Information System and its Components – CA Inter EIS Notes is designed strictly as per the latest syllabus and exam pattern.
Information System and its Components – CA Inter EIS Study Material
Distinguish between RAM and ROM.
| Random Access Memory (RAM) | Read Only Memory (ROM) |
|---|---|
| Volatile in nature: information is lost as soon as power is turned off. | Non-volatile in nature: contents remain intact even in the absence of power. |
| Purpose is to hold programs and data while they are in use. | Used to store a small amount of information for quick reference by the CPU. |
| Information can be read as well as modified. | Information can be read but not modified. |
| Responsible for storing the instructions and data that the computer is using at that present moment. | Generally used by manufacturers to store data and programs, like translators, that are used repeatedly. |
Explain in brief Virtual Memory.
- Virtual Memory is in fact not a separate device but an imaginary memory area supported by some operating systems (for example, Windows) in conjunction with the hardware.
- If a computer lacks the Random Access Memory (RAM) needed to run a program or operation, Windows uses virtual memory to compensate.
- Virtual memory combines the computer’s RAM with temporary space on the hard disk. When RAM runs low, virtual memory moves data from RAM to a space called a paging file.
- Moving data to and from the paging file frees up RAM to complete its work. Thus, virtual memory is an allocation of hard disk space to help RAM.
What do you understand by the term ‘Operating System’? Discuss various operations performed by the Operating System.
- An Operating System (OS) is a set of computer programs that manages computer hardware resources.
- It acts as an interface with computer application programs.
- The operating system is a vital component of the system software in a computer system.
- Application programs usually require an operating system to function; it provides a convenient environment for users to execute their programs.
- Some prominent Operating systems used nowadays are Windows 7, Windows 8, Linux, UNIX, etc. All computing devices run an operating system.
- For personal computers, the most popular operating systems are Microsoft’s Windows, Apple’s OS X, and different versions of Linux.
- Smart phones and tablets run operating systems as well, such as Apple’s iOS, Google Android, Microsoft’s Windows Phone OS, and Research in Motion’s Blackberry OS.
A variety of activities are executed by Operating systems which include:
- Memory Management: Memory management features of the Operating System allow controlling how memory is accessed and maximize available memory and storage.
- Task Management: This facilitates a user to work with more than one application at a time, i.e. multitasking, and allows more than one user to use the system, i.e. time sharing.
- Networking Capability: Operating systems can provide systems with features and capabilities to help connect computer networks, like Linux and Windows 8.
- Logical Access Security: Operating systems provide logical security by establishing a procedure for identification and authentication using a User ID and Password.
- File management: The operating system keeps track of where each file is stored and who can access it, and on that basis it provides file retrieval.
- Performing hardware functions: The Operating System acts as an intermediary between the application program and the hardware by obtaining input from keyboards, retrieving data from disk and displaying output on monitors.
- User Interfaces: Nowadays, Operating Systems are Graphic User Interface (GUI) based, using icons and menus, as in the case of Windows.
- Hardware Independence: The operating system provides Application Program Interfaces (APIs), which application developers use to create application software without needing to understand the inner workings of the OS and hardware. Thus, the OS gives us hardware independence.
Database Management System (DBMS) provides the facility to create and maintain a well organised database for any enterprise. Describe the various advantages of Database Management System used in an organization. (RTP May 2020)
What are the Advantages and Disadvantages of DBMS?
Advantages of DBMS
Major advantages of DBMS are given as follows:
1. Permitting Data Sharing: One of the principal advantages of a DBMS is that the same information can be made available to different users.
2. Minimizing Data Redundancy: In a DBMS, duplication of information or redundancy is, if not eliminated, carefully controlled or reduced, i.e. there is no need to repeat the same data over and over again. Minimizing redundancy can therefore significantly reduce the cost of storing information on hard drives and other storage devices.
3. Data Integrity can be maintained: Data integrity is maintained by having accurate, consistent, and up-to-date data. Updates and changes to the data need only be made in one place in a DBMS, ensuring integrity. The chances of making a mistake increase if the same data needs to be changed at several different places rather than in one place.
4. Achieving program/data independence: In a DBMS, data does not reside in applications but in databases; program and data are independent of each other.
5. User-friendly: DBMS makes data access and manipulation easier for the user. DBMS also reduces the reliance of users on computer experts to meet their data needs.
6. Faster Application Development: Where a DBMS is deployed, application development becomes faster. The data is already there in the databases; the application developer has to think only of the logic required to retrieve the data in the way a user needs.
7. Program and File Consistency: Using a DBMS, file formats and programs are standardized. This makes the data files easier to maintain because the same rules and guidelines apply across all types of data. The level of consistency across files and programs also makes it easier to manage data when multiple programmers are involved.
8. Improved security: DBMSs allow multiple users to access the same data resources which could lead to risk to an enterprise if not controlled. Security constraints can be defined i.e. rules can be built to give access to sensitive data. Some sources of information should be protected or secured and only viewed by select individuals. Using passwords, database management systems can be used to restrict data access to only those who should see it.
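Added example (not from the study material): points 2 and 3 above, redundancy and integrity, shown on a two-table schema in Python's built-in sqlite3. The department name is stored once and referenced by employees, so a rename is one UPDATE in one place, and the DBMS itself rejects a row pointing at a department that does not exist. Table names and rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: the department name lives in one table only and is
# referenced by employees through a foreign key.

def build_db() -> sqlite3.Connection:
    """Create an in-memory database with referential integrity enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE department (
            dept_id   INTEGER PRIMARY KEY,
            dept_name TEXT NOT NULL UNIQUE
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)
        );
    """)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(1, "Accounts"), (2, "IT")])
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(101, "Asha", 1), (102, "Ravi", 1), (103, "Meena", 2)])
    conn.commit()
    return conn

def rename_department(conn, dept_id: int, new_name: str) -> None:
    """One UPDATE in one place; every employee row sees the new name via the join."""
    conn.execute("UPDATE department SET dept_name = ? WHERE dept_id = ?",
                 (new_name, dept_id))
    conn.commit()

def employee_departments(conn) -> list:
    """Shared, non-redundant view: names are looked up, not copied per employee."""
    return conn.execute(
        "SELECT e.name, d.dept_name FROM employee e "
        "JOIN department d ON e.dept_id = d.dept_id ORDER BY e.emp_id"
    ).fetchall()

def insert_employee(conn, emp_id: int, name: str, dept_id: int) -> bool:
    """Return False when the DBMS rejects a row that would break integrity
    (a department that does not exist)."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, name, dept_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False

if __name__ == "__main__":
    db = build_db()
    rename_department(db, 1, "Finance")
    print(employee_departments(db))
    print(insert_employee(db, 104, "Ghost", 99))  # rejected: no department 99
```

Without the PRAGMA, SQLite would silently accept the orphan row; that is the difference between a database file and a DBMS enforcing integrity.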
Disadvantages of a DBMS
1. Cost: Implementing a DBMS system in terms of both system and user training can be expensive and time-consuming, especially in large enterprises. Training requirements alone can be quite costly.
2. Security: Even with safeguards in place, it may be possible for some unauthorized users to access the database. If one gets access to the database, then it could be an all-or-nothing proposition.
Data Warehouse extracts data from one or more of the organization’s databases and loads it into another database for storage and analysis purposes. As a Data Warehouse Manager, determine the design criteria which should be met while designing a Data Warehouse. [MAY 2018; 6 Marks]
The concept of a data warehouse is simple: extract data from one or more of the organization’s databases and load it into the data warehouse (which is itself another database) for storage and analysis.
A data warehouse should be designed so that it meets the following criteria:
It uses non-operational data. This means that the data warehouse is using a copy of data from the active databases that the company uses in its day-to-day operations, so the data warehouse must pull data from the existing databases on a regular, scheduled basis.
The data is time-variant. This means that whenever data is loaded into the data warehouse, it receives a time stamp, which allows for comparisons between different time periods.
The data is standardized. Because the data in a data warehouse usually comes from several different sources, it is possible that the data does not use the same definitions or units. For example, our events table in our Student Clubs database lists the event dates using the mm/dd/yyyy format (e.g., 01/10/2013). A table in another database might use the format yy/mm/dd (e.g., 13/01/10) for dates.
For the data warehouse to match up dates, a standard date format would have to be agreed upon and all data loaded into the data warehouse would have to be converted to use this standard format. This process is called Extraction-Transformation-Load (ETL).
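Added example (not from the study material): the ETL step for the two date formats mentioned above, written in Python. Each source declares its own format, every loaded row is converted to one standard date and stamped with the load time (the time-variant property), and a row whose date does not parse is rejected instead of being loaded. The event rows are constructed for illustration.

```python
from datetime import datetime, timezone

# Source formats follow the notes: Student Clubs uses mm/dd/yyyy, the other
# system uses yy/mm/dd. The rows themselves are constructed.
SOURCE_FORMATS = {
    "student_clubs": "%m/%d/%Y",   # 01/10/2013
    "other_system":  "%y/%m/%d",   # 13/01/10
}

SAMPLE_SOURCES = {
    "student_clubs": [
        {"event": "Chess night", "date": "01/10/2013"},
        {"event": "Hackathon",   "date": "12/05/2013"},
        {"event": "Bad row",     "date": "2013-01-10"},   # not in the declared format
    ],
    "other_system": [
        {"event": "Budget review", "date": "13/01/10"},
        {"event": "Audit kickoff", "date": "13/11/30"},
    ],
}

def standardize_date(value: str, source: str) -> str:
    """Transform: parse the source's own format and emit ISO 8601 (yyyy-mm-dd)."""
    return datetime.strptime(value, SOURCE_FORMATS[source]).date().isoformat()

def etl(sources: dict, load_time=None):
    """Extract rows from every source, transform dates to the standard format,
    and load them into one list, stamping each row with the load time.
    Rows that fail transformation are rejected, not loaded with a bad date."""
    stamp = (load_time or datetime.now(timezone.utc)).isoformat()
    loaded, rejected = [], []
    for source, rows in sources.items():
        for row in rows:
            try:
                loaded.append({
                    "event": row["event"],
                    "event_date": standardize_date(row["date"], source),
                    "source": source,
                    "loaded_at": stamp,
                })
            except ValueError:
                rejected.append({"source": source, "row": row, "reason": "bad date format"})
    return loaded, rejected

if __name__ == "__main__":
    ok, bad = etl(SAMPLE_SOURCES)
    for r in ok:
        print(r["event_date"], r["event"], r["source"])
    print("rejected:", len(bad))
```

After loading, 01/10/2013 from one source and 13/01/10 from the other both read 2013-01-10, which is what makes a comparison across sources and time periods possible.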
Share & Care is a multinational FMCG company having various branches in different cities across the country. The company uses a centralized Data Warehouse to store data of all branches at its headquarters in Mumbai. Elaborate the benefits of a Data Warehouse that may be availed by Share & Care company. (RTP Nov 2020)
Organizations find data warehouses quite beneficial for several reasons:
- The process of developing a data warehouse forces an organization to better understand the data that it is currently collecting and, equally important, what data is not being collected.
- A data warehouse provides a centralized view of all data being collected across the enterprise and provides a means for determining data that is inconsistent.
- Once all the data is identified as consistent, an organization can generate one version of the truth. This is important when the company wants to report consistent statistics about itself, such as revenue or number of employees.
- By having a data warehouse, snapshots of data can be taken over time. This creates a historical record of data, which allows for an analysis of trends.
- A data warehouse provides tools to combine data, which can provide new information and analysis.
What are the Steps involved in the Data Mining process?
The steps involved in the Data Mining process are as follows:
- Data Integration: Firstly, the data are collected and integrated from all the different sources.
- Data Selection: It may be possible that not all the data collected in the first step are required. So, in this step we select only those data which we think are useful for data mining.
- Data Cleaning: The data that are collected are not clean and may contain errors, missing values, or noisy or inconsistent data. Thus, we need to apply different techniques to get rid of such anomalies.
- Data Transformation: The data even after cleaning are not ready for mining as it needs to be transformed into an appropriate form for mining using different techniques like – smoothing, aggregation, normalization etc.
- Data Mining: In this, various data mining techniques are applied on the data to discover the interesting patterns. Techniques like clustering and association analysis are among the many different techniques used for data mining.
- Pattern Evaluation and Knowledge Presentation: This step involves visualization, transformation, removing redundant patterns etc. from the patterns we generated.
- Decisions/Use of Discovered Knowledge: This step helps user to make use of the knowledge acquired to take better decisions.
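Added example (not from the study material): the steps above as one small Python pipeline over purchase records from two sources. Integration, selection, cleaning (empty baskets dropped, a bad age replaced by the median), transformation (min-max normalisation) and mining (support of item pairs, a basic association analysis) are each a function, and pattern evaluation keeps only frequent pairs. Both sources and their rows are constructed.

```python
import statistics
from collections import Counter
from itertools import combinations

# Constructed sources with the usual defects: a non-numeric age, an empty basket.
SOURCE_A = [
    {"cust": 1, "items": ["bread", "milk"],         "age": "34",  "city": "Pune"},
    {"cust": 2, "items": ["bread", "milk", "eggs"], "age": "n/a", "city": "Pune"},
]
SOURCE_B = [
    {"cust": 3, "items": ["milk", "bread"],         "age": "41"},
    {"cust": 4, "items": [],                        "age": "29"},   # nothing bought: noise
    {"cust": 5, "items": ["eggs", "bread", "milk"], "age": "52"},
    {"cust": 6, "items": ["eggs"],                  "age": "23"},
]

def integrate(*sources):
    """Data Integration: pull rows from every source into one collection."""
    return [dict(row, source=i) for i, rows in enumerate(sources) for row in rows]

def select(rows, fields=("items", "age")):
    """Data Selection: keep only the attributes needed for mining."""
    return [{f: row.get(f) for f in fields} for row in rows]

def clean(rows):
    """Data Cleaning: drop empty baskets, coerce bad ages, fill missing ages
    with the median of the valid ones."""
    out = []
    for row in rows:
        if not row["items"]:
            continue
        try:
            age = int(row["age"])
        except (TypeError, ValueError):
            age = None
        out.append({"items": sorted(set(row["items"])), "age": age})
    median = statistics.median([r["age"] for r in out if r["age"] is not None])
    for r in out:
        if r["age"] is None:
            r["age"] = median
    return out

def transform(rows):
    """Data Transformation: min-max normalisation of age to the range 0..1."""
    ages = [r["age"] for r in rows]
    lo, hi = min(ages), max(ages)
    return [dict(r, age_norm=(r["age"] - lo) / (hi - lo)) for r in rows]

def mine_pairs(rows):
    """Data Mining: support of every item pair (simple association analysis)."""
    counts = Counter()
    for r in rows:
        counts.update(combinations(r["items"], 2))
    return {pair: c / len(rows) for pair, c in counts.items()}

def evaluate(patterns, min_support=0.5):
    """Pattern Evaluation: keep only patterns that are frequent enough."""
    return {p: s for p, s in patterns.items() if s >= min_support}

def run_pipeline(*sources, min_support=0.5):
    rows = transform(clean(select(integrate(*sources))))
    return evaluate(mine_pairs(rows), min_support)

if __name__ == "__main__":
    # Use of discovered knowledge: which items are bought together.
    print(run_pipeline(SOURCE_A, SOURCE_B))
```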
What are the important benefits of a Computer Network?
The following are the important benefits of a computer network:
1. User communication: Networks allow users to communicate using e-mail, newsgroups, video conferencing, etc.
2. Reliability: Many critical applications should be available 24x7; if such applications are run across different systems which are distributed across a network, then the reliability of the application would be high.
E.g. In a city, there could be multiple ATM machines so that if one ATM fails, one could withdraw money from another ATM.
3. Distributed nature of information: There would be many situations where information must be distributed geographically. E.g. in the case of a banking company, accounting information of various customers could be distributed across various branches, but to prepare a Consolidated Balance Sheet at the year-end, it would need networking to access information from all its branches.
4. Resource Sharing: Data could be stored at a central location and can be shared across different systems. Even resource sharing could be in terms of sharing peripherals like printers, which are normally shared by many systems. E.g. In the case of a CBS, Bank data is stored at a Central Data Centre and could be accessed by all branches as well as ATMs.
5. Computational Power: The computational power of most of the applications would increase drastically if the processing is distributed amongst computer systems. For example: processing in an ATM machine in a bank is distributed between ATM machine and the central Computer System in a Bank, thus reducing load on both.
Determine the controls that are classified based on the time when they act, relative to a security incident. (RTP Nov. 2018)
The controls per the time that they act, relative to a security incident can be classified as under:
(A) PREVENTIVE CONTROLS:
- These controls prevent errors, omissions, or security incidents from occurring.
- In other words, Preventive Controls are those inputs, which are designed to prevent an error, omission or malicious act occurring.
- Some of the examples of Preventive Controls are as follows:
- Employing qualified personnel;
- Segregation of duties;
- Access control;
- Training and retraining of staff;
- Anti-virus software (sometimes this acts like a corrective control also), etc.;
- Vaccination against diseases;
- Prescribing appropriate books for a course;
- Authorization of transaction;
- Validation, edit checks in the application;
- Examples include simple data-entry edits that block alphabetic characters from being entered in numeric fields, access controls that protect sensitive data/system resources from unauthorized people, and complex and dynamic technical controls such as anti-virus software, firewalls, and intrusion prevention systems.
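Added example (not from the study material): the data-entry edit checks mentioned above, in Python. Each field has a rule (numeric only, fixed length, value from a list, amount within a limit) and a record is rejected before processing if any rule fails. Field names, the limit and the records are constructed.

```python
import re
from decimal import Decimal

# Constructed field rules for a payment record.
MAX_AMOUNT = Decimal("1000000.00")
VALID_CURRENCIES = {"INR", "USD"}

def check_numeric(value: str):
    """Block alphabetic (or any non-numeric) characters in a numeric field."""
    if re.fullmatch(r"\d+(\.\d{1,2})?", value) is None:
        return "must contain only digits with at most two decimals"
    return None

def check_amount(value: str):
    """Format check first, then a reasonableness (limit) check."""
    err = check_numeric(value)
    if err:
        return err
    if Decimal(value) > MAX_AMOUNT:
        return f"exceeds limit of {MAX_AMOUNT}"
    return None

def check_account(value: str):
    return None if re.fullmatch(r"\d{10}", value) else "must be exactly 10 digits"

def check_currency(value: str):
    return None if value in VALID_CURRENCIES else "must be one of " + ",".join(sorted(VALID_CURRENCIES))

RULES = {"account_no": check_account, "amount": check_amount, "currency": check_currency}

def edit_check(record: dict) -> list:
    """Return a list of 'field: problem' strings; an empty list means the record passes."""
    errors = []
    for field, check in RULES.items():
        value = record.get(field)
        if value is None or value == "":
            errors.append(f"{field}: missing")
            continue
        problem = check(str(value))
        if problem:
            errors.append(f"{field}: {problem}")
    return errors

if __name__ == "__main__":
    print(edit_check({"account_no": "1234567890", "amount": "25O0.50", "currency": "INR"}))
```

The letter O in "25O0.50" is exactly the kind of keying error the numeric edit blocks at the source, which is far cheaper than finding it in a reconciliation later.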
(B) DETECTIVE CONTROLS:
- These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence.
- In other words, Detective Controls detect errors or incidents that elude preventive controls.
- Some of the examples of Detective Controls are as follows:
- Cash counts;
- Bank reconciliation;
- review of payroll reports;
- Compare transactions on reports to source documents;
- Monitor actual expenditures against budget;
- Check points in production jobs;
- Duplicate checking of calculations;
- Past-due accounts report;
- The internal audit functions;
- Intrusion Detection System;
- The main characteristics of such controls are given as follows:
(a) Clear understanding of lawful activities so that anything which deviates from these is reported as unlawful, malicious, etc.;
(b) An established mechanism to refer the reported unlawful activities to the appropriate person or group;
(c) Surprise checks by supervisor;
(d) Interaction with the preventive control to prevent such acts from occurring.
- For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities.
- Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation.
- For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.
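Added example (not from the study material): a detective control in Python run over a day's posted transactions, covering several of the items listed above: flagged or inactive accounts, transactions above a user's authorised limit, duplicate postings, and actual expenditure against budget. The accounts, limits, budgets and transactions are constructed.

```python
from collections import Counter, defaultdict

# Constructed day's postings.
TRANSACTIONS = [
    {"txn_id": "T1", "account": "A100", "dept": "Sales", "user": "clerk1", "amount": 5000},
    {"txn_id": "T2", "account": "A200", "dept": "Sales", "user": "clerk1", "amount": 250000},
    {"txn_id": "T3", "account": "A300", "dept": "Admin", "user": "clerk2", "amount": 700},
    {"txn_id": "T4", "account": "A100", "dept": "Sales", "user": "clerk1", "amount": 5000},
    {"txn_id": "T5", "account": "A400", "dept": "Admin", "user": "clerk2", "amount": 60000},
]
INACTIVE_OR_FLAGGED = {"A300"}                       # accounts under monitoring
USER_LIMIT = {"clerk1": 100000, "clerk2": 100000}    # authorised per-transaction limit
BUDGET = {"Sales": 300000, "Admin": 50000}

def detect_exceptions(transactions, watch, limits, budget):
    """Report, not prevent: return (subject, finding) pairs for review."""
    findings = []
    # duplicate checking: same account and amount posted more than once
    dupes = Counter((t["account"], t["amount"]) for t in transactions)
    spent = defaultdict(int)
    for t in transactions:
        spent[t["dept"]] += t["amount"]
        if t["account"] in watch:
            findings.append((t["txn_id"], "flagged/inactive account"))
        if t["amount"] > limits.get(t["user"], 0):
            findings.append((t["txn_id"], "exceeds authorised limit"))
        if dupes[(t["account"], t["amount"])] > 1:
            findings.append((t["txn_id"], "possible duplicate"))
    # budget variance: actual expenditure above budget, reported per department
    for dept, actual in spent.items():
        if actual > budget.get(dept, 0):
            findings.append((dept, f"over budget by {actual - budget.get(dept, 0)}"))
    return findings

if __name__ == "__main__":
    for subject, finding in detect_exceptions(TRANSACTIONS, INACTIVE_OR_FLAGGED, USER_LIMIT, BUDGET):
        print(subject, finding)
```

The control only reports; the decision on each finding (reverse, investigate, accept) is a corrective step and belongs to a person with the appropriate authority.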
(C) CORRECTIVE CONTROLS:
- It is desirable to correct errors, omissions, or incidents once they have been detected.
- Corrective controls are designed to reduce the impact or correct an error once it has been detected.
- Some of the examples of Corrective Controls are as follows:
- Submit corrective journal entries after discovering an error;
- A Business Continuity Plan (BCP);
- Contingency planning;
- Back-up procedure;
- Rerun procedures;
- Change Input value to an application system; and
- Investigate budget variance and report violations.
- Main Characteristics:
- Identifying the cause of the problem;
- Providing remedy to the problems discovered by detective controls;
- Correcting error arising from a problem;
- Minimizing the impact of the threat;
- Getting feedback from preventive and detective controls;
- Modifying the processing systems to minimize future occurrences of the incidents.
- They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.
- Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction.
- These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.
You are Information Technology Consultant to a Firm who is in the process of shortlisting the resources for the controls for the Environmental Exposures- Water Damage and Power Spikes in that firm. Prepare a Checklist for the same. (MTP)
POWER SPIKES: These are caused by a very short pulse of energy in a power line.
Controls for Environmental Exposures: Some of the major ways of protecting the installation against power spikes as follows:
1. Un-interruptible Power System (UPS)/Generator: In case of a power failure, the UPS provides the back up by providing electrical power from the battery to the computer for a certain span of time. Depending on the sophistication of the UPS, electrical power supply could continue to flow for days or for just a few minutes to permit an orderly computer shutdown.
2. Voltage Regulators and Circuit Breakers: These protect the hardware from temporary increases or decreases of power.
3. Emergency Power-Off Switch: When the need arises for an immediate power shut down during situations like a computer room fire or an emergency evacuation, an emergency power-off switch at the strategic locations would serve the purpose. They should be easily accessible and yet secured from unauthorized people.
WATER DAMAGE: Water damage to a computer installation can be the outcome of water pipes burst. Water damage may also result from other resources such as cyclones, tornadoes, floods etc.
Controls for Environmental Exposures: Major ways of protecting the installation against water damage are as follows:
- Wherever possible, have waterproof ceilings, walls and floors;
- Ensure an adequate positive drainage system exists;
- Install alarms at strategic points within the installation;
- In flood-prone areas, locate the installation on the upper floors but not on the top floor;
- Water proofing; and
- Water leakage alarms.
In Information Systems, Logical Access Controls ensure the access to system, data, and program. Discuss various technical exposures on which logical access controls can be implemented. (RTP Nov. 2020)
Recognize all the technical exposures that include unauthorized implementation or modification of data and software. (MTP)
TECHNICAL EXPOSURES: Technical exposures include unauthorized implementation or modification of data and software. Technical exposures include the following:
Bomb: A bomb is a piece of bad code deliberately planted by an insider or supplier of a program. It is triggered by a logical event or is time based. The bomb explodes when the conditions of explosion are fulfilled, causing damage immediately. However, these programs cannot infect other programs. Since these programs do not circulate by infecting other programs, the chances of a widespread epidemic are relatively low.
Data Diddling: This involves changing data before or after it has entered the system. Limited technical knowledge is required to data diddle, and the worst part is that it occurs before computer security can protect the data.
Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts that permit a review of data. They also permit insertion of unauthorized logic.
Christmas Card: It is a well-known example of Trojan and was detected on internal E-mail of IBM system. On typing the word ‘Christmas’, it will draw the Christmas tree as expected, but in addition, it will send copies of similar output to all other users connected to the network. Because of this message on other terminals, other users cannot save their half-finished work.
Worm: A worm does not require a host program like a Trojan to relocate itself. Thus, a Worm program copies itself to another machine on the network. Worms are stand-alone programs, and they can be detected easily in comparison to Trojans and computer viruses. Examples of worms are Existential Worm, Alarm clock Worm etc. The Alarm Clock worm places wake-up calls on a list of users. It passes through the network to an outgoing terminal while the sole purpose of existential worm is to remain alive. Existential worm does not cause damage to the system, but only copies itself to several places in a computer network.
Salami Techniques: This involves slicing small amounts of money from a computerized transaction or account. A Salami technique is slightly different from a rounding technique in the sense that a fixed amount is deducted. For example, in the rounding off technique, Rs. 21,23,456.39 becomes Rs. 21,23,456.40, while in the Salami technique the transaction amount Rs. 21,23,456.39 is truncated to either Rs. 21,23,456.30 or Rs. 21,23,456.00, depending on the logic.
Rounding Down: This refers to rounding of small fractions of a denomination and transferring these small fractions into an authorized account. As the amount is small, it gets rarely noticed.
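Added example (not from the study material): the rounding and truncation from the Salami paragraph worked in Python with exact decimals, followed by the reconciliation an auditor would run to tell them apart. Honest half-up rounding errs in both directions, so a ledger whose posted amounts are always a little short of the entered amounts, with no over-postings, is the pattern to investigate. The Rs. 21,23,456.39 figure is the notes' own; the other ledger entries are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

PAISE_10 = Decimal("0.1")   # quantize to the nearest 10 paise
RUPEE = Decimal("1")        # quantize to whole rupees

def _d(x) -> Decimal:
    """Accept Decimal or string; never build a Decimal from a float."""
    return x if isinstance(x, Decimal) else Decimal(str(x))

def legitimate_rounding(amount, unit=PAISE_10) -> Decimal:
    """Ordinary rounding: .39 -> .40 (half-up). Sometimes up, sometimes down."""
    return _d(amount).quantize(_d(unit), rounding=ROUND_HALF_UP)

def truncation(amount, unit=PAISE_10) -> Decimal:
    """Always toward zero: .39 -> .30 (or .00 with unit=RUPEE). This is the
    shape of a salami slice; modelled only so the reconciliation has a target."""
    return _d(amount).quantize(_d(unit), rounding=ROUND_DOWN)

def sample_ledger() -> list:
    """Constructed entered amounts; the first is the figure from the notes."""
    return [Decimal(x) for x in ("2123456.39", "100.47", "999.99", "50.31")]

def reconcile(original, posted):
    """Detective control: compare entered with posted amounts.
    Returns (total_difference, count_short, count_over)."""
    diffs = [_d(o) - _d(p) for o, p in zip(original, posted)]
    return (sum(diffs, Decimal("0")),
            sum(1 for d in diffs if d > 0),
            sum(1 for d in diffs if d < 0))

def looks_like_salami(original, posted) -> bool:
    """A positive shortfall with no over-postings across several entries."""
    total, short, over = reconcile(original, posted)
    return total > 0 and over == 0 and short >= 2

if __name__ == "__main__":
    entered = sample_ledger()
    print(reconcile(entered, [legitimate_rounding(a) for a in entered]))
    print(reconcile(entered, [truncation(a) for a in entered]))
```

On the sample, rounding leaves a net difference of a few paise in the bank's disfavour with three entries over and one short, while truncation is short on every entry; the sign pattern, not the size, is the tell.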
Spoofing: A spoofing attack involves forging one’s source address. One machine is used to impersonate the other in spoofing technique. Spoofing occurs only after a particular machine has been identified as vulnerable. A penetrator makes the user think that she/he is interacting with the operating system. For example, a penetrator duplicates the login procedure, captures the user’s password, attempts for a system crash and makes the user login again.
Data that is waiting to be transmitted are liable to unauthorized access called ‘Asynchronous Attack’. Explain various types of Asynchronous attacks on data. (Nov. 2018; 4 Marks)
- PIGGYBACKING:
This is the act of following an authorized person through a secured door, or electronically attaching to an authorized telecommunication link that intercepts and alters transmissions. This involves intercepting communication between the operating system and the user and modifying it or substituting new messages.
- WIRE-TAPPING:
This involves spying on information being transmitted over a communication network.
- DATA LEAKAGE:
This involves leaking information out of the computer by means of dumping files to paper or stealing computer reports and tapes.
- SUBVERSIVE ATTACKS:
These can provide intruders with important information about messages being transmitted and the intruder may attempt to violate the integrity of some components in the sub-system.
An internet connection exposes an organization to the harmful elements of the outside world. As a network administrator, which Network Access controls will you implement in the organization to protect from such harmful elements? (Nov. 2019; 6 Marks)
An Internet connection exposes an organization to the harmful elements of the outside world. The protection can be achieved through the following means:
- Policy on use of network services: An enterprise wide policy applicable to internet service requirements aligned with the business need for using the Internet services is the first step. Selection of appropriate services and approval to access them should be part of this policy.
- Enforced path: Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; e.g., internet access by employees will be routed through a firewall and proxy.
- Segregation of networks: Based on the sensitive information handling function, say a VPN connection between a branch office and the head office, this network is to be isolated from the internet usage service.
- Network connection and routing control: The traffic between networks should be restricted, based on identification of source and authentication access policies implemented across the enterprise network facility.
- Security of network services: The techniques of authentication and authorization policy should be implemented across the organization’s network.
- Firewall:
- A Firewall is a system that enforces access control between two networks.
- To accomplish this, all traffic between the external network and the organization’s Intranet must pass through the firewall, which will allow only authorized traffic between the organization and the outside to pass through it.
- The firewall must be immune to penetration from both outside and inside the organization.
- In addition to insulating the organization’s network from external networks, firewalls can be used to insulate portions of the organization’s Intranet from internal access also.
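Added example (not from the study material): the "only authorized traffic" property of a firewall as a first-match rule table with a default of deny, in Python. It covers both points above: the Internet boundary (internal users reach outside only via a proxy, one inbound service exposed) and internal insulation (a finance segment reachable only from within finance). Networks, hosts and ports are constructed.

```python
import ipaddress

# Constructed policy, evaluated top to bottom; first match wins; otherwise deny.
RULES = [
    # internal users reach the Internet only through the proxy
    {"name": "intranet-to-proxy",   "src": "10.0.0.0/8",   "dst": "10.1.1.10/32", "port": 3128, "action": "allow"},
    # the only inbound service exposed to the outside world
    {"name": "inbound-https",       "src": "0.0.0.0/0",    "dst": "10.1.1.20/32", "port": 443,  "action": "allow"},
    # finance segment is reachable from inside finance only
    {"name": "finance-internal",    "src": "10.20.0.0/16", "dst": "10.20.0.0/16", "port": None, "action": "allow"},
    {"name": "finance-from-others", "src": "0.0.0.0/0",    "dst": "10.20.0.0/16", "port": None, "action": "deny"},
]

def evaluate(src: str, dst: str, port: int, rules=RULES):
    """Return (action, rule name) for the first matching rule; deny otherwise.
    port=None in a rule means 'any port'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule["src"])
                and d in ipaddress.ip_network(rule["dst"])
                and (rule["port"] is None or rule["port"] == port)):
            return rule["action"], rule["name"]
    return "deny", "default-deny"

if __name__ == "__main__":
    for flow in [("10.5.5.5", "10.1.1.10", 3128),     # workstation -> proxy
                 ("203.0.113.7", "10.1.1.20", 443),   # Internet -> web server
                 ("203.0.113.7", "10.1.1.20", 22),    # Internet -> ssh: no rule
                 ("10.5.5.5", "10.20.3.3", 445),      # sales -> finance share
                 ("10.20.1.1", "10.20.3.3", 445)]:    # finance -> finance share
        print(flow, evaluate(*flow))
```

The explicit "finance-from-others" deny is not needed for correctness (the default already denies) but an explicit rule is what gets a name in the log, which is how the detective side of the control works.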
- Encryption:
- Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.
- The sender uses an encryption algorithm with a key to convert the original message, called the clear text, into cipher text.
- This is decrypted at the receiving end.
- Two general approaches are used for encryption, viz. private key and public key encryption.
- Call Back Devices:
- It is based on the principle that the key to network security is to keep the intruder off the Intranet rather than imposing security measure after the criminal has connected to the intranet.
- The call-back device requires the user to enter a password and then the system breaks the connection.
- If the caller is authorized, the call back device dials the caller’s number to establish a new connection.
- This limits access only to authorized terminals or telephone numbers and prevents an intruder masquerading as a legitimate user (masquerading: pretending to be someone else).
- This also helps to avoid the call forwarding and man-in-the middle attack.
Mr. A is a System Administrator of the company who must ensure the protection of Operating System used in information system of the company. How can this purpose be achieved? (RTP May 2020)
An operating system allows users and their applications to share and access common computer resources and execute a variety of activities. Hence, protecting operating system access is extremely crucial. Identify various steps through which protection of operating system access can be achieved. (Nov. 2018; 8 Marks)
User identification and authentication:
The users must be identified and authenticated in a foolproof manner. Depending on risk assessment, more stringent methods like Biometric Authentication or Cryptographic means like Digital Certificates should be employed.
Password management system:
An operating system could enforce selection of good passwords. Internal storage of password should use one-way hashing algorithms and the password file should not be accessible to users.
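Added example (not from the study material): what "enforce selection of good passwords" and "one-way hashing" look like in Python. A policy check rejects short, single-class or commonly used passwords; storage keeps only the algorithm name, work factor, a random salt and the PBKDF2-HMAC-SHA256 digest, so the password itself is never on disk, and verification compares digests in constant time. The common-password list is a constructed stand-in for a real deny-list.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a deny-list of known-bad passwords.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "welcome"}
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def is_acceptable(password: str) -> bool:
    """Enforce a minimal policy: length, mixed character classes, not common."""
    return (len(password) >= 12
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password)
            and password.lower() not in COMMON_PASSWORDS)

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store only algorithm, work factor, salt and digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "Correct-Horse-Battery-7"
    record = hash_password(pw)
    print(is_acceptable(pw), record[:40] + "...", verify_password(pw, record))
```

Because the salt is random per user, two users with the same password get different records, and the digest of one cannot be reused to test guesses against another; the iteration count is what makes each guess expensive if the file is ever read despite the access restriction.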
Terminal log-in procedures:
A log-in procedure is the first line of defense against unauthorized access as it does not provide unnecessary help or information, which could be misused by an intruder. When the user initiates the log-on process by entering user-id and password, the system compares the ID and password to a database of valid users and accordingly authorizes the log-in.
If the log on attempt is successful, the Operating System creates an access token that contains key information about the user including user-id, password, user group and privileges granted to the user. The information in the access token is used to approve all actions attempted by the user during the session.
Access Control List:
This list contains information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her user-id and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.
Discretionary Access Control:
The system administrator usually determines who is granted access to specific resources and maintains the access control list. However, in distributed systems, resources may be controlled by the end-user. Resource owners in this setting may be granted discretionary access control, which allows them to grant access privileges to other users. For example, the controller who is the owner of the general ledger grants read-only privilege to the budgeting department, while the accounts payable manager is granted both read and write permission to the ledger.
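Added example (not from the study material): the access token, access control list and discretionary grant described in the last three items, in Python, using the notes' general-ledger scenario. A token carries the user-id, groups and privileges; every action is checked by matching the token's principals against the resource's ACL; and only the resource owner may extend the ACL. The user and group identifiers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessToken:
    """Created by the OS after a successful log-in; consulted for every action."""
    user_id: str
    groups: frozenset
    privileges: frozenset

USERS = {  # user-id -> (groups, privileges); constructed
    "controller":     (frozenset(),                  frozenset({"owner:general_ledger"})),
    "budget_analyst": (frozenset({"budgeting"}),     frozenset()),
    "ap_manager":     (frozenset(),                  frozenset()),
    "auditor":        (frozenset({"internal_audit"}), frozenset()),
}

def issue_token(user_id: str) -> AccessToken:
    groups, privileges = USERS[user_id]
    return AccessToken(user_id, groups, privileges)

def make_acl() -> dict:
    """resource -> principal -> set of operations (the notes' ledger example)."""
    return {
        "general_ledger": {
            "user:controller": {"read", "write"},
            "group:budgeting": {"read"},
            "user:ap_manager": {"read", "write"},
        }
    }

def principals(token: AccessToken) -> list:
    return [f"user:{token.user_id}"] + [f"group:{g}" for g in sorted(token.groups)]

def check_access(token: AccessToken, resource: str, operation: str, acl: dict) -> bool:
    """Match the token's identity and groups against the resource's ACL."""
    entry = acl.get(resource, {})
    return any(operation in entry.get(p, set()) for p in principals(token))

def grant(owner_token: AccessToken, resource: str, principal: str, operations: set, acl: dict) -> None:
    """Discretionary access control: only the resource owner may extend the ACL."""
    if f"owner:{resource}" not in owner_token.privileges:
        raise PermissionError(f"{owner_token.user_id} does not own {resource}")
    acl.setdefault(resource, {}).setdefault(principal, set()).update(operations)

if __name__ == "__main__":
    acl = make_acl()
    print(check_access(issue_token("budget_analyst"), "general_ledger", "write", acl))  # False
    grant(issue_token("controller"), "general_ledger", "group:internal_audit", {"read"}, acl)
    print(check_access(issue_token("auditor"), "general_ledger", "read", acl))          # True
```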
Duress alarm to safeguard users:
If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. [Duress: threat or force used to make somebody do something.]
Terminal time out:
Log out the user if the terminal is inactive for a defined period. This will prevent misuse in absence of the legitimate user.
Limitation of connection time:
Define the available time slot. Do not allow any transaction beyond this time. For example, no computer access after 8.00 p.m. and before 8.00 a.m. – or on a Saturday or Sunday.
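Added example (not from the study material): the terminal time-out and the connection-time limitation above combined in one Python session object. Log-in is refused outside the notes' window (no access after 8.00 p.m., before 8.00 a.m., or on a Saturday or Sunday), and an open session is logged out either when it has been idle too long or when the clock crosses out of the window. The 15-minute idle limit and the sample clock values are constructed.

```python
from datetime import datetime, timedelta

WORK_START_HOUR = 8     # 08:00 inclusive
WORK_END_HOUR = 20      # 20:00 exclusive (no access after 8.00 p.m.)
IDLE_LIMIT = timedelta(minutes=15)   # constructed

def clock(year, month, day, hour, minute=0) -> datetime:
    """Helper so callers can build test instants without importing datetime."""
    return datetime(year, month, day, hour, minute)

def connection_allowed(now: datetime) -> bool:
    """Limitation of connection time: weekdays, 08:00 to 20:00 only."""
    if now.weekday() >= 5:            # 5 = Saturday, 6 = Sunday
        return False
    return WORK_START_HOUR <= now.hour < WORK_END_HOUR

class Session:
    """Terminal session that is logged out when idle or outside the window."""

    def __init__(self, user: str, now: datetime):
        if not connection_allowed(now):
            raise PermissionError("log-in outside permitted hours")
        self.user = user
        self.last_activity = now
        self.active = True
        self.ended_reason = None

    def activity(self, now: datetime) -> bool:
        """Call on every user action; returns False once the session is over."""
        if not self.active:
            return False
        if now - self.last_activity > IDLE_LIMIT:
            self._end("idle time-out")
        elif not connection_allowed(now):
            self._end("outside permitted hours")
        else:
            self.last_activity = now
        return self.active

    def _end(self, reason: str) -> None:
        self.active = False
        self.ended_reason = reason

if __name__ == "__main__":
    s = Session("user1", clock(2024, 1, 10, 9))        # Wednesday 09:00
    print(s.activity(clock(2024, 1, 10, 9, 10)))       # True
    print(s.activity(clock(2024, 1, 10, 9, 40)), s.ended_reason)   # False, idle time-out
```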
Use of system utilities:
System utilities are the programs that help to manage critical functions of the operating system, e.g. addition or deletion of users. Obviously, such utilities should not be accessible to a general user. Use of and access to these utilities should be strictly controlled and logged.
Automated terminal identification:
This will help to ensure that a specified session could only be initiated from a certain location or computer terminal.
Recognize the activities that deal with System Development Controls in an IT Setup. (RTP Nov. 2018)
The six activities discussed below deal with system development controls in IT setup. These are given as follows:
1. System Authorization Activities: All systems must be properly authorized to ensure their economic justification and feasibility. This requires that each new system request be submitted in written form by users to systems professionals who have both the expertise and authority to evaluate and approve (or reject) the request.
2. Technical Design Activities: The technical design activities translate the user specifications into a set of detailed technical specifications of a system that meets the user’s needs.
3. User Specification Activities: Users must be actively involved in the systems development process where in a detailed written descriptive document of the logical needs of the users is created.
4. User Test and Acceptance Procedures: Just before implementation, the individual modules of the system must be tested as a unified whole. A test team comprising user personnel, systems professionals, and internal audit personnel subjects the system to rigorous testing. Once the test team is satisfied that the system meets its stated requirements, the system is formally accepted by the user department(s).
5. Internal Auditor’s Participation: The internal auditor should become involved at the inception of the System Development process to make conceptual suggestions regarding system requirements and controls. Auditor’s involvement should be continued throughout all phases of the development process and into the maintenance phase.
6. Program Testing: All program modules must be thoroughly tested before they are implemented. The results of the tests are then compared against predetermined results to identify programming and logic errors.
A company XYZ is implementing the software using Program Development Life Cycle methodology and applying control phases in parallel to the Development phases to monitor the progress against plan. Being an IT Developer, design the various phases and their controls for Program Development Life Cycle. [May 2019; 6 Marks]
Planning:
Techniques like Work Breakdown Structures (WBS), Gantt charts and PERT (Program Evaluation & Review Technique) charts can be used to monitor progress against plan.
Operation & Maintenance:
Management establishes formal mechanisms to monitor the status of operational programs so that maintenance needs can be identified on a timely basis. Three types of maintenance can be used:
- Repair Maintenance – in which program errors are corrected;
- Adaptive Maintenance- in which the program is modified to meet changing user requirements; and
- Perfective Maintenance – in which the program is tuned to decrease the resource consumption.
A systematic approach to program design, such as any of the structured design approaches or object-oriented design is adopted.
Programmers must choose a module implementation and integration strategy (such as the Top-down, Bottom-up or Threads approach), a coding strategy (that follows the precepts of structured programming), and a documentation strategy (to ensure program code is easily readable and understandable).
Three types of testing can be undertaken:
- Unit Testing – which focuses on individual program modules;
- Integration Testing – which focuses on groups of program modules; and
- Whole-of-Program Testing – which focuses on the whole program.
These tests are to ensure that a developed or acquired program achieves its specified requirements.
The Control phase has two major purposes:
- Task progress in various software life-cycle phases should be monitored against plan and corrective action should be taken in case of any deviations.
- Control over software development, acquisition, and implementation tasks should be exercised to ensure software released for production use is authentic, accurate, and complete.
What are the Major Boundary Control Techniques? (Nov. 18; 2 Marks)
Ans. Major Boundary Control Techniques are as follows:
1. Cryptography: It deals with programs for transforming data into cipher text that is meaningless to anyone who does not possess the authorization to access the respective system resource or file.
A cryptographic technique encrypts data (clear text) into cryptograms (cipher text) and its strength depends on the time and cost to decipher the cipher text by a cryptanalyst.
Three techniques of cryptography are:
- Transposition (permute the order of characters within a set of data),
- substitution (replace text with a key-text), and
- product cipher (combination of transposition and substitution).
2. Passwords: User identification by an authentication mechanism with personal characteristics like name, birth date, employee code, function, designation, or a combination of two or more of these, can be used as a password boundary access control.
3. Personal Identification Numbers (PIN): A PIN is similar to a password. It is assigned to a user by an institution either as a random number stored in its database independently of the user's identification details, or as a customer-selected number. Hence, a PIN may be exposed to vulnerabilities during issuance or delivery, validation, transmission and storage.
4. Identification Cards: Identification cards are used to store information required in an authentication process. These cards are to be controlled through the application for a card, preparation of the card, issue, use and card return or card termination phases.
5. Biometric Devices: Biometric identification e.g. thumb and/or finger impression, eye retina etc. are also used as boundary control techniques.
Explain various types of Data Coding Errors. (May 2018; 4 Marks)
Two types of errors – Transcription and Transposition errors can corrupt a data code and cause processing errors. Any of these errors can cause serious problems in data processing if they go undetected. These simple errors can severely disrupt operations.
(a) Transcription Errors: A transcription error is a special type of data entry error that is commonly made by human operators or by Optical Character Recognition (OCR) programs, such as:
- Addition errors (when an extra digit is added to the code);
- Truncation Errors (when a digit is removed from the code); and
- Substitution Errors (replacement of one digit in a code with another).
(b) Transposition Errors: A transposition error is a simple data entry error that occurs when two digits, either individual or part of a larger sequence of numbers, are reversed (transposed) when posting a transaction.
For example, a sales order for customer 987654 that is transposed into 897654 will be posted to the wrong customer’s account.
A similar error in an inventory item code on a purchase order could result in ordering unneeded inventory and failing to order inventory that is needed.
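As an added example (not from the study material), a Python check that classifies a mis-keyed code into the error categories above, plus a weighted modulus-11 check digit, which is an assumed detection scheme the notes do not name, that catches every one of them; the codes are the page's own 987654 / 897654 and constructed variants:

```python
# Added example: classify data coding errors and detect them with a check digit.

def classify_code_error(expected: str, entered: str) -> str:
    """Return the data coding error category, or 'none' if the codes match."""
    if expected == entered:
        return "none"
    if len(entered) == len(expected) + 1 and any(
            entered[:i] + entered[i + 1:] == expected for i in range(len(entered))):
        return "addition"           # an extra digit was keyed
    if len(entered) == len(expected) - 1 and any(
            expected[:i] + expected[i + 1:] == entered for i in range(len(expected))):
        return "truncation"         # a digit was dropped
    if len(entered) == len(expected):
        diffs = [i for i, (a, b) in enumerate(zip(expected, entered)) if a != b]
        if len(diffs) == 1:
            return "substitution"   # one digit replaced by another
        if len(diffs) == 2 and expected[diffs[0]] == entered[diffs[1]] \
                and expected[diffs[1]] == entered[diffs[0]]:
            return "transposition"  # two digits swapped (adjacent or not)
    return "other"


def check_digit(code: str) -> str:
    """Modulus-11 check digit (assumed scheme): weights n+1 .. 2, left to right.

    Adjacent weights differ by 1, so swapping two digits changes the weighted
    sum by a non-zero amount mod 11 and the transposition is detected.
    """
    n = len(code)
    total = sum(int(d) * (n + 1 - i) for i, d in enumerate(code))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def valid_code(code_with_check: str, length: int) -> bool:
    """True if the body has the expected length and its check digit matches."""
    body, check = code_with_check[:-1], code_with_check[-1]
    return len(body) == length and body.isdigit() and check_digit(body) == check
```

Customer 987654 carries check digit 5, so the transposed entry 8976545 fails validation and is rejected before it can be posted to the wrong account.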
Explain in brief: Line Error Control. (Nov. 2018; 2 Marks)
Whenever data is transmitted over a communication line, it can be received in error because of attenuation, distortion, or noise that occurs on the line. These errors must be detected and corrected.
What is Information System Auditing? What are the four major objectives of IS Auditing? (May 2018; 4 Marks)
IS Auditing is defined as the process of:
- Attesting objectives (those of the external auditor) that focus on asset safeguarding, data integrity; and
- management objectives (those of the internal auditor) that include effectiveness and efficiency both.
This enables organizations to better achieve four major objectives that are as follows:
- Asset Safeguarding Objectives: The information system assets (hardware, software, data information etc.) must be protected by a system of internal controls from unauthorized access.
- Data Integrity Objectives: Data integrity is a fundamental attribute of IS Auditing; the integrity of an organization's data must be maintained at all times. It is also important from the business perspective of the decision maker, competition and the market environment.
- System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet business and user requirements.
- System Efficiency Objectives: To optimize the use of various information system resources (machine time, peripherals, system software and labor) along with the impact on its computing environment.
As an Information Systems (IS) Auditor, you need to keep yourself up-to-date with the latest Audit tools, techniques and methodology to meet the demands of the job. Discuss about various Audit Tools that you should be aware about. (RTP 2018)
Types of Audit Tools: Different types of continuous audit techniques may be used. Some modules for obtaining data, audit trails and evidences may be built into the programs. Audit software is available, which could be used for selecting and testing data. Many audit tools are also available; some of them are described below:
(i) Snapshots:
- Tracing a transaction in a computerized system can be performed with the help of snapshots or extended records.
- The snapshot software is built into the system at those points where material processing occurs.
- It takes images of the flow of any transaction as it moves through the application.
- These images can be utilized to assess the authenticity, accuracy, and completeness of the processing carried out on the transaction.
- The main areas to consider when using such a system are the location of the snapshot points (based on the materiality of the transactions at which the snapshot will be captured) and the design and implementation of the reporting system to present the data in a meaningful way.
(ii) Integrated Test Facility (ITF):
- The ITF technique involves the creation of a dummy entity in the application system files and the processing of audit test data against the entity.
- It is a means of verifying processing authenticity, accuracy, and completeness.
- This test data would be included with the normal production data used as input to the application system.
- In such cases the auditor must decide what would be the method to be used to enter test data and the methodology for removal of the effects of the ITF transactions.
(iii) System Control Audit Review File (SCARF):
- The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system’s transactions.
- The information collected is written onto a special audit file, the SCARF master file.
- Auditors then examine the information contained on this file to see if some aspect of the application system needs follow-up.
- In many ways, the SCARF technique is like the snapshot technique along with other data collection capabilities.
(iv) Continuous and Intermittent Simulation (CIS):
This is a variation of the SCARF continuous audit technique. This technique can be used to trap exceptions whenever the application system uses a database management system. During application system processing, CIS executes in the following way:
- The database management system reads an application system transaction. It is passed to CIS. CIS then determines whether it wants to examine the transaction further. If yes, the next steps are performed or otherwise it waits to receive further data from the database management system.
- CIS replicates or simulates the application system processing.
- Every update to the database that arises from processing the selected transaction will be checked by CIS to determine whether discrepancies exist between the results it produces and those the application system produces.
- Exceptions identified by CIS are written to an exception log file.
- The advantage of CIS is that it does not require modifications to the application system and yet provides an online auditing capability.
(v) Audit Hooks:
- There are audit routines that flag suspicious transactions.
- For example, internal auditors at an insurance company determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her name or address and then subsequently withdrew funds from the policy.
- They devised a system of audit hooks to tag records with a name or address change.
- The internal audit department will investigate these tagged records for detecting fraud.
- When audit hooks are employed, auditors can be informed of questionable transactions as soon as they occur.
- This approach of real-time notification displays a message on the auditor’s terminal.
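As an added example (not from the study material), the insurance audit hook above implemented in Python over a constructed policyholder transaction log: withdrawals that follow a name or address change on the same policy within a review window are tagged, and an optional callback stands in for the message on the auditor's terminal; the policy numbers, dates and 30-day window are assumptions:

```python
# Added example: audit hook that tags withdrawals following a name/address change.
from datetime import date

# Constructed sample transaction log: (policy_no, date, type, amount)
TRANSACTIONS = [
    ("P-1001", date(2019, 3, 1), "ADDRESS_CHANGE", 0),
    ("P-1001", date(2019, 3, 4), "WITHDRAWAL", 15000),
    ("P-1002", date(2019, 3, 2), "WITHDRAWAL", 2000),       # no prior change
    ("P-1003", date(2019, 1, 10), "NAME_CHANGE", 0),
    ("P-1003", date(2019, 3, 15), "WITHDRAWAL", 500),       # change is 64 days old
    ("P-1004", date(2019, 3, 5), "ADDRESS_CHANGE", 0),
    ("P-1004", date(2019, 3, 5), "NAME_CHANGE", 0),
    ("P-1004", date(2019, 3, 6), "WITHDRAWAL", 9000),
]

CHANGE_TYPES = {"NAME_CHANGE", "ADDRESS_CHANGE"}


def audit_hook(transactions, window_days=30, notify=None):
    """Return the records tagged for internal audit follow-up.

    A withdrawal is tagged when the same policy had a name or address change
    at most `window_days` earlier (assumed window). `notify`, if given, is
    called for each tagged record, i.e. the real-time message to the auditor.
    """
    last_change = {}   # policy_no -> date of most recent name/address change
    tagged = []
    for policy, when, ttype, amount in sorted(transactions, key=lambda t: t[1]):
        if ttype in CHANGE_TYPES:
            last_change[policy] = when
        elif ttype == "WITHDRAWAL" and policy in last_change:
            gap = (when - last_change[policy]).days
            if gap <= window_days:
                record = {"policy": policy, "date": when, "amount": amount,
                          "days_since_change": gap}
                tagged.append(record)
                if notify is not None:
                    notify(record)
    return tagged


if __name__ == "__main__":
    for rec in audit_hook(TRANSACTIONS):
        print("AUDIT HOOK:", rec)
```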
Discuss the key activities, which require special attention for auditing the user access provisioning. (May 2019; 4 Marks)
- Access request processes: The IS auditor should identify all user access request processes and determine if these processes are used consistently throughout the organization.
- Access approvals: The IS auditor needs to determine how requests are approved and by what authority they are approved. The auditor should determine if system or data owners approve access requests, or if any accesses are ever denied.
- New employee provisioning: The IS auditor should examine the new employee provisioning process to see how a new employee’s user accounts are initially set up. The auditor should determine if new employees’ managers are aware of the access requests that their employees are given and if they are excessive.
- Segregation of Duties (SoD): The IS auditor should determine if the organization makes any effort to identify segregation of duties. This may include whether there are any SoD matrices in existence and if they are actively used to make user access request decisions.
- Access reviews: The IS auditor should determine if there are any periodic access reviews and what aspects of user accounts are reviewed; this may include termination reviews, internal transfer reviews, SoD reviews, and dormant account reviews.
Explain any four examples of Segregation of Duties (SoD) controls. (Nov. 2019; 4 Marks)
Transaction authorization:
Information systems can be programmed or configured to require two or more persons to approve certain transactions. Many of us see this in retail establishments where a manager is required to approve a large transaction or a refund. In IT applications, transactions meeting certain criteria (for example, exceeding normally accepted limits or conditions) may require a manager's approval to be able to proceed.
Split custody of high-value assets:
Assets of high importance or value can be protected using various means of split custody. For example, a password to an encryption key that protects a highly-valued asset can be split in two halves, one half assigned to two persons, and the other half assigned to two persons, so that no single individual knows the entire password. Banks do this for central vaults, where a vault combination is split into two or more pieces so that two or more are required to open it.
Workflow:
Applications that are workflow-enabled can use a second or third level of approval before certain high-value or high-sensitivity activities can take place. For example, a workflow application that is used to provision user accounts can include extra management approval steps in requests for administrative privileges.
Periodic reviews:
IT or internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist. The access privileges for each worker can be compared against a segregation of duties control matrix.
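As an added example (not from the study material), a Python periodic access review of the kind described here and in the user access provisioning audit above: each worker's privileges are compared against a segregation-of-duties control matrix and every conflicting pair is reported; the functions, users and matrix entries are constructed:

```python
# Added example: compare user access rights against an SoD control matrix.
from itertools import combinations

# Constructed SoD control matrix: pairs of functions one person must not hold together.
SOD_MATRIX = {
    frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),
    frozenset({"ENTER_JOURNAL", "APPROVE_JOURNAL"}),
    frozenset({"REQUEST_ACCESS", "APPROVE_ACCESS"}),
}

# Constructed current user access rights, as pulled from the application.
USER_RIGHTS = {
    "asha":   {"CREATE_VENDOR", "ENTER_JOURNAL"},
    "bala":   {"CREATE_VENDOR", "APPROVE_PAYMENT", "ENTER_JOURNAL"},
    "chitra": {"ENTER_JOURNAL", "APPROVE_JOURNAL", "REQUEST_ACCESS", "APPROVE_ACCESS"},
}


def sod_conflicts(rights, matrix):
    """Return {user: [conflicting (function, function) pairs]} for violating users."""
    findings = {}
    for user, funcs in rights.items():
        # every pair of the user's functions, checked against the matrix
        hits = [(a, b) for a, b in combinations(sorted(funcs), 2)
                if frozenset({a, b}) in matrix]
        if hits:
            findings[user] = hits
    return findings


def review_report(rights, matrix):
    """One line per finding, suitable for the reviewer's working papers."""
    lines = []
    for user, pairs in sorted(sod_conflicts(rights, matrix).items()):
        for a, b in pairs:
            lines.append(f"{user}: holds both {a} and {b}")
    return lines


if __name__ == "__main__":
    print("\n".join(review_report(USER_RIGHTS, SOD_MATRIX)))
```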