lab manuals and case studies - learning.icai.org



Lab Manuals and Case Studies


The Institute of Chartered Accountants of India

Digital Accounting and Assurance Board

(Set up by an Act of Parliament)

New Delhi

Digital Accounting and Assurance Board
The Institute of Chartered Accountants of India
ICAI Bhawan, Hostel Block, 7th Floor
A-29, Sector-62
Noida - 201309, India
Tel (Direct): +91 120 3045992/961
Web: www.icai.org

ISBN - 978-81-8441-995-5

August | 2020 | P2724 (Revised)

INFORMATION SYSTEMS AUDIT 3.0 COURSE




Revised Edition : August, 2020

Committee/Department : Digital Accounting and Assurance Board

Email : [email protected]

Website : www.icai.org/ https://pqc.icai.org

Price : ₹ 750/- (For Complete Set)

ISBN : 978-81-8441-995-5

Published by : The Publication Directorate on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi - 110002

Printed by : Sahitya Bhawan Publications, Hospital Road, Agra – 282 003

August | 2020 | P2724 (Revised)

© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing, from the publisher.

DISCLAIMER

The views expressed in this material are those of author(s). The Institute of Chartered Accountants of India (ICAI) may not necessarily subscribe to the views expressed by the author(s).

The information in this material has been contributed by various authors based on their expertise and research. While every effort has been made to keep the information cited in this material error free, the Institute or its officers do not take responsibility for any typographical or clerical error which may have crept in while compiling the information provided in this material. There are no warranties/claims for ready use of this material as this material is for educational purposes. The information provided in this material is subject to changes in technology, business and regulatory environment. Hence, members are advised to apply this using professional judgement. Please visit the PQC portal for the latest updates. All copyrights are acknowledged. Use of specific hardware/software in the material is not an endorsement by ICAI.


Foreword

The digital revolution is transforming the traditional ways of doing business, necessitating realignment of the profession to leverage the multipliers of digital technology - enhanced efficiency, scale and speed, effectiveness, agility and access to newer markets. In view of the rapid technological changes, it is imperative for Information System Auditors to adapt and be innovative in aiding organizations to improve their control environment and strengthen governance of IT risks. Adoption of emerging technologies will help them to assimilate vast amounts of data and provide value added analysis in the form of data analysis and business intelligence. Chartered Accountants possess a unique blend of systems and process understanding and expertise in controls and governance, and are thereby best suited to be the perfect Information Systems Auditor.

The Institute of Chartered Accountants of India (ICAI), through its Digital Accounting and Assurance Board (DAAB), is continuously monitoring technological developments and taking initiatives to disseminate updated knowledge amongst our members and other stakeholders. In this direction, it is heartening to note that the DAAB is bringing out the next version of “Educational Material” for the Post Qualification Course on Information Systems Audit. This updated and revised Material combines technology, information assurance and information management expertise that enables Chartered Accountants to be advisors and handle assurance assignments.

In this updated course curriculum, various aspects of emerging technologies like Blockchain, Robotic Process Automation, etc., have also been introduced to keep members fully abreast. With its focus on increased practical aspects, case studies and lab manuals at appropriate places, this material is a great learning guide for members aspiring to be Information Systems Auditors.

I compliment CA. Manu Agrawal, Chairman, CA. Dayaniwas Sharma, Vice-Chairman and other members of the Digital Accounting and Assurance Board for taking up this timely initiative and producing next-generation material for the digital era.

I am confident that our members would take benefit of these updated modules of the post qualification course on Information Systems Audit, so as to render their professional responsibilities as Information System Auditors more efficiently and to the highest standards to achieve global recognition.

CA. Atul Kumar Gupta

President, ICAI

Place: New Delhi

Date: April 12, 2020


Preface

Evolution of the digital economy and an ever changing dynamic ecosystem present significant challenges, including new competition, new business and service delivery models, unprecedented transparency, privacy concerns and cyber threats. With a goal to keep members abreast of the impact of emerging technologies, the Digital Accounting and Assurance Board has come out with the updated Post Qualification Course on Information Systems Audit Modules to equip members with a specialised body of knowledge and skill sets so that they become Information Systems Auditors (ISAs) who are technologically adept and are able to utilize and leverage technology to provide reasonable assurance that an organization safeguards its data processing assets, maintains data integrity and achieves system effectiveness and efficiency. This updated syllabus facilitates a high level understanding of the role and competence of an IS Auditor to analyse, review, evaluate and provide recommendations on identified control weaknesses in diverse areas of information systems deployment.

The Revised Modules of the Post Qualification Course on Information Systems Audit have a specific objective, i.e., “To provide relevant practical knowledge and develop skills for planning and performing various types of assurance or consulting assignments in the areas of Governance, Risk management, Security, Controls and Compliance of Information Systems.” The core of DISA 3.0 lies in inculcating competence to add to the service delivery of the members. The updated course would help members to apply the appropriate strategy, approach, methodology and techniques for auditing information systems and to perform IS Assurance and consulting assignments by using relevant best practices, IS Audit standards, frameworks, guidelines and procedures.

The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies and lab manuals, and project work in addition to classroom lectures. This updated background material also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO CAAT software, useful checklists and sample audit reports. A new Module on “Emerging Technology and Audit” has been added which covers Information System Assurance and Data Analytics, Assurance in the Block chain Ecosystem, and Embracing Robotic Process Automation in Assurance Services. In addition to this, Artificial Intelligence and Internet of Things (IoT) have also been inducted into the new modules.

We would like to take this opportunity to place on record our deep appreciation for the efforts put in by the Convener, Dr. Onkar Nath, as well as the authors and reviewers of the various modules, viz., CA Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale, CA Pranay Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh Maheshwari, CA Narasimhan Elangovan and CA Atul Kumar Gupta. It would also be appropriate to express our thanks to all the ISA faculties for giving their inputs/ suggestions for the implementation of DISA 3.0.


We would like to express gratitude to CA. Atul Kumar Gupta, President, ICAI, and CA. Nihar Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement to the initiatives of the Board. We would also like to place on record our gratitude to all the Board members, co-opted members and special invitees for providing their valuable guidance and support in this initiative of the Board. We also wish to express our sincere appreciation to CA. Amit Gupta, Secretary, DAAB, and Ms. Nishi Saraf, Section Officer, for their untiring efforts in the finalization of the updated Modules.

We are sure that these updated Modules on Post Qualification Course on Information Systems Audit would be of immense help to the members and enable them to enhance service delivery not only in compliance, consulting and assurance of IT services, but also provide new professional avenues in the areas of IT Governance, Cyber Security, Information System Control and assurance services.

CA. Manu Agrawal
Chairman
Digital Accounting and Assurance Board

CA. Dayaniwas Sharma
Vice-Chairman
Digital Accounting and Assurance Board


Contents

Module 1 Case Study 1: IT Enabled Assurance Services 1
Module 1 Lab Manual 1: Audit Planning 5
Module 1 Case Study 2: CAAT 7
Module 1 Lab Manual 2: IS Audit Report 9
Module 2 Case Study 3: Governance 13
Module 2 Lab Manual 3: Asset Classification & Criticality 18
Module 2 Case Study 4: BCP / DRP 22
Module 2 Lab Manual 4: Risk Assessment and Treatment 26
Module 3 Case Study 5: SDLC 33
Module 3 Lab Manual 5: Input Validation 38
Module 3 Case Study 6: Testing 40
Module 3 Lab Manual 6: RACI Matrix & Threat Modelling 44
Module 4 Case Study 7: Healthcare system implementation 51
Module 4 Lab Manual 7: User Management and Security Policies 56
Module 4 Case Study 8: Help Desk Function / Password Management 65
Module 4 Lab Manual 8: SQL 68
Module 5 Case Study 9: Information Security Management 80
Module 5 Lab Manual 9: Security Controls, Auditing and Firewall Configuration 85
Module 5 Case Study 10: Data Centre Security 98
Module 5 Lab Manual 10: Hygiene Check 101
Glossary 103


MODULE 1


Case Study 1 IT Enabled Assurance Services

Scenario

AIA Aircrafts Ltd., a Company engaged in the manufacturing of private jets and aviation accessories, has implemented a newly conceptualized Firewall System over its legacy ERP Suite. The company has appointed an IS Auditor to audit the effectiveness of the Firewall system along with its interfaces with the ERP System. There were multiple Firewalls installed at the Company, but the one placed between the company intranet and the internet is in question and has some issues.

Initially the Firewall audit was not in the plan but was included at the last moment at the request of the auditee. The IS Auditor included the same in the scope of the audit and finally agreed to conduct the audit.

The IS Auditor, while carrying out the IS Audit, was verifying a sample of Firewall Operation Logs and found that 2 users were constantly trying to access a particular external source, which was denied by the Firewall system as per the security policy of the company. The Auditor immediately issued an audit finding and went to seek explanations from the management.

Moreover, while verifying the Firewall Operation Logs further, he observed that a particular site was not blocked by the Firewall which, ideally, should have been blocked as per the company’s security policy. When it came to the notice of IT Management, they immediately re-configured the Firewall and corrected it.
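The log review described in this scenario, as an added example that is not part of the ICAI material: it parses a constructed sample of firewall operation log entries, reports user/destination pairs with repeated denials (the control working, which calls for expanding the sample before raising a finding) and reports blocklisted destinations the firewall nevertheless allowed (a configuration gap against policy). The log format, policy list, user ids and hostnames are all constructed for illustration.

```python
"""Review of firewall operation logs against the company's destination policy,
modelled on the AIA Aircrafts scenario in Case Study 1.

Added example, not part of the ICAI material. The log format, policy list,
user ids and destinations below are constructed for illustration.
"""
from collections import Counter, defaultdict
import re

# Constructed sample of firewall operation log lines (one event per line).
SAMPLE_LOG = """\
2020-08-03T09:01:12 user=u1021 dst=files.example-share.net action=DENY rule=POL-07
2020-08-03T09:01:40 user=u1021 dst=files.example-share.net action=DENY rule=POL-07
2020-08-03T09:02:05 user=u1021 dst=files.example-share.net action=DENY rule=POL-07
2020-08-03T09:03:22 user=u1044 dst=files.example-share.net action=DENY rule=POL-07
2020-08-03T09:03:50 user=u1044 dst=files.example-share.net action=DENY rule=POL-07
2020-08-03T09:04:10 user=u1044 dst=files.example-share.net action=DENY rule=POL-07
2020-08-03T09:05:00 user=u1102 dst=erp.intranet.local action=ALLOW rule=ERP-01
2020-08-03T09:06:31 user=u1102 dst=video.example-stream.tv action=ALLOW rule=DEFAULT
2020-08-03T09:07:15 user=u1088 dst=supplier-portal.example.com action=ALLOW rule=VENDOR-02
"""

# Constructed policy: destinations the security policy says must be blocked.
POLICY_BLOCKLIST = {"files.example-share.net", "video.example-stream.tv"}

# Repeated denied attempts at or above this count are worth an observation.
REPEAT_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>ALLOW|DENY) rule=(?P<rule>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are counted, not silently dropped."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            malformed.append((lineno, line))
    return events, malformed


def repeated_denials(events, threshold=REPEAT_THRESHOLD):
    """(user, destination) pairs denied at least `threshold` times.

    The firewall enforced the policy here, so this is a user-behaviour
    observation: the auditor expands the sample before raising a finding.
    """
    counts = Counter((e["user"], e["dst"]) for e in events if e["action"] == "DENY")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def policy_gaps(events, blocklist=POLICY_BLOCKLIST):
    """Blocklisted destinations the firewall nevertheless ALLOWed, with the rule that let them through.

    This is a control failure: the configuration does not implement the policy.
    """
    gaps = defaultdict(set)
    for e in events:
        if e["action"] == "ALLOW" and e["dst"] in blocklist:
            gaps[e["dst"]].add(e["rule"])
    return {dst: sorted(rules) for dst, rules in gaps.items()}


def review(text=SAMPLE_LOG):
    """Run both checks over a log sample and return the results as one dict."""
    events, malformed = parse_log(text)
    return {
        "events": len(events),
        "malformed": len(malformed),
        "repeated_denials": repeated_denials(events),
        "policy_gaps": policy_gaps(events),
    }


if __name__ == "__main__":
    result = review()
    print(f"{result['events']} events parsed, {result['malformed']} malformed")
    for (user, dst), n in result["repeated_denials"].items():
        print(f"OBSERVATION: {user} denied {n}x to {dst} (control effective; expand sample)")
    for dst, rules in result["policy_gaps"].items():
        print(f"FINDING: {dst} is blocklisted but allowed by rule(s) {', '.join(rules)}")
```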

Discussion Points

1. What to do and how to audit a firewall during an audit process

2. Roles and responsibilities of an auditor during the audit process

3. Meaning of professional independence may also be discussed.

Questions

As an IS auditor performing the IS audit, respond to the following:

1. What should an IS Auditor do FIRST, when he observes that two users are constantly trying to access some external sources?


A. Issue an Audit Finding

B. Inform the management and expand the sample to get further evidence.

C. Seek Explanations from Management

D. Ask for clarification from the Firewall Vendor

2. An IS Auditor found one security loophole in the System. However, when the IT Management got to know about it, they immediately corrected it. The IS Auditor should:

A. Include the same in his Audit Report.

B. Not include it in the Audit Report as the same has been corrected.

C. Not include it in the Audit Report but discuss the same in the Exit Interview for recommendation.

D. Not include it in the Audit Report and send a letter of appreciation to IT Management.

3. The IS Auditor rightly found one weakness in the Firewall implementation and recommended the name of a technical expert to address the weakness. The IS Auditor has failed to maintain:

A. Professional Competence

B. Organizational Independence

C. Professional Independence

D. Personal Competence

Guidelines to Faculty

1. Students may be reminded of the roles and responsibilities of an auditor

2. Basics of Firewall

3. Coverage Area: IS Auditor’s Roles and responsibilities.

4. In all questions, explanation of each incorrect option may be given in a properly delineated form for easy understanding.

5. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

6. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 1 Audit Planning

Learning Objective

To make an effective audit plan covering different aspects of the IS Audit process - audit charter, audit planning, audit universe, risk-based audit approach, IS Audit standards, guidelines, regulations, procedures and audit reporting.

Scenario

A Bank data centre is manned by around 400 people, out of whom 250 are from an outsourced company. There are 50 applications running, including their core banking solution. Around 100 plus network devices like firewalls, IDS, IPS, routers, switches, gateways etc. are there along with 500 plus high end servers. Appropriate communication lines with all required redundancies are present. The asset register maintained by the bank is not updated and has not been reviewed for the last two years. You will not get an idea of the location and ownership of assets from this information. There is a Network operation centre (NOC), a building management system (BMS) and a security operation centre (SOC) separately placed alongside the data centre. All infrastructure is managed by the outsourcing agency.

They are having issues with the access control mechanism. Menu access is not controlled by any authorization matrix. Anybody can access any menu in the core banking system. A system of frisking is there but is not regular. The Bank’s data centre needs a biometric access system, but the management feels that implementing biometric control to regulate entry of people into the data centre will be too costly and complex for them. Therefore, they plan to appoint an extra security guard as a compensatory control, who is instructed to allow into the DC only those people having an appropriate access card and also to maintain a register recording access details, which is supervised by the security officers. Three cases of violation of logical access control happened in the recent past, which were recorded in the incident register but no follow-up action was taken.

In the data centre, the testing team and development team share the same server, and at times, with the permission of the system administrator, they access the production system and implement the program. There is no librarian to maintain version control. The change management system is also not application driven and is done manually. User access review is done once a year. The DBA team controls the patch management system and the network management team takes care of the anti-malware system. There are also issues with the management of backup tapes and blank tapes.


Activity-1: (Audit Plan)

You have to prepare an audit plan to cover the information system audit of this Bank data centre with the specific goal of covering infrastructure audit and the access control system (physical & logical), including the scope of the audit. There is a need to outline the audit methodology as well.

Purpose : E.g., Assurance of IT General Controls

Scope : Specific process/ controls being audited

Objectives : Gather, evaluate, adequate and relevant audit evidence to form an audit opinion on the reliability of information systems

Criteria : Regulatory requirement

Legal Requirement

Auditing Standards/ Frameworks

Company’s IT/IS policies

Audit dates : From (dd/mm/yyyy) to (dd/mm/yyyy)

Audit Team : Audit Leader, Auditor’s name

Key Personnel : Audit committee chair, Process owner etc.

Audit Agenda : Detailed plan

Hardware and Software Requirements:

Laptop with Windows 10 and MS-Office 2010 or Office 365

Step-by-Step Activities:

Activity to be performed in a group (4 or 5 groups depending on number of participants).

Each group will present the output within 5 minutes presentation.


Case Study 2 CAAT

Scenario

The IS Auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment, and accordingly will assess management’s review and testing of the general IT controls. Areas to be assessed include logical and physical security, change management, operations control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work so that sufficient time should be available. It should be noted that in previous years, problems have been identified and reported in the areas of logical security and change management. Hence these areas would most likely require some degree of remediation. Logical security deficiencies noted include the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies include improper segregation of incompatible duties and failure to document all changes. Additionally, the process of deploying operating system updates to servers was found to be only partially effective. The Chief Information Officer directed the IS Auditor to report to him directly. The CIO also instructed the IT department to make changes in the process flow. Accordingly, the actions were taken and approved by the relevant process owners as well as the CIO, and then forwarded to the IS auditor for examination.

Discussion points

1. Various types of CAATs

2. Uses of CAATs in continuous audit

3. Change Management process.

Questions

1. What should the IS auditor do first?

A. Perform an IT Risk assessment

B. Perform a survey audit of logical access control

C. Revise the Audit plan to focus on risk-based auditing

D. Begin testing controls that the IS Auditor feels are most critical


2. While auditing program change management, how should the sample be selected?

A. Change management documents should be selected at random and examined for appropriateness

B. Changes to production code should be sampled and traced to the appropriate authorizing documents

C. Change management documents should be selected based on system criticality and examined for appropriateness

D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

3. The most appropriate CAAT tool the auditor should use to test security configuration settings for the entire application system is:

A. Generalised Audit Software (GAS)

B. Test data

C. Utility software

D. Expert system.

Guidelines to Faculty

1. Various types of CAATs may be explained again, if necessary

2. Change management process may also be explained.

3. Coverage area: Change Management and CAAT Tools

4. In all questions, explanation of each incorrect option may be given in a properly delineated form for easy understanding.

5. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

6. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 2 IS Audit Report

Learning Objective

To write an IS Audit report covering essential information, applicable general IT controls & application controls, and maintaining quality.

Scenario

A Bank data centre is manned by around 400 people, out of whom 250 are from an outsourced company. There are 50 applications running, including their core banking solution. Around 100 plus network devices like firewalls, IDS, IPS, routers, switches, gateways etc. are there along with 500 plus high end servers. Appropriate communication lines with all required redundancies are present. The asset register maintained by the bank is not updated and has not been reviewed for the last two years. You will not get an idea of the location and ownership of assets from this information. There is a Network operation centre (NOC), a building management system (BMS) and a security operation centre (SOC) separately placed alongside the data centre. All infrastructure is managed by the outsourcing agency.

They are having issues with the access control mechanism. Menu access is not controlled by any authorization matrix. Anybody can access any menu in the core banking system. A system of frisking is there but is not regular. The Bank’s data centre needs a biometric access system, but the management feels that implementing biometric control to regulate entry of people into the data centre will be too costly and complex for them. Therefore, they plan to appoint an extra security guard as a compensatory control, who is instructed to allow into the DC only those people having an appropriate access card and also to maintain a register recording access details, which is supervised by the security officers. Three cases of violation of logical access control happened in the recent past, which were recorded in the incident register but no follow-up action was taken.

In the data centre, the testing team and development team share the same server, and at times, with the permission of the system administrator, they access the production system and implement the program. There is no librarian to maintain version control. The change management system is also not application driven and is done manually. User access review is done once a year. The DBA team controls the patch management system and the network management team takes care of the anti-malware system. There are also issues with the management of backup tapes and blank tapes.


Activity - 2: (Audit Report)

For the same scenario as mentioned above, please prepare an IS Audit report. You should use the format given below and follow the guidelines as stated:

(a) The detailed Audit report should contain a minimum of these columns: control description, audit methodology, observations, impact, risk category (CIA), risk ranking (Very High / High / Medium / Low / Negligible) and recommendations.

(b) You should cover the aspects of organizational structure and IS security policy in the report.

(c) Your findings should cover a minimum of ten technical controls (you may consider controls based on the above scenario).

(d) You also have to consider applicable laws and regulations while preparing the audit report.

Some of the formats are attached:

1. Format of the report

2. Content of the report

3. Coverage of various controls

Hardware and Software Requirements:

Laptop with Windows 10 and MS-Office 2010 or Office 365

Step-by-Step Activities:

Activities to be performed in a group (4 or 5 groups depending on number of participants).

Each group will present the output within 5 minutes presentation.

Sample Formats

1. Classification Criteria for Risk

Classification : Implication

Very High : Breach could result in financial losses, or in exceptionally grave injury to individual or the organization, and the business process will fail

High : Breach could result in very serious loss or injury, and the business process could fail

Medium : Breach could result in serious loss or injury, and the business process could be negatively affected

Low : Breach could result in minor loss or injury

Negligible : Breach could result in little or no loss or injury

2. Summary Table of Number of Observations classified by Risk

Audit Area / Name of Application : Core Banking Application Name

Very High : 2

High : 4

Medium : 3

Low : 1

Negligible : 0

Total : 10

3. Graphical Distribution of Observations

[Bar chart “Alerts Distribution”: number of observations (0 to 4) per risk category: Very High, High, Medium, Low, Negligible]

The observations have been classified into five categories based on their Risk / Implication viz., ’Very High’, 'High', 'Medium', 'Low' and ‘Negligible’. This classification is subjective and is based on the business criticality, desired correction timeline and on the judgment of the Business / Infosec team who performed this review.

4. Sample list of summary observations for Core Banking Application:

1. Privileged access menu links were accessible from a low profile user id (Junior Officer Role). Severity: High

2. There are 48 generic users available in the system with privileged access like administrator. Severity: High

3. Menus could be accessed directly without any authentication. Severity: High


5. Sample format of Audit Report

Sr. No. : 1

Control Objective (Issue Heading) : User Access Control

Audit Procedures : (Inspection, Observation, Inquiry, Confirmation, Recalculation, Re-performance, Analytical procedures)

Risk Ranking (VH/H/M/L/N) : H

Observation : It was observed that privileged access menu links for admin modules and authorization were accessible from low profile user ids (e.g. clerk, Junior Officer etc.). The application doesn’t validate access privileges at the server level; all the restricted pages could be accessed directly after login with a low profile user id.

Impact on C, I, A : C, I, A. A malicious user would gain access to privileged menus and carry out nefarious activities on the core banking application.

Recommendation : The application should validate the user’s privileges on each privileged access link before processing the request.

Evidences: <Give reference to the Screen Prints here>
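The observation and recommendation above, as an added example that is not code from the ICAI material or from any banking product: a weak dispatcher that only hides menu links (the condition observed) beside a hardened one that validates the user's role against every privileged page on the server before processing (the recommendation), plus the auditor's re-performance test of requesting each restricted page as a low-profile user. Roles, page paths and user ids are constructed for illustration.

```python
"""Server-side authorization for privileged menus in a core banking application,
illustrating the 'User Access Control' observation in the sample audit report.

Added example, not code from the ICAI material or from any real banking product.
Roles, page paths and users below are constructed for illustration.
"""

# Constructed route-to-role map: which roles may invoke each page.
# A page missing from this map is served to nobody (default deny).
ROUTE_PERMISSIONS = {
    "/home": {"clerk", "junior_officer", "branch_manager", "admin"},
    "/accounts/view": {"clerk", "junior_officer", "branch_manager", "admin"},
    "/admin/users": {"admin"},
    "/admin/authorize-txn": {"branch_manager", "admin"},
    "/admin/limits": {"admin"},
}

# The privileged pages the auditor will attempt with a low-profile user.
RESTRICTED_PAGES = [p for p in ROUTE_PERMISSIONS if p.startswith("/admin/")]


class Forbidden(Exception):
    """Raised when a server-side authorization check fails."""


def render_menu(user):
    """Both builds hide links the user may not use; hiding alone is not a control."""
    return sorted(p for p, roles in ROUTE_PERMISSIONS.items() if user["role"] in roles)


def handle_page(page):
    """Stands in for the page's business logic."""
    return f"served {page}"


def weak_dispatch(user, page):
    """As observed in the audit: only the menu is filtered. The handler trusts
    the client to request only the links it was shown, so any logged-in user
    who types the URL directly is served the privileged page."""
    if page not in ROUTE_PERMISSIONS:
        raise KeyError(page)
    return handle_page(page)


def hardened_dispatch(user, page):
    """As recommended: the server validates the user's privilege against the
    requested page on every request, before any processing, default deny."""
    allowed_roles = ROUTE_PERMISSIONS.get(page, set())
    if user["role"] not in allowed_roles:
        raise Forbidden(f"{user['id']} ({user['role']}) -> {page}")
    return handle_page(page)


def reperformance_test(dispatch, user, pages=RESTRICTED_PAGES):
    """Auditor's re-performance: request each restricted page as the given user
    and return the pages that were served. For a low-profile user, a non-empty
    result is the evidence behind the observation; empty means the control held."""
    served = []
    for page in pages:
        try:
            dispatch(user, page)
            served.append(page)
        except Forbidden:
            pass
    return served


JUNIOR_OFFICER = {"id": "jo-0421", "role": "junior_officer"}  # constructed test user

if __name__ == "__main__":
    print("menu shown to junior officer:", render_menu(JUNIOR_OFFICER))
    print("weak build, restricted pages served:", reperformance_test(weak_dispatch, JUNIOR_OFFICER))
    print("hardened build, restricted pages served:", reperformance_test(hardened_dispatch, JUNIOR_OFFICER))
```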


MODULE 2


Case Study 3 Governance

Scenario

A small organization’s structure consists of the following hierarchy:

The board has approved development of Customer Relationship Management (CRM) software by the in-house application programmer. In the absence of a full time CTO, the CFO has been entrusted to monitor the progress of the software being developed and report on its progress to the Board on a periodic basis. The Data Protection Officer of the company ensures that the organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

The application programmer reports to the Database Administrator and seeks his approval for any changes to the software code and to access the production data. The database administrator also migrates the program codes to the production environment.

The CISO had recommended that the development environment (where changes are originally made) and the production environment (what end users use) should be separated, to ensure phased deployment (rollout), testing, and rollback in case of problems. However, due to lack of funds the company declined his idea.

The Information Systems Auditor carried out an Information Security Audit of the CRM software and has identified that the software, as designed, may be missing several critical controls regarding how the system stores sensitive customer information. The audit report has been submitted to the CFO and to the CISO, who in turn presents the audit findings to the Board. The financial results of the entity are reviewed in detail and signed off by the business managers for correctness of the data contained therein.

Discussion points

1. What should be the correct Organizational Structure to meet governance objectives?

2. How should Segregation of Duties between incompatible functions be achieved?

3. Distinction between the roles of CTO, CISO, CFO and DPO.

4. Change Management Process and its importance.

Questions

1. What would be of GREATEST concern from an IT governance perspective?

A. The organization does not have a full-time CTO.

B. The organization does not have an IT steering committee.

C. The CFO plays a major role in monitoring IT initiatives.

D. The information systems Auditor reports to the CFO.

2. What would be of GREATEST concern from a segregation of duties perspective?

A. Application programmers are required to obtain approval only from the DBA for direct write access to data.

B. Application programmers are required to turn over the developed program code to the program librarian for migration to production.

C. The internal audit department reports to the CFO.

D. Business performance reviews are required to be signed off only by the business managers.

3. Which of the following would BEST address data integrity concerns from a mitigating control standpoint?


A. Application programmers are required to obtain approval from DBA for direct access to data.

B. Application programmers are required to hand over the developed program codes to the program librarian for transfer to production.

C. The internal audit department reports to the CFO.

D. Business performance results are required to be reviewed and signed off by the business managers.

4. The auditor has identified that the software may be missing several critical controls regarding how the system stores sensitive customer information. The IS auditor should FIRST:

A. Determine whether application programmers have proper training on adequate security measures.

B. Determine whether system administrators have disabled security controls for any reason.

C. Verify that security requirements have been properly specified in the project plan.

D. Validate whether security controls are based on requirements which are no longer valid.

5. The application programmer performs program modifications and migration to the production environment. Which of the following should the IS auditor recommend?

A. Automated logging of changes to development libraries

B. Additional staff to provide separation of duties

C. Procedures that verify that only approved program changes are implemented

D. Access controls to prevent the operator from making program modifications

Guidelines to Faculty

1. In all questions, the explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 3 Asset Classification & Criticality

Learning Objectives

Review the risk optimization processes and practices in place to assess whether these are appropriate to mitigate risks as per the risk management strategy.

Objective

This exercise is aimed at determining the correct information security classification level for an information asset for a business process.

An impact assessment matrix is used to assess the impact of the information asset being compromised, and to guide the determination of the information security classification.

Scenario

GRC Marketing Pvt. Ltd. is an email marketing company in India. It works with leading companies to send marketing emails to prospective customers on behalf of the client. The database of prospective customers is generated, owned and maintained by GRC Marketing Pvt. Ltd.

The various business process / departments in the company are as follows:

Email Marketing Department

Finance and Accounts Department

Information Technology Department

Human Resource Department

Compliance Department

You are nominated by the management to classify the assets as per their criticality so that it can help in the process of conducting a risk assessment.

Hardware and Software Requirements

Asset Classification Template

Microsoft Excel


Step-by-Step Activities to be performed

Step1: Asset Identification

You are required to identify 10 assets (2 from each department) that the company wants to safeguard, and to give each asset a value. Classify the assets under the categories defined below.

All information assets of the company (along with their owner), whether in digital or non-digital form, have to be identified and listed in the Excel template. All other resources such as people, processes and technology that are required to support the business processes also have to be identified. The following categories of assets have to be identified during this stage:

Information Assets: Databases and Data Files, Research Information, Log files, Audit trails etc.

Software Assets: Application Software, System Software, Development tools, and Utilities etc.

Physical / Infrastructure Assets: Servers, routers, switches, firewalls, VPN appliances, desktops, laptops and blackberry/ palmtop devices etc.

Document Assets: System Documentation, User Manuals, Training Material, Operational or Support Procedures etc.

Services Assets: Computing and Communications Services, Supporting Utilities such as HVAC, DG Sets, UPS, CCTV Cameras and Contracts and Agreements signed with Third Party Service Providers etc.

People Assets: all the personnel involved in handling organization assets – Permanent employees, IT Support Staff, contract personnel such as Housekeeping, Security Staff etc.

Step 2: Asset Classification

For each asset, its sensitivity has to be determined on the basis of the Impact in terms of

Service Loss

Financial Loss

Legal Implication

Loss of Trust

Considering the above impact criteria, an individual score from 1 to 5 is assigned to each asset for each of the three information security attributes (confidentiality, integrity and availability). The following table gives the basis for assigning the individual score:


Guidelines for assigning CIA values

Severity of impact across criticality levels (the same scale applies to each attribute):

1 Negligible: Breach could result in little or no loss or injury

2 Low: Breach could result in minor loss or injury

3 Medium: Breach could result in serious loss or injury, and the business process could be negatively affected

4 High: Breach could result in very serious loss or injury, and the business process could fail

5 Very High: Breach could result in financial losses, or in exceptionally grave injury to individuals or the organization, and the business process will fail

Information security attribute and the impact considered:

Confidentiality: the extent of adverse effect on organizational operations, organizational assets, or individuals as a result of unauthorized disclosure of information

Integrity: the extent of adverse effect on organizational operations, organizational assets, or individuals as a result of modification or destruction of information

Availability: the extent of adverse effect on organizational operations, organizational assets, or individuals as a result of disruption of access to or use of information


Based on the individual scores assigned for loss of Confidentiality, Integrity and Availability, an average score is calculated for each asset.

Formula to calculate the average:

Average = (Confidentiality Value + Integrity Value + Availability Value) / 3

Depending on the average score of the asset, its criticality to the organization is determined as per the following table (each band runs from just above its lower bound up to and including its upper bound):

Asset Criticality Category

Criteria for Asset Rating: Asset Criticality

4 < Valuation Score <= 5: Very High

3 < Valuation Score <= 4: High

2 < Valuation Score <= 3: Medium

1 < Valuation Score <= 2: Low

Valuation Score = 1: Negligible

List out all the critical assets for which the risk assessment has to be performed for the next activity.


Case Study 4 BCP / DRP

Scenario

A small co-operative bank is updating its BCPs and DRPs for its head / corporate office and a network of 25 branch offices. The plan was developed five years ago; however, due to lack of resources, it has not been updated since. Although the plan has been implemented by the bank and is in force, it has not been tested in any of those years. The new MD of the bank has decided to update the BCP / DRP and also to test the plans for effectiveness.

The following describes the IT setup of the Bank.

Head Office Infrastructure

At the Head Office, there are approximately 1000 employees. All employees are on the corporate LAN network. The bank has a corporate data centre housed within the same premises which houses the core banking server along with more than 60 application, database and file servers.

Branch Office Infrastructure

Each branch office has between 25 and 30 employees, each with access to a desktop computer. Each branch office has its own email server and file server for local data storage. The main applications are accessed from the corporate data centre. The branch offices are located within a radius of 100 km.

Network and Connectivity

The users within the head office access the servers through the LAN and users at the branch offices connect via Leased Lines / MPLS or V-SAT Connectivity. The sales and travelling users access the corporate systems remotely over the Internet using virtual private network (VPN).

The bank has a firewall and proxy at the corporate data centre. Internet is through redundant Leased Lines. Internet access to the head office and branch users is through proxy server.

Data Backup Systems and Process

The Database Management team performs a daily backup of each server. The backup is stored on tape drives, labelled adequately and stored in Turtle Boxes duly locked for moving to offsite locations. The bank has entered into an agreement with a third party records and information management company that works with the bank to identify records for relocation to


their secure off-site records storage facilities, where they’ll be classified and tagged using the bank’s schema, tracked with RFID labels, and made available to the bank on demand.

Branch office data, being less critical, follows a different policy. Backup of the data is performed daily on tapes. The branches have entered into reciprocal agreements with nearby branches of the bank, and daily backup tapes are sent to the reciprocal branch for offsite storage.

Current BCP / DR Setup

Critical applications have a Recovery Time Objective (RTO) of between three and five days. This was decided by the previous MD based on his judgment. The MD also decided in consultation with the technology team, the priority in which the business applications and processes shall be recovered. A formal Business Impact Analysis was not carried out prior to development of the plan. In the current year the new MD has decided to carry out a BIA activity.

In the current scenario, the bank has entered into an agreement with a third-party hot site provider. As part of the agreement the vendor shall provide 25 compatible servers and a work area space equipped with desktop computers to accommodate 100 individuals. The bank also has an agreement with the same vendor to arrange for up to 2 servers and 10 desktop computers to be sent to any branch office in case of emergency.

Both contracts with the vendor are for a three-year period. The contract has to be renewed periodically; however, equipment upgrades occur only at renewal time. The hot site provider has multiple facilities throughout the country in case the primary facility is in use by another customer or rendered unavailable by the disaster.

The MD desires that any changes or enhancements to be made to the plans be as cost effective as possible.

Discussion Points

1. Concepts of MPLS and Turtle Box to be discussed.

2. Difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO). An RTO of 3 to 5 days for the critical applications of a financial institution may have an adverse impact on business and credibility.

3. Need for VSAT connectivity (advantages / disadvantages), VPN, Proxy servers, Firewall

4. Issues like testing, workability concerned with Reciprocal arrangements among branches. Particularly so, when some of the branches are on VSAT.


5. In view of small size of the bank, are the contracted facilities at Hot Site not over-estimated?

6. Some of the branches may not have a nearby branch wherein daily transportation of back-up might not be feasible.

7. Whether the required time-lines will be met by the hot-site service provider in case of disaster / disruption of services and facilities at its site. How this issue has been addressed in the contract.

Questions

1. On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?

A. Desktops at the hot site should be increased to 1000.

B. An additional 35 servers should be added to the hot site contract.

C. All backup media should be stored at the hot site to shorten the RTO.

D. Desktop and server equipment requirements should be reviewed quarterly.

2. On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?

A. Add each of the branches to the existing hot site contract.

B. Ensure branches have sufficient capacity to back each other up.

C. Relocate all branch mail and file/print servers to the data centre.

D. Add additional capacity to the hot site contract equal to the largest branch.

3. When developing a disaster recovery plan (DRP), the criteria for determining the acceptable downtime should be the:

A. Annualized loss expectancy (ALE).

B. Service delivery objective.

C. Quantity of orphan data.

D. Maximum tolerable outage.

4. The PRIMARY outcome of a business impact analysis (BIA) is:

A. A plan for resuming operations after a disaster.

B. A commitment of the organization to physical and logical security.


C. A framework for an effective disaster recovery plan (DRP).

D. An understanding of the cost of an interruption.

5. The GREATEST concern to an IS auditor who is reviewing the bank’s disaster recovery plan (DRP) is that the plan:

A. Is not stored offsite.

B. Was not updated within the last year.

C. Was not tested within the last year.

D. Does not identify individuals responsible for different activities of the plan.

6. The bank’s disaster recovery plan (DRP) should address early recovery of:

A. All information systems processes.

B. All financial processing applications.

C. Only those applications designated by the IS manager.

D. Processing in priority order, as defined by business management.

Guidelines to Faculty

1. In all questions, the explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019; ISO22301 may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 4 Risk Assessment and Treatment

Learning Objectives

Review the risk optimization processes and practices in place to assess whether these are appropriate to mitigate risks as per the risk management strategy.

Objective

This exercise is aimed at illustrating risk assessment methodologies and tools and how these relate to the requirements of an organization's Information Security Management System.

It gives the candidate a chance to consider options for evaluating risks and to recognise a realistic assessment when one is shown to them during an audit. Auditing the risk assessment demonstrates whether the organisation has performed the risk assessment in accordance with its stated process, and allows the auditor to determine whether or not the risk assessment is repeatable and logical.

To prepare the candidate for conducting risk assessment by identifying and classifying assets

To familiarize the candidate with the risk assessment process.

To familiarize the candidate with the risk management process.

To familiarize the candidate with controls to mitigate the risk.

Scenario

In continuation of the previous lab activity, you are nominated by management to conduct a risk assessment of the company. The objective of the assignment is to assess plausible information security risks to the company.

Hardware and Software Requirements

Risk Assessment Template

Microsoft Excel


Step-by-Step Activities to be performed

Step 1: Process and Asset Identification

From the output of the previous activity, list out all the critical assets for which the risk assessment has to be performed for this activity.

Step 2: Threat Identification & Valuation

A threat is the potential for a particular threat-source to successfully exploit a particular vulnerability. A threat-source does not present a risk when there is no vulnerability that can be exploited. In determining the value of a threat, we consider the threat-sources, the nature of the threat, the potential impact if the threat occurs and the level of existing controls.

A threat source is any circumstance or event with the potential to cause harm to an asset. Common threat sources are natural, human or environmental.

A list of threats has been identified based on the business activities, information processing environment and geo-political environment.

Threat Examples

Hacking

Virus

Unauthorized access

Earthquake

Flood

Loss of data

Note: Threat environment for business processes will differ from threats to assets and would be based on the assessment of all internal / external / market threats that could impact the particular business process.

Threat Examples (Business Processes)

Historical liabilities

People skills

Competitor Behaviour

Product failure / Recall

The Sample list of Threats and Threat Source is given in the Risk Assessment Template


Step 3: Vulnerability Identification & Valuation

A vulnerability is a weakness of an asset or group of assets that can be exploited by one or more threats. The analysis of the threats to an IT system must include an analysis of the vulnerabilities associated with the system environment. The value of the vulnerability is determined after considering the existing controls and the nature of the threat.

The goal of this step is to develop a list of vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources.

Vulnerability Examples

Inadequate access control

Anti-virus software is not installed

Backup is not taken

Roles and responsibilities are not defined

Lack of training and awareness

A sample list of threat-specific vulnerabilities is given in the Risk Assessment Template.

Step 4: Consequences Identification & Valuation

Calculate and describe the potential consequence should the threat exploit the vulnerability, ideally in business terms. The consequence level is evaluated against the following criteria:

Legal Consequences

Loss of Image or Reputation

Impact on Business Process

Financial Impact


Level of Consequences

Each row gives one combination of legal consequences, loss of image and reputation, impact on business process and financial impact that maps to the stated consequence value; more than one combination can map to the same level.

Negligible (1): no legal consequences; no loss of image and reputation; no impact on business process; no financial impact

Low (2): no legal consequences; no loss of image and reputation; little impact on business process; little financial impact

Low (2): little legal consequences; no loss of image and reputation; little impact on business process; no financial impact

Medium (3): medium legal consequences; no loss of image and reputation; medium impact but the business process can continue; no financial impact

Medium (3): no legal consequences; medium loss of image and reputation; medium impact but the business process can continue; medium financial impact but the business can continue

Medium (3): medium legal consequences; medium loss of image and reputation; medium impact but the business process can continue; medium financial impact but the business can continue

High (4): major legal consequences; major loss of image and reputation; major impact, the business process cannot function; major financial impact resulting in major losses

High (4): no legal consequences; no loss of image and reputation; major impact, the business process cannot function; major financial impact resulting in major losses

High (4): medium legal consequences; medium loss of image and reputation; major impact, the business process cannot function; major financial impact resulting in major losses

Very High (5): major legal consequences; major loss of image and reputation; major impact, the business process cannot function; major financial impact resulting in major losses


Step 5: Likelihood Determination

To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the associated threat environment, the following governing factors are considered:

Threat-source motivation and capability

Nature of the vulnerability

Existence and effectiveness of current controls

The likelihood that a potential vulnerability could be exploited by a given threat-source is described using the levels in the table below.

Assigning Likelihood Level

Very High (5): The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are absent or ineffective. Occurrence is frequent.

High (4): The threat-source is motivated and capable, and controls that impede successful exercise of the vulnerability or detect the impact are ineffective. Occurrence is regular.

Medium (3): The threat-source is motivated, but not sufficiently capable, or controls that may detect the exercise of the vulnerability are present. Occurrence is periodic.

Low (2): The threat-source is motivated, but not sufficiently capable, or controls that may impede successful exercise of the vulnerability are present. Occurrence is low.

Negligible (1): The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. Has not occurred till now and may not occur in future.


Step 6: Risk Assessment

The objective of risk assessment is to identify and assess the risks based on the consequences and the likelihood of their occurrence.

The purpose of this step is to assess the level of risk to the process / assets in the scope. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of

the magnitude of the impact, should a threat-source successfully exploit the vulnerability

the adequacy of planned or existing security controls for reducing or eliminating risk.

the likelihood of a given threat-source's attempting to exploit a given vulnerability

Risk is calculated as Risk = Consequence Value x Probability Value

The Management seeks to identify all high risk areas which can have a devastating impact on the business, with low or high probability of occurrence.

Step 7: Risk Ranking

Risk Ranking

Risk Level (Final Risk Score): Risk Description and Necessary Actions

Very High (more than 16, up to and including 25): These are very high risk areas and require mitigation. This indicates that there is a strong need for preventive measures. Such risks require immediate attention from management and the concerned process owner.

High (more than 12, up to and including 16): These are high risk areas and require mitigation. This indicates that there is a need for preventive measures. Such risks require attention from management and should be mitigated in a time-bound manner. These risks can be treated after addressing the very high risk areas.

Medium (more than 8, up to and including 12): These are medium risk areas. This indicates the requirement for strong detective controls with reasonably good preventive controls, as per business requirement. These risks can be treated after addressing the high risk areas.

Low (more than 4, up to and including 8): If an observation is described as low risk, it indicates a requirement for detective or corrective controls as per business requirements. These risks can be treated after addressing the medium risk areas.

Negligible (1 to 4): If an observation is described as negligible risk, it must be determined whether any treatment is required or whether the risk is acceptable to management and no further treatment is required.

The upper bound of each band is inclusive, so that the scores 16, 12, 8 and 4, which all occur in the heat map below, each fall into exactly one band.


Risk Level Ranking Heat Map (each cell = Consequence value x Probability value)

Consequences \ Probability    Negligible (1)   Low (2)   Medium (3)   High (4)   Very High (5)
Very High (5)                        5            10          15          20            25
High (4)                             4             8          12          16            20
Medium (3)                           3             6           9          12            15
Low (2)                              2             4           6           8            10
Negligible (1)                       1             2           3           4             5

Step 8: Risk Treatment

Unacceptable risks need to be treated with suitable controls in order to bring them down to an acceptable level. This involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. The concerned Process Owner will be responsible to ensure implementation of controls with the approval from the Management.

The risks can be treated with one of the following treatment options:

Mitigate – by applying suitable controls

Transfer – by transferring to other parties, e.g. insurance, suppliers

Avoid – by deciding not to go ahead with an activity likely to generate the risk

Accept – by knowingly and objectively accepting the risk

The Risk Treatment Plan will include the following:

Risk Management Decision

Suggested Controls to Mitigate the Risk

Likelihood of Occurrence after Treatment

Revised Risk Level

Management Decision on the Residual Risk
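The scoring rules of Lab Manual 3 (average of the CIA scores mapped to a criticality band) and of steps 6 to 8 above (Risk = Consequence x Likelihood, the five ranking bands, and the revised risk after treatment) are small enough to implement end to end. The following Python example is added here; it is not part of the ICAI manual or its Excel templates. The asset names, CIA scores, threat/vulnerability pairs, treatment choices and post-treatment likelihoods are constructed assumptions for the GRC Marketing scenario; the scales, formulas and band boundaries are the manual's own, with each band's upper bound taken as inclusive.

```python
"""Asset criticality (Lab Manual 3) and risk scoring, ranking and treatment (Lab Manual 4).

Added example for this course page; it is not part of the ICAI manual or its Excel
templates. The asset names, CIA scores, threat/vulnerability pairs, treatment choices
and post-treatment likelihoods below are constructed assumptions. The scales and
formulas are the manual's own.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Lab Manual 3: criticality = average of the C, I and A scores (each 1..5).
# Bands are read as "more than the lower bound, up to and including the upper bound".
CRITICALITY_BANDS = [(4, "Very High"), (3, "High"), (2, "Medium"), (1, "Low")]

# Lab Manual 4, step 7: bands for Risk = Consequence x Likelihood (1..25).
# The Very High row reads "more than 16, less than or equal to 25"; the same inclusive
# upper bound is applied to the other rows so that the heat-map values 16, 12, 8 and 4
# each fall into exactly one band.
RISK_BANDS = [(16, "Very High"), (12, "High"), (8, "Medium"), (4, "Low")]


def _band(value: float, bands: list[tuple[int, str]]) -> str:
    for lower, label in bands:
        if value > lower:
            return label
    return "Negligible"


def criticality(confidentiality: int, integrity: int, availability: int) -> tuple[float, str]:
    """Lab Manual 3, step 2: average CIA score and the criticality band it falls in."""
    scores = (confidentiality, integrity, availability)
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("CIA scores must be integers from 1 to 5")
    avg = sum(scores) / 3
    return avg, _band(avg, CRITICALITY_BANDS)


def risk_score(consequence: int, likelihood: int) -> int:
    """Lab Manual 4, step 6: Risk = Consequence Value x Probability Value."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood must be integers from 1 to 5")
    return consequence * likelihood


def risk_level(score: int) -> str:
    """Lab Manual 4, step 7: map a score of 1..25 to its risk level."""
    return _band(score, RISK_BANDS)


def heat_map() -> list[list[int]]:
    """The 5x5 heat map: rows are consequence 5..1 (top down), columns likelihood 1..5."""
    return [[c * p for p in range(1, 6)] for c in range(5, 0, -1)]


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    consequence: int
    likelihood: int
    treatment: str = "Accept"                 # Mitigate / Transfer / Avoid / Accept
    likelihood_after: Optional[int] = None    # expected likelihood once treated
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self) -> None:
        self.score = risk_score(self.consequence, self.likelihood)
        self.level = risk_level(self.score)

    def residual(self) -> tuple[int, str]:
        """Step 8: revised score and level after treatment (unchanged for Accept)."""
        after = self.likelihood if self.likelihood_after is None else self.likelihood_after
        s = risk_score(self.consequence, after)
        return s, risk_level(s)


def rank(register: list[RiskItem]) -> list[RiskItem]:
    """Highest inherent risk first: the order in which the manual says risks are treated."""
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed sample data for the GRC Marketing scenario (assumptions, not from the manual).
ASSETS = {
    "Prospect database": (5, 4, 3),
    "Email campaign server": (3, 3, 5),
    "HR policy manual": (1, 2, 1),
}

REGISTER = [
    RiskItem("Prospect database", "Unauthorized access", "Inadequate access control", 5, 4, "Mitigate", 2),
    RiskItem("Email campaign server", "Virus", "Anti-virus software is not installed", 4, 3, "Mitigate", 1),
    RiskItem("Prospect database", "Flood", "Backup is not taken", 5, 1, "Transfer", 1),
    RiskItem("HR policy manual", "Loss of data", "Backup is not taken", 1, 2),
]

if __name__ == "__main__":
    for name, cia in ASSETS.items():
        avg, label = criticality(*cia)
        print(f"{name:22} CIA={cia} average={avg:.2f} criticality={label}")
    for r in rank(REGISTER):
        rs, rl = r.residual()
        print(f"{r.asset:22} {r.threat:20} risk={r.score:2} ({r.level:9}) "
              f"{r.treatment:8} -> residual={rs:2} ({rl})")
```

Running the script prints the criticality of each sample asset and the risk register in treatment order, with the residual score after the chosen treatment. The prospect-database access risk scores 5 x 4 = 20 (Very High) and drops to 5 x 2 = 10 (Medium) once access control is mitigated, which is exactly the "Likelihood of Occurrence after Treatment" and "Revised Risk Level" columns of the treatment plan.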


MODULE 3


Case Study 5 SDLC

Scenario

EasyCash Pvt Ltd is a virtual pre-paid cards company operating in India. It has its corporate and registered office in Mumbai. There are various franchisees and distributors of EasyCash for distribution of the prepaid cards. The cards issued by the company are of two types: a virtual card to be used on the Internet, and a mobile-based card to be used on mobile phones as a mobile wallet. The company has its own IT systems but has outsourced the data centre to a company located in Hyderabad called Netizens India Pvt Ltd. The DR site of the company is located in Chennai.

EasyCash has about 15 in-house programmers, system administrators, database administrators, network administrators and a security manager. It also outsources key code development for new systems that are being planned. The HR department looks after recruitment, termination and other HR-related matters. The legal department has about three people who look after agreements and initiate changes to the financial terms of agreements through the back-end system; all changes to the data are made by the IT department. The IT department also has an operations team that looks after IT operations such as monitoring of servers and networking devices, firewall administration, network monitoring, security monitoring, database monitoring and tuning, transaction log monitoring and resolution of customer / merchant / franchisee queries. Since the company's business is expanding fast, it has set up a separate call centre, which is outsourced.

The IT department recently developed an MIS system in-house, which has gone live. However, users are facing many functionality and other issues with the system and are therefore suggesting changes to the software. This was also happening while the system was under development. Management feels that the method used by the IT department for developing the system was not proper: users should have been involved more in the system development. Management also feels that testing of the software was not carried out properly.

Later, a system audit was initiated by the company. Some important observations of the system auditors are given below:

1. The system accepts any amount; even zero or negative amounts are accepted by the system

2. All the users can view all the columns of important database tables such as customer master, customer’s ledgers etc.

3. The DBA carries out direct updates of database tables by accessing the database directly

4. Developers have followed agile development methodology


5. Patches for operating system have not been installed

6. The same old hardware is being used for the system, which hampers its efficiency

Discussion points

1. Roles & responsibilities of programmers, system administrators, database administrators, network administrators and the security manager should be discussed.

2. Various types of Application Controls – Source data generation, Input, Processing, Output etc

3. Various types of Information Systems viz Operator Information System, MIS, DSS etc

4. Various types of operations carried out by IT Dept – e.g. monitoring of centralised IT equipment, configuration management, user creation etc

5. Importance of users’ involvement in various stages of SDLC

Questions

Based on the above case study, answer the following questions.

1. The management wants to know from the auditor about this recently developed project. The IS auditor should evaluate which of the following?

A. Business case document

B. Requirements gathered so far

C. Feasibility study document

D. Design and development document

2. Management feels that a high level of user interaction and participation is required for system development. Which of the following methodologies would satisfy this requirement?

A. Prototyping model

B. Waterfall model

C. V-model

D. Object oriented model

3. The system auditor has stated that users are able to view all the columns of some important tables, to which the IT department replies that only authorised users can modify the data in the important master tables. Which of the following risks should the system auditor point out?


A. Confidentiality

B. Integrity

C. Availability

D. Hacking

4. Which of the following is the GREATEST risk posed by direct back-end correction of data in the database by the DBA?

A. Misappropriation by DBA cannot be ruled out

B. Incorrect updating of data by the DBA

C. There is no risk, this is a standard practice

D. Users will not know about the changes done by DBA

5. Which of the following will help IT Dept in identifying issues due to lack of applying operating system patches?

A. A simulated test server for testing patches

B. Install the patches since security is most important

C. Do not install patches for smooth functioning of business application software

D. Modify the business application software

Guidelines to Faculty

1. In all questions, the explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 5 Input Validation

Learning Objective

Students shall learn about various input validations, which are a part of application controls. Input validations ensure that errors are prevented or detected and that users are forewarned about the errors.

Scenario

A company wishes to analyse the bills submitted by various employees for reimbursement. The newly joined DISA-qualified CA from the Accounts & Finance Dept has been asked to develop a system in Excel to enter the mobile bills submitted by the employees. The company also wants to analyse the amount of bills age-wise. The CA identified the required data items (fields/columns) and designed the Excel sheet accordingly. However, when the data was entered by the accounts dept clerks on a test basis, it was observed that erroneous data was being entered in various columns of the sheet. Therefore, the CA decided to redesign the Excel sheet by providing certain input controls, so that errors would be minimised.

Certain columns of the Excel table designed for the above purpose are shown below:

Column A: Claim No
Column B: Date of bill
Column C: Date of receipt of claim
Column D: Date of approval
Column E: Employee ID
Column F: Check Digit
Column G: Dept ID
Column H: Dept Name
Column I: Mobile No
Column J: Mobile Bill No
Column K: Mob bill issued by (mobile company ID)
Column L: Mobile bill no + Mob bill issued by company (Concatenate)
Column M: Bill amount
Column N: Bill period Ending on
Column O: Date of payment
Column P: Mode of payment (C/N)

The following input validation checks were to be designed. You may help the CA design these validation checks in Excel, as given below.

Hardware and Software Requirements: Student’s laptop, Microsoft Excel

Step-by-Step Activities to be performed

1. Sequence Check – Claim number entered by a user should be in sequence only.

2. Duplicate Check – Details of Bill No. and mobile company ID entered by a user should not be duplicated in subsequent rows.

3. Completeness, Length Check and Numeric Check - The Employee ID column entered by a user should always contain data rather than 0s or blanks. Here Employee ID is identified as a key field; if the field is left blank, the record will be rejected.

4. Check Digit - The Employee ID entered by the user should be appended with a check digit calculated by modulus 11 or any other prime number.

5. Existence Check - Under mode of payment, the user should be able to enter only C or N (i.e., Cheque or NEFT).

6. Range Check - Date of approval should not be prior to date of receipt of claim. Date of receipt of claim should not be prior to date of bill. Bill period should not be later than date of bill.

The following logic applies to dates: “Date of bill” should be <= “Date of receipt of claim”, which should be <= “Date of approval”. “Bill period Ending on” should be <= “Date of Bill”.

7. Logical relationship Check - Birth date and age should match

8. Validation Check - Gender should be either ‘M’, ‘F’, ‘T’ – validity check

9. Table Lookup – Dept ID should be picked from the list of departments popped up from the master.

10. Limit Check - Amount – Should be > 0 and <= 10000 – Limit check

Note: 2 more input validation checks are not given in the above list: Reasonableness check and Key verification check. A reasonableness check requires that a history of transactions be built. A key verification check requires input by two separate operators.
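The checks above, as an added example that is not part of the lab manual: the same validations implemented in Python so they can be run over constructed rows. The department master, the mobile-company IDs, the five-digit Employee ID format and the sample rows are assumptions; checks 7 and 8 (birth date/age, gender) use columns the sheet does not carry and are left out.

```python
"""Input validation checks for the mobile-bill reimbursement sheet.
Added example (not from the ICAI lab manual). Column names follow the
manual's sheet; master data, ID format and sample rows are constructed."""
from datetime import date

DEPT_MASTER = {"D01": "Accounts", "D02": "Sales", "D03": "IT"}  # constructed master
MODES_OF_PAYMENT = {"C", "N"}      # existence check: Cheque or NEFT only
AMOUNT_MIN, AMOUNT_MAX = 0, 10000  # limit check: > 0 and <= 10000
EMP_ID_LENGTH = 5                  # length check (assumed ID format)


def mod11_check_digit(emp_id):
    """Modulus-11 check digit: weight the digits 2, 3, 4, ... from the right,
    take (11 - sum mod 11) mod 11; a result of 10 is written as 'X'."""
    weights = range(2, 2 + len(emp_id))
    total = sum(int(d) * w for d, w in zip(reversed(emp_id), weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def employee_id_errors(emp_id, check_digit):
    """Completeness, numeric, length and check-digit rules for the key field."""
    if not emp_id or set(emp_id) == {"0"}:
        return ["employee_id: completeness check failed (blank or zeros); record rejected"]
    errs = []
    if not emp_id.isdigit():
        errs.append("employee_id: numeric check failed")
    if len(emp_id) != EMP_ID_LENGTH:
        errs.append("employee_id: length check failed")
    if not errs and mod11_check_digit(emp_id) != check_digit:
        errs.append("check_digit: modulus-11 check digit mismatch")
    return errs


def validate_rows(rows):
    """Run all checks over the sheet in row order.
    Returns {claim_no: [error, ...]} containing only the failing rows."""
    errors, seen_bills, prev_claim = {}, set(), None
    for row in rows:
        errs = []
        claim = row["claim_no"]
        # 1. Sequence check: claim numbers must run consecutively
        if prev_claim is not None and claim != prev_claim + 1:
            errs.append(f"claim_no: sequence check failed (expected {prev_claim + 1})")
        prev_claim = claim
        # 2. Duplicate check on bill no + company ID (column L of the sheet)
        key = f"{row['bill_no']}{row['company_id']}"
        if key in seen_bills:
            errs.append(f"bill_no+company_id: duplicate of an earlier row ({key})")
        seen_bills.add(key)
        # 3./4. Completeness, length, numeric and check digit on Employee ID
        errs += employee_id_errors(row["employee_id"], row["check_digit"])
        # 5. Existence check on mode of payment
        if row["mode"] not in MODES_OF_PAYMENT:
            errs.append("mode: existence check failed (only C or N allowed)")
        # 6. Range check: bill <= receipt <= approval; period end <= bill
        if not (row["date_of_bill"] <= row["date_of_receipt"] <= row["date_of_approval"]):
            errs.append("dates: bill <= receipt <= approval not satisfied")
        if row["bill_period_end"] > row["date_of_bill"]:
            errs.append("bill_period_end: later than date of bill")
        # 9. Table lookup against the department master
        if row["dept_id"] not in DEPT_MASTER:
            errs.append("dept_id: not found in department master")
        elif DEPT_MASTER[row["dept_id"]] != row["dept_name"]:
            errs.append("dept_name: does not match master for dept_id")
        # 10. Limit check on the bill amount
        if not (AMOUNT_MIN < row["amount"] <= AMOUNT_MAX):
            errs.append("amount: limit check failed (must be > 0 and <= 10000)")
        if errs:
            errors[claim] = errs
    return errors


def make_row(claim_no, employee_id, check_digit, bill_no, company_id, amount,
             mode="N", dept_id="D01", dept_name="Accounts",
             bill=date(2020, 4, 2), receipt=date(2020, 4, 5),
             approval=date(2020, 4, 10), period_end=date(2020, 3, 31)):
    """Build one sheet row (constructed data) with valid defaults."""
    return {"claim_no": claim_no, "employee_id": employee_id,
            "check_digit": check_digit, "bill_no": bill_no,
            "company_id": company_id, "amount": amount, "mode": mode,
            "dept_id": dept_id, "dept_name": dept_name, "date_of_bill": bill,
            "date_of_receipt": receipt, "date_of_approval": approval,
            "bill_period_end": period_end}


# Constructed test rows: one clean, three with deliberate errors
SAMPLE_ROWS = [
    make_row(101, "10234", "2", "B-7781", "AIRTEL", 850.0),   # clean
    make_row(102, "30512", "X", "B-7790", "JIO", 1200.0,      # receipt before bill
             bill=date(2020, 4, 8), receipt=date(2020, 4, 5)),
    make_row(103, "10234", "7", "B-7781", "AIRTEL", 850.0),   # duplicate, bad check digit
    make_row(105, "00000", "0", "B-7802", "VI", 12000.0,      # sequence gap, blank ID,
             mode="Q", dept_id="D09", dept_name="Admin"),     # bad mode, dept, amount
]

if __name__ == "__main__":
    for claim_no, errs in validate_rows(SAMPLE_ROWS).items():
        print(claim_no, errs)
```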

Case Study 6 Testing

Scenario: Newline Software Systems Pvt Ltd is a software development company based in Pune, India, which undertakes software projects in India and abroad. The company has many developers and other staff such as quality assurance staff, testers, functional experts, DBAs etc.

Newline has many developers and undertakes development in various platforms. The company was very small about 5 years ago but has rapidly grown since and now employs about 400 people.

A new CIO joined the company. After about 6 months in the company, the CIO got a grip on the company’s software division. The CIO held discussions and called for meetings with various teams, users, departmental heads, testers, developers etc.

The CIO has made the following observations and put them forth in several meetings:

1. We are undertaking feasibility studies before going ahead with the purchase of the software or development of a software. However, we are doing only technical studies. We have to carry out all types of feasibility studies.

2. Recently we have purchased a software based on Internet information. Have we taken management approval for such a procedure?

3. We carry out UAT which is good. But what about other testing? E.g. have we carried out a stress testing for our recent web site project for a university? University users have complained about a very slow response for the web site.

4. Some of the old systems were being reworked to take advantage of new technology. These systems were successfully implemented and were operational and useful. In doing so, the old system’s design and some of the developed code was reused and reengineered. This has been done nicely and I want to congratulate the team for it.

5. How do we decide the cost of developing a software? Our accounts department has no clue about it and when I enquired, I was told that the developers count the number of lines of source code and arrive at the size of the software and the number of days it would take. This is a very old method and may not work correctly for modern development methodology. We have to use the latest methods of software size estimation and then arrive at its cost.

6. I have also found that we are not using project management practices. We manage projects haphazardly. We have to follow project management techniques such as PERT/CPM.

7. Our project on medical diagnosis, which is based on artificial intelligence and which we are developing on a pilot basis for a super speciality hospital, has been halted. I was informed that some expert doctors working on this project have left this hospital and joined another hospital. This new hospital is now launching the same product which we thought of.

8. In one of the banking projects, there was a conflict between company’s developers and bank’s user management. The bank management insisted on exact mapping of the software modules with the current manual processing done in the bank, which involves heavy customisation of the software. The bank has appointed an IS auditor to review the development done by the company so far.

9. Developers are using their own laptops and also take them home, which poses security threats. Can we eliminate this?

Discussion points

1. What other areas should be included in a Feasibility Study? Can the company accept or reject, in part or in full, the feasibility study done by an expert? Who will approve the Feasibility Study?

2. What are the different types of testing which need to be carried out apart from UAT?

3. How is the cost of the software decided? Who will decide it? As mentioned in the case, if the Accounts dept is to decide the cost of software, what inputs/training will the accounts dept require? Which costing model/methods will be used for arriving at the cost of software development?

4. What are important considerations for developing and protecting AI based systems?

5. What is meant by customisation of software? Why is it needed? Can customisation be done on purchased software?

6. If developers have to work from home, should the company provide them laptops, or can the company have a BYOD policy? If so, what precautions should the company/developers take?

Questions: Based on the above case study, please answer the following questions.

1. Which of the following types of testing is done by putting a limit on the hard disk space or memory space available?

A. Stress Testing

B. Functional Testing

C. Structural Testing

D. Performance Testing

2. The technique of reworking old systems into new systems is known as:

A. reengineering.

B. reverse engineering.

C. prototyping.

D. software reuse.

3. Which of the following shall be checked to ensure availability of technical and skilled human resources required for developing/acquiring and implementing the required solution?

A. Resources Feasibility

B. Technical Feasibility

C. Economic Feasibility

D. Operational Feasibility

4. In a software development project, if the project is going to overrun, which of the following should be critically examined? Activities:

A. that have zero slack time.

B. whose sum of activity time is the shortest.

C. that give the longest possible completion time.

D. whose sum of slack time is the shortest.

5. Which of the following methods is MOST useful when the project manager is faced with the challenge of delivering on time and with acceptable quality?

A. Assign expert resources to complete critical path activities of the project

B. Use GANTT chart to allocate 100% of time of expert resources for 90% of work

C. Use GANTT chart to define milestones and make experts responsible for milestones

D. Identify some activities with slack times and allocate them to expert resources to reduce slack time.

Guidelines to Faculty

1. In all questions, explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.

Lab Manual 6 RACI Matrix & Threat Modelling

Learning Objective

Learn the RACI matrix for various roles in the requirement analysis phase of the SDLC.

Identify the security objectives of the software, threats to the software, and vulnerabilities in the software being developed.

Scenario: The RACI Matrix is the name given to a table used to describe the type and degree of involvement that stakeholders have in completing tasks or deliverables for a project or business process. Also sometimes called the Responsibility Assignment Matrix or Linear Responsibility Chart, it is a common tool used by business analysts and project managers for establishing roles and responsibilities early on in a project. In this way it reduces project risk and sets expectations about the level of involvement that is expected of the various stakeholders.

Hardware/Software Requirements: Windows OS 7, 8 or 10; MS-Office (Word and Excel)

Suggested Time is 1 Hour 30 Minutes

This is a group activity.

Step-by-Step Activities to be performed

1. Activity 1: Assigning the Responsible, Accountable, Consulted or Informed definitions to different roles for the requirement analysis phase.

Steps for development of RACI matrix:

Identification of all the tasks involved in delivering the project.

Identification of all the project roles

Identification of who has responsibility and accountability, and who will be consulted and informed, for each task.

Ensure every task has a role responsible and a role accountable for it.

No task should have more than one role accountable. Resolve any conflicts where there is more than one accountable role for a particular task.

Share, discuss and agree the RACI Matrix with your stakeholders before your project starts.

RACI Definitions

R – Responsible: person or role responsible for doing or completing the item
A – Accountable: person or role accountable for ensuring that the item is completed
C – Consulted: person or role whose subject matter expertise is required in order to complete the item
I – Informed: person or role that must be kept informed of the status of item completion

Activities and Roles are given in the table for Requirement Analysis phase of SDLC. You need to identify and map the RACI role definitions for various activities and roles.

Roles and Definitions

Project Manager: Project managers have the responsibility for the planning, procurement and execution of a project, in any undertaking that has a defined scope, a defined start and a defined finish, regardless of industry.

Application Developer: An Application Developer is responsible for developing and modifying source code for software applications.

Business Analyst: A business analyst analyzes an organization or business domain and documents its business, processes or systems, assessing the business model or its integration with technology.

Solution Architect: A solution architect is responsible for the design of one or more applications or services within an organization, and is typically part of a solution development team. A solution architect is the person in charge of leading the practice and introducing the overall technical vision for a particular solution.

Enterprise Architect: An enterprise architect is someone who is responsible for making sure that a company's business strategy uses proper technology systems architecture to achieve its goals.

Technology Architect: Technology architects are responsible for designing the high-level structure of new technology solutions, including the emerging technologies that development teams may use. This also includes planning the resources needed to implement the new solution and identifying potential roadblocks.

Technology Support: Technical Support provides assistance and maintenance to all computer systems and hardware. Their work may include installing, configuring, and updating hardware and software, as well as fixing any issue related to the equipment that may come up on a daily basis.

Program/Project Sponsor: The Program/Project Sponsor is an executive with overall accountability for the project. A Program/Project Sponsor acts as the link between the project, the business community, and strategic-level decision-making groups.

Account Manager: The account manager's role is to ensure that client needs are understood and satisfied. They build and manage client relationships, collect information, and ensure that company offerings meet the individual needs of clients.

Work Product Reviewer: The Work Product Reviewer prepares the test scenarios, executes tests on product usability, and analyzes test results for database impacts, errors or bugs, and usability. They also participate in design reviews and provide input on requirements, product design, and potential problems.

Key User: A key user is a representative of a number of the organisation's own business processes and has a leading role within a system implementation. They represent, during (and after) the project, some of the processes in which they are involved.

Steering Committee: The Steering Committee’s role is to provide advice, ensure delivery of the project outputs and the achievement of project outcomes.

Requirements Analysis Phase – RACI Matrix (to be filled in)

Roles (one column each): Project Manager; Application Developer; Business Analyst; Solution Architect; Enterprise Architect; Technology Architect; Technology Support; Program/Project Sponsor; Account Manager/Service Manager; Work Product Reviewer; Key User; Steering Committee

Sr. No. | Activity
1 | Confirmation of Requirement Definition from Subject Matter Expert
2 | Development of Process model
3 | Development of Use Cases
4 | Identification of Technology Platform
5 | Evaluation of Technology Vendor
6 | Definition of Reliability, Availability, SLA Requirements
7 | Definition of performance needs
8 | Identification of Security, legal, Regulatory and Compliance Requirements
9 | Mapping Existing Solution to Requirements
10 | Identification of Functional Gaps
11 | Identification of phases for implementation
12 | Conducting Requirements Review

2. Activity 2: Model the Secure SDLC process.

Threat modelling is a systematic, iterative, and structured security technique that should be applied during the design phase of software development. It should be performed to identify the security objectives of the software, threats to the software, and vulnerabilities in the software being developed. It gives the software development team an attacker’s or hostile user’s viewpoint, as the threat modelling exercise aims at identifying the entry and exit points that an attacker could exploit. It also helps the team make design and engineering trade-off decisions by providing insight into the areas where attention is to be prioritised and focused from a security viewpoint.

The primary benefit of threat modelling during the design phase of the project is that design flaws can be addressed before a single line of code is written, thereby reducing the need to redesign and fix security issues in code at a later time.

Before we start the process of threat modelling, we must first determine the security objectives that need to be met by the software itself. This is sometimes referred to as the “Security Vision” for the software in threat modelling terminology. These include the requirements that impact the core security concepts such as confidentiality, integrity, availability, authentication, authorization, and accountability.

Threat Modelling Process

1. Diagram Application Architecture

2. Identify Threats

3. Identify Priorities and Implement Controls

4. Document and Validate

Classify the following items into the four groups of the “Threat Modelling Process”:

Technologies (physical/Logical); Categorized Threat list (STRIDE/OWASP Top 10/CWE Top 25); Error handling; Authorization; Data Elements; Verification and Validation report; Dependencies; Entry and exit points; Mis-actors; Input Validation; Residual Risk; Services, Ports and Protocols; Attack trees; Identities and Authentication; Replication; Multi-factor authentication; Access control lists; Logging; Parameterized Queries; Documented Threat Profile; Encryption; Hashing; Auditing controls; Trust boundaries; Actors; Data flows

Groups:

1. Diagram Application Architecture

2. Identify Threats

3. Identify, Prioritize and Implement controls

4. Document and Validate

MODULE 4

Case Study 7 Healthcare System Implementation

Scenario: Star Hospital, located in Kolkata, is one of the largest hospitals and has seven clinics with Out Patient Department and pathological facilities. The Hospital has invested in upgrading its facilities and has recently been rated as one of the best Super Specialty Hospitals in the country. The Hospital has seen steady growth over the past 3 years. The existing IT infrastructure, including application software, was inadequate to support such volume, and management recently implemented a client-server based Healthcare Information System (HIS) called Superb-10000. Superb-10000 is an enterprise resource planning software developed on tier-2 technology. HIS is package software and has been implemented by ABC Consultants in all 7 clinics of the Hospital as well.

Each clinic has a high-end PC serving as server, which synchronizes data with the main server located in the Hospital. Synchronization is scheduled twice a day, once at 12 am and again at 12 pm.

Post implementation, users observed that the functionalities related to Pathology were not working as per their requirements, and the users started using the old standalone Pathology system. As a result, a consolidated MIS report could not be generated. Senior management of the Hospital was facing problems with the timely consolidation of reports.

ABC Consultants confirmed that the problems would be addressed in their next version, which would be ready for release only next year, as they are migrating to 3-tier technology. ABC Consultants also informed that the company would not provide further support for the current 2-tier technology. However, they agreed to develop an Interface for the Pathology system for free.

The Interface will work as under:

— HIS will automatically generate text file with necessary data as required by the users at each clinic in a designated folder in the local server twice a day.

— Data once generated in Clinics will not be selected again by the Interface program.

— Identified Users having access to the folder will upload the text file through FTP to a designated folder in the Central server of the Hospital.

— No users would have access to this folder in the Hospital; HIS will run a scheduled process every 12 hours to upload the data to the central HIS.

— Text file once uploaded in the central HIS will be automatically deleted from the folder and will be saved in a backup folder.

Alternatively, they suggest that:

The users in the hospital will generate reports from various standalone applications, and this spreadsheet will be imported into the interface application located centrally to generate the consolidated MIS and CXO reports. The HIS will generate reports at each satellite HIS system in a marked folder, and users will email these to the central facility of the Hospital for consolidation of the various reports using Outlook mail. The system is scheduled to generate the Excel sheet automatically at midnight at each of these satellite locations in a separate folder for the entire day’s transactions, similar to batch processing, i.e. one file per day. A transaction once posted in the spreadsheet will not be considered again by the system, since it will be marked with the posted flag set to yes in the database to avoid duplicate postings.

Discussion Points:

1. What are the step-by-step processes to be followed while acquiring new application systems?

2. What are the basic control points/ security of interface software?

3. What are the different testing mechanisms before implementation of software?

4. What are the strengths and weaknesses of centralized and distributed systems?

5. What are the correct processes of generating MIS?

Questions: As an IS Auditor performing a post-implementation audit to validate the Healthcare Information System, please address the following:

1. Which of the following may be the greatest concern for an IS auditor while reviewing the proposed new interface for the Pathology system?

A. System generated text files are uploaded in the Central server by users.

B. HIS is a de-centralized system resulting in various interface problems.

C. The system is based on an outdated client-server technology.

D. Users do not have access to the folder from which data is uploaded in the central server.

2. Which of the following could have identified problems with Pathology system before implementation?

A. Documentation of Users’ Requirements.

B. A detailed SLA should have been signed with the ABC Consultants, so that support is provided.

C. Quality Assurance (QA) of the software should have been done before implementation.

D. User Acceptance Testing should have been conducted with detailed testing.

3. Which of the following is the best control in the new Interface over the others:

A. System uploads file in central server.

B. Users upload files through FTP.

C. Text files are deleted once they are uploaded in central server.

D. Text files are generated twice a day.

4. Which of the following is identified as the GREATEST risk by the IS Auditor, while reviewing the process of generating the consolidated report?

A. The system is a de-centralized system hosted at various locations.

B. The system is based on a tier-2 client-server technology.

C. The reports are generated by the system automatically and are emailed by the users manually.

D. The reports are generated by the users by running a batch program and are emailed by the system automatically.

5. Which of the following should be the first preference for an IS auditor, while reviewing the HIS system post implementation?

A. Evaluating the gap between the functionalities in the RFP (Request for Proposal) and the functionalities provided in HIS.

B. The additional functionalities, which were added after implementation of HIS.

C. The additional functionalities which are available in the new HIS but not used by the client.

D. The SLA (Service Level Agreement) between the ABC Consultants and Star Hospital.

Guidelines to Faculty

1. In all questions, explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.

Lab Manual 7 User Management and Security Policies

Learning Objective

To learn controls in the user management process

To learn configuration of local security policy such as the “Account Lockout Policy” and Password Policy

To learn configuration of the Access Control List

Scenario: A new user has joined the finance department of an organization. His user-id has to be registered and access permissions are required to be configured according to his roles and responsibilities. Further, as per the information security policy, controls are also to be implemented. For security events, audit logs are to be generated.

Hardware and Software requirement: A desktop/laptop with Windows OS – 7, 8 or 10 (Ultimate, Enterprise and Professional versions only)

Suggested time for each activity: 20 Minutes

Step-by-Step Activities to be performed

1. Activity – 1: User Management in Windows Environment

Creation of user

Configuring Group Policy

Viewing and understanding activity logs

Go to Start>Control Panel> Administrative tools > Computer Management>Local User and Groups>Users

Right-click on Users and select New User.

Create a user ISA and select the option ‘User must change password at next logon’.

Now, when we switch user and log on as the ISA user, the system will force us to change the password.

You may test the “Account is disabled” option to disable and then enable an account.

You should also try making the ISA user a member of the Administrators group.

Go to Start>Control Panel> Administrative tools > Computer Management>Local User and Groups>Groups > Administrators

Go to Start > Control Panel > Administrative tools > Computer Management > Event Viewer > Windows logs > Security

You may also try “Filter Current Log”.

2. Activity – 2: Configuring Local Security Policy

Password Policy and Account Lockout Policy

Audit Policy

User Rights Assignments

Go to Start > Control Panel > Administrative tools > Local Security Policy > Account Policy > Password Policy

Try to configure the Password Policy parameters and read the “Explain” tab of each setting.

Go to Start > Control Panel > Administrative tools > Local Security Policy > Account Policy > Account Lockout Policy

Try to configure the Account Lockout Policy parameters and read the “Explain” tab of each setting.

Go to Start > Control Panel > Administrative tools > Local Security Policy > Local Policy > Audit Policy

Try to configure the Audit Policy parameters and read the “Explain” tab of each setting.

Go to Start > Control Panel > Administrative tools > Local Security Policy > Local Policy > User Rights Assignments

Try to configure the User Rights Assignments.
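The Account Lockout Policy settings configured above, as an added example that is not part of the lab manual: a Python model of how Account lockout threshold, Reset account lockout counter after and Account lockout duration interact on a constructed sequence of logon attempts. The setting names are Windows'; the policy numbers and the attempts are constructed for the example, not Windows defaults.

```python
"""Account lockout policy modelled as a small per-account state machine.
Added example (not from the ICAI lab manual). Policy values and logon
attempts below are constructed; only the setting names come from Windows."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 5                        # Account lockout threshold (invalid attempts)
RESET_COUNTER_AFTER = timedelta(minutes=15)  # Reset account lockout counter after
LOCKOUT_DURATION = timedelta(minutes=30)     # Account lockout duration


@dataclass
class AccountState:
    bad_count: int = 0                       # invalid attempts in the current window
    last_bad: Optional[datetime] = None      # time of the latest invalid attempt
    locked_until: Optional[datetime] = None  # set while the account is locked out


class LockoutPolicy:
    """Applies the three lockout settings to a stream of logon attempts."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 reset_after=RESET_COUNTER_AFTER, duration=LOCKOUT_DURATION):
        self.threshold, self.reset_after, self.duration = threshold, reset_after, duration
        self.accounts = {}

    def attempt(self, when, user, password_ok):
        """Process one logon attempt; returns 'success', 'failure' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if when < st.locked_until:
                return "locked"      # rejected even with the right password
            st.locked_until, st.bad_count = None, 0   # lockout duration elapsed
        # Reset account lockout counter after: a quiet period clears the count
        if st.last_bad is not None and when - st.last_bad >= self.reset_after:
            st.bad_count = 0
        if password_ok:
            st.bad_count, st.last_bad = 0, None
            return "success"
        st.bad_count, st.last_bad = st.bad_count + 1, when
        if st.bad_count >= self.threshold:   # threshold reached: lock the account
            st.locked_until = when + self.duration
        return "failure"


def replay(attempts, policy=None):
    """Run (time, user, password_ok) tuples through a policy in order."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(when, user, ok) for when, user, ok in attempts]


T0 = datetime(2020, 8, 1, 10, 0)


def minutes_after(n, base=T0):
    """Timestamp n minutes after the constructed start time."""
    return base + timedelta(minutes=n)


# Constructed attempts: ten wrong passwords one minute apart, the correct
# password at minute 11, then the correct password again after the lockout expires
SAMPLE_ATTEMPTS = [(minutes_after(i), "branchmgr", False) for i in range(1, 11)]
SAMPLE_ATTEMPTS += [(minutes_after(11), "branchmgr", True),
                    (minutes_after(40), "branchmgr", True)]

if __name__ == "__main__":
    for (when, user, _), outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(when.strftime("%H:%M"), user, outcome)
```

With the threshold at 5, the fifth wrong password locks the account until 10:35, so the correct password at 10:11 is still rejected and only the attempt at 10:40 succeeds.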

3. Activity – 3: Managing Access Control List

Login as Administrator.

Create a folder “ISA” on the Desktop and create a document file “test” in the ISA folder.

See the properties of the ISA folder.

You may try the “Share” option.

You may add and delete users here and also assign different rights.

By selecting “Security” and then “Advanced”, you can reach the ACL (Access Control List).

Try to give read-only permission on the test document to a specific user.

After switching to the specific user, verify the access permission.

This activity helps us understand the access permissions assigned to various users according to their roles and responsibilities.

Below is the screenshot of the Access Control List.

4. Activity – 4: Configuring Advanced Audit Policy

Go to Start > Control Panel > Administrative tools > Local Security Policy > Advanced Audit Policy Configuration > System Audit Policies – Local Group Policy

You will get various options, for each of which you may configure the audit policy.

Click on any option; you will get the audit parameters for that option. Clicking on any parameter will enable you to configure the audit policy for it. In the following screen, we have selected the “Account Logon” option and the “Audit Credential Validation” parameter.

Case Study 8 Help Desk Function / Password Management

Scenario: Safe Bank has more than 1000 branches across the country. They have implemented a Core Banking Solution (CBS), which is maintained by a system integrator along with the Bank’s own staff. A Tier-III Data Centre was established in a metro town, with its Disaster Recovery centre in another metro about 1500 km apart. They use their own internal network, with mostly leased lines, MPLS (Multi Protocol Label Switching) and V-SAT in remote areas.

Operations management activities were mostly managed by the Bank’s own staff, who control user management as well. The Help Desk has recently been outsourced to the system integrator, which manages all IT issues of the branches and offices in close co-ordination with the regional-level support personnel from the Bank.

One day, a call was received by the Help Desk team at the Data Centre from a remote Rajasthan branch to reset the Branch Manager’s password. Though it was not the responsibility of the Help Desk, on repeated requests by the Branch Head the Help Desk employee arranged to reset the password through the Bank’s team.

On resetting the password on verbal request, the new password was communicated to the user and also confirmed over e-mail by the Bank’s team to the branch head of the Rajasthan branch. While on-line over the VoIP line, the Branch Head asked his colleague to verify the correctness of his newly set password, which was overheard by the Help Desk employee.

The Help Desk employee was in dire need of money to repay his debt. For the next ten minutes he frantically tried to log on to the system with the branch head’s ID and password, but failed. He got access at the 11th minute, searched the branch database and found a dormant account with a balance of Rs. 3,00,000. He immediately asked his friend to deposit Rs. 100 in cash into the said account. On receiving confirmation from his friend, he transferred Rs. 30,000 from the dormant account to his personal account. Afterwards he transferred Rs. 15,000/= from his account to his friend’s account at Muzaffarpur. The Help Desk employee immediately told his friend in Muzaffarpur to withdraw Rs. 10,000/= from his account. His friend withdrew Rs. 10,000/= from a remote ATM and, finding funds still available in the account, withdrew another Rs. 5,000/= using a nearby ATM at the Muzaffarpur Branch.

At the end of the day (during the EOD verification process), the Rajasthan branch informed the Data Centre of two outstanding transactions that had been made with the Branch Head’s ID but had not actually been done by the Branch Head. On further enquiry, it was found that the IP address of the terminal from which the transactions were made belonged to the Help Desk. Those transactions were re-verified and, on confirmation, the branch was instructed to reverse them and subsequently to close the branch so that the central EOD could take place at the Data Centre level.

Ultimately, with the help of CCTV logs, the actual culprit was identified; he lost his job and a fraud case was registered with the local Police Station.

Discussion points

1. What should be the mechanism of password creation and distribution to restrict its leakage?

2. Has the maker-checker system been violated in this case? If yes, how? If no, detail the process.

3. What should be the process for monitoring error messages?

4. What additional control measures may be taken so that such cases may be avoided in future?

5. What are the guidelines on outsourcing? How much can be done by whom (internal vs. external)?

Questions on the Case Study

1. What are the major control weaknesses in the organisation with respect to password management?

A. The password change mechanism provides access to the Help Desk.

B. Mandatory password change was not forced at first login.

C. Password complexity not maintained.

D. Password history not controlled.

2. Maker/checker is an important control, but it is not effective in the present situation, because:

A. Transaction happened in Dormant Account

B. More than one transaction happened at the ATM

C. The Branch Head is outside the purview of the four-eyes principle

D. A transaction done by the Branch Head went to the posting stage, after which further transactions were allowed.

3. To identify any access control violations, what is the best solution in the present environment?

A. MAC binding the terminal


B. Control on IP-range

C. Static IP address

D. Power-on password

4. Which is the best statement relating to outsourcing?

A. Help desk function should not be outsourced

B. No core function should be outsourced

C. Outsourced people should not be accommodated within Data Centre.

D. For each and every operation, the outsourced entity requires prior permission

5. What should be the best way of preventing such an error in the present situation?

A. The system should be locked after three/five unsuccessful attempts by the user

B. A higher level of authentication should have been asked for when the number of attempts exceeded a pre-defined level.

C. The CISO department should be issuing offline explanations for multiple failed login attempts

D. The Help Desk should not have access to the bank’s user log-in screen.
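As an added example (not part of the ICAI case study), the Python script below runs two of the checks raised by questions 3 and 5 over constructed login records: it flags a user who reaches a threshold of consecutive failed attempts before a successful login, and flags successful logins from a terminal outside the subnet assigned to that user’s branch. The log format, user IDs and subnets are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed login records (not real bank logs): "date time user terminal_ip event".
SAMPLE_LOG = """\
2020-07-11 10:01:05 BRH_RAJ01 10.45.0.21 LOGIN_OK
2020-07-11 10:30:10 BRH_RAJ01 10.20.5.17 LOGIN_FAIL
2020-07-11 10:31:12 BRH_RAJ01 10.20.5.17 LOGIN_FAIL
2020-07-11 10:32:20 BRH_RAJ01 10.20.5.17 LOGIN_FAIL
2020-07-11 10:33:40 BRH_RAJ01 10.20.5.17 LOGIN_FAIL
2020-07-11 10:34:55 BRH_RAJ01 10.20.5.17 LOGIN_FAIL
2020-07-11 10:41:02 BRH_RAJ01 10.20.5.17 LOGIN_OK
2020-07-11 10:42:00 CLERK_RAJ02 10.45.0.22 LOGIN_FAIL
2020-07-11 10:42:30 CLERK_RAJ02 10.45.0.22 LOGIN_OK
"""

# Assumed mapping: the subnet on which each user's branch terminals sit.
# 10.45.0.0/24 stands for the branch; 10.20.5.17 stands for a Data Centre terminal.
BRANCH_SUBNETS = {
    "BRH_RAJ01": ipaddress.ip_network("10.45.0.0/24"),
    "CLERK_RAJ02": ipaddress.ip_network("10.45.0.0/24"),
}


def parse_log(text):
    """Turn the whitespace-separated lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, event = line.split()
        events.append({"ts": f"{date} {time}", "user": user, "ip": ip, "event": event})
    return events


def lockout_candidates(events, threshold=3):
    """Count consecutive failures per user. When a run of >= threshold failures ends
    in LOGIN_OK, report {user: (failures, terminal_ip)}: with the lockout control of
    question 5 in place, that LOGIN_OK should never have been possible."""
    streak = defaultdict(int)
    alerts = {}
    for e in events:
        user = e["user"]
        if e["event"] == "LOGIN_FAIL":
            streak[user] += 1
        elif e["event"] == "LOGIN_OK":
            if streak[user] >= threshold:
                alerts[user] = (streak[user], e["ip"])
            streak[user] = 0
    return alerts


def out_of_range_logins(events, subnets):
    """Successful logins from a terminal outside the user's branch subnet, i.e. the
    IP-range control of question 3. Returns [(timestamp, user, ip), ...]."""
    hits = []
    for e in events:
        net = subnets.get(e["user"])
        if e["event"] != "LOGIN_OK" or net is None:
            continue
        if ipaddress.ip_address(e["ip"]) not in net:
            hits.append((e["ts"], e["user"], e["ip"]))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, (fails, ip) in lockout_candidates(events).items():
        print(f"{user}: {fails} failures then success from {ip}")
    for ts, user, ip in out_of_range_logins(events, BRANCH_SUBNETS):
        print(f"{ts} {user} logged in from {ip}, outside the branch range")
```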

Guidelines to Faculty

1. In all questions, an explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 8 SQL

Learning Objectives

1. What is a database (RDBMS) and what are database tables?

2. Concept of the unique key constraint for a database table; concept of referential integrity for two or more database tables.

3. Basic SQL queries such as Select and Update.

4. Concept of a database audit trail/log with the help of triggers.

Scenario

A books library wants to create a simple database of the books and types of books in its library. A programmer, who is also a DBA, has been given this responsibility. He designs a database having 2 tables, viz. “Books” and “Category”. Columns and other details of the tables “Books” and “Category” are given below. We have to understand the concepts of Primary key and Foreign key, how to select records from a database table, how to update a record in a database table and finally how to make an audit log.

Table “Books”

Column Name | Data type & width | Constraint
Bookid | Number(5) | Primary key
Catcode | Varchar(10) | Foreign key
Bookname | Varchar(25) | Not null
Authorname | Varchar(30) | Not null
Bookprice | Numeric(6,2) |
Pubyear | Numeric(4) |

Table “Category”

Column Name | Data type & width | Constraint
Catcode | Varchar(10) | Primary key
Category | Varchar(25) |

Hardware and Software requirement

A desktop/laptop with Windows OS 7, 8 or 10


SQLiteStudio (It can be downloaded from the following link)

https://github.com/pawelsalawa/sqlitestudio/releases/tag/3.2.1

Suggested time: 1 hour 30 minutes

Step-by-Step Activities to be performed

1. Activity 1: Install SQLiteStudio 3.2.1 from the EXE file.

From the link provided above, install SQLiteStudio 3.2.1.

Press the Windows key and type “SQLite”; you will get the SQLiteStudio entry as shown below. Double-click on SQLiteStudio.


You will get a screen as given below

2. Activity 2: Adding a Database to SQLite.

Click on menu “Database” and then “Add a database”. You will get the following screen


For this activity a database has already been provided under the name “DISA-30”. Click on the folder symbol and browse to the folder where you have copied the database file “DISA-30”, select “DISA-30” and click on “OK”. The database will be added to the SQLiteStudio screen.

Now, below your database you will see “Tables” and “Views”. You will find 2 tables, viz. “Category” and “Books”.

Table Books has 6 columns:

(i) Bookid – Integer, as Primary Key

(ii) Catcode – Varchar(10)

(iii) Bookname – Varchar(25)

(iv) Authorname – Varchar(30)

(v) Bookprice – Numeric(6,2), i.e. 2 decimal places

(vi) Pubyear – Numeric(4)

Table Category has 2 columns:

(i) Catcode – Varchar(10), as Primary Key

(ii) Category – Varchar(25), as shown below


3. Activity 3: Understanding the Unique key constraint

Select the table “Category”. In this table the column Catcode is defined as the Primary key (key symbol in the Primary Key column).


Select the tab “Data”. You will find that this table contains 7 records. Add a new record by clicking on the “+” tab. Type “Law” in the Catcode column and “Law Books” in the Category column. Since this record is already present, you will not be able to add it again, due to the Primary Key constraint defined on the table. You will get an error as shown below.

Remove the record by clicking on the “-” tab and refresh the table by clicking on


4. Activity 4: Understanding the Foreign key constraint (Referential Integrity)

Select the table “Books” and add the following data (by clicking on “+”):

Bookid: 31 | Catcode: Audit | Bookname: Information Systems Control and Audit | Authorname: Ron Weber | Bookprice: 550 | Pubyear: 2011

You will not be able to add the record and will get an error as shown in the above diagram. This is because we are trying to add a book with Catcode “Audit”, but this category is not present in the Category table: in the Books table definition, the Catcode column is defined as a “Foreign key”, which references the “Primary key” of the Category table, as given below.


Notice that in the “Books” table “Catcode” is defined as a “Foreign key”.

Now, add the same record, this time leaving the Catcode column as “Null”:

Bookid: 31 | Catcode: Null | Bookname: Information Systems Control and Audit | Authorname: Ron Weber | Bookprice: 550 | Pubyear: 2011

You will find that now you are able to add the above record to the “Books” table. This is because, by the definition of Referential Integrity, “the foreign key column should be either a valid value or Null”.

5. Activity 5: Understanding the “Select Query”

Select the table “Books”. Select the menu option “Tools” and then “Open SQL editor”.


Run the following different types of queries and analyse the results.

Objective | Query Format
Select all rows (* means all columns) | select * from books
Select only the columns Catcode and Bookname | select catcode, bookname from books
Number of records and sum of bookprice by Category | select catcode, count(*), sum(bookprice) from books group by catcode
Sorting of records: all records ordered by catcode, then bookname | select * from books order by catcode, bookname
Doing calculations in a Select query | select bookprice, bookprice*2/100 as CGST, bookprice*2/100 as SGST from books

Note: You can type all the commands given in this activity in upper or lower case. The case of the characters typed does not matter.

6. Activity 6: Generating activity logs through a trigger.

Create a new table “Audit” by right-clicking on Tables.

To run a query, click on this


Add columns to this newly created “Audit” table: ID – Integer, oldname – Text 25, newname – Text 25, oldprice – Double, newprice – Double, Datetime – datetime

Now, create a trigger on the table Books:

o Right-click on the “Books” table and create a trigger as given below.

o Give the trigger the name “audit”.

o Select “AFTER” in the column “When”.

o Select “Update OF” and click on the next small box. You will get “Triggering columns” as shown. In that, select “Bookprice”.

o Thus, we are defining a trigger “audit” to run “After” “Update Of” “Bookprice”.

o Now type the command given below in the column “Code”.

In Code, type the following query:

o INSERT INTO Audit (ID, oldname, newname, oldprice, newprice, DATETIME) VALUES (old.Bookid, old.bookname, new.bookname, old.bookprice, new.bookprice, datetime('now'));


Explanation – The command given in the “Code” section inserts a record into the table “Audit”, filling in the columns mentioned.

Now, give the command:

update books set bookprice = 1000 where bookid = 1

By giving this command we are updating the record with “bookid = 1”. You will notice that the system reports that 2 rows were affected, i.e. one row was added to the Audit table in addition to the updated row. This creates a new record in the “Audit” table, for example:

2 | Management Accounting | Management Accounting | 1000 | 5000 | 2020-07-11 13:10:11

Note that the time recorded is not the current time of your machine, but the time set in SQLiteStudio. If you want your machine’s time, change the command in the Code section to datetime('now','localtime') instead of just datetime('now').
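The whole lab in one place, as an added example that is not part of the manual: Python’s built-in sqlite3 module builds the same Books, Category and Audit tables with constructed sample rows, reproduces the primary key error of Activity 3, the foreign key error and the Null exception of Activity 4, the grouped query of Activity 5 and the Bookprice trigger of Activity 6. The sample rows are assumptions and the DISA-30 file itself is not reproduced.

```python
import sqlite3

# Schema following the lab's table definitions; the rows further down are constructed.
SCHEMA = """
CREATE TABLE Category (
    Catcode  VARCHAR(10) PRIMARY KEY,
    Category VARCHAR(25)
);
CREATE TABLE Books (
    Bookid     INTEGER PRIMARY KEY,
    Catcode    VARCHAR(10) REFERENCES Category(Catcode),
    Bookname   VARCHAR(25) NOT NULL,
    Authorname VARCHAR(30) NOT NULL,
    Bookprice  NUMERIC(6,2),
    Pubyear    NUMERIC(4)
);
CREATE TABLE Audit (
    ID INTEGER, oldname TEXT, newname TEXT,
    oldprice DOUBLE, newprice DOUBLE, Datetime DATETIME
);
-- Same trigger as Activity 6: fires only when Bookprice is updated.
-- datetime('now') is UTC; adding 'localtime' records the machine's clock instead.
CREATE TRIGGER audit AFTER UPDATE OF Bookprice ON Books
BEGIN
    INSERT INTO Audit (ID, oldname, newname, oldprice, newprice, Datetime)
    VALUES (old.Bookid, old.Bookname, new.Bookname,
            old.Bookprice, new.Bookprice, datetime('now', 'localtime'));
END;
"""

# Constructed sample data standing in for the DISA-30 file.
CATEGORIES = [("Law", "Law Books"), ("Acc", "Accounting"), ("IT", "Information Technology")]
BOOKS = [
    (1, "Acc", "Management Accounting", "A. Author", 5000, 2019),
    (2, "IT", "Database Systems", "B. Author", 750.50, 2018),
    (3, "IT", "Network Security", "C. Author", 900, 2020),
]


def open_library():
    """In-memory copy of the lab database with the constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES unless this pragma is on; SQLiteStudio turns it on
    # for you, a plain sqlite3 connection does not.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Category VALUES (?, ?)", CATEGORIES)
    conn.executemany("INSERT INTO Books VALUES (?, ?, ?, ?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def try_insert(conn, sql, params):
    """Return None when the row goes in, otherwise the constraint error text."""
    try:
        with conn:
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def add_category(conn, catcode, name):
    """Activity 3: a second 'Law' row is rejected by the primary key."""
    return try_insert(conn, "INSERT INTO Category VALUES (?, ?)", (catcode, name))


def add_book(conn, bookid, catcode, name, author, price, year):
    """Activity 4: an unknown Catcode is rejected, a NULL Catcode is accepted."""
    return try_insert(conn, "INSERT INTO Books VALUES (?, ?, ?, ?, ?, ?)",
                      (bookid, catcode, name, author, price, year))


def totals_by_category(conn):
    """Activity 5: record count and price total per category."""
    return conn.execute(
        "SELECT Catcode, COUNT(*), SUM(Bookprice) FROM Books "
        "GROUP BY Catcode ORDER BY Catcode").fetchall()


def reprice(conn, bookid, price):
    """Activity 6: change a price and return what the trigger logged for that book."""
    with conn:
        conn.execute("UPDATE Books SET Bookprice = ? WHERE Bookid = ?", (price, bookid))
    return conn.execute(
        "SELECT ID, oldname, newname, oldprice, newprice FROM Audit WHERE ID = ?",
        (bookid,)).fetchall()


def rename(conn, bookid, name):
    """An update that does not touch Bookprice leaves no audit row; returns the row count."""
    with conn:
        conn.execute("UPDATE Books SET Bookname = ? WHERE Bookid = ?", (name, bookid))
    return conn.execute("SELECT COUNT(*) FROM Audit").fetchone()[0]


if __name__ == "__main__":
    db = open_library()
    print(add_category(db, "Law", "Law Books"))
    print(add_book(db, 31, "Audit", "Information Systems Control and Audit", "Ron Weber", 550, 2011))
    print(add_book(db, 31, None, "Information Systems Control and Audit", "Ron Weber", 550, 2011))
    print(totals_by_category(db))
    print(reprice(db, 1, 1000))
```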

Faculty Notes

This exercise is expected to be completed in 1.5 hours. However, depending upon batch size and students, it may take less or more time.


MODULE 5


Case Study 9 Information Security Management

Scenario

The IS auditor has recently been asked to perform an external and internal network security assessment for an organization that processes health insurance claims. The organization has a complex network infrastructure with multiple local area and wireless networks; a VPN connects the head office to the branch offices. Additionally, there is a web site that is accessed by doctors and hospitals through the Internet.

The web site has both public areas and sections containing medical claim information that require an ID and password to access. Another web site is also available, accessed through the Intranet, which allows employees to check the status of their personal medical claims and purchase prescription drugs at a discount using a credit card. The VPN carries unencrypted non-sensitive statistical data that is sent to regulatory agencies but does not include any customer-identifiable information.

The last review of network security was performed more than five years ago. At that time, numerous exposures were noted as follows:

1. Firewall rule management was not adequate

2. Patch management for application servers was not being performed.

3. Internet applications were found to be susceptible to SQL injection.

4. Anti-virus software was not installed within the organization.

5. The wireless access points had Dynamic Host Configuration Protocol (DHCP) enabled for assigning IP addresses to the connected devices.

Since the last review, the following measures have been implemented:

1. A new firewall has been installed.

2. Patch management is now controlled by a centralized mechanism for pushing patches out to all servers.

3. Internet applications have been upgraded to take advantage of newer technologies.

4. An intrusion detection system has been added, and reports produced by this system are monitored on a daily basis.

5. Dynamic Host Configuration Protocol (DHCP) also has been disabled at all wireless access points.


Management is also contemplating implementation of an Anti Virus Solution but is not sure which type of solution should be implemented given the scale of operations. Traffic over the network involves a mix of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is first encrypted prior to being sent. Traffic on the internal local area and wireless networks is encoded in hexadecimal so that no data appears in clear text. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers.

Discussion points:

1. Discuss the security of Virtual Private Networks (VPN).

2. Discuss best practices for patch management.

3. Discuss DHCP and SQL injection.
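For discussion point 3, an added example (not taken from the case study) shows the defect behind the earlier SQL injection finding and its fix: a claims lookup that splices the member id into the SQL text, next to the parameterised query that removes the problem, with an input-shape check as a second layer. The claims table, column names and member id format are constructed for the example.

```python
import re
import sqlite3

# Constructed claims table standing in for the case study's medical-claims web site.
CLAIMS = [
    (101, "M-1001", "APPROVED", 1200.00),
    (102, "M-1002", "PENDING", 350.00),
    (103, "M-1003", "REJECTED", 80.00),
]

# Assumed format for a member id: "M-" followed by four digits.
MEMBER_ID_RE = re.compile(r"^M-\d{4}$")


def open_claims():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (claim_id INTEGER PRIMARY KEY, "
                 "member_id TEXT, status TEXT, amount REAL)")
    conn.executemany("INSERT INTO claims VALUES (?, ?, ?, ?)", CLAIMS)
    conn.commit()
    return conn


def claims_vulnerable(conn, member_id):
    """The pattern the old review flagged: the user-supplied value becomes part of
    the SQL text, so quote characters in it change the query's meaning."""
    sql = "SELECT claim_id, status FROM claims WHERE member_id = '" + member_id + "'"
    return conn.execute(sql).fetchall()


def claims_parameterised(conn, member_id):
    """The fix: the value travels as a bound parameter and is never parsed as SQL,
    so a malformed id simply matches no row."""
    return conn.execute(
        "SELECT claim_id, status FROM claims WHERE member_id = ?", (member_id,)).fetchall()


def claims_validated(conn, member_id):
    """Defence in depth: reject anything not shaped like a member id before querying,
    which also gives the application a clean event to log and alert on."""
    if not MEMBER_ID_RE.match(member_id):
        raise ValueError("invalid member id")
    return claims_parameterised(conn, member_id)


if __name__ == "__main__":
    db = open_claims()
    crafted = "' OR '1'='1"           # turns the WHERE clause into a tautology
    print(claims_vulnerable(db, crafted))      # every member's claims
    print(claims_parameterised(db, crafted))   # []
    print(claims_validated(db, "M-1002"))      # [(102, 'PENDING')]
```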

Questions

1. In performing an external network security assessment, which of the following should normally be performed FIRST?

A. Exploitation

B. Enumeration

C. Reconnaissance

D. Vulnerability scanning

2. The Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. This practice:

A. reduces the risk of unauthorized access to the network.

B. is not suitable for small networks.

C. automatically provides an IP address to anyone.

D. increases the risk associated with Wireless Encryption Protocol (WEP).

3. Which of the following antivirus software implementation strategies would be the MOST effective in the interconnected corporate network of the organization?

A. Server-based antivirus software

B. Enterprise-based antivirus software

C. Workstation-based antivirus software

D. Perimeter-based antivirus software


4. Which of the following attacks is MOST likely to impact the availability of a network resource?

A. Man-in-the-middle

B. Denial-of-service (DoS)

C. Phishing

D. Structured Query Language (SQL) injection

5. Which of the following should be of MOST concern to the IS auditor while reviewing the corporate web server?

A. System patches are not applied.

B. The server is not accessed through a virtual private network (VPN).

C. Server logs are not being captured.

D. The network address translation is not enabled.

Guidelines to Faculty:

1. In all questions, an explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 9 Security Controls, Auditing and Firewall Configuration

Learning Objectives

1. Learn firewall configuration for enabling and disabling services, applications or websites.

2. Learn to enable and disable USB mass storage.

3. Learn to use a discovery tool for identifying vulnerabilities.

Scenario

An IS auditor has been assigned to audit the end-point security controls in an organization. There are 200 desktops and 20 laptops in the organization. These end-point devices run different versions of the Microsoft Windows operating system and some stand-alone applications like MS-Office. Some users have access to the Internet for discharging their responsibilities. As an IS auditor, you need to verify compliance with the information security policy of the organization.

Hardware and Software Requirements

Laptops or desktops with OS: Windows 7, 8 or 10, Professional / Enterprise / Ultimate editions (no other version)

Links for downloading the Lab’s other material / tools

1. USB Pratirodh: https://cdac.in/index.aspx?id=cs_eps_usb_pra (works with Microsoft Windows 7 and Windows 10)

2. Belarc Advisor: http://www.belarc.com/free_download.html

Step-by-Step Activities to be performed:

1. Activity 1: Enabling / Disabling USB Storage Devices.

Suggested time: 15 Min

USB mass storage devices can be disabled through registry settings, apart from applications available for the purpose.


CAUTION: Tampering with the registry is always a huge risk. Please back up the registry before doing this exercise and proceed with utmost caution.

1. Run Regedit.exe

2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

3. Under this key, a Start value of 3 signifies that the USB port will accept storage devices.

4. To disable them, we should change the value to 4.

5. By changing the value to 4, USB storage devices will be disabled.

2. Activity 2: USB Pratirodh – a USB mass storage device control solution

Suggested time: 15 Min

USB Pratirodh controls the usage of removable storage media like pen drives, external hard drives, cell phones and other supported USB mass storage devices. Only authenticated users can access the removable storage media.


Features

1. Device Control: All USB devices are uniquely identified. The user can add devices to or remove them from the database, and can bind one or more USB devices to be accessed using an enabled username. An unauthorized new USB device cannot be accessed unless it is registered.

2. User Authentication: Whenever a USB device is plugged in, the user is asked to authenticate with username and password. Only an authenticated user can access the device. If the user fails to authenticate, an access denied message is shown.

3. Secure Storage: Data on the USB storage devices can be encrypted.

4. Malware Detection: USB Pratirodh scans the plugged-in USB device for malware.

Benefits

o USB device control with password protection

o Data encryption on USB devices

o Auto-run protection and malware detection

o Configurable read/write privilege protection


3. Activity 3: Using a discovery tool for in-depth discovery and security analysis.

Suggested time: 15 Min

The Belarc Advisor builds a detailed profile of your installed software and hardware, network inventory, any missing Microsoft hotfixes, anti-virus status, security benchmarks, and displays the results in your Web browser.


4. Activity 4: Configuration of the Windows personal firewall.

Suggested time: 45 Min

Start > Control Panel > Windows Firewall.

On the left pane, we can see various links like Change notification settings, Turn Windows Firewall on or off, Restore defaults, Advanced settings, etc.

On the right pane, there are two types of network for which we can set firewall settings: Home or Work (Private) networks and Public networks.

By default the Firewall state is ON for both the networks.

Click the Change Notification settings button in the Allowed Programs window.

Click Allow an app or feature through Windows Firewall in the left column of the window. Click Advanced settings.

We can see the options of Inbound Rules, Outbound Rules, Connection Security Rules and Monitoring.

Click on the Inbound Rules link in the left pane. A list of all Inbound Rules is displayed.

We can see the properties of a rule by selecting a rule and then its properties.


A. Create a rule to block a program. We are blocking Google Chrome on our machine.

First, take note of the path of Google Chrome. In this example the path of Google Chrome is “C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe”.

Click Advanced settings > Outbound Rules > New Rule

Select program and click on next.

Enter the path of the program and click on next.


Select “Block the connection” and click on Next.


Select all the three viz. Domain, Private and Public and click on Next.


Give a name to the rule. Here we have given “Chrome Block”. Click Finish.

After this try to run Google Chrome. You should not be able to run Google Chrome.

B. Create a rule to block a website:

In our example we are blocking “icai.org”. Before creating a rule, we need to know the IP address of the website. For this, open the command prompt by entering “CMD” in Run, type “ping icai.org” at the prompt and press Enter. You will get the IP address of icai.org.

Click Advanced settings > Outbound Rules > New Rule

The new Rule could be based on Program, Port, Predefined or Custom. We will build a Custom rule.


Select All Programs and click on Next

Click on Next.


We need to enter the IP address of the website under Remote IP address. In our case the IP address is 54.169.194.86.


Select Block the Connection and click on Next.

Select all the three viz. Domain, Private and Public and click on Next

Give a name to the rule. Here we have given “ICAI block”. Click Finish.


Note: Windows Firewall will not work if endpoint security software is installed on your machine. To make Windows Firewall effective, you need to disable the endpoint security software.


Case Study 10 Data Centre Security

Scenario

The client company, Silver Cloud Technologies Inc., a cloud service provider, has recently set up a data centre in Bengaluru, India, to serve its clientele from Asia and the Middle East. This data centre is supposed to be a Tier-IV data centre with redundancy available for all facilities. The data centre is set up in an RCC structure with state-of-the-art technology and equipment. It is secured with high-end physical as well as logical security mechanisms under an IT Security policy. An IS auditor is appointed to carry out the compliance audit for IT security and submit the report to the BODs.

The data centre has an electronic badge system as part of its access control mechanism, under which all employees are allotted a badge carrying photo identification as well as a smart card to gain entry into the data centre and its highly secured zones.

It was also observed that not all the visitor access control cards are accounted for at the end of the day, and there is no periodic reconciliation of these cards. It is possible that some of the cards are missing and were not returned by visitors.

Apart from this, biometric control devices are installed at each critical entry point, programmed to give access only to those persons specifically authorized by the data centre authorization committee. But the retina scan at the entry point is not effective, as the female staff are not willing to come too close to the scanner, and hence there are many instances of false rejection.

Whenever a visitor wants to enter the data centre, a written recommendation letter is asked for. Moreover, a temporary badge with photo identification is created by registering the person on the spot. In spite of all these strict measures, when a security guard is busy checking the formalities of one visitor, other visitors can bypass the checking process. It was also observed that no frisking has been done at any point of time since the inception of the data centre.

Discussion Points

1. Discuss the various physical access control procedures.

2. What are the pros and cons of the various biometric control procedures?

3. Is there any special logical access control for cloud service providers?

4. What is the meaning of a Tier-III or Tier-IV data centre?


Questions

As an IS auditor performing the IS audit, respond to the following:

1. Which of the following rates should compulsorily be the LOWEST to prevent an unauthorized user from gaining entry through biometric devices?

A. False Acceptance Rate (FAR)

B. False Rejection Rate (FRR)

C. Equal Error Rate (EER)

D. Average Error Rate (AER)

2. While verifying the security policy on visitors, the auditor will consider it MOST effective when:

A. A visitor’s photo ID and address proof are scanned and stored for future reference.

B. A visitor is escorted by a specially appointed escort team.

C. A visitor is scanned with an x-ray machine and metal detector before entering the data centre facility.

D. A log of visitors is maintained with signature and contact number.

3. The IS Auditor finds that the Data Centre has a good number of employees working inside it as well as plenty of servers and network devices. Which of the following fire extinguishers will BEST suit the needs of the data centre?

A. Wet pipe – Water based sprinkler

B. Carbon Dioxide – air based

C. Halon Gas – air based

D. Dry Pipe – Water based sprinkler

4. Which of the following is the strongest access control mechanism for a Data Centre?

A. Fingerprinting

B. Fingerprinting with PIN and access card

C. Retina scan, access card and PIN

D. Authority letter, retina scan and access card.

5. What is the immediate action to be taken to improve the access control mechanism?

A. Reconcile the access control cards on daily basis.


B. Instruct the watchman to be stricter during the entry process

C. Employ more security guards to avoid piggy-backing

D. Force the female staff to use the retina scan effectively.

Guidelines to Faculty

1. In all questions, an explanation of each incorrect option may be given in a properly delineated form for easy understanding.

2. Relevant Standards / regulations / frameworks like COBIT 2019, ISO27001, and GDPR may be referred to and explained in the class while discussing the answers.

3. The faculty can teach some theory which s/he might not have covered during the class.


Lab Manual 10 Hygiene Check

Suggested Time: Hygiene Check – 1 hour and Discussion 30 minutes

Basic Hygiene Checklist for Desktops/ Laptops

IP or MAC Address of the Machine: ____________    Date: ____________

OS of the Machine: ____________    Location: ____________

S. No | Control Description | Yes / No | Audit Procedure | Observation | Risk Level | Risk Category | Recommendation | Auditee Response

1 | Whether files and folders are shared? If yes, which groups/users have access to them?

2 | Whether there is any access for groups such as Everyone and Guest on sensitive folders/files (if any)?

3 | Whether unlicensed/freeware/shareware/demo software has been installed?

4 | Whether pen drives (USB ports) have been disabled? (Desktop)

5 | Whether a screen lock / screensaver password has been enabled? (screen saver enabled / timing)

6 | Whether anti-virus has been installed with the latest update? How frequently is it updated?

7 | Whether a system access password is enabled?

8 | Whether a boot-up BIOS password for setup has been put in place, to be used by Admin only?

9 | Whether the system has all required service packs, hotfixes, patches, etc. installed on it?

10 | Whether the system prompts for a password change after 45-60 days? (Password policy to be checked)

11 | Whether the OS audits each instance of attempts to change the user rights assignment policy?

12 | Whether a password history of at least five passwords is enabled?

13 | Whether the password complexity requirement is enabled or not?

14 | Whether account lockout is set to 3 invalid attempts?

Page 112: Lab Manuals and Case Studies - learning.icai.org

Glossary

1 A proof of concept (POC)

A proof of concept (POC) is a demonstration, the purpose of which is to verify that certain concepts or theories have the potential for real-world application. POC is therefore a prototype that is designed to determine feasibility, but does not represent deliverables.

2 Acceptable Use Policy (AUP)

A policy that establishes an agreement between users and the enterprise and defines, for all parties, the ranges of use that are approved before gaining access to a network, the Internet or the services. An AUP clearly states what the user is and is not allowed to do with these resources.

3 Acceptance Testing

Acceptance testing is a test conducted to determine if the requirements of a specification or contract are met. It may involve physical tests or performance tests.

4 Access Control

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.

5 Access Control List

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. With respect to a computer file system, it lists permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Also referred to as access control tables.

6 Access Control Matrix

In computer science, an Access Control Matrix or Access Matrix is an abstract, formal security model of the protection state in computer systems that characterizes the rights of each subject with respect to every object in the system.

7 Active Wiretap

Active wiretapping is an attack that attempts to alter data being communicated or otherwise affect data flow.

8 Adaptive software development (ASD)

Adaptive Software Development (ASD) is a direct outgrowth of an earlier agile framework, Rapid Application Development (RAD). It aims to enable teams to quickly and effectively adapt to changing requirements or market needs by evolving their products with lightweight planning and continuous learning.

9 Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) is a telecommunication protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks.

10 Advanced Persistent Threats (APT)

An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives.

11 Adware A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the user’s consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user and provides the user with a specific service.

12 Agile development Agile development is an alternative to traditional project management where emphasis is placed on empowering people to collaborate and make team decisions in addition to continuous planning, continuous testing and continuous integration.

13 Alpha testing Alpha testing is simulated or actual operational testing by potential users/customers or an independent test team at the developers' site. Alpha testing is often employed for off-the-shelf software as a form of internal acceptance testing, before the software goes to beta testing.

14 Alternate Site A site which may be used for temporary relocation of office or IT facilities during an emergency.

15 Anti-Virus Antivirus or anti-virus software (often abbreviated as AV), sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software.

16 Application controls The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved.

17 Application program interface (API)

A set of routines, protocols and tools referred to as building blocks used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programmer uses these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

18 Application Software Application Software is a program or a set of computer programs designed to enable the user to perform a group of coordinated functions, tasks, or activities. Application software cannot run on its own but depends on system software to execute.

19 Application System Programmers (ASP)

Application system programming is the activity of programming computer system software. The primary distinguishing characteristic of systems programming when compared to application programming is that application programming aims to produce software which provides services to the user directly (e.g. word processor), whereas systems programming aims to produce software and software platforms which provide services to other software.

20 Arithmetic Logical Unit (ALU)

ALU is a digital electronic circuit that performs arithmetic and bitwise logical operations on integer binary numbers and is the fundamental building block of the central processing unit (CPU) of a computer.

21 Artificial intelligence (AI)

Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules.

22 Assembler A program that takes as input a program written in assembly language and translates it into machine code or machine language.

23 Asset Risk Asset Risk is the risk associated with an asset when any of its three security properties, Integrity, Confidentiality or Availability, is compromised. In the context of an investment portfolio, Asset Risk also refers to market changes or poor investment performance of a financial asset (e.g. shares, options, futures, currency).

24 Asset-Liability Committee (ALCO)

Asset-Liability Committee – ALCO is a risk-management committee in a bank or other lending institution that generally comprises the senior-management levels of the institution. The ALCO's primary goal is to evaluate, monitor and approve practices relating to risk due to imbalances in the capital structure.

25 Assurance Part of corporate governance in which management provides accurate and current information to the stakeholders about the efficiency and effectiveness of its policies and operations, and the status of its compliance with statutory obligations.

26 Asymmetric cryptography

Asymmetric cryptography, also known as Public-key cryptography is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and the other is public. Although different, the two parts of this key pair are mathematically linked.

27 Asynchronous Transfer Mode (ATM)

A high-bandwidth low-delay switching and multiplexing technology that allows integration of real-time voice, video and data. It is a data link layer protocol. ATM is a protocol independent transport mechanism. It allows high-speed data transfer rates at up to 155 Mbit/s. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.

28 Attenuation Attenuation is the gradual loss in intensity of a signal as it travels over a medium.

29 Availability Availability, in the context of a computer system, refers to the ability of a user to access information or resources in a specified location and in the correct format. This term is also used by some computer storage manufacturers and storage service providers (SSPs) to describe products and services that ensure that data continues to be available at a required level of performance in situations ranging from normal through disastrous.

30 Back End The back-end, or the "server-side", is basically how the site works, updates, and changes. This refers to everything the user can't see in the browser, like databases and servers.

31 Balanced Scorecard (BSC)

The balanced scorecard is a strategic planning and management system that is used extensively in business and industry, government, and non-profit organizations worldwide to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals.

32 BaNCS TCS BaNCS is a core banking software suite developed by Tata Consultancy Services for use by retail banks. It includes functions for universal banking, core banking, payments, compliance, Wealth Management, Forex and Money Markets, financial inclusion, Islamic banking and treasury operations.

33 Base-lining Base-lining is a method for analyzing computer network performance. The method is marked by comparing current performance to a historical metric, or "baseline".

34 Bastion host A Bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

35 Battle Box The Battle Box is the popular name of the underground command centre constructed under Fort Canning, Singapore, as an emergency, bomb-proof command centre during the Malayan campaign and the Battle of Singapore. The Battle Box is now a museum and tourist attraction.

36 Benefits realisation Benefits realisation is the process for the identification, definition, tracking, realisation and optimisation of benefits ensuring that potential benefits arising from a programme of change are actually realised.

37 Beta testing In software development, applications are subjected to real world testing by the intended audience for the software. The experiences of the early users are forwarded back to the developers who make final changes before releasing the software commercially.

38 Big data Big data is a broad term for data sets, both structured and unstructured, so large or complex that traditional data processing applications are inadequate. It is used to provide customer insights for transparent and simpler products, by analyzing and predicting customer behaviour through data derived from various sources, both internal and external.

39 Biometric Access Control Devices

Biometric access control is the application of the science and technology of analyzing biological data as a means to control access. Devices which implement these controls are called Biometric Access Control devices.

40 Biometric Mouse A Biometric Mouse includes a fingerprint reader on the thumb side of the device. It takes less than a second for the EyeD Mouse to verify a fingerprint.

41 Biometrics Biometrics is the measurement and statistical analysis of people's unique physical and behavioural characteristics, such as a fingerprint, retina scan etc. The technology is mainly used for identification and access controls.

42 Black-box testing A testing approach that focuses on the functionality of the application or product, as per specifications and does not require knowledge of the internal design, structure or logic.

43 Botnet A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.

44 Bring your own device (BYOD)

Bring your own device (BYOD)—also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)—refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.

45 Brute force Brute force is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

46 Buffer Overflow In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety.

47 Bus A common path or channel between hardware devices. It can be located between components internal to a computer or between external computers in a communications network.

48 Business application software

Business software or business application is any software or set of computer programs that are used by business users to perform various business functions. These business applications are used to increase productivity, to measure productivity and to perform business functions accurately.

49 Business Application System

Business application refers to any application that is important to running your business. Business applications can range from large line-of-business systems to specialized tools. Consider all the applications that run on either client computers or servers, including commercial off-the-shelf products, customized third-party systems, and internally developed systems.

50 Business Case Documentation of the rationale for making a business investment, used to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.

51 Business Continuity Coordinator

A member of the Business Continuity Management team who is assigned the overall responsibility for coordination of the recovery planning programme, including team member training, testing and maintenance of recovery plans.

52 Business Continuity Maturity Model

The Business Continuity Maturity Model (BCMM) is a tool to assist businesses in building and maintaining a sustainable BC program.

53 Business Continuity Steering Committee

A committee of decision makers (including one or more members of executive management appointed to this committee), business owners, technology experts and business continuity professionals, tasked with making strategic recovery and continuity planning decisions for the organization.

54 Business Drivers A business driver is a resource, process or condition that is vital for the continued success and growth of a business. A company must identify its business drivers and attempt to maximize any that are under its control.

55 Business model In theory and practice, the term business model is used for a broad range of informal and formal descriptions to represent core aspects of a business, including purpose, business process, target customers, offerings, strategies, infrastructure, organizational structures, sourcing, trading practices, and operational processes and policies.

56 Business process A business process is a collection of linked tasks which find their end in the delivery of a service or product to a client. A business process has also been defined as a set of activities and tasks that, once completed, will accomplish an organizational goal.

57 CAAT Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities which helps in analysing and evaluating data.

58 Call Tree A call tree, sometimes referred to as a phone tree, call list, phone chain or text chain, is a layered hierarchical communication model used for notifying specific individuals of an event.

59 Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI) is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes.

60 Capacity Planning

In information technology, capacity planning is the science and art of estimating the space, computer hardware, software and connection infrastructure resources that will be needed over some future period of time.

61 Cash Reserve Ratio (CRR)

Cash Reserve Ratio (CRR) is a specified minimum fraction of the total deposits of customers, which commercial banks have to hold as reserves either in cash or as deposits with the central bank. CRR is set according to the guidelines of the central bank of a country.

62 Certification & Accreditation Certification and Accreditation (C&A or CnA) is a process for implementing any formal process. It is a systematic procedure for evaluating, describing, testing and authorizing systems or activities prior to or after a system is in operation.

63 CERT Computer Emergency Response Team (CERT) is a group of information security experts responsible for the protection against, detection of and response to an organization's cyber security incidents. This group acts as an efficient corrective control and as a single point of contact for all incidents and issues related to information systems.

64 Change Management Change management is an approach to transition individuals, teams, and organizations to a desired future state. In a project management context, change management may refer to a project management process wherein changes to the scope of a project are formally introduced and approved.

65 Chartered Institute of Management Accountants (CIMA)

The Chartered Institute of Management Accountants (CIMA) is a United Kingdom-based professional body offering training and qualification in management accountancy and related subjects, focused on accounting for business, together with ongoing support for members.

66 Chief Information Officer (CIO)

Chief Information Officer (CIO) or Information Technology (IT) Director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. Generally, the CIO reports to the chief executive officer, chief operating officer or chief financial officer.

67 Children's Online Privacy Protection Act of 1998 (COPPA)

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, enacted on October 21, 1998. The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.

68 Cipher Text Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader.

69 Citrix Farm A Farm is a group of Citrix servers which provides published applications to all users that can be managed as a unit, enabling the administrator to configure features and settings for the entire farm rather than configuring each server individually. All the servers in the farm share a single data store.

70 Class Classes and Objects are basic concepts of Object Oriented Programming which revolve around the real life entities. Class is a user defined blueprint or prototype from which objects are created. It represents the set of properties or methods that are common to all objects of one type.

71 Client Server The client-server model describes how a server provides resources and services to one or more clients. Examples of servers include web servers, mail servers, and file servers. Each of these servers provides resources to client devices, such as desktop computers, laptops, tablets, and smart phones.

72 Cloud computing A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

73 COBIT Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. COBIT 2019 is the latest edition of ISACA’s globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises.

74 Code Library The Code Library is a collection of articles, applications and resource files. The goal of the Code Library is to provide users with sample applications and supplemental information to help them create or customize their own Toolkit applications or other customized content. These can be used for simple functions, such as changing the font, or for complex functions such as multi-step financial calculations. By the nature of their use, code libraries are inherently shareable content.

75 Cognitive science Cognitive science is the scientific study of the human mind. The field is highly interdisciplinary, combining ideas and methods from psychology, computer science, linguistics, philosophy, and neuroscience.

76 Command Centre A command center or command centre (often called a war room) is any place that is used to provide centralized command for some purpose. While frequently considered to be a military facility, these can be used in many other cases by governments or businesses.

77 Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

78 Common Object Request Broker Architecture (CORBA)

The Common Object Request Broker Architecture (CORBA) is a standard defined by the Object Management Group (OMG) designed to facilitate the communication of systems that are deployed on diverse platforms. CORBA enables collaboration between systems on different operating systems, programming languages, and computing hardware.

79 Compliance Compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance is a prevalent business concern because of an ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements.

80 Compliance testing Tests of controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.

81 Compiler A program that translates code written in a programming language (source code) into machine executable instructions (object code).

82 Component Object Model (COM) Component Object Model (COM) is a binary-interface standard for software components introduced by Microsoft in 1993. It is used to enable inter-process communication and dynamic object creation in a large range of programming languages.

83 Computer Information System (CIS)

A Computer Information System is a system composed of people and computers that processes or interprets information. The term is also sometimes used in a more restricted sense to refer only to the software used to run a computerized database, or only to a computer system.

84 Computer Peripherals A peripheral device is generally defined as any auxiliary device such as a computer mouse or keyboard that connects to and works with the computer in some way. Other examples of peripherals are image scanners, tape drives, microphones, loudspeakers, webcams, and digital cameras.

85 Computer Security Incident

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

86 Computer-aided design (CAD)

Computer-aided design (CAD) is the use of computer systems to assist in the creation, modification, analysis, or optimization of a design.

87 Computer-aided software engineering (CASE)

The use of software packages that aid in the development of different phases of an information system like system analysis, design, programming and documentation. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.

88 Conceptualisation The ability to invent or formulate an idea or concept. The conceptualization phase of a project occurs in the initial design activity when the scope of the project is drafted and a list of the desired design features and requirements is created.

89 Concurrency control Refers to a class of controls used in database management systems (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). Concurrency control is important because the simultaneous execution of transactions over a shared database can create several data integrity and consistency problems. The three main problems are lost updates, uncommitted data, and inconsistent retrievals. This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.

90 Confidentiality Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of information.

91 Configuration The way a system is set up. Configuration can refer to either hardware or software, or the combination of both.

92 Configuration items (CI)

Configuration items (CI) are components of an infrastructure that currently are, or soon will be, under configuration management. CIs may be a single module such as a monitor or tape drive, or more complex items, such as a complete system.

93 Configuration management (CM)

Configuration management (CM) refers to a discipline for evaluating, coordinating, approving or disapproving, and implementing changes in artefacts that are used to construct and maintain software systems. An artifact may be a piece of hardware or software or documentation.

94 Continuity of Operations Plan (COOP)

Continuity of Operations (COOP) is the United States initiative to ensure that Federal Government departments and agencies are able to continue operation of their essential functions under a broad range of circumstances, including all-hazard emergencies as well as natural, man-made, and technological threats and national security emergencies. Today's threat environment makes COOP planning even more critical.

95 Continuity Requirements Analysis

Continuity Requirements Analysis (CRA) is the process to collect information on the resources required to resume and continue the business activities at a level required to support the organization’s objectives and obligations.

96 Continuous and intermittent simulation (CIS)

CIS is a concurrent auditing technique that simulates the instruction execution of the application at the time the application is processing a transaction. All data and input to the application is accessible by and shared with the simulation. This means that the simulation is notified about each transaction that is entered into the application and about each access to the database made through the DBMS.

97 Contract In common law legal systems, a contract (or informally known as an agreement in some jurisdictions) is an agreement having a lawful object entered into voluntarily by two or more parties, each of whom intends to create one or more legal obligations between them.

98 Central Processing Unit (CPU)

CPU is the electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control and input/output (I/O) operations specified by the instructions.

99 Control Self-assessment

Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.

100 Control Unit The control unit (CU) is a component of a computer's central processing unit (CPU) that directs operation of the processor. It tells the computer's memory, arithmetic/logic unit and input and output devices how to respond to a program's instructions.

101 Cookies A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them. The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie’s message is sent to the server, a customized view based on that user’s preferences can be produced. The browser’s implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user’s identity and enable restricted web services).

102 Core banking software (CBS)

A software solution to provide banking service functionalities through a group of networked bank branches where customers may access their bank accounts and perform basic transactions from any of the member branch offices.

103 Corporate governance The system of rules, practices, and processes by which organizations are directed and controlled. The board of directors is responsible for the governance of the organization. It consists of the leadership and organizational structures and processes that ensure that the organization sustains and extends its strategies and objectives.

104 Crisis Management Team (CMT) A Crisis Management Team is formed to protect an organization against the adverse effects of a crisis. The Crisis Management Team prepares an organization for inevitable threats.

105 Critical Business Function (CBF)

Critical Business Functions (CBF) are vital functions without which an organization will either not survive or will lose the capability to effectively achieve its critical objectives.

106 Critical Path Method (CPM)

The Critical Path Method (CPM) is one of several related techniques for doing project planning. CPM is for projects that are made up of a number of individual "activities." If some of the activities require other activities to finish before they can start, then the project becomes a complex web of activities.

107 Crossover Error Rate (CER)

The error rate obtained at the threshold that provides the same False Acceptance Rate and False Rejection Rate.

108 Cross-site request forgery

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

109 Cryptanalysis Cryptanalysis refers to the study of ciphers, cipher text, or cryptosystems (i.e. secret coding systems) with a view to finding weaknesses in them that will permit retrieval of the plaintext from the cipher text, without necessarily knowing the key or the algorithm.

110 Cryptography Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. The term is most often associated with scrambling plaintext (ordinary text, sometimes referred to as clear text) into cipher text (a process called encryption), then back again (known as decryption).

111 Cyber crime Computer crime, or cyber crime, is any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Net crime is criminal exploitation of the Internet, inherently a cyber crime.

112 Data analytics Data analytics is the process of examining big data to uncover hidden patterns, unknown correlations and other useful information that can be used to make better decisions.

113 Data Base Administrator (DBA)

An individual or department responsible for the security and information classification implementation of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.

114 Data Base Management System (DBMS)

A software system that controls the organization, storage and retrieval of data in a database.

115 Data Diddling Data diddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry and exchanging valid disks and tapes with modified replacements.

116 Data Encryption Standard (DES)

An algorithm for encoding binary data. It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES was defined as a Federal Information Processing Standard (FIPS) in 1976 and has been used commonly for data encryption in the forms of software and hardware implementation. (See private key cryptosystem).

117 Data Flow Diagrams (DFD)

A data flow diagram (DFD) is a graphical representation of the "flow" of data through an information system, modelling its process aspects. A DFD is often used as a preliminary step to create an overview of the system, which can later be elaborated.

118 Data Leak /loss Prevention (DLP)

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

119 Data Management Data management is the development, execution and supervision of plans, policies, programs and practices that control, protect, deliver and enhance the value of data and information assets.

120 Data Migration Data migration is the process of transferring data between storage types, formats, or computer systems. It is a key consideration for any system implementation, upgrade or consolidation.

121 Data Normalisation Normalization involves decomposing a table into less redundant (and smaller) tables but without losing information; defining foreign keys in the old table referencing the primary keys of the new ones.
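A worked example of the decomposition just described, added here and not part of the ICAI text: a flat orders table that repeats customer details on every row is split into customers and orders in SQLite (Python's bundled sqlite3 module), the join of the two is checked to be lossless, and the foreign key is shown rejecting an order that points at a customer that does not exist, which is the referential-integrity failure a flat table cannot prevent. The table names, columns and rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the page): a flat orders table that
# repeats the customer's name and city on every order row.
FLAT_ROWS = [
    (1001, "Asha Rao", "Pune", "Ledger paper", 3),
    (1002, "Asha Rao", "Pune", "Stapler", 1),
    (1003, "Ben Ito", "Osaka", "Ledger paper", 10),
]


def open_db():
    """In-memory database with foreign-key enforcement switched on.
    The PRAGMA must run before any transaction is open, or SQLite ignores it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    return conn


def build_flat(conn):
    conn.execute(
        "CREATE TABLE orders_flat("
        "order_id INTEGER PRIMARY KEY, customer_name TEXT, city TEXT, "
        "item TEXT, qty INTEGER)"
    )
    conn.executemany("INSERT INTO orders_flat VALUES (?,?,?,?,?)", FLAT_ROWS)


def normalise(conn):
    """Decompose orders_flat into customers (the repeated facts) and orders,
    with orders.customer_id a foreign key to customers.customer_id."""
    conn.execute(
        "CREATE TABLE customers("
        "customer_id INTEGER PRIMARY KEY, customer_name TEXT UNIQUE NOT NULL, city TEXT)"
    )
    conn.execute(
        "CREATE TABLE orders("
        "order_id INTEGER PRIMARY KEY, "
        "customer_id INTEGER NOT NULL REFERENCES customers(customer_id), "
        "item TEXT, qty INTEGER)"
    )
    # One row per distinct customer: the redundancy disappears here.
    conn.execute(
        "INSERT INTO customers(customer_name, city) "
        "SELECT DISTINCT customer_name, city FROM orders_flat"
    )
    conn.execute(
        "INSERT INTO orders "
        "SELECT f.order_id, c.customer_id, f.item, f.qty "
        "FROM orders_flat f JOIN customers c ON c.customer_name = f.customer_name"
    )


def reconstruct(conn):
    """Join the normalised tables back together; must equal the flat table."""
    return conn.execute(
        "SELECT o.order_id, c.customer_name, c.city, o.item, o.qty "
        "FROM orders o JOIN customers c ON c.customer_id = o.customer_id "
        "ORDER BY o.order_id"
    ).fetchall()


def lossless_join_check():
    """True when the decomposition lost no information."""
    conn = open_db()
    build_flat(conn)
    normalise(conn)
    return reconstruct(conn) == FLAT_ROWS


def customer_row_count():
    conn = open_db()
    build_flat(conn)
    normalise(conn)
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def orphan_order_rejected():
    """The foreign key refuses an order for a customer_id that does not exist."""
    conn = open_db()
    build_flat(conn)
    normalise(conn)
    try:
        conn.execute("INSERT INTO orders VALUES (1004, 42, 'Pen', 1)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    print("lossless:", lossless_join_check(), "customers:", customer_row_count(),
          "orphan rejected:", orphan_order_rejected())
```

The audit-relevant point is the last function: once the customer facts live in one place, the database itself can refuse records that reference a non-existent customer, and a change of address is made once rather than on every order row.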

122 Data Transmission Data Transmission is the physical transfer of data (a digital bit stream or a digitized analog signal) over a point-to-point or point-to-multipoint communication channel. Examples of such channels are copper wires, optical fibres, wireless communication channels, storage media and computer buses.

123 Data Vault The Data Vault is a detail oriented, historical tracking and uniquely linked set of normalized tables that support one or more functional areas of business. It is a hybrid approach encompassing the best of breed between 3rd normal form (3NF) and star schema. The design is flexible, scalable, consistent and adaptable to the needs of the enterprise. It is a data model that is architected specifically to meet the needs of today’s enterprise data warehouses.

124 Data warehouse In computing, a data warehouse (DW or DWH), also known as an enterprise data warehouse (EDW), is a system used for reporting and data analysis. DWs are central repositories of integrated data from one or more disparate sources.

125 Database Replication The process of creating and managing duplicate versions of a database. Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others. This lets many users work with their own local copy of a database while the whole set behaves as if it were a single centralized database. For database applications whose users are widely geographically distributed, replication is often the most efficient method of database access.

126 Database architecture Database architecture focuses on the design, development, implementation and maintenance of computer programs that store and organize information for businesses, agencies and institutions.

127 Deadman Doors/Mantrap Systems A mantrap or dead man door is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Because only the space between the doors is open at any one time, a single person can be identified (and, if necessary, held) before entry, and tailgating through an open door is prevented.

128 Debugger A debugger or debugging tool is a computer program that is used to test and debug other programs (the "target" program).

129 Decision Support System (DSS)

An interactive system that provides the user with easy access to decision models and data, to support semi-structured decision-making tasks.

130 Demilitarized zone (DMZ)

DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub-network that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network.

131 Denial Of Service (DoS)

A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.

132 Desk checking Desk checking is a manual (non-computerised) technique for checking the logic of an algorithm. The person performing the desk check effectively acts as the computer, using pen and paper to record results.

133 Dictionary attack In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by guessing its key or passphrase from a list of likely candidates, such as words in a dictionary or passwords exposed in earlier breaches, rather than from every possible combination as in a brute-force attack. Lists of hundreds to many millions of candidates are typical. Salting stops one precomputed table from being reused across accounts; only a rate limit or a deliberately slow password hash raises the cost of each individual guess.
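An added example, not from the original glossary, of a dictionary attack against salted password hashes and of the defence that actually raises its cost. The word list and the passwords are constructed; the hash functions are Python's standard hashlib. Note that the salt does not stop the attack against a single account, since the attacker simply hashes each guess with the same salt; it only prevents one precomputed table being used against every account.

```python
import hashlib
import hmac
import os
import time

# Constructed candidate list (not from the page); a real attack uses lists of
# millions of leaked passwords, tried in order of frequency.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "monsoon2020"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """A single salted SHA-256: cheap to store, equally cheap for the attacker to guess against."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_attack(stored: bytes, salt: bytes, hash_fn, wordlist=WORDLIST):
    """Run each candidate through the same hash function the victim used.
    Returns (recovered password or None, number of guesses made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), stored):
            return candidate, guesses
    return None, len(wordlist)


def guess_cost_ratio(salt: bytes = b"\x00" * 16) -> float:
    """How many times more expensive one guess is against PBKDF2 than against plain SHA-256."""
    reps = 2000
    t0 = time.perf_counter()
    for _ in range(reps):
        fast_hash("probe", salt)
    fast = (time.perf_counter() - t0) / reps
    t0 = time.perf_counter()
    slow_hash("probe", salt)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ("monsoon2020", "N7$kq!Lw2#vb"):
        found, n = dictionary_attack(fast_hash(pw, salt), salt, fast_hash)
        print(f"{pw!r}: recovered={found!r} after {n} guesses")
    print(f"PBKDF2 makes each guess roughly {guess_cost_ratio():,.0f} times more expensive")
```

The weak password falls on the sixth guess whichever hash is used; what changes with PBKDF2 (or bcrypt, scrypt, Argon2) is that the same six guesses, and the millions an attacker would really make, each cost tens of thousands of times more.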

134 Digital Asset Management (DAM)

Digital asset management (DAM) consists of management tasks and decisions surrounding the ingestion, annotation, cataloguing, storage, retrieval and distribution of digital assets.

135 Digital rights management (DRM)

Digital rights management (DRM) refers to any scheme that controls access to copyrighted material using technological means and specifically copyright protection for digital media. The purpose of DRM is to prevent unauthorized redistribution of digital media and restrict the ways consumers can copy content they've purchased.

136 Discretionary Access Control

A means of restricting access to objects based on the identity of subjects and/or the groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. By contrast, under mandatory access control the policy is set centrally and cannot be relaxed by the object's owner.

137 Distributed Component Object Model (DCOM)

Distributed Component Object Model (DCOM) is a proprietary Microsoft technology for communication among software components distributed across networked computers. DCOM, which originally was called "Network OLE", extends Microsoft's COM, and provides the communication substrate under Microsoft's COM+ application server infrastructure.

138 Distributed denial-of-service (DDoS) attack

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic.
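An added example, not part of the original text, that serves both the DoS and the DDoS entries: sliding-window counters run over constructed web-server log lines to tell the two cases apart. A single-source flood is one address exceeding a per-address limit; a distributed flood is one where no single address is noisy but the total rate exceeds what the server can carry. The thresholds, the addresses (taken from the reserved documentation ranges) and the timestamps are assumed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: remote address, timestamp, request, status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def detect_floods(lines, window_s=10, per_ip_limit=30, total_limit=100):
    """Sliding-window counters over a time-ordered log.
    single_source: addresses that alone exceed per_ip_limit requests in a window (DoS).
    distributed_at: first time the total exceeds total_limit while no single address
    exceeds per_ip_limit (DDoS: every source looks harmless on its own)."""
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)          # timestamps per source
    recent = deque()                     # (timestamp, ip) across all sources
    recent_counts = Counter()            # requests per ip inside `recent`
    single_source, distributed_at = set(), None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > per_ip_limit:
            single_source.add(ip)
        recent.append((ts, ip))
        recent_counts[ip] += 1
        while ts - recent[0][0] > window:
            _, old_ip = recent.popleft()
            recent_counts[old_ip] -= 1
        if (distributed_at is None and len(recent) > total_limit
                and max(recent_counts.values()) <= per_ip_limit):
            distributed_at = ts
    return {"single_source": sorted(single_source), "distributed_at": distributed_at}


def make_sample_log():
    """Constructed traffic, not real logs: a few normal users, then one host
    hammering /login, then 500 hosts sending one request each within 5 seconds."""
    base = datetime(2020, 8, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, offset_s):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512')

    for s in range(3):                       # background: 5 users, 1 request/s for 3 s
        for i in range(5):
            emit(f"10.0.0.{i + 1}", s)
    for s in range(60):                      # DoS: one address, 60 requests in 6 s
        emit("203.0.113.7", 10 + s / 10)
    for i in range(250):                     # DDoS: 500 distinct addresses, 1 request each
        emit(f"192.0.2.{i + 1}", 20 + i / 50)
        emit(f"198.51.100.{i + 1}", 20 + i / 50)
    return lines


if __name__ == "__main__":
    print(detect_floods(make_sample_log()))
```

The per-address rule catches the first flood and would be the basis of a block at the firewall; it sees nothing wrong with the second, where every address sends a single request, so that case can only be recognised from the aggregate and is normally absorbed upstream (scrubbing, anycast, CDN) rather than blocked by source.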

139 DNS Attacks DNS spoofing (also called DNS cache poisoning) is an attack in which forged resolution data is introduced into a Domain Name System (DNS) resolver's cache, causing the resolver to return an incorrect IP address and diverting traffic to the attacker's computer (or any other computer). Because clients trust whatever address the resolver returns, the diversion is invisible to the user unless the connection itself is authenticated, for example by TLS certificate validation.

140 Domain Name System (DNS)

A hierarchical database, distributed across the Internet, that allows names to be resolved into IP addresses (and vice versa) in order to locate services such as web and email servers.

141 Domain Specialist A domain specialist is a person with special knowledge or skills in a particular area of endeavour. An accountant is an expert in the domain of accountancy.

142 Downtime Downtime or outage duration refers to a period of time that a system fails to provide or perform its primary function. Reliability, availability, recovery, and unavailability are related concepts. The unavailability is the proportion of a time-span that a system is unavailable or offline.

143 Dumpster Diving In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes; discarded printouts, organisation charts and storage media are equally useful to an attacker.

144 Duplex A "duplex" (full-duplex) communication channel carries data in both directions at the same time; it can be built from two simplex channels operating in opposite directions. (Contrast half duplex.)

145 Dynamic systems development method (DSDM)

Dynamic systems development method (DSDM) is an agile project delivery framework, primarily used as a software development method. It is an iterative and incremental approach that embraces principles of Agile development, including continuous user/customer involvement.

146 Dynamic testing Dynamic testing (or dynamic analysis) is a term used in software engineering for testing the behaviour of code by executing it: the software is compiled (or interpreted) and run against chosen inputs, and its outputs, timing and resource use are observed. It contrasts with static testing, which inspects code or models without running them.

147 Earned Value Analysis (EVA)

Earned Value Analysis (EVA) is an industry standard method of measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds.

148 Eavesdropping Eavesdropping or network sniffing is an attack in which packets transmitted by other computers are captured from the network and their content read in search of sensitive information such as passwords, session tokens, or any kind of confidential information. It yields little against traffic that is encrypted end to end, although addresses and traffic volumes remain visible.

149 E-commerce E-commerce (also written as e-Commerce, eCommerce or similar variants), short for electronic commerce, is trading in products or services using computer networks, such as the Internet.

150 Economic Feasibility The purpose of the economic feasibility assessment is to determine the positive economic benefits to the organization that the proposed system will provide. It includes quantification and identification of all the benefits expected. This assessment typically involves a cost/benefit analysis.

151 Electronic Data Interchange (EDI)

The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

152 Editor A program that enables a user to create and edit text files.

153 Electronic Communications Privacy Act of 1986 (ECPA)

Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer and provisions prohibiting access to stored electronic communications.

154 Electronic discovery (e-discovery)

Electronic discovery (or e-discovery) refers to discovery in litigation or government investigations which deal with the exchange of information in electronic format (often referred to as electronically stored information or ESI).

155 Electronic funds transfer (EFT)

The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.

156 Electrostatic discharge (ESD)

Electrostatic discharge (ESD) is the sudden flow of electricity between two electrically charged objects caused by contact, an electrical short, or dielectric breakdown. A build-up of static electricity can be caused by tribo-charging or by electrostatic induction.

157 Elicitation Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise, deniable, and effective.

158 Embedded audit Module

Integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store and forward methods. Also known as integrated test facility or continuous auditing module.

159 Emergency operations center (EOC)

An emergency operations center (EOC) is a central command and control facility responsible for carrying out the principles of emergency preparedness and emergency management, or disaster management functions at a strategic level in an emergency situation, and ensuring the continuity of operations of an organization.

160 EMI (electromagnetic interference)

EMI (electromagnetic interference) is the disruption of operation of an electronic device when it is in the vicinity of an electromagnetic field (EM field) in the radio frequency (RF) spectrum that is caused by another electronic device.

161 Encryption The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (cipher text).

162 Endpoint security In network security, endpoint security refers to a methodology of protecting the corporate network when accessed via remote devices such as laptops or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry point for security threats.

163 Enterprise Java Beans (EJB)

Enterprise Java Beans (EJB) is a development architecture for building scalable and robust enterprise-level applications to be deployed on a Java EE (formerly J2EE) compliant application server such as JBoss or WebLogic. EJB 3.0 greatly simplified development compared with EJB 2.0 by replacing most of the required boilerplate with annotations.

164 Enterprise resource planning (ERP)

A packaged business software system that allows an organization to automate and integrate the majority of its business processes, share common data and practices across the entire organization, and produce and access information in a real-time environment with the objective of optimizing its resource utilization. Examples of ERP include SAP, Oracle Financials and J.D. Edwards.

165 Enterprise risk Management (ERM) Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

166 Extranet A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers, or other businesses as well as to execute electronic transactions. It differs from an intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.

167 Extreme programming (XP)

Extreme programming (XP) is a software development methodology which is intended to improve software quality and responsiveness to changing customer requirements.

168 False acceptance rate(FAR)

The false acceptance rate, or FAR, is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. A system's FAR typically is stated as the ratio of the number of false acceptances divided by the number of identification attempts.

169 False rejection rate (FRR)

The false rejection rate is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. A system's FRR typically is stated as the ratio of the number of false rejections divided by the number of identification attempts.
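Both rates come from the same set of matcher scores by moving one decision threshold, so lowering FAR raises FRR and vice versa; the threshold at which the two are equal gives the equal error rate (EER), the usual single-figure summary of a biometric system. An added example, not from the original glossary, that computes FAR and FRR across the whole threshold range from constructed genuine and impostor score lists, finds the EER, and picks the threshold for a given FAR ceiling:

```python
# Constructed matcher scores (not from the page): higher means "more alike".
GENUINE = [72, 85, 90, 66, 95, 88, 79, 91, 83, 60]    # enrolled user vs own template
IMPOSTOR = [20, 35, 48, 55, 30, 62, 41, 25, 70, 45]   # other people vs that template


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every threshold: FAR falls and FRR rises as it is raised."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold at which |FAR - FRR| is minimal, i.e. the crossover point."""
    return min(sweep(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))


def choose_threshold(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Smallest threshold meeting a FAR ceiling. A door to a server room wants FAR
    near zero and tolerates the extra false rejections that brings."""
    for t, f, r in sweep(genuine, impostor):
        if f <= max_far:
            return t, f, r
    return None


if __name__ == "__main__":
    print("EER (threshold, FAR, FRR):", equal_error_rate())
    print("threshold for FAR <= 0  :", choose_threshold(0.0))
```

For an auditor the practical check is which of the two rates the operator tuned for: a high-security entrance should be set to the right of the crossover (low FAR, higher FRR), and a convenience control such as a phone unlock to the left.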

170 Feasibility The state or degree of being easily or conveniently done.

171 Feasibility Study A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need.

172 Finacle Finacle is a core banking software package developed by Indian technology corporation Infosys. It is used by multiple banks across several countries and can handle multi-currency transactions.

173 Fire Wall A system or combination of systems that enforces a boundary between two or more networks typically forming a barrier between a secure and an open environment, such as the Internet.

174 First responder A first responder is an employee of an emergency service who is likely to be among the first people to arrive at and assist at the scene of an emergency, such as an accident, natural disaster, or terrorist attack. First responders typically include police officers, fire fighters, paramedics, and emergency medical technicians

175 Flexcube Flexcube is a core banking software package developed by Oracle Financial Services Software (formerly i-flex Solutions Limited). It is used by banks worldwide and is configurable across a wide range of banking operations.

176 FM200 FM-200 (HFC-227ea, a halocarbon clean agent, not an inert gas) fire suppression systems reach extinguishing concentration in 10 seconds or less, stopping ordinary combustible, electrical, and flammable liquid fires before they cause significant damage. Because the agent leaves no residue, it is the usual choice for data centres, where water or powder would damage equipment; inert-gas alternatives (such as IG-541) work instead by reducing the oxygen level in the room.

177 Forward engineering Forward engineering is the opposite of reverse engineering. Forward engineering is the process of building from a high-level model or concept to build in complexities and lower-level details and represents the normal development process. This type of engineering has different principles in various software and database processes.

178 Four Eyes principle The four eyes principle is a requirement that two individuals approve some action before it can be taken. The four eyes principle is sometimes called the two-man rule or the two-person rule.

179 Front End The part of an application that the user interacts with directly, such as the pages of a website. It is also referred to as the 'client side' of the application and normally communicates with a back end that holds the database.

180 Function Point Analysis (FPA)

Function Point Analysis (FPA) is a sizing measure of clear business significance. First made public by Allan Albrecht of IBM in 1979, the FPA technique quantifies the functions contained within software in terms that are meaningful to the software users.

181 Functional organization

Functional organization is a type of organizational structure that uses the principle of specialization based on function or role.

182 Functional Requirement

In software engineering (and systems engineering), a functional requirement defines a function of a system and its components. A function is described as a set of inputs, the behaviour, and outputs. Functional requirements may be calculations, technical details, data manipulation and processing and other specific functionality that define what a system is supposed to accomplish.

183 Functional testing Functional testing is a quality assurance (QA) process and a type of black box testing that bases its test cases on the specifications of the software component under test.

184 Gantt Chart A Gantt chart is a horizontal bar chart developed as a production control tool in 1917 by Henry L. Gantt, an American engineer and social scientist. Frequently used in project management, a Gantt chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.

185 Gateway A device (router, firewall) on a network that connects two networks using different transmission protocols as an entry/exit point for a network.

186 Generalized audit software (GAS)

Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting.

187 Governance The collection of mechanisms, processes and relations by which corporations are controlled and operated so that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed on direction and objectives.

188 Governance of enterprise IT (GEIT)

Governance of enterprise IT (GEIT) is the system by which IT activities in a company are directed and controlled to achieve business objectives and deliver value to stakeholders. It is based on three pillars of benefit realization, resource optimization and optimization of risk.

189 Gramm–Leach–Bliley Act (GLBA)

Also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

190 Graphical user interface (GUI)

A graphical user interface (GUI) is a human-computer interface (i.e., a way for humans to interact with computers) that uses windows, icons and menus and which can be manipulated by a mouse (and often to a limited extent by a keyboard as well).

191 Gray-box testing Gray-box testing (International English spelling: grey-box testing) is a combination of white-box testing and black-box testing. The aim of this testing is to search for the defects if any due to improper structure or improper usage of applications.

192 Hacking Hacking is to gain unauthorized access to data in a system or computer.

193 HADOOP Hadoop is an open-source framework for storing and processing big data in a distributed environment across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage.

194 Half Duplex Is a communications channel that operates in one direction at a time. Each device in a half-duplex system can send and receive data, but only one device can transmit at a time.

195 Hardware Computer hardware is the physical parts or components of a computer, such as the monitor, mouse, keyboard, computer data storage, hard disk drive (HDD), system unit (graphic cards, sound cards, memory, motherboard and chips), and so on, all of which are physical objects that can be touched.

196 Heat map A heat map is a two-dimensional representation of data in which values are represented by colors. A simple heat map provides an immediate visual summary of information. More elaborate heat maps allow the viewer to understand complex data sets.

197 HIPAA HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

198 Hosts file The hosts file is a plain text file used by an operating system to map hostnames to IP addresses; it is conventionally named hosts (/etc/hosts on Unix-like systems, C:\Windows\System32\drivers\etc\hosts on Windows). Most resolvers consult it before querying DNS, so an entry placed there by malware or an intruder silently redirects or blackholes a name for every program on the machine, which makes it a standard item to review during incident response.
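An added example, not part of the original text, that parses a hosts file and classifies each mapping the way an incident responder would: watchlisted names redirected to another address, or blackholed to 127.0.0.1 or 0.0.0.0, are flagged high; names pinned to a public address medium; overrides to internal addresses low, to be confirmed against change records. The file content and the watchlist (hypothetical names in the reserved .test domain) are constructed for illustration.

```python
import ipaddress

# Names an attacker commonly targets in a hosts file. These are hypothetical names
# in the reserved .test domain, standing in for an organisation's own watchlist.
WATCHLIST = {"login.example-bank.test", "update.example-av.test"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

# Constructed hosts file content (not a real file): two normal lines, an internal
# override, a redirected banking host, a blackholed security-vendor host, junk.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.corp.test        # internal override
198.51.100.23   login.example-bank.test
0.0.0.0         update.example-av.test
not-an-address  oops.test
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) per name; address is None when unparseable."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        for name in fields[1:]:
            yield line_no, addr, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Classify every mapping. Returns (line_no, hostname, address, severity, reason)."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr is None:
            findings.append((line_no, name, None, "medium", "unparseable address"))
        elif name in LOCAL_NAMES and addr.is_loopback:
            continue                                  # the only entries a clean file needs
        elif name in watchlist and (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, name, str(addr), "high", "watchlisted host blackholed"))
        elif name in watchlist:
            findings.append((line_no, name, str(addr), "high", "watchlisted host redirected"))
        elif addr.is_global:
            findings.append((line_no, name, str(addr), "medium", "name pinned to a public address"))
        else:
            findings.append((line_no, name, str(addr), "low",
                             "internal override, confirm against change records"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

The blackhole case matters as much as the redirect: pointing a security vendor's update host at 0.0.0.0 is a common way for malware to stop the endpoint from ever receiving the signature that would detect it.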

199 IaaS IaaS (Infrastructure as a Service) is computing infrastructure, such as virtual machines, storage and networking, delivered as a service. Servers and software are obtained as a fully outsourced service from the provider's data centre and are usually billed on usage, that is, on how much of the resource is actually consumed.

200 IDE (Integrated Development Environment)

An integrated development environment (IDE) is a programming environment that has been packaged as an application program, typically consisting of a code editor, a compiler, a debugger, and a graphical user interface (GUI) builder.

201 IDEA Tool IDEA is a data analysis tool designed to help auditors, accountants and other finance professionals import, analyse and sample large data sets quickly in order to improve audits and identify control breakdowns.

202 Identity & Access Management (IDAM)

Identity and access management (IAM, also written IDAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

203 Implementation The process of putting a decision or plan into effect; execution.

204 Incremental Model The Incremental Model is a combination of one or more Waterfall Models. In the Incremental Model, project requirements are divided into multiple modules and each module is developed, tested and delivered separately, so that working functionality accumulates over successive increments.

205 Information Assets An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

206 Information processing facility (IPF)

An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

207 Information Security Governance

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly

208 Information Technology Assurance Framework (ITAF)

The Information Technology Assurance Framework (ITAF), published by ISACA, is a comprehensive and good-practice-setting model that: Provides guidance on the design, conduct and reporting of IT audit and assurance assignments; Defines terms and concepts specific to IT assurance.

209 Information Technology Infrastructure Library (ITIL)

ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of business.

210 Integrated Test Facility (ITF)

A testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities, such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.

211 Integration testing Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group. It occurs after unit testing and before validation testing.

212 Integrity Integrity refers to maintaining and assuring the accuracy and consistency of data over its entire life-cycle, and is a critical aspect to the design, implementation and usage of any system which stores, processes, or retrieves data.

213 Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

214 International Federation of Accountants (IFAC)

International Federation of Accountants (IFAC) is the global organization for the accountancy profession. Founded in 1977, IFAC has 175 members and associates in 130 countries and jurisdictions, representing more than 2.5 million accountants employed in public practice, industry and commerce, government, and academe.

215 Internet Engineering Task Force (IETF)

An organization with international affiliates as network industry representatives that sets Internet standards. This includes all network industry developers and researchers concerned with the evolution and planned growth of the Internet.

216 Internet Protocol Network

An IP network is a communication network that uses the Internet Protocol to send and receive messages between two or more computers.

217 Internet Protocol Security (IPsec)

A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets at the IP layer: the Authentication Header (AH) provides integrity and origin authentication, the Encapsulating Security Payload (ESP) adds confidentiality, and the Internet Key Exchange (IKE) negotiates keys and security associations. IPsec is the usual basis for site-to-site VPNs.

218 Interpreter In computer science, an interpreter is a computer program that directly executes, i.e. performs, instructions written in a programming or scripting language, without previously compiling them into a machine language program.

219 Intrusion detection system (IDS)

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

220 Intrusion Prevention System (IPS)

Intrusion prevention systems (IPS) are network security appliances that monitor network and/or system activities and block activity they identify as malicious, typically by sitting inline in the traffic path. In contrast to an IDS, which only detects and reports, an IPS is a preventive control.

221 Ionosphere The ionosphere is the part of the atmosphere that is ionized by solar radiation. It plays an important part in atmospheric electricity and forms the inner edge of the magnetosphere. It has practical importance because, among other functions, it influences radio propagation to distant places on the Earth. It forms the boundary between Earth's lower atmosphere - where we live and breathe and the vacuum of space.

222 IP Spoofing An attack using packets whose source Internet Protocol (IP) address has been forged. The technique exploits applications and network controls that authenticate or filter on the basis of IP addresses alone, and may enable an unauthorized user to bypass such controls on the target system. Because replies to a spoofed packet go to the forged address, the technique is most useful for one-way attacks such as flooding, or where the attacker can also observe or predict the replies.

223 ISACA ISACA is an international professional association focused on IT Governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

224 ISMS (Information Security Management System)

An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

225 ISO 27001 ISO 27001:2013 is an information security standard that was published on the 25th September 2013. It is a specification for an information security management system (ISMS).

226 ISO 31000 ISO 31000, Risk management – Guidelines (first published as ISO 31000:2009, Risk management – Principles and guidelines, and revised as ISO 31000:2018), provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.

227 ISO/IEC 15504 ISO/IEC 15504 Information technology — Process assessment, also known as SPICE (Software Process Improvement and Capability Determination), is a set of technical standards documents for the computer software development process and related business management functions.

228 ISO/IEC 27001 ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called 'information security risks' in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks, and it ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts. ISO/IEC 27001 is the best-known standard in the ISO/IEC 27000 family, providing the requirements for an ISMS against which an organization can be certified.

229 ISO/IEC 38500 ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.

230 IT governance IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its overall business objectives.

231 IT Governance Institute (ITGI)

The IT Governance Institute (ITGI) was formed by ISACA in 1998 to advance international thinking on GEIT.

232 IT Security Policy An IT security policy is a strategy for how your company will implement Information Security principles and technologies. It is essentially a business plan that applies only to the Information Security aspects of a business.

233 Joint Application Development (JAD)

Joint Application Development (JAD) is a development methodology system originally used for designing a computer-based system, but can be applied to any development process. It involves continuous interaction with the users and different designers of the system in development.

234 Kerberos Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

235 Key Goal Indicators (KGI)

KGI / Key Goal Indicators refers to pre-set indicators of process objectives (goals) that indicate what should be achieved by a process (they define an objective).

236 Key Logger A key logger is a type of surveillance software (considered to be either software or spyware) that has the capability to record every keystroke you make to a log file, usually encrypted. A key logger recorder can record instant messages, e-mail, and any information you type at any time using your keyboard.

237 Key Man policies An employer may take out a key person insurance policy on the life or health of any employee whose knowledge, work, or overall contribution is considered uniquely valuable to the company. The employer does this to offset the costs (such as hiring temporary help or recruiting a successor) and losses (such as a decreased ability to transact business until successors are trained) which the employer is likely to suffer in the event of the loss of a key person.

238 Key Performance Indicator (KPI)

A measure that determines how well the process is performing in enabling the goal to be reached. A lead indicator of whether a goal will likely be reached or not, and a good indicator of capabilities, practices and skills. It measures the activity goal, which is an action that the process owner must take to achieve effective process performance.

239 Key Risk Indicator (KRI)

A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is.

240 Kickoff Meeting The Kickoff Meeting is the first meeting with the project team and the client of the project. This meeting would follow definition of the base elements for the project and other project planning activities.

241 Linker A linker or link editor is a computer program that takes one or more object files generated by a compiler and combines them into a single executable file, library file, or another object file.

242 LISP Acronym for list processor, a high-level programming language especially popular for artificial intelligence applications.

243 Loader In computing, a loader is the part of an operating system that is responsible for loading programs and libraries. It is one of the essential stages in the process of starting a program, as it places programs into memory and prepares them for execution.

244 Logic bomb A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

245 logic error In computer programming, a logic error is a bug in a program that causes it to operate incorrectly, but not to terminate abnormally (or crash). A logic error produces unintended or undesired output or other behaviour, although it may not immediately be recognised as such.

246 MAC spoofing MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address that a network interface presents on a networked device. The MAC address is hard-coded on the network interface controller (NIC) and that burned-in value itself cannot be changed; spoofing overrides the address the device uses in software, which is why a MAC address alone is not a reliable means of identifying or authenticating a device.

247 Machine Cycle The steps performed by the computer processor for each machine language instruction received. The machine cycle is a four-step cycle: fetching (reading) the instruction, decoding (interpreting) it, executing it and then storing the result.

248 Macro virus A macro virus is a computer virus written in the same macro language used for software programs, including Microsoft Excel or word processors such as Microsoft Word. When a macro virus infects a software application, it causes a sequence of actions to begin automatically when the application is opened.

249 Magnetic Ink Character Recognition Code (MICR Code)

Magnetic Ink Character Recognition Code (MICR Code) is a character-recognition technology used mainly by the banking industry to ease the processing and clearance of cheques and other documents.

250 Malware Short for malicious software. Designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.

251 Management Management in businesses and organizations is the function that coordinates the efforts of people to accomplish goals and objectives by using available resources efficiently and effectively.

252 Mandatory Access Control A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf.

253 Man-in-the-middle attack

In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

254 MapReduce MapReduce is a programming model and an associated implementation for processing and generating large data sets with a parallel, distributed algorithm on a cluster. A MapReduce program is composed of a map procedure, which performs filtering and sorting, and a reduce method, which performs a summary operation.

255 Masquerading Masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for.

256 Master Boot Record Virus

Many destructive viruses damage the Master Boot Record and make it impossible to start the computer from the hard disk. Because the code in the Master Boot Record executes before any operating system is started, no operating system can detect or recover from corruption of the Master Boot Record.

257 Matrix organization The matrix organization structure is a combination of two or more types of organization structure, such as the projectized organization structure and the functional organization structure. These two types of organization structures represent the two extreme points of a string, while the matrix organization structure is a balance of these two.

258 Mean time between failures (MTBF)

Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a system during operation. MTBF can be calculated as the arithmetic mean (average) time between failures of a system.

259 Mean Time To Repair (MTTR)

Mean Time To Repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device. Expressed mathematically, it is the total corrective maintenance time for failures divided by the total number of corrective maintenance actions for failures during a given period of time.

260 Media Access Control (MAC) address

Applied to the hardware at the factory and cannot be modified, MAC is a unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or a wireless network card.

261 Memory Unit of computer system that stores data and programs.

262 Microsoft Transaction Server (MTS)

Microsoft Transaction Server is a component-based transaction processing system that allows developers to build, deploy, and administer robust network applications. In being component based, Microsoft Transaction Server (MTS) uses standard COM components to encapsulate business logic that forms applications.

263 Milestone A terminal element that marks the completion of a work package or phase. Typically marked by a high-level event, such as project completion, receipt, endorsement or signing of a previously-defined deliverable or a high level review meeting at which the appropriate level of project completion is determined and agreed to. A milestone is associated with some sort of decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.

264 Mobile banking Mobile banking is a term used to refer to systems that allow customers of a financial institution to conduct different types of financial transactions through a mobile device such as a mobile phone or tablet.

265 Mobile technology Mobile technology is the technology used for cellular communication. Mobile code division multiple access (CDMA) technology has evolved rapidly over the past few years.

266 Multiplexing Multiplexing (sometimes contracted to muxing) is a method by which multiple analog message signals or digital data streams are combined into one signal over a shared medium. The aim is to share an expensive resource.

267 Naive Users Naive Users are unsophisticated users who interact with the system by using permanent application programs (e.g. an automated teller machine).

268 National Electronic Funds Transfer (NEFT)

National Electronic Funds Transfer (NEFT) is one of the most prominent electronic funds transfer systems of India. Started in November 2005, NEFT is a facility provided to bank customers to enable them to transfer inter-bank funds electronically, easily and securely, on a one-to-one basis.

269 National Financial Reporting Authority (NFRA)

National Financial Reporting Authority (NFRA) is an independent regulator established under the Companies Act 2013 to oversee the auditing profession and accounting standards in India, with powers to probe and review audits of companies, including those which have securities listed outside India.

270 Natural language Processing

Natural language processing (NLP) is a field of computer science, artificial intelligence, and computational linguistics concerned with the interactions between computers and human (natural) languages. As such, NLP is related to the area of human–computer interaction.

271 Negative testing Negative testing ensures that your application can gracefully handle invalid input or unexpected user behaviour.

272 Network address translation (NAT)

Network address translation (NAT) is a methodology of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.

273 Network Interface Card (NIC)

A communication card that when inserted into a computer, allows it to communicate with other computers on a network. Most NICs are designed for a particular type of network or protocol.

274 Network Protocol Network protocols are formal standards and policies made up of rules, procedures and formats that define communication between two or more devices over a network. They define rules and conventions for communication.

275 Noise Disturbances in data transmissions, such as static, that cause messages to be misinterpreted by the receiver.

276 Non Disclosure Agreement (NDA)

A legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement. Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements and, in some cases, may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information the seller identifies as confidential, and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another’s businesses solely for the purpose of evaluating the potential business relationship. NDAs can be “mutual,” meaning both parties are restricted in their use of the materials provided, or they can restrict only a single party. It is also possible for an employee to sign an NDA or NDA-like agreement with a company at the time of hiring; in fact, some employment agreements include a clause restricting “confidential information” in general.

277 Non-Functional Requirement

In systems engineering and requirements engineering, a non-functional requirement is a requirement that specifies criteria that can be used to judge the operation of a system, rather than specific behaviours. This should be contrasted with functional requirements that define specific behaviour or functions.

278 NoSQL A NoSQL (originally referring to "non SQL" or "non relational") database provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases.

279 Object An object can be a variable, a data structure, or a function. In the class-based object-oriented programming paradigm, "object" refers to a particular instance of a class where the object can be a combination of variables, functions, and data structures.

280 Object Oriented Software Development (OOSD)

The Object-Oriented Software Development Method (OOSD) includes object-oriented requirements analysis, as well as object-oriented design. OOSD is a practical method of developing a software system which focuses on the objects of a problem throughout development. OOSD's focus on objects early in the development, with attention to generating a useful model, creates a picture of the system that is modifiable, reusable, reliable, and understandable.

281 One Time Password (OTP)

A one-time password (OTP) is a password that is valid for only one login session or transaction, on a computer system or other digital device.

282 Operating System A master control program that runs the computer and acts as a scheduler and traffic controller. The operating system is the first program copied into the computer’s memory after the computer is turned on; it must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spread sheet, email), which also controls access to the devices and is partially responsible for security components and sets the standards for the application programs that run in it.

283 Operational Resilience Operational resilience is a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions.

284 Operational-level agreement (OLA)

An operational-level agreement (OLA) defines the interdependent relationships in support of a service-level agreement (SLA). The agreement describes the responsibilities of each internal support group toward other support groups, including the process and timeframe for delivery of their services.

285 Outsourcing Outsourcing is an arrangement in which one company hires another company to be responsible for a planned or existing activity that is or could be done internally. Outsourcing is a trend that is becoming more common in information technology and other industries for services that have usually been regarded as intrinsic to managing a business.

286 PaaS Platform as a service (PaaS) is a category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application.

287 Parallel testing The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application.

288 Parallel Transmission Parallel Transmission is a method of transmitting multiple binary digits (bits) simultaneously through a communication channel

289 Parity Check A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another. A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item’s bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.
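The following is an added worked example of the parity control described in the entry above; it is not code from the ICAI manual, and every function name in it is my own. It computes an even-parity bit for an 8-bit data item, checks a received codeword, and then measures what fraction of error patterns of a given size the check catches, which shows where the "50 percent" figure comes from: every odd number of flipped bits is detected, every even number slips through, so for arbitrary multi-bit corruption roughly half of all error patterns are caught.

```python
"""Even-parity check on an 8-bit data item (constructed example, not from the manual)."""
from itertools import combinations


def parity_bit(data: int, bits: int = 8) -> int:
    """Even-parity bit for a `bits`-wide data item: 1 when the data has an odd
    number of 1 bits, so that data plus parity always has an even count."""
    return bin(data & ((1 << bits) - 1)).count("1") & 1


def encode(data: int, bits: int = 8) -> int:
    """Append the parity bit as the least significant bit of the codeword."""
    return (data << 1) | parity_bit(data, bits)


def check(codeword: int, bits: int = 8) -> bool:
    """True when the (bits + 1)-wide codeword has an even number of 1 bits,
    i.e. the parity bit agrees with the data and no error is reported."""
    return bin(codeword & ((1 << (bits + 1)) - 1)).count("1") % 2 == 0


def flip(codeword: int, *positions: int) -> int:
    """Simulate transmission or memory errors by inverting the given bit positions."""
    for p in positions:
        codeword ^= 1 << p
    return codeword


def detection_rate(data: int, n_errors: int, bits: int = 8) -> float:
    """Fraction of all possible `n_errors`-bit error patterns on the codeword
    for `data` that the parity check reports as an error."""
    cw = encode(data, bits)
    patterns = list(combinations(range(bits + 1), n_errors))
    detected = sum(1 for p in patterns if not check(flip(cw, *p), bits))
    return detected / len(patterns)


if __name__ == "__main__":
    sample = 0b10110010  # constructed 8-bit data item
    cw = encode(sample)
    print(f"data={sample:08b} parity={parity_bit(sample)} codeword={cw:09b}")
    print("clean codeword passes:", check(cw))
    print("one flipped bit detected:", not check(flip(cw, 3)))
    for n in (1, 2, 3):
        print(f"{n}-bit errors detected: {detection_rate(sample, n):.0%}")
```

Run it and the last three lines show 100%, 0% and 100%: the control is a single-error detector, not a general integrity check, which is why communication links and memory that must catch burst errors pair it with checksums or error-correcting codes rather than relying on parity alone.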

290 Password Policy A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training.

291 Patch Management An area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk. Patch management tasks include: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required.

292 PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

293 Penetration test A live test of the effectiveness of security defenses through mimicking the actions of real life attackers. Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually.

294 Performance testing Comparing the system’s performance to other equivalent systems, using well-defined benchmarks. Performance testing is the process of determining the speed, responsiveness and stability of a computer, network, software program or device under a workload. Performance testing can involve quantitative tests done in a lab, or occur in the production environment in limited scenarios.

295 Personal Identification Number (PIN)

A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer (EFT) system.

296 Personally identifiable information (PII)

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

297 Phishing This is a type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.


298 Photoelectric sensor A photoelectric sensor, or photo eye, is a device used to detect the distance, absence, or presence of an object by using a light transmitter, often infrared, and a photoelectric receiver.

299 Piggybacking Piggybacking means to ride over something. One form is a physical security breach in which an unauthorized person follows an authorized individual to enter a secured premise. Another form would be gaining access to a restricted communications channel by using the session already established by another user.

300 Ping of death On the Internet, ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol.

301 Phreakers Those who crack security, most frequently phone and other communication networks.

302 Pluggable authentication module (PAM)

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

303 Point of sale (POS) Enable the capture of data at the time and place of transaction. POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.

304 Polymorphic virus A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.

305 Port In computer networking, a port serves as an endpoint in an operating system for many types of communication. It is not a hardware device, but a logical construct that identifies a service or process.


306 Port Scan A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides.

307 Positive Acknowledgment with Re-Transmission (PAR)

Positive Acknowledgment with Re-Transmission (PAR) is a method used by TCP to verify receipt of transmitted data. PAR operates by re-transmitting data at an established period of time until the receiving host acknowledges receipt of the data.

308 Positive testing Positive testing is a testing technique to show that a product or application under test does what it is supposed to do. Positive testing verifies how the application behaves for the positive set of data.

309 Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

310 PRINCE PRINCE2 (an acronym for Projects IN Controlled Environments) is a de facto process-based method for effective project management. Used extensively by the UK Government, PRINCE2 is also widely recognised and used in the private sector, both in the UK and internationally.

311 Process Flow Diagram (PFD)

Process Flow Diagrams (PFDs) are a graphical way of describing a process, its constituent tasks, and their sequence. In the context of software engineering, both Data Flow Diagrams (DFD) and Flowcharts are used in describing, step by step, the path of a process or data. Both diagrams are used to make it easier to understand the way a process is taking place or data is being processed.

312 Production Environment

Production environment is a term used mostly by developers to describe the setting where software and other products are actually put into operation for their intended uses by end users. A production environment can be thought of as a real-time setting where programs are run and hardware setups are installed and relied on for organization or commercial daily operations.


313 Program Coding Language

A programming language is a formal constructed language designed to communicate instructions to a machine, particularly a computer. Programming languages can be used to create programs to control the behaviour of a machine or to express algorithms.

314 Program Coding Standards

Coding standards are a set of guidelines for a specific programming language that recommend programming style, practices and methods for each aspect of a program written in that language.

315 Program Evaluation and Review Technique (PERT)

A project management technique used in the planning and control of system projects. The program evaluation and review technique is a statistical tool used in project management, which was designed to analyze and represent the tasks involved in completing a given project. Using the technique helps project planners identify start and end dates, as well as interim required tasks and their timelines.

316 Program Management Program management or programme management is the process of managing several related projects, often with the intention of improving an organization's performance. In practice and in its aims it is often closely related to systems engineering and industrial engineering.

317 Programmer A programmer, computer programmer, developer, or coder is a person who codes computer software as per specifications. The term computer programmer can refer to a specialist in one area of computer programming or to a generalist who writes code for many kinds of software.

318 Project Initiation The project initiation phase is the critical phase within the project life-cycle. It is also called the project pre-planning phase and about stating the basic characteristics of the project. It is at this point where the opportunity or reason for the project is identified and a project is developed to take advantage of that opportunity.

319 Project Management Body of Knowledge (PMBOK Guide)

Project Management Body of Knowledge (PMBOK Guide) is a book which presents a set of processes, best practices, standard terminology and guidelines (a body of knowledge) for project management.

320 Project management methodologies

A methodology is a model which project managers employ for the design, planning, implementation and achievement of their project objectives. There are different project management methodologies to benefit different projects.

321 Project Planning The Project Planning Phase is the second phase in the project life cycle. It involves creating of a set of plans to help guide your team through the execution and closure phases of the project.

322 Project Sponsor A senior management role that typically involves approving or supporting the allocation of resources for a venture, defining its goals and assessing the venture's eventual success. Furthermore, a project sponsor might also advocate for the project to be adopted with other members of senior management within the business.

323 Projectized organization

In projectized organizations, organizations arrange their activities into programs or portfolios, and implement them through the projects. Here, the project manager is in charge of his project, and he has full authority over it. Everyone in his team reports to him.

324 PROLOG PROLOG is a general purpose logic programming language associated with artificial intelligence and computational linguistics. PROLOG has its roots in first-order logic, a formal logic, and unlike many other programming languages, PROLOG is declarative: the program logic is expressed in terms of relations, represented as facts and rules. A computation is initiated by running a query over these relations.

325 Prototyping Model The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback. Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advice and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.

326 Public key infrastructure (PKI)

A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued.

327 Qualitative Qualitative descriptions or distinctions are based on some quality or characteristic rather than on some quantity or measured value.


328 Quality assurance (QA)

A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements (ISO/IEC 24765).

329 Quality Management The act of overseeing all activities and tasks needed to maintain a desired level of excellence. This includes creating and implementing quality planning and assurance, as well as quality control and quality improvement.

330 Quantitative The term quantitative refers to a type of information or data that is based on quantities obtained using a quantifiable measurement process. In contrast, qualitative information records qualities that are descriptive, subjective or difficult to measure.

331 Query A query is a set of instructions that describes what data to retrieve from a given data source (or sources) and what shape and organization the returned data should have. A query is distinct from the results that it produces.

332 RACI chart A RACI chart is a matrix of all the activities or decision making authorities undertaken in an organisation set against all the people or roles. At each intersection of activity and role it is possible to assign somebody responsible, accountable, consulted or informed for that activity or decision.

333 Random-access memory (RAM)

The computer’s primary working memory. Each byte of RAM can be accessed randomly regardless of adjacent bytes.

334 Rapid application development (RAD)

Rapid application development (RAD) is a software development methodology that uses minimal planning in favour of rapid prototyping. A prototype is a working model that is functionally equivalent to a component of the product.

335 Read-only memory (ROM)

Read-only memory (ROM) is a class of storage medium used in computers and other electronic devices. Data stored in ROM can only be modified slowly, with difficulty, or not at all.

336 Reconnaissance Reconnaissance is a mission to obtain information by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy, or about the meteorologic, hydrographic, or geographic characteristics of a particular area.

337 Recovery testing A test to check the system’s ability to recover after a software or hardware failure.

338 Registers A register is a small amount of storage available as part of a digital processor, such as a central processing unit (CPU). Such registers are typically addressed by mechanisms other than main memory and can be accessed faster.

339 Registration Authority (RA)

The individual or institution that validates an entity’s proof of identity and ownership of a key pair.

340 Regression testing A testing technique used to retest earlier program amendments or logical errors that occurred during the initial testing phase.

341 Relational database management system (RDBMS)

A database that stores data in a structured format, using rows and columns making it easy to locate and access specific values within the database. It is "relational" because the values within each table are related to one another through unique key fields facilitating access across multiple tables.

342 Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

343 Remote Method Invocation (Java RMI)

Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.

344 Remote procedure call (RPC)

The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server). The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.

345 Re-performance Re-performance is the auditor's independent execution of procedures or controls that were originally performed as part of the entity's internal control, either manually or through the use of CAATs (computer-assisted audit techniques).

346 Request for proposal (RFP)

A document distributed to software vendors, requesting them to submit a proposal to develop or provide a software product.

347 Resource management

Resource management is the efficient and effective deployment and allocation of an organization's resources when and where they are needed. Such resources may include financial resources, inventory, human skills, production resources, or information technology. Resource optimisation is one of the major objectives of IT governance and is intrinsically connected to resource management.

348 Resource optimization

Resource optimization is the set of processes and methods to match the available resources (human, machinery, financial) with the needs of the organization in order to achieve established goals.

349 Reverse engineering A software engineering technique whereby existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology.

350 Reverse Address Resolution Protocol (RARP)

The Reverse Address Resolution Protocol (RARP) is a computer networking protocol used by a client computer to request its Internet Protocol (IPv4) address from a computer network, when all it has available is its Link Layer or hardware address, such as a MAC address.

351 Risk The combination of the probability of an event and its consequence (ISO/IEC 73). Risk is potential of losing something of value. Values (such as physical health, social status, emotional well being or financial wealth) can be gained or lost when taking risk resulting from a given action, activity and/or inaction, foreseen or unforeseen.


352 Risk acceptance Risk acceptance is a risk response technique employed when the risk cannot be avoided or mitigated, or the organization decides to accept the risk and its consequences.

353 Risk and Insurance Management Society, Inc. (RIMS)

The Risk and Insurance Management Society, Inc. (RIMS) is a professional association dedicated to advancing the practice of risk management. It was founded in 1950, and is headquartered in Manhattan. It publishes the industry-focused Risk Management magazine.

354 Risk appetite Risk appetite is a core consideration in an enterprise risk management approach. Risk appetite can be defined as the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.

355 Risk assessment A process used to identify and evaluate risk and its potential effects. It includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce the organization’s exposure and evaluating the cost of such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

356 Risk mitigation Risk mitigation is defined as taking steps to reduce adverse effects. It is an action, consciously taken by management, to counteract, in advance, the effects on the business of risk events materializing. The risk mitigation strategy forms part of the business continuity and disaster recovery project plan, where organizations develop strategies to accept, avoid, reduce, or transfer risks related to potential business disruptions.

357 Risk Optimization Risk Optimization is a dynamic process related to a risk, to minimize the negative and to maximize the positive consequences and their respective probabilities.

358 Risk response Risk response is the process of developing strategic options, and determining actions, to enhance opportunities and reduce threats to the project's objectives. A project team member is assigned to take responsibility for each risk response.

359 Risk tolerance Risk tolerance is an important component in investing. An individual should have a realistic understanding of his or her ability and willingness to stomach large swings in the value of his or her investments. Investors who take on too much risk may panic and sell at the wrong time.

360 Risk transfer Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another. One example is the purchase of an insurance policy, by which a specific risk of loss is passed from the policyholder to the insurer.

361 Robotics Robotics is the branch of mechanical engineering, electrical engineering and computer science that deals with the design, construction, operation, and application of robots, as well as computer systems for their control, sensory feedback, and information processing.

362 Router A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source address, destination address, protocol and network application (ports).

363 Routing diversity Routing diversity is generally defined as the communications routing between two points over more than one geographic or physical path with no common points.

364 RSAREF RSAREF (RSA Reference) is a free, portable software developer's library of popular encryption and authentication algorithms. RSA Laboratories intends RSAREF to serve as a free, educational reference implementation of modern public-key and secret-key cryptography.

365 SaaS Software as a service (or SaaS) is a way of delivering applications over the Internet—as a service. Instead of installing and maintaining software, you simply access it via the Internet, freeing yourself from complex software and hardware management. SaaS applications are sometimes called Web-based software, on-demand software, or hosted software.

366 SAN (Storage Area Network)

SAN (storage area network) is a high-speed network of storage devices that also connects those storage devices with servers. It provides block-level storage that can be accessed by the applications running on any networked servers.

367 Sarbanes–Oxley Act (SOX)

The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and the "Corporate and Auditing Accountability and Responsibility Act" (in the House), and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. The sections of the bill cover responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.

368 Scope creep Also called requirement creep; this refers to uncontrolled changes in a project’s scope. Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one’s tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.

369 Script A small non-compiled program written for a scripting language or command interpreter.

370 Security Awareness Training

Security awareness training is a formal process for educating employees about computer security.

371 Security testing Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or allow misuse of the system or its information.

372 Segregation of Duties (SOD)

A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets. Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.

373 Serial Transmission Serial transmission is the process of sending data one bit at a time, sequentially, over a communication channel or computer bus.

374 Server Hardening Server Hardening is the process of enhancing server security through a variety of means which results in a much more secure server operating environment.

375 Secure Socket Layer (SSL)

A protocol that is used to transmit private documents through the Internet. The SSL protocol uses a private key to encrypt the data that is to be transferred through the SSL connection. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP.

376 Service-level agreement (SLA)

A service-level agreement (SLA) is a part of a service contract where a service is formally defined. Particular aspects of the service - scope, quality, responsibilities - are agreed between the service provider and the service user. A common feature of an SLA is a contracted delivery time (of the service or performance).

377 Session Hijacking In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system.

378 SIEM (Security Information & Event Management)

Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.

379 Simple Object Access Protocol (SOAP)

A platform-independent formatted protocol based on extensible markup language (XML) enabling applications to communicate with each other over the Internet. Use of SOAP may provide a significant security risk to web application operations since use of SOAP piggybacks onto a web-based document object model and is transmitted via Hypertext Transfer Protocol (HTTP) (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 File Transfer Protocol (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP but, by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client.

380 Simplex Simplex communication is a communication channel that sends information in one direction only.

381 Single Point of Failure A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working.

382 Single sign-on (SSO) Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in with a single ID to gain access to connected systems without being prompted for different usernames or passwords, or in some configurations seamlessly sign on at each system.

383 SMART Objectives SMART is a mnemonic acronym, giving criteria to guide the setting of objectives. Objectives should be: Specific – target a specific area for improvement. Measurable – quantify or at least suggest an indicator of progress. Assignable – specify who will do it. Realistic – state what results can realistically be achieved, given available resources. Time-related – specify when the result(s) can be achieved.

384 Snapshot technique The snapshot technique involves having software take "pictures" of a transaction as it flows through an application system. Typically auditors embed the software in the application system at those points where they deem material processing occurs.

385 Social Engineering Social engineering is a non-technical method of intrusion used by attackers. It relies heavily on human interaction and often involves tricking people into breaking normal security procedures, or psychologically manipulating them into performing actions or divulging confidential information.

386 Social responsibility Social responsibility is an ethical framework which suggests that an entity, be it an organization or individual, has an obligation to act for the benefit of society at large. Social responsibility is a duty every individual has to perform so as to maintain a balance between the economy and the ecosystems.

387 Socket A socket is an endpoint for communication between two programs running on the network. A socket is bound to a port number so that the TCP layer can identify the application that data is destined to be sent to. An endpoint is a combination of an IP address and a port number.

388 Software Software, in its most general sense, is a set of instructions or programs instructing a computer to do specific tasks. Software is a generic term used to describe computer programs. Scripts, applications, programs and a set of instructions are all terms often used to describe software.

389 Software Asset Management

Software asset management (SAM) is a business practice that involves managing and optimizing the purchase, deployment, monitoring, maintenance, utilization, and disposal of software assets within an organization.

390 Software license A software license is a legal instrument (usually by way of contract law, with or without printed material) governing the use or redistribution of software. It typically provides end users with the right to one or more copies of the software without violating copyrights.

391 Sophisticated Users Sophisticated Users interact with the system without writing programs. They form requests by writing queries in a database query language. These are submitted to a query processor that breaks a DML statement down into instructions for the database manager module.

392 Source Code Source code is a human-readable text written in a specific programming language. The goal of the source code is to set exact rules and specifications for the computer that can be translated into machine's language. Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into machine language.

393 Source lines of code (SLOC)

Source lines of code (SLOC), also known as lines of code (LOC), is a software metric used to measure the size of a computer program by counting the number of lines in the text of the program's source code. SLOC is typically used to predict the amount of effort that will be required to develop a program, as well as to estimate programming productivity or maintainability once the software is produced.

394 Specialised audit software

Specialised audit software is software written in a procedure-oriented or problem-oriented language to fulfil a specific set of audit tasks. The software might have extensive functionality, but it is developed for specific audit users to achieve specific audit goals.

395 Specialized Users Specialized Users are sophisticated users writing special database application programs. These may be CADD systems, knowledge-based and expert systems, complex data systems (audio/video), etc.

396 Spiral Model The spiral model is a risk-driven process model generator for software projects. Based on the unique risk patterns of a given project, the spiral model guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping.


397 Spoofing attack In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.

398 Spyware Software whose purpose is to monitor a computer user’s actions (e.g., websites they visit) and report these actions to a third party, without the informed consent of that machine’s owner or legitimate user. A particularly malicious form of spyware is software that monitors keystrokes to obtain passwords or otherwise gathers sensitive information, such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer’s operation for the benefit of a third party.

399 SQL (Structured Query Language)

The primary language used by both application programmers and end users in accessing relational databases.

400 SQL Engine A program which converts SQL statements into machine language.

401 SQL Injection SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

402 Stakeholders Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.

403 Static testing In software development, static testing, also called dry run testing, is a form of software testing where the actual program or application is not used. Instead this testing method requires programmers to manually read their own code to find any errors.

404 Statutory liquidity ratio (SLR)

Statutory liquidity ratio (SLR) is the Indian government term for reserve requirement that the commercial banks in India require to maintain in the form of gold, government approved securities etc. before providing credit to the customers.

405 Stealth virus A stealth virus is complex malware that hides itself after infecting a computer. Once hidden, it copies information from uninfected data onto itself and relays this to antivirus software during a scan. This makes it a difficult type of virus to detect and delete.

406 Steering committee A steering committee is a group of high-level advisors who have been asked to govern an organization or organizational segment and provide it with direction.

407 Strategic Information Systems Planning (SISP)

Strategic Information Systems Planning (SISP) is an important activity for helping organization to identify strategic applications and to align an organization’s strategy with effective information systems to achieve organization’s objectives.

408 Strategic Score Card The Strategic Scorecard was developed in 2004 by CIMA, in collaboration with the Professional Accountants in Business Committee (PAIB) of the International Federation of Accountants (IFAC). The scorecard aims to help boards of any organisation engage effectively in the strategic process.

409 Stress testing Stress testing is a software testing activity that determines the stability, reliability and error handling capabilities of software by testing beyond the limits of normal operation. It is done to make sure that the system would not crash under crunch situations.

410 Structured Financial Messaging System (SFMS)

Structured Financial Messaging System (SFMS) is a secure messaging standard developed to serve as a platform for intra-bank and inter-bank applications.

411 Substantive testing Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

412 Symmetric cryptography

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of cipher text. The keys may be identical or there may be a simple transformation to go between the two keys.

413 Syntax Syntax is the set of rules, principles, and processes that govern the structure of sentences in a given language, including word order.

414 System Landscape A system landscape is the layout of the servers that make up a system, that is, the architecture of those servers.


415 System Software A collection of computer programs used in the design, processing and control of all applications. In its ambit are the programs and processing routines that control the computer hardware, including the operating system and utility programs.

416 System testing Testing conducted on a complete, integrated system to evaluate the system’s compliance with its specified requirements. System test procedures typically are performed by the system maintenance staff in their development library.

417 Systems analyst A systems analyst is a person who uses analysis and design techniques to solve business problems using information technology. Systems analysts may serve as change agents who identify the organizational improvements needed, design systems to implement those changes, and train and motivate others to use the systems.

418 Systems development life cycle (SDLC)

The phases deployed in the development or acquisition of a software system. SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of the SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post implementation review.

419 Systems Development Methodology (SDM)

A system development methodology refers to the framework that is used to structure, plan, and control the process of developing an information system. A wide variety of such frameworks have evolved over the years, each with its own recognized strengths and weaknesses.

420 TCP Wrapper TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or sub-network IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.

421 Technical Feasibility Technical feasibility is a process to help organizations determine whether the technical resources meet capacity and whether the technical team is capable of converting the ideas into working systems. Technical feasibility also involves the evaluation of the hardware, software, and other technical requirements of the proposed system.

422 Technology Specialist Technology specialist applies technical expertise to the implementation, monitoring, or maintenance of IT systems. Specialists typically focus on a specific computer network, database, or systems administration function.

423 Teeming and lading fraud

Teeming and lading is a bookkeeping fraud also known as short banking, delayed accounting and lapping. It involves the allocation of one customer's payment to another in order to make the books balance; often to hide a shortfall or theft.

424 Terminal Access Controller Access-Control System (TACACS)

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a family of related protocols handling remote authentication and related services for networked access control through a centralized server.

425 Test Data Generator Test Data Generator is any tool which creates random and/or large quantities of data for testing purposes.

426 The Video Privacy Protection Act (VPPA)

The USA Video Privacy Protection Act (VPPA) 1988 regulates the disclosure of information about consumers' consumption of video content, imposing prescriptive requirements to obtain consumers' consent to such disclosure.

427 Topology The physical layout of how computers and other network devices are linked together. Topologies may define both physical and logical aspects of the network.

428 Topology - Bus Bus topology is a network type in which every computer and network device is connected to a single main cable through drop lines.

429 Topology - Mesh It is a point-to-point connection to other nodes or devices. Traffic is carried only between two devices or nodes to which it is connected. Mesh has n*(n-2)/2 physical channels to link devices.

430 Topology - Ring Ring topology forms a ring, as each device is connected to the two devices on either side of it. Each device has two dedicated point-to-point links, one to each of its neighbours, with the last device connected to the first, so that every device has exactly two neighbours.

431 Topology - Star In star topology all the computers are connected to a single hub through a cable. This hub is the central node and all other nodes are connected to it. Star topology does not allow direct communication between devices; a device must communicate through the hub.

432 Training simulation A program that allows the user to observe an operation through simulation without actually performing that operation. A training simulation is a virtual medium through which various types of skills can be acquired. Training simulations can be used in a wide variety of genres; however, they are most commonly used in corporate situations to improve business awareness and management skills.

433 Trojan horse Purposefully hidden malicious or damaging code within legitimate code (software). Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive to a single computer.

434 Unified Modeling Language (UML)

The Unified Modeling Language (UML) is a general-purpose modeling language in the field of software engineering, which is designed to provide a standard way to visualize the design of a system.

435 Uninterruptible power supply (UPS)

An uninterruptible power supply, UPS is an electrical apparatus that provides emergency power to a load when the input power source, typically mains power, fails. A UPS differs from an auxiliary or emergency power system or standby generator in that it will provide near-instantaneous protection from input power interruptions, by supplying energy stored in batteries, super capacitors, or flywheels.

436 Unit testing A testing technique that is used to test program logic within a particular program or module. The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design.

437 User Acceptance Testing (UAT)

Testing of the software by the user or client to determine whether it can be accepted. It is the final stage of testing, performed after functional, system and regression testing are complete. Its main purpose is to validate the software against the business requirements, so it is carried out by end users who are familiar with those requirements.

438 Virtual Memory Virtual memory is a memory management capability of an operating system (OS) that uses hardware and software to allow a computer to compensate for physical memory shortages by temporarily transferring data from random access memory (RAM) to disk storage. It maps memory addresses used by a program, called virtual addresses, into physical addresses in computer memory.

439 Virtual private network (VPN)

A virtual private network (VPN) is a method for extending a private network across a public network such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus to benefit from the functionality, security and management policies of the private network. A VPN normally authenticates the peers and encrypts traffic while it crosses the public network; it does not by itself protect the endpoints at either end of the tunnel.

440 Virtualization Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources.

441 Virus A program with the ability to reproduce by modifying other programs to include a copy of itself. A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network.

442 Voice over IP (VoIP) Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines.

443 Vulnerability assessment

A vulnerability is a weakness that allows an attacker to reduce a system's information assurance. A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system, typically with automated scanners followed by manual validation. Unlike a penetration test, it reports weaknesses without attempting to exploit them.

444 Vulnerability management

Vulnerability management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities, especially in software and firmware. It is integral to computer and network security: a one-off assessment finds weaknesses, whereas the management cycle tracks each one until it is fixed or a compensating control is in place.
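Entries 443 and 444 describe assessment as quantifying and ranking findings, and management as a cycle that tracks each finding to closure. The Python block below is an added example and is not part of the ICAI manual: it ranks a constructed set of findings by a risk score that weights CVSS base severity with asset criticality and network exposure, and then moves each finding through a small identified/classified/mitigated/remediated life cycle that refuses invalid transitions. The finding identifiers, asset names, scores and the risk formula are illustrative assumptions, not real advisories or an official scoring scheme.

```python
"""Added example (not from the ICAI glossary): ranking vulnerability findings
and tracking them through a management cycle. All findings are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    IDENTIFIED = "identified"
    CLASSIFIED = "classified"
    MITIGATED = "mitigated"    # compensating control in place, root cause remains
    REMEDIATED = "remediated"  # patched or otherwise fixed; cycle closed


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss_base: float          # 0.0 - 10.0 base severity from the scanner
    asset_criticality: int    # 1 (low) - 3 (high), from the asset inventory
    exposed: bool             # reachable from an untrusted network
    state: State = State.IDENTIFIED
    history: list = field(default_factory=list)


def risk_score(f: Finding) -> float:
    """Quantify: severity weighted by business context and exposure (assumed formula)."""
    exposure = 1.5 if f.exposed else 1.0
    return round(f.cvss_base * f.asset_criticality * exposure, 2)


def classify(f: Finding) -> str:
    """Map the score to a tier; thresholds are illustrative."""
    score = risk_score(f)
    if score >= 25:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritize(findings):
    """Rank highest risk first; ties broken by id so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))


# Allowed moves in the management cycle: a finding must be classified before
# it is worked, and a remediated finding is closed.
ALLOWED = {
    State.IDENTIFIED: {State.CLASSIFIED},
    State.CLASSIFIED: {State.MITIGATED, State.REMEDIATED},
    State.MITIGATED: {State.REMEDIATED},
    State.REMEDIATED: set(),
}


def can_transition(f: Finding, new_state: State) -> bool:
    return new_state in ALLOWED[f.state]


def transition(f: Finding, new_state: State) -> Finding:
    if not can_transition(f, new_state):
        raise ValueError(f"{f.finding_id}: {f.state.value} -> {new_state.value} not allowed")
    f.history.append((f.state, new_state))
    f.state = new_state
    return f


def open_findings(findings):
    """Everything not yet remediated still needs tracking."""
    return [f for f in findings if f.state is not State.REMEDIATED]


def sample_findings():
    """Constructed data: same CVSS on different assets ranks very differently."""
    return [
        Finding("F-001", "payroll-db", 9.8, 3, False),
        Finding("F-002", "public-web", 7.5, 2, True),
        Finding("F-003", "dev-wiki", 9.8, 1, False),
        Finding("F-004", "public-web", 5.3, 2, True),
    ]


if __name__ == "__main__":
    fs = sample_findings()
    for f in prioritize(fs):
        print(f.finding_id, f.asset, risk_score(f), classify(f))
```

Note that F-003 carries the same CVSS score as F-001 but ranks last because it sits on a low-criticality internal asset; a report sorted on CVSS alone would put it second, which is the point of the "prioritizing" step in entry 443.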

445 War dialing War dialing is a technique that uses a modem to automatically dial a list of telephone numbers, usually every number in a local area code, to find computers, bulletin board systems and fax machines that answer. Auditors care about it because a modem that answers on an ordinary phone line can give access that bypasses the organisation's network perimeter.

446 Waterfall Model The waterfall model is a sequential design process, used in software development, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of conception, initiation, analysis, design, construction, testing, production/implementation and maintenance.

447 Web Services Description Language (WSDL)

WSDL is an XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information. The operations and messages are described abstractly, and then bound to a concrete network protocol and message format to define an endpoint.
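The entry above separates the abstract part of a WSDL document (port types, operations, messages) from the concrete part (binding and endpoint). The Python block below is an added example, not taken from the manual or from any WSDL toolkit: it embeds a constructed WSDL 1.1 document for a hypothetical ledger service and parses it with the standard library, pulling out the abstract operations, the SOAPAction bound to each operation, and the concrete endpoint addresses, then flags any endpoint advertised over plain http. The service name, namespace and URLs are invented.

```python
"""Added example (not from the ICAI glossary): parsing a constructed WSDL 1.1
document into its abstract operations and concrete endpoints."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
NS = {"wsdl": WSDL_NS, "soap": SOAP_NS}

# Constructed sample: a hypothetical ledger service (names and URLs invented).
SAMPLE_WSDL = """
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.com/ledger"
    targetNamespace="http://example.com/ledger" name="LedgerService">
  <message name="GetBalanceRequest"><part name="accountId" type="xsd:string"/></message>
  <message name="GetBalanceResponse"><part name="balance" type="xsd:decimal"/></message>
  <portType name="LedgerPortType">
    <operation name="GetBalance">
      <input message="tns:GetBalanceRequest"/>
      <output message="tns:GetBalanceResponse"/>
    </operation>
    <operation name="PostJournal">
      <input message="tns:PostJournalRequest"/>
      <output message="tns:PostJournalResponse"/>
    </operation>
  </portType>
  <binding name="LedgerBinding" type="tns:LedgerPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:ledger:GetBalance"/></operation>
    <operation name="PostJournal"><soap:operation soapAction="urn:ledger:PostJournal"/></operation>
  </binding>
  <service name="LedgerService">
    <port name="LedgerPort" binding="tns:LedgerBinding">
      <soap:address location="http://ledger.example.com/soap"/>
    </port>
  </service>
</definitions>
"""


def parse_wsdl(text: str) -> dict:
    """Return the abstract operations, bound SOAPActions and concrete endpoints."""
    # A WSDL fetched from a remote server is untrusted XML; refuse DTDs so
    # entity expansion attacks are not even attempted by the parser.
    if "<!DOCTYPE" in text:
        raise ValueError("DTD present; refusing to parse untrusted WSDL with entities")
    root = ET.fromstring(text)
    if root.tag != f"{{{WSDL_NS}}}definitions":
        raise ValueError("not a WSDL 1.1 document")

    operations = {}  # abstract part: portType/operation -> messages
    for pt in root.findall("wsdl:portType", NS):
        for op in pt.findall("wsdl:operation", NS):
            inp = op.find("wsdl:input", NS)
            out = op.find("wsdl:output", NS)
            operations[op.get("name")] = {
                "portType": pt.get("name"),
                "input": inp.get("message") if inp is not None else None,
                "output": out.get("message") if out is not None else None,
            }

    soap_actions = {}  # concrete part: binding/operation -> SOAPAction
    for b in root.findall("wsdl:binding", NS):
        for op in b.findall("wsdl:operation", NS):
            so = op.find("soap:operation", NS)
            soap_actions[op.get("name")] = so.get("soapAction") if so is not None else None

    endpoints = []  # concrete part: service/port -> address
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            endpoints.append({
                "service": svc.get("name"),
                "port": port.get("name"),
                "binding": port.get("binding"),
                "location": addr.get("location") if addr is not None else None,
            })
    return {"operations": operations, "soapActions": soap_actions, "endpoints": endpoints}


def insecure_endpoints(parsed: dict) -> list:
    """Locations that are not served over https (an audit finding in its own right)."""
    return [e["location"] for e in parsed["endpoints"]
            if e["location"] and not e["location"].lower().startswith("https://")]


if __name__ == "__main__":
    d = parse_wsdl(SAMPLE_WSDL)
    print(sorted(d["operations"]), d["soapActions"], insecure_endpoints(d))
```

The DTD check is a blunt but honest guard; for production code that ingests WSDL from arbitrary servers, a hardened parser such as defusedxml is the usual choice.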

448 White-box testing White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality.
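Entries 436 (Unit testing) and 448 (White-box testing) both describe deriving test cases from a program's internal control structure rather than from its external behaviour. The Python block below is an added example and is not part of the ICAI manual: a small path-validation routine whose decision points are labelled, a table of test cases chosen so that each labelled branch is exercised, and a runner that reports both failing cases and branches the cases never reached. The function safe_join, the branch labels and the base directory /srv/data are illustrative assumptions.

```python
"""Added example (not from the ICAI glossary): structural (white-box) unit
tests for a small, security-relevant routine. Branch labels are illustrative."""
import posixpath

BRANCHES_HIT = set()  # which labelled branches the test run has exercised
ALL_BRANCHES = {"B1-empty", "B2-absolute", "B3-nul", "B4-traversal", "B5-ok"}


def _hit(label: str) -> None:
    BRANCHES_HIT.add(label)


def safe_join(base_dir: str, user_path: str) -> str:
    """Join an untrusted relative path under base_dir, refusing any escape.
    base_dir is assumed to be an absolute directory other than '/'."""
    if not user_path:
        _hit("B1-empty")
        raise ValueError("empty path")
    if user_path.startswith("/"):
        _hit("B2-absolute")
        raise ValueError("absolute path not allowed")
    if "\x00" in user_path:
        _hit("B3-nul")
        raise ValueError("NUL byte in path")
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, user_path))
    # normpath collapses '..' so an escape shows up as a prefix mismatch
    if joined != base and not joined.startswith(base + "/"):
        _hit("B4-traversal")
        raise ValueError("path escapes base directory")
    _hit("B5-ok")
    return joined


# Test table designed from the control structure: one case per branch, plus a
# case where '..' appears but the result still stays inside the base.
TEST_CASES = [
    ("", ValueError),                       # B1
    ("/etc/passwd", ValueError),            # B2
    ("a\x00b", ValueError),                 # B3
    ("../../etc/passwd", ValueError),       # B4
    ("reports/q1.pdf", "/srv/data/reports/q1.pdf"),   # B5
    ("reports/../q1.pdf", "/srv/data/q1.pdf"),        # B5, '..' but contained
]


def rejects(base_dir: str, user_path: str) -> bool:
    """True if safe_join refuses the path."""
    try:
        safe_join(base_dir, user_path)
        return False
    except ValueError:
        return True


def run_unit_tests(base_dir: str = "/srv/data"):
    """Execute the table; return (passed, failed, uncovered branch labels)."""
    BRANCHES_HIT.clear()
    passed = failed = 0
    for user_path, expected in TEST_CASES:
        try:
            ok = safe_join(base_dir, user_path) == expected
        except ValueError:
            ok = expected is ValueError
        if ok:
            passed += 1
        else:
            failed += 1
    return passed, failed, sorted(ALL_BRANCHES - BRANCHES_HIT)


if __name__ == "__main__":
    print(run_unit_tests())
```

The uncovered-branch list is what distinguishes this from black-box testing: if a new check is added to safe_join without a matching row in TEST_CASES, the run still passes but the label shows up as unreached.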

449 Wi-Fi Wireless networking technology that uses radio waves to provide high-speed internet and local network connections.

450 Work breakdown structure (WBS)

A work breakdown structure (WBS), in project management and systems engineering, is a deliverable-oriented decomposition of a project into smaller components. A work breakdown structure is a key project deliverable that organizes the team's work into manageable sections.

451 Work package (WP) In project management, a work package (WP) is a subset of a project that can be assigned to a specific party for execution.

452 Worm A computer worm is a standalone malware program that replicates itself in order to spread to other computers. It usually spreads over a computer network, relying on security weaknesses in the target computer to gain access. Unlike a computer virus, it does not need to attach itself to an existing program.

453 XBRL XBRL (eXtensible Business Reporting Language) is a freely available, global standard for exchanging business information. XBRL allows the semantic meaning commonly required in business reporting to be expressed in machine-readable form.