hurdles in maintenance because developed programs may be person (programmer)-dependent.
• Understanding of Scope of Work – If requirements gathering (of software) is not done correctly and in an atomic (lowest possible level) manner with users, then the software may not work as desired. Software baselining should be done along with the user department to avoid such situations.
• Scalability issue – Capability to expand to new business and technical situations, e.g. faster or enhanced hardware.
System Architecture
User → Web Server (Presentation tier / public facing tier) → Application Server (Business tier or logic tier) → Database Server, accessed through Structured Query Language (SQL).

DBMS - Database Management System
Data: Facts and figures about a situation. Data needs to be processed with a program (processing instructions) to get meaningful information.
Type of Database: Object oriented, Relational (RDBMS is most widely used), Network, Hierarchical.
Entity:
• Person entity: Employee, student, patient
• Place entity: State, region, branch etc.
• Object entity: Machine, Building, Automobile etc.
• Event entity: Sale, Registration, Renewal etc.
• Concept entity: Account, Course, Work Centre, Desk

Components
Data Definition Language (DDL) – Create table, Drop table, Alter table
Data Manipulation Language (DML) – 4 commands: Insert, Update, Delete, Select records in a table
Data Control Language (DCL) – Grant access or Revoke access

Schema
Physical Schema: Design of data stored in the database on a secondary storage.
Conceptual Schema: Logical design of the database into rows and columns, mapped to the physical schema. Used by database designers, DBAs and programmers in software development.
External Schema: User views the database at user level. Used to interact with the users.

Security
Multiple views, Key Reference, ACID Test, Data Integrity.
Other related security controls:
i. Strong and Multifactor authentication
ii. Segregation of web server and RDBMS server
iii. Encrypted data in database
iv. Use of Web application Firewall
v. Patching
vi. Audit logging

RDBMS Table
Rows (a row is a Tuple) and Columns.
Relation: Relation is shown through one or more tables.
Metadata: Data about data, similar to index of a book.
DBMS views: Developers ensure name dependent, content dependent and context dependent controls through views.

Keys
Primary Key: Column/s which can uniquely identify a record (tuple) in a database table. No two rows have the same primary key. Primary key cannot be null.
Foreign Key: Column in a table which is the primary key of another table. This is "Referential Integrity" between the two tables. If a link (referential link) is established, the primary key cannot be deleted or modified.

Multiuser and Concurrent Access
Concurrency controls (such as ACID transactions) need to be ensured so that transactions are properly updated in database tables.

ACID Properties: A is Atomicity, C is Consistency, I is Isolation and D is Durability.
Atomicity: "Either a transaction is completed or not done at all". A business transaction has one or more debit and one or more credit. Transaction should be defined in such a way that both the debit/s and credit/s are completed or none takes place.
Consistency: Transaction should be defined in such a way that it leaves the database in consistent state.
Isolation: RDBMS supports transactions of many users at the same time. Transaction should be defined in such a way that another transaction does not have effect on any other transaction.
Durability: Longevity of the transaction. Once it is committed, i.e. completed and saved, it is written to the persistent storage, i.e. secondary storage or hard disk.

Data Integrity
Maintained by programming various constraints applied to data. A "check" constraint on age column can be set to 18 to 60 years.

Isolation of data and application
Data isolation is possible in an RDBMS because the conceptual (logical) schema cannot be seen by database designer or DBA or programmer. It is internally mapped to physical schema by RDBMS software.

Normalization
Record-design technique developed by Dr Codd to avoid certain design anomalies. Process of breaking down a table into more tables until the other columns in the table are dependent only on the key/s columns of the table.

Transaction
Transaction is a unit of work done on a database. Inserting a record in a table is an "Insert" transaction.
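The key, integrity-constraint and atomicity points above can be exercised against a real RDBMS engine. The following is an added example (not from the chartbook) using Python's built-in sqlite3 module; the customer/account schema, the names and the amounts are constructed for illustration. It shows a primary key refusing duplicates and nulls, a foreign key refusing both an orphan row and the deletion of a referenced primary key, a CHECK constraint enforcing the 18 to 60 age rule, and a debit/credit transfer that is rolled back as a whole when either half fails.

```python
import sqlite3

# Constructed schema for this example: customers and their accounts, with the
# constraints the chart names (unique, non-null primary key; foreign key for
# referential integrity; CHECK rule limiting age to 18-60).
SCHEMA = """
CREATE TABLE customer (
    cust_id TEXT NOT NULL PRIMARY KEY,
    name    TEXT NOT NULL,
    age     INTEGER CHECK (age BETWEEN 18 AND 60)
);
CREATE TABLE account (
    acct_id INTEGER PRIMARY KEY,
    cust_id TEXT NOT NULL REFERENCES customer(cust_id),
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
"""

def open_db():
    """In-memory database with explicit transaction control and FK enforcement on."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None               # we issue BEGIN/COMMIT/ROLLBACK ourselves
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless enabled
    conn.executescript(SCHEMA)
    return conn

def seed(conn):
    """Constructed sample rows."""
    conn.execute("INSERT INTO customer VALUES ('C001', 'Asha', 30)")
    conn.execute("INSERT INTO customer VALUES ('C002', 'Ravi', 45)")
    conn.execute("INSERT INTO account VALUES (101, 'C001', 500)")
    conn.execute("INSERT INTO account VALUES (102, 'C002', 200)")

def rejected(conn, sql):
    """True if the statement is refused by a constraint, i.e. the integrity control fired."""
    try:
        conn.execute(sql)
    except sqlite3.IntegrityError:
        return True
    return False

def transfer(conn, src, dst, amount):
    """Atomic debit/credit: either both updates commit or neither does."""
    try:
        conn.execute("BEGIN")
        conn.execute("UPDATE account SET balance = balance - ? WHERE acct_id = ?", (amount, src))
        cur = conn.execute("UPDATE account SET balance = balance + ? WHERE acct_id = ?", (amount, dst))
        if cur.rowcount != 1:
            raise LookupError("destination account does not exist")
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, LookupError):
        conn.execute("ROLLBACK")              # undoes the debit as well
        return False

def balances(conn):
    return dict(conn.execute("SELECT acct_id, balance FROM account ORDER BY acct_id"))

def run_demo():
    conn = open_db()
    seed(conn)
    return {
        "check_age": rejected(conn, "INSERT INTO customer VALUES ('C003', 'Teen', 17)"),
        "pk_duplicate": rejected(conn, "INSERT INTO customer VALUES ('C001', 'Dup', 40)"),
        "pk_null": rejected(conn, "INSERT INTO customer VALUES (NULL, 'NoKey', 40)"),
        "fk_delete_blocked": rejected(conn, "DELETE FROM customer WHERE cust_id = 'C001'"),
        "fk_orphan_blocked": rejected(conn, "INSERT INTO account VALUES (103, 'C999', 10)"),
        "transfer_ok": transfer(conn, 101, 102, 100),        # 500/200 -> 400/300
        "transfer_overdraw": transfer(conn, 101, 102, 1000),  # CHECK balance >= 0 fails, rolled back
        "transfer_bad_dest": transfer(conn, 101, 999, 50),    # credit finds no row, debit rolled back
        "balances": balances(conn),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Note that SQLite only enforces foreign keys when PRAGMA foreign_keys is switched on for the connection; a database whose application never sets it has referential integrity on paper only, which is a point worth checking in an application controls review.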

Network Services
Interconnected Computers
• Local Area Network (LAN): Room or a building.
• Wide Area Network (WAN): Different geographic areas. Requires services of a network service provider.
• Metropolitan Area Network (MAN): Metropolitan area such as a city. Requires services of a network service provider.
• Personal Area Network (PAN): Personal workspace.
• Storage Area Network (SAN): Storing large amount of data.
• Virtual Private Network (VPN).

TCP/IP (DARPA) and ISO OSI
TCP/IP protocol is given in the following. A user submits his/her data to be sent to another connected computer.
Application Layer: Data is taken and broken down into packets by the Application Layer of TCP/IP.
Transport Layer: TCP layer assures data delivery to the final receiver by taking acknowledgement of each data packet.
Internet Layer: Internet Layer (IP and other routing protocol) provides a correct path to the packets by routing them through network of devices such as switches, routers, servers etc.
Link Layer: Link layer converts the packets into bits and puts them on wire (copper wire or fibre optic etc.) or through air, by using Ethernet protocol.
When packets finally reach the destination, they are assembled back into data and are given to the application software of the final receiver. The packets go through the reverse journey from Link Layer to IP to TCP and then to Application Layer.

Internet Services
In Home: Broadband. In Organisation: Leased telephone Line/MPLS.

DNS service
When Internet was new, users were connecting to a web site by typing the web site's IP address in the browser, e.g. http://9.9.9.9. However, as Internet grew, it was difficult for users to remember IP addresses. Therefore, a DNS (Domain Name System) server was introduced, which stores in a database the names of all web sites and their respective IP addresses. When a user types a URL (Uniform Resource Locator) – e.g. http://anywebsite.com, then DNS server provides the IP address of the website and then browser connects to that IP address.

E-mail service
Outgoing mails: Simple Mail Transfer Protocol service.
Incoming emails:
• Post Office Protocol version 3 (POP3) Client: Emails, once downloaded, are deleted from the server.
• Internet Message Access Protocol (IMAP): Mails are retained on the server, even after they are downloaded.
• WebMail: Email access over the internet browser.

Web service
Organisations can establish integration of web application with another organisation. This is done through launching a web service with the help of API (Application Programming Interface).

Directory Services
When organisations need to control all the desktops, laptops or other computing devices, resources and provide proper authentication and security, they implement directory services. Microsoft Active Directory, Sun Microsystem's iPlanet Directory services and Novell's eDirectory are some popular solutions available for such controlled access.

Print services
• Print server runs print service to make a pool of network printers installed in the organisation.
• Print server allows authenticated users to connect, either by the print server itself or get authenticated by directory services.
• Print server installation enables an organisation to enforce printing policy for controlling printing to be done on various printers.
• Print server also provides monitoring of print jobs and provides statistics related to it.

DBMS Service
DBMS provides efficient and smooth process of data storage and retrieval.

Video Conferencing
With increasing bandwidth facilities, at reducing costs, provided by service providers and improved telecommunication technologies, video conferencing can be wide spread and can also be used by small and medium enterprises.
Backup Strategies
Backup Considerations
1. Backup Policy: Organisations should establish backup policy for guiding IT department and users. Define retention period of the backup data. To implement the policy, management needs to develop backup procedures as well.
2. What to Backup: Decide which data should be backed up. E.g. Ecommerce data, financial data, employee's data, email data, data of various applications, system logs and system configuration files etc. are critical in nature and need to be backed up on priority basis.
3. Backup Frequency: Critical data may be backed up every day, every hour or immediately (known as mirroring of data).
4. Backup Storage Location: Stored safely and securely, preferably at a separate geographic location. Another copy of the backup can be kept near the primary site, so that if needed, it can be easily procured.
5. Backup Retention Period: Backup policy decides how long backup/s should be retained.
6. Testing: Tested regularly so that when needed it can be correctly restored. Organisations set up separate systems for restoring backup data and test it for correctness of restoration.
7. Training: Not all data will be backed up by IT Department. Users may have their important data stored in their laptops or desktops. It is the user's responsibility to back up this data. Therefore, adequate training must be provided to the users about backup policy and backup system. IT personnel also need training on backup policy and backup procedures.
8. Tape Control: Many organisations use magnetic tapes for backing up of data, and may require a tape library management system. This system allows automated tape backup, management and restoration of data on tapes.

Backup Methods
1. A Full backup: Full database is taken every time irrespective of earlier backup. It requires more time and storage than other backup types.
2. Incremental Backup: Backup of changes only done to the data. Every incremental backup is stored on the media as a separate data. Incremental backup is the fastest & requires least storage amongst all of the backup methods.
3. Differential Backup: Backup is taken of all the changes happened after the last full backup. It requires more time & storage than incremental backup but less than full backup.
4. Virtual Full Backups: A synchronised backup, wherein first time a full backup is taken and subsequently whenever change takes place, the backup is synchronised for the changes.

Patch Management
Part of software maintenance: 1. Acquiring the patch from vendor or vendor approved agency, 2. Testing the patch on a test site, 3. Installing the patch, 4. Reporting about the updation, 5. Audit of patch.

Characteristics
• Sound Policy and Procedure.
• Patch Scanner: Find out missing patches and generate a report for review by IT team.
• Efficient Patch Deployment: Patches are tested in a test environment before they can be applied on production site/s. Patching desktops and laptops can be done efficiently through Active Directory.
• Review & Report: Comparison between patch scanner report and patch testing report. Review of these reports indicates benefits of patches installed.

Benefits
• Risk Mitigation: Patch mitigates security risks related to viruses, Trojans, other security flaws which were inadvertently present in the software. Software developers are continuously improving their software for functionality, security, bugs removal.
• Compliance to Standards: Updating software of a system with latest patches is now becoming a compliance requirement.
• Software System Integrity: Patches may incorporate new technology features.
• Productivity With Latest Features: Improves productivity of a system, since it improves usage of new features which are provided by software developers.
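The trade-off between the full, incremental and differential methods above (storage consumed versus how many backup sets a restore must read) can be made concrete by simulating them. This is an added Python example, not part of the chartbook; the four daily file snapshots are constructed, and a "backup set" is simply the dictionary of file copies that method would write that day. Deleted files are not tracked, which keeps the simulation small.

```python
# Constructed day-by-day snapshots of three files; the value is a content version tag.
SNAPSHOTS = [
    {"ledger.db": "L1", "mail.pst": "M1", "config.ini": "C1"},  # day 0: full backup taken
    {"ledger.db": "L2", "mail.pst": "M1", "config.ini": "C1"},  # day 1: ledger changed
    {"ledger.db": "L3", "mail.pst": "M2", "config.ini": "C1"},  # day 2: ledger and mail changed
    {"ledger.db": "L3", "mail.pst": "M2", "config.ini": "C2"},  # day 3: config changed
]

METHODS = ("full", "incremental", "differential")

def changed_since(current, baseline):
    """Files added or modified relative to a baseline state (deletions not modelled)."""
    return {name: ver for name, ver in current.items() if baseline.get(name) != ver}

def plan(snapshots, method):
    """Backup sets written day by day under the given method; day 0 is always a full backup."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    full = dict(snapshots[0])
    sets = [full]
    last_backed = dict(full)            # state as of the most recent backup of any kind
    for snap in snapshots[1:]:
        if method == "full":
            sets.append(dict(snap))
        elif method == "incremental":
            sets.append(changed_since(snap, last_backed))  # delta versus the previous backup
            last_backed = dict(snap)
        else:
            sets.append(changed_since(snap, full))         # delta versus the last full backup
    return sets

def sets_needed_for_restore(sets, method):
    """How many backup sets a restore of the latest state has to read."""
    if method == "full":
        return 1
    if method == "differential":
        return min(2, len(sets))        # last full plus the last differential
    return len(sets)                    # last full plus every incremental, in order

def restore(sets, method):
    """Rebuild the latest file state from the backup sets."""
    if method == "full":
        return dict(sets[-1])
    state = dict(sets[0])
    if method == "differential":
        state.update(sets[-1])
    else:
        for delta in sets[1:]:
            state.update(delta)
    return state

def storage_units(sets):
    """Total file copies written to backup media."""
    return sum(len(s) for s in sets)

def compare(snapshots=SNAPSHOTS):
    """Storage cost, restore chain length and correctness for each method."""
    report = {}
    for method in METHODS:
        sets = plan(snapshots, method)
        report[method] = {
            "storage": storage_units(sets),
            "sets_to_restore": sets_needed_for_restore(sets, method),
            "restores_latest": restore(sets, method) == snapshots[-1],
        }
    return report

if __name__ == "__main__":
    for method, row in compare().items():
        print(method, row)
```

On the constructed snapshots the full method writes 12 file copies, differential 9 and incremental 7, matching the ordering the chart gives; the price of the incremental saving is that a restore must read all four sets in order, and the loss or corruption of any one of them breaks the chain, which is why the Testing consideration above matters most for incremental schemes.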

CHAPTER 4:
INCIDENT RESPONSE AND MANAGEMENT
Incident Handling & Response
Incident is defined as deviation from normal operation of a process. There are many incidents such as – Cyber attack by hackers, Breach in cyber security, Attack on National Critical Infrastructure, Virus or Malware induction, Hacking & Advance Persistent threat, Misconfiguration of System, Software malfunction & Human error in IT department.
Organisations need to prepare themselves for handling and responding to these incidents. Organisations need resources, planning and systematic preparation in this regard.
Organisations usually face lot of challenges such as – Identification of IT assets, Identification of an incident, Analysis of incidents, Scan through bulk of Information and logs, Criteria for zeroing on an incident, IT assets actually damaged due to incident, loss of data, Source of incident, Modus Operandi, Impact analysis, Forensic Investigation of incident and collecting evidence, Fixing the responsibility.

Incident Response Process: Prepare → Identification → Containment → Recovery → Follow up

1. Prepare
1A. Administrative Preparation: Incident policy, procedures, standards and guidelines, Identification of the IT Assets which are critical to an organisation, Training for incident response team, Awareness for employees, Impact Analysis, Knowledge of business, Brand value, Political system of the country, Laws & Regulations.
1B. Technical Preparation: Risk assessment and Risk Management, Data Classification, Assessment of Confidentiality, Integrity and availability of Data, Technology Infrastructure, Dependency on certain technology providers, Controls, Possible vulnerabilities, Cyber Threats, Cyber security posture, Possible source/s of threats.

2. Identification
Identify an incident and then take action accordingly. Identifying an incident can be handled by Incident Response Team. An Incident Response Team can do the following – Notice any suspicious events, SIEM; DLP; IPS/IDS and firewall, Generate cyber-security Audit reports, Resolve anomalies reported by SOC.
Incidents can be analysed as – Time of occurrence, How was it detected i.e., What impact it is going to have on IT asset, Source of this incident.

3. Containment
Isolation of the victimised system and not allowing the incident to spread across many systems. Terminating all sessions of users logged, Blocking the source, Block the Socket, Changing of Administrator or root password.
Eradication: Eradication activities will start, consisting of – i. Marking of infected system, ii. Disconnection from the network, iii. Copying logs manually to a USB drive, iv. Malware/Trojan/Bot etc. need to be analysed, v. Disable the infected accounts of Users, vi. Disable carrier ports, vii. Collect the evidence, viii. Clean the system, ix. Re-Scan the system.

4. Recovery
Incident response team has to assure that the system performance shall be normal i.e. no deviation, all the risks are mitigated with necessary controls such as patching, antivirus updating, optimisation of ports and services.
Following Recovery process: i. Reconnection of the network of the isolated system, ii. All controls restored, iii. Re-Loading Operating system, applications, antivirus, iv. Re-configuring, v. Infected files/folders need to be replaced, vi. All disabled accounts of users need to be restored, vii. All logs are directed to SOC again, viii. Check the integrity of the system, ix. Scan the system.

5. Follow up
Incident response team of the organisation preserves the evidence (with proper integrity) for the follow up activities such as – Conducting the root cause analysis, Search for the culprit, Investigation, Legal action, Damage control for reputation restoration, Trend analysis.
Lessons learnt: Post-facto activity incorporated in the system and security policies, procedures and guidelines.
Documentation: Incidents should be documented with the inputs received, evidences collected, facts, figures, lessons learnt etc.

Benefits of Incident Management
i. Immediate response ensures quick resolution of the incident,
ii. Minimising impact of incident/s,
iii. Keeping intact the Reputation of the organisation,
iv. Avoiding damage to Brand Image,
v. Confidence of the investors / stakeholders,
vi. Business continuity.

Cyber-Security Framework
India's National Security Policy 2013 - The National Cyber-Security Policy 2013 was released on July 2, 2013 by the Government of India.
Policy Objectives
• Create a secure cyber ecosystem in the country
• 24 x 7 mechanism for obtaining strategic information regarding threats to ICT
• To enhance the protection and resilience of Nation's critical information infrastructure by operating a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC)
• To create a workforce of 500,000 professionals skilled in cyber security in the next 5 years.
• To provide fiscal benefits to businesses for adoption of standard security practices
• To enable effective prevention, investigation and prosecution of cyber-crime
• To create a culture of cyber security
Strategies
• To designate a National nodal agency to coordinate all matters related to cyber security
• Chief Information Security Officer (CISO), responsible for cyber security
• To encourage all organizations to develop information security policies
• To ensure that all organizations earmark a specific budget for implementing cyber security initiatives
• To provide fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure
• To prevent occurrence and recurrence of cyber incidents by way of incentives for technology development, cyber security compliance and proactive actions.
• To establish a mechanism for sharing information
• To promote adoption of global best practices in information security
• To create infrastructure for conformity assessment and certification of compliance to cyber security best practices, standards and guidelines
• To enable implementation of global security best practices in formal risk assessment and risk management processes
• To create National level systems,
• To operate a 24x7 National Level Computer Emergency Response Team (CERT-In)
• To operationalize 24x7 sectorial CERTs
• To implement Cyber Crisis Management Plan for dealing with cyber related incidents
• To conduct and facilitate regular cyber security drills, business continuity management and cyber crisis management plan
• To encourage wider usage of Public Key Infrastructure (PKI) within Government
• To engage information security professionals / organisations to assist e-Governance

Security Operation Centre (SOC)
Detect, alert and respond to all the activities of IS Infrastructure.

[Figure: SOC architecture – monitoring agents on Computer, Server, Database and Network Equipment in the IS Infrastructure send Logs & Events to a Collector; the SIEM Tool (SEM and SIM) raises an Alert, handled by Level-1 (Collection) and Level-2 (Analyse) staff, leading to an Incident Report for the Incident Team; CERT-In and IB-CART supply External Intelligence to the Security Database.]

SOC Characteristics
Policy, Standards and Guidelines: Organisation must have a sound policy related to the SOC and its activities.
Top management support: Top management should provide continuous support in terms of investment, resources and people to the SOC. Top management should have a meeting at least once in a Quarter with CISO.
Investment: SOC requires adequate investment for 24x7 operations. Investment may be for purchasing equipment, devices, software etc. (Capex) and day-to-day operational expenditure (Opex).
People: Two levels of employees. Level 1 will be monitoring 24x7. Level 2 doing deep analysis of alerts and incidents.
Process & Procedures: To have documented proper procedures and guidelines for speedy identification and resolution of cyber security incidents.
Technology: Technology plays important role in operations of SOC for Log Analysis, Network Analysis, Malware Analysis, Forensic Analysis, Cryptosystems, signature database updates, packet filtering, packet inspection, data analytics and reverse engineering systems. It takes the following steps to acquire correct technology –
1. Preparing specifications for technology by SOC team.
2. Discussions with various Vendors.
3. Getting POCs (Proof of Concept) from vendors.
4. Preparation of Feasibility study report by SOC team.
5. Getting quotations/tenders from Vendors based on RFP.
6. Initiating procurement process.
7. Finalising vendor.
8. PO (Purchase order) to vendor and getting confirmation.
9. Signing Contract with vendor.
10. Implementation of Technology by SOC team along with vendor experts.
11. Training provided by vendor to SOC.
Environment: SOC should align with business objectives.
Analytics & Reporting: Objectives of the SOC use data analytics to create insightful metrics and performance measures.
Physical Controls: SOC should also have general physical controls & specific physical controls. SOCs are augmented with a different physical space with no sign boards of the organisation.
Investigation
Continuous Improvement: SOC is always under continuous monitoring of the organisation for the necessary improvements. Following actions should be taken for continuous improvement of SOC –
1. Periodic assessment of upgrading skills
2. 360-degree feedback of SOC from various stakeholders
3. Lessons learned by SOC team after every incident
4. Augmentation of new technology as per need
5. Budget provisions as needed
6. Top management support

SIEM Tool and their Utility
Deployment of SIEM Tool – Scope of Work (SOW)
Operation:
• To do continuous monitoring, detecting, alerting and responding to cyber-security incidents.
• SIEM tool should enable SOC for continuous operations for 24x7 throughout year.
• Number of correlated files to be stored and kind of reports need to be provided.
• Use case details.
Security: Collects logs, arranges them in a common format, assesses them, correlates them and then develops the security posture of the IS infrastructure. The security posture is provided to cyber security team of the organisation as a feedback.
Compliance: SIEM-provided auto generated reports related to security posture of an organisation can be taken up for audits. For the compliance purpose auditee must ensure the following –
a. Asset list maintained in a company vis-a-vis asset that SIEM is monitoring
b. Scope of work
c. Logs and events
d. SOC detail processes
e. Security posture database
f. Reporting
g. Latency in conversion of alert into incident
SIEM Core: The SIEM core is the logic of the SIEM, which is composed of multiple software. SIEM core handles the following areas –
1. Risk Assessment for IS infrastructure
2. Correlation of events collected by the collector and external intelligence
3. Any Deviation in normal operations of IS Infrastructure
4. Data Mining & Data Analysis
5. Real-Time Monitoring and alerts
6. Cyber Security posture
7. Correlated data for Forensic & Investigation
8. Reports
SIEM Tools Utility: SIEM tool provides the following advantages –
a. Discover vulnerabilities
b. Uncover threats
c. Monitoring
d. Compliance
e. Security profile
f. Internal Intelligence
g. Alerts
h. Reporting
i. Incident Management
j. Forensic Investigation
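The Security part of the SIEM scope of work above (collect logs, arrange them in a common format, assess and correlate them) and the compliance item on latency from alert to incident are easier to audit once you have seen the pipeline in miniature. The following is an added Python example, not taken from the chartbook or from any SIEM product: the log lines are constructed (syslog-style sshd lines plus a pipe-delimited firewall export, with documentation-range addresses), the common event format and the two correlation rules are assumptions of the example, and a single unparseable line is included to show that collection must count what it could not normalise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two native formats; not real captures.
RAW_LOGS = [
    "2024-03-01T09:00:01Z sshd[311]: Failed password for admin from 203.0.113.7 port 5021",
    "2024-03-01T09:00:09Z sshd[311]: Failed password for admin from 203.0.113.7 port 5022",
    "2024-03-01T09:00:15Z sshd[311]: Failed password for root from 203.0.113.7 port 5023",
    "FW|2024-03-01T09:00:20Z|DENY|203.0.113.7|10.0.0.5|23",
    "2024-03-01T09:00:31Z sshd[311]: Accepted password for admin from 203.0.113.7 port 5030",
    "2024-03-01T09:05:00Z sshd[312]: Failed password for bob from 198.51.100.9 port 6001",
    "2024-03-01T09:40:00Z sshd[313]: Failed password for bob from 198.51.100.9 port 6002",
    "garbage line that no parser understands",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$")
FW_RE = re.compile(r"^FW\|(?P<ts>[^|]+)\|(?P<action>ALLOW|DENY)\|(?P<src>[^|]+)\|"
                   r"(?P<dst>[^|]+)\|(?P<port>\d+)$")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def normalise(line):
    """Collector step: map a native line onto the assumed common event format; None if unparsed."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "sshd", "src_ip": m["src"], "user": m["user"],
                "event": "auth_failure" if m["outcome"] == "Failed" else "auth_success"}
    m = FW_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "firewall", "src_ip": m["src"], "user": None,
                "event": "fw_deny" if m["action"] == "DENY" else "fw_allow"}
    return None

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation step (assumed rules). Rule 1: threshold or more auth failures from one
    source inside the window raises an alert. Rule 2: an auth success from a source that
    is already alerted escalates to an incident, i.e. something for the incident team."""
    findings, recent_failures, alerted = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        if ev["event"] == "auth_failure":
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            recent_failures[ip].append(ev["ts"])
            if len(recent_failures[ip]) >= threshold and ip not in alerted:
                alerted.add(ip)
                findings.append({"level": "alert", "rule": "auth_failure_burst",
                                 "src_ip": ip, "ts": ev["ts"]})
        elif ev["event"] == "auth_success" and ip in alerted:
            findings.append({"level": "incident", "rule": "success_after_burst",
                             "src_ip": ip, "ts": ev["ts"], "user": ev["user"]})
    return findings

def alert_to_incident_latency(findings):
    """Seconds from the first alert to the first incident on the same source, or None."""
    for inc in (f for f in findings if f["level"] == "incident"):
        for al in (f for f in findings if f["level"] == "alert" and f["src_ip"] == inc["src_ip"]):
            return (inc["ts"] - al["ts"]).total_seconds()
    return None

def run(lines=RAW_LOGS):
    parsed = [normalise(line) for line in lines]
    events = [e for e in parsed if e is not None]
    findings = correlate(events)
    return {"events": len(events), "unparsed": parsed.count(None),
            "findings": findings, "latency_s": alert_to_incident_latency(findings)}

if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The two failures from the second source fall 35 minutes apart and never satisfy the 60-second window, so they produce no finding; the first source trips the alert on its third failure and is escalated 16 seconds later when a login succeeds. An auditor reviewing a SIEM deployment would ask for exactly these figures per rule: what was collected, what could not be parsed, and how long alerts took to become incidents.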
Computer Emergency Response Team (CERT)
US government started CERT in 1988; Government of India started CERT-In, operational in January 2004.
IT Act 2008 - Section 70B: Indian Computer Emergency Response Team to serve as national agency for incident response.
• Central Government appoint an agency called the Indian Computer Emergency Response Team.
• Central Government shall provide the agency with a Director General, other officers and employees.
• The salary and allowances and terms and conditions of the Director General may be prescribed.
• Performing the following functions:
a. collection, analysis and dissemination of information on cyber incidents
b. forecast and alerts of cyber security incidents
c. Emergency measures
d. Coordination of cyber incidents response activities
e. Issue guidelines, advisories of cyber incidents
• Any service provider who fails to provide the requested information or comply with the requirements shall be subject to a punishment of one year imprisonment or a fine of one lakh rupees, or both.

Indian Banks – Centre for Analysis of Risks and Threat (IB-CART)
IB-CART was established in 2014 to address cybersecurity in the banking sector. It has a total of 90 users from over 60 public, private and foreign banks in India. The IB-CART advisory council has 9 members with representation from public and private sector banks and CERT-IN.

CHAPTER 1:
INTRODUCTION TO PROTECTION OF INFORMATION ASSETS
Risk Response
Avoid: Response by deciding not to use technology for select business operation.
Transfer: Where organizations pass on the responsibility of implementing controls to another entity. For example, insuring against financial losses with insurance company by paying suitable premium.
Accept: If risk assessed is within the risk appetite, management may decide not to implement control and accept the risk.
Mitigate: To implement controls by incurring additional cost to reduce the assessed impact to bring it within acceptable limits.

Information Security Objectives
Confidentiality: Preserves authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guards against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability: Ensures timely and reliable access to and use of information.

Threat Modeling Tools
Process by which potential threats can be identified, enumerated, and mitigations can be prioritized. Attack vector is a path or means by which an attacker can gain unauthorized access to a computer or network to deliver a payload or malicious outcome.

OWASP
It works to improve the security of software. OWASP Top 10 is a standard awareness document for developers and web application security. Globally recognized by developers as the first step towards more secure coding.

DREAD Model
Category – Description
D Damage potential – How many assets can be affected?
R Reproducibility – How easily the attack can be reproduced?
E Exploitability – How easily the attack can be launched?
A Affected users – What is the number of affected users?
D Discoverability – How easily the vulnerability can be found?

STRIDE Model
Threat – Desired Property
S Spoofing (False identity) – Authenticity
T Tampering – Integrity
R Repudiation – Non-repudiation
I Information disclosure (Leak of Data) – Confidentiality
D Denial of service – Availability

Cyber/Computer Attacks
Backdoor: It is a bypass which is a means of access for authorised access. They are malicious programs that listen for commands on a certain TCP or UDP port. Backdoors allow an attacker to perform a certain set of actions on a host, such as acquiring passwords or executing arbitrary commands. Use of licensed software, patch updates, disabling default users & debugging function and using anti-malware software are the controls against backdoor.
Blue Jacking: Sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices. Turning off Bluetooth, selecting hidden mode, and ignoring and/or deleting messages, can prevent blue jacking.
Buffer Overflow: An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Run-time protection features are controls for buffer overflow.
Cyber Stalking: Use of the Internet or other electronic means to stalk or harass an individual, group, or organization. Maintaining cyber hygiene and avoiding disclosure of sensitive information are preventive controls.
Cyber Terrorism: Use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm. Passive defense for this attack is essentially target hardening.
Cyber Warfare: Use of technology to attack a nation, causing comparable harm to actual warfare. Limiting employee access to classified information and installing software updates may help to prevent this attack.
Data Diddling: Changing of data before or during entry into the computer system. File encryption, checksum or message digest may prevent such attacks.
Denial of Service: Attempt to make a machine or network unavailable to its intended users. Web application firewall may help to prevent DOS attack.
DNS Spoofing: Data is introduced into a (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer. Keeping resolver private and protected is one of the controls against DNS spoofing.
Email Spoofing: Creation of email messages with a forged sender address. Core email protocols do not have any mechanism for authentication, making it common for spam and phishing emails. Configuring reverse proxy may detect email spoofing.
Identity Theft: Deliberate use of someone else's identity. Use of strong password, multi factor authentication, monitoring transactions of the account are some preventive controls.
Keystroke Logger: Monitors and records keyboard use, to retrieve the data from the host. Use of key encryption software and installing anti malware.
Logic Bomb: Legitimate programs, to which malicious code has been added. Their destructive action is programmed to "blow up" on occurrence of a logical event. Anti-malware and use of application from trusted source may be preventive controls.
Piggybacking: Unauthorized access using a terminal that is already logged on with an authorized ID and left unattended. Idle session timeout.
Salami Theft: Minor attacks that together result in a larger attack. By having proper segregation of duties and proper control over code it may be prevented.
Sensitive Data Exposure: Data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Data leakage prevention tools may prevent.
Injection: Occurs when untrusted data is sent to an interpreter as part of a command or query. Input validation, security audits and vulnerability, threat and risk (VTR) are preventive controls.
Trojan: Self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Sound policies and procedures should be in place and anti-malware software should be installed.
Virus: Virus self-replicates, triggered through user interaction, such as opening a file or running a program. Sound policies and procedure, anti-malware software.
• Compiled Viruses: Executed by an operating system & includes file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives.
• Interpreted Viruses: Executed by an application; macro viruses take advantage of macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS.
Worm: Self-replicating, self-contained program. Sound policies and procedure, anti-malware.
• Network Service Worms: Takes advantage of vulnerability in a network service to propagate itself.
• Mass Mailing Worms: Similar to an email-borne virus but is self-contained.
Web Defacement: Attack on a website that changes the visual appearance of a website or a web page. Security audits and vulnerability, threat and risk (VTR).
Information Systems Controls
Control is de ned as Mechanism that provides reasonable assurance that business objective will be achieved and undesired events are prevented, detected or corrected. Information system auditing includes reviewing the implemented system
or providing consultation and evaluating the reliability and operational effectiveness of controls. It ensures that the desired outcome of the business process is not affected.
1. Need for Control
•Organizational Costs of Data Loss
•Incorrect Decision Making
•Costs of Computer Abuse
•High Costs of Computer Error
•Maintenance of Privacy
•Controlled evolution of computer Use
•Information Systems auditing
•Asset Safeguarding
•Data Integrity
•System Effectiveness
•System Efficiency
2. Objectives of Control
Control objective is defined as "Statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT process or activity". Two main purposes:
• Outline the policies of the organization
• A benchmark for evaluating whether control objectives are met.
The objective of controls is to reduce or, if possible, eradicate the causes of the exposure to probable loss. Some categories of exposures are:
•Errors or omissions in data, procedure, processing, judgment and comparison.
•Improper authorizations and improper accountability with regard to procedures, processing, judgment and comparison.
•Inefficient activity in procedures, processing and comparison.
Control considerations (factors that weaken the control environment) include:
•Lack of understanding of IS risks amongst management & users.
•Absence or inadequacy of an IS control framework.
•Complexity of implementation of controls.
4. Types of Internal Controls
Preventive Controls: Designed to create a desired level of resistance; their goal is to predict potential problems before they occur. Ex. Employing qualified personnel, segregation of duties, access control, documentation etc.
Detective Controls: Designed to build historical evidence of the events or activities directly related to reliability, so that errors or irregularities that have already occurred are surfaced. Ex. Hash totals, Check Points, etc.
Corrective Controls: Designed to reduce the impact or correct an error once it has been detected; directly related to bringing business operations back to normal. Ex. Backup & Restoration procedure etc.
Control Rating By An Auditor:
Very High : Controls are implemented and are extremely effective.
High : Controls are implemented and are highly effective.
Moderate : Controls are implemented and are moderately effective.
Low : Low effectiveness.
Negligible : Controls are not implemented.
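A worked example of a detective control of the kind listed above, added here and not part of the ChartBook: batch control totals (record count, financial total and hash total) captured at data entry and recompared after processing. The payment records, account numbers and amounts are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    account_no: int      # non-financial field summed for the hash total
    amount: Decimal      # financial field summed for the financial total


def batch_totals(records):
    """Compute the three classic batch control totals for a list of payments.

    record_count    : number of records in the batch
    financial_total : sum of the monetary field
    hash_total      : sum of a field with no arithmetic meaning (account numbers);
                      it exposes records that were dropped, duplicated or altered
                      even when the money and the count still agree.
    """
    return {
        "record_count": len(records),
        "financial_total": sum((r.amount for r in records), Decimal("0")),
        "hash_total": sum(r.account_no for r in records),
    }


def reconcile(input_totals, output_totals):
    """Detective control: compare totals captured at data entry with totals
    recomputed after processing. Returns the names of the totals that differ;
    an empty list means the batch balanced."""
    return [name for name, value in input_totals.items()
            if output_totals[name] != value]


# Constructed sample batch (not real data): what the user department submitted.
INPUT_BATCH = [
    Payment(100234, Decimal("250.00")),
    Payment(100871, Decimal("1200.50")),
    Payment(100455, Decimal("75.25")),
]


def transposed_account_example():
    """Processing transposed two digits of an account number (100234 -> 100243).
    Count and money are unchanged, so only the hash total exposes the error."""
    processed = [Payment(100243, Decimal("250.00"))] + INPUT_BATCH[1:]
    return reconcile(batch_totals(INPUT_BATCH), batch_totals(processed))


def dropped_record_example():
    """Processing lost the last record: all three totals disagree."""
    processed = INPUT_BATCH[:2]
    return reconcile(batch_totals(INPUT_BATCH), batch_totals(processed))


if __name__ == "__main__":
    print("input totals:", batch_totals(INPUT_BATCH))
    print("transposition detected by:", transposed_account_example())
    print("dropped record detected by:", dropped_record_example())
```

The hash total is the one that catches the transposed account number; the record count and financial total alone would have passed that batch, which is why all three totals are carried together.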
3. Internal Controls
Internal Control Framework: Comprises policies, procedures, practices, and organizational structure that give reasonable assurance that business objectives will be achieved. Controls are broken into discrete activities and supporting processes, which can be either manual or automated.
Risk and Control Ownership
Each risk should have an owner; the owner is a person or position that has a close interest in the processes affected by the risk. The owner of a risk also owns any controls associated with that risk and is accountable for monitoring their effectiveness. This ensures that all risks have been addressed through appropriate controls and that all controls are justified by the risks that mandate the requirements for those controls.
Periodic Review and Monitoring of Risk and Controls
After implementation of the risk responses, management needs to monitor the actual activities to ensure that the identified risk stays within an acceptable threshold. To ensure that risks are reviewed and updated, organizations must have a process that will ensure the review of risks. The best processes are:
• The risk assessment exercise may be conducted after a predefined period, say at least annually.
• All incidents and lessons learned must be used to review the identified risks.
• Change management processes should proactively review the possible risks and ensure that they are part of the organization's risk register.
• New initiatives and projects must be considered only after risk assessment.
Controls Assessment
The first step is to review the risk register & control catalogue and ensure that the associated risk is responded to appropriately. The next step is to review procedure documents.
Control Self-Assessment
The actual testing of the controls is performed by staff whose day-to-day role is within the area of the organization that is being examined, as they have the greatest knowledge of how the processes operate. The two common techniques for performing the control evaluations are:
1.Workshops 2.Surveys or questionnaires.
Role of IS Auditor in Information Risk Management
Facilitator for conducting risk assessment workshops; provides objective assurance to the board on the effectiveness of the organization's Risk Management framework; plans the audit cycle according to the perceived risk, i.e. plans a higher frequency for high-risk business process areas.
Key roles that an auditor can perform are:
1. To give assurance on the risk management process
2. To give assurance that the risks are being evaluated correctly
3. Evaluate the Risk Management process
4. Review the management of key risks.
There are activities which an auditor should not perform, to maintain his independence:
1. Setting the risk appetite
2. Imposing the risk management process
3. Taking decisions on risk responses
4. Implementing risk responses on management's behalf.

www.prokhata.com 69
CA Rajat Agrawal
Module - 5 Protection of Information Assets Chapter 2 Administrative Controls of Information Assets
CHAPTER 2:
ADMINISTRATIVE CONTROLS OF INFORMATION ASSETS
Information Security Management
Ensure confidentiality, integrity and availability (CIA) of information assets. The primary control for implementing the protection strategy is defining and implementing an information security policy.
Key elements of information security management include:
• Senior management commitment and support,
• Policies and procedures,
• Organization structure and roles and responsibilities,
• Security awareness and education,
• Monitoring,
• Compliance,
• Incident handling and response,
• Continual improvement.
Senior Management Commitment and Support
Commitment and support of senior management are imperative for successful establishment and continuance of an information security management program. Executive management endorsement of essential security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise.
Critical Success Factors to Information Security Management
Alignment with business objectives: Management needs to establish the security policy in line with business objectives, to ensure that all Information Security elements are strategically aligned.
Organizational culture: Ensure that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organizational culture.
Establish and enforce an information security program: The focus is protecting the information assets of the organization.
Adoption of standards: Enables the organization to have a consistent implementation across the enterprise. It helps in providing assurance that all required aspects of information security have been covered.
Spend resources wisely and transparently: Expenditures on controls should be prioritized so that unnecessary resource utilization is avoided.
Information Security Organization
• Information security is the responsibility of the entire organization and the accountability of senior management.
• The security function must be strategically placed within the Organization and visibly supported by top management while carrying out its duties in an effective and independent manner.
• Define security responsibilities for every person and position as part of his/her role within the organization, documented in their job description.

Segregation of Duties
Having more than one person required to complete a task. No individual should have the ability to carry out every step of a sensitive business transaction. SoD implements an appropriate level of checks and balances upon the activities of individuals.
The 'Four Eyes' (Two-Person) Principle
For each transaction, there must be at least two individuals necessary for its completion. While one individual may create a transaction, another individual of higher designation should be involved in its confirmation/authorization. In this way, strict control is kept over system software and data.
Rotation of Duties
Rotation of employees' assigned jobs throughout their employment. Designed to promote flexibility of employees and to keep employees interested in staying with the company/organization; from a control standpoint it also reduces the opportunity for one person to conceal an irregularity indefinitely.
'Key Man' Policy
Where a single individual is critical to the business, insurance policies may be taken out to cover losses resulting from his or her death or incapacity.
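An added example (not from the ChartBook) of how segregation of duties and the four-eyes principle can be enforced inside an application: a constructed conflict matrix of duties that one person must never hold together, plus an approval routine that refuses self-approval and demands a second independent approver above a threshold. The duty names, the users and the 10,000 threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Pairs of duties that one person must never hold together (constructed conflict
# matrix for illustration; a real matrix comes from the organization's risk assessment).
SOD_CONFLICTS = {
    frozenset({"create_payment", "approve_payment"}),
    frozenset({"maintain_vendor_master", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
}


def sod_violations(user_duties):
    """Segregation-of-duties review of a user-to-duties mapping.
    Returns {user: [conflicting duty pairs that user holds in full]}."""
    findings = {}
    for user, duties in user_duties.items():
        hits = sorted(sorted(pair) for pair in SOD_CONFLICTS if pair <= duties)
        if hits:
            findings[user] = hits
    return findings


@dataclass
class Transaction:
    tid: str
    created_by: str
    amount: Decimal
    approvals: list = field(default_factory=list)


DUAL_APPROVAL_THRESHOLD = Decimal("10000")   # assumed policy value


def approve(tx, approver, user_duties):
    """Four-eyes check: the approver must hold the approval duty, must be a
    different person from the creator, and must not approve twice."""
    if "approve_payment" not in user_duties.get(approver, set()):
        raise PermissionError(f"{approver} lacks approve_payment")
    if approver == tx.created_by:
        raise PermissionError("four eyes: creator may not approve own transaction")
    if approver in tx.approvals:
        raise PermissionError("duplicate approval by the same person")
    tx.approvals.append(approver)
    return tx


def approvals_required(tx):
    """One independent approver by default; two at or above the threshold."""
    return 2 if tx.amount >= DUAL_APPROVAL_THRESHOLD else 1


def is_releasable(tx):
    return len(set(tx.approvals)) >= approvals_required(tx)


# Constructed users for the demo
USERS = {
    "alice": {"create_payment"},
    "bob": {"approve_payment"},
    "carol": {"approve_payment", "maintain_vendor_master"},  # SoD conflict
    "dave": {"create_payment", "approve_payment"},           # SoD conflict
}


def demo():
    """High-value payment: one approver is not enough, two distinct ones are."""
    tx = Transaction("PAY-1", created_by="alice", amount=Decimal("12500"))
    approve(tx, "bob", USERS)
    one_approver_enough = is_releasable(tx)      # False: above threshold
    approve(tx, "carol", USERS)
    return one_approver_enough, is_releasable(tx), sod_violations(USERS)


def self_approval_is_rejected():
    """dave holds both duties, so the SoD review flags him; even so the
    four-eyes rule stops him approving a transaction he created himself."""
    tx = Transaction("PAY-2", created_by="dave", amount=Decimal("100"))
    try:
        approve(tx, "dave", USERS)
    except PermissionError:
        return True
    return False
```

The two checks are complementary: the SoD review over the access matrix is a periodic control that finds users like carol and dave who should not hold both duties, while the four-eyes check in the transaction path is a preventive control that holds even when the access matrix is wrong.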
Information Security Policies, Procedures, Standards and Guidelines
Information Security policy will de ne management’s intent on how the security objectives should be achieved. Aer policies are outlined, standards are adopted/de ned to set the mandatory rules that will be used to implement the policies.
Guideline is typically a collection of system speci c or procedural speci c "suggestions" for best practice. Information security management, administrators, and engineers create procedures from the standards and guidelines that follow the
policies. Information Security Policy is an overview or generalization of an organization’s security needs.
1. Components of Information Security Policies
Statement, Scope, Objective, Ownership, Roles and Responsibility, Business requirement of Information security, Policy Exceptions, Compliance & Periodic review.
2. Other Common Security Policies
Data Classification and Privacy Policies:
•Organization shall hold non-public personal information in strict confidence except as required or authorized by law, and disclose it only to such persons who are authorized to receive it.
•Adopt procedures for the administrative, technical and physical safeguarding of all non-public personal information.
•Any entity that utilizes information provided by the organization to carry out its responsibilities shall have signed and agreed to abide by the terms of the data privacy and security policy.
Acceptable Use of Information Assets Policy:
Set of rules that restrict the ways in which the information resources (Data, Application Systems, Technology, Facilities and People) may be used. An AUP often reduces the potential for legal action that may be taken by a user, although in practice such policies are often enforced only weakly.
Physical Access and Security Policy
Security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and assets from damage or harm. It involves the use of multiple layers of interdependent systems, which include CCTV surveillance, security guards, Biometric access, RFID cards, etc.
Asset Management Policy
Defines the business requirements for Information assets protection. It includes assets like servers, desktops, handhelds, software, network devices.
Network Security Policy
Overall rules for the organization's network access; determines how policies are enforced and lays down some of the basic architecture of the company security/ network security environment.
Password Policy
The policy defines the configuration of passwords to be used within the organization to access the information assets. For ex.
•Password length must be more than 8 characters
•Password must meet complexity requirements, such as upper case, lower case, numeric and special characters
•Password must have a defined maximum age
•Password must have a defined minimum age
•Password must have history control
3. Controls over Policy
Information security policies need to be maintained, reviewed and updated regularly. It is necessary to review the security policies to ensure that they are in line with senior management's intent. Security policies are to be reviewed:
•Periodically, generally annually OR
•After an incident OR
•As a part of the change management process
4. Exceptions to the Policy
Policies are generic and sometimes cannot be enforced in specific situations; in such situations, it is necessary to ensure there are suitable compensating controls so that the risks mitigated by enforcement of the policy remain within an acceptable level.
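An added example (not from the ChartBook) that checks a password change against the password policy rules listed above: length, complexity classes, minimum age, maximum age and history control. The numeric values for maximum age (90 days), minimum age (1 day) and history depth (5) are assumed, as the page gives none; SHA-256 is used only so that the history can be compared in the demo, and is not a recommended password hash (a salted, slow hash such as bcrypt or Argon2 belongs in a real system).

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PasswordPolicy:
    min_length: int = 9            # page says "more than 8 characters"
    max_age_days: int = 90         # assumed
    min_age_days: int = 1          # assumed
    history_depth: int = 5         # assumed: number of previous passwords remembered


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # digests of earlier passwords, newest last
    last_changed: date = None


def _digest(password):
    # Demo only: a real system stores a salted, slow hash (bcrypt/argon2), not SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def complexity_failures(password, policy):
    """Length and character-class rules; returns a list of failed rules."""
    fails = []
    if len(password) < policy.min_length:
        fails.append(f"shorter than {policy.min_length}")
    classes = {"upper": r"[A-Z]", "lower": r"[a-z]",
               "digit": r"\d", "special": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            fails.append(f"missing {name}")
    return fails


def change_failures(account, new_password, policy, today):
    """Every policy rule that blocks changing this account's password today."""
    fails = complexity_failures(new_password, policy)
    if account.last_changed and (today - account.last_changed).days < policy.min_age_days:
        fails.append("minimum age not reached")      # stops cycling through history
    if _digest(new_password) in account.history[-policy.history_depth:]:
        fails.append("password reused")
    return fails


def must_change(account, policy, today):
    """Maximum-age rule: has the current password expired?"""
    return (account.last_changed is None
            or (today - account.last_changed).days > policy.max_age_days)


def change_password(account, new_password, policy, today):
    """Apply the change if no rule fails; returns the list of failed rules."""
    fails = change_failures(account, new_password, policy, today)
    if fails:
        return fails
    account.history.append(_digest(new_password))
    account.last_changed = today
    return []


def demo():
    policy = PasswordPolicy()
    acct = Account("jdoe", history=[_digest("Winter2024!")], last_changed=date(2024, 1, 10))
    today = date(2024, 4, 20)   # 101 days later: expired under the 90-day maximum age
    return (
        must_change(acct, policy, today),
        change_failures(acct, "password", policy, today),      # weak
        change_failures(acct, "Winter2024!", policy, today),   # reuse of old password
        change_password(acct, "Spring-2024#Go", policy, today),
    )
```

The minimum-age rule exists for the history rule's sake: without it a user can change the password six times in a minute and land back on the original, which is exactly what history control is meant to prevent.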

Information Classification
Provides organizations with a systematic approach to protect information consistently across the organization. Information assets to be classified include: Databases, Data files, Back-up media, On-line magnetic media, Off-line magnetic media, Paper, System documentation, User manuals, Training material, Operational or support procedures, Continuity plans, Fall-back arrangements.
Information follows a life cycle consisting of stages such as: origination, draft, approved/signed, received, stored, processed, transmitted, archived, discarded, destroyed etc.
Benefits from Information Classification
• It provides a systematic approach to protecting information consistently.
• Helps in determining the risk associated in case of loss and thus prevents 'over-protecting' and/or 'under-protecting'.
• Used to demonstrate that the organization is meeting compliance requirements.
• Ensures that security controls are only applied to information that requires such protection, which reduces operational costs of protecting information.
• Enforces access control policies by using the classification label to determine if an individual can gain access to a piece of information.
Information Classification Policy
• Structure of the classification schema.
• Information owners and custodians.
• Protection levels for each class of information defined by the schema.
Owners are responsible for assigning classifications to information assets. The information classification shall be embedded in the information itself (i.e. the asset carries its own label).
Classification Schema
Unclassified/ Public
Description: Information is not confidential and can be made public without any implications for the Company.
Unauthorized disclosure, alteration or destruction could: Cause low or no risk.
Examples: Product brochures widely distributed | Information widely available in the public domain, including publicly available Company web site areas | Sample downloads of Company software that is for sale | Financial reports required by regulatory authorities | Newsletters for external transmission.
Sensitive
Description: • Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. • Requires higher than normal assurance of accuracy and completeness.
Unauthorized disclosure, alteration or destruction could: Cause a moderate level of risk.
Examples: • Passwords and information on corporate security procedures • Know-how used to process client information • Standard Operating Procedures used in all parts of Company's business • All Company-developed software code, whether used internally or sold to clients.
Client Confidential Data
Description: Information received from clients in any form for processing in production by Company. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Unauthorized disclosure, alteration or destruction could: Cause a significant level of risk.
Examples: • Client media • Electronic transmissions from clients • Product information generated for the client by Company.
Company Confidential Data
Description: Information collected and used by Company in the conduct of its business to employ people, to log and fulfil client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Unauthorized disclosure, alteration or destruction could: Cause the highest level of risk.
Examples: • Salaries and other personnel data • Accounting data and internal financial reports • Confidential customer business data and confidential contracts • Company business plans.
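An added example (not from the ChartBook) of enforcing access by classification label, as the last benefit and the policy point about embedding the label describe: the label is read from a header inside the document itself, and an unlabelled or unknown label fails closed to the highest class. The 'CLASSIFICATION:' and 'CLIENT:' header format, the strict ordering of the four classes into one ladder, and the sample users and documents are assumptions made for the illustration; client-confidential data additionally requires the user to be assigned to that client (need-to-know).

```python
import re
from enum import IntEnum


class Level(IntEnum):
    """The four classes of the schema above, ordered by harm on disclosure.
    Treating them as a single ordered ladder is an assumption of this example."""
    PUBLIC = 0
    SENSITIVE = 1
    CLIENT_CONFIDENTIAL = 2
    COMPANY_CONFIDENTIAL = 3


# Labels are embedded in the information itself as header lines (assumed format)
LABEL_RE = re.compile(r"^CLASSIFICATION:\s*(.+?)\s*$", re.M | re.I)
CLIENT_RE = re.compile(r"^CLIENT:\s*(.+?)\s*$", re.M | re.I)


def classify(document):
    """Read the embedded label. An unlabelled or unknown label fails closed to
    the highest class, so a missing label never grants access by accident."""
    m = LABEL_RE.search(document)
    if not m:
        return Level.COMPANY_CONFIDENTIAL
    key = re.sub(r"[\s/-]+", "_", m.group(1).strip().upper())
    try:
        return Level[key]
    except KeyError:
        return Level.COMPANY_CONFIDENTIAL


def may_access(user, document):
    """user = {"clearance": Level, "clients": set of client names}.
    Clearance must reach the label; client-confidential data additionally
    needs the user to be assigned to the client named in the document."""
    level = classify(document)
    if user["clearance"] < level:
        return False
    if level == Level.CLIENT_CONFIDENTIAL:
        m = CLIENT_RE.search(document)
        return bool(m) and m.group(1).strip() in user["clients"]
    return True


# Constructed sample documents and users (not real data)
BROCHURE = "CLASSIFICATION: Public\nNew product line available in Q3.\n"
RUNBOOK = "CLASSIFICATION: Sensitive\nPayroll batch restart procedure ...\n"
ACME_FILE = "CLASSIFICATION: Client Confidential\nCLIENT: Acme\nInvoice data ...\n"
UNLABELLED = "Quarterly board pack draft\n"

ANALYST = {"clearance": Level.SENSITIVE, "clients": set()}
ACME_TEAM = {"clearance": Level.CLIENT_CONFIDENTIAL, "clients": {"Acme"}}
OTHER_TEAM = {"clearance": Level.CLIENT_CONFIDENTIAL, "clients": {"Globex"}}


if __name__ == "__main__":
    for name, doc in [("brochure", BROCHURE), ("runbook", RUNBOOK),
                      ("acme file", ACME_FILE), ("unlabelled", UNLABELLED)]:
        print(f"{name}: {classify(doc).name}, analyst may read: {may_access(ANALYST, doc)}")
```

The fail-closed default is the security-relevant choice: a document that lost its label (a stripped header, a mis-typed class) is treated as the most restricted class until its owner labels it, rather than becoming readable by everyone.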
The Concept of Responsibility in Information Security
Ownership
For security and control, ownership is delegated to an employee or group of employees who need to use these assets. Users not only have the right to use the asset but are also responsible for ensuring that the asset is well maintained, accurate and up to date.
Custodianship
The owner may delegate responsibility to a custodian. The owner should clearly state the responsibilities and associated levels of authority of the custodian over the assets, but final management responsibility will always reside with the owner.
Controlling
In all information security areas there are key tasks, which can be called control points. It is at these control points that the actual information security mechanism has its application.
Human Resources Security
The management of human resources security and privacy risks is necessary during all phases of employees' association with the organization. Following are some of the recommended safeguards: Job descriptions and screening, User awareness and training, A disciplinary process, and An exit process must exist.
Pre-employment:
Defining roles and responsibilities of the job, defining appropriate access to sensitive information for the job, and determining the candidate's screening levels.
During employment:
Receive periodic reminders of their responsibilities and receive ongoing, updated security awareness training.
Termination or change of employment:
Access must be revoked immediately upon termination of an employee or third party from the organization.
Training & Education
A broad program that includes training, education, awareness, and outreach must be developed to deliver a multitude of security messages through various means to all employees. Formal, instructor led training, computer or Internet-based training, videos, conferences, forums, and other technology based and traditional delivery methods are all examples of what must be part of the integrated security training, education, and awareness program.
Important considerations for a security awareness training program are:
Mandatory security awareness: Ensure that security awareness training is mandatory for all staff.
Training for third parties: Ensure that all third parties who have access to an organization's information assets are trained.
Training is required before access is granted: Security awareness training commences with a formal induction process designed to introduce the organization's information security policies and expectations before access is granted to information or services.
Acknowledge policy: Ensure that all have acknowledged that they have read and understood the organization's information security / acceptable use policy.
Training at least annually: Ensure that all target audiences, including third parties, are given security awareness training at least once a year.
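An added example (not from the ChartBook) of an audit test for the termination requirement above: it joins an HR leavers extract to an IAM account export and reports accounts still active after the termination date, accounts used after termination, and accounts with no HR owner at all. Both extracts are constructed sample data in an assumed CSV layout.

```python
import csv
import io
from datetime import date, datetime

# Constructed extracts (not real data): HR leavers file and an IAM account export.
HR_EXTRACT = """emp_id,name,termination_date
E100,Ann Moore,2024-03-01
E101,Bob Kahn,
E102,Cid Rao,2024-05-15
"""

ACCOUNT_EXTRACT = """username,emp_id,status,last_login
ann.m,E100,active,2024-03-07
bob.k,E101,active,2024-06-01
cid.r,E102,disabled,2024-05-14
svc_backup,,active,2024-06-01
"""


def _d(s):
    """Parse an ISO date; an empty field (still employed / never logged in) is None."""
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def leaver_access_findings(hr_csv, accounts_csv, as_of):
    """Audit test for 'access must be revoked immediately upon termination'.
    Returns one (username, finding) tuple per exception."""
    hr = {r["emp_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owner = hr.get(acct["emp_id"])
        if owner is None:
            # nobody in HR owns this login, so no leaver process will ever disable it
            findings.append((acct["username"], "no HR owner on record (orphan account)"))
            continue
        term = _d(owner["termination_date"])
        if term is None or term > as_of:
            continue                                   # still employed as of the test date
        if acct["status"] == "active":
            days = (as_of - term).days
            findings.append((acct["username"], f"still active {days} days after termination"))
        last = _d(acct["last_login"])
        if last and last > term:
            # an account that was used after leaving is the more serious finding
            findings.append((acct["username"],
                             f"logged in on {last} after termination on {term}"))
    return findings


def demo():
    return leaver_access_findings(HR_EXTRACT, ACCOUNT_EXTRACT, date(2024, 6, 30))


if __name__ == "__main__":
    for user, msg in demo():
        print(f"{user}: {msg}")
```

Run over real extracts, the join key and the date format are the parts to adapt; the orphan-account branch is worth keeping, because service and shared accounts that no leaver process covers are a common source of undetected access.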

Implementation of Information Security Policies
Appropriate implementation of an information security policy helps in minimizing internal security breaches that are accidental and unintentional. The following may help in smooth and successful implementation of information security policies.
Increasing Awareness
The information security department should understand the level of employee awareness in order to determine the effectiveness of the information security policy.
Communicating Effectively
Ensuring that employees understand the reason to comply with information security policies. Communication guidelines include:
• Target communications for various user communities.
• Provide a list of policy updates in the annual training.
• Supplement primary communications vehicles with website and newsletter articles.
Simplify Enforcement
• Creating a manageable number of policies, rather than trying to convince employees to comply with every possible policy.
• Making policies understandable for target audiences by using language that is suited to the target users.
• Making it easy to comply.
• Integrating security with business processes so employees will not need to bypass security procedures while doing business operations.
• Aligning policies with job requirements.
• Creating realistic, workable policies, which generates a higher level of compliance.
Integrating Security with the Corporate Culture
Making employees a partner in the security challenge: The security team is there to help them instead of to police them.
Making security policy part of a larger compliance initiative: Work with human resources, legal, and other compliance teams.
Tying security policies to the company's code of business conduct: Educate employees on vital compliance; information security is necessary for overall success.
Issues and Challenges of Information Security Management
Organization's strategic drivers
Strategic drivers and needs of the organization may conflict with the actions required to ensure that assets and processes remain productive.
Regulatory requirements
Just as the organization must expose itself to its environment to operate, so must it be willing to accept the limitations imposed by regulators.
Information security as an afterthought
It is the norm to follow a checklist to understand whether any of the security 'holes' remained unplugged, rather than designing security in from the start.
Lack of integration in system design and security design
Development duality is a phenomenon where systems and security design are undertaken in parallel rather than in an integrated manner.

Chapter 3 Physical and Environmental Controls Module - 5 Protection of Information Assets
CHAPTER 3:
PHYSICAL AND ENVIRONMENTAL CONTROLS
Objectives of Physical Access Controls
An access control system determines who is allowed, where they are allowed, and when they are allowed to enter or exit. Physical access controls restrict physical access to resources and protect them from intentional and unintentional loss or impairment. Assets to be protected could include: Primary computer facilities, Cooling system facilities, Microcomputers, Telecommunications equipment and lines (including wiring closets), Sensitive areas such as buildings, individual rooms or equipment.
Physical Security Threats and Exposures
A threat is an event whose occurrence would have an adverse impact on the well-being of an asset.
Sources of Physical Security Threats
The sources of physical access threats can be broadly divided into the following based on the nature of access:
• Physical access to IS resources by unauthorized personnel
• Authorized personnel gaining access to information systems resources for which they are not authorized
• Authorized personnel having pre-determined rights of access misusing their rights in a manner prejudicial to the interests of the organization
The perpetrators or sources of physical threats can be as follows:
• Accidental/Ignorant persons who unknowingly perpetrate a violation
• Discontented or disgruntled employees
• Employees on strike, or issues at an outsourced agency
• Employees under termination
• Persons experiencing financial or emotional problems
• Persons addicted to substances, or gamblers
• Interested or informed outsiders
Physical Access Exposures to Assets
Unintentional or Accidental: Authorized or unauthorized persons unintentionally gaining physical access to IS resources.
Deliberate: Unauthorized personnel may deliberately gain access for which they are not permitted.
Losses: Improper physical access to IS resources may result in losses to the organization.

Physical Security Control Techniques
Choosing and Designing a Secure Site
Local considerations: What is the local rate of crime?
External services: The relative proximity of local emergency services.
Visibility: Facilities such as data centres should not be visible or identifiable from the outside, i.e. no windows or directional signs.
Windows: Windows are normally not acceptable in a data centre (if they exist they must be translucent & shatterproof) to avoid data leakage through electromagnetic radiation emitted by monitors.
Doors: Doors in the computer centre must resist forcible entry and have a fire-rating equal to the walls. Emergency exits must be clearly marked and monitored or alarmed.
Security Management
Controlled user registration procedure: Rights of physical access are given only to persons entitled thereto, based on the principle of least privilege.
Audit trails: Audit trails and access control logs are vital because management needs to know when access attempts occurred and who attempted them. These must record:
• The date and time of the access attempt
• Whether the attempt was successful or not
• Where the access was granted
• Who attempted the access
• Who modified the access privileges
Reporting and incident handling procedure: Once an unauthorized event is detected, appropriate procedures should be in place to enable reporting. The security administrator should be kept notified.
Emergency Procedures: The implementation of emergency procedures and employee training and knowledge of these procedures is an important part of administrative physical controls. These procedures should be clearly documented, readily accessible (including copies stored off-site in the event of a disaster), and updated periodically.
Human Resource Controls: These include providing identity cards, providing training in physical security, monitoring behaviour etc. One of the most important controls is the process of providing access cards to employees, vendor personnel working onsite and visitors.
Perimeter Security
Guards: Guards are commonly deployed in perimeter control, depending on cost and sensitivity of the resource to be secured. While guards are capable of applying subjective intelligence, they are also subject to the risks of social engineering.
Dogs: They are reliable, and have a keen sense of smell and hearing, but can't make judgement calls.
Compound Walls and Perimeter Fencing: Securing against unauthorized boundary access helps in deterring casual intruders. Ineffective against a determined intruder.
Lighting: Extensive outside lighting of entrances or parking areas can discourage casual intruders.
Dead Man Doors: A pair of doors. The first entry door must close and lock so that only one person is permitted. Used to reduce the risk of piggybacking.
Bolting Door Locks: Require a traditional metal key to gain entry.
Combination or Cipher Locks: Use a numeric keypad or dial to gain entry.
Electronic Door Locks: Use electronic card readers, smart card readers or optical scanners to gain entry. They have the following advantages:
•Provide a higher level of security than other locks.
•Distinguish between various categories of users.
•Restricted through a special internal code.
•Duplication is difficult.
•Can be deactivated from a central electronic control mechanism.
•Include card swallow, which after a number of failed attempts activates an audible alarm.
Biometric Door Locks: Enable access based on physiological features such as voice, fingerprint, hand geometry, retina scan etc., and are known as the more sophisticated method. High cost of acquisition, implementation and maintenance; it is time consuming.
Perimeter Intrusion Detectors
Photoelectric Sensors: Photoelectric sensors receive a beam of light from a light-emitting device, creating a grid of white light, or invisible infrared light. An alarm is activated when the beams are broken.
Dry Contact Switches: Metallic foil tape on windows or metal contact switches on doorframes to detect when a door or window has been opened.
Video Cameras: Provide preventive and detective control. They have to be supplemented by security monitoring and guards for taking corrective action.
Identification Badge: Special identification badges such as employee cards, privileged access passes, and visitor passes etc. enable tracking movement of personnel.
Manual Logging: All visitors to the premises are prompted to sign a visitors' register/log.
Electronic Logging: Records the date and time of entry and exit of the cardholder by requiring the person to swipe the card; can be made with electronic or biometric devices.
Controlled Single Point Access: Identifying and eliminating or disabling entry from all entry points except one.
Controlled Visitor Access: A pre-designated responsible employee or security staff escorts all visitors.
Bonded Personnel: Contractors or employees being required to execute a financial bond. Such a bond does not improve security but reduces the financial impact due to improper access/misuse of information resources.
Wireless Proximity Readers: The card reader senses the card in possession of a user in the general area (proximity) and enables faster access.
Alarm Systems/Motion Detectors: Provide detective controls and highlight security breaches to prohibited areas.
Secured Distribution Carts: One of the concerns in batch output control is to get the printed hardcopy reports (which may include confidential materials) securely to the intended recipients. Distribution trolleys with fixed containers secured by locks; the respective user team holds the keys of the relevant container.
Cable Locks: Plastic-covered steel cable that chains a PC, laptop or peripherals to the desk or other immovable objects.
Port Controls: Devices that secure data ports (such as a floppy drive or a serial or parallel port) and prevent their use.
Switch Controls: Cover for the on/off switch.
Peripheral Switch Controls: Lockable switches that prevent a device such as a keyboard from being used.
Biometric Mouse: Specially designed mouse usable only by pre-determined/pre-registered persons based on their physiological features.
Laptop Security: Cable locks, biometric mice/ fingerprint/iris recognition and encryption of the data available to protect laptops and the data therein.
Smart Cards
Photo-Image Cards: Simple identification cards with the photo of the bearer.
Digital-Coded Cards: Contain chips or magnetically encoded strips. The card reader may be programmed to accept or deny entry based on an online access control computer.
Wireless Proximity Readers: The card reader senses the card in possession of a user in the general area (proximity) and enables access.

Auditing Physical Access Controls
Auditing physical access requires that the auditor review the physical access risks and controls to form an opinion on the effectiveness of these controls. This involves risk assessment, review of documentation and testing of controls.
Risk Assessment: The auditor should satisfy himself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and exposures.
Controls Assessment: The auditor, based on the risk profile, evaluates whether physical access controls are in place and adequate to protect the IS assets against the risks.
Review of Documentation: Planning for review of physical access controls requires examination of relevant documentation such as the security policy and procedures, premises plans, building plans, etc.
Testing of Controls: This involves:
• Tour of organizational facilities: Computer storage rooms, Communication closets, Backup and Off-site facilities, Printer rooms, Disposal yards and bins, All points of entry/exit, Glass windows and walls.
• Interviewing personnel to get information on procedures.
• Observation of safeguards and physical access procedures.
• Review of physical access procedures including user registration and authorization, special access authorization, logging, periodic review, supervision etc.
• Employee termination procedures should provide for withdrawal of rights such as retrieval of physical devices (smart cards, access tokens), deactivation of access rights and its appropriate communication to relevant constituents in the organization.
• Examination of physical access logs and reports, including examination of incident reporting logs and problem resolution reports.
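An added example (not from the ChartBook) of examining a physical access log of the kind the audit-trail requirement under Security Management describes (when, who, where, and whether the attempt succeeded): it flags repeated denied attempts, entries granted to a badge that should have been deactivated on termination, and after-hours entries to the server room. The log lines, the revoked-badge list, the permitted hours and the denial threshold are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed badge-reader log (not real data). Columns follow the audit-trail
# requirement: date/time, who, where, and whether the attempt succeeded.
ACCESS_LOG = """timestamp,badge,holder,door,result
2024-06-03 08:02:11,B101,alice,server_room,granted
2024-06-03 08:05:40,B207,mallory,server_room,denied
2024-06-03 08:05:52,B207,mallory,server_room,denied
2024-06-03 08:06:07,B207,mallory,server_room,denied
2024-06-03 23:41:19,B118,carl,server_room,granted
2024-06-04 09:15:03,B133,erin,server_room,granted
"""

REVOKED_BADGES = {"B133"}                        # badges that should already be deactivated
SERVER_ROOM_HOURS = (time(7, 0), time(20, 0))    # assumed permitted window
DENIAL_THRESHOLD = 3                             # assumed: repeated denials worth a finding


def review_access_log(log_csv, revoked, hours=SERVER_ROOM_HOURS):
    """Walk the log in time order and return (holder, finding) tuples."""
    findings = []
    denials = Counter()
    for row in csv.DictReader(io.StringIO(log_csv)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        who, door, badge = row["holder"], row["door"], row["badge"]
        if row["result"] == "denied":
            denials[badge] += 1
            if denials[badge] == DENIAL_THRESHOLD:     # report once, on the Nth denial
                findings.append((who, f"{DENIAL_THRESHOLD} denied attempts at {door}"))
            continue
        # a granted entry: check the badge was still valid and the time was permitted
        if badge in revoked:
            findings.append((who, f"revoked badge {badge} granted entry to {door}"))
        if not hours[0] <= ts.time() <= hours[1]:
            findings.append((who, f"after-hours entry to {door} at {ts}"))
    return findings


def demo():
    return review_access_log(ACCESS_LOG, REVOKED_BADGES)


if __name__ == "__main__":
    for holder, msg in demo():
        print(f"{holder}: {msg}")
```

The revoked-badge check is the bridge to the termination bullet above: the auditor compares the badges that HR says should have been retrieved or deactivated with the badges the reader actually accepted.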
Environmental Controls
Environmental threats to information assets include threats primarily relating to facilities and supporting infrastructure, which house and support the computing equipment, media and people. The IS Auditor should review all factors that adversely affect confidentiality, integrity and availability of the information, due to undesired changes in the environment or ineffective environmental controls.
Objectives of Environmental Controls
The objectives are the same as discussed in the section on physical controls. From the perspective of environmental exposures and controls, assets may be categorized as:
• Hardware and Media
• Information Systems Supporting Infrastructure or Facilities
• Documentation
• Supplies
• People
Environmental Threats and Exposures
Exposures from environmental threats may lead to total or partial loss of computing facilities, equipment, documentation and supplies, causing loss or damage to organizational data and information and, more importantly, people. It may significantly and adversely impact the availability, integrity and confidentiality of information.
Natural Threats and Exposures
• Natural disasters such as earthquakes, floods, volcanoes, hurricanes and tornadoes
• Extreme variations in temperature such as heat or cold, snow, sunlight, etc.
• Static electricity
• Humidity, vapours, smoke and suspended particles
• Insects and organisms such as rodents, termites and fungi
• Structural damages due to disasters
• Pandemic due to virus etc.
Man-made Threats and Exposures
• Fire due to negligence and human action
• Threats from terrorist activities
• Power: uncontrolled/unconditioned power, blackout, transients, spikes, surges, low voltage
• Equipment failure
• Failure of Air-conditioning, Humidifiers, Heaters
• Structural damages due to human action/inaction and negligence
• Electrical and Electromagnetic Interference (EMI) from generators, motors
• Radiation
• Chemical/liquid spills or gas leaks due to human carelessness or negligence
• Food particles and residues, undesired activities in computer facilities such as smoking
Techniques of Environmental Controls
The IS supporting infrastructure and facilities should provide the conducive environment for the effective and efficient functioning of the information processing facility (IPF). Based on the risk assessment, computing equipment, supporting equipment, supplies, documentation and facilities should be appropriately protected to reduce the level of risks from environmental threats.
Choosing and Designing a Safe Site
Natural disasters: While establishing IPF, organization should consider issues related to probability of natural disaster.
Windows: Not acceptable in the data centre. If they exist, they must be translucent and shatterproof.
Doors: Must resist forcible entry and have a fire-rating equal to the walls.
Facilities Planning
As part of facilities planning, the security policy should provide for specific procedures for analysis and approval of facilities building and refurbishment plan. The documentation of physical and geographical location and arrangement of computing facilities and environmental security procedures should be modified promptly for any changes thereto. Access to such documentation should be strictly controlled.

Walls: Walls must have acceptable fire rating.
Ceilings: Issues of concern regarding ceilings are the weight-bearing rating and the fire rating.
Floors: If the floor is a concrete slab, the concerns are the physical weight it can bear and its fire rating. Electrical cables must be enclosed in metal conduit, and data cables must be enclosed in raceways. Ideally, an IPF should be located between floors and not at or near the ground floor, nor should it be located at or near the top floor.
Fire-resistant walls, floors and ceilings: The construction of IPF should use fire resistant materials for walls, floors and ceilings.
Concealed protective wiring: Power and communication cables should be laid in separate fire-resistant panels and ducts.
Media protection: Location of media libraries, fireproof cabinets, kind of media used (fungi resistant, heat resistant).
Emergency Plan
Disasters can cause environmental threats and to mitigate these risks, organizations should have evacuation plans, prominently display evacuation paths, and establish reporting procedures. Regular inspections, testing, and supervision of environmental controls should be carried out, with results escalated as needed. Emergency evacuation plans should account for the layout of premises, shut down of equipment, and activation of fire suppression systems. Incident handling procedures and protocols should also be included in administrative procedures.
www.prokhata.com 75
CA Rajat Agrawal
Module - 5 Protection of Information Assets Chapter 3 Physical and Environmental Controls
Maintenance Plans
MTBF and MTTR: A comprehensive maintenance and inspection plan is critical to the success of environmental security and controls. Failure modes of each utility and risks of utility failure should be identified, parameterized and documented. This includes estimating the MTBF (Mean Time Between Failures) and MTTR (Mean Time to Repair). Planning for environmental controls would need to evaluate alternatives with low MTBF or installing redundant units. Stocking spare parts on site and training maintenance personnel can reduce MTTR. It is better that MTBF should be high and MTTR should be low.
Ventilation and Air Conditioning
Controlled temperature in the IPF is crucial for the maintenance of internal components of equipment and processing. Dedicated power circuits for air conditioning units should be installed, and intake vents should be protected to prevent toxins from entering the facility.
Power Supplies
Many aspects may threaten the power system, the most common being noise and voltage fluctuations. Noise in power systems refers to the presence of electrical radiation in the system. There are several types of noise, the most common being electromagnetic interference (EMI) and radio frequency interference (RFI). Voltage fluctuations are classified as Sag (momentary low voltage), Brownout (prolonged low voltage), Spike (momentary high voltage), Surge (prolonged high voltage) and Blackouts (complete loss of power).

Uninterruptible power supply (UPS)/generator: UPS consists of battery backup that interfaces with the external power. On interruption in external power supply, the power continues to be supplied from the battery. UPS can be on-line or off-line, but for a computerized environment, on-line UPS is mandated.
Electrical surge protectors/line conditioners: Cleanse the incoming power supply of such quality problems and deliver clean power for the equipment. These are the most effective control to protect against short-term reduction in electrical power as well as against a high-voltage power burst.
Power leads from two sub-stations: Electric power lines may be exposed to many environmental and physical threats. To protect against such exposures, redundant power lines from a different grid supply should be provided for. Interruption of one power supply should result in the system immediately switching over to the stand-by line.
Fire Detection and Suppression System
Improper maintenance of temperature leads to damage of internal components.

Smoke and Fire Detectors: Smoke and fire detectors activate audible alarms or fire suppression systems on sensing a particular degree of smoke or fire. Such detectors should be placed at appropriate places, above and below the false ceiling, in ventilation and cabling ducts. In case of critical facilities, such devices must be linked to a monitoring station (such as fire station). Smoke detectors should supplement and not replace fire suppression systems.
Fire Alarms: Manually activated fire alarm switches should be located at appropriate locations, prominently visible and easily accessible in case of fire (but should not be easily capable of misuse during other times).
Emergency Power Off: When the necessity of immediate power shutdown arises, emergency power-off switches should be provided. There should be one within the computer facility and another just outside the computer facility. Such switches should be easily accessible.
Water Detectors: Risks to IPF equipment from flooding and water logging can be controlled by use of water detectors placed under false flooring or near drain holes.
Fire Suppression Systems: Rated as either Class A, B, or C based upon their material composition. Fires caused by common combustibles (like wood, cloth, paper, rubber, most plastics) are classed as Class A and are suppressed by water or soda acid (or sodium bicarbonate). Fires caused by flammable liquids and gases are classed as Class B and are suppressed by Carbon Dioxide (CO2), soda acid, or FM200. Electrical fires are classified as Class C fires and are suppressed by Carbon Dioxide (CO2) or FM200. Fires caused by flammable chemicals and metals (such as magnesium and sodium) are classed as Class D and are suppressed by Dry Powder (a special smothering and coating agent). Class D fires usually occur only at places like chemical laboratories and rarely occur in office environments.
(a) Water Based Systems
Wet pipe sprinklers: In this case, sprinklers are provided at various places in the ceiling or on the walls and water is charged in the pipes. As generally implemented, a fusible link in the nozzle melts in the event of a heat rise, causing a valve to open and allowing water to flow.
Dry-pipe sprinklers: In these, the water is not kept charged in pipes but pipes remain dry and upon detection of heat rise by a sensor, water is pumped into the pipes. This overcomes the disadvantage with wet pipe systems of water leakages etc.
Pre-action: It combines both the dry and wet pipe systems by first releasing the water into the pipes when heat is detected (dry pipe) and then releasing the water flow when the link in the nozzle melts (wet pipe).
(b) Gas Based Systems
Carbon dioxide: Discharges CO2, thus effectively cutting off oxygen supply from the air, which is a critical component for combustion. Recommended only in unmanned computer facilities.
FM200: FM200 is an inert gas; it does not damage equipment as water systems do and does not leave any liquid or solid residues. It is not safe for humans as it reduces the levels of oxygen.
Auditing Environmental Controls- Include the following activities:
• Inspect the IPF and examine the construction with regard to the type of materials used for construction by referring to the appropriate documentation.
• Visually examine the presence of water and smoke detectors, examine power supply arrangements to such devices, testing logs, etc.
• Examine location of fire extinguishers, fire-fighting equipment and refilling date of fire extinguishers and ensure they are adequate and appropriate.
• Examine emergency procedures, evacuation plan and marking of fire exits. If considered necessary, the IS Auditor can also require a mock drill to test the preparedness with respect to disaster.
• Examine documents for compliance with legal and regulatory requirements as regards fire safety equipment, external inspection certificate, shortcomings pointed out by other inspectors/auditors.
• Examine power sources and conduct tests to assure quality of power, effectiveness of power conditioning equipment, generators; simulate power supply interruptions to test effectiveness of back-up power.
• Examine environmental control equipment such as air-conditioning, dehumidifiers, heaters, ionizers etc.
• Examine complaint logs and maintenance logs to assess if MTBF and MTTR are within acceptable levels.
• Observe activities in the IPF for any undesired activities such as smoking, consumption of eatables etc.
• As part of the audit procedures, the IS auditor should document all findings as part of working papers. The working papers could include audit assessment, audit plan, audit procedure, questionnaires, interview sheets, inspection charts, etc.

CHAPTER 4:
LOGICAL ACCESS CONTROLS
Objectives of Logical Access Controls
To ensure that authorized users can access the information resources as per their role and responsibilities by providing access on a "need to know and need to do" basis. It is all about protection of information assets in all three states, namely: at rest, in transit and in process.
Paths of Logical Access
Auditor has to identify and document the possible logical access paths permitting access to information resources, which may involve testing security at various systems.
Logical Access Attacks and Exposures
Masquerading: It means disguising or impersonation. It may be attempted through stolen logon IDs and passwords, through finding security gaps in programs, or by bypassing the authentication mechanism.
Piggybacking: Unauthorized access to information by using a terminal that is already logged on with an authorized ID (identification) and left unattended.
Wiretapping: Tapping a communication cable to collect information being transmitted.
Denial of Service: Perpetrator attempts to send multiple session requests, resulting in non-availability of sessions for legitimate users.
Social Engineering: This is an attack on the weakest link, i.e. the human. Different means including spoofing and masquerading result in a person revealing confidential information.
Phishing: User receives a mail requesting to provide information. The mail and link appear to be from the actual originator. Ignorant users click on the link and provide confidential information.
Vishing: Uses a similar technique as Phishing, over telephone.
Key Logger: Perpetrator installs software that captures the key sequence used by the user including login information. There are hardware key loggers available that are connected to the system where the keyboard is attached.
Malware: Captures and transmits the information from a compromised system. Intentionally causes disruption and harm or circumvents or subverts the existing system's function.

Access Control Mechanism
The primary function of logical access control is to allow authorized access and prevent unauthorized access. Access control mechanism is actually a three-step process:
Identification: Identification is a process by which a user provides a claimed identity to the authentication system, such as an account number.
Authentication: Authentication is a mechanism through which the user's claim is verified by the system.
Authorization: The authenticated user is allowed to perform a pre-determined set of actions on eligible resources.
It is necessary to apply access control at each layer of an organization's information system architecture to control and monitor access in and around the controlled area.

Identification Techniques
Identification is a process by which a user provides a claimed identity to the system, such as an account number. Authentication is the process of verifying whether the identity claimed by the user is actually true or false. The three categories of authentication factors are: Something the user knows (e.g., a password), Something the user has (e.g., a token or smart card), and Something the user is (a physical / biometric comparison).
Individual authentication strength increases when multiple authentication technologies and techniques are combined and used. Single-factor authentication uses any one of these authentication factors. Two-factor or dual factor authentication uses two factors and three-factor authentication uses all the three factors. Once the user is authenticated, the system must be configured to validate that the user is authorized (has a valid need-to-know) for the resource and can be held accountable for any actions taken. A default denial policy, where access to the information resource is denied unless explicitly permitted, should be mandated.
Authentication Techniques

1. Passwords and PINs
Password: This is the most common authentication technique that depends on remembered information. Once the system is able to match and is successful for both fields, the system authenticates the user and enables access to resources based on the access control matrix. However, if a match is not successful, the system returns a message (such as "Invalid User-id or password").
Personal Identification Numbers (PINs): Type of password, usually a 4-digit numeric value. The PIN should be randomly generated such that a person or a computer cannot guess it in sufficient time and attempts by using a guess and check method.
2. One-Time Passwords: One-time passwords solve the problems of user-derived passwords. With one-time passwords, each time the user tries to log on he is given a new password. Even if an attacker intercepts the password, he will not be able to use it to gain access because it is good for only one session and a predetermined limited time period. It is more secure.
3. Challenge Response System: User identifies himself to the server by presenting his user ID. Server then responds with a challenge, user types the challenge into the device, device responds with an output, user sends that output to the server. It allows the password to be based on changing input rather than just time.
4. Passphrase: A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase.
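The one-time password and challenge-response exchanges described under points 2 and 3, written out with both the server's and the user's device's side, as an added example that is not part of the original ChartBook. The shared secret, user name and the HMAC-over-a-counter construction are assumptions made for the example; the point it shows is that an intercepted one-time password or a captured challenge response fails when replayed against the next session.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret, as it would be provisioned into a user's OTP token
# or challenge-response device and into the server's user record.
SHARED_SECRET = b"constructed-token-secret-0001"


def otp_for_counter(secret, counter, digits=6):
    """One-time password derived from the shared secret and a moving counter.

    Every login consumes one counter value, so an intercepted OTP is useless
    for the next session, which is the property the text describes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % (10 ** digits):0{digits}d}"


class OtpServer:
    """Server side of one-time password login: remembers the last counter used."""

    def __init__(self, secrets_by_user):
        self._secrets = secrets_by_user
        self._last_counter = {user: -1 for user in secrets_by_user}

    def login(self, user, otp, window=5):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._last_counter[user] + 1
        for counter in range(start, start + window):   # tolerate a few skipped presses
            if hmac.compare_digest(otp_for_counter(secret, counter), otp):
                self._last_counter[user] = counter      # consumed: a replay now fails
                return True
        return False


class ChallengeResponseServer:
    """Server side of the challenge-response exchange described in the text."""

    def __init__(self, secrets_by_user):
        self._secrets = secrets_by_user
        self._pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)     # fresh, unpredictable challenge
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)   # each challenge is usable once
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_response(secret, challenge):
    """What the user's device computes when the challenge is typed into it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo_otp_replay():
    """Returns (first login ok, replay of the same OTP ok, next OTP ok)."""
    server = OtpServer({"alice": SHARED_SECRET})
    first = otp_for_counter(SHARED_SECRET, 0)
    return (server.login("alice", first),
            server.login("alice", first),                      # intercepted and replayed
            server.login("alice", otp_for_counter(SHARED_SECRET, 1)))


def demo_challenge_response():
    """Returns (genuine response ok, captured response replayed against a new challenge ok)."""
    server = ChallengeResponseServer({"alice": SHARED_SECRET})
    first_challenge = server.challenge("alice")
    first_response = device_response(SHARED_SECRET, first_challenge)
    genuine = server.verify("alice", first_response)
    server.challenge("alice")                                   # new session, new challenge
    replayed = server.verify("alice", first_response)
    return genuine, replayed
```

The server never stores or transmits a reusable password: for the OTP it stores only the last accepted counter, and for challenge-response it discards each challenge after one verification, so the captured value has no second use.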
Logon Mechanism

Weaknesses of Logon Mechanism
• Passwords are easily shared.
• Users often advertently or inadvertently reveal passwords.
• Repeated use of the same password.
• If a password is too short or too easy, it can be guessed.
• If a password is too long or too complex, it may be forgotten.

Recommended Practices for Strong Passwords
• System should be configured to force change of password on first login.
• System should be configured to force password change periodically, e.g. once in 60 days.
• System should be configured for minimum age of the password.
• Concurrent logins should not be permitted.
• Passwords should not be too short and should not use name of user, pet names, common words found in dictionary or such other attributes.

Attacks on Logon/Password Systems
Brute Force: Attacker tries out every possible technique to hit on the successful match. The attacker may also use various password cracking software tools that assist in this effort.
Dictionary Attack: Based on the assumption that users tend to use common words as passwords which can be found in a dictionary.
Trojan: Malicious software, can be used to steal access control lists, passwords.
Spoofing Attacks: Attacker plants a Trojan program, which masquerades as the system's logon screen, gets the logon and password information and returns control to the genuine access control mechanism.
Piggybacking: Unauthorized user may wait for an authorized user to log in and leave a terminal unattended. This can be controlled by automatically logging out from the session after a pre-determined period of inactivity.
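The recommended practices above, turned into a small logon service, as an added example that is not part of the original ChartBook. It enforces forced change on first login, periodic expiry (the text's 60 days), minimum password age, no concurrent logins, the generic "Invalid User-id or password" message the text quotes, and an account lockout that stops brute-force and dictionary guessing. The lockout threshold, minimum length, the tiny word list, the clock value and the choice of salted PBKDF2 as the stored hash are assumptions for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values: the 60-day expiry comes from the text; the others are assumptions.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=1)
LOCKOUT_THRESHOLD = 5
DICTIONARY = {"password", "welcome", "summer"}      # constructed stand-in for a word list
GENERIC_ERROR = "Invalid User-id or password"        # the message the text quotes
START_TIME = datetime(2024, 1, 1)                    # constructed clock for the demo


def hash_password(password, salt=None):
    """Salted, slow hash: the stored value is a hash, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_policy_violations(user, password, pet_names=()):
    """Reasons a candidate password breaks the recommended practices."""
    reasons, low = [], password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if user.lower() in low:
        reasons.append("contains user name")
    if any(p.lower() in low for p in pet_names):
        reasons.append("contains pet name")
    if any(word in low for word in DICTIONARY):
        reasons.append("contains dictionary word")
    return reasons


class Account:
    def __init__(self, user, password, now):
        self.user = user
        self.salt, self.digest = hash_password(password)
        self.set_at = now
        self.must_change = True      # force a change on first login
        self.failures = 0
        self.locked = False
        self.session_open = False


class LogonService:
    def __init__(self, now=START_TIME):
        self.now = now
        self.accounts = {}

    def advance(self, days):
        self.now += timedelta(days=days)

    def register(self, user, initial_password):
        self.accounts[user] = Account(user, initial_password, self.now)

    def login(self, user, password):
        acct = self.accounts.get(user)
        # One generic message whether the user-id or the password is wrong, so a
        # failed attempt does not reveal which field was right.
        if acct is None or acct.locked:
            return False, GENERIC_ERROR
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked = True   # brute-force and dictionary guessing stop here
            return False, GENERIC_ERROR
        acct.failures = 0
        if acct.session_open:
            return False, "Concurrent logins are not permitted"
        if acct.must_change:
            return False, "Password must be changed on first login"
        if self.now - acct.set_at > MAX_AGE:
            return False, "Password expired; change required"
        acct.session_open = True
        return True, "OK"

    def logout(self, user):
        self.accounts[user].session_open = False

    def change_password(self, user, old, new, pet_names=()):
        acct = self.accounts[user]
        if not hmac.compare_digest(hash_password(old, acct.salt)[1], acct.digest):
            return False, GENERIC_ERROR
        if not acct.must_change and self.now - acct.set_at < MIN_AGE:
            return False, "Password minimum age not reached"
        violations = password_policy_violations(user, new, pet_names)
        if violations:
            return False, "Weak password: " + ", ".join(violations)
        acct.salt, acct.digest = hash_password(new)
        acct.set_at = self.now
        acct.must_change = False
        return True, "OK"
```

An auditor reviewing a real system would look for each of these checks in its configuration (first-login change, expiry, minimum age, concurrent-session limit, lockout threshold) and confirm that failed logons return the same message regardless of which field was wrong.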
5. Token Based Authentication
Memory tokens: The cards contain visible information such as name, identification number, photograph and such other information about the user and a magnetic strip or memory chip. To gain access to a system, the user in possession of a memory token may be required to swipe his card through a card reader, which reads the information on the magnetic strip/memory token and passes it on to the computer for verification to enable access.
Smart tokens: A small processor chip, which enables storing dynamic information on the card.
6. Biometric Authentication
Biometrics offers authentication based on "what the user is". Biometrics are automated mechanisms, which use physiological and behavioural characteristics to determine or verify identity. Fingerprint, Facial Scan, Hand Geometry, Signature etc. are examples.
Due to the complexity of data, biometrics suffer from two types of error viz. False Rejection Rate (FRR), which is wrongfully rejecting a rightful user, and False Acceptance Rate (FAR), which involves an unauthorized user being wrongfully authenticated as a rightful user. Thus, FRR and FAR tend to be inversely related. An overall metric used is the Crossover/Equal Error Rate, which is the point at which FRR equals FAR.
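How FRR, FAR and the Crossover/Equal Error Rate relate, computed over a constructed set of biometric match scores, as an added example that is not from the original ChartBook. The score values and the 0..100 scale are assumptions; the block sweeps every possible acceptance threshold and shows that raising the threshold lowers FAR while raising FRR, with the crossover at the threshold where the two rates meet.

```python
# Constructed matcher scores on a 0..100 similarity scale (higher = more similar).
GENUINE_SCORES = [88, 92, 75, 81, 95, 67, 84, 90, 72, 86]    # rightful users
IMPOSTOR_SCORES = [30, 45, 62, 28, 70, 55, 40, 35, 48, 66]   # unauthorized users


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FRR: share of rightful users scored below the threshold (wrongly rejected).
    FAR: share of impostors scored at or above it (wrongly accepted)."""
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold and return (threshold, FRR, FAR) at the point
    where FRR and FAR are closest, i.e. the Crossover/Equal Error Rate."""
    best = None
    for threshold in range(0, 101):
        frr, far = error_rates(threshold, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, frr, far)
    return best[1], best[2], best[3]


def trade_off_table(thresholds=(50, 68, 90)):
    """Rows of (threshold, FRR, FAR): tightening the threshold trades FAR for FRR."""
    return [(t, *error_rates(t)) for t in thresholds]
```

For an auditor the useful question is which way the operator has tuned the threshold: a low crossover rate says the matcher separates users well, but a system tuned far below the crossover for convenience accepts more impostors than its headline accuracy suggests.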
Authorization Techniques: Operating Systems
Operating systems are fundamental to providing security to computing systems. The operating system supports the execution of applications and any security constraints defined at that level must be enforced by the operating system. The operating system must also protect itself because compromise would give access to all the user accounts and all the data in their files. Most operating systems use the access matrix as security model. An access matrix defines which processes have what types of access to specific resources. General operating system access control functions include:
• Authentication of the user and User Management
• Restrict Logon IDs to specific workstations and/or specific times
• Manage Password Policy and Account Lockout Policy
• Manage audit policy
• Log events and report capabilities

Pluggable Authentication Modules
• The pluggable authentication module (PAM) framework provides system administrators with the ability to incorporate multiple authentication mechanisms into an existing system.
• Add new authentication service modules without modifying existing applications.
• Use a previously entered password for authentication with multiple modules.
• A general authentication scheme independent of the authentication mechanism may be used.
File Permissions
Every file is owned by a user and can be accessed by its owner, group or public, depending upon access permissions. When a user creates a file or directory, that user becomes the default owner of that file or directory. There are three types of file permissions: read, write and execute.
Access Control Lists (ACL)
When the system receives a request, it determines access by consulting a hierarchy of rules in the ACL. An ACL has one or more access control entries (ACEs), each consisting of the name of a user or a group of users. The user can also be a role name, such as programmer or tester. For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administrator or the object owner creates the access control list for an object.
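The owner/group/public file-permission check and an ACL evaluated through access masks, as an added example that is not from the original ChartBook. The sample file, the ACEs and the rule hierarchy used to resolve them (an explicit deny on a requested bit wins, allows accumulate, and nothing matching means deny by default) are assumptions for the example; real operating systems differ in how they order and resolve entries.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 0b100, 0b010, 0b001   # bits of the rwx triplet / access mask


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int          # e.g. 0o640: owner rw-, group r--, public ---


def unix_allowed(f, user, user_groups, wanted):
    """Owner, group or public: pick the matching rwx triplet and check the bits."""
    if user == f.owner:
        bits = (f.mode >> 6) & 0o7
    elif f.group in user_groups:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & wanted == wanted


@dataclass
class ACE:
    principal: str       # user, group or role name (e.g. "programmer", "tester")
    kind: str            # "user", "group" or "role"
    mask: int            # access mask: which of READ/WRITE/EXEC the entry covers
    allow: bool = True   # False makes it an explicit deny entry


def acl_allowed(acl, user, groups, roles, wanted):
    """Consult the ACEs in order. Assumed rule hierarchy: an explicit deny on any
    wanted bit wins; otherwise allows accumulate; nothing matching means deny."""
    granted = 0
    for ace in acl:
        matches = ((ace.kind == "user" and ace.principal == user)
                   or (ace.kind == "group" and ace.principal in groups)
                   or (ace.kind == "role" and ace.principal in roles))
        if not matches:
            continue
        if not ace.allow and ace.mask & wanted:
            return False
        granted |= ace.mask
    return granted & wanted == wanted


# Constructed objects for the checks below.
PAYROLL = UnixFile(owner="hr_admin", group="hr", mode=0o640)
BUILD_SCRIPT_ACL = [
    ACE("tester", "role", READ),
    ACE("programmer", "role", READ | WRITE | EXEC),
    ACE("contractors", "group", WRITE, allow=False),   # contractors may never modify it
]
```

The `payroll` case shows the three-way owner/group/public split the text describes; the ACL case shows why the review of an ACL must read the whole list, since a later deny entry overrides an earlier allow for the same person.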
Logical Access Control Techniques
Logical Access Controls Policy and Procedures
Access control policy is part of the overall information security policy. It states a set of rules, principles, and practices that determine how access controls are to be implemented.
User Management

User Registration: This is generally done based on the job responsibilities and confirmed by the user's manager. This must be approved by the information owner. The user registration process must answer:
• Why is the user granted the access?
• Has the data owner approved the access?
• Has the user accepted the responsibility?
Privilege User Management: Access privileges are to be aligned with job requirements and responsibilities. These are defined and approved by the information asset owner. In these cases manual monitoring and periodic reviews are compensating controls to correct the situation.
Default Users Management: Applications, operating systems and databases purchased from a vendor have provision for default users with administrative privileges required for implementation and/or maintenance of the application, OS or database. It is expected that these passwords must be changed immediately as soon as the system is implemented. While reviewing these access controls the IS auditor must ensure that these user IDs are either disabled, or passwords have been changed and suitably controlled by the organization.
Password Management:
• Allocation of password, which is generally done by system administrators
• Secure communication of password to the appropriate user
• Force change on first login by the user so as to prevent possible misuse by system administrators
• Storage of password generally should not be done in plain text. Most systems store the password as a hash of the actual password.
• Password expiry must be managed as per policy. Users must change passwords periodically and the system should be configured to expire the password after a predefined period.
User Access Rights Management: Periodic review of users' access rights is an essential process to detect possible excess rights due to changes in responsibilities, emergencies, and other changes. These reviews must be conducted by the information owner; administrators facilitate by providing the available accesses recorded in the system.
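Two of the review steps above (Default Users Management and User Access Rights Management) as audit checks run over a constructed extract of an application's user table, added here as an example that is not from the original ChartBook. The vendor default IDs, the go-live date, the role entitlement matrix and the user records are all constructed; the checks flag an enabled vendor account whose password has not changed since implementation, and users holding rights beyond those approved for their role.

```python
from dataclasses import dataclass
from datetime import date

# Constructed: the date the system went live; default passwords should have
# been changed immediately after this.
IMPLEMENTATION_DATE = date(2023, 1, 15)

# Constructed: default user IDs named in the vendor's installation guide.
VENDOR_DEFAULT_IDS = {"admin", "sysdba"}

# Constructed entitlement matrix approved by the information owner.
ROLE_RIGHTS = {
    "teller": frozenset({"view_account", "post_transaction"}),
    "branch_manager": frozenset({"view_account", "post_transaction", "approve_override"}),
    "dba": frozenset({"db_admin"}),
}


@dataclass
class UserRecord:
    user_id: str
    role: str
    rights: frozenset
    enabled: bool
    last_password_change: date


# Constructed extract of the application's user table.
USERS = [
    UserRecord("admin", "vendor_default", frozenset({"db_admin", "approve_override"}), True, date(2023, 1, 15)),
    UserRecord("sysdba", "vendor_default", frozenset({"db_admin"}), False, date(2023, 1, 15)),
    UserRecord("alice", "teller", frozenset({"view_account", "post_transaction"}), True, date(2024, 2, 1)),
    UserRecord("bob", "teller", frozenset({"view_account", "post_transaction", "approve_override"}), True, date(2024, 1, 20)),
    UserRecord("carol", "branch_manager", ROLE_RIGHTS["branch_manager"], True, date(2024, 2, 10)),
]


def review_default_accounts(users, implementation_date=IMPLEMENTATION_DATE):
    """Vendor default accounts must be disabled, or have had their password
    changed after go-live; anything else is a finding for the working papers."""
    findings = []
    for u in users:
        if u.user_id not in VENDOR_DEFAULT_IDS or not u.enabled:
            continue
        if u.last_password_change <= implementation_date:
            findings.append((u.user_id, "enabled; password not changed since implementation"))
        else:
            findings.append((u.user_id, "enabled; confirm it is controlled"))
    return findings


def review_excess_rights(users, role_rights=ROLE_RIGHTS):
    """Rights beyond the approved matrix for the user's role, e.g. an override
    right left over from an emergency or a change of responsibilities."""
    findings = []
    for u in users:
        if u.user_id in VENDOR_DEFAULT_IDS:
            continue   # covered by the default-account review
        excess = u.rights - role_rights.get(u.role, frozenset())
        if excess:
            findings.append((u.user_id, sorted(excess)))
    return findings
```

Both functions return findings rather than printing them, so the same output can be dropped into the audit working papers or re-run after remediation to confirm the list is empty.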
Network Access Control
Process of managing access for use of network-based services.

Policy on use of network services: An enterprise-wide policy on Internet service requirements, aligned with the business needs for using the Internet services, is the first step.
Segregation of networks: Based on the sensitive information handling function; say, a VPN connection between a branch office and the head office should be isolated from the Internet usage service available to employees.
Network connection and routing control: The traffic between networks should be restricted, based on identification of source and authenticated access policies.
Enforced path: Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; say, for example, Internet access by employees will be routed through a firewall, and hierarchical access levels are maintained for both internal and external user logging.
Clock synchronization: Clock synchronization is a useful control to ensure that event and audit logs maintained across an enterprise are in sync and can be correlated. In modern networks this function is centralized and automated.

Application Access Controls
Applications are the most common assets that access information. Hence it is necessary to control the accesses to applications. Most modern applications provide an independent user and access privilege management mechanism, for example ERP and Core Banking applications. Ideally database administrators and system administrators are the only roles that need to have access to the database and operating system respectively. IS auditors may have to review accesses at all layers i.e. application, database and/or operating systems. The access to information is prevented by application specific menu interfaces, which limit access to system functions. A user is allowed to access only those items he is authorized to access.

Sensitive system isolation: Based on the critical constitution of a system in an enterprise it may even be necessary to run the system in an isolated environment. Monitoring system access and use is a detective control, to check if the preventive controls discussed so far are working. If not, this control will detect and report any unauthorized activities.
Event logging: Maintain extensive logs for all types of events. It is necessary to review if logging is enabled and the logs are archived properly.
Monitor system use: Based on the risk assessment, constant monitoring of some critical systems is essential. The frequency of the review would be based on criticality of operation.

Database Access Controls
DBA can build profiles with settings defined by security policies. These profiles are then assigned to roles defined to perform functions on the database like view, update, delete, commit. These roles are then assigned to users created on the database. Generally these are stored in a user table. Databases also provide storing of a password hash for each user; thus the DBA can access it but may not find out the password of users.
Operating System Access Control

Automated terminal identification: Ensures a particular session could only be initiated from a particular location or computer terminal.
Terminal log-on procedures: The log-on procedure does not provide unnecessary help or information, which could be misused by an intruder.
User identification and authentication: The users must be identified and authenticated in a fool proof manner. Depending on risk assessment, more stringent methods like Biometric Authentication or cryptographic means like Digital Certificates should be employed.
Password management system: An operating system could enforce selection of good passwords. Internal storage of passwords should use one-way encryption algorithms.
Use of system utilities: Programs that help to manage critical functions of the operating system, for example, addition or deletion of users. Obviously, this utility should not be accessible to a general user. Use of and access to these utilities should be strictly controlled and logged.
Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. An example could be forcing a person to withdraw money from the ATM.
Terminal/Session time out: Log out the user if the terminal is inactive for a defined period. This will prevent misuse in absence of the legitimate user.
Limitation of connection time: Define the available time slot. Do not allow any transaction beyond this time period. For example, no computer access after 8.00 p.m. and before 8.00 a.m., or on a Saturday or Sunday.
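Three of the controls above (automated terminal identification, terminal/session time out and limitation of connection time) enforced by a small session manager, as an added example that is not from the original ChartBook. The 8.00 a.m. to 8.00 p.m., weekdays-only window comes from the text; the ten-minute inactivity limit, the terminal-to-user mapping and the timestamps are assumptions for the example.

```python
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(minutes=10)   # assumption: the "defined period" of inactivity
WINDOW_START, WINDOW_END = 8, 20           # 8.00 a.m. to 8.00 p.m., from the text
WORKDAYS = range(0, 5)                     # Monday..Friday; Saturday and Sunday denied

# Constructed: terminals from which each user's sessions may be initiated.
ALLOWED_TERMINALS = {"alice": {"TRM-01", "TRM-02"}, "bob": {"TRM-07"}}

# Constructed timestamps for the checks (2024-01-08 is a Monday, 2024-01-13 a Saturday).
MON_0900 = datetime(2024, 1, 8, 9, 0)
MON_0905 = datetime(2024, 1, 8, 9, 5)
MON_0920 = datetime(2024, 1, 8, 9, 20)
MON_2100 = datetime(2024, 1, 8, 21, 0)
SAT_1000 = datetime(2024, 1, 13, 10, 0)


def within_connection_window(now):
    """Limitation of connection time: weekday and inside the permitted hours."""
    return now.weekday() in WORKDAYS and WINDOW_START <= now.hour < WINDOW_END


class Session:
    def __init__(self, user, terminal, started):
        self.user = user
        self.terminal = terminal
        self.last_activity = started
        self.active = True


class SessionManager:
    def __init__(self):
        self.sessions = {}

    def start(self, user, terminal, now):
        # Automated terminal identification: the session may only begin from
        # a terminal registered for this user.
        if terminal not in ALLOWED_TERMINALS.get(user, set()):
            return False, "terminal not permitted for this user"
        if not within_connection_window(now):
            return False, "outside permitted connection time"
        self.sessions[user] = Session(user, terminal, now)
        return True, "session started"

    def request(self, user, now):
        s = self.sessions.get(user)
        if s is None or not s.active:
            return False, "no active session"
        if now - s.last_activity > INACTIVITY_LIMIT:
            s.active = False                      # forced logout: terminal left unattended
            return False, "session timed out; logged out"
        if not within_connection_window(now):
            s.active = False                      # window closed mid-session
            return False, "connection window closed; logged out"
        s.last_activity = now
        return True, "ok"
```

The time-out is what defeats the piggybacking attack described earlier in this chapter: a terminal left logged on becomes unusable after the inactivity period, whether or not the legitimate user remembered to log out.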
Identity Management and Access Controls
Identity Management, also called IDAM, is the task of controlling the User Access Provisioning Lifecycle on Information Systems. It includes the task of maintaining the identity of a user and the actions they are authorized to perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. The core objective of an IdM system in a corporate setting is: one identity per individual. Once that digital ID has been established, it has to be maintained, modified and monitored throughout what is called the "User access lifecycle." So IdM systems provide administrators with the tools and technologies to change a user's role, to track user activities and to enforce policies.
Privileged Logons
A privileged user is a user who has been allocated powers within the computer system which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users. Privileged access should be assigned based upon function and job necessity and is subject to approval by the information owner.
Single Sign-On (SSO)
Single Sign-On addresses the practical challenge of logging on multiple times to access different resources. In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO can be implemented by using scripts that replay the users' multiple logins or by using authentication servers to verify a user's identity. The most popular are LDAP (Open Source) and Active Directory (AD) (Microsoft directory service based on LDAP), where user groups and roles are defined for every user and accesses are granted based on the access control matrix. Some applications like Kerberos are also available.

Active Directory (AD)
AD is a directory service implemented by Microsoft for Windows domain networks. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network. Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS. The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. A common usage of LDAP is to provide a "single sign on" where one password for a user is shared between many services, such as applying a company login code to web pages.
Kerberos
Kerberos may be one of the best-tested authentication mechanisms available today. Kerberos was intended to have three elements to guard a network's entrance: authentication, accounting, and auditing. Kerberos is effective in open, distributed environments where network connections to other heterogeneous machines are supported and the user must prove identity for each application and service. Kerberos assumes a distributed architecture and employs one or more Kerberos servers to provide an authentication service. This redundancy can avoid a potential single point of failure issue. The primary use of Kerberos is to verify that users are who they claim to be and the network components they use are contained within their permission profile. To accomplish this, a trusted Kerberos server issues "tickets" to users. These tickets have a limited life span and are stored in the user's credential cache.
Weakness of Single Sign-on
• It is a single point of failure. Once a password is compromised, an attacker can have access to all privileges of the user whose password is compromised.
• Vulnerable to password guessing.
• Does not protect network traffic.
• It is difficult to implement.
• Maintaining SSO is tedious and prone to human errors.

Access Controls in Operating Systems
This topic covers how the authorization mechanism is applied to subjects and objects. Subjects of operating systems are (active) entities that communicate with the system and use its resources. Objects, on the other hand, are entities of the operating system that are accessed (requested) by the subject. The access control mechanism should ensure that subjects gain access to objects only if they are authorized to. Depending on areas of usage, there are three types of access control used:

Mandatory access control Discretionary access control Role based access control:
It is a multi-level secure access control In this type of access control, every object has an owner. e owner (subject) grants access to his resources (objects) for other In some environments, it is problematical to determine who the
mechanism. It de nes a hierarchy of levels users and/or groups. ere are two ways how to implement the matrix. Either the system assigns the rights to the objects or to the owner of resources is. In role based systems, users get assigned
of security. A security policy de nes rules subjects. On the other hand capability matrixes are used to store rights together with subjects. In the case of capability matrixes roles based on their functions in that system. ese systems are
by which the access is controlled. we would have to deal with biometrics, so in common operating systems access control lists are used to implement discretionary centrally administered, they are nondiscretionary. An example
access control. is a hospital.
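The three decision rules above, each reduced to a small check, as an added example that is not part of the chartbook; the security levels, subjects, objects and hospital roles are constructed sample data.

```python
"""Added example (not from the chartbook): the three access control decision
rules described above, each reduced to a small check.  The security levels,
subjects, objects and hospital roles are constructed sample data.

Mandatory:     a hierarchy of levels and a policy rule decide, not the owner.
Discretionary: every object has an owner who grants rights; the rights are
               stored in an access control list kept with the object.
Role based:    users are assigned roles for their function; permissions
               attach to roles and are administered centrally.
"""
from dataclasses import dataclass, field

# ---- Mandatory access control: hierarchy of security levels ------------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """Policy rule: a subject may read an object only if its clearance is at
    least as high as the object's classification."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# ---- Discretionary access control: owner grants rights via an ACL --------
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of rights

    def grant(self, granter: str, principal: str, right: str) -> bool:
        """Only the owner may grant rights; returns False for anyone else."""
        if granter != self.owner:
            return False
        self.acl.setdefault(principal, set()).add(right)
        return True

def dac_allowed(obj: DacObject, principal: str, right: str) -> bool:
    """The owner always has full rights; everyone else needs an ACL entry."""
    if principal == obj.owner:
        return True
    return right in obj.acl.get(principal, set())

# ---- Role based access control: the hospital example -------------------
ROLE_PERMISSIONS = {
    "doctor": {"read_record", "write_record", "prescribe"},
    "nurse": {"read_record", "write_record"},
    "billing": {"read_invoice", "write_invoice"},
}
USER_ROLES = {"alice": {"doctor"}, "bob": {"nurse"}, "carol": {"billing"}}

def rbac_allowed(user: str, permission: str) -> bool:
    """Authorised if any role held by the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

def rbac_revoke_from_role(role: str, permission: str) -> None:
    """Central administration: changing the role changes every holder of it
    with no per-user edits, which is why the model is nondiscretionary."""
    ROLE_PERMISSIONS[role].discard(permission)
```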
Audit Trail
The primary objective of access controls is to fix accountability for the activities performed on the system on the individual user who performed them. This can be done only by generating and reviewing activity logs. Logs are also called the 'audit trail'. It is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to the output of final results. Because of their importance, audit logs should be protected at the highest level of security in the information system.

Review of the audit trail helps identify:
• Internal and external attempts to gain unauthorized access to a system
• Patterns and history of accesses
• Unauthorized privileges granted to users
• Occurrences of intrusions and their resulting consequences
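An audit trail review that looks for the four kinds of finding listed above, as an added example that is not from the chartbook; the line layout and every log line are constructed for this illustration.

```python
"""Added example (not from the chartbook): reviewing an audit trail for the
four kinds of finding listed above.  The line format and every log line are
constructed for this illustration; a real system's log layout will differ.

Line layout: <timestamp> <event> key=value ...
"""
from collections import Counter, defaultdict

# Constructed sample audit trail.
AUDIT_LOG = """\
2024-03-01T09:00:01 LOGIN user=alice src=10.0.0.5 result=ok
2024-03-01T09:00:07 LOGIN user=bob src=10.0.0.9 result=ok
2024-03-01T09:01:10 LOGIN user=admin src=203.0.113.7 result=fail
2024-03-01T09:01:12 LOGIN user=admin src=203.0.113.7 result=fail
2024-03-01T09:01:15 LOGIN user=admin src=203.0.113.7 result=fail
2024-03-01T09:01:19 LOGIN user=admin src=203.0.113.7 result=fail
2024-03-01T09:05:00 PRIV_GRANT user=bob target=carol privilege=dba ticket=CHG-100
2024-03-01T09:06:00 PRIV_GRANT user=bob target=bob privilege=dba
2024-03-01T09:10:00 FILE_READ user=carol target=/finance/payroll.xlsx result=ok
2024-03-01T09:11:00 FILE_READ user=alice target=/finance/payroll.xlsx result=fail
2024-03-01T09:12:00 FILE_READ user=bob target=/finance/payroll.xlsx result=ok
"""

def parse(log):
    """Turn each line into a dict with ts, event and the key=value fields."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"ts": parts[0], "event": parts[1]}
        for token in parts[2:]:
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records

def failed_access_attempts(records, threshold=3):
    """Attempts to gain unauthorized access: (user, source) pairs with at
    least `threshold` failed logins."""
    fails = Counter((r.get("user"), r.get("src")) for r in records
                    if r["event"] == "LOGIN" and r.get("result") == "fail")
    return {pair: n for pair, n in fails.items() if n >= threshold}

def access_history(records):
    """Patterns and history of accesses: what each user touched, in order."""
    history = defaultdict(list)
    for r in records:
        if r["event"] == "FILE_READ":
            history[r["user"]].append((r["target"], r["result"]))
    return dict(history)

def unauthorized_privilege_grants(records):
    """Unauthorized privileges granted to users: grants without a change
    ticket, or where the granter gives the privilege to themselves."""
    return [r for r in records if r["event"] == "PRIV_GRANT"
            and ("ticket" not in r or r["user"] == r["target"])]

def intrusion_consequences(records):
    """Occurrences of intrusions and their consequences: reconstruct the
    sequence of events after a suspect grant by listing what the grantee
    then read successfully."""
    suspect_since = {r["target"]: r["ts"]
                     for r in unauthorized_privilege_grants(records)}
    consequences = defaultdict(list)
    for r in records:
        if (r["event"] == "FILE_READ" and r.get("result") == "ok"
                and r["user"] in suspect_since
                and r["ts"] > suspect_since[r["user"]]):
            consequences[r["user"]].append(r["target"])
    return dict(consequences)

RECORDS = parse(AUDIT_LOG)
```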
Auditing Logical Access Controls
Following are some of the factors that are critical while evaluating logical access controls:
• Understanding of an organization’s information security framework
• Selection and implementation of appropriate access controls
• Top management’s commitment
• Management controls
• Explicit access permission to information or systems
• Periodic review / audit of access permission

Audit Test Procedures

• Evaluate whether logical access policies and standards exist and are effectively communicated and implemented.
• Interview information owners, users and custodians to evaluate their knowledge and skills on implementation of logical access controls.
• Evaluate the existence and implementation of procedures and mechanisms for logical access to ensure protection of organizational information assets.
• Evaluate the various logical security techniques and mechanisms for their effective implementation, operation and administration.
• Test the effectiveness and efficiency of logical access controls.
• Test the appropriateness of system configuration and parameter settings.
• Evaluate and review the documentation of controls over privileged and special purpose logons.
• Evaluate mechanisms for vulnerability analysis in access control features and software.

CHAPTER 5:
NETWORK SECURITY CONTROLS
Network related controls are important since the network is the first layer of the architecture and is generally the focus of an attacker. Therefore networks are also far more vulnerable to external and internal threats than are standalone systems. Organization level general controls like physical security (cables, intruders trying to connect to the network), environmental security (ensuring segregation between electrical and data cables, protecting cables from rodents), access controls and security policies (acceptable usage of the Internet) are applicable to network security. In addition, one needs to look at network specific controls.
Network Threats and Vulnerabilities
Objective of Network Security Controls: There are three main objectives of network security controls.
Confidentiality: Maintaining the confidentiality and privacy of information and information assets.
Integrity: Maintaining the accuracy and completeness of information and information assets.
Availability: Keeping the information and network resources available to the authorised stakeholders.

1. Information Gathering
A serious attacker will spend a lot of time obtaining as much information as s/he can about the target before launching an attack. The techniques to gather information about the networks are examined below:
Port scan: An easy way to gather information is to use a port scanner. For a particular IP address, it reports which ports respond to messages and which of several known vulnerabilities seem to be present.
Social engineering: Involves using social skills and personal interaction to get someone to reveal security-relevant information.
Reconnaissance: Gathering discrete bits of information from various sources and then putting them together to make a coherent picture. Ex: Dumpster diving, which means looking through items that have been discarded in garbage bins or waste paper baskets. One might find network diagrams, printouts of security device configurations, system designs and source code, telephone and employee lists, and more. Reconnaissance may also involve eavesdropping.
Operating system and application fingerprinting: Here the attacker wants to know which commercial server application is running, what version, and what the underlying operating system and version are. While the network protocols are standard and vendor independent, each vendor has implemented the standard independently, so there may be minor variations in interpretation and behaviour.
Bulletin boards and chats: Support exchange of information among the hackers.
Documentation: Vendors themselves sometimes distribute information that is useful to an attacker.
Malware: Attackers use malware like viruses or worms to scavenge the system and receive information over the network.

2. Exploiting communication subsystem vulnerabilities
Eavesdropping and wiretapping: An attacker (or a system administrator) is eavesdropping by monitoring all traffic passing through a node. (The administrator might have a legitimate purpose, such as watching for inappropriate use of resources.) A more hostile term is wiretap, which means intercepting communications through some effort. Passive wiretapping is just "listening," just like eavesdropping. But active wiretapping means injecting something into the communication stream.
Microwave signal tapping: An attacker can intercept a microwave transmission by interfering with the line of sight between sender and receiver. It is also possible to pick up the signal from an antenna located close to the legitimate antenna.
Satellite signal interception: The potential for interception in satellite communication is high, but due to multiplexed communication the cost of extracting a message is also high.
Wireless: Threats arise from the ability of intruders to intercept and spoof a connection. Wireless signals are strong up to 60 meters.
Optical fiber: It is not possible to tap an optical system without detection because optical fiber carries light energy, which does not emanate a magnetic field.
Zombies and BOTnet: BOTnet is a term (robotic network) used for a virtual network of zombies. The BOTnet operator launches malware/virus on a system that, once activated, remains on the system and can be activated remotely. Zombies have been used extensively to send e-mail spam. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth.

3. Protocol Flaws
Internet protocols are publicly posted for scrutiny. Many problems with protocols have been identified by reviewers and corrected before the protocol was established as a standard. These flaws can be exploited by an attacker. For example, FTP is known to transmit communication, including user id and password, in plain text.

4. Impersonation
To impersonate another person or process. An impersonator may foil authentication by any of the following means:
Authentication foiled by guessing: Guess the identity and authentication details of the target by using common passwords, the words in a dictionary, variations of the user name, default passwords, etc.
Authentication foiled by eavesdropping or wiretapping: Account and authentication details are passed on the network without encryption; they are exposed to anyone observing the communication.
Authentication foiled by avoidance: A flawed operating system may be such that the buffer for typed characters in a password is of fixed size, counting all characters typed, including backspaces for correction. If a user types more characters than the buffer would hold, the overflow causes the operating system to by-pass password comparison.
Non-existent authentication: Some systems have "guest" or "anonymous" accounts to allow outsiders to access things the systems want to release to the public. These accounts allow access to unauthenticated users.
Well-known authentication: One system administration account is installed having a default password. Administrators fail to change the passwords or delete these accounts, creating a vulnerability.
Spoofing and masquerading: Both of them are impersonation.
Session hijacking: Session hijacking is intercepting and carrying on a session begun by another entity. In this case the attacker intercepts the session of one of the two entities. In an e-commerce transaction, just before a user places his order and gives his address, credit card number etc., the session could be hijacked by an attacker.
Man-in-the-middle attack: A man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established.

5. Message Confidentiality Threats
Mis-delivery: Message mis-delivery happens mainly due to congestion at network elements, which causes communication buffers to overflow and packets to be dropped. Sometimes messages are mis-delivered because of some flaw in the network hardware or software. Occasionally, however, a destination address will be modified or some router or protocol will malfunction, causing a message to be delivered to someone other than the intended recipient. All of these "random" events are quite uncommon.
Exposure: The content of a message may be exposed in temporary buffers, at switches, routers, gateways, and intermediate hosts throughout the network.
Traffic analysis (or traffic flow analysis): Sometimes not only is the message itself sensitive but the fact that a message exists is also sensitive.

6. Message Integrity Threats
• Changing some or all of the content of a message
• Replacing a message entirely, including the date, time, and sender/receiver identification
• Reusing (replaying) an old message
• Combining pieces of different messages into one false message
• Changing the apparent source of a message
• Redirecting or destroying or deleting a message
Attacks: Active wiretap, Trojan horse impersonation, Compromised host.
7. Web Site Defacement
Web sites are designed so that their code is downloaded and executed in the client (browser). This enables an attacker to obtain the full hypertext document and all programs and referenced programs embedded in the browser. Most websites have quite a few common and well known vulnerabilities that an attacker can exploit.

8. Denial of Service
Connection flooding: This is the oldest type of attack, where an attacker sends more data than what a communication system can handle, thereby preventing the system from receiving any other legitimate data. Even if an occasional legitimate packet reaches the system, communication will be seriously degraded.
Ping of death: Ping is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim. It is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine.
Traffic redirection: A router is a device that forwards traffic on its way through intermediate networks between a source host's network and a destination's. So if an attacker can corrupt the routing, traffic can disappear.
DNS attacks: By corrupting a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure that packets intended for a particular host never reach their destination.
Distributed Denial of Service: In a distributed denial of service (DDoS) attack, more than one machine is used by the attacker to attack the target. These multiple machines are called zombies; they act on the direction of the attacker and they don't belong to the attacker.

Threats from Cookies, Scripts and Active or Mobile Code
Cookies: Cookies are NOT executable. They are data files created by the server that can be stored on the client machine and fetched by a remote server, usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie's legitimate owner.
Scripts: Clients can invoke services by executing scripts on servers. A malicious user can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and then how the server reacts. The common scripting languages for web servers, CGI (Common Gateway Interface) and Microsoft's Active Server Pages (ASP), have vulnerabilities that can be exploited by an attacker.
Active code: Active code or mobile code is a general name for code that is downloaded from the server by the client and executed on the client machine. The popular types of active code languages are Java, JavaScript, VBScript and ActiveX controls. Such executable code is also called an applet. A hostile applet is downloadable code that can cause harm on the client's system. Because an applet is not screened for safety when it is downloaded, and because it typically runs with the privileges of its invoking user, a hostile applet can cause serious damage.

CURRENT TRENDS IN ATTACKS

Exploiting Application Vulnerabilities
Applications that can be accessed from the Internet and/or intranet might contain vulnerabilities and can compromise the security of information.

Advanced Persistent Threat (APT)
Since the malware is specifically written, antivirus may not be able to detect it. This malware is designed to send small bits of information from the system to the attacker without getting detected by network based controls like anomaly detection, traffic analysis etc. The attack continues for a longer duration till all the required confidential information about the organization is received by the attacker.

OWASP TOP 10 SECURITY THREATS

Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Broken authentication: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens.
Cross-site scripting (XSS): The application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure deserialization: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Security misconfiguration: Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
Sensitive data exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
Broken access control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data.
XML external entities (XXE): External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Using components with known vulnerabilities: Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient logging & monitoring: Insufficient logging and monitoring, and missing or ineffective integration with incident response, allow attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
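Two of the items above, injection and XSS, share one root cause: untrusted data handed to an interpreter. The following added example (not the chartbook's or OWASP's code) shows each in its vulnerable and hardened form; the in-memory SQLite table, the accounts and the inputs are constructed.

```python
"""Added example (not from the chartbook or OWASP): the two items above in
which untrusted data reaches an interpreter, each shown in its vulnerable and
hardened form.  The in-memory SQLite table, the accounts and the inputs are
constructed for this illustration.
"""
import html
import sqlite3

def setup_db():
    """Constructed user table standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

# ---- Injection: untrusted data sent to the SQL interpreter --------------
def login_vulnerable(conn, name, password):
    """The query is built by string formatting, so the interpreter cannot
    tell where the data ends and the command begins."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, name, password):
    """Parameterised query: the values are bound to placeholders and are
    never parsed as SQL, whatever characters they contain."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

# ---- XSS: untrusted data sent to the browser without escaping -----------
def greeting_vulnerable(display_name):
    """Raw interpolation: markup in the name is rendered by the browser."""
    return "<p>Welcome, %s</p>" % display_name

def greeting_hardened(display_name):
    """html.escape turns <, >, &, " and ' into entities, so the browser
    shows the text instead of executing it."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)
```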

Network Security Control Mechanism - Network Architecture

Segmentation/zoning: A more secure design will use multiple segments. Separate segments and servers reduce the potential harm should any subsystem be compromised.
Redundancy: Another key architectural control is redundancy, allowing a function to be performed on more than one node. Instead of having a single web server, a better design would have two servers using a "failover mode". If one server is used and that server is down for some reason, the whole application is not available.
Eliminate single points of failure: Good network architecture provides for its availability by eliminating single points of failure. This is true for all critical components, including servers, network devices and communication channels in a network, that will compromise its availability if they fail.

Cryptography:
Method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it. The two essential elements of cryptography are the algorithm and the key.

Types of Cryptography
Symmetric key cryptography: Encryption methods in which both the sender and receiver share the same key.
Asymmetric key cryptography: A pair of keys is used to encrypt and decrypt messages. A public key is used for encryption and a private key is used for decryption.
Hash function: Used to map data of arbitrary size to fixed-size values; one-way encryption.

Quantum Cryptography
Science of exploiting quantum mechanical properties to perform cryptographic tasks. The best-known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem.

Public Key Infrastructure (PKI)
Digital Certificates: A certificate is used to verify that a public key belongs to an individual or web site. Signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
Contents of a Typical Digital Certificate: Serial number, Subject, Signature, Issuer, Valid-from, Valid-to, Public key, Thumbprint algorithm, Thumbprint.
Digital Signatures: Process that guarantees that the contents of a message have not been altered in transit. When you, the server, digitally sign a document, you add a one-way hash (encryption) of the message content using your private key.
Controller of Certifying Authority
• The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of India (RCAI) to digitally sign the public keys of Certifying Authorities (CA) in the country.
• The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a licensed CA issued a given certificate.
Certifying Authority (CA): Trusted Third Parties (TTP) that verify and vouch for the identities of entities in the electronic environment.
Certificate Revocation List (CRL): The list enumerates revoked certificates along with the reason(s) for revocation. The CRL file is itself signed by the CA to prevent tampering.

Application of Cryptographic Systems
To address security concerns, we have cryptographic systems like:
Secure Socket Layer (SSL) / Transport Layer Security (TLS): Provide a secure channel between two machines operating over the Internet or an internal network. The SSL protocol is typically used when a web browser has to securely connect to a web server over the inherently insecure Internet.
Transport Layer Security (TLS) handshake:
• Browser: Browser connects to a web server (website) secured with SSL. Browser requests that the server identify itself.
• Server: Server sends a copy of its SSL certificate, including the server's public key.
• Browser: Browser checks the certificate root against a list of trusted CAs. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key, encrypted with the server's public key.
• Server: Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
• Server: Server and Browser now encrypt all transmitted data with the session key.
Internet Protocol Security (IPSEC): Virtual Private Network (VPN): VPNs connect private networks through untrusted networks like the Internet; they establish a tunnel and use strong encryption to provide privacy and strong authentication to guarantee identity, so they are more secure than traditional networks.
IPsec: IPsec is encryption that protects any application data across an IP network. IPsec is useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. IPsec operates in two modes:
Transport mode: secure connection between two end points; the data is encrypted but the header of the packet is not encrypted.
Tunnel mode: the entire IP packet is encrypted and a new header is added to the packet for transmission through the VPN tunnel.
Secure Shell (SSH): used for UNIX systems and encrypts the commands getting transmitted.
Secure Multipurpose Internet Mail Extension (SMIME): Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images, and application programs.
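The checks the browser step above performs on a server certificate, using the certificate fields listed under "Contents of a Typical Digital Certificate" and a CRL signed by the issuing CA, as an added example that is not from the chartbook. The CAs, certificates and CRL are constructed, and an HMAC stands in for the CA's public-key signature (which the standard library cannot produce), so the block illustrates the order and meaning of the checks, not a real signature algorithm.

```python
"""Added example (not from the chartbook): the checks a browser makes on a
server certificate in the handshake step above, using the fields listed under
"Contents of a Typical Digital Certificate" and a CRL signed by the issuing
CA.  The CAs, certificates and CRL are constructed.  An HMAC over the
certificate fields stands in for the CA's public-key signature, which the
standard library cannot produce, so the signing calls illustrate the order
and meaning of the checks, not a real signature algorithm.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date

# Stand-in for the CA signing keys; a real relying party holds only the CA's
# public key from its trust store, never a secret like this.
CA_SIGNING_KEYS = {"Example Root CA": b"root-ca-key", "Shady CA": b"shady-key"}
TRUSTED_CAS = {"Example Root CA"}          # the browser's list of trusted CAs

@dataclass(frozen=True)
class Certificate:
    serial_number: int
    subject: str
    issuer: str
    valid_from: date
    valid_to: date
    public_key: str                         # opaque string in this example
    signature: bytes = b""

    def to_be_signed(self) -> bytes:
        return (f"{self.serial_number}|{self.subject}|{self.issuer}|"
                f"{self.valid_from}|{self.valid_to}|{self.public_key}").encode()

    def thumbprint(self) -> str:
        """Thumbprint: a SHA-256 hash of the whole certificate."""
        return hashlib.sha256(self.to_be_signed() + self.signature).hexdigest()

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: tuple                          # ((serial, reason), ...)
    signature: bytes = b""

    def to_be_signed(self) -> bytes:
        return f"{self.issuer}|{sorted(self.revoked)}".encode()

def ca_sign(issuer: str, data: bytes) -> bytes:
    return hmac.new(CA_SIGNING_KEYS[issuer], data, "sha256").digest()

def ca_signature_ok(issuer: str, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(signature, ca_sign(issuer, data))

def issue(issuer, serial, subject, valid_from, valid_to, public_key):
    cert = Certificate(serial, subject, issuer, valid_from, valid_to, public_key)
    return replace(cert, signature=ca_sign(issuer, cert.to_be_signed()))

def publish_crl(issuer, revoked):
    crl = CRL(issuer, tuple(revoked))
    return replace(crl, signature=ca_sign(issuer, crl.to_be_signed()))

def verify_certificate(cert, crl, today):
    """Return (ok, reason), checking in order: trusted issuer, signature,
    validity period, then revocation against a CRL that is itself signed."""
    if cert.issuer not in TRUSTED_CAS:
        return False, "issuer not in the trusted CA list"
    if not ca_signature_ok(cert.issuer, cert.to_be_signed(), cert.signature):
        return False, "signature does not verify"
    if not cert.valid_from <= today <= cert.valid_to:
        return False, "outside validity period"
    if crl.issuer != cert.issuer or not ca_signature_ok(
            crl.issuer, crl.to_be_signed(), crl.signature):
        return False, "CRL not signed by the issuing CA"
    for serial, reason in crl.revoked:
        if serial == cert.serial_number:
            return False, f"revoked ({reason})"
    return True, "ok"

# Constructed test data for the checks above.
TODAY = date(2024, 6, 1)
GOOD_CERT = issue("Example Root CA", 1001, "www.example.com",
                  date(2024, 1, 1), date(2025, 1, 1), "PUBKEY-A")
EXPIRED_CERT = issue("Example Root CA", 1002, "old.example.com",
                     date(2022, 1, 1), date(2023, 1, 1), "PUBKEY-B")
REVOKED_CERT = issue("Example Root CA", 1003, "gone.example.com",
                     date(2024, 1, 1), date(2025, 1, 1), "PUBKEY-C")
UNTRUSTED_CERT = issue("Shady CA", 1, "www.example.com",
                       date(2024, 1, 1), date(2025, 1, 1), "PUBKEY-D")
# Subject altered after signing: the signature no longer matches.
TAMPERED_CERT = replace(GOOD_CERT, subject="login.example.com")
CRL_2024 = publish_crl("Example Root CA", [(1003, "keyCompromise")])
```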
Remote Access Security
Data networking technologies that are focused on providing the remote user with access into a network, while maintaining the principal tenets of Confidentiality, Availability, and Integrity. Advantages:
• Reducing networking costs,
• Providing employees with flexible work styles,
• Building more efficient ties with customers, suppliers, and employees.

Dial Back Procedures: When a user dials into the server and identifies itself, the server records the request and disconnects the call. Then the server calls the user at a pre-determined number and enables the user to access the resources. A weakness in this procedure is call forwarding.
Other Controls: Remote users should never store their passwords in plain text login scripts on notebooks and laptops.
Authentication Servers: Popular applications of remote authentication mechanisms, depending on centralized/decentralized access authentication implementations, are TACACS (Terminal Access Controller Access Control System) and RADIUS (Remote Authentication Dial In User Service). Some of the features of such systems are:
• Enable secure remote access
• Facilitates centralized user management
• Changes to user access rights made easy
• Facilitates centralized access monitoring and control
• Provides event logging and extended audit trails

Malicious Code
Malicious code is the name used for any program that adds to, deletes or modifies legitimate software for the purpose of intentionally causing disruption. Examples of malicious code include viruses, worms, Trojan horses, and logic bombs. Newer malicious code is based on mobile ActiveX and Java applets.
Viruses: A computer virus is a type of malware (program) that attaches itself to a file and gets transmitted. When executed, it damages the infected system and also replicates by inserting copies of itself. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. Motives for creating viruses can include seeking profit, desire to send a political message, or personal amusement.
Master boot record (MBR) viruses: Affect the boot sector of a storage device and infect further when the storage is accessed.
Stealth viruses: Hide themselves by tampering with the operating system to fool antivirus.
Polymorphic viruses: Can modify themselves and change their identity into two billion different identities, and are thus able to hide themselves from antivirus software.
Macro viruses: The most prevalent computer viruses; they can easily infect many types of applications, such as Microsoft Excel and Word.
Logic bomb/Time bomb: Logic bombs are malicious code added to an existing application to be executed at a later date. These can be intentional or unintentional.
Worms: Worms are stand-alone viruses, that is, they are transmitted independently and execute themselves.
Trojan Horse: Malicious code hidden under a legitimate program, such as a game or simple utility. Trojans are primarily used by attackers to infect the system and then get control remotely to make that system work for them.

Malware Protection Mechanisms
Antivirus: Most antivirus software utilizes a method known as signature detection to identify potential virus infections on a system. Essentially, they maintain an extremely large database that contains the known characteristics (signatures) of all viruses. Antivirus tools have three types of controls:
1. Active monitor: Monitors traffic and activity to check for viruses.
2. Repair or quarantine: Removes the virus from the file/mail, or quarantines it and reports.
3. Scheduled scan: Users are prompted to scan the storage to detect viruses already present that were not detected by active monitors.
Incident handling: Incident handling is an action plan for dealing with virus attacks, intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is comprised of a six step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. In the case of virus incidents it is most essential to find out the root cause to ensure that the incident does not recur.
Training and awareness programs: This covers: enforcing policy on use of removable devices, handling of mail attachments, accessing the Internet, ensuring antivirus is updated.

Firewalls
Intranet: An intranet is a network that employs the same types of services, applications, and protocols present in an Internet implementation, without involving external connectivity. For example, an enterprise network employing the TCP/IP protocol suite, along with HTTP for information. The resultant protected network may be referred to as the personnel intranet. Intranets are typically implemented behind firewall environments.
Extranets: An extranet is usually a business-to-business intranet; that is, two intranets are joined via the Internet. They exist outside a firewall environment. Extranets employ TCP/IP protocols, along with the same standard applications and services. Within an extranet, options are available to enforce varying degrees of authentication, logging, and encryption.
Securing a Firewall: Firewall platforms should be implemented on systems containing operating system builds that have been stripped down and hardened for security applications. Firewalls should never be placed on systems built with all possible installation options.
• Any unused networking protocols should be removed from the firewall operating system build.
• Any unused network services or applications should be removed or disabled.
• Any unused user or system accounts should be removed or disabled.
• Applying all relevant operating system patches is also critical.
• Unused physical network interfaces should be disabled or removed.

Intrusion Detection Systems
Perimeter controls, firewalls, and authentication and access controls block certain actions, while some users are admitted to use the computing system. Most of these controls are preventive. Many studies, however, have shown that most computer security incidents are caused by insiders. Intrusion detection systems complement these preventive controls as the next line of defence. An intrusion detection system (IDS) is a device, usually another separate computer, which monitors activity to identify malicious or suspicious events. An IDS is a sensor that raises an alarm if specific things occur. The alarm can be as simple as writing an entry in an audit log. The functions performed by an IDS are:
• Monitoring users and system activity
• Auditing system configuration for vulnerabilities and mis-configurations
• Managing audit trails
Many intrusion detection systems are also capable of interacting with firewalls. For example, if an intrusion detection system detects a denial of service attack in progress, it can instruct certain firewalls to automatically block the source of the attack. The two general types of intrusion detection systems are signature based and heuristic. Signature-based intrusion detection systems perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type. Heuristic intrusion detection systems, also known as anomaly based, build a model of acceptable behaviour and flag exceptions to that model; for the future, the administrator can mark a flagged behaviour as acceptable. Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation, client or host, to protect that one host.
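The two IDS types just described, run over constructed connection records, as an added example that is not from the chartbook: a signature-based detector pattern-matches known attack types, and a heuristic detector builds a model from a baseline period, flags exceptions, and lets the administrator mark a flagged behaviour as acceptable. The record layout, addresses and thresholds are invented for this illustration.

```python
"""Added example (not from the chartbook): the two IDS types described above,
run over constructed connection records.  A signature-based detector pattern-
matches known attack types; a heuristic (anomaly-based) detector builds a
model of acceptable behaviour from a baseline period and flags exceptions,
with a way for the administrator to mark a flagged behaviour as acceptable.
The record layout, addresses and thresholds are invented for this example.
"""
import statistics

# Each record: (source, destination, destination port, packets per second).
BASELINE = [                                  # traffic observed during learning
    ("10.0.0.5", "10.0.1.20", 443, 12), ("10.0.0.5", "10.0.1.20", 443, 15),
    ("10.0.0.9", "10.0.1.20", 443, 10), ("10.0.0.9", "10.0.1.21", 22, 3),
    ("10.0.0.5", "10.0.1.21", 22, 4), ("10.0.0.9", "10.0.1.20", 443, 14),
]
LIVE = [                                      # traffic to be monitored
    ("10.0.0.5", "10.0.1.20", 443, 13),       # normal
    ("198.51.100.3", "10.0.1.20", 21, 5),     # plaintext FTP from outside
    ("198.51.100.3", "10.0.1.20", 443, 900),  # flood-like packet rate
    ("10.0.0.9", "10.0.1.30", 3306, 6),       # destination never seen before
]

# ---- Signature based: simple pattern matching against known attack types
SIGNATURES = [
    ("external-ftp", lambda r: not r[0].startswith("10.") and r[2] == 21),
    ("flood", lambda r: r[3] >= 500),
]

def signature_alerts(records):
    """Report every record matching a known-attack pattern."""
    return [(name, r) for r in records for name, match in SIGNATURES if match(r)]

# ---- Heuristic / anomaly based: model of acceptable behaviour ----------
class AnomalyDetector:
    def __init__(self, baseline, sigma=3.0):
        self.known_pairs = {(r[1], r[2]) for r in baseline}   # seen dst/port
        rates = [r[3] for r in baseline]
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates)
        self.sigma = sigma
        self.accepted = set()     # behaviours the administrator has approved

    def flag(self, record):
        """Reasons this record departs from the learned model, if any."""
        _src, dst, port, rate = record
        reasons = []
        if (dst, port) not in self.known_pairs:
            reasons.append("unseen destination/port")
        if rate > self.mean + self.sigma * self.stdev:
            reasons.append("rate exceeds baseline")
        return [why for why in reasons if (dst, port, why) not in self.accepted]

    def mark_acceptable(self, dst, port, reason):
        """Administrator marks a flagged behaviour as acceptable in future."""
        self.accepted.add((dst, port, reason))

    def alerts(self, records):
        return [(r, reasons) for r in records if (reasons := self.flag(r))]
```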

Wireless Security reats and Risk Mitigation
Wireless networking presents many advantages like network con guration and recon guration is easier, faster, and less expensive. However, wireless technology also creates new threats and alters the existing information security risk pro le.
For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks. If the message is not encrypted, or encrypted with a weak algorithm, the attacker can
intercept and read it. Wireless network has numerous vulnerabilities such as:

• Ad-hoc networks: Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them.
• Non-traditional networks: Non-traditional networks such as personal-network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured.
• MAC spoofing: The MAC address is hard-coded on a network interface card (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has a MAC address different from its real MAC address.
• Man-in-the-middle attacks: The attacker secretly intercepts the electronic messages going between the sender and the receiver and then captures, inserts and modifies messages during message transmission.
• Accidental association: When a user turns on a computer and it latches on to a wireless access point from a neighbouring organisation's overlapping network, the user may not even know that this has occurred. However, it is a security breach in that proprietary organisation information is exposed and now there could exist a link from one organisation to the other.
• Denial of service: It is an attempt to make a machine not available to its intended user. Wireless networks provide numerous opportunities to increase productivity and manage costs.

Risk mitigation measures:
• Encryption: The best method for protecting the confidentiality of information transmitted over wireless networks is to encrypt all wireless traffic.
• Signal-hiding techniques: The easiest options include turning off the service set identifier (SSID) broadcasting by wireless access points and reducing signal strength to the lowest level that still provides the requisite coverage. More effective, but also more costly, methods for reducing or hiding signals include using directional antennas to constrain signal emanations within desired areas of coverage, or using signal emanation-shielding techniques, also referred to as TEMPEST, to block emanation of wireless signals.
• Anti-virus and anti-spyware software: Computers on a wireless network need the same protections as any computer connected to the Internet. Install anti-virus and anti-spyware software, and keep them up to date. If your firewall was shipped in the "off" mode, turn it on.
• Default passwords: Wireless routers generally come with a standard default password that allows you to set up and operate the router. These default passwords are also available on the web. Default passwords should be changed immediately after installation.
• MAC address: Wireless routers usually have a mechanism to allow only devices with particular MAC addresses access to the network.
Endpoint Security
Methodology of protecting the corporate network when it is accessed via remote devices such as laptops or other wireless and mobile devices. Usually, endpoint security is a security system that consists of security software located on a centrally managed and accessible server or gateway within the network, in addition to client software installed on each of the endpoints (or devices). While endpoint security software differs by vendor, you can expect most software offerings to provide antivirus, antispyware, a personal firewall and also a host intrusion prevention system.
Voice-over IP Security Controls
Voice-over IP (VoIP) Security:
Methodology for delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms commonly associated with VoIP are IP telephony, Internet telephony, voice over broadband (VoBB) and broadband telephony. The term Internet telephony specifically refers to the provisioning of communications services (voice, fax, SMS, voice-messaging) over the public Internet, rather than via the public switched telephone network (PSTN). The digital information is packetized and transmission occurs as Internet Protocol (IP)

Security Threats to VoIP
VoIP systems rely on a data network, which means security weaknesses and the types of attacks associated with any data network are possible. But for VoIP, voice is converted into IP packets that may travel through many network access points. Therefore the data is exposed to many more possible points of attack that could be used for interception by intruders. Most of the VoIP traffic over the Internet is not encrypted, so this traffic is exposed to hackers. Hackers can intercept the communication or shut down the voice services by flooding servers (supporting VoIP) with bogus traffic.

Following are the VoIP security controls:
• Encryption: Means of preserving the confidentiality of transmitted signals.
• Physical security: Even if encryption is used, physical access to VoIP servers and gateways
• Anti-virus and firewalls: Computers which use software for VoIP connections should be protected with a personal firewall.
• Segregation of voice and data segments: To maintain quality of service (QoS), scalability, manageability, and security, voice and data should be separated using different logical networks as far as possible. Segmenting IP voice from a traditional IP data network greatly enhances the mitigation of VoIP attacks.

Vulnerability Assessment and Penetration Testing
Used by organizations to evaluate the effectiveness of information security implementation. As its name implies, penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. A penetration test is performed by a team of experts. This team simulates an attack using tools and techniques similar to those used by hackers.

Penetration Testing Scope
The scope of a penetration test is to determine whether an organization's security vulnerabilities can be exploited and its systems compromised. Penetration testing can have a number of secondary objectives, including testing the security incident identification and response capability of the organization.

Penetration Testing Strategies
• External testing: Refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems, as they are visible to a hacker. This can be a Blind test, where the testing expert has been provided with limited information.
• Internal testing: Internal testing is performed from within the organization's technology environment.
• Targeted testing: Often referred to as the "lights-turned-on" approach, it involves both the organization's IT team and the penetration testing team being aware of the testing activities. The test is focused more on the technical setting. A targeted test typically takes less time and effort to complete than blind testing, but may not provide as complete a picture of the security vulnerabilities and response capabilities of the organization.

Types of Penetration Testing
• Application security testing: Many organizations offer access to core business functionality through web-based applications. This type of access introduces new security vulnerabilities. The objective of application security testing is to evaluate the controls over the application and its process flow. Areas of evaluation may include the application's usage of encryption to protect the confidentiality and integrity of information, how users are authenticated, integrity of the Internet user's session with the host application, and use of cookies.
• Denial of service (DoS) testing: The goal of DoS testing is to evaluate the system's susceptibility to attacks that will render it inoperable so that it will "deny service," that is, drop or deny legitimate access attempts.
• War dialing: Systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections of computers. Once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether this connection can be used to penetrate the organization's information systems network.
[Figure: war dialing flow. Hacker -> telephone numbers dialled to identify modems, remote access devices and maintenance connections of computers -> analysis and exploitation techniques to penetrate the organisation network.]
• Wireless network penetration testing: Sometimes referred to as "war-driving"; hackers have become proficient in identifying wireless networks simply by "driving" or walking around office buildings with their wireless network equipment. The goal of wireless network testing is to identify security gaps or flaws in the design, implementation or operation of the organization's wireless network.
• Social engineering: Often used in conjunction with blind and double blind testing, this refers to techniques using social interaction, such as:
  • Posing as a representative of the IT department's help desk
  • Posing as an employee and gaining physical access to restricted areas
  • Intercepting mail, courier packages

Risks Associated with Penetration Testing
• The penetration test team may fail to identify significant vulnerabilities.
• Misunderstandings and miscommunications may inadvertently trigger events or responses that may not have been anticipated or planned for.
• Where external experts perform penetration testing, it is necessary to enforce a non-disclosure agreement.
Monitoring Controls
Most controls implemented for the network generate a lot of logs related to activities as per their rule set. There are various tools available in the market that help organizations in collecting these logs, correlating them based on possible use cases and generating alerts for important logs. These tools are known as Security Incident and Event Management (SIEM) tools. Organizations use these tools and establish a security operations center (SOC) to monitor these logs, analyse alerts and record incidents and events to be responded to. Broad objectives of a SOC are:
• Detect attacks and malware
• Enhance incident response capability
• Detect Advanced Persistent Threats
• Compliance requirements

Auditing Network Security Controls
• Locating logical access paths by reviewing network diagrams
• Recognizing logical access threats, risks and exposures
• Evaluating logical network security policies and practices
• Evaluating network event logging and monitoring
• Evaluating effectiveness of logical access security with respect to network security components such as:
  • Firewalls and filtering routers - architecture, configuration settings as per firewall security policy, port services, anti-virus configuration, reporting and management controls
  • Intrusion detection systems - architecture, configuration, interface with other security applications, reporting and management controls
  • Virtual private networks - architecture, devices, protocol, encryption process, integration with firewall security, change management
  • Security protocols - selection of appropriate protocol, seamless security integration of protocols between devices running different protocols
  • Encryption - selection of appropriate encryption methods for various application processes
  • Middleware controls - with respect to identification, authentication and authorization, management of components and middleware change management.
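As an added illustration of what a SIEM rule does (this is example code, not part of the chartbook and not any vendor's product), the following Python collects authentication log lines, correlates failed logins per source address inside a sliding time window, and raises an alert for the use case "burst of failures, then a successful login from the same source". The log format, the threshold, the window and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); a simplified syslog-style
# authentication log format assumed for this example.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 fw01 auth: FAILED user=alice src=203.0.113.7
2024-03-01T09:00:04 fw01 auth: FAILED user=alice src=203.0.113.7
2024-03-01T09:00:07 fw01 auth: FAILED user=bob src=203.0.113.7
2024-03-01T09:00:09 fw01 auth: FAILED user=carol src=203.0.113.7
2024-03-01T09:00:12 fw01 auth: FAILED user=dave src=203.0.113.7
2024-03-01T09:00:15 fw01 auth: ACCEPTED user=dave src=203.0.113.7
2024-03-01T09:05:00 fw01 auth: FAILED user=erin src=198.51.100.2
2024-03-01T09:20:00 fw01 auth: ACCEPTED user=erin src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Collection step: turn raw log lines into structured events."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production SIEM would count unparsed lines as a health metric
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation step for one use case:
    - medium alert when `threshold` failed logins arrive from one source
      within `window` (possible password guessing);
    - high alert when that same source then logs in successfully while the
      burst is still inside the window (guessing that may have succeeded)."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        # slide the window: forget failures older than `window`
        failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
        if e["result"] == "FAILED":
            failures[src].append(e["ts"])
            # fire once, when the burst first reaches the threshold
            if len(failures[src]) == threshold:
                alerts.append({"rule": "auth_failure_burst", "severity": "medium",
                               "src": src, "count": threshold, "ts": e["ts"]})
        elif len(failures[src]) >= threshold:
            alerts.append({"rule": "success_after_failure_burst", "severity": "high",
                           "src": src, "user": e["user"], "ts": e["ts"]})
    return alerts


def run(logs=SAMPLE_LOGS):
    """End to end: collect, correlate, return the alerts a SOC analyst would see."""
    return correlate(parse(logs))
```

The single failure from 198.51.100.2 followed by a success fifteen minutes later falls outside the window and produces no alert, which is the point of the sliding window: it separates a forgotten password from a burst.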

Chapter 1 Arti cial Intelligence Module - 6 Emerging Technologies

CHAPTER 1:
ARTIFICIAL INTELLIGENCE
Artificial Intelligence
Simulate human capabilities, based on a predetermined set of rules.
Machine Learning:
Use of computing resources that have the ability to learn, acquire and apply knowledge and skills. These systems, which can modify their behaviour on the basis of experience, are also known as cognitive systems.
[Figure: Traditional programming: Data and Rules are fed into the Computer Program, which produces Output. Artificial Intelligence: Data and Output are fed into the Computer Program, which produces Rules.]

• A Neural Network: Machine learning made up of interconnected units that process information by responding to inputs, relaying information between each unit.
• Deep learning: Uses huge neural networks with many layers of processing units, taking advantage of advances in computing power and improved training techniques to learn complex patterns in large amounts of data.
• Cognitive computing: The ultimate goal is for a machine to simulate human processes through the ability to interpret images and speech, and then speak coherently in response.
• Computer vision: Relies on pattern recognition and deep learning. When machines can process, analyze and understand images, they can capture images or videos in real time and interpret their surroundings.
• Natural language processing (NLP): Ability of computers to analyze, understand and generate human language, including speech. It allows humans to communicate with computers.

[Figure: mind map of Artificial Intelligence. Machine Learning (Deep Learning, Translation, Predictive Analytics, Classification & Clustering, Information Extraction); Natural Language Processing (Speech to Text, Text to Speech); Speech; Expert System; Planning, Scheduling & Optimization; Robotics; Vision (Image Recognition, Machine Vision). Accounting knowledge required.]

Why is AI important?
• AI automates repetitive learning
• Adds intelligence to existing products
• Analyzes more and deeper data using neural networks
• Achieves incredible accuracy through deep neural networks
• Gets the most out of data
• When algorithms are self-learning, the data itself can become intellectual property
Types of AI

AI: Based on Capabilities
Weak AI or Narrow AI:
• Able to perform a dedicated task with intelligence.
• Cannot perform beyond its field or limitations, as it is only trained for one specific task.
General AI:
• Perform any intellectual task with efficiency like a human.
• No such system exists.
Super AI:
• Level of intelligence which could surpass human intelligence.
• A hypothetical concept.

AI: Based on Functionality
Reactive Machines:
• Most basic type of Artificial Intelligence systems.
• Do not store information like humans.
• Focus on current scenarios and react as per the best possible action.
Limited Memory:
• Can store past experiences.
• Can use stored data for a limited time period only.
• Best example: self-driving cars.
Theory of Mind:
• Understand human emotions, people, beliefs, and be able to interact socially.
• Still not developed.
Self-Awareness:
• Future of Artificial Intelligence.
• Will have their own consciousness, sentiments, and self-awareness.
• Smarter than the human mind.
• Hypothetical concept.

AI Platforms
• IBM - Watson Analytics
• Google - Deep Mind - Tensor Flow
• Microsoft - Cognitive Services
• Amazon - AWS AI Services
• Facebook - FB Learner Flow

AI and Speech Recognition
Technology that can recognize spoken words, which can then be converted to text. A subset of speech recognition is voice recognition, which is the technology for identifying a person based on their voice.

Problem Types & Analytic Techniques used in AI

Classification
Description: Categorize new inputs as belonging to one of a set of categories.
Example: Identifying whether an image contains a specific type of object (Dog or Cat?).
Technique: Convolutional Neural Network, Logistic Regression

Continuous Estimation
Description: Estimate the next numeric value in a sequence.
Example: Prediction, particularly when it is applied to time series data, e.g. forecasting the sales for a product based on a set of input data such as previous sales figures, consumer sentiment, and weather.
Technique: Feed-forward Neural Networks, Linear Regression

Clustering
Description: Individual data instances have a set of common or similar characteristics.
Example: Creating a set of consumer segments based on data about individual consumers, including demographics, preferences, and buyer behavior.
Technique: K-means, Affinity Propagation

Anomaly Detection
Description: Determine whether specific inputs are out of the ordinary.
Example: Fraud detection, Money Laundering
Technique: Support Vector Machines, K-Nearest Neighbors, Neural Networks

Recommendations
Description: Systems that provide recommendations, based on a set of training data.
Example: Suggest the product to buy for a customer, based on the buying patterns of similar individuals and the observed behavior of the specific person, e.g. Netflix, Amazon.
Technique: Collaborative Filtering

Advantages of AI
• Error Reduction: Helps us in reducing error and enhances the chance of reaching accuracy; applied in various studies such as exploration of space.
• Difficult Exploration: Artificial intelligence and the science of robotics can be put to use in mining and other fuel exploration processes, overcoming human limitations.
• Daily Application: Computed methods for automated reasoning, learning and perception have become a common phenomenon in our everyday lives.
• Digital Assistants: Saving the need for human resources. Emotions are associated with moods that can cloud judgment and affect human efficiency. This is completely ruled out for machine intelligence.
• Repetitive Jobs: Repetitive jobs, which are monotonous in nature, can be carried out with the help of machine intelligence. Machines can be put to carry out dangerous tasks.
• No Breaks: Machines, unlike humans, do not require frequent breaks and refreshments.

Disadvantages of AI
• High Cost: Creation of artificial intelligence requires huge costs; repair and maintenance also require huge costs. They have software programs which need frequent upgradation.
• No Replicating Humans: Machines do not have any emotions and moral values. They perform what is programmed and cannot make the judgment of right or wrong.
• No Improvement with Experience: Unlike humans, artificial intelligence cannot be improved with experience. Machines are unable to alter their responses to changing environments.
• No Original Creativity: They are no match for the power of thinking that the human brain has, or even the originality of a creative mind. The inherent intuitive abilities of the human brain cannot be replicated.
• Unemployment: Replacement of humans with machines can lead to large-scale unemployment.

Examples in Finance
Pattern Recognition in Banking
• E.g. customer's salary account in a bank
• Multiple credits in account other than salary credit
• Sizeable increase in Cash to Non-Cash Transaction Ratio - large cash deposits and cash withdrawals
• Many transactions with a few related accounts
• Burst in Deposits - Number of Transactions
• Burst in Withdrawals - Number of Transactions
• Burst in Deposits - Amount
• Burst in Withdrawals - Amount
• Unusual applications for Demand Drafts against cash
• Transactions that are too high or low in value in relation to customer's profile

Use Cases
• AI in finance: AI is disrupting the financial industry through personal finance apps like Mint and Turbo Tax, which collect personal data and provide financial advice. IBM Watson is being used for home buying, and software now handles a significant portion of trading on Wall Street.
• JPMorgan Chase: A Contract Intelligence (COiN) platform utilizing Natural Language Processing has been launched. The platform processes legal documents and extracts essential data from them. By using machine learning, the platform could review 12,000 commercial credit agreements in just a few hours instead of the typical 360,000 man-hours required for manual review.
• Wells Fargo: Uses an AI-driven chatbot through the Facebook Messenger platform to communicate with users and provide assistance with passwords and accounts.
• Plantation: Recently AI was used in accurate drone-based planting at mass scale using seedpods, at a much lower cost, for the purpose of re-greening the planet.

Impact on Audit
• For all organizations, audit should include AI in its risk assessment and also consider using AI in its risk-based audit plan.
• To avoid impairment to both independence and objectivity, the auditor should not be responsible for implementation of AI processes, policies and procedures.
• The auditor should provide assurance on management of risks related to the reliability of the underlying algorithms and the data on which the algorithms are based.
• AI must be dealt with using disciplined methods to evaluate and improve the effectiveness of risk management, control and governance processes.
• A Fraud Investigator can use Artificial Intelligence in detecting fraud. While statistical & data analysis is used to detect fraud passively, artificial intelligence detects fraud actively and directly, besides improving speed of processing.
Scenarios wherein Artificial Intelligence techniques can be used for fraud management:
• Data mining: To classify, cluster and segment the data and also automatically find associations and rules in the data, which may point towards interesting patterns of fraud.
• Expert system: Store all the human expertise and then use the stored human intelligence to detect fraud.
• Machine learning and pattern recognition: Machine learning can also be unsupervised and be used to learn and establish baseline behavioural profiles for various entities, and further used to find meaningful anomalies related to fraud or any other transactions.
• Neural network: A fraud detection system totally based on the working of the human brain. The inherent nature of neural networks includes the ability to learn and the ability to capture and represent complex input/output relationships.
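The "baseline behavioural profile, then flag anomalies" idea in the machine learning scenario above, applied to the indicators listed under "Pattern Recognition in Banking", as an added Python example (not from the chartbook, not any bank's system): a profile is learned from a customer's past transactions, and the review period is checked for withdrawals too high for the profile, a burst in withdrawal count, multiple non-salary credits and a rise in the cash to non-cash ratio. The transaction tuples, thresholds and the assumption that a customer has exactly one salary credit per period are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample transactions (not real customer data).
# Tuple: (customer, date, type, channel, amount); type 'D' deposit or 'W'
# withdrawal; channel 'cash' or 'noncash'.
BASELINE_PERIOD = [  # a salary account with a steady pattern
    ("C1", date(2024, 1, 1), "D", "noncash", 50000.0),   # salary credit
    ("C1", date(2024, 1, 3), "W", "cash", 4000.0),
    ("C1", date(2024, 1, 10), "W", "noncash", 6000.0),
    ("C1", date(2024, 1, 18), "W", "cash", 3500.0),
    ("C1", date(2024, 1, 25), "W", "noncash", 5000.0),
    ("C1", date(2024, 2, 1), "D", "noncash", 50000.0),   # salary credit
    ("C1", date(2024, 2, 4), "W", "cash", 4500.0),
    ("C1", date(2024, 2, 12), "W", "noncash", 5500.0),
    ("C1", date(2024, 2, 20), "W", "cash", 4000.0),
]
REVIEW_PERIOD = [
    ("C1", date(2024, 3, 1), "D", "noncash", 50000.0),   # salary credit
    ("C1", date(2024, 3, 2), "D", "cash", 45000.0),      # credit other than salary
    ("C1", date(2024, 3, 2), "D", "cash", 48000.0),      # credit other than salary
    ("C1", date(2024, 3, 3), "W", "cash", 30000.0),
    ("C1", date(2024, 3, 3), "W", "cash", 30000.0),
    ("C1", date(2024, 3, 3), "W", "cash", 30000.0),
    ("C1", date(2024, 3, 3), "W", "cash", 30000.0),
]


def group_by_customer(txns):
    grouped = defaultdict(list)
    for t in txns:
        grouped[t[0]].append(t)
    return grouped


def build_profile(history):
    """Unsupervised baseline per customer: typical withdrawal size and spread,
    most withdrawals seen on one day, and share of cash transactions."""
    profiles = {}
    for cust, txns in group_by_customer(history).items():
        w_amounts = [t[4] for t in txns if t[2] == "W"]
        w_per_day = Counter(t[1] for t in txns if t[2] == "W")
        cash_count = sum(1 for t in txns if t[3] == "cash")
        profiles[cust] = {
            "w_mean": mean(w_amounts),
            "w_std": pstdev(w_amounts) or 1.0,   # guard: constant history -> no zero division
            "max_w_per_day": max(w_per_day.values()),
            "cash_ratio": cash_count / len(txns),
        }
    return profiles


def detect(review, profiles, z=3.0):
    """Flag review-period transactions that deviate from the learned profile.
    Each alert: (customer, indicator, date or None, observed value)."""
    alerts = []
    for cust, txns in group_by_customer(review).items():
        p = profiles[cust]
        # too high in value in relation to the customer's profile (z-score)
        for t in txns:
            if t[2] == "W" and (t[4] - p["w_mean"]) / p["w_std"] > z:
                alerts.append((cust, "withdrawal_too_high_for_profile", t[1], t[4]))
        # burst in withdrawals - number of transactions on one day
        for d, n in Counter(t[1] for t in txns if t[2] == "W").items():
            if n > 2 * p["max_w_per_day"]:
                alerts.append((cust, "burst_in_withdrawals_count", d, n))
        # multiple credits other than the (assumed single) salary credit
        deposits = [t for t in txns if t[2] == "D"]
        if len(deposits) > 1:
            alerts.append((cust, "multiple_non_salary_credits", None, len(deposits) - 1))
        # sizeable increase in cash to non-cash transaction ratio
        cash_ratio = sum(1 for t in txns if t[3] == "cash") / len(txns)
        if cash_ratio > 1.5 * p["cash_ratio"]:
            alerts.append((cust, "cash_ratio_increase", None, round(cash_ratio, 2)))
    return alerts


def run():
    return detect(REVIEW_PERIOD, build_profile(BASELINE_PERIOD))
```

The alerts are leads for an investigator, not conclusions: the same code run on a customer whose baseline already contains large cash movements produces none, which is exactly why the profile is learned per entity rather than set as one global threshold.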
Risks and Challenges

Risks of AI
• AI is Unsustainable: Computer chips contain rare earth materials like Selenium; increased mining of these materials is irreversibly damaging our environment.
• Lesser Jobs: Businesses prefer machines instead of humans to increase their profitability, thus reducing the jobs that are available for the human workforce.
• A Threat to Humanity: The biggest risk associated with AI is that machines would gain sentience and turn against humans in case they go rogue.

Challenges for AI
• Computing is not that Advanced: Machine learning and deep learning techniques require a series of calculations to be made very quickly.
• Fewer People Support: AI does not have enough use cases; few organizations are interested in putting money into the development of AI-based products.
• Creating Trust: People don't feel comfortable when they don't understand how a decision was made. AI has not been able to create trust among people.
• One Track Minds: AI implementations are highly specialized. Each is built just to perform a single task, and AIs need to be trained just to make sure that their solutions do not cause other issues.
• Probability: Probability, that is the mathematical uncertainty behind AI predictions, still remains an unclear region for organizations.
• Data Privacy and Security: Machine learning systems depend on data which is often sensitive and personal in nature. Due to this systematic learning, these ML systems can become prone to data breach and identity theft.
• Algorithm Bias: Bad data is often associated with ethnic, communal, gender or racial biases. If the bias hidden in the algorithms which take crucial decisions goes unrecognized, it could lead to unethical and unfair results.
• Data Scarcity: Datasets that are applicable for AI applications to learn from are really rare.
Governance and Controls
AI governance establishes accountability and oversight, helps to ensure that those responsible have the necessary skills and expertise to monitor effectively, and helps to ensure the organization's values are reflected in its AI activities.
Professional Opportunities
• Provides CAs with the opportunity to automate and de-skill time-consuming and repetitive work and focus on higher value work, so that they can consolidate their role as advisers on finance and business.
• CAs possess the domain knowledge and experience to create the relevant learning algorithms for identifying patterns in Finance and Audit.
• CAs should work closely with AI programmers to convert their functional ideas into reality.
• The profession can exploit technology and potentially change the scope of what it means to be a CA. The CFO of the future will need to know as much about technology as they do about financial management.

CHAPTER 2:
BLOCKCHAIN
Block chain refers to the transparent, trustless, and publicly accessible ledger that allows us to securely transfer the ownership of units of value using public key encryption and proof of work methods.
The technology uses decentralized consensus to maintain the network, which means it is not centrally controlled by a bank, corporation, or government. In fact, the larger the network grows and the more decentralized it becomes, the more secure it becomes.
At its most basic level, blockchain is literally just a chain of blocks, but not in the traditional sense of those words. When we say the words "block" and "chain" in this context, we are actually talking about digital information (the "block") stored in a public database (the "chain").
[Figure: three blocks in a chain. Block 1: Hash 1Z8F, Previous Hash 0000. Block 2: Hash 6BQ1, Previous Hash 1Z8F. Block 3: Hash 3H4Q, Previous Hash 6BQ1. Each block's hash is computed over its data together with the hash of the previous block (Data -> Hash -> Hash of the Previous Block).]
Evolution of Blockchain
In 2008, Satoshi Nakamoto published a paper describing a peer-to-peer electronic cash system, which became the basis for Bitcoin. Cryptocurrencies use cryptography to secure transactions and eliminate the need for a centralized entity. An open-source program implementing the Bitcoin protocol was released shortly after, and anyone can join the network by installing it. The cryptocurrency has since gained popularity.
Technologies That Make Blockchain Possible
• Peer-to-peer network (distributed ledger): Each node is connected to all other nodes and is not reliant on any central authority. The ledger is "synced" to all nodes and becomes public. Nodes trust adjacent nodes, but verify transactions before recording them (trust, but verify). P2P networks are easy to manage, but slow and susceptible to attack (such as a denial-of-service [DoS] attack).
• Public key infrastructure (blockchain addresses): The technology uses both asymmetric and symmetric encryption to ensure secure transactions. Public Key Infrastructure (PKI) generates a pair of keys (public and private) for identifying parties and maintaining the integrity of transactions. The public key is distributed freely, while the private key is kept by the key owner and used to decrypt messages and sign them. Parties create private keys to secure their wallet and public keys to submit transaction requests. Wallets can be online, software-based, in a secured drive, or paper-based.
• Hash function (miner): Used to guarantee records are not changed, ensuring the integrity of the entire system. It takes an input of variable length and creates a fixed-length output known as a message digest. This is a one-way process, meaning that the original input cannot be recreated from the message digest.
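To make the figure and the "Hash function (miner)" column concrete, here is an added Python example (not from the chartbook and not any real blockchain client): each block's SHA-256 digest covers its data and the previous block's hash, a small difficulty target stands in for proof-of-work mining, and verify_chain shows why altering one block invalidates every block after it even if the altered block is re-mined. The block fields, the difficulty value, the fixed timestamp and the sample records are constructed for this example.

```python
import hashlib
import json

# Constructed for the example: number of leading hex zeros the block hash must
# have. Kept tiny so the demo mines in milliseconds; real networks use far more.
DIFFICULTY = 2


def block_hash(index, timestamp, data, previous_hash, nonce):
    """Hash function step: variable-length input -> fixed-length message digest.
    The previous block's hash is part of the input, which forms the chain."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data,
         "previous_hash": previous_hash, "nonce": nonce},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index, timestamp, data, previous_hash):
    """Proof of work: search for a nonce whose digest meets the difficulty target."""
    nonce = 0
    while True:
        h = block_hash(index, timestamp, data, previous_hash, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "timestamp": timestamp, "data": data,
                    "previous_hash": previous_hash, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(records, timestamp=0):
    """Genesis block points at an all-zero previous hash (the figure's 'Previous
    Hash 0000'); every later block points at the hash of the block before it.
    A fixed timestamp keeps the demo deterministic."""
    chain = [mine(0, timestamp, "genesis", "0" * 64)]
    for i, rec in enumerate(records, start=1):
        chain.append(mine(i, timestamp, rec, chain[-1]["hash"]))
    return chain


def verify_chain(chain):
    """Return (ok, index_of_first_bad_block); -1 when the chain is intact.
    Checks the stored digest, the proof-of-work target and the backward link."""
    for i, b in enumerate(chain):
        recomputed = block_hash(b["index"], b["timestamp"], b["data"],
                                b["previous_hash"], b["nonce"])
        if recomputed != b["hash"] or not b["hash"].startswith("0" * DIFFICULTY):
            return False, i
        if i > 0 and b["previous_hash"] != chain[i - 1]["hash"]:
            return False, i
    return True, -1


def tamper_demo():
    """Irreversibility of records: edit block 1, then re-mine it, and see where
    verification fails each time."""
    chain = build_chain(["A pays B 10", "B pays C 4", "C pays A 1"])
    ok_before, _ = verify_chain(chain)
    chain[1]["data"] = "A pays B 1000"
    _, bad_after_edit = verify_chain(chain)      # block 1: stored hash no longer matches
    chain[1] = mine(1, chain[1]["timestamp"], chain[1]["data"], chain[0]["hash"])
    _, bad_after_remine = verify_chain(chain)    # block 2: still links to the old hash
    return ok_before, bad_after_edit, bad_after_remine
```

Re-mining block 1 only moves the break one block forward; an attacker would have to redo the proof of work for every later block, which is the cost that decentralized consensus relies on.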
Principles of Block Chain
• Distributed Database: Each party on a block chain has access to the entire database and its complete history.
• Peer-to-Peer Transmission: Communication occurs directly between peers instead of through a central node. Each node stores & forwards information to other nodes.
• Transparency: Every transaction and its associated value are visible to anyone with access to the system.
• Irreversibility of Records: Records cannot be altered, because they are linked to every transaction record that came before them.
• Computational Logic: Block chain transactions can be tied to computational logic and in essence programmed. So, users can set up algorithms and rules that automatically trigger transactions between nodes.

Advantages and Disadvantages of Block Chain
Pros
• Cost reductions by eliminating third-party verification
• Decentralization makes it harder to tamper with
• Transactions are secure and efficient
• Transparent technology
Cons
• Significant technology cost associated with mining bitcoin
• Low transactions per second
• History of use in illicit activities
• Susceptibility to being hacked

Examples in Finance
• Payments and reconciliations: Transactions can occur directly between two parties on a frictionless P2P basis. The blockchain technology's application has the potential to reduce risk and transaction costs and to improve speed, efficiency and transparency.
• Issuance, ownership and transfer of financial information: A blockchain-based securities market allows traders to buy or sell stocks directly on exchanges or directly to other market participants in a P2P manner, without the intermediary services provided by a broker or clearing house.
• Clearing and settlement latency: On the blockchain, the entire lifecycle of a trade, including its execution, clearing and settlement, can occur at a trade level, lowering post-trade latency and reducing counterparty.

Use Cases
• Barclays adopted blockchain technology for enhanced security and transparency in their transaction processes. They encrypted and managed the first trade documentation on a blockchain network, saving significant time and money.
• Blockchain technology helps manufacturers track goods, deliveries, and production activities in supply chain management, providing transparency to consumers. Projects like Ambrosus and Vechain focus on food safety and product authenticity, allowing consumers to confirm the source and quality of goods they purchase.
• DHL, a global logistics leader, is working with Accenture to integrate blockchain technology with the pharmaceutical industry. Transparency, accurate data, security and trust are absolute musts for the pharmaceutical sector.

Impact on Audit
Blockchain technology could be used to streamline financial reporting and audit processes. Each audit begins with different information and schedules that require an auditor to invest significant time when planning an audit. In a blockchain, the auditor could have near real-time data access via read-only nodes on blockchains. By giving auditors access to unalterable audit evidence, the pace of financial reporting and auditing could be improved.
While the audit process may become more continuous, auditors will still have to apply professional judgment when analysing accounting estimates and other judgments made by management in the preparation of financial statements. Auditors will also need to evaluate and test internal controls over the data integrity of all sources of relevant financial information.
Smart Contracts and Oracles, which are embedded into the blockchain, are new roles to take up. Checks such as interface testing and events which trigger transactions into the blockchain are areas where the auditors may have to focus.
Another area for audit could be "service audit", where an auditor can give assurance on the conformity of the controls in place.

Risks and Challenges
• Vendor Risks: Most organizations lack the required technical skills and expertise to design and deploy a blockchain-based system and implement smart contracts completely in-house.
• Credential Security: In a public blockchain-based system, any individual who has access to the private key of a given user, which enables him/her to "sign" transactions on the public ledger, will effectively become that user, because most current systems do not provide multi-factor authentication.
• Legal and Compliance: It is a new territory in all aspects, without any legal or compliance precedents to follow, which poses a serious problem for manufacturers and service providers.
• Data security and confidentiality: It is feasible that hackers may be able to obtain the keys to access the data on the distributed ledger, considering the users having multiple points of access.
• Scalability issues: Relating to the size of the blockchain ledger, which might lead to centralization as it grows over time and requires some record management, casting a shadow over the future of the blockchain technology.
• Interoperability between block chains: There are new blockchain networks showing up, which lead to new chains that offer different speeds, network processing and use cases. Blockchain interoperability aims to improve information sharing across diverse blockchain networks. These cross-chain services improve blockchain interoperability and also make them more practical for daily usage.
• Processing power and time: Required to perform encryption algorithms for all the objects involved in a blockchain-based ecosystem, which are very diverse and comprised of devices that have very different computing capabilities, and not all of

Governance and Controls
• Governance Framework: The enterprise has an adequate governance framework to provide oversight for blockchain technology.
• Management Oversight: Provides assurance that the enterprise's strategic objectives are not adversely affected by risk related to blockchain technology.
• Regulatory Risk: To ensure that the enterprise's strategic objectives are not adversely affected.
• Business Continuity: The enterprise business continuity plan incorporates elements that address the effective operation of blockchain technology.
• Vendor Management: Ensure ongoing alignment between the enterprise's strategic objectives and blockchain solutions.
• Secure key distribution and management policies: Help to manage cryptography functions, key access control, key rotation methods and validation of crypto algorithms' implementation.
• Secure APIs and Integrations: Third-party remittances, E-KYC and smart contracting applications are integrated with the blockchain platform. APIs exposed to third parties should not reveal any sensitive data to adversaries. APIs and their integrations should handle authentication, payload security, and session management.

Professional Opportunities
• Assist in evaluating the functional design: As Chartered Accountants we could assist in analysing the business requirement and deciding if the case is fit for a blockchain platform.
• Evaluation of Proof of Concept: Before the solution is deployed, a prototype often known as a Proof of Concept is prepared. Chartered Accountants could assist in evaluating / designing the Proof of Concept.
• Assessment of Risks in Implementation: Chartered Accountants may assist in the assessment of risk before implementation of a blockchain platform.
• Impact on Audit: Understanding the impact of blockchain on the accounting and audit profession is of paramount importance for Chartered Accountants.
• Audit of Smart Contracts and Oracles: Contracting parties may want to engage an assurance provider to verify that smart contracts are implemented with the correct business logic.
them will be capable of running the same encryption
algorithms at the desired speed.
Storage will be a hurdle:
Ledger has to be stored on the nodes themselves,and
the ledger will increase in size as time passes. at
is beyond the capabilities of a wide range of smart
devices such as sensors, which have very low storage
capacity.
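As an added example (not from the chart book), the following Python script shows how an auditor with read-only access to a hash-chained ledger can check that the recorded evidence is unaltered, and why a post-hoc edit is detectable even when the editor re-hashes the changed block; the block layout and sample vouchers are constructed for the illustration.

```python
"""Added example, not from the chart book: how an auditor with read-only access to a
hash-chained ledger can verify that the recorded evidence is unaltered. The block layout
and the sample vouchers are constructed assumptions for this illustration."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS_PREV = "0" * 64  # link value used by the first block


def block_hash(block: Dict) -> str:
    """SHA-256 of a block's contents excluding its own 'hash' field.
    Canonical JSON (sorted keys, fixed separators) so every node gets the same digest."""
    body = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_block(chain: List[Dict], transactions: List[Dict]) -> Dict:
    """Append a block whose prev_hash commits to the block before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return None if the ledger is intact, else the index of the first inconsistent block.
    Each block is checked twice: its stored hash must match its contents, and its
    prev_hash must equal the hash of the preceding block."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return i
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return i
    return None


def build_sample_ledger() -> List[Dict]:
    """Constructed ledger of vendor payments (sample data, not real)."""
    chain: List[Dict] = []
    append_block(chain, [{"voucher": "PV-001", "vendor": "V01", "amount": 12500}])
    append_block(chain, [{"voucher": "PV-002", "vendor": "V02", "amount": 9800}])
    append_block(chain, [{"voucher": "PV-003", "vendor": "V01", "amount": 40000}])
    return chain


def tamper_demo() -> Optional[int]:
    """Edit a recorded amount after the fact; the block's stored hash no longer matches."""
    chain = build_sample_ledger()
    chain[1]["transactions"][0]["amount"] = 98000
    return verify_chain(chain)  # -> 1


def tamper_and_rehash_demo() -> Optional[int]:
    """Edit the amount AND recompute that block's hash; the next block's prev_hash
    still points at the old hash, so the break moves one block down the chain."""
    chain = build_sample_ledger()
    chain[1]["transactions"][0]["amount"] = 98000
    chain[1]["hash"] = block_hash(chain[1])
    return verify_chain(chain)  # -> 2


if __name__ == "__main__":
    print("intact ledger:", verify_chain(build_sample_ledger()))
    print("edited amount, first bad block:", tamper_demo())
    print("edited and re-hashed, first bad block:", tamper_and_rehash_demo())
```

On a real network the auditor's node would compare its copy against the hashes held by other nodes, so a consistent local re-hash of every later block would also be caught.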

www.prokhata.com 91
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 3: Cloud Computing
CHAPTER 3:
CLOUD COMPUTING
Cloud is a set of resources, such as processors and memory, which are put in a big pool. Cloud computing is using a remote server hosted on the Internet to store, manage and process data rather than a local server or a personal computer. As per the requirement, the cloud assigns resources to the client, who then connects to them over the network.

Features / Characteristics
• Resource Pooling: the provider abstracts resources and collects them into a pool, portions of which can be allocated to different consumers.
• On-demand self-service, i.e., consumers manage their resources themselves, without having to talk to a human administrator.
• Resources on cloud are available over a network; there is no direct physical access.
• Rapid elasticity allows consumers to expand or contract the resources.
• Measured service: meters are provided to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it.

Advantages of Cloud Computing
Cost Efficiency: Most cost-efficient method to maintain and upgrade. More productivity is achieved with fewer systems and hence lower cost per unit of project. Reduces spending on technology infrastructure. Minimal upfront spending and pay as you go.
Unlimited Storage: Storing information in the cloud gives us almost unlimited storage capacity with an option to scale.
Backup & Recovery: The same is relatively much easier than storing the same on a physical device.
Automatic Software Integration: Software integration is usually something that occurs automatically and can be customized with great ease.
Easy Access to Information and Globalize the workforce: Access the information from anywhere.
Reduce Capital costs: No need to spend huge money on hardware, software etc.
Quick Deployment: The entire system can be fully functional in a matter of a few minutes depending upon technology.
Less Personnel training and minimize maintenance and licensing software: Fewer people to do more work.
Improved Flexibility and effective monitoring of projects: Quick changes possible.

Dis-Advantages of Cloud Computing
Internet Connectivity: Cloud platforms require Internet connectivity almost all the time and are difficult to operate in certain regions. If the Internet is lost, then access to data and applications is also lost.
Technical Issues: This technology is always prone to outages and other technical issues. Even the best cloud service providers run into this kind of trouble, in spite of keeping up high standards of maintenance.
Security in the Cloud: Surrendering all the company's sensitive information to a third-party cloud service provider could potentially put the company at great risk.
Prone to Attack: Storing information in the cloud could make the company vulnerable to external hack attacks and threats. Nothing on the Internet is completely secure and hence there is always the lurking possibility of theft of sensitive data.
Availability: Depending on the vendor, customers may face restrictions on availability of applications, OS etc.
Interoperability: The ability of two or more applications to work together to support a business need is an issue, as all applications may not reside with a single cloud vendor, or two vendors having different applications may not co-operate.
Service Models of Cloud Computing
• Cloud computing is a model that enables the end users to access the shared pool of resources such as computer, network, storage, database and application as an on-demand service without the need to buy or own it.
• The services are provided and managed by the service provider, reducing the management effort from the end user side.
[Diagram: the layer stack Application, Data, OS, Virtualization, Servers, Storage, Networking shown for Private Cloud, Infrastructure as a Service, Platform as a Service and Software as a Service, with the layer groups labelled SaaS, PaaS and IaaS from top to bottom.]

Infrastructure as a Service (IaaS)
• IaaS provides resources such as memory, storage, processing power etc.
• Changes the computing from a physical infrastructure to a virtual infrastructure.
• The users need not maintain the physical servers; rather they need to use virtual machines as per their requirement.
• Examples of IaaS: Amazon Web Services (AWS), Google Compute Engine, OpenStack and Eucalyptus.

Platform as a Service (PaaS)
• Delivers a computing platform including operating system, programming language execution environment, database, and web server.
• App developers can develop and run their software solutions on a cloud platform without the cost and complexity of acquiring hardware / software.
• For example: Google AppEngine, Windows Azure Compute etc.

Software as a Service (SaaS)
• Provides the ability to the end users to access an application over the Internet that is hosted and managed by the cloud service provider.
• End users are exempted from managing or controlling the application, the development platform, and the underlying infrastructure.
• Delivered as an on-demand service over the Internet; there is no need to install the software on the end-user's devices.
• Provides users access to a large variety of applications over the Internet that are hosted on the service provider's infrastructure.
• E.g. Google Drive / Docs, online photo editing software.

Cloud Computing Deployment Models

Private Cloud
• Resides within the boundaries of an organization and is used exclusively for the organization's benefits
• Built primarily by IT departments within enterprises
• Optimize utilization of infrastructure resources
• Can either be managed by:
  • Private to the organization and managed by the single organization (On-Premise Private Cloud)
  • Can be managed by third party (Outsourced Private Cloud)
Private Cloud-Characteristics
Secure:
• Deployed and managed by the organization itself
• Least probability of data being leaked out of the cloud.
Central Control:
• Managed by the organization itself,
• No need for the organization to rely on anybody other than operations.
Weak Service Level Agreements (SLAs):
• SLAs are agreements between the user and the service provider
• Formal SLAs do not exist or are weak as it is between the organization and user of the same organization.
• High availability and good service may or may not be available and is dependent upon SLAs.
Advantages
• Improve average server utilization
• Reduces costs
• Higher Security & Privacy of User
• Higher automations possible
Limitation
• Invest in buying, building and managing the clouds independently

Public Cloud
• Can be used by the general public
• Administered by third parties or vendors over the Internet
• The services are offered on pay-per-use basis
• Business models like SaaS (Software-as-a-Service) and other service models are also provided
Public Cloud-Characteristics
Highly Scalable:
• The resources in the public cloud are large in number and the service providers make sure that all requests are granted.
Affordable:
• Offered to the public on a pay-as-you-go basis;
• User has to pay only for what he or she is using
Less Secure:
• Offered by a third party & they may have full control over the cloud, depending upon the service model.
Highly Available:
• Anybody from any part of the world can access the public cloud with proper
Stringent SLAs:
• SLAs are strictly followed and violations are not avoided
Advantages
• Widely used at affordable costs
• Deliver highly scalable and reliable applications
• No need for establishing infrastructure for setting up and maintaining the cloud.
• Strict SLAs are followed.
• There is no limit for the number of users
Limitations
• Security
• Organizational autonomy is not possible.

Hybrid Cloud
• Combination of public, private and community cloud.
• Normally a vendor has a private cloud and forms a partnership with a public cloud provider or vice versa
Characteristics of Hybrid Cloud
Scalable:
• The hybrid cloud has the property of public cloud with a private cloud environment and, as the public cloud, is scalable.
Partially Secure:
• The private cloud is considered as secured and the public cloud has high risk of security breach.
Stringent SLAs:
• Overall, the SLAs are more stringent than the private cloud and might be as per the public cloud service providers.
Complex Cloud Management:
• Cloud management is complex as it involves more than one type of deployment model and also the number of users is high.
Advantages
• Highly scalable and gives the power of both private and public clouds.
• Provides better security than the public cloud.
Limitation
• Security features are not as good as the private cloud and complex to manage

Community Cloud
• Exclusive use by a specific community of consumers from organizations that have shared concerns
• Owned, managed, and operated by one or more of the organizations in the community, a third party or some combination of them
• May exist on or off premises
• Suitable for organizations that cannot afford a private cloud and cannot rely on the public cloud either
Characteristics of Community Cloud
Collaborative and Distributive Maintenance:
• No single company has full control over the whole cloud.
• Usually distributive and hence better cooperation provides better results.
Partially Secure:
• Possibility that the data may be leaked from one organization to another, though it is safe from the external world.
Cost Effective:
• As the complete cloud is being shared by several organizations or a community, not only the responsibility gets shared; the community cloud becomes cost effective too.
Advantages of Community Clouds are as follows:
• Establishing a low-cost private cloud.
• Collaborative work on the cloud.
• Sharing of responsibilities among the organizations.
• Better security than the public cloud.
Limitation
• Autonomy of the organization is lost
• Some of the security features are not as good as the private cloud
• Not suitable in the cases where there is no collaboration.

Security Frameworks in Cloud
A security framework is a coordinated system of tools and behaviours in order to monitor data and transactions that are extended to where data utilization occurs, thereby providing end-to-end security. The benefits of security frameworks are to protect vital processes and the systems that provide those operations.
The leading frameworks and guidelines to meet regulatory requirements are as follows:
• Cyber Security Framework (NIST, 2013, 2014; SANS, 2016).
• Control Objectives for Information and Related Technology (COBIT 2019).
• Statement on Standards for Attestation Engagements 18 (SSAE 18) reports include SOC 1, Financial reporting; SOC 2, IT controls; and SOC 3, attestation.
• Cloud Security Alliance (CSA) provides comprehensive guidance on how to establish a secure baseline for cloud operations. CSA maintains the Security, Trust and Assurance Registry (STAR) cloud provider registry (CSA, 2015).
• General Data Protection Regulation (GDPR) lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
• ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms and definitions and is applicable to all types of organizations.
• ISO/IEC 27017:2015: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

Impact on Audit and auditors
Cloud computing is transforming business IT services, but it also poses significant risks that need to be planned for. The following are a few of the additional areas of review for auditors:
• Does the organization's strategy for the cloud link to the overall business strategy?
• Are the audit teams knowledgeable about the differences in cloud computing services and do they apply the right approach to deliver effective audit coverage?
• Is there a clear understanding of the difference between the organization and the cloud, and where the technology boundary starts and stops?
• What are the IT General Controls on the Cloud enforced by the organization?
• Have there been any independent audits / reviews of the Cloud environment?
• Are there periodical audits performed by the Cloud Service Provider and how are the high-risk issues dealt with?
• Is the existing audit risk assessment process flexible enough to differentiate between the ranges of cloud services that might be used?
• How does the audit work complement the wider supplier assessments that are considering both third- and fourth-party risks?
• Has sufficient explanation been provided to key internal parties, including directors and the audit committee, to highlight the business reasoning or impact of cloud provision?
Risks and Challenges
[Diagram: Dimensions of Risk, comprising Financial and Vendor Management, Regulatory, Technology, Operational, Data, and Identity and Access Management.]
Identity and Access Management
• User access provisioning
• Deprovisioning
• Super user access
Data
• Data segregation and isolation
• Information security and data privacy requirements
• Malicious insider
Financial and Vendor Management
• Under-estimated start-up costs
• Exit costs or penalties
• Management overhead
• Run-away variable costs
Operational
• Service reliability and uptime
• Disaster recovery
• SLA customization and enforcement
• Control over quality
Regulatory
• Complexity to ensure compliance
• Lack of industry standards and certification for cloud providers
• Records management / records retention
• Lack of visibility into service provider operations and ability to monitor for compliance
Technology
• Evolving technology
• Cross-vendor compatibility and integration
• Customization limitations
• Technology choice and proprietary lock-in
Governance and Controls
Governance, generically, may be defined as an agreed-upon set of policies and standards, which is:
• Based on a risk assessment and an agreed-upon framework,
• Inclusive of audit, measurement, and reporting procedures, as well as enforcement of policies and standards.
• In a multi-enterprise or multi-deployment cloud environment, participants agree to promote and establish joint expectations for security and service levels. Governance will also define the process for any response to a breach of protocol, and the set of decision makers who are responsible for mitigation and communication.
In addition to the above, Cloud computing has certain specific risks:

1. Governance of Cloud Computing Services: Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organization standards, and accountability.
2. Enterprise Risk Management: Risk management practices are implemented to evaluate inherent risk within the cloud computing model, identify appropriate control mechanisms and ensure that residual risk is within acceptable levels.
3. IT Risk Management: A process to manage IT risk exists and is integrated into the organization's overall ERM framework. IT risk management metrics are available for the information security function to manage risk within the risk appetite of the data owner.
4. Third-party Management: The customer recognizes the outsourced relationship with the service provider. The customer understands its responsibilities for controls, and the service provider has provided assurances of sustainability of those controls.
5. Legal Compliance: The service provider and customer establish bilateral agreements and procedures to ensure contractual obligations are satisfied, and these obligations address the compliance requirements of both the customer and service provider. Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored. The use of cloud computing should not invalidate or violate any customer compliance requirements.
6. Right to Audit: The right to audit is clearly defined and satisfies the assurance requirements of the customer's board of directors, audit charter, external auditors and any regulators having jurisdiction over the customer.
7. Certifications: Service provider security assurance is provided through ISO 27001 Certification.
8. Service Transition Planning: Planning for the migration of data, such as meta data and access, is essential to reducing operational and financial risk at the end of the contract. The transition of services should be considered at the beginning of contract negotiations.
Professional Opportunities
Cloud computing provides a host of opportunities. A few of them are detailed below:
(a) Assessment with respect to costs and benefits on migration to cloud versus in-house tools
(b) Cloud based solution implementation for clients
(c) Assessment on the model of cloud to be deployed and the variants for the same.
(d) Consulting with respect to the migration from traditional facilities to cloud based infrastructure.
(e) Training to the user staff as regards the operating of these facilities;
(f) IT audit of these facilities

Chapter 4: Data Analytics Module - 6 Emerging Technologies
CHAPTER 4:
DATA ANALYTICS
• Data Analytics is defined as the science of examining raw and unprocessed data with the intention of drawing conclusions from the information thus derived.
• It involves a series of processes and techniques designed to take the initial data, sanitize it by removing any irregular or distorting elements, and transform it into a form appropriate for analysis so as to facilitate decision-making.
• In simple terms, data analytics refers to the science of examining raw data with the purpose of drawing conclusions about that information.
• From an accountant's perspective, Data Analytics is a generic term for Computer Assisted Audit Tools and Techniques (CAATTs) and covers the collection of tools, techniques and best practices to access and analyse digital data.
• Data Analytics empowers auditors to use technology to audit digital data, thereby giving access to 100% of the data, and to analyse data to infer insights from information.
• Data Analytics enables auditors to optimise audit time and add value.
There are two types of professionals in the field of Data Analytics.

Data Scientist
• Whose focus is on the use of various statistical techniques on data. He/she is involved in developing intelligent applications, which help users to draw inference from data.
• Developing functionality using memory power and speed of technology, to access and analyse massive amounts of data, is the job of the data scientist.

Data Analyst
• Whose focus is on drawing insights from data from a business perspective. He/she is a business domain expert who uses simple / easily available features of MS Excel, application software, querying tools, utilities or data analytics to access, analyze and interrogate data.
• What query is to be run on what data and how to draw inference as applicable to real life situations is the job of CAs / Data Analysts.
Common Terminologies Used in Data Analytics
1. Data Warehouse
It is electronic storage of a large amount of data collected from varied sources to provide meaningful business insights. It is separate from transactional databases. It is also known as Decision Support Database or Executive Information System. It has three components:
• Data sources from operational systems such as ERP, CRM, SCM, Excel
• Data Staging Area where data is cleaned and ordered
• Data Access Area where data is warehoused & presented
Example: Airlines use it to analyse route profitability, retail chains use it for tracking customer buying patterns, banking uses it to analyse the performance of its products. Data Warehouse is an architecture and Big Data is a technology to handle huge data. If an organization wants to know what is going on in its operations or to plan next year based on current year performance data etc., it is preferable to choose data warehousing as it needs reliable data.
2. Data Marts
These are the subsets of a Data Warehouse used by specific business groups like HR, Finance, Sales, Inventory, Procurement & Resourcing. They are much smaller than Data Warehouses and usually controlled by a specific department.
3. Business Intelligence (BI)
It encompasses a variety of data analysis tools & applications that access the data within the Data Warehouse and create reports & dashboards used in decision making.
4. Database
It is generally used to capture and store data from a single source, such as an invoice of a transactional system. Databases aren't designed to run across very large data sets.
5. Data Lake
It is a central storage for all kinds of structured, semi-structured or unstructured raw data collected from multiple sources, even outside the company's operational systems. Therefore, it is not a good fit for average business analytics but is used as a playground by Data Scientists & other data experts as it allows more types of data analytics. It can be used for text searches, machine learning & real-time analytics.
6. Data Science
It is a combination of three skills: Statistical / Mathematical, Coding & Domain / Business knowledge.
1. Descriptive Analytics: Provides insight based on past information. It is used in report generation, providing basic editor functions along with the horizontal and vertical analysis of financial statements.
2. Diagnostic Analytics: Examines the cause of past results and is used in variance analysis and interactive dashboards to examine the causes of past outcomes.
3. Predictive Analytics: Assists in understanding the future and provides foresight by identifying patterns in historical data. It can be used to predict an accounts receivable balance and collection period for each customer and to develop models with indicators that prevent control failures.
4. Prescriptive Analytics: Assists in identifying the best option to choose to achieve the desired outcome through optimization techniques and machine learning. Prescriptive Analytics is used in identifying actions to reduce the collection period of accounts receivable and to optimize the use of payable discounts.
5. Cognitive Analytics: Proactive action and recognizing patterns using Big Data and AI.

Summary of the four main types:
Descriptive
• What happened? Why did it happen?
• Historical data helps understand past performance & for root cause analysis
• Tools used: Standard Reports, Ad hoc Queries, Statistical Analysis, Graphics etc.
Prescriptive
• How to make it happen?
• Analysis that suggests a prescribed action
• Tools used: Business Intelligence, Heuristic methods, Optimization etc.
Predictive
• What could happen?
• Forecast future performance, events and results using big data
• Tools used: Forecasting, Predictive Modeling
Cognitive
• What to do, why & how?
• Proactive action and recognising patterns
• Tools used: AI, Machine Learning, Neural Networks, Deep Learning, Pattern Recognition

Data Analytics Functions
(Sn. Type of Function: Description. Where to apply.)
1. Column Statistic: Displays column-wise statistics of all numeric data and of numeric, date and character columns. Where to apply: To profile and analyse data at a macro level.
2. Identify Duplicates & Gaps: Identify duplicates in a series of data or display all successive numeric numbers with defined intervals. Where to apply: Identify duplicate POs, duplicate vendor payments, duplicate vendors, payments without descriptions.
3. Same-Same Different: Identify duplicates in a series of data which have certain fields which are common and certain fields which are different. Where to apply: Identify duplicates based on same GSTN but different location, name etc.
4. Pareto: Displays items in two separate tabs of 80:20.
5. ABC Analysis: Displays items in three separate categories as per the percentage given for each category. Where to apply: Profiling payments into High, Medium & Low.
6. Quadrant / Pattern Analysis: Displays items in four quadrants as per the specific percentage given for each category.
7. Relative Size Factor (RSF): Displays the variation between the highest value and the 2nd highest value (in terms of difference and proportion). Where to apply: Deriving the vendor ratio of highest and 2nd highest bill and checking ratios beyond a given "x%".
8. Max Variance Factor (MVF): Displays the variation between the highest and lowest value (in terms of difference and proportion). Where to apply: Deriving the vendor ratio of highest and least bill and checking ratios beyond a given "x%".
9. Benford Law: Displays variance in patterns of numeric data based on Benford Law for the first digit from 1 to 9. It states that lists of numbers from many real-life sources of data are distributed in a specific and non-uniform way: the number 1 appears about 30% of the time; subsequently the number 2 occurs less frequently, then number 3, number 4, all the way down to 9, which occurs less than once in twenty. Where to apply: Identify payments which fall as an exception to Benford's Law.
10. Authentication Check: Compare & verify whether the amounts processed are within the limits and approval hierarchy. Where to apply: Verify Segregation of Duties, instances of exceeding limits.
11. Pivot Table / MIS: Summarizes data by sorting, averaging, or summing and grouping the raw data. MIS can summarise by criteria such as day, day of the week, month etc. Where to apply: Summarise and report payments based on defined rules.
12. Outliers: Displays instances of transactions beyond "x" times the average, mean, standard deviation etc. Where to apply: Identify payments beyond "x" times the average, standard deviation etc.
13. Sounds Like / Soundex / Fuzzy Match: Identify vendors with similar names, which sound the same based on phonetics. Where to apply: Identify duplicate / fake vendors created.
14. Aging Analysis: Computes the difference of two selected date columns & stratifies on specified intervals for the computed date difference. Where to apply: Identify cases of payments made beyond a specified date.
15. Trendlines: Displays a trendline as per different rules configured using sparklines or charts.
16. 3-Way Matching: Displays records after joining data from up to three worksheets based on common / uncommon column values. Where to apply: Identify cases of mismatch between PO, RR and Payment.
17. Analytical Review: Displays the difference between values of two numeric columns in number and in percentage. Where to apply: Analyse the quantitative and other related information.
18. Back-Dated Entries: Identify back-dated entries, duplicates / gaps based on a selected numeric / alphanumeric field related to a date field. Where to apply: Identify instances of prior period payments and other related checks.
19. Beneish M-Score: The Beneish model is a statistical model that uses financial ratios calculated with accounting data of a specific company in order to check if it is likely that the reported earnings of the company have been manipulated. Where to apply: Identify exceptions to the Beneish Score and analyse further.
20. Identify Outliers by Masks: Displays records that do not match a defined mask where 'C' represents characters and 'N' represents numbers. Where to apply: Identify transactions which do not follow a specific pattern.
21. Sampling: Perform sampling by outliers, characters, numeric, risk weightage, statistics, quadrants, clusters, interval. Where to apply: Sample based on exceptions to test the controls and perform substantive procedures.
22. Splitting Vouchers: Multiple vouchers raised on the same date or similar dates which cumulatively are higher than the approval limit.
23. Rounding off: Identify high value and round sum vouchers.
24. Weekend Payments: Identify entries / payments made on weekends. Where to apply: Identify policy exceptions.
25. Vouchers with Blank Reference and Narrations: Identifying vouchers where different fields are blank.
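Two of the functions in the table (Benford Law, row 9, and Splitting Vouchers, row 22), as an added Python example that is not part of the chart book; the voucher list and the approval limit are constructed for the illustration. Benford's expected share of first digit d is log10(1 + 1/d), so a sample this small only demonstrates the mechanics; the test is meaningful on population-sized data.

```python
"""Added example, not from the chart book: two audit analytics functions from the table,
Benford first-digit analysis (row 9) and split-voucher detection (row 22), run over a
constructed list of payment vouchers."""
from collections import Counter, defaultdict
from math import log10
from typing import Dict, List, Tuple

Voucher = Tuple[str, str, str, float]  # (voucher no, date, vendor, amount)

# Constructed sample data for the illustration (not real vouchers).
VOUCHERS: List[Voucher] = [
    ("PV-101", "2023-04-03", "V01", 1450.00),
    ("PV-102", "2023-04-03", "V01", 1800.00),
    ("PV-103", "2023-04-03", "V01", 1950.00),  # three same-day vouchers: 5200 > limit
    ("PV-104", "2023-04-04", "V02", 2300.00),
    ("PV-105", "2023-04-05", "V03", 3100.00),
    ("PV-106", "2023-04-05", "V03", 1200.00),  # same day, but 4300 stays under limit
    ("PV-107", "2023-04-06", "V04", 4700.00),
    ("PV-108", "2023-04-07", "V05", 9500.00),  # single voucher over limit: row 10's check, not a split
    ("PV-109", "2023-04-10", "V02", 2600.00),
    ("PV-110", "2023-04-11", "V06", 1100.00),
]
APPROVAL_LIMIT = 5000.00  # assumed single-voucher approval limit


def benford_expected(d: int) -> float:
    """Benford's expected share of leading digit d: log10(1 + 1/d)."""
    return log10(1 + 1 / d)


def first_digit(amount: float) -> int:
    """Leading significant digit, via scientific notation so 0.05 -> 5 and 1450 -> 1."""
    return int(f"{abs(amount):e}"[0])


def benford_analysis(amounts: List[float],
                     tolerance: float = 0.05) -> Dict[int, Tuple[float, float, bool]]:
    """Observed vs expected first-digit shares; flag digits whose gap exceeds tolerance.
    Zero amounts have no leading digit and are skipped."""
    digits = [first_digit(a) for a in amounts if a != 0]
    counts = Counter(digits)
    n = len(digits)
    report: Dict[int, Tuple[float, float, bool]] = {}
    for d in range(1, 10):
        observed = counts[d] / n if n else 0.0
        expected = benford_expected(d)
        report[d] = (observed, expected, abs(observed - expected) > tolerance)
    return report


def split_vouchers(vouchers: List[Voucher], limit: float) -> Dict[Tuple[str, str], float]:
    """Flag (vendor, date) groups where every voucher is within the limit but the
    day's total exceeds it: the pattern of a payment split to stay under approval."""
    groups: Dict[Tuple[str, str], List[Voucher]] = defaultdict(list)
    for v in vouchers:
        groups[(v[2], v[1])].append(v)
    flagged: Dict[Tuple[str, str], float] = {}
    for key, items in groups.items():
        total = sum(i[3] for i in items)
        if len(items) > 1 and total > limit and all(i[3] <= limit for i in items):
            flagged[key] = round(total, 2)
    return flagged


if __name__ == "__main__":
    for d, (obs, exp, flag) in benford_analysis([v[3] for v in VOUCHERS]).items():
        mark = "  <-- deviates" if flag else ""
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f}{mark}")
    print("split-voucher candidates:", split_vouchers(VOUCHERS, APPROVAL_LIMIT))
```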

Steps involved in applying Analytics on Data
Curate / Cleansing the Data: It refers to transforming data into a standard structure to be usable for data analytics as required. This includes specific functions for cleaning data by removing specific characters, transforming data, deleting specific data and transposing data.
Profile the Data: It refers to the act of analyzing the data contents to get an overall perspective of the data. This helps in validating data at a macro level and assessing whether data is correct and complete.
Analyze the Data: It refers to examining the data in detail to discover essential features by breaking data into specific components by grouping, identifying and reviewing specific features. This includes functions for identifying gaps / duplicates, unique values, outliers, format, and changes between two sets of data, sampling, filtering, splitting data and fuzzy match.
Investigate: It refers to observing or querying the data in detail. This involves systematic examination of data by making a detailed inquiry or search to discover facts and insights to arrive at a conclusion. This includes functions for advanced analysis such as Pareto, ABC, Quadrant, Cluster, MIS, Statistical, querying data; consolidating / collating data, Relative Size Factor, Benford Law and relating, comparing and joining files based on specific criteria.
Document: It refers to automatically documenting functions performed using data analytics software. This includes functions such as rerun, refresh, audit log, indexing, etc.

Examples of Data Analytics software and Testing tools
The value of Data Analytics lies in what it brings through its effective implementation. Data Analytics can be performed using various types of software such as:
MS Excel: Spreadsheet software from Microsoft with various features useful for auditors.
General Audit Software (add-in): Add-in for MS Excel with specific CAAT functions. Examples include eCAAT and Power BI (limited features).
General Audit Software (stand-alone): Data analysis software with specific CAAT functions. Examples include eCAAT, Tableau, Knime, IDEA, ACL etc.
Application Software: Standard and ad-hoc reporting and query features, or specific functionalities designed for auditors. Example: audit modules in certain applications / ERPs have a few Data Analytics features.
Specialized Audit Software: Audit software designed to work with specific software.

Advanced tools for Analytics
Hadoop: Open source distributed storage and processing framework that allows storage and processing of massive amounts of data.
Python programming: Very powerful, open source and flexible programming language that is easy to learn and use and has powerful libraries for data manipulation, management and analysis.
R programming: Open source programming language and environment that provides data scientists with a variety of features for analyzing data.
Matlab: Its simple syntax is easy to learn and resembles C or C++.
Julia: Newer programming language that can fill the gaps with respect to improving visualization and libraries for data analytics.
Examples in Finance
BFSI: Banks and financial services firms use analytics to differentiate fraudulent transactions from legitimate business transactions. By applying analytics and machine learning, they can define normal activity based on a customer's history and distinguish it from unusual behaviour indicating fraud. The analysis systems suggest immediate actions, such as blocking irregular transactions, which stops fraud before it occurs and improves profitability.
Compliance and Regulation: Financial services firms operate under a heavy regulatory framework, which requires significant levels of monitoring and reporting, including deal monitoring and documentation of the details of every trade. This data is used for trade surveillance that recognizes abnormal trading patterns.
Use Cases
Uber uses big data extensively to maintain a database of drivers and customers, calculate the best routes and estimate travel time based on traffic and weather conditions. The company also uses data science to determine surge pricing, which adjusts prices based on demand for rides.

Impact on Audit
Audit firms, both big and small, use data analytics to improve audit quality and add value to their clients. They may either create their own data analytics platforms or acquire off-the-shelf packages. These tools use visual methods to present data, allowing auditors to identify trends and correlations. By extracting and manipulating client data, auditors can better understand the client's information and identify risks. Data analytics tools can turn all the data into pre-structured presentations and generate audit programs tailored to client-specific risks, or provide data directly into computerized audit procedures. Using data analytics for assurance requires an understanding of business processes and of the techniques relevant to specific areas of control, to identify conformances, deviations, exceptions and variances in the digital data being audited.
Financial Statement Assertions can be evaluated by auditors by using data analytics on the relevant digital data. For example, financial data can be evaluated for:
Completeness: Whether all transactions and the resulting information are complete.
Accuracy: Whether all transactions are processed accurately and as intended and the resulting information is accurate.
Validity: Whether only valid transactions are processed, and the resulting information is valid.
Authorization: Whether only appropriately authorized transactions have been processed.
Segregation of duties: Whether controls regarding appropriate segregation of duties and responsibilities as defined by management are working as envisaged.
Compliance: Whether all applicable compliances are complied with, within the required timeframe.
Cut off: Whether only the transactions for the period to which they belong are accounted.
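As an added example (not part of the chartbook), the following shows how four of the assertions above are tested on digital data: completeness as gaps in a sequential voucher series, cut off as dates outside the audit period, authorization as an amount above the approver's delegated limit (or no approver at all), and segregation of duties as the same user preparing and approving. The register, the period and the delegation-of-authority table are constructed.

```python
"""Added example (not part of the chartbook): assertion tests over a constructed
voucher register. Period and approver limits are assumptions."""
from datetime import date

PERIOD_START, PERIOD_END = date(2024, 4, 1), date(2024, 6, 30)   # assumed audit period
APPROVER_LIMITS = {"meera": 50000.0, "ravi": 500000.0}            # assumed delegation of authority

# Constructed register: number, posting date, amount, prepared_by, approved_by.
REGISTER = [
    {"no": 2001, "date": date(2024, 4, 3), "amount": 12000.0, "prepared_by": "anil", "approved_by": "meera"},
    {"no": 2002, "date": date(2024, 5, 9), "amount": 90000.0, "prepared_by": "anil", "approved_by": "meera"},  # above Meera's limit
    {"no": 2004, "date": date(2024, 6, 28), "amount": 3000.0, "prepared_by": "ravi", "approved_by": "ravi"},   # prepared and approved by same user
    {"no": 2005, "date": date(2024, 7, 2), "amount": 15000.0, "prepared_by": "anil", "approved_by": "ravi"},   # posted after period end
    {"no": 2006, "date": date(2024, 6, 30), "amount": 800.0, "prepared_by": "anil", "approved_by": ""},        # no approver recorded
]


def completeness_gaps(register):
    """Completeness: numbers missing from a sequential voucher series (2003 here)."""
    present = {r["no"] for r in register}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def cutoff_exceptions(register, start=PERIOD_START, end=PERIOD_END):
    """Cut off: entries dated outside the period under audit."""
    return [r["no"] for r in register if not (start <= r["date"] <= end)]


def authorization_exceptions(register, limits=APPROVER_LIMITS):
    """Authorization: amount above the approver's limit; an unknown or blank
    approver has a limit of zero, so any amount is an exception."""
    return [r["no"] for r in register if r["amount"] > limits.get(r["approved_by"], 0.0)]


def sod_exceptions(register):
    """Segregation of duties: the same user both prepared and approved."""
    return [r["no"] for r in register
            if r["approved_by"] and r["prepared_by"] == r["approved_by"]]


def run_tests(register):
    return {
        "completeness": completeness_gaps(register),
        "cut_off": cutoff_exceptions(register),
        "authorization": authorization_exceptions(register),
        "segregation_of_duties": sod_exceptions(register),
    }


if __name__ == "__main__":
    for assertion, exceptions in run_tests(REGISTER).items():
        print(f"{assertion:22s} {exceptions}")
```

Note that each test reads the whole register, not a sample; that is what supports the "100% tested" claim discussed under Risks and Challenges, and also why the expectation gap arises: a clean run here only says the register is internally consistent with the assumed limits and period, not that every figure is correct.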

Risks and Challenges
1. The introduction of data analytics for audit firms isn't without challenges to overcome. At present there is no specific regulation or guidance which covers all the uses of data analytics within an audit, and this results in difficulty establishing quality guidelines. Other issues which can arise with the introduction of data analytics as an audit tool include:
2. Data privacy and confidentiality: The copying and storage of client data risks breach. This data could be misused by the firms, or illegal access obtained if the firm's data security is weak or hacked, which may result in serious legal and reputational consequences.
3. Completeness and integrity: The extracted client data may not be guaranteed complete. Specialists are often required to perform the extraction, and there may be limitations to the data extraction where either the firm does not have the appropriate tools or understanding of the client data to ensure that all data is collected. This may especially be the case where multiple data systems are used by a client.
4. Compatibility issues with client systems may render standard tests ineffective if data is not available in the expected formats.
5. Training: The audit staff may not be competent to understand the exact nature of the data and output to draw appropriate conclusions; training will need to be provided, which can be expensive.
6. Insufficient or inappropriate evidence retained on file due to failure to understand or document the procedures and inputs fully. For example, a screen shot on file of the results of an audit procedure performed by the data analytic tool may not record the input conditions and detail of the testing.
7. The data obtained must be held for several years in a form which can be retested. As large volumes will be required, firms may need to invest in hardware to support such storage or outsource data storage, which compounds the risk of lost data or privacy issues.
8. An expectation gap among stakeholders who think that because the auditor is testing 100% of transactions in a specific area, the client's data must be 100% correct.
Professional Opportunities
Organizations in industries across the world are shifting their strategies because of data: Google, Netflix or Amazon, for example. With a data-driven approach in mind, companies are looking to hire people to manage their data and uncover the value and meaning behind the information they are collecting. As such, data-driven career opportunities and careers in data analytics abound for people with data analysis skills.
Chartered Accountants having domain expertise in the field of finance, audit, taxes and compliance should now equip themselves with these tools and skill sets. This will enable them to audit digital data with ease, save time and provide value-added services to clients. Since Analytics is utilized in varied fields, there are numerous job titles which are coming into the picture:
• Analytics Business Consultant
• Analytics Architect / Engineer
• Business Intelligence and Analytics Consultant
• Metrics and Analytics Specialist
• Preparation of MIS and Dashboards including Visualization Solutions
• Monitor tracking of Key Performance Indicators (KPIs) and Key Result Areas (KRAs).

CHAPTER 5:
INTERNET OF THINGS
The Internet of Things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
How it works?
An IoT ecosystem consists of web-enabled smart devices that use embedded processors, sensors and communication hardware to collect, send and act on data they acquire from their environments. IoT devices share the data collected through sensors by connecting to an IoT gateway or other edge device. From these devices the data is either sent to the cloud to be analysed or analysed locally. Sometimes, these devices communicate with other related devices and act on the information they get from one another. The devices do most of the work without human intervention, although people can interact with the devices, for instance to set them up, give them instructions or access the data. The connectivity, networking and communication protocols used with these web-enabled devices largely depend on the specific IoT applications deployed.

Example of an IoT system
[Figure: an IoT system, left to right]
Collect Data: IoT device (e.g. sensor); embedded processors (e.g. microcontroller); communication hardware (e.g. antenna)
Collate and transfer data: IoT hub or IoT gateway
Analyze data, take action: user interface (e.g. smartphone human-machine interface); analytics or business application (e.g. customer relationship management, ERP); back-end systems

Benefits of IoT
The internet of things offers a number of benefits to organizations, enabling them to:
• Monitor their overall business processes;
• Improve the customer experience;
• Save time and money;
• Enhance employee productivity;
• Integrate and adapt business models;
• Make better business decisions; and
• Generate more revenue.
IoT encourages companies to rethink the ways they approach their businesses, industries and markets and gives them the tools to improve their business strategies.
Advantages of IoT
1. Improved business insight and customer experience: Companies use IoT to gain insights into their business operations and improve the customer experience. This helps them fulfill customer needs better. For example, IoT in a shopping environment reduces friction in the buying experience and improves inventory control and supply chain management. This is done by gathering data about popular products and cross-selling opportunities.
2. Efficiency and productivity gains: Ford is using body-tracking technology in a special suit for its workers at a plant in Spain to make data-driven changes to its vehicle production processes, making them safer and more efficient. The technology tracks workers' movements to design less physically stressful workstations.
3. Asset tracking and waste reduction: Closely linked to efficiency and productivity is the drive to reduce waste, to which IoT tracking is integral. The more IoT components in a business operation, the more it stands to benefit from IoT implementation.
4. Cost and downtime reductions: One of the benefits of these new insights is often a reduction in operational expenditure and downtime. For example, the rapid emergence of digital twin technology (digital models of physical assets built from real-time data, either in pure data form or as exportable 3D representations) is a key competitive differentiator in industrial IoT applications.
5. Newer business models: The IoT offers companies the opportunity to gain insights into their customers and their product usage, leading to more efficient and productive processes. It also allows companies to move towards new revenue streams by offering subscription-based services that utilize the connected nature of their products.
Examples in Finance
Inventory Tracking and Management: IoT inventions can help in tracking and managing inventory by giving automatically controlled options. IoT software and devices can be installed in storage units and warehouses, which can help in managing inventory changes while personnel invest their time in more cognitively demanding tasks.
Fraud prevention: Fraud prevention is a primary concern for financial institutions, which constantly invest in and seek new ways of curbing misuse of their offerings. Major financial corporations have already successfully implemented AI-based anti-fraud systems. With fraud prevention having such a high priority, IoT will be a definite game changer in this area. Misuse of debit/credit cards can be prevented by having IoT-enabled security systems at points of use, such as ATMs, which have more personal and secure methods of authorization.
Optimized capacity management: Banks constantly aim to expand their network of offices and ATMs, while managing the existing units with maximum efficiency. Using IoT-enabled monitoring to track the number of customer units per day, the average queue time can be measured to determine the optimal number of personnel and counters at each branch. Decisions regarding new branches can also be made easier by using the distribution data of customers with respect to location. The same can be done to optimize the number and location of cash dispensing machines based on usage.

Use Cases
DeTect: DeTect Technologies is an IoT start-up that offers asset integrity management solutions, including pipeline condition monitoring and structural health monitoring for hard-to-reach assets. Their technology helps reduce productivity losses due to breaches and is used by several Fortune 500 companies.
TagBox: TagBox uses IoT to create sustainable and reliable cold chains, offering comprehensive solutions for real-time visibility of the entire chain, helping reduce product spoilage, meet compliance requirements, cut energy costs, prevent theft and pilferage, and optimize transportation costs.

IoT and Smart Cities


The IoT plays a crucial role in the development of smart cities, which use ICT to address urbanization challenges such as traffic, waste management, and energy consumption. The concept of a smart city involves the convergence of ICT, energy technologies, and environmental considerations in urban and residential environments.
Few Benefits of IoT in creating Smart Cities
• Better management of traffic and reduced congestion on roads
• Improved crime detection and surveillance
• Reduction in pollution
• Savings in power and electricity
• Improved safety for citizens
• Increased efficiency in parking
• Better waste and sewage management

Impact on Audit
IoT-based automation and intelligent systems can ensure that the presence of personnel is detected and their physical appearance checked to confirm that safety measures have been taken care of by the worker; every check conducted leaves an audit trail, and if exceptions are found, alarms are raised with evidence. Once the situation is corrected, the issue or alarm raised can be closed. There may no longer be a need for separate evidence of compliance, as compliance is ensured automatically.
IoT-assisted accounting has the potential to provide CAs with real-time access to transactional data and increase the effectiveness of continuous auditing processes. It can also help with risk evaluation and quick issue assessment and remediation, leading to real-time management for businesses and CAs. This can ultimately lead to more efficient and effective accounting practices.
Quality will hardly need any sample checks, as all the items will go through a compulsory test. Every item would have its own set of quality requirements embedded and would reach out to instruments which can verify a specific parameter; thus, each end product would have its size verified by a machine, based on the specifications embedded.
Documentation is one thing that may be solved on its own, since the workflow or process maps which would be used for automation are themselves good enough documentation. Also, the need for documentation for instructional purposes now gets reduced, since it is the IoT data which drives the processes.
IoT makes it easier for organizations to keep tabs on their resources, in relation to inventory and assets, and that has direct implications for the accountants who are responsible for overseeing the budget and its relation to assets. IoT also helps in reducing the time lapse between an event and its recording, for more timely decision making and facilitating assessment of process-driven activities. With IoT in place, there would be more data, more action, more observation, and a reduction of immediate direct human impact.
Technologies such as drones can help gather evidence to support assertions and perform audits much faster, in fact in real time. This could be used for physical verification of inventory, assessing mines and quarries, etc.

Risks and Challenges
Software updates and patches: The time for a patch to be released may be longer than the typical cycle for non-IoT devices (if a patch is released at all). Enterprises as well as individual consumers can review an IoT vendor's website to determine the frequency of patches and compare the schedule against vulnerability disclosure dates using a Common Vulnerabilities and Exposures (CVE) database. This comparison can provide a level of assurance that third-party software developers have adequate policies regarding vulnerability assessment and patching.
Hardware lifespan: IoT devices have their own life cycle, often with built-in obsolescence. Components like non-replaceable batteries in IoT devices require life cycle planning and asset-management processes specific to IoT.
Security and privacy issues: IoT promises to provide unprecedented and ubiquitous access to the devices that make up everything from assembly lines, health and wellness devices and transportation systems to weather sensors. Unfettered access to that much data poses major security and privacy challenges, including:
• Insufficient authentication/authorization: A huge number of users and devices rely on weak and simple passwords and authorizations. Many devices accept passwords such as "1234".
• Lack of transport level encryption: Most devices fail to encrypt data that is being transferred, even when the devices are using the Internet.
• Insecure web/mobile interface: Most IoT-based solutions have a web/mobile interface for device management or for consumption of aggregated data. This web interface is found to be prone to the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, such as poor session management, weak credentials and cross-site scripting vulnerabilities.
• Default credentials: Most devices and sensors are configured to use the default username/passwords.
• Lack of secure code practices: Services and business logic are developed without adhering to secure coding practices.
• Privacy concerns: Many devices used in healthcare collect personal information, creating privacy risks as they collect and aggregate data. The regular purchase of different foods, for example, could reveal a buyer's religion or health information. This is one of the privacy challenges associated with IoT in healthcare.
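The following is an added example (not part of the chartbook) of how an auditor can turn three of the risks above into repeatable checks over a device inventory: default or weak credentials, a management interface without transport encryption, and patch lag measured as the gap between a vulnerability disclosure date and the audit date for devices still running firmware older than the fix. The inventory, the vendor default list, the advisory dates and the 90-day patching policy are all constructed assumptions; in practice the advisory dates come from a CVE database and the defaults from vendor documentation.

```python
"""Added example (not part of the chartbook): IoT fleet hygiene checks over a
constructed inventory. Vendor defaults, advisories and policy are assumptions."""
from datetime import date

# Constructed vendor default credentials, as collected from vendor documentation.
VENDOR_DEFAULTS = {"CamCo": ("admin", "admin"), "SenseIt": ("root", "1234")}
WEAK_PASSWORDS = {"1234", "12345", "123456", "password", "admin", ""}
PLAINTEXT_PROTOCOLS = {"http", "telnet", "mqtt", "ftp"}   # no transport encryption

# Constructed inventory: one record per device on the network.
INVENTORY = [
    {"id": "cam-01", "vendor": "CamCo", "user": "admin", "password": "admin",
     "mgmt_protocol": "http", "firmware": "2.1"},
    {"id": "env-07", "vendor": "SenseIt", "user": "ops", "password": "Tq7!vL2#kz",
     "mgmt_protocol": "https", "firmware": "5.4"},
    {"id": "env-09", "vendor": "SenseIt", "user": "root", "password": "1234",
     "mgmt_protocol": "mqtts", "firmware": "5.0"},
]

# Constructed advisories: (vendor, disclosure date, first firmware containing the fix).
ADVISORIES = [
    ("CamCo", date(2024, 1, 10), "2.2"),
    ("SenseIt", date(2023, 9, 20), "5.2"),
]

AS_OF = date(2024, 6, 30)      # audit date
MAX_PATCH_LAG_DAYS = 90        # assumed policy: patch within 90 days of disclosure


def version_tuple(v):
    """'5.10' sorts after '5.4' as a tuple, which string comparison gets wrong."""
    return tuple(int(p) for p in v.split("."))


def credential_findings(device):
    """Default-credential test first; otherwise a weak-password test."""
    if VENDOR_DEFAULTS.get(device["vendor"]) == (device["user"], device["password"]):
        return ["default credentials"]
    if device["password"].lower() in WEAK_PASSWORDS or len(device["password"]) < 8:
        return ["weak password"]
    return []


def transport_findings(device):
    if device["mgmt_protocol"].lower() in PLAINTEXT_PROTOCOLS:
        return ["management interface without transport encryption"]
    return []


def patch_findings(device, as_of=AS_OF, max_lag=MAX_PATCH_LAG_DAYS):
    """Patch lag: an advisory for this vendor whose fixed firmware is newer than
    what the device runs, disclosed more than `max_lag` days before the audit date."""
    findings = []
    for vendor, disclosed, fixed_in in ADVISORIES:
        if vendor == device["vendor"] and version_tuple(device["firmware"]) < version_tuple(fixed_in):
            lag = (as_of - disclosed).days
            if lag > max_lag:
                findings.append(f"unpatched {lag} days after disclosure (needs {fixed_in})")
    return findings


def audit_fleet(inventory):
    """Returns {device id: [finding, ...]} for devices with at least one finding."""
    report = {}
    for d in inventory:
        findings = credential_findings(d) + transport_findings(d) + patch_findings(d)
        if findings:
            report[d["id"]] = findings
    return report


if __name__ == "__main__":
    for dev, findings in audit_fleet(INVENTORY).items():
        print(dev, "->", "; ".join(findings))
```

The check never probes a device; it reads an inventory the organization is supposed to maintain, so a device missing from the inventory is itself a finding to raise under the asset-management point above.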
Challenges
There are many challenges facing the implementation of IoT. The scale of IoT application services is large, covers different domains and involves multiple ownership entities. There is a need for a trust framework to enable users of the system to have confidence that the information and services are being exchanged in a secure environment.
• Insecure web interface
• Insufficient authentication/authorization
• Insecure network services
• Lack of transport encryption
• Privacy concerns
• Insecure cloud interface
• Insecure mobile interface
• Insufficient security configurability
• Insecure software/firmware
• Poor physical security
Governance and Controls
IoT solutions are complex. The integration of connected devices and IT services poses major challenges in networking, communication, data volume, real-time data analysis, and security. IoT solutions involve many different technologies and require complex development cycles, including significant testing and ongoing monitoring. To overcome these challenges, IT organizations must:
• Develop a comprehensive technical strategy to address the complexity
• Develop a reference architecture for their IoT solution
• Develop the required skills to design, develop, and deploy the solution
• Define their IoT governance processes and policies
IoT solution governance can be viewed as the application of business governance, IT governance, and enterprise architecture (EA) governance. In effect, IoT governance is an extension of IT governance, specifically focused on the lifecycle of IoT devices, data managed by the IoT solution, and IoT applications in an organization's IT landscape. IoT governance defines the changes to IT governance to ensure the concepts and principles for its distributed architecture are managed appropriately and are able to deliver on the stated business goals.
Professional Opportunities
IoT will bring CAs new opportunities for client service in the areas of business process design and data analysis. Clients will need CAs to help set up accounting and recording systems, such as dashboards that aggregate data received from the IoT. CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry want assurance that information and systems will be private. When the IoT takes off, CAs will be asked to give their professional opinions on the systems that third parties rely on, unlike today where they are only asked for assurance in special circumstances.

CHAPTER 6:
ROBOTIC PROCESS AUTOMATION
Robotic process automation is the term used for software tools that automate human activities that are manual, rule-based and repetitive. They work by replicating the actions of a human interacting with software applications to perform tasks such as data entry and processing standard transactions. It is computer-coded software: programs that perform repeated tasks based on defined rules, and can work across functions and applications. Example: A process of reviewing the approved time sheet, raising the invoice in the ERP to the appropriate client, sending an email to the client and following up as part of receivables management could be automated, as the process is standardised and reasonably repetitive.

✔ RPA is computer-coded software. ✘ RPA is NOT walking, talking auto-bots.
✔ RPA is programs that replace humans performing repetitive, rules-based tasks. ✘ RPA is NOT physically existing machines processing paper.
✔ RPA is a program. ✘ RPA is NOT artificial intelligence or voice recognition and reply software.
A few of the key objectives of implementing RPA are as follows:
• Improve accuracy
• Reduction of monotonous work
• Higher efficiency
• Skill upgradation of personnel
• Cost saving
• Improve customer experience
Examples in Finance
• Banks are using RPA software robots to handle the entire credit card application process, including gathering required documents, credit and background checks, decision making, and card issuance. The process is highly systematic and can be easily managed by the robots.
• RPA software robots can provide significant benefits to e-commerce websites and logistics companies by automating activities such as fetching data from provider databases and tracking shipments for delivery through GPS, without the need for human intervention.
• RPA is being utilized for KYC authentication and updating customer, vendor, and employee documentation. This results in faster processing, error-free results, and increased efficiency.
Use Case: ICICI Bank
Using robotic process automation (RPA), the bank's operations department deployed 200 robotic software programs. The development helped ICICI Bank to process around 10 lakh transactions per day. Today, RPA is helping to process more than 2 million transactions daily.
Impact on Audit
The following are the areas where auditors should concentrate:
• Free up capacity to focus on higher priorities
• Enhance ability to add valuable insight
• Need to develop new testing approaches
• Consider changes to the internal audit staffing model
• Need to understand the technology
• Opportunity to influence control design
• Potential to increase audit efficiency
Risks and Challenges
Robotic Process Automation, like all technology and innovation initiatives, comes with disruption and associated risks.
RPA strategy risks: RPA can drive innovation and competitiveness, but businesses may fail to fully realize its potential due to wrong goals, expectations, or under-resourcing.
Tool selection risks: There is a risk of RPA-washing in the market due to hype, where vendors overstate their automation capabilities. Some may only offer screen-scraping, which can lead to high maintenance and errors. Companies need to carefully choose the right tools for their needs.
Launch/project risks: To mitigate the risks of a failed RPA project launch, organizations need to prevent technical and financial failures. Adopting RPA in departments with high headcounts just to generate more savings can fail due to the large load of changing processes and exception handling.
Operational/execution risks: Operational risks can arise if organizations do not establish a clear operating model when deploying RPA, which can lead to confusion over roles and responsibilities between humans and bots.
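As an added example (not part of the chartbook), the timesheet-to-invoice process from the chapter introduction is written below as a rule-based bot with the properties an auditor's new testing approach looks for: fixed rules, an exception queue for whatever the rules cannot price (the exception handling named under launch risks), an audit log of every decision, and safe re-runs that never raise a second invoice for the same timesheet. The timesheet extract, the rate card and the in-memory "ERP" table are constructed stand-ins; the client e-mail is simulated.

```python
"""Added example (not part of the chartbook): a rule-based invoicing bot over a
constructed timesheet extract. Rate card and ERP table are stand-ins."""

RATE_CARD = {"C-100": 1200.0, "C-200": 1500.0}   # assumed hourly rate per client

# Constructed approved-timesheet extract.
TIMESHEETS = [
    {"id": "TS-1", "client": "C-100", "hours": 40.0, "approved": True},
    {"id": "TS-2", "client": "C-200", "hours": 38.5, "approved": True},
    {"id": "TS-3", "client": "C-300", "hours": 20.0, "approved": True},   # client not on rate card
    {"id": "TS-4", "client": "C-100", "hours": 0.0, "approved": True},    # zero hours
    {"id": "TS-5", "client": "C-200", "hours": 10.0, "approved": False},  # not yet approved
]


class InvoiceBot:
    """One invoice per approved, priceable timesheet; everything else is logged
    and either skipped or queued for a human."""

    def __init__(self, rate_card):
        self.rate_card = rate_card
        self.invoices = {}      # stand-in for the ERP invoice table, keyed by timesheet id
        self.exceptions = {}    # timesheet id -> reason a human must look at it
        self.audit_log = []     # (timesheet id, action, detail), in processing order

    def _log(self, ts_id, action, detail):
        self.audit_log.append((ts_id, action, detail))

    def process(self, timesheets):
        for ts in timesheets:
            # Rule 1: only approved timesheets are billed.
            if not ts["approved"]:
                self._log(ts["id"], "skip", "not approved")
                continue
            # Rule 2: idempotency. A re-run (e.g. after a crash) must not raise a second invoice.
            if ts["id"] in self.invoices:
                self._log(ts["id"], "skip", "already invoiced")
                continue
            # Rule 3: anything the rules cannot price goes to the exception queue, not the ERP.
            rate = self.rate_card.get(ts["client"])
            if rate is None or ts["hours"] <= 0:
                reason = "no rate for client" if rate is None else "zero or negative hours"
                self.exceptions[ts["id"]] = reason
                self._log(ts["id"], "exception", reason)
                continue
            amount = round(ts["hours"] * rate, 2)
            self.invoices[ts["id"]] = {"client": ts["client"], "amount": amount,
                                       "email_sent": True}   # client e-mail is simulated
            self._log(ts["id"], "invoice", f"{ts['client']} {amount}")
        return self.invoices


def run_twice(timesheets):
    """The auditor's re-run test: the same extract processed twice must yield
    the same invoices, and the log must explain every skip."""
    bot = InvoiceBot(RATE_CARD)
    bot.process(timesheets)
    bot.process(timesheets)
    return bot


if __name__ == "__main__":
    bot = run_twice(TIMESHEETS)
    print("invoices  :", bot.invoices)
    print("exceptions:", bot.exceptions)
    for entry in bot.audit_log:
        print(entry)
```

What the auditor tests here is not the code but its evidence: the audit log should reconcile to the invoice table (every "invoice" entry has one ERP row, every ERP row has one entry), the exception queue should be owned by a named person, and a deliberate re-run should add only "already invoiced" entries. A bot that lacks any of these three is the screen-scraping, high-maintenance case warned about under tool selection risks.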
RPA Challenges
Shortage of skilled resources: The demand for RPA is increasing, but there is a shortage of skilled resources in the market. Experienced RPA professionals expect high salaries, which may not be financially viable for some companies.
Lack of proper team structure: Lack of knowledge about processes and sharing of resources between multiple projects can pose risks in achieving set milestones.
Unable to automate end-to-end cases: Some processes require integration with machine learning and OCR engines, but these technologies can be costly and may not always meet business expectations.
Vaguely defined business continuity plans: Organizations may have unrealistic expectations about RPA projects requiring little to no maintenance, but in reality they do require maintenance for identifying new scenarios and issues in production environments, defining execution schedules, and mitigation plans during failures.
Governance and Controls
A governance structure that defines roles and responsibilities for automation activities will help deliver successful RPA initiatives. Key elements include:
Ownership: Involve legal, risk, IT and the other teams that are involved in the process being automated. Include process-specific subject matter experts (SMEs) for insight into the process nuances.
Deployment framework: Calibrate production and development environments to ensure smooth RPA deployment. Ensure IT is aware of RPA-enabled processes. Ensure a change management process is in place.
Operational risk / data security: Create a cross-functional team to clear temporary backlogs in case of bot failure, and maintain people in critical processes for error-free delivery.
Enterprise management: Communicate the benefits: RPA helps to eliminate repetitive, non-value-adding tasks so employees can make a greater impact in their roles. Involve HR to support employees' up-skilling, which increases employee morale and improves productivity. Employees should be prepared to work along with the software robots.
RPA vision/roadmap: Create a center of excellence (COE) early in the journey to accelerate adoption of RPA across the enterprise. Set deadlines for achieving intelligent automation to leverage the full value of automation.
Professional Opportunities
Many exciting new jobs will be created by RPA, as automation will require a new type of skill set. The creation of new types of job opportunities will outweigh the displaced jobs. This research validates the confidence in the creation of new types of industries requiring new kinds of functions and skills.
The McKinsey Global Institute estimated in its December 2017 report that by 2030, automation will drive between 75 and 375 million people to reskill themselves and switch occupations. Robotic Process Automation (RPA) is not replacing accountants but evolving their role and augmenting their effectiveness through automation. It is a progressive, positive, and necessary shift that is creating the digital workspace for accounting and finance professionals to focus on the greatest value they can provide to their organisation.
