itmac notes by nowsherwan adil niazi.pdf

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL Society Publishers Arranged by Nowsherwan Adil Niazi

Post on 26-Dec-2015


Page 1: ITMAC Notes by Nowsherwan Adil Niazi.pdf

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

Society Publishers

Arranged by Nowsherwan Adil Niazi


Contents

THE INFORMATION SYSTEMS FUNCTION ORGANIZATIONAL ISSUES ... 10
  IS/IT DIRECTORS ... 10
  IS/IT STEERING COMMITTEE ... 10
  FUNCTIONS OF STEERING COMMITTEE ... 11
  POLICIES ... 12
  PROCEDURES ... 13
  OPERATIONS CONTROL ... 13
  INFORMATION CENTRE ... 13
  ROLES PERFORMED BY INFORMATION CENTRES (ICs) ... 14
  CENTRALIZATION ... 16
  DECENTRALIZATION ... 16
  ACCOUNTING ISSUES ... 17
    1. IT as a Corporate Overhead ... 18
    2. IT charged at cost ... 18
    3. IT charged at market ... 18
  ESTABLISHING IT DEPARTMENT AS A SEPARATE COMPANY ... 19
  LEGACY DATA MANAGEMENT ... 19
  OUTSOURCING ... 20
  TYPES OF OUTSOURCING ... 20
  LEVEL OF SERVICE PROVISION ... 21
  ORGANIZATION INVOLVED IN OUTSOURCING ... 21
  CATEGORIES OF CONSULTING ACTIVITIES ... 22
  DEVELOPMENTS IN OUTSOURCING ... 23
  MANAGEMENT OF OUTSOURCING ARRANGEMENT ... 23
  SERVICE LEVEL AGREEMENT ... 24
  ADVANTAGES OF OUTSOURCING ... 25
  DISADVANTAGES OF OUTSOURCING ... 25
  BUSINESS RISKS FROM OUTSOURCING ... 26
  TERMINATION POLICIES ... 27
  LOGGING SYSTEM ... 27

INTRODUCTION TO STRATEGY & INFORMATION STRATEGIES ... 29
  CHARACTERISTICS OF STRATEGIC DECISIONS ... 29
  STRATEGY ... 29


  STRATEGIC PLANNING ... 30
  Guidelines on when Strategic Planning should be done ... 31
  Guidelines for Preparing the Strategic Plan ... 31
  Purpose of the Information System Strategy Planning ... 32
  GENERAL LEVELS OF STRATEGY ... 32
  STRATEGIC PLANNING COMPONENTS ... 35
  ELEMENTS OF AN IT STRATEGY ... 35
  CONSIDERATIONS FOR DEVELOPING IT STRATEGY ... 36
  A DATABASE APPROACH IS CALLED FOR WHEN ... 37
  COMPONENTS OF INFORMATION SYSTEM STRATEGY PLAN ... 37
  STRATEGIC SYSTEMS ... 38
  IMPACT OF IS/IT ON ORGANIZATION ... 41
  WHY HAVE AN IS/IT STRATEGY ... 43
  INFORMATION SYSTEM PLAN ... 43
  METHODOLOGIES AND FRAMEWORKS for establishing the information requirements of an organization ... 43
  EARL’S THREE LEG ANALYSIS ... 43
  ENTERPRISE ANALYSIS ... 44
  CRITICAL SUCCESS FACTORS ... 45
  PARSON’S SIX INFORMATION SYSTEMS STRATEGIES ... 47
  STRATEGIC MANAGEMENT ... 48
  THE POLITICAL AND LEGAL ENVIRONMENT ... 50
  THE ECONOMIC ENVIRONMENT ... 51
  THE SOCIAL AND CULTURAL ENVIRONMENT ... 52
  DEMOGRAPHIC FACTORS ARE ... 52
  FUTUROLOGY ... 53
  DEVELOPING AN INFORMATION TECHNOLOGY PLAN ... 53
  PHASES INVOLVED IN ESTABLISHING THE IT PLAN ... 53
  IT PLAN ... 55
  KEY STAGES IN DEVELOPING AN INFORMATION STRATEGY PLANNING PROCESS ... 55
  MANAGING CHANGES TO AN INFORMATION STRATEGY ... 58

E-BUSINESS MODELS AND E-BUSINESS PRODUCTS ... 59
  E-COMMERCE ... 59
  BUSINESS TO CONSUMER (B-C) E-COMMERCE ... 59
  BUSINESS TO BUSINESS (B-B) E-COMMERCE ... 60


  BUSINESS TO EMPLOYEE (B-E) E-COMMERCE ... 60
  CONSUMER TO CONSUMER (C-C) E-COMMERCE ... 60
  GOVERNMENT TO CITIZEN (G-C) E-COMMERCE ... 61
  SECURE SOCKETS LAYER (SSL) ... 61
  DIGITAL SIGNATURE ... 62
  STEPS ON GETTING ON THE INTERNET ... 62
  ELECTRONIC PAYMENT METHOD ... 63

THE INFORMATION SYSTEMS DEVELOPMENT PROCESS ... 64
  INFORMATION SYSTEM ACQUISITION ... 64
  TURNKEY SYSTEMS ... 64
  LEGACY SYSTEM ... 65
  SYSTEM DEVELOPMENT LIFECYCLES ... 66
  THE WATERFALL MODEL ... 66
  THE SPIRAL MODEL ... 67
  STRUCTURED SYSTEM ANALYSIS & DEVELOPMENT METHODOLOGY (SSADM) ... 67
  THE STAGES OF SSADM ... 68
  ADVANTAGES OF SSADM ... 68
  DISADVANTAGES OF SSADM ... 69
  PROTOTYPING ... 69
  STRUCTURED WALKTHROUGHS ... 70
  SIGNING OFF WORK ... 70
  JOINT APPLICATION DEVELOPMENT ... 70
  RAPID APPLICATION DEVELOPMENT ... 71
  COMPUTER AIDED SOFTWARE ENGINEERING TOOLS (CASE) ... 71
  UPPER CASE TOOLS (ANALYSTS’ WORK BENCHES) ... 72
  LOWER CASE TOOLS (PROGRAMMERS’ WORK BENCHES) ... 72
  ADVANTAGES OF USING CASE TOOLS ... 72

QUALITY ASSURANCE AND TESTING ... 73
  QUALITY ASSURANCE ... 73
  APPROACHES TO QUALITY ... 74
  THE COST OF QUALITY ... 75
  QUALITY ASSURANCE TEAM ... 75
  TOTAL QUALITY MANAGEMENT (TQM) ... 76
  STAGES OF TESTING ... 77
  TESTING SYSTEM LOGIC ... 77


  PROGRAM TESTING ... 77
  SYSTEM TESTING ... 78
  USER ACCEPTANCE TESTING ... 78
  METHODS OF TESTING ... 79
    (A) STATIC ANALYSIS TEST ... 79
    (B) DYNAMIC ANALYSIS TEST ... 79
  OPERATION AND MAINTENANCE TEST ... 80
  COMPUTER AIDED SOFTWARE TESTING (CAST) ... 80
  BETA VERSION ... 81
  LIMITATIONS OF SOFTWARE TESTING ... 81

POST IMPLEMENTATION ISSUES ... 82
  THE POST IMPLEMENTATION REVIEW REPORT ... 82
  THE CAUSES OF SYSTEM MAINTENANCE ... 82
  COMPONENTS OF A FORMAL SYSTEM CHANGE PROCEDURE ... 83
  IN-HOUSE MAINTENANCE ... 83
  OFF THE SHELF SOFTWARE MAINTENANCE ... 84
  MAINTENANCE CONTRACTS ... 84
  HARDWARE MAINTENANCE ... 84
  END-USER DEVELOPMENT ... 85
  USER GROUPS ... 85
  COST BENEFIT REVIEW ... 86
  EFFICIENCY ... 86
  EFFECTIVENESS ... 86
  METRICS ... 87
  COMPUTER BASED MONITORING ... 87
  INDIRECT MEASURES TO EVALUATE SYSTEM PERFORMANCE ... 89
  PERFORMANCE REVIEWS ... 89
  COMPUTER SYSTEMS EFFICIENCY AUDITS ... 90

ORGANIZING THE IT FUNCTION ... 92
  INVITATION TO TENDER (ITT) ... 92
  FINANCING METHODS ... 93
  EVALUATION OF SUPPLIER PROPOSALS ... 93
  BENCHMARK TESTS ... 94
  SIMULATION TESTS ... 94
  INFORMATION SYSTEM MANAGER AS LIAISON ... 95


SUPPLY CHAIN MANAGEMENT & ENTERPRISE RESOURCE PLANNING ... 96
  SUPPLY CHAIN MANAGEMENT ... 96
  STRATEGIC GROWTH OPPORTUNITIES FOR SUCCESSFUL GROWTH COMPANIES ... 96
  PRE-REQUISITES FOR GROWTH ... 97
  MANAGEMENT CONCERNS IN SCM ... 98
  ENTERPRISE RESOURCE PLANNING (ERP) ... 99
  FEATURES OF ERP ... 99
  COMPONENTS OF ERP ... 100
  BUSINESS PROCESS RE-ENGINEERING ... 100
  SELECTION OF ERP ... 101
  IMPLEMENTATION OF ERP ... 101
  BENEFITS OF ERP ... 103
  WHY DOES ERP MATTER FOR A CA ... 103

CUSTOMER RELATIONSHIP MANAGEMENT & ... 105
  CUSTOMER RELATIONSHIP MANAGEMENT ... 105
  BENEFITS OF CRM ... 105
  CONSIDERATIONS FOR SELECTION OF CRM SOLUTION ... 106
  CUSTOMER RELATIONSHIP MANAGEMENT (CRM) ... 107
  BENEFITS OF CRM Tools ... 107
  BENEFITS FOR SMALL COMPANIES ... 108
  COLLABORATION SOLUTIONS ... 108
  SALES FORCE AUTOMATION ... 109
  BENEFITS OF SALES AUTOMATION SYSTEM ... 110
  PRE-REQUISITES FOR SELECTING AND IMPLEMENTING SFA ... 111
  OTHER BENEFITS INCLUDE ... 111

COBIT ... 112
  Control Objectives for Information and Related Technology ... 112
  Benefits of implementing COBIT as a Governance Framework over IT ... 113
  IT Governance Maturity Model ... 113

IFAC – IT GUIDELINE ... 114
  MANAGING SECURITY OF INFORMATION ... 114
  PLANNING IT PLANNING FOR BUSINESS IMPACT ... 115
  ACQUISITION OF INFORMATION TECHNOLOGY ... 115
  THE IMPLEMENTATION OF IT ... 116
  IT SERVICE DELIVERY AND SUPPORT ... 117


  IT MONITORING ... 119
  WEB TRUST ... 119
  Summary of IFAC Guidelines ... 121

Management Operations & Controls ... 123
  CONTROLS: STRUCTURE, ASSESSMENT & MONITORING ... 123
  CONTROL STRUCTURE ... 124
  RISK ASSESSMENT ... 126
  MONITORING CONTROL SYSTEM ... 127
  APPLICATION CONTROLS ... 127
  CODES ... 127
  INPUT CONTROL ... 128
  INSTRUCTION INPUT ... 129
  INSTRUCTION INPUT ... 130
  REPORT PROGRAM EXECUTION CONTROLS ... 132
  STORAGE CONTROLS ... 132
  REPORT DESIGN CONTROLS ... 132
  PROCESSING CONTROL ... 133

Effective Management of IS ... 134
  OPERATIONS MANAGEMENT CONTROL ... 134
  DOCUMENTING & PROGRAM LIBRARY FUNCTIONS ... 135
  IS Organization Structure and Responsibilities ... 135
  Line Management Structure ... 136
  Functional Areas in Information Processing Environment ... 137
  Security Administrator’s Functions ... 137
  Data Entry ... 138
  Tasks Performed in Data Entry ... 138
  Duties of System Administrator ... 138
  Data Security ... 138
  Processing Controls ... 139
  Database Administration ... 139
  DBA’s Roles ... 139
  IS Dept. Exercises Control over Database Administration Through ... 140
  Reviewing Documentation in Review of IT Planning / Strategy ... 140
  Interviewing and Observing Personnel ... 141
  Examples of IS Vision and Mission Statements ... 141


  Indicators of Potential Problems at IPE ... 142

CRITICAL CHARACTERISTICS OF INFORMATION ... 143
  INFORMATION SECURITY POLICY, STANDARDS & PRACTICES ... 144
  COMPUTER CRIME ISSUES AND EXPOSURES ... 145
  INTRUDERS OF COMPUTER CRIMES ... 145
  PHYSICAL EXPOSURE AND CONTROLS ... 146
  PHYSICAL ACCESS EXPOSURES AND CONTROL ... 147
  AREAS TO BE COVERED FOR PHYSICAL ACCESS CONTROL ... 148
  LOGICAL ACCESS CONTROLS ... 149
  LOGICAL THREATS ... 149
  VIRUSES ... 149
  TROJANS ... 150
  WORMS ... 150
  TRAP DOOR ... 150
  LOGIC BOMBS ... 150
  TIME BOMBS ... 150
  SPAM ... 150
  SNIFFERS ... 151
  SPOOFING ... 151
  NON BLIND SPOOFING ... 151
  MAN IN THE MIDDLE ATTACK ... 151
  ROUNDING DOWN (SALAMI TECHNIQUE) ... 152
  LOGICAL ACCESS CONTROL SOFTWARE ... 152
  Identification and Authentication (Internal Audit System) ... 152
  SECURITY BYPASS FEATURES ... 153
  NETWORK INFRASTRUCTURE SECURITY ... 153
  II. LAN (Client Server) Security ... 153
    i. Passive attacks ... 154
    ii. Active attacks ... 154
  SUBVERSIVE THREATS – can be active or passive ... 155
  IDS (INTRUSION DETECTION SYSTEM) ... 155
  HR Termination Policies ... 156
  SECURITY PROGRAMME ... 156
  DISASTER RECOVERY PLAN ... 157
  BACKUP OPTIONS ... 159


  BUSINESS CONTINUITY PLANNING (BCP) ... 160

NETWORK INFRASTRUCTURE SECURITY ... 162
  TCP/IP: THE LANGUAGE OF THE INTERNET ... 162
  NETWORK ... 163
  APPLICATION SERVICE PROVIDER (ASP) ... 164
  IP SPOOFING ... 165
  DENIAL OF SERVICE ... 165
  DESTRUCTIVE BEHAVIOUR ... 166
  ROUTER ... 167
  BRIDGE ... 167
  HUBS AND SWITCHES ... 167
  DEMILITARIZED ZONE (DMZ) ... 167
  CRYPTO CAPABLE ROUTERS ... 168
  VIRTUAL PRIVATE NETWORKS (VPN) ... 168
  NETWORK INFRASTRUCTURE SECURITY CHECKLIST ... 168
  FIREWALLS ... 169
  FIREWALL ISSUES ... 170

DATABASE AND DATA RESOURCE MANAGEMENT ... 171
  MANAGEMENT OF DATA ... 171
  TASKS OF DATA ADMINISTRATOR ... 171
  TASKS OF DATABASE ADMINISTRATOR ... 172
  DATA ADMINISTRATOR ... 172
  DATABASE MANAGEMENT ... 173
  RECOVERY STRATEGY ... 173
  GRANDFATHER, FATHER, SON BACKUP & RECOVERY STRATEGY ... 174
  DUMPING ... 174
  LOGGING ... 174
  RESIDUAL DUMPING ... 174
  DIFFERENTIAL FILE/SHADOW PAGING BACKUP AND RECOVERY STRATEGY ... 174
  MAJOR TYPES OF DATABASE ... 175
  UPDATE AND REPORT PROTOCOLS ... 175
  DEADLOCK ... 176
  POTENTIAL BENEFITS OF THE DATABASE APPROACH ... 176

COMPUTER AUDITING ... 178
  INTERNAL AUDIT ... 178


  RESPONSIBILITIES OF AN INTERNAL AUDITOR ... 178
  TYPES OF INTERNAL AUDITING WORK ... 178
  WORKING PAPERS PACKAGES ... 179
  TYPES OF SOFTWARE WHICH THE AUDITOR COULD USE WITH A MICROCOMPUTER AS AN AID TO AUDIT WORK ... 179
  USE OF MICROCOMPUTER AS AN AUDIT AID ... 179
  CONTROLS WHICH MUST BE IN PLACE OVER A MICROCOMPUTER USED IN AN AUDIT ... 180
  CONTROLS OVER MASTER FILE AND THE STANDING DATA CONTAINED THEREIN ... 180
  COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS) ... 180
  BENEFITS OF USING CAATS ... 181
  TEST PACK ... 181
  EMBEDDED AUDIT FACILITIES ... 182
  AUDIT SOFTWARE ... 183
  OTHER TYPES OF CAATS ... 184
  CONTROLS IN ONLINE AND REAL TIME SYSTEMS ... 184
  CONTROLS IN DATABASE SYSTEM (DBMS) ... 185
  BUREAUX AND SOFTWARE HOUSES ... 186
  REASONS FOR USING BUREAU ... 186
  ADVANTAGES OF BUREAU ... 187
  DISADVANTAGES OF BUREAU ... 187
  Summary of the main control procedures over in-house development ... 188


CHAPTER 01

THE INFORMATION SYSTEMS FUNCTION: ORGANIZATIONAL ISSUES

IS/IT DIRECTORS

At the head of the IS/IT function will be either the IS/IT manager or the IS/IT director. This person will be responsible for:

i) IS/IT Strategy Development:

The IS/IT strategy must complement the overall strategy of the organization. The strategy must also be achievable given budgetary constraints. Returns on investments in IS/IT should be monitored.

ii) IS/IT Risk Management:

This is a wide-ranging area including legal risks, such as ensuring compliance with relevant data protection legislation, and ensuring adequate IS/IT security measures and disaster recovery arrangements.

iii) Steering Committee:

The IS/IT director should play a key role in a steering committee set up to oversee the role of IS/IT within the organization.

iv) IS/IT Infrastructure:

Standards should be set for the purchase and use of hardware and software within the organization.

v) Ensuring employees have the IS/IT support and tools they require:

Efficient lines of communication are required between IS/IT staff and the rest of the organization. Technical assistance should be easily obtainable.

IS/IT STEERING COMMITTEE

The general purpose of the IS/IT steering committee is to make decisions relating to the future use and development of IS/IT by the organization. An organization's senior management should appoint a planning or steering committee to oversee information systems department activities. The planning or steering committee should contain representatives from all departments of the organization. Membership should include representatives from senior management, the information systems department and user department management.

A high level steering committee for IT is a mechanism to ensure that the IS department is in harmony with the corporate mission and objectives. It is highly desirable that a member of the BOD who understands the risks and issues should be responsible for IT and should chair this committee.

The committee's duties and responsibilities should be defined in a formal charter. Members should know IS department policies, practices and procedures. Each member should have the authority to make decisions within the group for his/her respective areas.

Common TASKS of such a committee could include:

a) Ensuring IS/IT activities comply with the IS/IT strategy.

b) Ensuring IS/IT activities complement the overall organizational strategy.

c) Ensuring resources committed to IS/IT are used effectively.

d) Monitoring IS/IT projects.

e) Providing leadership and guidance on IS/IT.

FUNCTIONS OF STEERING COMMITTEE

i) Review the long and short range plans of the IS division to ensure that they are in accordance with the corporate objectives.

ii) Review and approve major acquisitions of hardware and software within limits approved by the BOD.

iii) Approve and monitor major projects, establish priorities, approve standards and procedures and monitor overall IS performance.

iv) Provide liaison between the IS department and the user departments.

v) Approve and monitor major projects, the status of IS plans and annual budgets.

vi) Review the adequacy of resources and the allocation of resources in terms of time, personnel and equipment.

vii) Make decisions regarding centralization versus decentralization and the assignment of responsibility.

viii) Review and approve plans for the outsourcing of selected or all IS activities. The committee should monitor performance and institute appropriate action to achieve the desired results. Formal minutes of the IS steering committee meetings should be maintained to document the committee's activities and decisions and to inform the BOD of IS activities.

Committee members should be chosen with the aim of ensuring the committee contains the wide range of technical and business knowledge required. The committee should liaise closely with those affected by the decisions it will make.

POLICIES

Policies are high level documents. They represent the corporate philosophy of an organization. To be effective they must be clear and concise. Management must create a positive control environment by assuming responsibility for formulating, developing, documenting, promulgating and controlling policies covering general goals and directives.

In addition to corporate policies that set the tone for the organization as a whole, individual divisions and departments should define lower level policies. These would apply to the employees and operations of these units and would focus at the operational level.

A top-down approach to the development of lower level policies, in which they are derived from corporate policies, is desirable, as it ensures consistency across the organization. However, some organizations begin by defining operational level policies as immediate priorities. These companies view this as the more cost effective approach, since these policies are often derived and implemented as the result of risk assessment. This is a bottom-up approach, wherein corporate policies are a subsequent development and a synthesis of existing operational policies.

Management should review all policies. Policies need to be updated to reflect significant changes within the organization or department.


PROCEDURES

Procedures are detailed documents. They must be derived from the parent policy and must implement the spirit (intent) of the policy statement. Procedures must be written in a clear and unambiguous manner so that they may be easily and properly understood by all who will be governed by them.

Procedures are generally more dynamic than their respective parent policies. They must reflect the regular changes in business focus and environment. Hence, frequent reviews and updates of procedures are essential if they are to remain relevant. An auditor will find a divergence between practice and precept in organizations that neglect the review process.

An independent review is necessary to ensure that policies and procedures have been properly understood and executed. The reviewer should maintain independence at all times and not be influenced by anyone in the group being reviewed. Evidence of the review should provide a level of confidence that the work was performed in compliance with established policies and procedures.

OPERATIONS CONTROL

Operations control is concerned with ensuring IS/IT systems are working and available to users. Key tasks include:

a) Maintaining the IS/IT infrastructure.

b) Monitoring network usage and managing network resources.

c) Keeping employees informed, e.g. advance warning of service interruptions.

d) Virus protection measures, e.g. ensuring anti-virus software updates are loaded.

e) Fault fixing.

INFORMATION CENTRE

An information centre (IC) is a small unit of staff with a good technical awareness of computer systems, whose task is to provide a support function to computer users within the organization. Information centres, sometimes referred to as support centres, are particularly useful in organizations which use distributed systems and so are likely to have hardware, data and software scattered throughout the organization. The IC provides a centralized source of support and co-ordination.


ROLES PERFORMED BY INFORMATION CENTRES (ICs)

The IC's help desk ensures that staff time is spent on customer service rather than on IT problems:

a) It has sufficient staff and technical expertise to respond quickly to problems with hardware or software. It maintains good contacts and relationships with suppliers to ensure that they fulfil their maintenance obligations and that their maintenance staff are quickly on site when needed.

b) It maintains a record of problems and identifies those that occur most often. If the problem is that users do not know how to use the system, training is provided. If the problem is with the system itself, a solution is found either by modifying the system or by investment in appropriate hardware or software.

c) It considers the viability of suggestions for improvements to the system and brings these into effect, where possible, for all users who stand to benefit.

The IC sets, and encourages users to conform to, common standards:

a) Hardware standards ensure that all of the equipment used in the organization is compatible and can be put into use in different departments as needed. The recent upgrade of the marketing department's old Apple Mac computers to IBM compatible Pentium PCs is an example of this.

b) Software standards ensure the information generated by one department can easily be shared with and worked upon by other departments.

c) Programming standards ensure that applications developed by individuals to help them perform their jobs (e.g. word processing macros and spreadsheets for data analysis) follow best practice, are easy to modify, and are replicated to others in the organization where this is of benefit.

d) Data processing standards ensure that conventions such as the format of file names are followed throughout the organization. This facilitates the sharing, storage and retrieval of information by as many users as possible.


The IC helps to preserve the security of data:

a) It has developed a utility program and recommended procedures for company-wide use, to ensure that back-ups are made at regular intervals. Second copies of back-up files are stored off site, and this system of archiving is operated and maintained by the IC.

b) The IC helps to protect the company's system from attack by computer viruses. The latest versions of anti-virus software are available to all users. Users are regularly reminded about the dangers of viruses, and IC staff give training in the use of anti-virus software.

The IC can improve its services in a number of ways:

a) Training software can be developed or purchased and made available over the network from a central server. Training applications often contain analysis software, drawing attention to trainee progress and common problems (e.g. a typing tutor), and the availability of such information will enable the IC to identify and address specific training needs more closely.

b) Help could be made available directly through users' computers, using an e-mail system for queries and responses. Common problems and their solutions can be posted on a bulletin board for all to read. The network will speed up the process of sorting out problems and sharing knowledge.

c) Remote diagnostic software is available which enables staff in the IC to take control of a computer whose user is having a problem and sort out the problem for them without leaving their desk, in the same way that they would if they paid the user a visit. It will speed up the problem-solving process.

d) The IC can take responsibility for protecting the system against possible abuses now that it is linked to the internet. Anti-virus measures will become even more important in this environment, but network software should make it easier for the IC to control the problem centrally.

e) The internet link will also make control over access an important issue. The IC can set up and operate firewalls, which disable part of the communications technology that normally allows two-way traffic: internal users can go out into the global net to retrieve information, but external parties are denied access to sensitive parts of the company's system.


CENTRALIZATION

A centralized IS/IT department involves all IS/IT staff and functions being based at a single central location, such as head office.

Advantages:

a) Assuming centralized processing is used, there is only one set of files. Everyone uses the same data and information.

b) It gives better security / control over data and files. It is easier to enforce standards.

c) Head office is in a better position to know what is going on.

d) There may be economies of scale available in purchasing computer equipment and supplies.

e) Computer staff are in a single location, more expert staff are likely to be employed, and career paths may be more clearly defined.

Disadvantages:

a) Local offices might have to wait for IS/IT services and assistance.

b) Reliance on head office: local offices are less self-sufficient.

c) A system fault at head office will impact across the organization.

DECENTRALIZATION

A decentralized IS/IT department involves IS/IT staff and functions being spread out throughout the organization.

Advantages:

a) Each office can introduce an information system specially tailored for its specific needs. Local changes in business requirements can be taken into account.

b) Each office is more self-sufficient.

c) Offices are likely to have quicker access to IS/IT support / advice.

d) A decentralized structure is more likely to facilitate accurate IS/IT cost / overhead allocations.

Disadvantages:

a) Control may be more difficult: different and uncoordinated information systems may be introduced.

b) Self-sufficiency may encourage a lack of coordination between departments.

c) Increased risk of data duplication, with different offices holding the same data on their own separate files.

ACCOUNTING ISSUES

Providing and maintaining information systems to deliver good quality information involves significant expenditure. There are three broad possibilities when accounting for costs related to information systems.

a) IS costs are treated as administrative overhead.

b) IS costs are charged out at cost.

c) IS costs are charged out at market rates.

The costs incurred are:

CAPITAL COST

Hardware purchase.

Cabling.

System installation.

REVENUE COST (ONE-OFF)

System development cost (programmer and analyst fees, testing cost, conversion cost).

Initial training cost.

Any redundancy cost attributable to the new system.

REVENUE COST (ONGOING)

IS/IT staff cost.

Communication and transmission cost.

Power.

Maintenance and support.

Ongoing costs, e.g. paper, printer ink, floppy disks, CDs.

1. IT as a Corporate Overhead

This implies that all the expenses on IT should be borne by the head office. No cost allocation.

Advantages:

No complexity in calculation.

Encourages innovation, because no one is being charged.

Good relations between IT and user departments.

Disadvantages:

No cost control.

Inefficiency.

Substandard services to user departments, because no one will complain about inefficient working / systems.

No true performance picture.

2. IT charged at cost

IT cost is allocated to each user department on the basis of the services received by each.

Advantages:

Realistic.

Efficiency.

Good services to user departments.

True performance picture.

Disadvantages:

Finding a cost unit, whether per page, per data entry or per print.

No good relations.

Inefficiency may be passed on, e.g. pages wasted by the IS department may be claimed as test pages.

3. IT charged at market rates

The IS department charges for its services to the other user departments at market rates. (This charging is actually on the books, not in reality.)

Advantages:

Profit centre.

High standard services, because they are being provided at market rates.

Cost cutting.

Efficiency.

Disadvantages:

Administrative hassles.

No comparable services.

ESTABLISHING THE IT DEPARTMENT AS A SEPARATE COMPANY

Treats it as an outside vendor.

Advantages:

More skills, because outsiders may also be hired for different services.

The IT department becomes a profit centre.

Better career path for IT people.

Employees are retained.

Disadvantages:

Administrative hassles.

Focus is lost (earlier the IT department was developing applications for the bank only, but now also for other businesses). No priority for the parent company.

LEGACY DATA MANAGEMENT

"LDM involves identifying and converting historical information (paper-based and archaic document formats) to current electronic standards."

Legacy data management (LDM) is the process and methodologies developed to maintain, track, store and use the large volumes of data generated by businesses in a cost-effective manner. Each new system had its own proprietary data formats, and thus integration of the various systems became an expensive and difficult aspect of implementing computer technology. LDM can help companies do this effectively and efficiently.

Advantages:

Cost savings.

Occupies less storage space.

Enhanced data consistency.

Increased data availability.

Minimal data loss.

Improved responsiveness.

Implementing LDM involves:

Performing a system needs analysis.

Performing a cost benefit analysis.

Developing a conversion plan.


OUTSOURCING

Outsourcing is the contracting out of specified operations or services to an external vendor.

There are various outsourcing options available, with different levels of control maintained "in-house". Outsourcing has advantages (e.g. use of highly skilled people) and disadvantages (e.g. lack of control). Outsourcing is a contractual agreement whereby an organization hands over control of part or all of the functions of the information systems department to an external party. The organization pays a fee and the contractor delivers a level of service that is defined in a contractually-binding service level agreement. The contractor provides the resources and expertise required to perform the agreed service. Outsourcing is becoming increasingly important in many organizations. The IS auditor must be aware of the various forms outsourcing can take and the associated risks. The objective of outsourcing is to achieve lasting, meaningful improvement in IS, through corporate restructuring to take advantage of a vendor's core competencies.

Reasons for Embarking on Outsourcing:

A desire to focus on core activities.

Pressure on profit margins.

Increasing competition that demands cost savings.

Flexibility with respect to both organization and structure.

TYPES OF OUTSOURCING

There are four broad classifications of outsourcing:

1. AD-HOC: The organization has a short-term requirement for increased IS/IT skills. An example would be employing programmers on a short-term contract to help with the programming of bespoke software.

2. PROJECT MANAGEMENT: The development and management of a new system is outsourced. For example, a new accounting system. This approach is sometimes referred to as system integration.

3. PARTIAL: Some IT/IS services are outsourced. Examples include hardware management.


4. TOTAL: An external supplier provides the vast majority of an organization's IT/IS services, e.g. a third party owns or is responsible for IT equipment, software and staff.

LEVEL OF SERVICE PROVISION

The degree to which the provision and management of IS/IT services are transferred to the third party varies according to the situation and skills of both organizations.

a. TIME-SHARE: The vendor charges for access to an external processing system on a time-used basis. Software ownership may be with either the vendor or the client organization.

b. SERVICE BUREAUS USUALLY FOCUS ON A SPECIFIC FUNCTION: Traditionally bureaus would provide the same type of service to many organizations, e.g. payroll processing. As organizations have developed their own IT infrastructure, the use of bureaus has decreased.

c. FACILITIES MANAGEMENT (FM): Facilities management involves an outside agency managing the organization's IS/IT facilities. All equipment usually remains with the client, but the responsibility for providing and managing the specified services rests with the FM company.

Facilities management traditionally involved contracts for premises-related services such as cleaning or site security.

ORGANIZATIONS INVOLVED IN OUTSOURCING

Facilities management companies.

Software houses.

Consultancy firms.

Hardware manufacturers and suppliers.

SOFTWARE HOUSES:

Software houses concentrate on the provision of software services. These include: feasibility studies, systems analysis and design, development of OS software, provision of application program packages, tailor-made application programming, specialist systems advice and so on. For example, a software house might be employed to write a computerized system for the London Stock Exchange.

CONSULTANCY FIRMS:

Some consultancy firms work at a fairly high level, giving advice to management on the general approach to solving problems and on the types of system to use. Others specialize in giving more particular systems advice, carrying out feasibility studies and recommending computer manufacturers / software. When a consultancy firm is used, the terms of the contract should be agreed at the outset.

The use of consultancy services enables management to learn directly or indirectly from the experience of others. Many large consultancies are owned by big international accountancy firms; smaller consultancies may consist of one- or two-person outfits with a high level of specialist experience in one area.

HARDWARE MANUFACTURERS AND SUPPLIERS:

Computer manufacturers or their designated suppliers will provide the equipment necessary for a system. They will also provide, under a maintenance contract, engineers who will deal with any routine servicing and with any breakdown of the equipment.

CATEGORIES OF CONSULTING ACTIVITIES

a) Strategic studies, involving the development of a business strategy or an IS strategy for an organization.

b) Specialist studies, where the consultant provides a high level of expertise in one area, e.g. enterprise resource management software.

c) Project management, involving supervision of internal and external parties in the completion of a particular project.

d) Body-shopping, where the necessary staff for a project, including consultants, project managers, systems analysts and programmers, are identified.

e) Recruitment, involving the supply of permanent or temporary staff.


DEVELOPMENTS IN OUTSOURCING

a) Multiple sourcing.

b) Incremental approach.

c) Joint-venture sourcing.

d) Application Service Provider (ASP).

ASPs are third parties that manage and distribute software services and solutions to customers across a wide area network.

MANAGEMENT OF OUTSOURCING ARRANGEMENTS

Managing outsourcing arrangements involves deciding what will be outsourced, choosing and negotiating with suppliers and managing the supplier relationship.

When considering whether to outsource a particular service the following questions are relevant.

a) Is the system of strategic importance? Strategic IS are generally not suited to outsourcing, as they require a high degree of specific business knowledge that a third party IT specialist cannot be expected to possess.

b) Can the system be isolated? Relatively isolated functions that have only limited interfaces are most easily outsourced, e.g. payroll.

c) Do we know enough about the system to manage the outsourced service agreement? If an organization knows very little about a technology it may be difficult to know what constitutes good service. It may be necessary to recruit additional expertise to manage the relationship with the other party.

d) Are our requirements likely to change? Organizations should avoid tying themselves into long-term outsourcing agreements if requirements are likely to change.

THIRD PARTY SERVICES:

• Data entry (mainly airlines follow this route).

• Design and development of new systems, when the in-house staff do not have the requisite skills or are otherwise occupied in higher priority tasks.

• Maintenance of existing applications, to free in-house staff to develop new applications.


• Conversion of legacy applications to new platforms, e.g. a specialist company may web-enable an old application.

• Operating the help desk or the call centre.

SERVICE LEVEL AGREEMENT

The contract provides the framework for the relationship between the organization and the service provider. A key factor when choosing and negotiating with external vendors is the contract offered and subsequently negotiated with the supplier. The contract is sometimes referred to as the service level contract (SLC) or service level agreement (SLA).

KEY ELEMENTS OF THE CONTRACT

i) Time scale:

When does the contract expire? Is the timescale suitable for the organization's needs or should it be negotiated?

ii) Service level:

The contract should clearly specify the minimum levels of service to be provided. Penalties should be specified for failure to meet those standards. Relevant factors will vary depending on the nature of the services outsourced but could include:

Response time to requests for assistance / information.

System uptime percentage.

Deadlines for performing relevant tasks.

iii) Exit routes:

Arrangements for an exit route, addressing how a transfer to another supplier, or the move back in house, would be conducted.

iv) Software ownership:

Relevant factors include:

Software licensing and security.

If the arrangement includes the development of new software, who owns the copyright?

v) Dependencies:

If related services are outsourced, the level of service quality agreed should group these activities together.


vi) Employment Issues:

If the arrangement includes provision for the organization's IT staff to move to the third party, employer responsibilities must be specified clearly.

ADVANTAGES OF OUTSOURCING

a) Outsourcing can remove uncertainty about cost, as there is often a long-term contract where services are specified in advance for a fixed price. If computing services are inefficient, the costs will be borne by the FM company. This is also an incentive to the third party to provide a high quality service.

b) Long-term contracts encourage planning for the future.

c) Outsourcing can bring the benefits of economies of scale, e.g. the FM company may conduct research into new technologies that benefits a number of clients.

d) A specialist organization is able to retain skills and knowledge. Many organizations would not have a sufficiently well-developed IT department to offer IT staff opportunities for career development. Talented staff would leave to pursue their careers elsewhere.

e) New skills and knowledge become available: a specialist company can share staff with specific expertise between several clients. This allows the outsourcing company to take advantage of new developments without the need to recruit new people or re-train existing staff, and without the cost.

f) Flexibility: resources may be able to be scaled up or down depending upon demand. For instance, during a major changeover from one system to another the number of IT staff needed may be twice as large as it will be once the new system is working satisfactorily.

An outsourcing organization is more able to arrange its work on a project basis, whereby some staff will expect to move periodically from one project to the next.

DISADVANTAGES OF OUTSOURCING

a) It is arguable that information and its provision is an integral part of the business and of management. Unlike office cleaning or catering, an organization's IT services may be too important to be contracted out. Information is at the heart of the organization.


b) A company may have highly confidential information, and to let outsiders handle it could be seen as risky in commercial and/or legal terms.

c) If a third party is handling IS/IT services there is no onus upon internal management to keep up with new developments or to suggest new ideas. Consequently, opportunities to gain competitive advantage may be missed. Any new technology or application devised by the third party is likely to be available to competitors.

d) An organization may find itself locked in to an unsatisfactory contract or an unsatisfactory level of service. The decision may be very difficult to reverse. If the service provider supplies unsatisfactory levels of service, the effort and expense the organization would incur to rebuild its own computing function or to move to another provider could be substantial.

e) The use of an outside organization does not encourage awareness of the potential costs and benefits of IS/IT within the organization. If managers cannot manage in-house IS/IT resources effectively, then it could be argued that they will not be able to manage an arrangement to outsource effectively either.

Other summarized disadvantages:

Costs exceeding customer expectations.

Loss of internal IS experience.

Loss of control over IS.

Vendor failure.

Limited product access.

Difficulty in reversing or changing outsourced arrangements.

BUSINESS RISKS FROM OUTSOURCING

Hidden costs.

Contract terms not being met.

Service costs not being competitive over the period of the entire contract.

Obsolescence of vendor IT systems.

Balance of power residing with the vendor.


Ways in which such risks can be reduced are:

Establishing measurable, partnership-enacted, shared goals and rewards.
Using multiple suppliers, or withholding a piece of business as an incentive.
Forming a cross-functional contract management team.
Contract performance reviews and benchmarking/bench trending.
Implementing short-term contracts.
Addressing data ownership in the contract.

TERMINATION POLICIES

Written termination policies should be established to provide clearly defined steps
for employee separation. It is important that policies be structured to provide adequate
protection for the organization's computer assets and data. Termination practices
should address both voluntary terminations and involuntary (immediate) terminations.

In all cases, however, the following control procedures should be applied:

Return of all access keys, ID cards and badges to prevent easy physical access.

Deletion of assigned logon IDs and passwords to prohibit system access.

Notification to other staff and facilities security to increase awareness of the

terminated employee’s status.

Arrangement of the final pay routines to remove the employee from active

payroll files.

Performance of a termination interview to gather insight on the employee’s

perception of management.

Return of all company property.

LOGGING SYSTEM

The information systems department should implement comprehensive logging
systems. These will include manual as well as automated logs. Logs allow managers
to monitor work and compare actual performance with the usual averages. They can
also serve as early warning systems for serious errors. An effective IS department
should have various logs that individuals examine regularly and take appropriate
action on when necessary.


Examples:

i) Data entry staff should keep full details of each batch of work, with its
duration and errors.
ii) Computer operators should maintain logs of all batch jobs and the time
taken to complete them.
iii) Backups and off-site storage of data should be logged.
iv) Any problems in the hardware or software infrastructure should be entered
in daily logs.
v) Software application systems may generate their own logs of errors.
vi) A security subsystem could maintain detailed logs of who did what and
when, and also of any attempted security violations.
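The early-warning use of logs described above, as an added example that is not part of the original notes: a Python script that reads a constructed computer-operator batch log (example ii) and a constructed security-subsystem log (example vi), flags the latest run of a batch job that is far above its usual average, flags repeated failed logons within a short window, and lists every write to a named sensitive file. The log formats, the sample lines, the thresholds (three standard deviations or 10% above the usual average; three failures in five minutes) and the file name payroll.dat are all assumptions chosen for illustration, not the notes' or any product's own format.

```python
# Added example (not from the original notes): early-warning checks over a
# constructed batch-job log and a constructed security-subsystem log. Formats,
# sample lines, thresholds and the file name payroll.dat are assumptions.
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed computer-operator batch log: date, job name, seconds taken.
BATCH_LOG = """\
2024-03-01 NIGHTLY_POST 610
2024-03-02 NIGHTLY_POST 595
2024-03-03 NIGHTLY_POST 630
2024-03-04 NIGHTLY_POST 605
2024-03-05 NIGHTLY_POST 1540
2024-03-04 PAYROLL_RUN 120
2024-03-05 PAYROLL_RUN 118
"""

# Constructed security-subsystem log: when, who, what, object or result.
SECURITY_LOG = """\
2024-03-05T02:01:10 alice LOGIN OK
2024-03-05T02:03:44 bob LOGIN FAIL
2024-03-05T02:03:51 bob LOGIN FAIL
2024-03-05T02:04:02 bob LOGIN FAIL
2024-03-05T02:04:09 bob LOGIN FAIL
2024-03-05T02:10:00 carol READ payroll.dat
2024-03-05T02:11:30 carol WRITE payroll.dat
2024-03-05T02:20:00 dave LOGIN FAIL
2024-03-05T02:40:00 dave LOGIN FAIL
2024-03-05T03:00:00 alice LOGOUT OK
"""

def parse_batch_log(text):
    """Group (date, seconds) per job in log order, oldest first."""
    runs = {}
    for line in text.splitlines():
        if line.strip():
            date, job, secs = line.split()
            runs.setdefault(job, []).append((date, int(secs)))
    return runs

def flag_slow_jobs(text, min_baseline=3, sigmas=3.0):
    """Flag a job's latest run when it exceeds the usual average.

    Baseline = all earlier runs. The run is flagged if it is more than `sigmas`
    standard deviations, or 10% of the mean (whichever is larger, so a perfectly
    regular history does not flag a one-second slip), above the baseline mean.
    Jobs with fewer than `min_baseline` earlier runs are skipped, not flagged.
    """
    flagged = []
    for job, runs in parse_batch_log(text).items():
        baseline = [secs for _, secs in runs[:-1]]
        if len(baseline) < min_baseline:
            continue
        avg = mean(baseline)
        threshold = avg + max(sigmas * pstdev(baseline), avg / 10)
        date, latest = runs[-1]
        if latest > threshold:
            flagged.append((job, date, latest, round(threshold, 1)))
    return flagged

def parse_security_log(text):
    """Return (timestamp, user, action, target) tuples in log order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, user, action, target = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(stamp), user, action, target))
    return events

def flag_failed_logins(text, limit=3, window=timedelta(minutes=5)):
    """{user: most LOGIN FAIL events inside one `window`} for users at or over `limit`.

    A sliding window over sorted timestamps counts a burst of guesses together
    but not two failures an hour apart.
    """
    fails = {}
    for stamp, user, action, target in parse_security_log(text):
        if action == "LOGIN" and target == "FAIL":
            fails.setdefault(user, []).append(stamp)
    suspects = {}
    for user, stamps in fails.items():
        stamps.sort()
        worst = start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= limit:
            suspects[user] = worst
    return suspects

def sensitive_writes(text, sensitive=("payroll.dat",)):
    """Who changed a named sensitive object and when; reads are not listed."""
    return [(stamp.isoformat(), user, target)
            for stamp, user, action, target in parse_security_log(text)
            if action in ("WRITE", "DELETE") and target in sensitive]

if __name__ == "__main__":
    print("slow jobs:", flag_slow_jobs(BATCH_LOG))
    print("repeated logon failures:", flag_failed_logins(SECURITY_LOG))
    print("sensitive writes:", sensitive_writes(SECURITY_LOG))
```

On the constructed data the nightly posting run of 1540 seconds is flagged against a usual average of 610, the two-run PAYROLL_RUN history is too short to judge and is skipped rather than reported, bob's four failures in 25 seconds are reported while dave's two failures 20 minutes apart are not, and carol's write to the payroll file is listed. The point for the reviewer of such logs is that each check needs a stated baseline and threshold; a log nobody compares against anything is a record, not an early warning.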


CHAPTER 02

INTRODUCTION TO STRATEGY & INFORMATION STRATEGIES

CHARACTERISTICS OF STRATEGIC DECISIONS

1. Strategic decisions will be concerned with the scope of an organization's
activities.

2. Strategy involves the matching of an organization’s activities to the

environment in which it operates.

3. Strategy involves the matching of an organization’s activities to its resource

capability.

4. Strategic decisions therefore involve major decisions about the allocation or

re-allocation of resources.

5. Strategic decisions will affect operational decisions, because they will set off a

chain of lesser decisions and operational activities, involving the use of

resources.

6. Strategic decisions will be affected by the values and expectations of the

people in power within the organization.

7. Strategic decisions are likely to affect the long term direction that the

organization takes.

8. Strategic decisions have implications for change throughout the organization,

and so are likely to be complex in nature.

STRATEGY

Strategy is a pattern of activities that seeks to achieve the objectives of an
organization and to adapt its scope, resources and operations to environmental changes
in the long term.

All organizations carry out some form of strategic management. As an
organization grows larger and more complex, there is a greater need for
involvement in the strategy process at all levels of the organization.


STRATEGIC PLANNING

Strategic planning is the formulation, evaluation and selection of strategies for the
purpose of preparing a long term plan of action to attain objectives. Strategic
information systems are systems at any level of an organization that change goals,
processes, products, services or environmental relationships with the aim of gaining
competitive advantage. Strategic level systems are systems used by senior managers
for long term decision making.

Strategic planning is a disciplined effort to produce fundamental decisions and
actions that shape and guide what an organization is, what it does, and why it does
it, with a focus on the future. Being strategic means being clear about the
organization's objectives, being aware of the organization's resources, and
incorporating both into being consciously responsive to a dynamic environment.

A strategic plan can provide the foundation and framework for a business plan. The

strategic plan provides:

A framework for decisions or for securing support/approval.
A basis for more detailed planning.
An explanation of the business to others in order to inform, motivate and involve.
Assistance with performance monitoring.
A stimulus for change and a building block for the next plan.

Planning stage              Components of plan

Strategic analysis          Mission    - what business are we in?
                            Goals      - where are we going?

Strategic choice            Strategies - which routes have we selected?

Strategic implementation    Policies   - what sort of frameworks are needed?
                            Decisions  - what choices do we have?
                            Actions    - how shall we do it?

Levels of Planning:

Strategic: Deciding on the objectives of the organization, on changes in these
objectives, on the resources used to attain these objectives and on the
policies that are to govern the acquisition, use and disposition of these
resources.


Tactical: Ensuring that the resources are obtained and used effectively and

efficiently in the accomplishment of the organization’s objective.

Operational: Ensuring that specific tasks are carried out effectively and efficiently.

Guidelines on when Strategic Planning should be done

The strategic planning schedule depends on the nature and needs of the
organization and its immediate external environment.

i) Strategic planning should be done when an organization is just getting
started. It is usually part of an overall business plan, along with a financial
plan, marketing plan, operational plan and management plan.
ii) Strategic planning should also be done for a major new venture, e.g. developing
a new department, division, major new product or line of products, etc.
iii) Strategic planning should be conducted at least once a year in order to be
ready for the coming fiscal year; a full strategic planning exercise should be
conducted at least once every three years.
iv) Each year, action plans should be amended and updated.
v) During implementation of the plan, the progress of the implementation should
be reviewed at least on a quarterly basis by the board. The frequency of review
depends on the rate of change in and around the organization.

Guidelines for Preparing the Strategic Plan

Following guidelines will help ensure that the plan is developed and successfully

implemented.

i) When conducting the planning process, involve the people who will be

responsible for implementing the plan. Use a cross-functional team to ensure

the plan is realistic and collaborative.

ii) Ensure the plan is realistic ("we can really do this").
iii) Organize the overall strategic plan into smaller action plans, often including an
action plan for each committee on the board.
iv) In the overall planning document, specify who is doing what and by when.
v) In an implementation section of the plan, specify and clarify the plan's
implementation roles and responsibilities. Build in regular reviews of the status of
the implementation of the plan.

vi) Translate the strategic plan’s action into job descriptions and personnel

performance reviews.


vii) Communicate the role of follow-ups to the plan. If people know the action
plans will be regularly reviewed, implementers tend to do their jobs before
they are checked on.
viii) Be sure to document and distribute the plan, including inviting review input from
all.
ix) Be sure that one internal person has ultimate responsibility that the plan is
enacted in a timely fashion.

x) The chief executive’s support of the plan is a major driver to the plan’s

implementation. Integrate the plan’s goals and objectives into the chief

executive’s performance reviews.

xi) Place huge emphasis on feedback to the board’s executive committee from

the planning participants.

xii) Have designated rotating “checkers” to verify e.g. every quarter, if each

implementer completed their assigned tasks.

Purpose of the Information System Strategy Planning

i) Effective management of expensive and critical assets of the organization.

ii) Improving communication between the business and the information systems
organization.

iii) Linking the information systems direction to the business direction.

iv) Planning the flow of information and processes.

v) Efficiently and effectively allocating information systems resources.

vi) Information systems life cycle.

GENERAL LEVELS OF STRATEGY

Corporate, business and functional/operational.

CORPORATE STRATEGY

Corporate strategy is the most general level of strategy in an organization. Corporate

strategy is concerned with what types of business the company as a whole should be

in and is therefore concerned with decision of scope. Corporate strategy is

concerned with the scope of an organization’s activities and the matching of these to

the organization's environment, its resource capabilities and the values and
expectations of its various stakeholders.


Corporate strategy involves issues such as:

(i) Diversifying or limiting the activities of the business

(ii) Investing in existing units, or buying new business.

(iii) Surviving

This is a sense of direction for the entire corporate group. It is primarily concerned
with the determination of ends, e.g. what business or businesses the firm is in or
should be in and how integrated these businesses should be with one another. It
covers a longer time period and has a wider scope than the other levels of corporate
planning. At this level the global objectives, e.g. growth, stability or retrenchment, and
the general orientation to achieve them are defined.

BUSINESS STRATEGY

Business strategy, or competitive strategy, is concerned with how each strategic
business unit (SBU) attempts to achieve its mission within its chosen area of activity.

Here strategy is about which products or services should be developed and offered to

which markets and the extent to which the customer needs are met whilst achieving

the objectives of the organization.

These strategies are either cost leadership or differentiation of products and may

encompass an entire market or be focused on a particular segment of it. Business
strategy relates to how an organization approaches a particular market, or the
activity of a particular business unit. For example, this can involve decisions as to
whether, in principle, a company should:

(i) Segment the market and specialize in particularly profitable areas:

(ii) Compete by offering a wide range of products.

An example of a business strategy is the recent decision by Mercedes-Benz to expand

its products range to include four wheel drive vehicles.

Strategic Business Unit (SBU): It is a unit within the overall corporate entity
which should have an identifiable and definable product or service range, market
segment and competitor set.

OPERATIONAL AND FUNCTIONAL STRATEGIES

These involve decisions of strategic importance, but which are made or determined

at operational levels. These decisions include product pricing, investment in plant,


personnel policy and so forth. The contributions of these different functions
determine the success of the strategy, since, effectively, a strategy is only implemented at
this level.

Functional or operational strategies are concerned with how the various functions of
the organization (marketing, administration, production, etc.) contribute to corporate and
competitive strategies. To improve performance in the organization, functional strategies harness
the activities, skills and resources available.

Function/operational strategies deal with specialized areas of activity e.g. information

system strategy. It includes:

Information system strategies

Marketing strategies

Production strategies

Finance strategies

Human resources strategies

R&amp;D strategies

INFORMATION SYSTEM (IS) includes all systems and procedures involved in the

collection, storage, production and distribution of information.

VS.

INFORMATION TECHNOLOGY (IT) describes the equipment used to capture,

store, transmit or present information. IT provides a large part of the information

systems infrastructure.

Information System Strategy: IS strategy indicates what features and
performance the organization will need from its systems. It demonstrates how the
resources will be used and provides policy guidelines for the information resource's
management and perhaps policies for communication networks, hardware
architectures, software infrastructures and management issues such as security,
development methods, organization and allocation of responsibilities.

VS.

Information Technology Strategy: IT strategy defines the policies for software and
hardware, for example any standards to be used, any stand on preferred suppliers,
what investments are to be made, and the selection of vendors. It also describes the activities and
resources required for the development of new application technology.


INFORMATION MANAGEMENT refers to the approach an organization takes

towards the management of its information systems, including:

Planning IS/IT development

Organizational environments of IS

Control

Technology

STRATEGIC PLANNING COMPONENTS

i) Identification of where are we today:

Look internally and externally at the business as well as information systems.

Thoroughly understand the business objectives and challenges in addition to

where information systems are currently.

ii) Identification of where we want to be in the future:

Develop the vision and strategy from a business perspective as well as an
information systems perspective. The future business direction must be the main
determinant of the information systems direction.

iii) Identification of the information systems gap between where we are and where

we want to be in the future.

iv) Identification of how to get information systems to where we want to be in the
future. Develop a plan that begins with understanding the future business
operating vision. This vision then becomes the basis for the IS mission, objectives,
strategies and technical computing architecture. Assess the current systems by
comparing them to the future business operating vision and the desired
information systems computing architecture.

ELEMENTS OF AN IT STRATEGY

i) Executive Summary: A statement containing the main points of the
plan. The document should have a section on the goals, specific and
general, of information processing in the organization.
ii) Goals: A general goal might be to provide a differentiated customer service,
whilst a specific goal could be to completely update the database enquiry
system.


iii) Assumptions: The plan will be based on certain assumptions about the
organization and the current business strategy. It is essential that this
plan is linked to the organization's strategic plan.
iv) Scenario: It is helpful to draw up a scenario of the information processing
environment that will result from executing the plan.
v) Application Areas: The plan should outline and set priorities for new
application areas being planned and for those applications which are in the
process of development. A report on progress and status should be
produced. For major new applications there should be a break-down of
costs and schedules.
vi) Operations: The current systems will continue and the plan should
identify the existing systems and the cost of maintaining them.
vii) Maintenance: The plan should incorporate the budget for the
maintenance of, and enhancements to, the existing systems.
viii) Organizational Structure: The plan should describe the existing and
future organizational structure for the technology, in terms of location, and
human and financial resources.
ix) Impact of the plan: Management is interested in the impact of a plan on
the organization, particularly its financial impact.

CONSIDERATIONS FOR DEVELOPING IT STRATEGY

i) What are the key business areas that could benefit most from an investment in
IT, what form should the investment take and how could such strategically important
units be encouraged to use such technology effectively.
ii) How much the system will cost in terms of software, hardware, management
commitment and time, education and training, conversion, documentation,
operational manning and maintenance. The importance of lifetime application
costs must be stressed.


iii) What performance criteria should be set for IT systems.
iv) What are the implications for the existing work force (training issues,
redundancy issues etc.).
v) Whether such a strategy should be based on a database approach will depend on
a number of factors.

A DATABASE APPROACH IS CALLED FOR WHEN

a) Application needs are constantly changing, with considerable uncertainty as to

the important data elements, expected update or processing function, and

expected volumes to be handled.

b) Rapid access is frequently required to answer ad hoc questions.

c) There is a need to reduce long lead times and high development costs in

developing new application systems.

d) Many data elements must be shared by users throughout the organization.

e) There is a need to communicate and relate data across functional and
departmental boundaries.
f) There is a need to improve the quality and consistency of the database and to
control access to that resource.

g) Substantial dedicated programming assistance is not normally available.

COMPONENTS OF INFORMATION SYSTEM STRATEGY PLAN

i) Business Information Strategy:

This indicates how information will be used to support the business. Priorities
that the organization has for systems developments are defined at a general
level, perhaps by suggesting a portfolio of current and required systems. It
may outline information requirements via blueprints for future application
developments.

ii) IS Functionality Strategy:

This indicates what features and performance the organization will need from

the systems. It demonstrates how the resources will be used; and provides

policy guidelines for the information resource’s management and perhaps

policies for communication networks, hardware architectures, software

infrastructures and management issues such as security, development

approaches, organization and the allocation of responsibility.


iii) IS Strategy:

This defines the policies for software and hardware, for example any standards
to be used and any stand on preferred suppliers. This also defines the
organization's stand on the IS organization, e.g. whether it is to be centralized or
distributed, what the investment, vendor and human impact policies are to be,
and IS accounting techniques.

STRATEGIC SYSTEMS

The following items provide a good starting point for organizations planning to use
information systems as a strategic weapon against competition, for the betterment of
products and services, and for the overall growth of the company.

i) Develop partnership relationships with suppliers and vendors, e.g. working
with suppliers to provide production forecasting information based on POS
data for a retail company, and having retail clerks use hand-held wireless
scanners to automate inventory records and pricing data.
ii) Support and shape changes in traditional business operations, e.g. TQM
principles in computer operations, software development and maintenance.
Provide information to lower level employees for better decision making.

iii) Connect various business functions and users together, regardless of their

location. This means integrating system architecture through

telecommunication networks, and open-systems technology so that

employees work together & share information across business units and

divisions. (Cross–functional systems).

iv) Allow almost every employee to access computer systems so that decision

making is done at the end user level with the information readily available.

v) Search external databases to obtain data on competitors' products and
services, general economic data, and political information
to help executive management prepare well in advance for possible moves and
counter moves. (This information helps in applying ESS and DSS.)
vi) Revisit the information flow between the home office and field offices, and between
headquarters and manufacturing plants or warehouses. The goal is to move
required data to field offices so that it can be acted upon more quickly and
managed more efficiently in order to serve the customer faster and better (e.g.
workflow systems).


vii) Have representatives of functional and user groups present on the
information steering committee. These representatives ensure that software
requirements are defined and that new systems are implemented, whether the
system is developed in-house or acquired from third-party vendors. The
goal is to place decision making in the hands of end-users instead of a few
high-level managers.

viii) Re-engineering the IS organization. This requires reorganizing, dispersing,

and aligning the IS department with units. The goal is to better reflect the

company strategy and link the information system structure to lines of

business. This may require the use of distributed or client / server technology

in business.

ix) Put more focus on lowering the cost of doing business, improving customer
service, and cutting the time-to-market of new products and services. New
tools such as information engineering and computer-aided software
engineering (CASE) products can be used to cut the time-to-market of new
products.
x) Help re-engineer business processes. This requires a focus on achieving
productivity improvement by providing the functional users with the right
information at the right time. This responsibility puts pressure on IS

management to retrain existing staff to learn new tools & techniques.

In some cases, existing staff may have to be replaced.

xi) Develop a new class of application systems that use existing production data

to improve business decision and, ultimately, customer service. This includes

building decision support application systems that query huge production

databases.

Critical Success Factors

Three factors can summarize all of them: people, process and tools.

People and process need to be related to each other to improve quality and increase
productivity. A process is a sequence of steps or operations used to accomplish a
certain goal. People perform operations. For example, all processes need to be changed where
needed, and applications, methodologies and tools need to be evaluated. In all these
activities, people are an integral part.


Top management support.

Long-term commitment.

High quality staffing.
Substantial customer input.
Co-ordination between organizations.

Appropriate use of technology.

Good up-front planning.

Need to change corporate culture.

Strategic Planning:

Strategic planning is the process of deciding organizational direction. Managers apply

analytic techniques, creativity and sound judgment to anticipate the requirements of

the future. When properly executed, IS strategic planning helps an organization to

efficiently and effectively carry out its mission. Managers can better position their
organization to meet tomorrow's challenges; strategic planning is a key tool for moving
from where one is to where one wants to be.

An IS strategic plan should be a part of the organization strategic plan. Due to their

long-term nature, strategic plans are not updated frequently. External or internal

changes within an organization are often the catalyst for organization strategic

planning.

Key Components of IS Strategic Plan

i) A mission statement that defines the organization’s purpose.

ii) A vision to support the mission.
iii) Goals to achieve the vision and mission.
iv) An environmental analysis to identify internal strengths and weaknesses and
external challenges and opportunities.

v) Strategies to meet vision & goals.

vi) A risk assessment that contrasts the impacts of change versus those of no

change.

vii) CSF that highlight key elements for achieving organization goals.


Success Factors for Strategic Planning

i) Managers must commit to and participate in the planning process.

ii) Managers must nurture strategic thinking.

iii) Managers must communicate with all parties affected by the plan.

iv) Managers must gain staff and customer / client support for the plan.

v) Managers must develop operational plans to guide the implementation of the

strategic vision.

_____________________________________________________________

INFORMATION SYSTEM STRATEGY refers to the long term plan concerned with

exploiting IS and IT either to support business strategies or create new strategic

options. It should be developed with the aim of ensuring IS/IT is utilized as efficiently

and effectively as possible in the pursuit of organizational goals and objectives.

Information system should support corporate and business strategy. In some

circumstances an IS may have a greater influence and actually help determine

corporate / business strategy.

(a) IS/IT may provide a possible source of competitive advantage. This could

involve new technology not yet available to others or simply using existing

technology in a different way.

(b) The IS may help in formulating business strategy by providing information

from internal and external sources.

(c) Developments in IT may provide new channels for distributing and collecting

information, and / or for conducting transactions e.g. the internet.

IMPACT OF IS/IT ON ORGANIZATION

(a) The type of products or services that are made or sold

Consumer markets have seen the emergence of PCs, CDs, USB devices and satellite
dishes for receiving channels; industrial markets have seen the emergence of
custom-built microchips, robots and LANs for office IS. Technological change in
products includes the introduction of tennis and squash rackets with graphite frames
and turbo-powered engines.


(b) The way in which products are made

There is continuing trend towards the use of automation and computer aided

design and manufacture. The manufacturing environment is undergoing rapid

changes with the growth of advanced manufacturing technology. These are

changes in both apparatus and technique.

(c) The way in which services are provided

High street banks encourage customers to use hole-in-the-wall cash
dispensers, telephone or internet banking, and POS terminals in stores. Many

organizations use e-commerce: selling products and services over the

internet.

(d) The way in which markets are identified

Database systems make it much easier to analyze the market place.

(e) The way in which employees are mobilized

Using technology often requires changes in working methods and greater
workforce skills.

(f) The way in which firms are managed

Computerization encourages delayering of organizational hierarchies.

(g) The means and extent of communications with customers

BENEFITS OF TECHNOLOGICAL CHANGE TO ORGANIZATION

1. To cut production cost and so probably to reduce sale prices to the customer.

2. To develop better quality products and services.

3. To develop products and service that did not exist before.

4. To provide products or services to customers more quickly or effectively.

5. To free staff from repetitive work and to tap their creativity.


WHY HAVE AN IS/IT STRATEGY

1. IT/IS is a high cost activity.
2. IS/IT is critical to the success of many organizations.
3. IS is now used as part of commercial strategy in the battle for competitive
advantage.
4. IT can impact significantly on the business context.
5. IT affects all levels of management.
6. IT affects management information (the way management information is
created and presented).
7. IT requires effective management to obtain the maximum benefits.
8. IT involves many stakeholders inside and outside the organization.

INFORMATION SYSTEM PLAN

Organizations should develop an information systems plan that supports their overall
business plan.

The IS plan should contain following:

1. Overall organization goals.

2. How information systems and information technology contribute to attaining
these goals.
3. Key management decisions regarding hardware, software, data and
telecommunications.

4. Specific dates and milestones relating to IS/IT projects.

5. Financial information such as budget and cost benefit analysis.

METHODOLOGIES AND FRAMEWORKS for establishing the information requirements of an organization

Earl’s three leg analysis

Enterprise analysis

Critical success factors (CSFs)

EARL’S THREE LEG ANALYSIS

Business led (top down emphasis, focus on business plans & goals)

Infrastructure led (bottom up emphasis, focus on current systems)

Mixed (inside out emphasis, focus on IT/IS opportunities)


BUSINESS LED (TOP DOWN)

The overall objectives of an organization are identified and then IS/IT systems are

implemented to enable these objectives to be met. This approach relies on the ability

to break down the organization and its objectives to a series of business objectives

and processes and to be able to identify the information needs of these. This is an

analytical approach. The people usually involved are senior management and

specialist teams.

INFRASTRUCTURE LED (BOTTOM UP)

Computer based transaction systems are critical to business operations. The organization focuses on systems that facilitate transactions and other basic operations.

This is an evaluative approach. The people usually involved are system users and

specialists.

MIXED (INSIDE OUT)

The organization encourages ideas that will exploit existing IT and IS resources.

Information may come from entrepreneurial managers or individuals outside the

formal planning process.

This is an innovative / creative approach. The people involved are entrepreneurs and

/ or visionaries.

ENTERPRISE ANALYSIS

Enterprise analysis involves examining the entire organization in terms of structure, processes, functions and data elements to identify the key elements and attributes of organizational data and information.

Enterprise analysis is sometimes referred to as business systems planning. This

approach involves the following steps.

Step 1

Ask a large sample of managers about:

How they use information?

Where they get information?

What the objectives are?

What their data requirements are?

How they make decisions?

The influence of environment.


Step 2

Aggregate the findings from step 1 into sub units, functions, processes and data matrices. Compile a process / data class matrix to show:

What data classes are required to support particular organizational processes.

Which processes are the creators and users of data.

Step 3

Use the matrix to identify areas that IS should focus on, e.g. on processes that create data.
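As an added worked illustration of the three steps above (not code from the original notes), the following Python aggregates constructed step 1 survey answers into a process / data class matrix and uses it to pick out the creator processes; every process name, data class and answer is made up for the example.

```python
"""Enterprise analysis worked example (added illustration, not part of the notes).

Constructed step 1 survey findings are aggregated into a process / data class
matrix (step 2), and the matrix is then used to pick out the processes that
create data, i.e. the candidate IS focus areas (step 3).
"""
from collections import defaultdict

# Step 1 findings (constructed): one tuple per answer a manager gave, as
# (process, data class, relationship) with "C" = creates, "U" = uses.
SURVEY_FINDINGS = [
    ("Order entry", "Customer", "U"),
    ("Order entry", "Order", "C"),
    ("Order entry", "Product", "U"),
    ("Invoicing", "Order", "U"),
    ("Invoicing", "Invoice", "C"),
    ("Invoicing", "Customer", "U"),
    ("Invoicing", "Tax rate", "U"),        # no surveyed process creates this class
    ("Stock control", "Product", "C"),
    ("Stock control", "Product", "U"),     # a second manager: "we only look it up"
    ("Stock control", "Order", "U"),
    ("Customer service", "Customer", "C"),
    ("Customer service", "Invoice", "U"),
    ("Customer service", "Invoice", "U"),  # duplicate answer, must not matter
]


def build_matrix(findings):
    """Step 2: aggregate answers into {process: {data class: "C" | "U"}}.

    "C" wins over "U" for the same cell: a process that creates a class also
    uses it, and the matrix is meant to show where each data class originates.
    """
    matrix = defaultdict(dict)
    for process, data_class, rel in findings:
        if rel not in ("C", "U"):
            raise ValueError(f"bad relationship {rel!r} for {process}/{data_class}")
        if matrix[process].get(data_class) != "C":
            matrix[process][data_class] = rel
    return dict(matrix)


def data_classes(matrix):
    """All data classes mentioned anywhere in the matrix, sorted."""
    return sorted({dc for row in matrix.values() for dc in row})


def creators(matrix):
    """Data class -> sorted list of processes that create it."""
    out = defaultdict(list)
    for process, row in matrix.items():
        for dc, rel in row.items():
            if rel == "C":
                out[dc].append(process)
    return {dc: sorted(procs) for dc, procs in out.items()}


def users(matrix):
    """Data class -> sorted list of processes that only use it."""
    out = defaultdict(list)
    for process, row in matrix.items():
        for dc, rel in row.items():
            if rel == "U":
                out[dc].append(process)
    return {dc: sorted(procs) for dc, procs in out.items()}


def focus_processes(matrix):
    """Step 3: processes that create data are where IS effort should focus."""
    return sorted(p for p, row in matrix.items() if "C" in row.values())


def unowned_data_classes(matrix):
    """Classes used but never created by any surveyed process: either a gap in
    the survey or data entering from outside, which a review should trace
    back to its source before relying on it."""
    owned = creators(matrix)
    return sorted(dc for dc in data_classes(matrix) if dc not in owned)


def render(matrix):
    """Plain-text matrix: rows are processes, columns are data classes."""
    cols = data_classes(matrix)
    width = max(len(p) for p in matrix)
    lines = [" " * width + "  " + "  ".join(cols)]
    for process in sorted(matrix):
        cells = [matrix[process].get(c, "-").center(len(c)) for c in cols]
        lines.append(process.ljust(width) + "  " + "  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SURVEY_FINDINGS)
    print(render(m))
    print("IS focus (creators):", focus_processes(m))
    print("Used but never created:", unowned_data_classes(m))
```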

The enterprise analysis approach gives a comprehensive view of the organization and

its use of data and systems. The enterprise analysis approach results in a mountain

of data that is expensive to collect and difficult to analyze.

Survey questions tend to focus on how systems and information are currently used, rather than on what information is needed. This tends to result in existing systems being automated rather than looking at the wider picture.

CRITICAL SUCCESS FACTORS

Critical success factors are a small number of key operational goals vital to the success of an organization.

The use of CSFs can help to determine the information requirements of an

organization. CSFs are operational goals. If operational goals are achieved, the

organization should be successful. Progress towards achieving critical success factors

must be monitored. This is done through the use of key performance indicators

(KPIs). KPIs are measures designed to track a critical performance variable over time.

The CSF approach is sometimes referred to as the strategic approach. Managers should focus on a small number of objectives, and information systems should be focused on providing information to enable managers to monitor these objectives.

TYPES OF CSFs

A monitoring CSF is one that if achieved will contribute towards the

success of existing activities and operations. Monitoring CSFs are

important for maintaining business.


A building CSF helps to measure the progress of new initiatives. Building CSFs are important for expanding business.

USING THE CSF APPROACH

The approach involves THREE STEPS

List the organization’s corporate objectives and goals.

Determine which factors are critical for accomplishing the objectives.

Determine a small number of key performance indicators for each CSF.

Where KPIs use quantitative data, performance can be measured in a number of ways.

In physical quantities, for example units produced or units sold.

In money terms, for example profit, revenues, costs or variances.

In ratios and percentages

The determination of key performance indicators for CSFs is not necessarily straightforward. Some measures might use factual, objectively verifiable, data while others

might make use of softer concepts, such as opinions, perceptions and hunches.

Example

The reliability of stock records can be measured by means of physical stock

counts, either at discrete intervals or on a rolling basis. Forecasting of demand

variations will be much harder to measure.

GENERAL SOURCES OF CSFs

The industry that the business is in

The company itself and its situation within the industry

The environment, for example consumer trends, the economy, and

political factors of the country in which the company operates.

Temporal organizational factors, which are areas of corporate activity

which are currently unacceptable and represent a cause of concern, for

example, high stock level.


POSSIBLE SPECIFIC SOURCES OF CSFs & KPIs

(a) The Existing System: The existing system can be used to generate reports

showing failure to meet CSFs.

(b) Customer service department: This department will maintain details of complaints received, refunds handled, customer enquiries etc. These should be reviewed to ensure all failure types have been identified.

(c) Customers: A survey of customers, provided that it is properly designed and

introduced would reveal (or confirm) those areas where satisfaction is high or

low.

(d) Competitors: Competitors’ operations, pricing structures and publicity should

be closely monitored.

(e) Accounting system: The profitability of various aspects of the operation is

probably a key factor in any review of CSFs.

(f) Consultants: A specialist consultancy might be able to perform a detailed

review of the system in order to identify ways of satisfying CSFs.

PARSON’S SIX INFORMATION SYSTEMS STRATEGIES

i) Centrally Planned: The logic of this approach is that those planning IS development should have an understanding of the overall strategy. Business and IS strategy are viewed as being closely linked.

ii) Leading edge: There is a belief that innovative technology use can create

competitive advantage, and therefore that risky investment in unproven

technologies may generate large returns. The organization may have the

motivation and ability to commit large amounts of money and other

resources. Users must be enthusiastic and willing to support new initiatives.

iii) Free market: This strategy is based on the belief that the market makes the

best decisions. The IS function is a competitive business unit, which must be

prepared to achieve a return on its resources. The department may have to

compete with outside providers.

iv) Monopoly: The direct opposite to the free market strategy. This strategy is

based upon the belief that information is an organizational asset that should

be controlled by a single service provider.

v) Scarce resource: This strategy is based on the premise that IS uses limited resources, and therefore all IS development requires a clear justification.


Budgetary controls are in place and should be adhered to. New projects

should be subject to cost benefit analysis (CBA).

vi) Necessary evil: IS/IT is seen as a necessary evil of modern business. IS/IT

is allocated enough resources only to meet basic needs. This strategy is

usually adopted in organizations that believe that information is not important

to the business.

STRATEGIC MANAGEMENT

It is a distinct mode of management which proceeds from analysis to implementation and shares the same functions, planning, organizing, directing and controlling, as operations management.

A) STRATEGIC ANALYSIS

The first step in the process involves analysis of the situation in which the

organization finds itself. This means identifying the conditions prevailing in

both the internal and external environment and the effects of these conditions

on the organization. The following matters are to be addressed.

(i) SWOT ANALYSIS (internal strengths and weaknesses, external opportunities and threats)

(ii) CUSTOMER ANALYSIS: The organization must analyse who its competitors are, how and why they are competing, and whether and how competition will increase. The nature of the industry’s competitive forces should be addressed.

(iii) MARKET ANALYSIS: In many markets the needs / demands of customers are becoming increasingly sophisticated and complex.

(iv) CULTURAL ANALYSIS: The culture or feel of an organization is seen as being of critical strategic importance. An organization which has an enterprising, innovative and unique culture will be attractive to investors, customers and employees. Culture must therefore be analysed to see what kind of message it is giving out about the organization.

(v) SOCIAL ANALYSIS: Identify how the complexity of modern society impacts

on the organization and its customers. It will take into account demographic

and economic changes, changes in attitudes in society (such as towards

environmental issues) and changes in political attitudes (e.g. the favorable light in which the Govt. views initiative).


B) STRATEGIC CHOICE

(a) STRATEGIC OPTIONS GENERATION. A variety of alternatives can be

considered:

(i) Increase market share

(ii) Increase internal growth

(iii) Concentration on core competencies

(iv) Acquisition

(b) STRATEGIC OPTIONS EVALUATION:

Each option is then examined on its merits.

A variety of techniques is used to assess and value strategies. Some will be assessed on financial criteria (such as net present value). Where this is not possible, or where the uncertainty in the environment is so great, more sophisticated models are used. Scenario building postulates a number of possible futures (e.g. worldwide economic growth, interest rates, competition).

(c) STRATEGY SELECTION: A strategy is chosen, according to the evaluation

above. Remember, however, that this process is strongly influenced by the

values of the managers selecting them. Developing strategies by which these

objectives may be met.

(d) STRATEGIC IMPLEMENTATION

Having formulated strategies and plans, it only remains to implement them. This will almost certainly involve changes to the way things are done. If the process of strategic management has been followed through from first principles, areas in which the implementation of strategies is likely to cause changes are:

(i) The organization’s culture (there may have to be a move from bureaucracy towards a task culture if it has been identified that the organization is in an unstable environment).

(ii) The quality of all outputs may well have to improve;

(iii) Attitude towards innovation, entrepreneurship and individualism.

(iv) The degree of control exercised over subordinates given the new emphasis on innovation.

(v) Personnel: the organization needs to acquire the services of the right personnel to put strategies into practice.


THE POLITICAL AND LEGAL ENVIRONMENT

The political environment affects an organization in a number of ways.

(a) Laws and legislation provide a legal framework.

(b) Government policy may directly impact upon a business or industry.

(c) The government’s overall conduct of its economic policy is relevant.

Some legal factors that may impact upon organizations are as follows:

General legal framework: Contract, tort, agency; basic ways of doing business, negligence proceedings, copyright laws, software licences.

Criminal law: Theft, insider dealing, bribery, deception.

Company law: Directors and their duties, reporting requirements, takeover proceedings, shareholders’ rights, insolvency.

Employment law: Trade union recognition, social chapter provisions, minimum wage, unfair dismissal, redundancy, maternity, equal opportunities.

Health & Safety: Fire precautions, safety procedures, workstation design.

Data protection: Use of information about employees and customers, e.g. the Data Protection Act 1998 (UK), privacy.

Marketing and Sales: Laws to protect consumers (e.g. refunds and replacement, cooling off period after credit agreements); what is or isn’t allowed in advertising.

Environment: Pollution control, waste disposal.

Tax law: Corporation tax payment, collection of income tax (PAYE) and national insurance contributions, VAT.

The political environment is not simply limited to legal factors.

Governments are responsible for enforcing and creating a stable framework in which

business can be done. The quality of government policy is important in providing the

right:

a) Physical infrastructure (e.g. transport, communication)

b) Social infrastructure (education, a welfare safety net, law enforcement)

c) Market infrastructure (enforceable contracts, policing corruption)


THE ECONOMIC ENVIRONMENT

OVERALL GROWTH OR FALL IN GDP: Increased / decreased demand for goods and services.

LOCAL ECONOMIC TRENDS: Type of industry in the area, office / factory rents.

Labour rates. House prices.

INFLATION: Low in most countries, disrupts business decisions, wage inflation

compensates for price inflation.

TAX LEVELS: Corporation tax affects how much firms can invest or return to shareholders. Income tax and VAT (sales tax) affect how much consumers have to spend, hence demand.

GOVERNMENT SPENDING: Suppliers to the government (e.g. construction firms)

are affected by spending.

THE BUSINESS CYCLE: Economic activity may fluctuate between periods of growth

followed by decline. Govt. policy can cause, exacerbate or mitigate such trends.

EXCHANGE RATES: Cost of imports, selling prices and value of exports; cost of hedging against fluctuations.

CHARACTERISTICS OF OVERSEAS MARKETS: Desirable overseas markets (demand) or sources of supply. With the advent of the www, even the smallest organization can have an international presence.

CAPITAL FLOWS AND TRADE: Investment opportunities, free trade, cost of

exporting

INTEREST RATES

a) A rise might increase the cost of any borrowing, thereby reducing profitability. It

also raises the cost of capital. An investment project, (new information system)

therefore has a higher hurdle to overcome to be accepted.

b) Interest rates also have a general effect on consumer confidence and liquidity,

and hence demand.

INFLATION

a) Inflation reduces the value of financial assets and the income of those on fixed incomes.

b) Inflation makes it hard for businesses to plan, owing to the uncertainty of future financial returns. Inflation and expectations of it encourage organizations to focus on the short term (short termism).

c) Inflation requires high nominal interest rates to offer investors a real return.


THE SOCIAL AND CULTURAL ENVIRONMENT

Social change involves changes in the nature, attitudes and habits of society. Social

changes occur continually, and trends can be identified which may or may not be

relevant to an organization.

Demography is the analysis of statistics on birth and death rates, age structures of populations, ethnic groups within communities etc. It is important because:

a) Labour is a factor of production

b) People create demand for goods, services and resources

c) It has a long term impact on government policies

d) There is a relationship between population growth and living standards.

DEMOGRAPHIC FACTORS ARE

Growth: The rate of growth or decline in a national population and in regional populations.

Age: Changes in the age structure of the population; certain age groups may have a greater or lesser aptitude for technological developments such as the internet.

Geography: The concentration of population into certain geographical areas.

Household and family structure: A household is the basic unit and its size might

be determined by the number of children, whether elderly parents live at home etc.

Social structure: The population of the society can be broken down into a number

of subgroups, with different attitudes and access to economic resources. Social class,

however, is hard to measure (as people’s subjective perceptions vary)

Employment: This is related to changes in work place. There has been some

movement towards a more flexible workforce with greater numbers of workers on

part time or temporary contracts. However, despite some claims, most employees

are in permanent full time employment.

Wealth: Rising standards of living lead to increased demand for many goods and

services.

Culture: The culture of a society can affect an organization in a number of ways

a) Marketers can adapt their products to suit cultural traits (e.g. should a website be tailored for individual national markets?)

b) Human resource managers may need to tackle cultural differences in

recruitment and employment policies.


FUTUROLOGY

Futurology is the science and study of sociological and technological developments, values and trends with a view to planning for the future.

The model involves a panel of experts providing views on various events to be forecast, such as inventions and breakthroughs, or even regulations or changes over a time period into the future. In some cases, instead of technical developments being used to predict future technologies, future social developments can be predicted, in order to predict future customer needs.

DEVELOPING AN INFORMATION TECHNOLOGY PLAN

a) Alignment

b) Scope

c) Time frame

d) Cost benefit justification

e) Achievability

f) Monitoring and control

g) Reassessment

h) Awareness

i) Accountability

j) Commitment

PHASES INVOLVED IN ESTABLISHING THE IT PLAN

Organizations develop an IT plan specific to their needs. However, the planning process used to develop the IT plan will be similar across a wide range of organizations. The process can be broken down into four phases.

a) Orientation

b) Assessment

c) Strategic

d) Tactical


ORIENTATION

The first phase establishes the scope of the IT planning process, the methodology and techniques to be applied, and identifies the planning team and reporting lines for the planning process. The planning process may have been initiated in response to a major change in the business strategy or as a reaction to changes in the business or IT assumptions of the existing plan.

ACTIVITIES

1) Establish scope

2) Establish techniques and mobilize resources

ASSESSMENT

In the second phase, data is collected and analyzed to describe the existing usage and management of IT and the extent to which they are unable, or may be unable, to support business objectives.

This phase also provides an opportunity to identify other potential uses of

information technology which may assist in meeting objectives.

ACTIVITIES

3) Confirm business direction and drivers to ensure the key driver for the IT plan is the business direction of the organization.

4) Review technology trends

5) Outline future requirements

6) Inventory existing information systems

7) Develop an assessment

STRATEGIC PLAN

In the third phase of the IT planning process, appropriate strategies are formulated. These strategies are founded on the assessment of the business needs and priorities, IT direction and other related issues considered in the assessment phase.

ACTIVITIES

8) Develop a vision

9) Conduct option analysis

10) Develop a strategic plan


TACTICAL PLAN

In the last phase of the planning process, the tactical or implementation plan is

developed. In the tactical plan, the focus is on the projects that need to be

undertaken to implement each of the strategies.

ACTIVITIES

11) Identify and specify projects

12) Prioritize projects

13) Develop the tactical plan

14) Establish monitoring and control mechanisms

IT PLAN

a) Demonstrate to the organization how it can gain business benefits from IT.

b) Act as a yardstick by which to measure performance

c) Provide a framework for offering incentives to managers

d) Provide a framework for justifying

REQUIREMENTS OF A SUCCESSFUL INFORMATION STRATEGY PLAN

a) Continuous sponsorship and involvement from top management

b) Adequate resources

c) Formulating the first strategy is the only starting point. It needs to be

continuously updated and improved.

d) Strategies often remain on shelves. An organization needs resources,

infrastructure and incentive schemes to implement the strategy.

KEY STAGES IN DEVELOPING AN INFORMATION STRATEGY PLANNING PROCESS

a) Initiate the information strategy planning project

b) Identify your business position

c) Examine capabilities and technologies

d) Develop system and technology roadmap

e) Prioritize solutions


INITIATE THE INFORMATION STRATEGY PLANNING PROJECT

i) Gain senior management approval and sponsorship

ii) Appoint a champion

iii) Appoint team and schedule activities

iv) Involve business managers and employees

IDENTIFY YOUR BUSINESS POSITION

i) Assess your current business position

ii) Examine your future business direction

iii) Identify critical external systems and technologies (video conferencing, visualization, internet and web, intranet/extranet).

DEVELOP SYSTEM AND TECHNOLOGY ROAD MAP

i) Map your project lifecycle process

ii) Examine your information sharing requirements

iii) Explore the relevance of the internet/e-business to your organization

iv) Decide which major systems you will need.

v) Plan your infrastructure requirements

vi) Standardize your systems and technologies.

vii) Plan your people training and requirements.

PRIORITIZE SOLUTIONS

i) Prioritize critical software systems.

ii) Indicate resources and timeframes.

iii) Plan how you will manage changes to the document.

iv) Communicate and seek feedback.

v) Get authorizations.

VIDEO CONFERENCING

Improves communication between project teams and between site offices, hence eliminating unnecessary travel.

VISUALIZATION

Improves design visualization and communication with clients. This allows clients to see exactly what a design will look like, giving them increased confidence in the design.


INTERNET AND WEB

Email and company web site: these give instant worldwide communication together with a platform for companies to showcase their services.

INTRANET / EXTRANET

Intranets aid internal company collaboration. Extranets promote project collaboration, team working and e-commerce. Both help standardization and improve data flows.

INFORMATION ABOUT TECHNOLOGIES CAN BE FOUND

a) In the IT Press

b) By talking to major suppliers

c) By visiting trade shows

d) Through organizations, such as the Computer Society of Pakistan, which keep databases of local industry.

e) From Govt. sponsored initiatives, such as the e-Government projects.

ISSUES INVOLVED IN SUCCESSFULLY IMPLEMENTING THE

INFORMATION STRATEGY PLAN

i) Specification of user requirements: Determining detailed user

requirements for software selection (specification of user requirements)

ii) Software selection: Deciding whether software should be package software bought off the shelf, or bespoke software developed by an external IT supplier or developed internally (software selection).

iii) Integration and interface: How will new systems integrate and interface with existing systems? (Integration & Interface)

iv) Sequence of implementation: What is the logical order for implementing the different systems?

v) Legacy systems: What are the major issues when replacing expensive legacy systems?

vi) Time scales and resources: What is the overall time scale for the plan?

vii) Managing expectations: Managing user expectations and keeping them informed.

ADVANTAGES OF IMPLEMENTATION AS PILOT PROJECTS


i) Reduced risk of time and cost overruns

ii) Reduced risk in selecting the wrong system

iii) Benefits are achieved earlier thus increasing management and user

confidence.

iv) The organization is able to revise its requirements

v) The level of training required can be assessed.

vi) The approach fits well with the construction industry’s tendency to fund IT

systems on a project basis

vii) An organization can develop its IT skills and experience, assisting it to successfully select and implement more complex and larger systems across the organization at a later stage.

MANAGING CHANGES TO AN INFORMATION STRATEGY

Many strategies have ended as shelf ware. But information strategy planning is an

ongoing process, not a document. An organization needs to be capable of

implementing its strategies, then maintaining and updating them. It needs to manage innovation on an ongoing basis. In particular, ongoing strategic planning will require:

a) Continuous support and involvement from senior management.

b) In house skills to develop and maintain the strategy.

c) Time and tools, which should be planned for in advance

d) Appropriate incentive schemes, so that in competition with other

organization activities, it receives appropriate priority.

e) A change management plan, setting out who will manage the changes,

and what procedures they will use to do so. This plan should be included in

your initial strategy document.


CHAPTER 03

E-BUSINESS MODELS AND E-BUSINESS PRODUCTS

E-COMMERCE

E-business can be defined as commerce conducted via any electronic medium, such as TV, fax or the internet. E-commerce is the ability to buy and sell goods and services over the internet.

E-commerce is the paperless exchange of routine business information using electronic data interchange (EDI) and other technologies, including electronic mail (e-mail), electronic bulletin boards (EBBs), facsimile machines (faxes) and electronic funds transfer (EFT). E-commerce is about web-enabling your core business processes to improve customer service, reduce cycle time, get more results from limited resources, and actually sell things.

BUSINESS TO CONSUMER (B-C) E-COMMERCE

In this form of electronic commerce, businesses must develop attractive electronic marketplaces to entice and sell products and services to customers, e.g. many companies offer E-commerce websites that provide virtual storefronts and multimedia catalogs, interactive order processing, secure electronic payment systems, and online customer support.

FEATURES:

In this model, all is done electronically, remotely through the internet, without

you having to leave the comfort of your house or office.

Customers and suppliers can be 10,000 miles apart, in different cities or countries, or even different continents, and yet do business as if they were located in the same city or on the same street.

Since the internet never sleeps or closes, customers can do business 24 hours of the day, 365 days of the year (weather, strikes are not problems).


BUSINESS TO BUSINESS (B-B) E-COMMERCE

This involves both electronic business markets and direct market links b/w businesses, e.g. many companies offer secure internet or extranet E-commerce websites for their business customers and suppliers.

Others may rely on electronic data interchange (EDI) via the internet or extranets for computer to computer exchange of E-commerce documents with their larger business customers and suppliers. Also very important are B2B E-commerce portals that provide auction and exchange markets for businesses.

FEATURES:

Using industry standards such as EDI etc. for transmitting data related to commercial transactions, the manufacturer and the supplier are easily and quickly able to complete a business transaction.

BUSINESS TO EMPLOYEE (B-E) E-COMMERCE

It is sometimes called intra-business e-commerce, and refers to the use of internet technology to handle activities that take place within a business. An intranet is an internal network that uses internet technologies.

B-E e-commerce does not generate revenue like the previously discussed types of e-commerce business models. Instead, it increases profits by reducing expenses within a company, e.g. using B2E e-commerce employees collaborate with each other, exchange data and information, and access in-house databases, sales information, market news, and competitive analysis. By having instantaneous access to this type of technology, employees do not spend time manually looking up information.

Many professional firms in the west, with central offices in big cities and project offices or client offices in smaller cities, are using B2E to receive and process employee time sheets and expense claims, and are prepared to invest in secure connections for employees to safely access company intranets.

CONSUMER TO CONSUMER (C-C) E-COMMERCE

The huge success of online auctions like eBay, where consumers (as well as businesses) can buy and sell with each other in an auction process at an auction


website, makes this E-commerce model an important E-commerce business strategy. Thus, participating in or sponsoring consumer or business auctions is an important E-commerce strategy. Electronic personal advertising of products or services to buy or sell by consumers at electronic newspaper sites, consumer E-commerce portals, or personal websites is also an important form of C2C E-commerce.

Examples: E-auction sites, chat rooms, forums.

GOVERNMENT TO CITIZEN (G-C) E-COMMERCE

Government to citizen (G2C) E-commerce refers to the use of e-commerce technologies by the govt. to handle electronically all or major activities in which the govt. is involved. It can be an internet site which is available for citizens to interact with government or to access different govt. information / records, for example related to property and land details. It can be a helpful electronic way for tax / duties collection and management by the govt. It can also be used by the govt. to provide public health related information to its public. Even government procurements can all be handled through such E-commerce systems.

Examples: CBR / FBR website, SECP website.

CHALLENGES:

Availability of deep & secure access to govt. sites.

Govt. must be cognizant of the fact that such access must be made widely

available to all classes of its citizenry.

SECURE SOCKETS LAYER (SSL)

SSL is a layered protocol; it is a program layer created by Netscape for managing the security of message transmissions in a network. The primary goal of the SSL protocol is to provide privacy and reliability between communicating applications. The secure server uses its private key (known only to itself) to generate a random session key for your connection. Your browser decodes this encrypted key using the public part of the server's key; if it decodes, it is understood that only the secure server could have sent it. Once that is done, a secure connection has been established and all further traffic through it is encrypted using the session key.

The SSL protocol provides connection security that has three basic properties:

i) The connection is private. Encryption is used after an initial handshake to define a secret key.

ii) Symmetric cryptography is used for data encryption.

iii) The connection is reliable.
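The key exchange the section describes, written out as an added example in Go (this is not code from these notes): a random session key is protected with the server's public key so that only the holder of the private key can recover it, after which every record is encrypted and integrity-protected with symmetric AES-256-GCM under that key. In this example the client generates the session key and wraps it with RSA-OAEP (the RSA key transport pattern); the request text is constructed. The final checks show why the two properties matter in practice: a record with one flipped bit fails to open, and a key pair other than the server's cannot unwrap the session key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// oaepLabel ties the wrapped key to its purpose; both sides must use the same value.
var oaepLabel = []byte("session-key")

// ClientKeyExchange: the client draws a random 256-bit session key and wraps it
// with RSA-OAEP under the server's public key (learned from its certificate).
// Anyone on the path can see the wrapped blob, but only the holder of the
// matching private key can recover the session key inside it.
func ClientKeyExchange(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, oaepLabel)
	return sessionKey, wrapped, err
}

// ServerUnwrap is the server's side: its private key, which never leaves it, opens the blob.
func ServerUnwrap(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, oaepLabel)
}

// newGCM builds the AES-256-GCM cipher used for all traffic after the handshake.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one record under the session key; the random nonce is prefixed
// to the ciphertext so the receiver can open it.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; GCM's authentication tag makes a record altered in transit fail to open.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// RunSession walks one client message through the exchange and reports what the server
// recovered, whether a tampered record was rejected, and whether an unrelated key pair
// (a party without the real private key) could unwrap the session key.
func RunSession(msg []byte) (recovered string, tamperRejected, impostorFails bool, err error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	sessionKey, wrapped, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return "", false, false, err
	}
	serverKey, err := ServerUnwrap(serverPriv, wrapped)
	if err != nil {
		return "", false, false, err
	}
	record, err := Seal(sessionKey, msg) // client encrypts with its copy of the key
	if err != nil {
		return "", false, false, err
	}
	plain, err := Open(serverKey, record) // server decrypts with its copy
	if err != nil {
		return "", false, false, err
	}
	altered := append([]byte(nil), record...)
	altered[len(altered)-1] ^= 0x01 // flip one ciphertext bit "on the wire"
	_, tamperErr := Open(serverKey, altered)
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	_, impostorErr := ServerUnwrap(impostor, wrapped)
	return string(plain), tamperErr != nil, impostorErr != nil, nil
}
```

Calling RunSession([]byte("GET /account/balance")) returns the same text from the server side, with both the tamper check and the impostor check reporting a rejection. The nonce is fresh for every record because reusing a nonce under the same GCM key destroys both confidentiality and the integrity guarantee.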

DIGITAL SIGNATURE

The purpose of a digital signature is to authenticate both the sender and the message (i.e. to provide proof to the recipient that the message stems from the sender, and that the message's contents have not been altered since leaving the signatory). Digital signatures are the basis for the security of smart card systems.

A digital signature is based on the actual contents of the message itself. A digital signature is a small amount of data that is recorded on an electronic medium. The sender produces it by applying certain calculations to a message. This process is called the "signature function". The resulting signature, which looks like random data, has meaning only when read in conjunction with the message used to create it.

The recipient of the message checks the digital signature by performing another set of calculations on the signature and the message. This is called the "verification function". The result of these calculations reveals whether or not the signature is a genuine authenticator of both sender and message.
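The signature function and verification function described above, as an added example in Go (not code from these notes). It uses Ed25519 from the Go standard library; the payment message, the altered copy and the second signer are all constructed for the example. The three checks show what the recipient learns: the genuine signature verifies, the same signature over a message changed after signing does not, and a signature produced with a different party's key does not verify under the sender's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignatureFunction is the sender's side: the signature is computed over the
// exact message bytes with the sender's private key, so it is tied to this
// message and looks like random data on its own.
func SignatureFunction(senderPriv ed25519.PrivateKey, message []byte) []byte {
	return ed25519.Sign(senderPriv, message)
}

// VerificationFunction is the recipient's side: it needs the message, the
// signature and the sender's public key, and reports whether the signature is
// a genuine authenticator of both sender and message.
func VerificationFunction(senderPub ed25519.PublicKey, message, signature []byte) bool {
	return ed25519.Verify(senderPub, message, signature)
}

// Outcome records the three checks a recipient cares about.
type Outcome struct {
	Genuine     bool // right message, right signer: must be true
	Altered     bool // message changed after signing: must be false
	WrongSigner bool // signed with someone else's key: must be false
}

// Demonstrate runs the signature and verification functions over a constructed
// message and two ways it could go wrong.
func Demonstrate() (Outcome, error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // an unrelated party's key
	if err != nil {
		return Outcome{}, err
	}
	message := []byte("Transfer 1,000 from account A-01 to account B-07") // constructed
	sig := SignatureFunction(senderPriv, message)

	altered := []byte("Transfer 9,000 from account A-01 to account B-07") // one digit changed in transit
	return Outcome{
		Genuine:     VerificationFunction(senderPub, message, sig),
		Altered:     VerificationFunction(senderPub, altered, sig),
		WrongSigner: VerificationFunction(senderPub, message, SignatureFunction(otherPriv, message)),
	}, nil
}

func main() {
	o, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v wrong signer=%v\n", o.Genuine, o.Altered, o.WrongSigner)
}
```

The signature is 64 bytes regardless of the message length, and the recipient needs nothing secret to run the verification function, only the sender's public key, which is why the public key must itself be obtained from a trustworthy source.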

STEPS ON GETTING ON THE INTERNET

1. Upgrade customer interaction: start doing emails; make a website.

2. Understand the customer segments: wealthy, youngsters, educated.

3. Understand the service process: how many processes do we have, and are they all computerized or manual?

4. Define the role of live interaction. Some products are bought through live interaction, e.g. perfumes, cars, clothes.

5. Decide on technology: zero touch (no human interaction) or low touch (some human interaction).

6. Deal with tidal waves.

7. Create incentives and disincentives (e.g. online shopping versus cash transactions).

8. Decide on channel choice.

9. Explode the internet (offer them something).

10. Implement (execute the plan made).

ELECTRONIC PAYMENT METHODS

a) Smart cards

b) Credit / charge / debit Cards

c) Online banking

d) Digi – Cash / E- Cash

e) E- Cheque

f) E- Wallets

g) Financial Electronic Data Interchange (FEDI)


CHAPTER 04

THE INFORMATION SYSTEMS DEVELOPMENT PROCESS

INFORMATION SYSTEM ACQUISITION

Organizations usually acquire information systems in two ways:

(i) They develop customized systems in-house through formal systems development activities, and

(ii) They purchase commercial systems from software vendors.

In-House Development

Many organizations require systems that are highly tuned to their unique operations. These firms design their own information systems through in-house systems development activities. In-house development requires maintaining a full-time systems staff of analysts and programmers who identify user information needs and satisfy those needs with custom systems.

Purchase Commercial Systems

A growing number of systems are purchased from software vendors. Faced with many competing packages, each with unique features and attributes, management must choose the system and the vendor that best serve the needs of the organization. Making the optimal choice requires that this be an informed decision.

TURNKEY SYSTEMS

Turnkey systems are completely finished and tested systems that are ready for implementation. They are often general purpose systems or systems customized to a specific industry. Turnkey systems are usually sold only as compiled program modules, and users have limited ability to customize them to their specific needs. Some turnkey systems have software options that allow the user to customize input, output and some processing through menu choices. Other turnkey system vendors will sell their customers the source code if program changes are desired. For a fee, the user or the vendor can then customize the system by reprogramming the original source code.


Examples

(a) General accounting systems

(b) Special purpose systems (e.g. for the medical field or the banking industry)

(c) Office automation systems (word processing, spreadsheets, desktop publishing systems). These are computer systems that improve the productivity of office workers.

(d) Backbone systems (e.g. SAP). Backbone systems provide a basic system structure on which to build. Backbone systems come with all the primary processing modules programmed. The vendor designs and programs the user interface to suit the client's needs.

(e) Vendor supported systems. Vendor supported systems are hybrids of custom systems and commercial software. Under this approach, the vendor develops custom systems for its clients. The systems themselves are custom products, but the system development service is commercially provided.

Advantages of Commercial Software

Implementation time

Cost

Reliability

Disadvantages of commercial Software

Independence

The need for customized systems

Maintenance & flexibility

LEGACY SYSTEM

A legacy system is an old, outdated system which continues to be used because it is difficult to replace.

The main reasons legacy systems continue to be used often include the cost of replacing them, and the significant time and effort involved in introducing a new system.

Legacy systems often require specialized knowledge to maintain them in a condition suitable for operation. This may leave an organization exposed should certain staff leave the organization. Legacy systems may also require data to be in a specific, possibly unusual, format. This can cause compatibility problems if other systems are replaced throughout an organization.

File conversion issues are common when replacing legacy systems, for example:

a) Establishing the formats of data files held on the legacy system.

b) Assessing the data held for accuracy and completeness.

c) Automated file conversion procedures may not be applicable due to system compatibility and data issues.

d) Ensuring transferred data is available in the required format for all applications that access it.

Examples of compatibility problems:

a) Hardware supplied by different manufacturers that cannot interact.

b) Data duplicated in different areas of the business as separate systems cannot use the same source.

c) Software that is unable to interact with other packages.
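Points a) to d) of the file conversion list, as an added example in Go (not code from these notes): a converter for a fixed-width export, with the record layout established in one place, every field checked for completeness and accuracy before the record is accepted, and rejected records reported by line number with a reason rather than silently dropped. The record layout, the customer records and the date format are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Layout of one 44-character record in the (constructed) legacy export:
// columns 1-6 customer id, 7-26 name (space padded), 27-36 balance in whole
// units (zero padded), 37-44 last-updated date as DDMMYYYY.
const recordLen = 44

// record builds one fixed-width line so the sample below has exact widths.
func record(id, name, balance, date string) string {
	return fmt.Sprintf("%-6s%-20s%10s%8s", id, name, balance, date)
}

// legacyExport is a constructed sample. Records 3 to 5 are deliberately bad:
// a blank balance, an impossible date and a truncated line.
var legacyExport = strings.Join([]string{
	record("000101", "Alpha Traders", "0000125000", "15032009"),
	record("000102", "Beta Supplies Ltd", "0000004550", "01112011"),
	record("000103", "Gamma Holdings", "", "20062012"),
	record("000104", "Delta Metals", "0000990000", "31022010"),
	"0001",
}, "\n")

// Customer is the target format: explicit types and an ISO 8601 date.
type Customer struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	Balance int64  `json:"balance"`
	Updated string `json:"updated"`
}

// Rejection documents why a record could not be converted, by line number.
type Rejection struct {
	Line   int
	Reason string
}

// parseRecord applies the layout and checks each field for accuracy and completeness.
func parseRecord(line string) (Customer, error) {
	if len(line) != recordLen {
		return Customer{}, fmt.Errorf("expected %d characters, got %d", recordLen, len(line))
	}
	id := line[0:6]
	name := strings.TrimSpace(line[6:26])
	balanceField := strings.TrimSpace(line[26:36])
	dateField := line[36:44]
	if name == "" {
		return Customer{}, errors.New("customer name is blank")
	}
	if balanceField == "" {
		return Customer{}, errors.New("balance is blank")
	}
	balance, err := strconv.ParseInt(balanceField, 10, 64)
	if err != nil {
		return Customer{}, fmt.Errorf("balance %q is not numeric", balanceField)
	}
	updated, err := time.Parse("02012006", dateField) // rejects impossible dates such as 31 February
	if err != nil {
		return Customer{}, fmt.Errorf("date %q is not a valid DDMMYYYY date", dateField)
	}
	return Customer{ID: id, Name: name, Balance: balance, Updated: updated.Format("2006-01-02")}, nil
}

// Convert runs the whole export through parseRecord, separating converted
// records from rejected ones so the rejections can be reviewed, never lost.
func Convert(export string) ([]Customer, []Rejection) {
	var accepted []Customer
	var rejected []Rejection
	for i, line := range strings.Split(export, "\n") {
		c, err := parseRecord(line)
		if err != nil {
			rejected = append(rejected, Rejection{Line: i + 1, Reason: err.Error()})
			continue
		}
		accepted = append(accepted, c)
	}
	return accepted, rejected
}

func main() {
	accepted, rejected := Convert(legacyExport)
	out, _ := json.MarshalIndent(accepted, "", "  ")
	fmt.Println(string(out))
	for _, r := range rejected {
		fmt.Printf("line %d rejected: %s\n", r.Line, r.Reason)
	}
}
```

Run against the sample, the converter accepts the first two records and rejects lines 3, 4 and 5 with a stated reason each. Reconciling the count of accepted plus rejected records against the record count of the legacy file is the completeness check an auditor would expect to see before the old system is decommissioned.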

SYSTEM DEVELOPMENT LIFECYCLE

The SDLC describes the stages a system moves through from inception until it is discarded or replaced:

Feasibility study

Systems investigation

Systems analysis

Systems design

Systems implementation

Review and maintenance

THE WATERFALL MODEL

This model breaks the systems development process into sequential stages, with the output from a stage forming the input to the following stage.

Each stage is divided into two parts: the actual work associated with the stage, followed by a procedure to check what has been done. Verification in this context is concerned with ensuring required specifications have been met. Validation is concerned with ensuring the system is fit for its operational role.


THE SPIRAL MODEL

The spiral model approach involves carrying out the same activities over a number of cycles in order to clarify requirements and solutions.

The development process starts at the centre of the spiral, where requirements are not well defined. System requirements are refined with each rotation around the spiral; the more complex the system, the greater the cost.

The model is divided into four quadrants.

(a) Top left: (i) objectives determined; (ii) alternatives and constraints identified.

(b) Top right: (i) alternatives evaluated; (ii) risks identified and resolved.

(c) Bottom right: (i) system development; (ii) covers the activities described in the waterfall model (including implementation).

(d) Bottom left: (i) the next phase in the development process is planned.

The spiral approach aims to avoid the problems of the waterfall model (lack of user involvement, long delays). It is usually used in conjunction with prototyping.

STRUCTURED SYSTEM ANALYSIS & DEVELOPMENT METHODOLOGY (SSADM)

A systems development methodology is a collection of procedures, techniques, tools and documentation aids which will help systems developers in their efforts to implement a new information system.

Characteristics of Methodologies

(a) Separation of logical and physical

(b) User involvement

(c) Diagrammatic documentation

(d) Data Driven

(e) Defined structure


THE STAGES OF SSADM

SSADM covers five stages from the early and middle stages of the systems development process. SSADM refers to stages as modules.

(i) Feasibility study: if the feasibility study is conducted under SSADM, it focuses on investigating system requirements and conducting a cost benefit analysis.

(ii) Requirements analysis: an analysis of current operations is followed by the development and presentation of options for the new system.

(iii) Requirements specification: this stage involves defining the data and processes that will be used in the new system. The systems specification document will be produced.

(iv) Logical system specification: this focuses initially on technical options for hardware and communications technology. Then the user interface and associated dialogue is designed. Logical rules for processing are established.

(v) Physical design: the logical data structure is converted to actual physical data specifications, for example database specifications.

ADVANTAGES OF SSADM

Detailed documentation is produced.

Standard methods allow less qualified staff to carry out some of the analysis work, thus cutting the cost of the exercise.

Using a standard development process leads to improved system specifications.

Systems developed in this way are easier to maintain and improve.

Users are involved with development work from an early stage and are required to sign off each stage.

The emphasis on diagramming makes it easier for relevant parties, including users, to understand the system than if purely narrative descriptions were used.

The structured framework of a methodology helps with planning. This allows control by reference to actual achievements rather than to estimates of progress.

A logical design is produced that is independent of hardware and software.


DISADVANTAGES OF SSADM

It is inappropriate for information of a strategic nature that is collected on an ad-hoc basis.

Its scope limits the impact on actual work processes or the social context of the system.

It encourages excessive documentation and bureaucracy.

PROTOTYPING

A prototype is a model of all or part of a system, built to show users early in the design process how it is envisaged the completed system will appear.

Prototyping enables programmers to write programs more quickly and allows the user to see a preview of the system that is envisaged.

ADVANTAGES OF PROTOTYPING

It makes it possible for the programmers to present a mock-up version of an envisaged system to users before a substantial amount of time and money has been committed.

The process facilitates the production of custom built application software rather than off the shelf packages which may or may not suit user needs.

Prototyping may speed up the design stage of the systems development lifecycle.

A prototype does not necessarily have to be written in the language of what it is prototyping, so prototyping is not only a tool, but a design technique.

DISADVANTAGES OF PROTOTYPING

Some prototyping tools are tied to a particular make of hardware, or a particular database system.

It is sometimes argued that prototyping tools are inefficient in the program code they produce, so that programs are bigger and require more memory than a more efficiently coded program.

Prototyping may help users to steer the development of a new system towards an existing system.

Prototyping tools encourage programmers to produce programs quickly, but to neglect program quality.


STRUCTURED WALKTHROUGHS

Structured walkthroughs are a technique used by those responsible for the design of some aspect of a system (particularly analysts and programmers) to present their design to interested user groups, in other words to walk them through the design. Structured walkthroughs are formal meetings, in which the documentation produced during development is reviewed and checked for errors or omissions.

Users are involved in structured walkthroughs because their knowledge of the desired system is more extensive than that of the systems development personnel. Walkthroughs are sometimes referred to as user validation.

SIGNING OFF WORK

At the end of each stage of development, the resulting output is presented to users for their approval. There must be a formal sign-off of each completed stage before work on the next stage begins. It clarifies responsibilities and leaves little room for later disputes.

(a) If the system developers fail to deliver something that both parties formally agreed to, it is the developers' responsibility to put it right, at their own expense, and compensate the user for the delay.

(b) If users ask for something extra or different that was not formally agreed to, the developers cannot be blamed, and the user must pay for further amendments and be prepared to accept some delay.

JOINT APPLICATION DEVELOPMENT

Joint application development (JAD) describes the partnership between users and system developers. The potential value to an organization may be as follows:

(i) It creates a pool of expertise comprised of interested parties from all relevant functions.

(ii) It reduces the risk of systems being imposed by systems personnel.

(iii) It increases user ownership and responsibility for systems solutions.

(iv) It emphasizes the information needs of users and their relationship to business needs and decision making.


DISADVANTAGES

(i) The relative inexperience of many users may lead to misunderstandings and possibly unreasonable demands or expectations of system performance.

(ii) The danger of a lack of coordination leading to fragmented, individual and possibly esoteric information systems.

RAPID APPLICATION DEVELOPMENT

Rapid application development (RAD) combines a less structured approach to systems development with the use of modern software tools such as prototyping. RAD also involves the end users heavily in the development process. To develop systems that provide competitive advantage it is often necessary to build and implement the system quickly.

COMPUTER AIDED SOFTWARE ENGINEERING TOOLS (CASE)

CASE tools are software tools used to automate some tasks in the development of information systems, e.g. generating documentation and diagrams. The more sophisticated tools facilitate software prototyping and code generation.

The range of facilities offered by CASE tools is:

(i) Project initiation: generate project schedules in various formats.

(ii) Analysis and design: produce diagrams (flowcharts, DFDs, ERMs); generate the data dictionary.

(iii) Design (logical & physical): produce system model diagrams and data structures.

(iv) Implementation: installation schedule; program code generator.

(v) Maintenance: version control; change specification & tracking.


UPPER CASE TOOLS (ANALYSTS' WORKBENCHES)

Upper CASE tools are geared towards automating tasks associated with systems analysis. They include:

(a) Diagramming tools that automate the production of diagrams using a range of modeling techniques.

(b) Analysis tools that check the logic, consistency and completeness of system diagrams, forms and reports.

(c) A CASE repository that holds all data and information relating to the system. The data dictionary records all data items held in the system and controls access to the repository. The dictionary will list all data entities, data flows, data stores, processes, external entities and individual data items.

LOWER CASE TOOLS (PROGRAMMERS' WORKBENCHES)

Lower CASE tools are geared towards automating tasks later in the development process (after analysis and design). They include:

(a) Document generators that automate the production of documents using a range of modeling techniques.

(b) Screen and report layout generators that allow prototypes of the user interface to be produced and amended quickly.

(c) Code generators that automate the production of code based on the processing logic input to the generators.

ADVANTAGES OF USING CASE TOOLS

(a) Document / diagram preparation and amendment is quicker and more efficient.

(b) Accuracy of diagrams is improved. Diagram drawers can ensure consistency of terminology and maintain certain standards of documentation.

(c) Prototyping is made easier, as re-design can be effected very quickly.

(d) Blocks of code can be re-used. Many applications incorporate similar functions and processes; blocks of software can be retained in a library and used (or modified) as appropriate.


CHAPTER 05

QUALITY ASSURANCE AND TESTING

QUALITY ASSURANCE

The concept of quality is concerned with "fitness for purpose". Quality may be defined as conformance to customer (user) needs.

High quality software should possess the following characteristics.

No major bugs

Whilst it is unrealistic to expect completely bug-free software, any bugs that significantly impact upon system effectiveness / efficiency should be fixed before a package is released.

Produced within budget

As with any purchase, software should be cost effective. A realistic budget for good quality software that will satisfy user requirements should be set, and then kept to.

Produced on time

Software impacts upon organizational activities. It is important therefore that plans are able to be made for the introduction of new software. Delays to this schedule will cause disruption.

Meets user needs and specification

Quality software must meet the requirements of users. It is vital therefore that user requirements are stated clearly and accurately early in the development process. It should also be user friendly.

Competitive & compatible with other products

Software production is a competitive market; a product that ignores trends in development is likely to become obsolete in a short period of time and may not be compatible with other software packages.

Produced according to "best practices"

There are widely accepted practices and procedures for producing software (e.g. documented program design). There are also internationally recognized standards (issued by the International Organization for Standardization, ISO) relating to software development. Using procedures that satisfy these standards should result in quality software.

APPROACHES TO QUALITY

(a) Quality management

(b) Quality assurance

(c) Quality control

QUALITY MANAGEMENT

Quality management is concerned with controlling activities with the aim of ensuring that products or services are fit for their purpose, and meet specifications. Quality management encompasses quality assurance and quality control. The essence of quality management is that quality should be built into all processes and materials used within an organization, with the ultimate aim of no substandard output.

Holmes proposes an eight stage model for implementing quality management.

1) Find out the problems (e.g. from customers and employees).

2) Select action targets from the number of improvement projects identified, on the basis of costs, safety, importance and feasibility (with current resources).

3) Collect data about the problem.

4) Analyse data by a variety of techniques to assess common factors behind the data, to tease out any hidden messages the data might contain.

5) Identify possible causes (e.g. using brainstorming sessions); no ideas are ruled out of order.

6) Plan improvement action. Significant help might be required.

7) Monitor the effects of the improvement.

8) Communicate the results.

QUALITY ASSURANCE

Quality assurance schemes involve a supplier guaranteeing the quality of goods or services supplied. Procedures and standards are devised with the aim of ensuring defects are eliminated. As quality has been built in, routine inspection of goods after production should not be required.


QUALITY CONTROL

Quality control is concerned with checking and reviewing work that has been done. Quality control therefore has a narrower focus than quality assurance. Quality control focuses on the product or service produced, rather than the production procedures.

Quality control involves establishing standards of quality for a product or service, implementing procedures that are expected to produce products of the required standard in most cases, and monitoring output to ensure substandard output is rejected or corrected.

THE COST OF QUALITY

Quality involves four types of cost:

(a) Prevention costs are costs incurred to ensure the work is done correctly, for example ensuring the system design is correct before beginning production. Prevention costs are the cost of avoiding poor quality.

(b) Appraisal costs are the costs of inspecting and testing, for example design reviews, structured walkthroughs and program testing.

(c) Internal failure costs are the costs of correcting defects discovered before the system is delivered.

(d) External failure costs are the costs arising to fix defects discovered after the system has been delivered.

QUALITY ASSURANCE TEAM

Quality assurance teams work independently of the development team. This structure assures the independence of the work of the QA team. The manager of the QA function should report directly to the executive.

FUNCTIONS OF QA TEAM

1. To develop quality goals for the information systems function overall and to assist in the development of quality goals for specific information systems.

2. To develop, promulgate and maintain IS standards.

3. To monitor compliance with standards.

4. To identify areas of improvement.

5. To report to management: regular reports on compliance with general standards and specific standards must be prepared.

6. To train all other IS personnel in QA standards and procedures.


TOTAL QUALITY MANAGEMENT (TQM)

TQM involves and empowers the entire workforce to improve the quality of goods and services actively and continuously.

TQM is a system of continuous improvement employing participative management and centred on the needs of customers. TQM is a strategic, integrated management system for achieving customer satisfaction. It is a comprehensive, customer focused system that many organizations are adopting to improve the quality of their products and services.

KEY ELEMENTS OF TQM

1. Process focus: reduce process variation and achieve continuous process improvement.

2. Customer focus: studying customers' needs and managing customer satisfaction.

3. Measurement and analysis: a goal-oriented measurement system.

4. Human side of quality: create a companywide quality culture through leadership, total participation, employee empowerment and other social, psychological and human factors.

Quality management is the means by which IS department based processes are controlled, measured and improved.

Areas of control for quality management include:

i) Software development, maintenance and implementation.
ii) Acquisition of hardware and software.
iii) Day-to-day operations.
iv) Security.
v) Human resource management.
vi) General administration.

Insistence on observance of processes and procedures is key to the effectiveness and efficiency of the IS organization. Various standards have emerged to assist IS organizations in achieving an operational environment that is predictable, measurable and repeatable.

Examples:

The ISO 9000 series, which governs software development processes.

The ISO 9126 standard, which focuses on the end result of good software processes, i.e. the quality of the actual software product.

The Capability Maturity Model developed by the Software Engineering Institute at Carnegie Mellon University.

STAGES OF TESTING

A system must be thoroughly tested before implementation. A system that is not thoroughly tested may go live with faults that cause disruption and prove costly. The scope of tests and trials will vary depending on the size and purpose of the system.

Four basic stages of testing can be identified:

system logic testing,
program testing,
system testing and
user acceptance testing.

TESTING SYSTEM LOGIC

Before any programs are written, the logic devised by the systems analyst should be checked. This process would involve the use of flow charts or structure diagrams such as data flow diagrams.

The paths of different types of data and transactions are manually plotted through the system, to ensure all possibilities have been catered for and that the processing logic is correct. When all results are as expected, programs can be written.

PROGRAM TESTING

Program testing involves processing test data through all programs. Test data should be of the type that the program will be required to process and should include invalid/exceptional items to test whether the program reacts as it should. Program testing should cover the following areas:

a) Input validity checks
b) Program logic and functioning
c) Interfaces with related modules / systems
d) Output format and validity

The testing process should be fully documented, recording data used, expected results, actual results and action taken. Two types of program testing are unit testing and unit integration testing.

UNIT TESTING

Means testing one function or part of a program to ensure it operates as intended.

UNIT INTEGRATION TESTING

Involves testing two or more software units to ensure they work together as intended. The output from unit integration testing is a debugged module.

SYSTEM TESTING

When it has been established that individual programs and interfaces are operating as intended, overall system testing should begin. System testing should extend beyond areas already tested, to cover:

a) Input documentation and the practicalities of input, e.g. time taken.
b) Flexibility of the system to allow amendments to the 'normal' processing cycle.
c) Ability to produce information on time.
d) Ability to cope with peak system resource requirements, e.g. transaction volumes, staffing levels.
e) Viability of operating procedures.

System testing will involve testing both before installation (known as off-line testing) and after implementation (on-line testing).

USER ACCEPTANCE TESTING

User acceptance testing is carried out by those who will use the system to determine whether the system meets their needs. These needs should have previously been stated as acceptance criteria. The aim is for the customer to determine whether or not to accept the system.

Users process test data, system performance is closely monitored and users report how well they feel the system meets their needs. Test data may include some historical data, because it is then possible to check results against the 'actual' output from the old system.

METHODS OF TESTING

(a) Static analysis test
(b) Dynamic analysis test

(A) STATIC ANALYSIS TEST

This test evaluates the quality of a module through a direct inspection of the source code. Some important types of static analysis checks follow:

(i) Desk checking: desk checking involves the programmer examining the source code for verification of errors or any irregularities, e.g. the programmer might look for syntax errors, logical errors or variation from coding standards.

(ii) Structured walkthrough: a structured walkthrough is a type of checking in which the programmer who is responsible for the development of the module leads the other programmers through the module in order to detect errors. The group responsible for the review is comprised of independent programmers.

(iii) Design and code inspections: for design and code inspections a special team, led by an experienced moderator, is composed to conduct a review of the program module. A proper checklist is used to conduct the review and the results are documented, which is followed by correction of the module to ensure the correctness of the program.

(B) DYNAMIC ANALYSIS TEST

This type of test requires modules to be executed on the machine and can be classified into the following two types:

(i) Black box test: in this type of test, test cases are designed based on the requirements specification of the module. These test cases are executed to establish divergence from requirements.

(ii) White box test: in this kind of test, test cases are designed and conducted after examining the internal logic of the module.

OPERATION AND MAINTENANCE TEST

A system becomes operational when it is released for the daily use of the organization. Monitoring the performance of the system is then a continuous process. Over a period of time the system has to be maintained to keep its functionality up to date with changing organizational requirements. Three types of maintenance are conducted.

(a) Repair maintenance

In which program errors are corrected which were overlooked in the earlier tests or which arise after the program is implemented and becomes functional.

(b) Adaptive maintenance

In which the program is modified to meet changing user requirements. These requirements might include business requirements or changes in technology.

(c) Perfective maintenance

In which the program is tuned to decrease resource consumption so that both the efficiency and effectiveness of the program can be improved.

COMPUTER AIDED SOFTWARE TESTING (CAST)

Automated testing tools are sometimes referred to as computer aided software testing (CAST) tools. These are products that can automate a variety of tasks, including:

(a) Executing various command combinations and recording the results.

(b) Testing software in a variety of operating environments and comparing the results.

(c) The debugging of some ‘obvious’ programming errors.

(d) Facilities to track and document all testing and quality assurance information.

BETA VERSION

Commercial software producers often carry out user acceptance testing through the use of beta versions of software. A beta version is an almost finalized package that has been tested in controlled conditions but has not been used in the field. Some users are prepared to use beta versions and report any remaining bugs.

LIMITATIONS OF SOFTWARE TESTING

Poor testing process

The test plan may not cover all areas of system functionality. Testers may not be adequately trained. The testing process may not be adequately documented.

Inadequate time

Software and systems are inevitably produced under significant time pressures. Testing time is often squeezed to compensate for project overruns in other areas.

Future requirements not anticipated

The test data used may have been fine at the time of testing, but future demands may be outside the range of values tested. Testing should allow for future expansion of the system.

Inadequate test data

Test data should test positively, checking that the software does what it should do, and test negatively, checking that it doesn’t do what it shouldn’t. It is difficult to include the complete range of possible input errors in test data.
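As an added example (not from the notes), the Python below runs one set of positive and negative test data against two versions of a hypothetical transaction-amount validator, showing which input errors the weaker version lets through. The validator names, the amount format and the test cases are assumptions made for the illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed test data (hypothetical): (input text, should the validator accept it?)
# Positive cases check the validator does what it should; negative cases check
# that it does not do what it should not.
TEST_CASES = [
    ("12.50", True),          # ordinary amount with two decimal places
    ("7", True),              # whole-number amount
    ("999999999.99", True),   # largest amount the assumed format allows
    ("-5", False),            # negative amount
    ("0", False),             # zero amount
    ("nan", False),           # not-a-number literal
    ("inf", False),           # infinity literal
    ("1e3", False),           # exponent notation
    ("12.345", False),        # too many decimal places
    (" 12.50 ", False),       # surrounding whitespace
    ("12.50\n", False),       # trailing newline, as from a badly trimmed record
    ("", False),              # empty field
    ("abc", False),           # non-numeric text
    ("\u0661\u0662", False),  # Arabic-Indic digits, an input class easy to forget
]


def parse_amount_naive(text):
    """Hypothetical first version: relies on float() and a sign check only."""
    value = float(text)          # float() accepts nan, inf, 1e3, whitespace, Unicode digits
    if value <= 0:               # nan <= 0 is False, so nan slips through here
        raise ValueError("amount must be positive")
    return round(value, 2)       # silently rounds 12.345 instead of rejecting it


# Only ASCII digits, at most nine before the point, exactly two after it if any.
AMOUNT_RE = re.compile(r"[0-9]{1,9}(\.[0-9]{2})?")


def parse_amount_strict(text):
    """Hardened version: the whole string must match the expected format."""
    if AMOUNT_RE.fullmatch(text) is None:   # fullmatch, so a trailing newline fails
        raise ValueError("amount not in expected format")
    value = Decimal(text)                    # exact decimal, no binary rounding
    if value <= 0:
        raise ValueError("amount must be positive")
    return value


def run_suite(parser, cases):
    """Return the inputs for which the parser's accept/reject behaviour differs
    from what the test data expects (an empty list means every case passed)."""
    failures = []
    for text, should_accept in cases:
        try:
            parser(text)
            accepted = True
        except (ValueError, InvalidOperation):
            accepted = False
        if accepted != should_accept:
            failures.append(text)
    return failures


if __name__ == "__main__":
    for name, parser in (("naive", parse_amount_naive), ("strict", parse_amount_strict)):
        print(f"{name}: unexpected results for {run_suite(parser, TEST_CASES)!r}")
```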

Software changes inadequately tested

System / software changes made as a result of testing findings, or for other reasons, may not be adequately tested as they were not in the original test plan.


Chapter 06

POST IMPLEMENTATION ISSUES

THE POST IMPLEMENTATION REVIEW REPORT

The findings of a post-implementation review team should be formalized in a report.

a) A summary of their findings should be provided, emphasizing any areas where the system has been found to be unsatisfactory.

b) A review of system performance should be provided. This will address matters such as run times and error rates.

c) A cost-benefit review should be included, comparing the forecast costs and benefits identified at the time of the feasibility study with the actual costs and benefits.

d) Recommendations should be made as to any further action or steps which should be taken to improve performance.

THE CAUSES OF SYSTEM MAINTENANCE

Besides environmental changes, three factors contribute to the need for maintenance.

Error:

It is likely that bugs will exist in a newly implemented system. The effect of errors can obviously vary enormously.

Constraints:

Cost constraints may have meant that certain requested features were not incorporated. Time constraints may have meant that requirements suggested during development were ignored in the interest of prompt completion.

Changes in requirements:

Although users should be consulted at all stages of system development, problems may arise after a system is implemented because users may have found it difficult to express their requirements, or may have been concerned about the future of their jobs and not participated fully in development.


Poor Documentation:

If old systems are accompanied by poor documentation, or even a complete lack of documentation, it may be very difficult to understand their programs. It will be hard to update or maintain such programs. Programmers may opt instead to patch up the system with new applications using newer technology.

System Change Procedure

Systems should be built with a certain amount of flexibility that allows changes to be made in the future to cope with different demands. Changing a system carries the same risks associated with the initial system development, so system changes should pass through a formal change procedure.

COMPONENTS OF A FORMAL SYSTEM CHANGE PROCEDURE

(a) Raise the change request.

(b) Evaluate the impact of the requested change.

(c) Specify the change request.

(d) Regression, system and acceptance testing.

(e) Implement the change.

IN-HOUSE MAINTENANCE

With large computer systems, developed by the organization itself, in-house systems analysts and programmers might be given the responsibility for software maintenance.

To ensure the maintenance is carried out efficiently, the principles of good programming practice should be applied.

(a) Any change must be properly authorized by a manager in the user department.

(b) The new program requirement must be specified in full and in writing. These specifications will be prepared by the systems analyst. A programmer should use these of the program.

(c) In developing a new program version, a programmer should keep working papers. He can refer back to these papers later to check in the event that there is an error in the new program or the user of the program asks for further changes to the program.


(d) The new program version should be tested when it has been written. A programmer should prepare test data and establish whether the program will process the data according to the specification given by the systems analyst.

(e) Provision should be made for further program amendments in the future. One way of doing this is to leave space in the program instruction numbering sequence for new instructions to be inserted later.

(f) A record should be kept of all program errors that are found during live processing and of the corrections that are made to the program.

(g) Each version of a program should be separately identified, to avoid a mix-up about which version of a program should be used for live operation.

OFF THE SHELF SOFTWARE MAINTENANCE

With ready-made software, the software house or supplier is likely to issue a new version of the package if significant changes are required.

MAINTENANCE CONTRACTS

There is also likely to be an agreement between the supplier of the software and the customer for the provision of a software support service. A maintenance contract typically includes the following services:

(a) Help (telephone calls or visits to office premises)

(b) Information (magazine to subscribers, case studies)

(c) Updates (free or discounted updates)

(d) Upgrades (heavy discounts to subscribers)

(e) Legal conditions (termination of contract, use of hardware, prohibitions on making copies)

HARDWARE MAINTENANCE

Computer hardware should be kept serviced and maintained too. Maintenance services are provided by:

(a) The computer manufacturers.

(b) Third-party maintenance companies.

It may be obtained on a contract or an ad hoc basis.


END-USER DEVELOPMENT

End-user development is the direct, hands-on development of computer systems by users. Accounts staff designing and using complex spreadsheet models is an example of end-user computing. While these programs may work, they will be very difficult to modify and they will very often be the personal property of the individual who developed the system, with no wider use.

DISADVANTAGES:

i) A great deal of time and energy goes into producing inefficient programs which are unusable by anyone other than their developer.

ii) The risk from the elimination of the separation of the functions of user and analyst.

iii) The risk from lack of user knowledge and acceptance of application quality assurance procedures for development and operation.

iv) The risk from limits on user ability to identify correct and complete requirements for an application.

v) The risk from unstable user systems.

vi) The risk from encouraging private information systems.

vii) The risk from permitting unstructured information systems development.

USER GROUPS

A user group is a forum for users of particular hardware or, more usually, software, so that they can share ideas and experience.

Users of a particular package can meet, or perhaps exchange views over the internet, to discuss solutions, ideas or short cuts to improve productivity. An electronic newsletter service might be appropriate, based on views exchanged by members, but also incorporating ideas culled from the wider environment by IT specialists.

Interested parties, including as a minimum a representative from the IT department and users who are familiar with different parts of the system, can attend monthly or quarterly meetings to discuss the operation of the system, make suggestions for improvements and raise any queries.


COST BENEFIT REVIEW

A cost-benefit review is similar to a cost-benefit analysis, except that actual data can be used.

Categories of cost-benefit review:

Direct Benefits

Might include reduced operating costs, for example lower overtime payments.

Indirect Benefits

Might include better decision making and the freeing of human “brainpower” from routine tasks so that it can be used for more creative work.

Development Costs

Include systems analysts’ costs and the cost of time spent by users in assisting with fact-finding.

Implementation Costs

Would include costs of site preparation and costs of training.

Running Costs

Include maintenance costs, software leasing costs and on-going user support.

EFFICIENCY

Efficiency can be measured by considering the resource input into, and the output from, a process or an activity.

An entity uses resources such as staff, money and materials. If the same activity can be performed using fewer resources, for example fewer staff or less money, or if it can be completed more quickly, the efficiency of the activity is improved. An improvement in efficiency represents an improvement in productivity.

EFFECTIVENESS

Effectiveness is a measurement of how well the organization is achieving its objectives.

It focuses primarily on the relationship of the organization with its environment. For example, automation might be pursued because it is expected that the company will be more effective at increasing market share or at satisfying customer needs. Recent trends are more towards the development of “front office” systems, for example to improve an organization’s decision-making capability or to seek competitive advantage. This approach seeks to improve the effectiveness of the organization.

METRICS

Metrics are quantified measurements used to measure system performance. The use of metrics enables system quality to be measured and problems to be identified early. Examples of metrics include system response time, the number of transactions that can be processed per minute, the number of bugs per hundred lines of code and the number of system crashes per week.

Many facets of system quality are not easy to measure statistically (e.g. user friendliness). Indirect measurements such as the number of calls to the help desk per month can be used as an indication of overall quality / performance.

COMPUTER BASED MONITORING

Systems evaluation may use computer based monitoring. Four methods used are:

HARDWARE MONITORS:

Hardware monitors are devices which measure the presence or absence of electrical signals in selected circuits in the computer hardware. They might measure idle time or levels of activity in the CPU, or peripheral activity. Data is sent from the sensors to counters which periodically write it to disk or tape.

A program will then analyze the data and produce an analysis of findings as output. It might identify, for example, inefficient co-ordination of processors and peripherals, or excessive delays in writing data to backing storage.

SOFTWARE MONITORS:

Software monitors are computer programs which interrupt the application in use and record data about it. They might identify, for example, excessive waiting time during program execution. Unlike hardware monitors, they may slow down the operation of the program being monitored.


SYSTEM LOGS

Many computer systems automatically log details, for example job start and finish times, or which employee has used which program and for how long. The system log can therefore provide useful data for analysis.

a) Unexplained variations in job running times might be recorded.

b) Excessive machine down-time is sometimes a problem.

c) Mixed workloads (large and small jobs) might be scheduled inefficiently.
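As an added example (not from the notes), the Python below runs two of the checks above over a constructed system log: it flags job runs whose running time is far from the norm for that job, reports idle periods long enough to suggest down-time, and totals each user's program usage. The log format, the job and user names and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

LOG_TIME_FORMAT = "%H:%M"

# Constructed sample log (hypothetical): one run per line, job,user,start,end,
# all on the same day. The last line has an end time before its start time and
# is treated as a corrupt record.
SAMPLE_LOG = """\
PAYROLL,alice,08:00,08:30
PAYROLL,alice,09:00,09:32
PAYROLL,bob,10:00,11:45
INVOICE,carol,12:00,12:05
INVOICE,carol,14:30,14:36
INVOICE,dave,15:00,15:05
LEDGER,bob,15:10,14:50
"""


def parse_log(text):
    """Return job records sorted by start time; blank, comment or malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue
        job, user, start_s, end_s = parts
        try:
            start = datetime.strptime(start_s, LOG_TIME_FORMAT)
            end = datetime.strptime(end_s, LOG_TIME_FORMAT)
        except ValueError:
            continue
        if end < start:          # single-day log, so this cannot be a real run
            continue
        minutes = (end - start).seconds // 60
        records.append({"job": job, "user": user, "start": start, "end": end, "minutes": minutes})
    records.sort(key=lambda r: r["start"])
    return records


def flag_runtime_variations(records, factor=2.0):
    """Check a): runs that took more than `factor` times the median time for that job."""
    by_job = defaultdict(list)
    for r in records:
        by_job[r["job"]].append(r["minutes"])
    flagged = []
    for r in records:
        times = by_job[r["job"]]
        med = median(times)
        if len(times) > 1 and r["minutes"] > factor * med:
            flagged.append((r["job"], r["user"], r["minutes"], med))
    return flagged


def find_idle_gaps(records, threshold_minutes=60):
    """Check b): periods with no job running that exceed the threshold (possible down-time)."""
    gaps = []
    latest_end = None
    for r in records:
        if latest_end is not None and r["start"] > latest_end:
            gap = (r["start"] - latest_end).seconds // 60
            if gap > threshold_minutes:
                gaps.append((latest_end.strftime(LOG_TIME_FORMAT),
                             r["start"].strftime(LOG_TIME_FORMAT), gap))
        if latest_end is None or r["end"] > latest_end:
            latest_end = r["end"]
    return gaps


def usage_by_user(records):
    """Total minutes each user spent running programs (who used what, and for how long)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["minutes"]
    return dict(totals)


if __name__ == "__main__":
    runs = parse_log(SAMPLE_LOG)
    print("runtime outliers:", flag_runtime_variations(runs))
    print("idle gaps over 60 min:", find_idle_gaps(runs))
    print("minutes per user:", usage_by_user(runs))
```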

HYBRID MONITOR

A hybrid monitor has hardware, software and perhaps firmware components. These components can be configured in many different ways. For example, software and firmware probes can detect events and write them to a hardware interface. An external device then reads, processes, stores and presents the data written to the hardware interface. Thus, a hybrid monitor can detect both software and hardware related events. They are sometimes difficult to use, however, because the measurements taken by the software component and the measurements taken by the hardware component must be coordinated.

Performance measurement data can be presented using either tables or charts. Two types of charts that are often used to present performance measurement data are:

a) Gantt charts:

Gantt charts use horizontal bars to show the percentage utilization of a resource and the extent of overlap of resource utilization among a number of resources.

b) Kiviat graphs:

Kiviat graphs present performance measurement results so that problems with performance can be recognized easily. They use radial axes in a circle to plot performance measurement results. The shape of the resulting plot can be used to determine the extent to which the system is balanced in terms of its resource utilization.

Auditors should have two concerns about data integrity whenever performance monitors are used:

a) First, they should determine whether the monitor has been installed correctly in the target system. They must evaluate the integrity of the measurements made by the monitor and the integrity of the target system processes after instrumentation.

b) Second, auditors must try to determine whether a monitor has been used to violate data integrity. They should evaluate whether there has been unauthorized use of the monitor to breach data privacy.

INDIRECT MEASURES TO EVALUATE SYSTEM PERFORMANCE

a) Significant task relevance attempts to observe the results of system use. For example, document turnaround times might have improved following the acquisition of a document image processing system, or minutes of meetings might be made available and distributed faster following the addition of a company secretarial function to a LAN.

b) The willingness of users to pay might give an indication of value. A charge-out mechanism may provide an indication of how much users would be prepared to pay in order to gain the benefits of a certain upgrade, e.g. availability of a particular report.

c) System logs may give an indication of the value of the system if it is a voluntary-use system, such as an external database.

d) User information satisfaction is a concept which attempts to find out, by asking users, how they rate their satisfaction with a system. They may be asked for their views on timeliness, quality of output, response times, processing and their overall confidence in the system.

e) The adequacy of system documentation may be measurable in terms of how often manuals are actually used and the number of errors found or amendments made.

PERFORMANCE REVIEWS

Performance reviews can be carried out to look at a wide range of system functions and characteristics. Technological change often gives scope to improve the quality of outputs or reduce the cost of inputs.

Performance reviews will vary in content from organization to organization, but the matters which will probably be looked at are as follows:

a) The growth rates in file sizes and the number of transactions processed by the system. Trends should be analyzed and projected to assess whether there are likely to be problems with lengthy processing times or an inefficient file structure due to the volume of processing.

b) The clerical manpower needs for the system, and deciding whether they are more or less than estimated.

c) The identification of any delays in processing and an assessment of the consequences of any such delays.

d) An assessment of the efficiency of security procedures, in terms of the number of breaches and the number of viruses encountered.

e) A check of the error rates for input data. High error rates may indicate inefficient preparation of input documents, an inappropriate method of data capture or poor design of input media.

f) An examination of whether output from the computer is being used to good purpose. (Is it used? Is it timely? Does it go to the right people?)

g) Operational running costs, examined to discover any inefficient programs or processes. This examination may reveal excessive costs for certain items although in total the cost may be acceptable.

COMPUTER SYSTEMS EFFICIENCY AUDITS

Computer systems efficiency audits are concerned with improving outputs from the system and their use and / or reducing the costs of system inputs. With falling costs of computer hardware and software, and continual technological advance, there should often be scope for improvements in computer systems.

a) Outputs from a computer system

(i) More output of some value could be produced by the same input resources, e.g. process more transactions per minute, produce better quality management information (sensitivity analysis), make information available to more people.

(ii) Outputs of little value could be eliminated from the system, thus making savings in the cost of inputs, processing and handling, e.g. reports produced too frequently could be produced less often, distribution lists could be shortened, report sizes could be reduced.

(iii) The timing of outputs could be better. Computer systems could give managers immediate access to the information they require, by means of file enquiry or special software (such as databases, or spreadsheet modeling packages).

(iv) It might be found that outputs are not as satisfactory as they should be, perhaps because access to information from the system is limited, and could be improved by the use of a database and network system.

Available outputs may be restricted because of the method of data processing used (e.g. batch processing instead of real-time processing) or the type of equipment used (e.g. stand-alone PCs compared with client / server systems).

b) Inputs to a computer system

The efficiency of a computer system could be improved if the same volume and frequency of output could be achieved with fewer input resources, and at less cost.

(i) Multi-user or network systems might be more efficient than stand-alone systems. Multi-user systems allow several input operators to work on the same file at the same time. If one operator has a heavy workload and another is temporarily short of work, the person who has some free time can help his or her busy colleague, thus improving operator efficiency.

(ii) Real-time systems might be more efficient than batch processing.

(iii) Using more up-to-date software.

(iv) Using computers and external storage media with bigger storage capacity. A frequent can be very long and tedious. Computer systems with better backing storage facilities can reduce this operator waiting time, and so be more efficient.

Management might also wish to consider whether time spent checking and correcting input data can be eliminated. An alternative method of input might be chosen, e.g. bar codes and scanners eliminate input errors.


CHAPTER 07

ORGANIZING THE IT FUNCTION

INVITATION TO TENDER (ITT)

An invitation to tender (ITT) sets out the specification for the required system, explaining how it is to be used and setting out the timescale for implementation. It will set out the performance required of the new system.

An organization may issue an ITT to a range of suppliers. It would give some background information about the company, together with an indication of the purpose of the system and details of requirements such as:

a) The volume of data to be processed.

b) The complexity of processing requirements (including interfaces with other systems).

c) The number of offices or individual people who will want to access the computer system, and whether access needs to be instant or not.

d) The speed of processing required, e.g. response times.

e) Inputs and outputs desired.

f) The type of file processing needed.

g) Estimated life of the system.

h) Possible upgrades or expansion anticipated.

Details about the company should relate to its present organization structure, the nature and size of its business and its plans for future expansion.

General Matters

a) Contact name within the company.

b) Financial constraints.

c) The form that submissions are to take.

d) The closing date for submission of tenders.

e) The address to which tenders should be sent.


Responses to ITT

Sending of standard brochures and price lists.

Offers to visit the organization’s site and provide a free demonstration of equipment and its capabilities.

FINANCING METHODS

The financing decision can be an important consideration in the choice of hardware or software. Failure to make the right choice can lead to serious consequences, financially and operationally.

There are various financing options.

a) Purchasing

b) Leasing

c) Renting / Rental

d) Outsourcing / Facilities management

An outright purchase may be funded from one of three sources:

a) Cash or working capital from within the organization.

b) A new loan or other borrowing.

c) Credit from a finance house, in the form of a hire-purchase agreement.

EVALUATION OF SUPPLIER PROPOSALS

Once supplier proposals have been obtained, they must be evaluated. Evaluation becomes very complicated if there is any doubt about the system’s performance, as this may necessitate a test of the system. The variety of responses may make a direct comparison of different tenders difficult.

The supplier will usually try to match the customer’s profile with that of an existing customer to demonstrate that the system can handle such a workload. However, if the application is unusual or new, this will not be possible, and so a formal evaluation using benchmarking and simulation tests will be necessary.


BENCHMARK TESTS

Benchmark tests test how long it takes a machine to run through a particular set of programs.

One way of comparing computing power is to conduct benchmark tests. A more powerful machine will do the processing more quickly. There is some concern that some benchmark tests created by manufacturers are designed to give the most favorable result to their products. Also, it may be hard to say that one computer performs better than another, as it may depend on the application used.

These tests are carried out to compare the performance of a piece of hardware or software against pre-set criteria. Typical criteria which may be used as benchmarks include:

Speed of performance of a particular operation;

Acceptable volumes before a degradation in response times is apparent;

General user-friendliness of equipment.

These do not have to be objective, though clearly with subjective tests, such as user-friendliness, it may be harder to reach definitive conclusions.

Software can also be benchmarked. An organization might try out a series of different packages on its own existing hardware to see which performed the best in terms of speed of response, ability to process different volumes of transactions, reporting capabilities and so on.

SIMULATION TESTS

Simulation testing uses synthetic programs written specifically for testing purposes and incorporating routines designed to test a variety of situations. Such programs are particularly appropriate for testing PCs, which generally execute one program step at a time. However, carrying out simulation tests on larger computers is more complex, as multiple jobs are usually processed at the same time and realistic operating conditions must be created.


Consideration of other features of the proposal

i) Supplier reliability

ii) Cost

iii) Utility software

iv) Warranty & maintenance

v) Software support

vi) Training

vii) Keeping the package up-to-date

INFORMATION SYSTEM MANAGER AS LIAISON

Liaison between information systems professionals and the rest of the organization is a key role. Such a function includes the following:

i) Provision of technical assistance.

ii) Informal discussion with users as to their needs before detailed feasibility studies are carried out, which can also include discussions as to the payoffs of a particular IS investment.

iii) Advice on the impact of information systems on organizational structure, working environment and so forth.


CHAPTER 08

SUPPLY CHAIN MANAGEMENT & ENTERPRISE RESOURCE PLANNING

SUPPLY CHAIN MANAGEMENT

Supply chain management is concerned with the total management of the supply chain. Without the right companies up and down the supply chain to work with, a company will never achieve true competitive advantage.

Typically, SCM will attempt to centrally control or link the production, shipment and distribution of a product. By managing the supply chain, companies are able to cut excess fat and provide products faster. This is done by keeping control of internal inventories, internal production, distribution, sales and the monitoring of the company’s product purchasers.

STRATEGIC GROWTH OPPORTUNITIES FOR SUCCESSFUL GROWTH COMPANIES

Customer Franchise Management

Growth companies focus selectively and aggressively on developing and managing the most profitable customers. They constantly strive to know everything about those customers and their needs and serve those needs with intense dedication. They realize that growth flows from the acquisition, development and retention of profitable customers.

New products / services development strategy

Growth companies become exceptionally effective at rapidly developing new products and services that offer superior value to customers. Companies that consistently bring the best new products to market can fuel significant growth. Frequent and rapid introduction of new products would be impractical without agile supply chains.


Channel Management

Growth companies find, develop and continually review the most effective ways to connect customer segments with their products and services. Some companies have grown by creatively using alternative distribution channels, and in many instances developing multi-channel strategies. The exploitation of e-commerce opportunities has in many cases resulted in significant growth opportunities.

PRE-REQUISITES FOR GROWTH

VALUE

Comparatively superior value as defined by your customer.

A product or service is competitively superior if it provides the highest value as defined by the customer at the right price. Growth champions invest vast resources in identifying how to create and increase value.

Expand your customer service research to comprehensively understand how your customers define, achieve and measure success, including growth.

Assess all customer service offerings in terms of how they contribute to customer business and growth plans.

Measure the effectiveness and efficiency of your customer service programs on the basis of your customer’s success.

Communicate the success principles to your customers, and make them the basis of your relationship. Explain how your service benefits them.

Become indispensable to your customer. Provide so much value that there would be virtually no advantage in bringing in a new supplier.

ECONOMICS

Comparatively superior economics across the value chain

The supply chain must be aligned with the customer’s and the organization’s growth strategy. Tradeoffs among the logistics cost components exist along the supply chain, e.g. higher service levels vs higher inventory holding costs.

Define the company’s supply chain as broadly as possible.

Understand the economic levers (drivers).

Be more agile in order to adapt to the changing market place.

Requirements are faster information flows, reduced cycle times, flexible production, minimal inventories and integrated inter-company supply chains.


EXECUTION

Consistently superior strategy execution via organizational alignment

Through process re-definition and a horizontal management structure, supply chain management can integrate interdependent processes and their supporting internal specializations (such as sales and production) with external customers and suppliers.

Companies must serve the customer through horizontal processes. Horizontal processes cross traditional functional disciplines within organizations and even go beyond formal organizational boundaries to include customers, suppliers and other stakeholders.
Process owners, teams and individuals are driven by customer accountability. They must be given the responsibilities needed to support the efficient management of processes.
People must have the attitude, skills and behaviours required to sustain horizontal processes. Human performance systems and organizational culture become critical enablers. Key goals include attracting, developing, leveraging and retaining top talent across the organization and fostering a culture of process excellence.
Information enables horizontal integration and adaptive learning. Real-time access to information enables the effective and efficient management of processes.

RESISTANCE TO CHANGE

A clear vision communicated to all levels.
Participation: people support the change if they participate in its creation.
Alignment of performance measures and reward systems with the growth strategy.

MANAGEMENT CONCERNS IN SCM

Logistics strategy development and implementation
Logistics network optimization
Logistics performance measurement
Sales forecasting
Logistics support for marketing activities
Purchasing and procurement strategies
Inventory levels and development
Warehouse / facility location
Transport cost
Fleet size
Vehicle scheduling
Logistics MIS

Universal logistics success factors

Market-driven customer service strategy
Optimum logistics cost and investment
Logistics management information systems
Logistics organization structure

Customer service elements

Product availability (order fill)
Length of order cycle time
Consistency of order cycle time
Invoice / billing procedure / accuracy
Information request responsiveness
Distance to supplier warehouse
Special customer requests
Frequency of damaged goods
Quality of order department
Emergency coverage
On-time delivery

ENTERPRISE RESOURCE PLANNING (ERP)

Enterprise resource planning (ERP) is an industry term for integrated, multi-module application software packages that are designed to serve and support multiple business functions.

FEATURES OF ERP

ERP facilitates a companywide integrated information system covering all functional areas like manufacturing, selling and distribution, payables, receivables, inventory, accounts, human resources, purchases etc.
ERP performs core corporate activities and increases customer service, thereby augmenting the corporate image.
ERP bridges the information gap across the organization.
ERP provides for complete integration of systems not only across the departments in a company but also across the companies under the same management.
ERP is the only solution for better project management.
ERP allows automatic introduction of the latest technologies like EFT, EDI, Internet, Intranet, video conferencing, e-commerce etc.
ERP eliminates most of the business problems like material shortages, productivity enhancements, customer service, cash management, inventory problems and quality problems.
ERP not only addresses the current requirements of the company but also provides the opportunity of continually improving and refining business processes.
ERP provides business intelligence tools like decision support systems (DSS), executive information systems (EIS), reporting, data mining and early warning systems (robots) for enabling people to make better decisions and thus improve their business processes.

COMPONENTS OF ERP

Sales and marketing
Master scheduling
Material requirement planning
Capacity requirement planning
Bill of materials
Purchasing
Shop floor control
Accounts payable
Accounts receivable
Logistics
Asset management
Financial accounting

BUSINESS PROCESS RE-ENGINEERING

Business process re-engineering is a pre-requisite for going ahead with a powerful planning tool, ERP. An in-depth BPR study has to be done before taking up ERP. Business process re-engineering brings out deficiencies of the existing system and attempts to maximize productivity through restructuring and reorganizing the human resources as well as divisions and departments in the organization.

STEPS OF BUSINESS PROCESS RE-ENGINEERING

Study the current system
Design and develop new systems
Define processes, organization structure and procedures
Develop / customize the software
Train people
Implement the new system

The principle followed for BPR may be defined as the USA principle (understand, simplify, automate), i.e. understanding the existing practices, simplifying the processes and automating the processes. Various tools used for this principle are:

Understand        Simplify        Automate
Diagramming       Eliminating     EDI
Story boarding    Combining       ERP
Brain storming    Rearranging

SELECTION OF ERP

Evaluation and selection involves:

Checking whether all functional aspects of the business are duly covered
Checking whether all the business functions and processes are fully integrated
Checking whether all the latest IT trends are covered
Checking whether the vendor has customizing and implementing capabilities
Checking whether the business can absorb the cost
Checking whether the ROI is optimum

IMPLEMENTATION OF ERP

Implementing an ERP package has to be done in a phased manner. A step-by-step method of implementing will yield a better result than a big-bang introduction. The total time required for successfully implementing an ERP package will be anything between 18 and 24 months. The normal steps involved in the implementation of an ERP are as follows:


i. DETAILED DISCUSSION PHASE

Tasks
Project initiation
Evaluation of current processes
Business practices
Set up project organization

Deliverables
Accepted norms and conditions
Project organization chart
Identified work teams

ii. DESIGN AND CUSTOMIZATION PHASE

Tasks
Map organization
Map business processes
Define functions and processes
ERP software configuration
Build ERP system modifications

Deliverables
Organization structure
Design specification
Process flow diagrams
Function model
Configuration recording and system modification

iii. IMPLEMENTATION PHASE

Tasks
Create go-live plan and documentation
Integrate applications
Test the ERP customization
Train users

Deliverables
Testing environment report
Customization test report
Implementation report
Conversion plan execution

iv. PRODUCTION PHASE

Tasks
Execute trial production
Maintain systems

Deliverables
Reconciliation reports

BENEFITS OF ERP

Gives accounts payable personnel increased control of invoicing and payment processing, thereby boosting their productivity and eliminating their reliance on computer personnel for generating these.
Reduces paper documents by providing online formats for quickly entering and retrieving information.
Improves timeliness of information by permitting daily posting instead of monthly.
Greater accuracy of information with detailed content, better presentation and full satisfaction for the auditors.
Improved cost control.
Faster response and follow-up on customers.
More efficient cash collection, i.e. a material reduction in delays in payment by customers.
Better monitoring and quicker resolution of queries.
Enables quick response to changes in business operations and market conditions.
Helps to achieve competitive advantage by improving business processes.
Improves supply/demand linkage with remote locations and branches in different countries.
Provides a unified customer database usable by all applications.
Improves information access and management throughout the organization.
Improves international operations by supporting a variety of tax structures, invoicing schemes, multiple currencies, multiple-period accounting and languages.

WHY DOES ERP MATTER FOR A CA

CA as a consultant (ERP role in the consultancy business)

CA as an auditor

Assume a situation where the client has implemented an ERP solution. If the auditor is aware of ERP, he can make use of the features of ERP and thereby:

Ensure that the internal controls and checks are consistently maintained
Ensure that the provisions of income tax or other fiscal laws are not ignored
Ensure that the accounting standards are consistently followed across the company
Improve the quality of the reporting

CA as a liaison

CA as a manager (accounts, timely information for taking appropriate business decisions)


CHAPTER 09

CUSTOMER RELATIONSHIP MANAGEMENT & SALES FORCE AUTOMATION

CUSTOMER RELATIONSHIP MANAGEMENT

Customer relationship management (CRM) puts the customer at the center of any and all activities within an enterprise. A CRM solution helps an enterprise learn more about the customer's needs and makes any knowledge gained through interaction with the customer accessible at all levels of the organization. The value of CRM software grows considerably when CRM is highly integrated with solid enterprise resource planning (ERP) and supply chain management (SCM) functionality. This total solution enables you to support and streamline the entire business process from original customer contact through post-sales service.

BENEFITS OF CRM

CRM tools can help your business track opportunities and close sales quickly, but their capabilities go beyond these areas. The real power lies in their ability to help you build smart customer relationships that will grow into long-term success.

Examples

(i) Track orders

At their most basic level, CRM tools automate the process of tracking customers' order histories. You can find out which products they order and how many, so you can easily identify your best customers, not only in terms of volume but also in terms of profitability. You can use this information to give these bread-and-butter clients special discounts for volume buying and other incentives that will encourage loyalty and send the message that you value their business.


(ii) Pinpoint buying behavior

The information CRM tools track allows you to identify customer buying patterns; you can determine the time of year or situations that prompt purchases, and use this information to raise your level of customer service.

(iii) Build compelling promotions

CRM tools take the guesswork out of designing effective promotions. Because they help you identify customer needs, challenges and buying habits, you have insight into whether your market will respond to two-for-one promotions, free-product-with-purchase offers or other outreach programs.

(iv) Locate cross-selling and up-selling opportunities

By creating an accurate picture of customer buying details, CRM tools can help you highlight opportunities to increase sales to a particular customer, e.g. since you know a client has purchased a particular product model, you can design follow-up marketing outreach to promote model accessories, complementary products or available upgrades.

(v) Build customer care from inside your company

Since CRM tools allow employees to share information easily, they can enhance team productivity and morale. Employees develop collaborative habits across your organization, which raises job satisfaction and the sense of empowerment. This, in turn, translates to better service for your customers. A productive, satisfied team provides better care than a disjointed and disorganized one.

CONSIDERATIONS FOR SELECTION OF A CRM SOLUTION

(i) Who are your customers?

Because CRM is customer-centric, it's important to design a solution with a clear understanding of who your customers are. You want to know their preferred ways of doing business, how they usually come in contact with your business and why they select you over another vendor.

(ii) How many people need to work with your CRM tools?

The solution you design will need to be powerful enough to accommodate peak staff usage without performance suffering. Be sure to consider future growth plans in your analysis as well.

(iii) What roles do they have in the company?

When defining the number of users you want to support with CRM tools, also define their job functions and the way in which they will use the tools, e.g. will traveling sales reps rely on it? If so, you'll want to make it easily accessible from the road.

(iv) How does your business receive orders?

If your company takes orders from many channels, such as telephone order centres, a web site and sales reps, you will want to make sure your solution can accommodate information from each source.

(v) Does your inventory allow for significant cross-sell and / or up-sell?

If your business sells a deep range of related products and services, it is especially well suited to CRM tools. You will want to look for a solution that can help you make the most of cross-sell and up-sell opportunities, with the flexibility to handle multiple layers of data sorting. This will allow you to customize outreach efforts to a high degree.

CUSTOMER RELATIONSHIP MANAGEMENT (CRM)

Customer relationship management (CRM) tools help businesses better understand and respond to customer needs, boosting satisfaction and loyalty levels. These solutions, using a combination of hardware, software and web-based capabilities, provide companies with insight into daily interactions with individual customers. This allows them to be more proactive in meeting each purchaser's highly specific needs.

CRM tools aggregate and maintain customer information so it is easy for sales staff, service representatives and support teams to access. The goal is to have the same set of up-to-the-minute information available across an organization so every client need can be met quickly.

BENEFITS OF CRM TOOLS

Faster response time: CRM tools allow your business to respond quickly to customer requests. This means you can provide better service while handling more business in less time.
Increased efficiency: By automating information sharing, CRM tools allow employees to stay focused on business-building activities, rather than the paperwork associated with tracking customer data.
Increased marketing opportunities: CRM tools make it easy to identify your most profitable customers and their needs, giving you the information you need to make marketing efforts as targeted and effective as possible.
Insight into customers: By making it easy to track customer buying habits, requests and complaints, these tools give you the information you need to enhance products and services, and raise your overall level of customer service.

BENEFITS FOR SMALL COMPANIES

Increased efficiency: Online documents can be shared more quickly in a virtual workspace. Large documents or graphics-rich files, for instance, can be posted and worked on online instead of having to be uploaded and downloaded via email.
Boost turnaround time: Companies can meet with clients online to exchange comments and revisions, and post edited documents for instant approval. This can often cut down on the volume of meetings necessary to reach a final version.
Lower costs: Virtual work can reduce or eliminate the need for travel, phone calls, faxes and overnight mail. This decreased overhead can provide a needed boost to a firm's bottom line.
Streamlined project management: Timelines, budgets and other documents can be uploaded to project-specific sites, keeping everyone on target with a project's overall goals.
Ensure client confidentiality: Collaborative software and services let companies restrict access to files and various workflow routines. This ensures that only those people authorized to view and work on specific projects can do so.

COLLABORATION SOLUTIONS

Remote network access:

Using your network management solution, you can create specific customer accounts that provide limited, secure access to the information on your server. Customers can log on to download files they are authorized to view, collaborate on server-based documents, or transfer files on the fly. Some companies set up client-only servers for this purpose, posting files to these servers as needed, to reduce the impact on their own network.

Collaborative workspace:

These solutions take remote network access a step further by creating virtual conference rooms where companies can meet and exchange documents and information with clients. These collaborative solutions can be housed on your networks, or are available as "hosted" solutions from a number of internet-based suppliers. The workspaces are accessed via a standard web browser, and only authorized users can get in. Companies use these solutions to streamline the process of posting, editing and exchanging documents with clients.

Messaging solutions:

Instant messaging and real-time chat features, which are common elements of collaborative workspaces, allow companies to converse online with clients instead of having to pick up the phone. Some solutions also utilize VoIP technology, allowing members to conduct real-time, web-based voice conferences. Message boards permit companies and their clients to keep a running record of comments regarding specific projects, boosting overall knowledge management. Paging solutions can be used to invite users to a workspace when specific documents have been posted.

Calendaring / scheduling:

Companies such as medical practices, salons or restaurants can use internet-based scheduling solutions to let customers set up appointments. These solutions act as virtual appointment books, allowing customers to go online to schedule, view, move or even cancel appointments at any time of the day or night. This can make it easier for a company to manage its schedule, while providing it with another way to reach customers with its message.

SALES FORCE AUTOMATION

SFA is the fastest growing component of CRM. The interaction of the sales force with the prospect, turning the prospect into a customer and then maintaining a loyal relationship, is a core business concern for the enterprise's success. The sales process must be managed across many domains, interfacing with other business units.

By automating a company's sales efforts, management can efficiently forecast, track and fulfill orders and customer interactions, analyze sales forecasts and competitor trends, manage sales cycles and communicate with sales representatives both in the office and on the road. These services, known collectively as sales force automation (SFA), use technology to reduce administrative work and increase sales team productivity.


BENEFITS OF A SALES AUTOMATION SYSTEM

Streamline sales processes
Sales automation tools handle repetitive and time-consuming activities such as capturing website leads, qualifying buyers and triggering follow-up. They also make data re-keying unnecessary by automatically disseminating information to the appropriate departments, which reduces errors and saves time.

Boost salesperson knowledge
Online product catalogues can be updated the moment a new product or service is available; salespeople can access product specifications and configuration information at their fingertips.

Enhance collaborative selling
All users of your sales automation system share access to a single data source, which facilitates collaborative selling, marketing efforts and customer support. In addition, these capabilities can be extended to include third-party sales representatives and distribution partners.

Improve customer relationships
SFA systems can target data to customers based on their specific needs and keep existing clients abreast of product updates. They also support online customer service, including automated help and access to information 24 hours a day, 7 days a week.

Reduce quote time
Online product configuration allows customers to configure complex solutions in minutes instead of days. A salesperson can use this tool to determine customer requirements and immediately provide a professional and complete proposal after a single meeting, cutting days or even weeks from the selling cycle.

Integrate sales with other company data
Sales automation tools can communicate with financial and enterprise resource planning (ERP) systems, establishing an open data flow among departments such as accounting, sales and fulfillment.

Increase sales force morale
Sales automation applications reduce the time your staff spends on low-level business functions. They create a more flexible work environment by allowing employees to use the internet to access information when and where they need it, whether working from home, on the road or in your corporate offices.


PRE-REQUISITES FOR SELECTING AND IMPLEMENTING SFA

The sales process should be well defined in the beginning phase.
Select a sales automation tool that is compatible with the business.
Involve a cross-functional team that thoroughly understood what salespeople go through on a day-to-day basis, and that made sure the SFA system was customized appropriately in the pilot phase of the project. During this phase the sales process was painstakingly mapped to the SFA tool. Focusing on the process itself was the most critical success factor.
Clear articulation of the value proposition around the tool.
Executive commitment from all our executives.
Win-win-win advantages for the sales force, the delivery teams and management.
To gain rapid acceptance, SFA was designed to help salespeople get much more organized around managing their own business in their own territories, allowing them to spend more time with customers.
It was also intended to help delivery teams gain visibility into pending opportunities, so they can plan when their services will be needed.
Provide easy-to-create, self-serve management reports that can be detailed and summarized in many ways, allowing much better business predictability and what-if planning.

OTHER BENEFITS INCLUDE

Unexpected new knowledge, because information can be presented in many ways to reveal new insights.
Validation of how well service offerings are selling, for marketing purposes.
The ability for individuals to bring up a list of sales opportunities and search and sort in a number of different ways.
Improved account planning by attaching account plans, so the entire selling team can see the broader context of the account.


Chapter 10

COBIT

Control Objectives for Information and Related Technology

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:

a) Making a link to the business requirements;
b) Organizing IT activities into a generally accepted process model;
c) Identifying the major IT resources to be leveraged;
d) Defining the management control objectives to be considered.

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

COBIT thus supports IT governance by providing a framework to ensure that:

a) IT is aligned with the business;
b) IT enables the business and maximizes benefits;
c) IT resources are used responsibly;
d) IT risks are managed appropriately.

Strategic Alignment

Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

Value Delivery

Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.


Resource Management

Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Risk Management

Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organization.

Performance Management

Tracks and monitors strategy implementation, project completion and resource usage, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

The COBIT process model has been mapped to the IT governance focus areas, providing a bridge between what operational managers need to execute and what executives wish to govern. To achieve effective governance, executives expect controls to be implemented by operational managers within a defined control framework for all IT processes.

Benefits of implementing COBIT as a Governance Framework over IT

Better alignment, based on a business focus.
A view, understandable to management, of what IT does.
Clear ownership and responsibilities, based on process orientation.
General acceptability with third parties and regulators.
Shared understanding amongst all stakeholders, based on a common language.
Fulfillment of the COSO requirements for the IT control environment.

IT Governance Maturity Model

Value, risk and control constitute the core of IT governance.

Governance over information technology and its processes with the business goal of adding value, while balancing risk versus return.


Non-existent (complete lack of IT governance process)
Initial / ad hoc (recognition that the need for IT governance exists, but no standard process)
Repeatable but intuitive
Defined process
Managed and measurable
Optimized

(Detail from PBP book)

IFAC – IT GUIDELINE

MANAGING SECURITY OF INFORMATION

The security objective is supported by eight core principles:

Accountability:
Responsibility and accountability must be explicit.

Awareness:
Awareness of risks and security initiatives must be disseminated.

Multidisciplinary:
Security must be addressed taking into consideration both technological and non-technological issues.

Cost Effectiveness:
Security must be cost effective.

Integration:
Security must be coordinated and integrated.

Reassessment:
Security must be reassessed periodically.

Timeliness:
Security procedures must provide for monitoring and timely response.

Social Factors:
Ethics must be promoted by respecting the rights and interests of others.


PLANNING

IT PLANNING FOR BUSINESS IMPACT:

The objective of the IT plan is to provide a road-map of the information technology required to support the business direction of an organization, outlining the resources that are required and the benefits that will be realized on implementation of the plan.

Alignment:
The plan should support and complement the business direction of an organization.

Relevant Scope:
The scope of the plan should be established to facilitate formulation of effective strategies.

Relevant Timeframe:
A planning horizon should be formulated that provides long-term direction and short-to-medium term deliverables in a manner consistent with the business strategy.

Benefit Realization:
The cost of implementation should be justified through tangible and intangible benefits that can be realized.

Achievability:
The planning process should recognize the capability and capacity of the organization to deliver solutions within the stated planning timeframe.

Measurable Performance:
The plan should provide a basis for measuring and monitoring performance.

Reassessment:
The plan should be reassessed periodically.

Awareness:
The plan should be disseminated widely.

Accountability:
Responsibility for implementing the plan should be explicit.

Commitment:
Management commitment to implementing the plan should be exhibited.

ACQUISITION OF INFORMATION TECHNOLOGY

The objective of the IT acquisition process is to acquire the right solution, at the right price, and at the right time. Regardless of the nature of the acquisition, its size, cost and complexity, the following generic core principles apply:


Alignment:

The objectives, scope and requirements of the acquisition should be clearly defined

and documented, including any integration issues that need to be addressed.

Obsolescence:

The impact of new and emerging technologies on the acquisition must be considered.

Accountability:

Responsibilities and accountability for the acquisition must be clearly defined.

Option analysis:

The available options must be identified and assessed.

Evaluation:

Selection criteria must be established and consistently applied across the alternatives

available.

Negotiation:

Effective negotiation must be conducted before any decision is made.

Transparency:

Good governance dictates that the IT acquisition process be fair, open and

consistent.

THE IMPLEMENTATION OF IT

An IT project may cover the acquisition and implementation of IT resources such as
data, application systems, technical components and facilities. Although each project is
relevant in terms of its own needs and circumstances and may vary considerably in
complexity, it is generally conducted according to the following principles:

Aligned Scope:

The scope of the implementation of an IT solution should be aligned with the

objectives first developed during the acquisition phase, including any issues of

integration and implementation timing.

Project Management & Commitment:

An IT project must be properly managed. To achieve this goal, the human resources

allocated to the project need to have experience in project management, technical

competence and knowledge of the organization’s business process.

Managing Changes, Awareness and Communication:

When preparing an organization for the implementation of new systems, the issue of

change management must be specifically addressed and a communication plan must


be established to ensure that all relevant parties are kept informed about the

progress of the project.

Selection of the relevant implementation methods:

There are several methods for implementation of a new IT system. The method

chosen will depend on the type of IT development selected. To ensure the successful

implementation of the solution developed, it may be necessary to follow elements of

several different methods.

Implementation Phasing:

Depending on the method chosen, the phasing of an IT project may either be strict

and detailed or more iterative. It is essential, however, to include the following five

major project phases: general design, specification, development, completion and

deployment.

Integration:

The final product of IT project will generally either be a new application system or

new technical facilities which must be integrated into the existing information

system.

Risk Management & Monitoring:

The project risks must be continuously evaluated during the project and alternative
contingency solutions identified. To ensure effective project management,
performance indicators must be established and reviewed regularly; regular
management reporting is also essential.

Iterative approach:

A prototype is built and enhanced until all needs are dealt with and users are
satisfied. Some phases of this type of project are more or less linked. This
approach is usually applied to the implementation of a software package or the
development of a system using a rapid application development method.

Linear approach:

A project follows a step-by-step method, with strict validation of each
phase before proceeding to the next. This approach typically applies to
large, specific development projects.

IT SERVICE DELIVERY AND SUPPORT

Although the information technology infrastructure and reliance on information

systems varies from one organization to another, there are broad fundamentals that

can be applied to all IT environments and that should be considered in the delivery of

IT services and support.


The core principles are:

Accuracy:

Information delivered to the business must be accurate and timely;

Awareness:

Training, education and support services are provided to all IT staff and IT
customers.

Cost Effectiveness:

Systems and facilities should be aligned with business needs and not put undue

financial burdens on the organization.

Customer Focused:

The organization’s systems should be easy to operate and supportive of its business

operations.

Disciplined Approach:

IT should have adequate controls, a well – defined structure and consistent policies

and procedures.

Flexibility:

Systems and facilities should exhibit a degree of flexibility to cater for fluctuations
in business volumes and staffing levels and, wherever possible, be capable of being
easily modified to handle changes in business practices.

Meeting Performance Expectations:

The delivery of, and support for, IT services must meet the expectations of IT
customers, be available at agreed-on times, and be measurable and measured.

Protected Environment:

Business data and the facilities and IS used to process them should be safe and

secure. The environment should also offer a safe working environment for IT

customers and staff.

Relevance:

The system and facilities should be appropriate and aligned with the organization’s

business needs. They should also be fit for purpose and conform to the user

requirements.

Reliability:

Information system should be robust and reliable.


IT MONITORING

Monitoring of IT is enabled by the definition of relevant performance indicators, the

systematic and timely reporting of performance and prompt acting on any deviations

identified. IT monitoring is especially important because of the complexity and risk

involved in IT activities. It has the business goals of ensuring the delivery of

information to help the organization achieve its objectives and ensuring the

achievement of performance objectives for the IT function.

Core principles are:

Comprehensiveness:

Any monitoring activity has to be comprehensive based on simple and consolidated

measures focusing on exceptions.

Relevance:

Any monitoring activity has to be relevant to the mission, vision, goals and strategy

of the enterprise.

Acceptability:

An effective monitoring approach has to be acceptable to those being monitored. This

means not invading their privacy and not intruding into their day to day

responsibilities.

Timeliness:

To make correct and expedient decisions, monitoring data must be available to

detect deviations that need to be reported immediately.

Verifiability:

Information obtained by the monitoring process should be verifiable by other means;
thus it should be accurate and, whenever possible, based on fact.

Action – Oriented:

Any form of monitoring must enable expedient corrective action.

Flexibility / Adaptability:

The monitoring system should be easily adaptable so that it continues to provide
accurate information in a changing environment.

WEB TRUST

The WebTrust standards have been developed by experts in auditing, accounting and
risk management. These standards also incorporate, wherever possible, prevailing
international "best practices" and guidelines for conducting business over the
internet.


(a) Online Privacy:-

“Prove you keep your privacy promise”

The enterprise ensures that personally identifiable information obtained as a result of

electronic commerce is protected as stated in its online privacy statement.

Example:

(i) Information on the sources of private information being collected.

(ii) How that information will be used and distributed as well as corrected when

necessary.

(iii) How “cookies” are used.

(iv) How customers can opt out.

(b) Confidentiality:

“Assures customers about their confidential information.”

The enterprise ensures that access to the information obtained as a result of electronic
commerce and designated as confidential is restricted to authorized individuals in
conformity with its disclosed confidentiality practices.

Example:

(i) Assurance that the security surrounding the transmission, collection and
distribution of confidential information is adequate.

(ii) Proper procedures for confidentiality breaches.

(iii) Choices provided to customers, including opting out.

(iv) Safeguards against transmission to unintended recipients and against unauthorized
access, and secure storage of backup media.

(c) Security:

“Ease concerns about your commitment to security.”

The enterprise ensures that access to the electronic commerce system and data is
restricted only to authorized individuals in conformity with its disclosed security
policies.

Example:

(i) The existence of a functioning disaster recovery plan

(ii) Procedures to handle security breaches.


(iii) The use of proper encryption technology.

(iv) The use of routine system backups.

(d) Business Practices / Transaction Integrity:-

The enterprise's electronic commerce transactions are processed completely,
accurately and in conformity with its disclosed business practices.

Examples:-

(i) Assurance that services or products are provided to customers as requested.

(ii) Information on the condition of goods.

(iii) Time frame for transactions.

(iv) Payment& delivery terms.

(v) How to cancel orders and receive customer support & service.

(e) Availability:-

“Show you keep your promises”

The enterprise ensures that e-commerce systems and data are available as
disclosed.

Examples of areas evaluated are:

(i) Access terms and conditions.

(ii) Availability policies that conform with legal, contractual and other

requirements.

(iii) Procedures to handle availability problems and security incidents.

(iv) A functioning disaster recovery plan.

(v) Assurance that hardware and software have properly tested and documented

availability objectives.

SUMMARY: IFAC GUIDELINES

Managing security of information:

(a) Awareness

(b) Accountability

(c) Multidisciplinary

(d) Cost effectiveness

(e) Integration

(f) Reassessment

(g) Social factors


Planning IT planning for business impact:

(a) Alignment

(b) Awareness

(c) Achievability

(d) Relevant scope

(e) Relevant timeframe

(f) Commitment

(g) Benefit realization

(h) Measurable performance

(i) Reassessment

(j) Accountability

Acquiring of information technology:

(a) Alignment

(b) Accountability

(c) Negotiation

(d) Option analysis and evaluation

(e) Transparency

(f) Obsolescence

Implementation of an IT:

(a) Aligned scope

(b) Project management & commitment

(c) Managing changes, awareness, and communication.

(d) Selection of relevant implementation methods.

(e) Implementation phasing.

(f) Integration.

(g) Risk management & monitoring.

IT Monitoring:

(a) Comprehensiveness

(b) Relevance

(c) Acceptability

(d) Timeliness

(e) Verifiability

(f) Action oriented

(g) Flexibility / adaptability


Chapter 11

Management Operations & Controls

(These controls also serve to prevent unauthorized access to the company's network.)

CONTROLS: STRUCTURE, ASSESSMENT & MONITORING

Internal Control:

The whole system of controls, financial and otherwise, established in order to provide

reasonable assurance of:

Effective and efficient operation.

Internal Financial control.

Compliance with laws and regulations.

Internal Control System:

An internal control system consists of all the policies and procedures adopted by the
management of an entity to assist in achieving management's objective of ensuring,
as far as practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the prevention and
detection of fraud and error, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.

Management Control:

Management controls consist of the processes used by managers to ensure that
organizational goals are achieved, that procedures are adhered to, and that the
organization responds appropriately to changes in its environment.

It has following features:

(a) It is an integral part of management responsibility.

(b) It is always designed to achieve organization goals.

(c) It seeks to help the employees in attaining the company goals by

following organizational policies.


Administrative Controls:

Administrative controls are designed to ensure operational efficiency and
adherence to managerial policies.

Accounting Controls:

Accounting controls are designed to ensure that assets are safeguarded and that
financial data and records are reliable.

General Controls:

The controls which are used to ensure that an organization’s control environment is

sound and is properly managed to enhance the effectiveness of application controls

are referred to as general controls.

Application Controls:

The application controls are the controls which are used to prevent, detect, and

correct errors and irregularities in various transactions during their processing.

Input Controls:

Input controls are designed to ensure that only accurate, valid and properly authorized
data are entered into the system and processed.

Processing Controls:

Controls that ensure the correct and complete processing of all transactions and the
proper maintenance of records are termed processing controls.

Output Control:

Output controls are designed to ensure that system output is properly controlled and

protected.

CONTROL STRUCTURE

The policies and procedures which have been established to ensure that the
organization's specific objectives are achieved are termed the internal control
structure.

The elements of the internal control structure are:

Control environment


Information and communication

Control procedures / activities

Control Environment:

The control environment consists of the attitude of management and employees towards
the various policies and objectives of the organization. A positive attitude increases
the wealth of the organization.

The factors which affect the establishment, enhancement or working of the various
policies and procedures adopted by management are as follows:

(a) Working style of the management.

(b) Integrity and ethical values followed by employees and the
management.

(c) The structure of the organization.

(d) The working style of BOD.

(e) Assigning of authority and responsibility to various managers.

(f) Behavior of management dealing with the performance deviations.

(g) Commitment of the organization to competence.

(h) Monitoring of the controls.

The Accounting Information System:

Information and communication: the accounting information system consists of the
methods and records used to identify, assemble, classify, record and report the
business transactions.

The methods and records established must perform the following functions:

(a) Identify and record all valid transactions

(b) Determine the time period of occurrence of transactions for their

recording in the proper accounting period.

(c) Describe each transaction in sufficient details to facilitate the proper

classification of transactions for financial reporting.

(d) Measure the value of transactions for recording in the financial
statements.

(e) Present properly the transactions and related disclosures in the

financial statements.


Control Procedures Activities:

Control procedures or activities refer to the various steps provided in the operating
procedures that are intended to ward off threats to the objectives and policies of the
organization.

These may be categorized as procedures pertaining to the following:

(a) Proper authorization of transactions and activities.

(b) Segregation of duties that reduce the opportunities of fraud.

(c) Design and use of adequate documents and records to help ensure the
proper recording of transactions and events.

(d) Adequate safeguards over access to and use of assets and records.

(e) Independent check on performance & proper valuation of recorded

amounts.

RISK ASSESSMENT

Risk refers to a possible future loss which could result from a threat if that
threat materializes.

Its assessment is necessary to ensure that the control system adopted is a
comprehensive one. The following steps facilitate the proper assessment of risk.

(a) Identification of threats:

The threats which could be faced by the organization must be identified to avoid
possible losses, e.g. the threat posed by constructing a facility in an area of
frequent earthquakes.

(b) Estimating the risk:

The more likely a threat is to occur, the greater the risk involved.

(c) Identification of controls:

The controls which could protect the organization from each threat must be
identified. Preventive controls are generally preferable to detective
controls, which involve additional costs once the loss has already occurred.

(d) Estimating costs and benefits:

A control system involves certain costs for protecting an organization from

threats. Protection from threats in fact is the benefit of the control system.

The benefits of a control procedure should be greater than its costs.


(e) Determining effectiveness of costs & benefits:

The benefits of a control system should be greater than its cost. For determining
cost-benefit effectiveness, good judgment must be applied and all factors must
be considered to arrive at the correct decision. Documenting the existing
internal control system and evaluating its quality, costs and benefits are the
basic steps of this exercise.

MONITORING CONTROL SYSTEM

An internal control system, if not reviewed periodically, will become ineffective with the
passage of time; as such, the quality of internal control performance must be
assessed on a timely basis. Monitoring of the control system is important to keep it
up to date and to meet the changing environment.

Methods for monitoring internal control system are:

Effective supervision

Responsibility accounting

Internal auditing

APPLICATION CONTROLS

CODES

Data codes are used to identify an entity uniquely. Poorly designed data codes cause
recording and keying errors.

Four type of coding systems used are:

(a) Serial Codes:

Which assign consecutive numbers or alphabetic characters to an entity.

(b) Block sequence codes:

Which assign blocks of numbers to particular categories of an entity.

(c) Hierarchical codes:

Which assign codes on the basis of an assigned order of importance of the

attributes of an entity.

(d) Association codes:

Which are concatenations of codes assigned to different attributes of an

entity.


INPUT CONTROL

1. VALIDATION CHECKS

Validation of input data is ensured by putting in following checks.

(a) Field Check

(b) Record Check

(c) Batch Check

(d) File Check

(a) Field Check:

Field checks are used to ensure the completeness and correctness of individual fields in a
record. The following types of field checks are used:

(i) Completeness:

Items should be of a specific length, e.g. 17 digits for an account number.

(ii) Format:

Format should be of a standard form e.g. postal code in the address comes

after the city or date field as mm/dd/yyyy.

(iii) Range:

Only data within specified range is acceptable e.g. code ranges b/w 0000 to

9999.

(iv) Check Digit:

A Check digit is a redundant digit added to a code that enables the accuracy

of other characters in the code to be checked e.g. customer or product #.

(b) Record Check:

With a record check, the relationship among the fields in a record is checked logically
to enforce the data integrity rules of the database. The following types of record checks
are applied in an input system.

(i) Reasonableness:

Even though a field is subjected to a range check, the content of another field
in the record may be used to ensure the correctness of the dependent field, e.g.
the range of valid salaries may depend on the organizational position.

(ii) Valid Sign Numbers:

The contents of one field might establish which sign is valid for a numeric

field.


(iii) Size:

If variable-length records are used, the size of the record is a function of the
sizes of the variable-length fields, or of the sizes of the fields whose values may be
omitted from the record.

(iv) Sequence check:

A logical record might contain more than one physical record, e.g. an invoice
will have more than one occurrence of detail lines such as items and their
quantities. The input program might check the sequence of the physical
records it receives.

(c) Batch Checks:

Batching is the process of grouping together transactions that bear some type of

relationship to each other. Two types of batches are used.

Physical Batches:

Are groups of transactions that constitute a physical unit e.g. a batch of

source documents.

Logical Batches:

Are groups of transactions bound together on some logical basis e.g.

transactions entered directly into a terminal during some time period.

(d) File Checks:

With file checks, the validation tests examine whether the characteristics of the file used
during data entry are consistent with the stated characteristics of the file. The input
program must ensure that it is accessing the correct file; for this purpose an internal
label is used. It is also important for the input program to validate that the file
being used is not an older file with an expired date.

Control totals can be calculated for a file on the basis of the contents of the file. The
input validation program checks that it is using a file with accurate control
totals.
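The following program is an added worked example, not part of these notes, that implements the field, record, batch and file checks described above and runs them over a constructed sample batch. The 10-digit account format, the Luhn mod-10 algorithm used as the check digit, the salary range per grade and the file label layout are all assumptions made for the example; the notes do not specify which check-digit scheme or which label fields are used.

```python
import re

# Hypothetical salary range per position, used by the reasonableness check.
SALARY_RANGE_BY_GRADE = {"CLERK": (20_000, 60_000), "MANAGER": (60_000, 150_000)}


def luhn_valid(code: str) -> bool:
    """Check-digit test (Luhn mod 10). The last digit is redundant: it makes the
    weighted sum a multiple of 10, so single-digit keying errors and most
    adjacent transpositions are detected."""
    if not code.isdigit() or len(code) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(code)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def field_checks(rec: dict) -> list:
    """Field checks: completeness/length, check digit, format and range,
    each applied to a single field on its own."""
    errs = []
    acct = rec.get("account", "")
    if len(acct) != 10:                                   # completeness / length
        errs.append("account: must be exactly 10 digits")
    elif not luhn_valid(acct):                            # check digit
        errs.append("account: check digit failure")
    if not re.fullmatch(r"\d{2}/\d{2}/\d{4}", rec.get("date", "")):  # format
        errs.append("date: expected mm/dd/yyyy")
    if not 0 <= rec.get("dept_code", -1) <= 9999:         # range
        errs.append("dept_code: outside 0000-9999")
    return errs


def record_checks(rec: dict) -> list:
    """Record checks: one field constrains another (reasonableness, valid sign)."""
    errs = []
    lo, hi = SALARY_RANGE_BY_GRADE.get(rec.get("grade"), (None, None))
    if lo is None:
        errs.append("grade: unknown position")
    elif not lo <= rec.get("salary", 0) <= hi:            # reasonableness
        errs.append("salary: unreasonable for grade " + rec["grade"])
    if rec.get("txn_type") == "CREDIT" and rec.get("amount", 0) < 0:  # valid sign
        errs.append("amount: a CREDIT must not be negative")
    return errs


def batch_checks(batch: list, header: dict) -> list:
    """Batch checks: control totals recomputed over the batch must agree with the
    batch header (record count, financial total, hash total of a code field)."""
    computed = {
        "count": len(batch),
        "amount_total": sum(r.get("amount", 0) for r in batch),
        "hash_total": sum(r.get("dept_code", 0) for r in batch),
    }
    return [f"{k}: header {header.get(k)} != computed {v}"
            for k, v in computed.items() if header.get(k) != v]


def file_checks(label: dict, expected_name: str, today: str) -> list:
    """File checks: the internal label must name the file the program expects,
    and the file must not be past its expiry date (ISO dates compare as text)."""
    errs = []
    if label.get("name") != expected_name:
        errs.append(f"file: label {label.get('name')!r} != expected {expected_name!r}")
    if label.get("expires", "") < today:
        errs.append("file: expired on " + label.get("expires", "?"))
    return errs


def validate_batch(batch: list, header: dict) -> dict:
    """Field and record checks per record, then batch checks. Returns
    {record_index: [errors], 'batch': [errors]}; an empty dict means clean."""
    report = {}
    for i, rec in enumerate(batch):
        errs = field_checks(rec) + record_checks(rec)
        if errs:
            report[i] = errs
    batch_errs = batch_checks(batch, header)
    if batch_errs:
        report["batch"] = batch_errs
    return report


# Constructed sample batch: record 0 is clean, record 1 fails five checks.
SAMPLE_BATCH = [
    {"account": "1234567897", "date": "03/15/2024", "dept_code": 120,
     "grade": "CLERK", "salary": 35_000, "txn_type": "CREDIT", "amount": 500},
    {"account": "1234567890", "date": "2024-03-15", "dept_code": 12_000,
     "grade": "MANAGER", "salary": 20_000, "txn_type": "CREDIT", "amount": -250},
]
SAMPLE_HEADER = {"count": 2, "amount_total": 250, "hash_total": 12_120}
```

Running validate_batch(SAMPLE_BATCH, SAMPLE_HEADER) reports record 1 only; the batch totals agree because the header was prepared from the same records. Changing the header's amount_total produces a batch-level error even though every record passes its own checks, which is the point of a control total: it catches records lost or altered between batch preparation and data entry.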

INSTRUCTION INPUT

There are six major ways in which instructions can be entered into an IS:

(a) Menu driven languages,

Which ask users to select from a list of options with which they are presented.

(b) Question-answer dialogs,

Which ask users to respond to questions presented by the application system.


(c) Command Languages,

Which require users to recall and initiate instructions for the application

system.

(d) Form based languages,

Which require users to specify commands in the context of some input or
output form.

(e) Natural languages,

Which allow users to instruct an application system via free-form input.

(f) Direct manipulation interfaces,

Which allow users to enter instructions to an application system via direct

manipulation of objects on a screen.

INSTRUCTION INPUT

Ensuring the quality of instruction input to an application system is a more difficult
objective to achieve. During instruction input, users often attempt to
communicate complex actions that they want the system to undertake. The following are
the six ways used to communicate instructions to an application system.

1. Menu driven languages

A menu is the simplest way to provide instructions to an application system. The
system presents users with a list of options and users then choose an option. The
following guidelines should reduce the number of errors that are likely to occur using
menu input:

i) Menu items should be grouped logically so they are meaningful and

memorable

ii) Menu items should follow any natural order; otherwise order them by frequency of
use, or alphabetically for long menus.

iii) Menu items should be fully spelled out, clear and concise.

iv) The basis for selecting a menu item should be clear, e.g. numbers or a
mnemonic abbreviation.

v) Where other output is displayed on the screen, the menu should be clearly

differentiated.

2. Question answer dialogue

Used primarily to obtain data input. For example, to compute an NPV the system asks for
the discount rate, initial investment, number of periods, cash flow per period, etc., and
the user responds. A well-designed question-answer dialog makes clear the set of
answers that are valid. In cases where the valid answers are not obvious, a help
facility can be used to assist inexperienced users.


3. Command languages – require users to specify commands to invoke some
process and a set of arguments that specify precisely how the process should be
executed. For example, SQL is a database interrogation language that uses a
command-language format.

To facilitate recall of commands, command names should be meaningful.

To reduce typing effort, it should be possible to truncate (shorten,

abbreviate) commands

4. Forms based languages - Forms-based languages can be successful if users

solve problems in the context of input and output forms. In these cases syntax of

the language corresponds to the ways users think about the problem. As a result,

input errors are reduced, and the language tends to be used effectively and

efficiently.

5. Natural languages – are the subject of substantial research and development
efforts. Their goal is to enable relatively free-form natural language interaction to
occur between users and an application system, perhaps via speech
production/recognition devices. Current natural language interfaces have the following
limitations.

i) They do not always cope with the ambiguity and redundancy present in
natural language, e.g., the meaning

ii) Substantial effort sometimes must be expended to establish the lexicon
(glossary, word list) for the natural language interface; users must define all
possible words they could use.

iii) Even minor deviations outside the lexicon established for the application
domain can cause problems.

iv) Users still need some training when they employ natural language interfaces.

6. Direct manipulation languages

Some application systems employ direct manipulation to enter commands and data,
e.g. a spreadsheet. Three attributes identify a direct manipulation interface:

(1) visibility of the object of interest

(2) rapid, reversible, incremental actions and,

(3) use of direct manipulation devices e.g. mouse. Examples are:

i) Electronic spreadsheet – users see visual image on the spreadsheet and its

associated cell values. They can alter values by using a mouse to move the

cursor to the cell to be altered and keying of new value.

ii) Electronic desktops – users see an image of a desktop with an in-basket, an
out-basket, a trash basket, a set of files and so on. They can manipulate
these objects using a mouse. For example, files to be deleted can be moved to the
trash basket.

Direct manipulation often provides a more error-free, effective and efficient interface
than traditional menu- or command-oriented interfaces.

Three types of validation checks can be exercised over instruction input:

(a) Lexical validation,

Which evaluates whether commands contain valid words;


(b) Syntactic validation,

Which evaluates whether commands contain a string of valid operations,

(c) Semantic validation,

Which evaluates whether the actions to be invoked by a command are
meaningful.
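The following program is an added worked example, not part of these notes, showing the three validation stages applied to a small command language. The language itself (the verbs TRANSFER, SHOW and CLOSE, the account-number pattern and the sample balances) is invented for the example; the notes describe the three checks generically. Each stage only runs if the previous one passed, because a syntactic check on unknown words, or a semantic check on a malformed command, has nothing reliable to work with.

```python
import re

KEYWORDS = {"TRANSFER", "FROM", "TO", "SHOW", "CLOSE"}
ACCT_RE = re.compile(r"^A\d{4}$")              # hypothetical account id format
AMOUNT_RE = re.compile(r"^\d+(\.\d{1,2})?$")

# Grammar: each verb maps to the token classes that must follow it, in order.
# 'ACCT' and 'AMOUNT' are token classes; anything else is a literal keyword.
GRAMMAR = {
    "TRANSFER": ["AMOUNT", "FROM", "ACCT", "TO", "ACCT"],
    "SHOW": ["ACCT"],
    "CLOSE": ["ACCT"],
}

# Constructed sample state: account balances the semantic check consults.
ACCOUNTS = {"A1001": 500.0, "A1002": 0.0, "A1003": 75.25}


def classify(tok):
    """Lexical class of one token, or None if the language does not know it."""
    if tok in KEYWORDS:
        return tok
    if ACCT_RE.match(tok):
        return "ACCT"
    if AMOUNT_RE.match(tok):
        return "AMOUNT"
    return None


def lexical_check(tokens):
    """Lexical validation: every token must be a word the language knows."""
    bad = [t for t in tokens if classify(t) is None]
    return None if not bad else f"lexical: unknown token(s) {bad}"


def syntactic_check(tokens):
    """Syntactic validation: the tokens must form a permitted sequence."""
    if not tokens or tokens[0] not in GRAMMAR:
        return f"syntactic: command must start with one of {sorted(GRAMMAR)}"
    expected = GRAMMAR[tokens[0]]
    actual = [classify(t) for t in tokens[1:]]
    if actual != expected:
        return f"syntactic: {tokens[0]} expects {expected}, got {actual}"
    return None


def semantic_check(tokens, accounts):
    """Semantic validation: the action must make sense against current state.
    Only called once the command is known to be well-formed."""
    verb = tokens[0]
    if verb == "TRANSFER":
        amount, src, dst = float(tokens[1]), tokens[3], tokens[5]
        for a in (src, dst):
            if a not in accounts:
                return f"semantic: account {a} does not exist"
        if src == dst:
            return "semantic: source and destination are the same account"
        if amount <= 0:
            return "semantic: transfer amount must be positive"
        if accounts[src] < amount:
            return f"semantic: insufficient funds in {src}"
    else:
        acct = tokens[1]
        if acct not in accounts:
            return f"semantic: account {acct} does not exist"
        if verb == "CLOSE" and accounts[acct] != 0:
            return f"semantic: {acct} still has a balance; cannot close"
    return None


def validate_instruction(line, accounts=ACCOUNTS):
    """Run the three checks in order and stop at the first failure.
    Returns (stage, message) where stage is 'lexical', 'syntactic',
    'semantic' or 'ok'."""
    tokens = line.split()
    for stage, check in (("lexical", lambda: lexical_check(tokens)),
                         ("syntactic", lambda: syntactic_check(tokens)),
                         ("semantic", lambda: semantic_check(tokens, accounts))):
        msg = check()
        if msg:
            return stage, msg
    return "ok", "accepted: " + " ".join(tokens)
```

The rejection stage is itself useful audit information: a stream of lexical failures from one terminal suggests an untrained user or a probing attempt, while semantic failures such as repeated transfers exceeding a balance are a matter for the application owner rather than the interface designer.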

REPORT PROGRAM EXECUTION CONTROLS

Auditors should have three concerns in relation to the execution of report programs.

(a) Only authorized persons should be able to execute the programs.

Otherwise, confidential data could be revealed.

(b) The action privileges assigned to the authorized users of report

programs should be appropriate to their need.

(c) Report programs that produce a large amount of output should include

checkpoint restart facilities.

STORAGE CONTROLS

Three major controls should exist in relation to the storage of output.

(a) Output should be stored in an environment that will allow it to be

preserved for the period it is required.

(b) Output must be stored securely.

(c) Appropriate inventory controls must be kept over stored output.

REPORT DESIGN CONTROLS

Following information may be included in a well-designed batch report.

(a) Time and date of production.

(b) Distribution list

(c) Processing period covered

(d) Contact person

(e) Retention date

(f) Page heading

(g) Page numbers

(h) End of job tag


PROCESSING CONTROL

Processing refers to computing, sorting, classifying and summarizing data. The main
components involved in processing are:

(a) Central processing unit for execution of programs.

(b) Main (real) or virtual memory for storage of data and programs.

(c) Operating system for system management.

(d) Application programs to execute specific user requirement.

Four types of controls are used to minimize expected losses from errors &

irregularities associated with central processors:

(a) Errors in the processor can be detected via parity checks or instruction
validity checks. Temporary errors can be corrected by attempting to
execute the failed instruction again.

(b) Privileged instructions can only be executed if the processor is in a
special state.

(c) Timing controls can be used to prevent the processor from being held in an
endless loop.

(d) Processor component can be replicated to allow processing to continue

if any component fails.

Two types of controls are used to reduce expected losses from errors and

irregularities associated with real memory.

(a) Memory errors can be detected via parity checks and Hamming codes; Hamming
codes also allow the errors to be corrected.

(b) Access controls, which are implemented via boundary registers, are

used to ensure that one process does not gain unauthorized access to

real memory assigned to another process.
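The following program is an added worked example, not part of these notes, that implements the two memory controls just listed: error detection and correction with a parity bit and a Hamming code, and a base/limit boundary-register check. The Hamming(7,4) code is extended with one overall parity bit (the SECDED arrangement used in ECC memory) because a plain Hamming code silently mis-corrects a two-bit error; the notes do not go into that caveat. The register widths and addresses are invented for the example.

```python
def hamming74_encode(d):
    """Hamming(7,4): d = [d1, d2, d3, d4]. Returns the 7-bit codeword in
    position order p1 p2 d1 p4 d2 d3 d4 (list index = position - 1)."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4          # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # covers positions 2,3,6,7
    p4 = d2 ^ d3 ^ d4          # covers positions 4,5,6,7
    return [p1, p2, d1, p4, d2, d3, d4]


def secded_encode(d):
    """Add an overall even-parity bit as position 8 so that a double-bit error
    is detected rather than mis-corrected (single error correct, double detect)."""
    word = hamming74_encode(d)
    overall = 0
    for b in word:
        overall ^= b
    return word + [overall]


def secded_decode(w):
    """Returns (data, status). status is 'ok', 'corrected' (one bit repaired)
    or 'double-error' (detected but not correctable; data is None)."""
    w = list(w)
    s1 = w[0] ^ w[2] ^ w[4] ^ w[6]
    s2 = w[1] ^ w[2] ^ w[5] ^ w[6]
    s4 = w[3] ^ w[4] ^ w[5] ^ w[6]
    syndrome = s1 + 2 * s2 + 4 * s4   # 1-based position of a single flipped bit
    overall = 0
    for b in w:
        overall ^= b                  # 1 if an odd number of bits were flipped
    if syndrome == 0 and overall == 0:
        return [w[2], w[4], w[5], w[6]], "ok"
    if overall == 1:                  # odd number of flips: treat as one error
        w[syndrome - 1 if syndrome else 7] ^= 1   # syndrome 0 means bit 8 itself
        return [w[2], w[4], w[5], w[6]], "corrected"
    return None, "double-error"       # even flips with non-zero syndrome


def flip(word, *positions):
    """Copy of word with the given 1-based bit positions inverted; simulates
    soft errors in a memory cell."""
    w = list(word)
    for p in positions:
        w[p - 1] ^= 1
    return w


def parity_bit(byte):
    """Even parity over an 8-bit value: the extra bit that makes the 1-count
    even. Detects any odd number of flipped bits but cannot locate them."""
    return bin(byte & 0xFF).count("1") & 1


def parity_ok(byte, stored_parity):
    return parity_bit(byte) == stored_parity


class BoundaryRegisters:
    """Base/limit register pair loaded by the OS when it dispatches a process.
    Every address the process generates is checked against the limit before
    it reaches real memory, so the process cannot touch another's region."""
    def __init__(self, base, limit):
        self.base, self.limit = base, limit

    def translate(self, logical_addr):
        if not 0 <= logical_addr < self.limit:
            raise MemoryError(f"address {logical_addr} outside [0, {self.limit})")
        return self.base + logical_addr


def access_allowed(regs, logical_addr):
    try:
        regs.translate(logical_addr)
        return True
    except MemoryError:
        return False
```

secded_decode on an undamaged word returns 'ok'; with one bit flipped anywhere, including the parity bits, it returns the original data and 'corrected'; with two bits flipped it refuses to guess and reports 'double-error', which is what an ECC memory controller raises as a machine check. The boundary register check models why a process cannot read memory assigned to another process: the hardware compares every address against the limit before the access is performed.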

Threats to the integrity of the processor and memory include, but are not limited to:

(a) Privileged personnel misuse their powers.

(b) Penetrators deceive privileged personnel into giving them special
powers.

(c) Special devices are used to detect electromagnetic radiation, emit
electromagnetic radiation, or wiretap communication lines.

(d) Penetrators interact with the system to determine and exploit any flaw in it.


Chapter 13

Effective Management of IS

OPERATIONS MANAGEMENT CONTROL

Operations management is responsible for the daily running of hardware and

software facilities so that:

(a) Production application systems can accomplish their work, and

(b) Development staff can design, implement and maintain application systems.

Operations management typically exercises controls over the following functions.

(a) Computer operations

(b) Communication network control

(c) Data preparation and entry

(d) File library

(e) Documentation & program library

(f) Help desk technical support

(g) Capacity planning & performance monitoring

(h) Outsourced operations

The production control section under operations management performs five major

functions.

(a) Receipt and dispatch of input & output

(b) Job scheduling

(c) Management of SLA with users

(d) Transfer pricing / charge-out control

(e) Acquisition of computer consumables

The file library function within the operations area takes responsibility for the

management of an organization’s machine readable storage media. Four functions

must be undertaken:


(a) Ensuring that removable storage media are used only for authorized purposes.

(b) Maintaining storage media in good working order, and

(c) Locating storage media appropriately at either on-site or off-site facilities.

DOCUMENTING & PROGRAM LIBRARY FUNCTIONS

(a) Maintenance of documentation

(b) Management of inventory of acquired or licensed software.

(c) Documentation should be kept up to date

(d) Illegal copies of software are not made

(e) Compliance with terms and conditions of licensing agreement.

(f) Suitable backup of the software.

The operations management function often has responsibility for managing the day-to-day activities associated with an outsourcing contract. Four types of control must be exercised:

(a) Ongoing evaluation of the financial viability of the outsourcing vendor,

(b) Ensuring compliance with the outsourcing contract's terms and conditions,

(c) Ensuring the ongoing operation of the outsourcing vendor, and

(d) Maintaining procedures for disaster recovery with the outsourcing vendor.

IS Organization Structure and Responsibilities

Organization and management controls include those controls that provide protection for the actual or tangible physical environment, as well as for the staffing and operation of the information processing facility (IPF). Organizational and management controls provide effective and efficient operations staffed with qualified and dependable personnel. Proper levels of responsibility should be clearly defined and provide for an adequate separation of duties.

Organization and management controls within the IPF encompass the following:

Sound human resource policies and management practices.

Separation of duties between the information processing environment and other organizational environments or functions.


Separation of duties within the information processing environment.

Methods to assess effective and efficient operations.

Line Management Structure

The following persons may report to the IS director:

i) Control Group: Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups.

ii) System Development Manager: Responsible for programmers and analysts who implement new systems and maintain existing systems.

iii) Help Desk: Responsible for assisting end users to employ end-user hardware and software, and for providing technical support for production systems by assisting with problem resolution.

iv) End User: Responsible for operations related to business application services; the term is used to distinguish the person for whom the product was designed from the person who programs, services or installs applications.

v) End User Support Manager: Responsible as liaison between the IS department and the end user.

vi) Data Management: Responsible for the data architecture in larger IT

environments and tasked with managing data as a corporate asset.

vii) Database Administrator:

Responsible for maintenance and integrity of the organization’s database

systems.

viii) Technical Support Manager:

Responsible for system programmers who maintain the system software.

ix) Security Administrator: Responsible for implementing information security

policy and providing assurance that adequate Physical and logical security for

IS programs, data and equipment are carried out.

x) System Administrator: Responsible for maintaining major multi-user

computer systems, including local area networks.

xi) Operations Manager: Responsible for computer operations personnel,

including computer operators, librarians, schedulers and data control

personnel.


xii) Network Manager/Administrator:

Responsible for planning, implementing & maintaining the

telecommunications infrastructure, and also may be responsible for voice

networks.

xiii) Quality Assurance Manager: Responsible for negotiating and facilitating quality activities in all areas of information technology, although most frequently quality initiatives are focused on systems development activities.

Job descriptions and organizational structure charts are important items for all employees to have, as they provide a clear definition of their job responsibilities and authority. Given the dynamic nature of information technology, job descriptions and organization structure can change frequently. Therefore, it is important that procedures be in place to maintain them.

Functional Areas in Information Processing Environment (from book)

Operations

Data Entry

Control Group

Librarian

Security Administration

Quality assurance

Database administration

Systems analysis

Application programming

System programming

Network management

Help Desk Administration

Security Administrator’s Functions

Maintaining security and confidentiality over the issuance and maintenance of authorized user IDs and passwords.

Monitoring security violations and taking corrective action to ensure that

adequate security is provided.

Periodically reviewing and evaluating the security policy and suggesting

necessary changes to management.

Preparing and monitoring the security awareness program for all employees.

Testing the security architecture to evaluate the security strengths & detect

possible threats.

Maintaining access rules to data & other IT resources.


Data Entry

Batch Entry

Online Entry

Tasks Performed in Data Entry

Receives source documents from various departments and ensures their proper safekeeping until processing is complete and the source documents and output are returned.

Prepares batches of source documents with accurate control totals.

Schedules and sets up the jobs to process input.

Verifies, logs and distributes output to the appropriate department, with special care for confidential information.

A supervisor should be assigned to ensure that the work is properly prepared and submitted for processing. This individual should also ensure that all exceptions and rejected inputs are brought to the attention of the originating department and resubmitted in a timely fashion, and must ensure that the entry staff maintain confidentiality and do not tamper with sensitive data.
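The "accurate control totals" prepared with each batch are what let the supervisor prove that everything keyed matches the source documents. The following is an added worked example, not part of the notes, showing the three classic batch totals (record count, hash total over a non-financial field, amount total) and which keying error each one catches. The invoice numbers, account numbers and amounts are constructed.

```python
# Added worked example (not from the notes): batch control totals for a data
# entry batch. The invoice numbers, accounts and amounts are constructed.
from decimal import Decimal

# Each source document: (document number, customer account number, amount)
SOURCE_BATCH = [
    ("INV-1001", 40211, Decimal("125.50")),
    ("INV-1002", 40215, Decimal("89.99")),
    ("INV-1003", 40211, Decimal("1250.00")),
    ("INV-1004", 40320, Decimal("14.25")),
]


def control_totals(records):
    """Record count, hash total over a non-financial field, and amount total."""
    return {
        "record_count": len(records),
        "hash_total": sum(acct for _, acct, _ in records),
        "amount_total": sum(amt for _, _, amt in records),
    }


def verify_batch(keyed_records, batch_slip):
    """Compare totals recomputed from the keyed records with the batch slip.

    Returns a list of (total name, expected, actual) for every mismatch;
    an empty list means the batch balances.
    """
    actual = control_totals(keyed_records)
    return [(name, batch_slip[name], actual[name])
            for name in batch_slip if batch_slip[name] != actual[name]]


def keying_scenarios():
    """Three constructed entry errors and what each control total catches."""
    slip = control_totals(SOURCE_BATCH)          # prepared from the source documents
    transposed = list(SOURCE_BATCH)
    transposed[1] = ("INV-1002", 40251, Decimal("89.99"))     # account digits swapped
    dropped = SOURCE_BATCH[:-1]                                 # last document not keyed
    wrong_amount = list(SOURCE_BATCH)
    wrong_amount[0] = ("INV-1001", 40211, Decimal("152.50"))   # amount digits swapped
    return {
        "clean": verify_batch(SOURCE_BATCH, slip),
        "transposed_account": verify_batch(transposed, slip),
        "dropped_record": verify_batch(dropped, slip),
        "wrong_amount": verify_batch(wrong_amount, slip),
    }


if __name__ == "__main__":
    for name, findings in keying_scenarios().items():
        print(name, findings or "balances")
```

Only the hash total catches the transposed account number, which is why a total over a non-financial field is kept alongside the amount total; a dropped document trips all three.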

Duties of System Administrator

Adding and configuring new workstations.

Setting up user accounts.

Installing system wide software.

Performing procedures to prevent the spread of viruses.

Allocating mass storage space.

Data Security

Data security includes the standards and procedures designed to protect data against accidental or intentional unauthorized disclosure, modification or destruction. A critical part of the management control exercised by the IPF is providing an adequate level of data security. Data security covers many aspects of security and must be continually modified and expanded to cover IS technological advances.

Data security program must effectively integrate:


i) Physical Security: Such as safeguarding hardware used during the

processing of data and media on which data are stored.

ii) Employee Education: That encompasses the need for data security and privacy; employees also must understand that disciplinary action will be taken against anyone who violates corporate guidelines in this area.

iii) Logical Security: Such as software or hardware controls built into

the system to prevent and detect unauthorized access to data.

Processing Controls

Include those items necessary to ensure that the organization receives timely,

complete, accurate and secure processing of data. These controls are particularly

pertinent to the work performed by the computer operations group that includes:

Data control is often responsible for all the data necessary to run various systems and for checking to ensure that output information received is complete. Adequate, up-to-date control manuals are essential for each system. Manuals should state the source of the various forms of input and when such input should be available.

Production control is often responsible for job scheduling, job submission and media management. Job scheduling may be done manually or with scheduling software; scheduling is essential if the computer resources are to be used at optimum efficiency.

Database Administration

The DBA defines and maintains the data structures in the corporate database systems. He is responsible for the actual design, definition and proper maintenance of the corporate databases. The DBA has the tools to establish control over the database and the ability to override these controls. The DBA also has the capability of gaining access to all data, including production data. It is usually not practical to prohibit or completely prevent access by the DBA to production data.

DBA’s Roles

i) Specifying physical (computer oriented) data definition.

ii) Changing physical data definition to improve performance.

iii) Selecting and implementing database optimization tools.

iv) Testing and evaluating programmer and optimization tools.

v) Answering programmer queries and educating programmers in the

database structures.


vi) Implementing database definition controls, access controls, update

controls and concurrency controls.

vii) Monitoring database usage, collecting performance statistics and tuning the database.

viii) Defining and initiating backup and recovery procedures.

IS Department Exercises Control over Database Administration Through

i) Segregation of duties.

ii) Management approval of DBA activities.

iii) Supervisory review of access logs.

iv) Detective controls over the use of database tools.

Reviewing Documentation in review of IT Planning / Strategy

Information technology strategies, plans & budget.

Organization / functional charts.

Security policy documentation.

Job descriptions.

Steering committee report.

System development and program change procedures.

Operations procedures.

Human resource manuals.

Information technology strategies, plans and budgets provide evidence of

planning and management’s control of the information system environment.

Security policy documentation provides the standard for compliance. It should state the position of the organization with regard to any and all security risks. It should identify who is responsible for safeguarding the company's assets, including programs and data. It should state the preventive measures to be taken to provide adequate protection and the actions to be taken against violations. For this reason it should be treated as a confidential document.

Organization / functional charts provide the IS auditor with an

understanding of the reporting line within a particular department or

organization. They illustrate a division of responsibility and give an indication

of the degree of segregation of duties within the organization.


Job descriptions define the functions and responsibilities of positions throughout the organization. They provide an organization with the ability to group similar jobs in different grade levels to ensure fair compensation of the workforce. Job descriptions should identify the position that the personnel report to.

Steering committee reports provide documented information regarding new system projects. These reports are reviewed by upper management and disseminated among the various business units.

System development and program change procedures provide a

framework within which to undertake system development or program

change.

Operations procedures describe the responsibilities of the operation staff.

Human resource manuals provide the rules and regulations determined by an organization for how it expects its employees to conduct themselves.

Interviewing and Observing Personnel

Observing personnel in the performance of their duties assists an IS auditor in identifying:

Actual Functions:

Observation is the best test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows the IS auditor an opportunity to witness how policies and procedures are understood and practiced.

Security Awareness:

Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data.

Reporting Relationships:

Reporting relationships should be observed to ensure that assigned responsibilities and adequate separation of duties are being practiced.

Examples of IS Vision and Mission Statements

The mission / goal is to provide world-class computer systems and to deliver quality computer services to users.

Put a valuable information system planning process in place and ensure its continuity.


Install system planning mechanisms challenged and supported by IS

management.

To provide relevant, reliable, useful, timely, and meaningful data and information to a user located anywhere at any time, in a form that delivers the value and benefits to be received from the system.

Establish partnership relations with functional users, auditors, hardware and software vendors, business suppliers, and customers in sharing data and system services.

Cultivate a mind-set among IS employees and to develop a working

environment in which the functional user is treated as a business client or

customer.

Identify and analyze the drivers of IT and computing cost structures and to

reduce such costs where possible.

Achieve a balance between productivity and quality with the available

resources.

Indicators of Potential Problems at the IPF

Unfavorable end-user attitudes

Excessive costs.

Budget overruns

Late projects

High staff turnover

Inexperienced staff

Frequent hardware / software errors

Excessive backlog of user requests.

Exception reports which were not followed up on.

Slow computer response time.

Numerous aborted / suspended projects

Unsupported / unauthorized purchase

Frequent hardware / software upgrades

Extensive exception reports.

Poor motivation

Lack of succession plans

Reliance on one or two key personnel.


CHAPTER 14

CRITICAL CHARACTERISTICS OF INFORMATION

The value of information comes from the characteristics it possesses.

Availability

Availability enables users who need to access information to do so without interference or obstruction, and to receive it in the required format.

Accuracy

Information is accurate when it is free from mistakes or errors and it has the

value that the end users expect.

Authenticity

Authenticity of information is the quality or state of being genuine or original,

rather than a reproduction or fabrication. Information is authentic when it is

the information that was originally created, placed, stored, or transferred.

Confidentiality

The confidentiality of information is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems. Confidentiality of information is ensuring that only those with the rights and privileges to access a particular set of information are able to do so, and that those who are not authorized are prevented from obtaining access.

Integrity

The quality or state of being whole, complete and uncorrupted is the integrity

of information. The integrity of information is threatened when the

information is exposed to corruption, damage, destruction or other disruption

of its authentic state. The threat of corruption can occur while information is

being stored or transmitted.

Utility

The utility of information is the quality or state of having value for some purpose; information has value when it serves a particular purpose. This means that if information is available but not in a format meaningful to the end user, it is not useful.


Possession:

The possession of information is the quality or state of having ownership or control of some object or item. Information is said to be in one's possession if one obtains it, independent of its format or other characteristics. Encryption protects the confidentiality of information, but possession may change.

Components of an Information System

Software

Hardware

Data

People

Procedure

Network

INFORMATION SECURITY POLICY, STANDARDS & PRACTICES (the IT security policy should define the following responsibilities)

Organization

The information security policy should provide general guidance on the

allocation of security roles and responsibilities in the organization. All

responsibilities regarding information security management must be well

defined which includes information security management personnel and

management. The following responsibilities could be assigned to different levels of management in the organization.

Executive Management

Executive management in the organization is responsible for overall

information system asset protection. Executive management has to show commitment to information security management by providing budgets and following up on information security management policies and plans.

Security Committee

In order to implement the security policies and procedures in the organization, a security committee may be formed. Formal terms of reference may also be drawn up for this committee and its recommendations adopted by the organization.


Data Owners:

Data owners have the responsibility of maintaining the accuracy, completeness and integrity of business processes.

Process Owners:

Process owners have to ensure that the processes running on computer

systems are secure and are in line with the procedures defined in the scope of

security policies of the organization.

IT Developers:

IT developers are responsible for implementing the security policy in the

organization.

Security Specialist / Advisers

Organization may hire security specialist / adviser in order to disseminate and

assist the management and IT developers to design and implement

organizational security policy, standards and procedures.

Users:

IT/IS users of the organization are responsible for having full knowledge of all policies and procedures developed within the organization. Users also have a heavy responsibility for protecting.

IS Auditors

IS Auditors are responsible for providing independent assurance to

management regarding aptness and effectiveness of information security

objectives and its implementation in the organization.

COMPUTER CRIME ISSUES AND EXPOSURES

INTRUDERS OF COMPUTER CRIMES

(a) Hackers

A hacker is a person who attempts to invade the privacy of a computer

system. Hackers are normally skilled programmers and have been known to

crack system passwords with consummate ease.


(b) Employees

Unauthorized employees intentionally attempt to break the security implementations within the organization and try to gain access to organizational information assets, while authorized employees may cause loss to assets intentionally or by mistake.

(c) IS Personnel

These have the easiest access to organizational information, since they are the custodians of information assets. Good segregation of duties, apart from checks like logical access controls, will ensure a reduction in attacks on assets from this category of personnel.

(d) Outsiders

This may include the organized criminals like hackers, competitors or crackers

(paid hackers)

PHYSICAL EXPOSURE AND CONTROLS

FIRE DAMAGE

Fire is often the most serious threat to the physical security of information system assets. A well-designed fire-protection plan should be made in the organization. Such a plan may include:

(a) Both automatic and manual fire alarms are placed in computer rooms etc.

(b) Automatic fire extinguishers are placed at strategic places in the organization.

(c) When a fire alarm is activated, a signal is sent automatically to a control station that is always staffed.

(d) To minimize the risk of extensive damage from electrical fires, electrical wiring should be placed in fire-resistant panels and conduit.

Security administrators should arrange regular inspections and tests of all fire protection systems and ensure that they are properly serviced. Periodic training of the staff to use such equipment should also be arranged.

WATER DAMAGE

Water damage to IS assets might result from fire or could also happen due to other natural disasters like floods or torrential rains. To protect against it, the following measures apply:

(a) Installation of waterproof ceilings and walls

(b) Proper drainage system in the premises


(c) Installation of alarms in important places

(d) All material information systems assets should be placed above water levels in flood-prone areas

(e) Cover hardware devices with protective covers when not in use.

ENERGY VARIATIONS

Energy variations occur from an "increase in power" (surges or spikes), a "decrease in power" (sags or brownouts), or a "loss of power" (blackouts). Voltage regulators and circuit breakers may be used to avoid such instances. A UPS may also be used, or two different sources of power, to avoid blackouts.

TERRORIST ACTIVITIES

Political terrorism is the main risk, but there are also threats from individuals with grudges. In some cases there is very little that an organization can do: its buildings may just happen to be in the wrong place and bear the brunt of an attack aimed at another organization or intended to cause general disruption.

(a) There are some avoidance measures that should be taken, however.

(b) Physical access to buildings should be controlled.

ACCIDENTAL DAMAGE

People are a physical threat to computer installations and a cause of accidental damage to installations.

Combating accidental damage is a matter of:

(a) A sensible attitude to office behavior.

(b) Good office layout

(c) Check new software with antivirus software before it is installed.

(d) Educate users about the dangers of viruses and the ways to prevent infection.

PHYSICAL ACCESS EXPOSURES AND CONTROL

PHYSICAL ACCESS ISSUES AND EXPOSURES

Unauthorized entry

Damage

Vandalism/Sabotage (Strikes)


Theft

Copying or viewing of sensitive data

Alteration of sensitive equipment and information

Public disclosure of sensitive information

Abuse of data processing

Blackmailing

Embezzlement

PHYSICAL ACCESS CONTROLS

Security guards

Bolting/secure door locks

Combination of door locks (multiple kinds of locks)

Electronic doors

Dead man door (e.g. Bank lockers, only one person can enter at one time)

Controlled single entry point

Alarm system

Manual logging

Electronic logging

Identification

Video cameras

Secured report distribution carts

Bonded personnel (a fixed set of people allowed to enter)

No advertising of sensitive location

Computer workstation

PERSONAL COMPUTER /LAPTOPS PHYSICAL AND LOGICAL SECURITY

Engraving the company name

Logging of serial numbers

Physical locking (e.g. IBM steel hangers)

Theft response team

Backup of data

Password on files

Data encryption

AREAS TO BE COVERED FOR PHYSICAL ACCESS CONTROL

Physical access controls are designed to prevent intruders from gaining access to the physical assets of the company, like computer equipment and storage media. The following are the areas which should be physically protected from intruders:

Programming areas

Computer Rooms

Operator Console

Tape library, Tape disks

Storage rooms & supplies

Door Locks

Card entry system

Micro Computers

Office Back up Facilities

Power Sources

Telecommunication

Printing facilities

Access Logging

Biometric access


LOGICAL ACCESS CONTROLS

Logon IDs and passwords

Password policies

Biometric devices

Single Sign-on (SSO)

LOGICAL THREATS

VIRUSES

A virus is a piece of software which infects programs and data and which replicates itself. Viruses need an opportunity to spread. The programmers of viruses therefore place viruses in the kind of software which is most likely to be copied. This includes:

(a) Free Software

(b) Pirated Software

(c) Games Software

PROTECTION AGAINST VIRUS ACTIVITIES:

To reduce expected losses from viruses, security administration can

implement the following types of controls.

Preventive:

(a) Use only "clean", certified copies of software files.

(b) Do not use public domain / shareware software or files unless they have been checked for viruses.

(c) Use individual login IDs and passwords to ensure the security of assets, and also maintain physical security of assets.

Detective:

(a) Regularly run antivirus software to detect infections. Carry out file-size comparisons to check whether the size of programs has changed.

(b) Undertake date/time stamp comparisons to determine whether unauthorized

modifications have been made to software.

Corrective:

(a) Ensure clean back up is maintained

(b) Have a documented plan for recovery from virus infection.

(c) Run antivirus software to remove infections.
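The detective controls above compare file sizes and date/time stamps. The following is an added worked example, not part of the notes, that records a baseline of size, timestamp and SHA-256 digest for program files and reports which attributes changed. It also shows the limit of the first two checks: a same-length edit whose timestamp is put back is caught only by the digest. The sample file and its two modifications are constructed in a temporary directory.

```python
# Added worked example (not from the notes): a file-integrity baseline that
# records size, timestamp and SHA-256 of program files and reports what changed.
import hashlib
import os
import shutil
import tempfile


def snapshot(paths):
    """Record size, modification time (ns) and SHA-256 digest of each file."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        baseline[path] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}
    return baseline


def compare(baseline, current):
    """Return {path: set of attributes that differ}; a missing file reports {'missing'}."""
    changes = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            changes[path] = {"missing"}
            continue
        diff = {key for key in old if old[key] != new[key]}
        if diff:
            changes[path] = diff
    return changes


def demo():
    """Two constructed modifications of a sample program file.

    Returns (attributes changed by a same-size edit with the timestamp restored,
             attributes changed by an append that grows the file).
    """
    workdir = tempfile.mkdtemp()
    try:
        prog = os.path.join(workdir, "report.exe")       # constructed sample file
        with open(prog, "wb") as f:
            f.write(b"ORIGINAL PROGRAM IMAGE 0001")
        base = snapshot([prog])

        # Edit 1: same length, and the timestamp is put back to its old value,
        # so size and date/time comparisons alone see nothing.
        with open(prog, "wb") as f:
            f.write(b"ORIGINAL PROGRAM IMAGE 0002")
        ns = base[prog]["mtime_ns"]
        os.utime(prog, ns=(ns, ns))
        stealthy = compare(base, snapshot([prog])).get(prog, set())

        # Edit 2: appended bytes change the size as well.
        with open(prog, "ab") as f:
            f.write(b" + EXTRA")
        obvious = compare(base, snapshot([prog])).get(prog, set())
        return stealthy, obvious
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be kept where the monitored system cannot rewrite it (read-only media or a separate host), otherwise the same modification that alters the program can also refresh the baseline.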


TROJANS

A Trojan is a program that, while visibly performing one function, secretly carries out another. For example, a program could be running a game while simultaneously destroying a data file or another program. A Trojan's work is immediate and obvious. They are easy to avoid as they do not copy themselves onto the target disk.

WORMS

Whereas a Trojan attacks from without, a worm, which is a type of virus, attacks

from within. A worm is a program that survives by copying and replicating itself

inside the computer system it has entered, without necessarily altering that system.

Other viruses attach themselves to a program.

TRAP DOOR

A trap door is an undocumented entry-point into a computer system. It is not to be

found in design specification but may be put in by software developers to enable

them to bypass access controls while working on a new piece of software. Because it is not documented, it may be forgotten and rediscovered by a hacker, perhaps at a later date.

LOGIC BOMBS

A logic bomb is a piece of code triggered by certain events. A program will behave normally until a certain event occurs, for example when disk utilization reaches a certain percentage. A logic bomb, by responding to set conditions, maximizes damage.

TIME BOMBS

A time bomb is similar to a logic bomb, except that it is triggered at a certain date.

Companies have experienced virus attacks on April Fools’ Day and on Friday 13th.

These were released by time bombs.

SPAM

Spam is flooding the internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send; most of the costs are paid by the recipient or the carriers rather than by the sender.

Cancelable Spams

Email Spam

SNIFFERS

A sniffer is a program or device that can monitor data traveling over a network.

Sniffers can be used both for legitimate network management functions and for

stealing information from a network. Unauthorized sniffers can be extremely

dangerous to a network’s security, because they are virtually impossible to detect.

They often work on TCP/IP networks, where they are sometimes called “packet

sniffers.”

SPOOFING

IP spoofing is one of the most common forms of online camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by "spoofing" the IP address of that machine.

NON BLIND SPOOFING

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures that took place to build the connection.

MAN IN THE MIDDLE ATTACK

In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by "spoofing" a party presumably trusted by the recipient.

ROUNDING DOWN (SALAMI TECHNIQUE)

Rounding down involves drawing small amounts of money from a computerized transaction or account and rerouting them to the operator's own account. The term refers to rounding the small fractions of a currency unit (fractions of a cent) down and transferring those fractions into the unauthorized account. Because each amount is so small, the individual transfers are rarely noticed; only the accumulated total, or a reconciliation of the whole batch, gives them away.
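The following Python simulation, added here as an illustration and not part of the original notes, runs an interest-posting batch over constructed account balances both honestly and with the rounding-down fraud, and then applies the reconciliation control that exposes it. The interest rate, the account balances and the fraudster's account number are all assumed.

```python
"""Rounding-down (salami) fraud on an interest-posting batch, plus the
reconciliation control that catches it. Added example, not from the original
notes; the rate and the account balances are constructed for the run."""
import random
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.0425")   # assumed annual rate
ATTACKER = "ACC-99999"     # account the insider quietly appended to the batch


def build_accounts(n=2000, seed=7):
    """Constructed master file: n accounts with random balances in whole cents."""
    rng = random.Random(seed)
    return {f"ACC-{i:05d}": Decimal(rng.randint(100, 10_000_000)) / 100
            for i in range(n)}


def exact_interest(balance):
    # Multiply first and divide last so that balances like 7300.00 stay exact.
    return balance * RATE * 31 / 365


def honest_posting(accounts):
    """Bank policy (assumed): round each credit to the cent, half to even."""
    return {acc: exact_interest(bal).quantize(CENT, ROUND_HALF_EVEN)
            for acc, bal in accounts.items()}


def salami_posting(accounts):
    """Round every credit DOWN and sweep the shaved fractions into ATTACKER."""
    credits, skimmed = {}, Decimal(0)
    for acc, bal in accounts.items():
        exact = exact_interest(bal)
        credits[acc] = exact.quantize(CENT, ROUND_DOWN)
        skimmed += exact - credits[acc]
    credits[ATTACKER] = skimmed.quantize(CENT, ROUND_DOWN)
    return credits


def reconcile(accounts, credits):
    """Detective control: recompute every credit independently, flag any credited
    account that is not in the master file and any posted amount that differs
    from the recomputed one. Rounding-down fraud shows up as many one-cent
    mismatches plus one account nobody can explain."""
    findings = []
    for acc in sorted(set(credits) - set(accounts)):
        findings.append(f"{acc}: credited {credits[acc]} but not in master file")
    expected = honest_posting(accounts)
    for acc, amount in expected.items():
        if credits.get(acc) != amount:
            findings.append(f"{acc}: posted {credits.get(acc)} expected {amount}")
    return findings


if __name__ == "__main__":
    accounts = build_accounts()
    bad = salami_posting(accounts)
    print("skimmed into", ATTACKER, "=", bad[ATTACKER])
    print("findings:", len(reconcile(accounts, bad)))
```

Two thousand accounts shave only about ten units of currency per run, which is why the fraud depends on volume and repetition; the control works because it never trusts the batch's own totals and instead recomputes from the master file.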

LOGICAL ACCESS CONTROL SOFTWARE

Logical access control software operates within the operating system, and may also be built into database management systems and application programmes.

Functions:

User identification (logon IDs) and authentication (passwords)

Applying access restrictions

Creating or changing user profiles and settings

Creating accountability (recording every action) and auditability (the ability to audit that record)

Logging events

Logging user activities

Reporting capabilities (e.g. the "Send / Don't Send" error-report prompt in Windows XP)

Identification and Authentication

Identification is the process of presenting one's identity to a system; authentication is the process of proving it. Together they are the first line of accountability, because everything logged afterwards is attributed to the identity that was authenticated.

Authentication is based on three factors:

a) Something you know (logon IDs and passwords)

b) Something you have (ID card, token)

c) Something you are (biometrics)

Examples of identification and authentication mechanisms:

a) Logon IDs and passwords

b) Token devices

c) One-time passwords

d) Biometrics:

Thumb prints

Finger prints

Palm readers


Hand geometry

Iris checking

Retinal imaging

Facial imaging

Signature recognition

Voice recognition

e) Single sign-on (SSO)

Without SSO a user needs a separate password for every server. With SSO one authentication gives access to every server, which is convenient but makes a compromised SSO credential far more dangerous, since it opens everything at once (compare a single messaging account such as MSN Messenger that unlocks several services).
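As a worked example of the "something you have" factor and of one-time passwords, the Python code below implements HOTP (RFC 4226), the counter-based scheme used by hardware tokens, on both the token side and the server side. It is added here and is not code from the original notes. The secret and counter values are the published RFC 4226 test vectors, so the codes can be checked offline; the look-ahead window size is an assumption.

```python
"""HOTP (RFC 4226) one-time passwords: what a hardware token computes and how
the server verifies it. Added example, not from the original notes."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side: remembers the next expected counter per token, tolerates a
    small look-ahead window for button presses that never reached the server,
    and never accepts a counter at or below one already used (replay protection)."""

    def __init__(self, secret: bytes, window: int = 5):   # window size assumed
        self.secret = secret
        self.window = window
        self.counter = 0   # next counter value we expect

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare so timing does not leak how close a guess was
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resync: everything at or below c is now dead
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC_SECRET, n))
    v = HotpVerifier(RFC_SECRET)
    print("first use accepted:", v.verify(hotp(RFC_SECRET, 0)))
    print("replay accepted:", v.verify(hotp(RFC_SECRET, 0)))
```

A stolen code is useless once it has been used, which is what makes the token a second factor rather than a second password; the window is the usability trade-off, since a larger one lets an attacker who has captured several future codes use them.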

SECURITY BYPASS FEATURES

Physical example: entry is blocked, but someone gets past the control because of influence, position or special privilege. Bypass features should be disabled for everyone.

Features to be considered:

a) Bypass label processing: the option to skip security-label checks should be off, and label processing should be on.

b) Special system logon IDs: every system is installed with built-in accounts (e.g. the administrator account created when Windows is installed, and the guest account). Built-in accounts that are not needed should be disabled.

c) System exits: these should not be available to ordinary users. They are used for complex maintenance and tailoring tasks, and their actions may not be recorded by the system, just as a cell phone cannot log the removal of its own battery or SIM card.

NETWORK INFRASTRUCTURE SECURITY

I. Controls in a network environment

a) Qualified people are hired for networking

b) Segregation of duties

c) Restriction of important functions

d) Terminal identification file (records which terminal logs on and off)

e) Encrypted transmission: data has to be encoded before it crosses the network

II. LAN (client/server) security

i. Risks associated with a LAN

Loss of data and program integrity

Viruses

Licence issues

External access (outsiders may access the LAN)


Illegal access (hackers may access the LAN)

Destruction of auditing and logging data

ii. Controls over a LAN

Dial-back (call-back) modems

Turn off call forwarding (the call first goes to a specific number) and call diversion on terminals (the call goes directly to another number), both of which can defeat dial-back

III. Internet threats and security

a) Threats

Viruses

Hackers

b) Security

Antivirus

Dial-back mechanisms, firewalls

IV. Types of network attacks

i. Passive attacks

Gather knowledge before launching an active attack. Three methods of passive attack:

a) Network analysis: scanning the target's operating system, services and ports (software ports, e.g. the HTTP port)

b) Eavesdropping (wiretapping)

c) Traffic analysis: looking at the nature of the traffic flow (audio, video, graphics), session length, message length and frequency of packets, without reading the contents

ii. Active attacks

Five methods of active attack:

1. Brute force attack (trying all possible combinations of a password; deadly against short or weak passwords)

2. Impersonation / spoofing / masquerading

3. Packet replay (copying packets from a legitimate session and replaying them, mixed with your own packets, to gain access to the system)

4. Email bombing

5. DoS and DDoS (denial of service and distributed denial of service)

DoS: a single source overwhelms the target, like one student asking all the questions, or a flood of huge emails.

DDoS: the same load spread over many attacking sources, like the questions being distributed among all the students.

Effects: engaging the server (huge volumes of email, server busy); bouncing back all requests (legitimate requests never reach the server); blocking a specific user.


SUBVERSIVE THREATS (can be active or passive)

In a passive attack the intruder attempts:

to learn the characteristics of the data being transmitted, so the privacy of the data is violated

to read and analyse the clear-text source and destination identifiers attached to a message for routing purposes, while the content of the data remains unchanged

to examine the length and frequency of messages

Examples are traffic analysis, release of message content and invasive taps.

In an active attack, intruders could:

insert a message into the message stream being transmitted

delete a message being transmitted

modify the contents of a message

duplicate messages

alter the order of messages

deny message service between sender and receiver by corrupting, discarding or delaying messages

IDS (INTRUSION DETECTION SYSTEM)

An IDS inspects inbound and outbound network activity and identifies suspicious patterns. There are several types of IDS.

Types of IDS

a) Misuse (signature) detection

The IDS analyses the information it gathers and compares it to a large database of attack signatures.

b) Anomaly detection

The system administrator defines a baseline, or normal state, of the network: traffic load, breakdown by protocol and typical packet size. The anomaly detector monitors network segments, compares their state to the normal baseline and looks for deviations.

c) Network-based system

Detects individual malicious packets flowing through the network, including ones crafted to be overlooked by a firewall.

d) Host-based system

Examines activities on each individual computer or host.

e) Passive system

Detects a potential security breach, logs the information and signals an alert.

f) Reactive system

Responds to the suspicious activity, for example by logging off a user or reprogramming the firewall (a reactive system of this kind is usually called an intrusion prevention system, IPS).
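The two detection styles, misuse (signature) and anomaly, are shown side by side in the Python example below, added here as an illustration and not part of the original notes. It trains a per-port size baseline on constructed clean connection records, then runs a constructed test batch through both engines. The signature patterns, the z-score threshold and all addresses and sizes are assumptions.

```python
"""A miniature IDS: misuse (signature) matching plus anomaly detection against a
learned baseline. Added example, not from the original notes; the connection
records below are constructed, not captured."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int
    payload: bytes = b""


# Misuse detection: a tiny signature database (constructed patterns).
SIGNATURES = {
    "telnet-root-login": (23, b"login: root"),
    "http-path-traversal": (80, b"../../"),
    "smtp-vrfy-probe": (25, b"VRFY "),
}


def misuse_alerts(conn):
    """Fire when the destination port and payload match a known signature."""
    return [name for name, (port, pat) in SIGNATURES.items()
            if conn.dport == port and pat in conn.payload]


class AnomalyDetector:
    """Learn mean/stdev of bytes per connection for each destination port from
    clean traffic, then flag connections far outside that baseline or on
    ports never seen during training."""

    def __init__(self, k=3.0):   # threshold in standard deviations (assumed)
        self.k = k
        self.baseline = {}

    def train(self, conns):
        by_port = {}
        for c in conns:
            by_port.setdefault(c.dport, []).append(c.nbytes)
        for port, sizes in by_port.items():
            self.baseline[port] = (statistics.fmean(sizes), statistics.pstdev(sizes) or 1.0)

    def alerts(self, conn):
        if conn.dport not in self.baseline:
            return [f"unseen-port-{conn.dport}"]
        mean, sd = self.baseline[conn.dport]
        z = abs(conn.nbytes - mean) / sd
        return [f"size-z={z:.1f}"] if z > self.k else []


def inspect(detector, conns):
    """Run both engines over a batch; return {index: [alerts]} for flagged records."""
    out = {}
    for i, c in enumerate(conns):
        hits = misuse_alerts(c) + detector.alerts(c)
        if hits:
            out[i] = hits
    return out


# Constructed clean traffic used to build the baseline.
TRAINING = (
    [Conn("10.0.0.2", "10.0.0.80", 80, "tcp", n) for n in (900, 1100, 1000, 950, 1050, 1200, 800)]
    + [Conn("10.0.0.3", "10.0.0.25", 25, "tcp", n) for n in (3000, 3200, 2800, 3100)]
)

# Constructed test batch: normal, signature hit, size anomaly, unseen port + signature.
BATCH = [
    Conn("10.0.0.2", "10.0.0.80", 80, "tcp", 1020, b"GET /index.html"),
    Conn("203.0.113.9", "10.0.0.80", 80, "tcp", 1000, b"GET /../../etc/passwd"),
    Conn("10.0.0.2", "10.0.0.80", 80, "tcp", 250000, b"POST /upload"),
    Conn("203.0.113.9", "10.0.0.80", 23, "tcp", 40, b"login: root"),
]

if __name__ == "__main__":
    det = AnomalyDetector()
    det.train(TRAINING)
    for i, hits in inspect(det, BATCH).items():
        print(i, BATCH[i].src, "->", BATCH[i].dport, hits)
```

The third record shows the complementary strengths: no signature matches a plain upload, but its size is wildly outside the baseline, while the traversal attempt in the second record is normal in size and is caught only by the signature.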


The difference between an IDS and a firewall

Firewall: installed at the meeting point between two networks (e.g. the LAN and the internet); enforces rules by permitting or denying traffic in both directions, so it is a preventive control.

IDS: installed on a host or on a monitored network segment; inspects both inbound and outbound activity and reports suspicious patterns, so it is a detective control that normally alerts rather than blocks.

HR Termination policies

There should be clearly defined steps of a termination policy in writing. The policy should address both types of termination, voluntary and involuntary; involuntary terminations are the more dangerous and require the controls below to be applied immediately.

Control Procedures

Return all access keys.

Delete logon IDs and passwords.

Notify other staff about the terminated employee.

Arrange final pay.

Termination / exit interview.

Return all company property.

Escort the person to the main gate.

SECURITY PROGRAMME

A security programme is a series of on-going, regular, periodic reviews conducted to ensure that assets associated with the information systems function are adequately safeguarded. A security programme must have six features:

(a) Alignment:

The programme must be aligned with the organizational goals.

(b) Enterprise-wide:

Everyone in the organization must become part of the security programme.

(c) Continuity:

The programme must operate continuously, without disruption.

(d) Validation:

The security programme must be tested and validated to ensure its operability.


(e) Proactive:

The organization should not wait for something to happen but must use innovative, preventive and protective measures.

(f) Formal:

It must be a formal programme with authority, responsibility and accountability.

DISASTER RECOVERY PLAN

The purpose of a disaster recovery plan (DRP), or contingency plan, is to enable the information systems function to restore operations in the event of some type of disaster.

A comprehensive DRP comprises four parts:

(a) An emergency plan

(b) A backup plan

(c) A recovery plan

(d) A test plan

(a) Emergency Plan

The emergency plan specifies the actions to be taken immediately when a disaster occurs. Management must identify the situations that require the plan to be invoked. Once those situations have been identified, four aspects of the emergency plan must be articulated:

(i) The plan must show who is to be notified immediately when the disaster occurs: management, police or the fire department.

(ii) The plan must show any actions to be undertaken, such as shutdown of equipment, removal of files and termination of power.

(iii) Any evacuation procedures required must be specified.

(iv) Return procedures (e.g. the conditions that must be met before the site is considered safe) must be designated.

(b) Backup Plan

The backup plan specifies:

The type of backup to be kept

The frequency with which backups are to be taken


The procedures for making backups

The location of backup resources

The site where these resources can be assembled and operations restarted

The personnel responsible for gathering backup resources and restarting operations

The priorities to be assigned to recovering the various systems, and

A time frame in which recovery of each system must be effected

The following resources must be considered:

Personnel (training and rotation of duties)

Hardware (outsourcing for provision)

Facilities (outsourcing for provision)

Documentation (inventory stored off-site and on-site)

Supplies (inventory stored off-site and on-site)

Data / information (inventory of files off-site and on-site)

Application software (inventory of files off-site and on-site)

System software (inventory of files off-site and on-site)

(c) Recovery Plan

Whereas the backup plan is intended to restore operations quickly so that the information systems function can continue to service the organization, the recovery plan sets out procedures to restore full information system capabilities. Recovery plans depend on the circumstances of a disaster, e.g. on whether the disaster is global or localized and, if localized, on the nature of the machine, the applications and the data to be recovered. The plan should specify the responsibilities of the recovery committee and provide guidelines or priorities to be followed, including which applications are to be recovered first.

(d) Test Plan

The final component of a DRP is a test plan. Its purpose is to identify deficiencies in the emergency, backup or recovery plans, or in the preparedness of the organization and its personnel, in the event of a disaster. It must enable a range of disasters to be simulated and specify the criteria by which the emergency, backup and recovery plans can be deemed satisfactory.


To facilitate testing, a phased approach can be adopted. First, the DRP can be tested by desk checking, inspection and walk-through, much like the validation procedures adopted for programs. Next, a disaster can be simulated at a convenient time. Finally, a disaster can be simulated without warning at any time; this is the acid test of the organization's ability to recover from a real disaster.

BACKUP OPTIONS

Following are some viable backup options security administrators should consider:

(a) Cold Site

If an organization can tolerate some downtime, a cold site backup might be appropriate. A cold site has all the facilities needed to install a mainframe system: raised floors, air conditioning, power, communication lines and so on. The mainframe itself is not present, however, and must be provided by the organization wanting to use the cold site.

(b) Hot Site

If fast recovery is critical, an organization might need a hot site backup. All hardware and operations facilities are available at the hot site. In some cases software, data and supplies might also be stored there. Hot sites are expensive to maintain, so they are usually shared with other organizations that have hot site needs.

(c) Warm Site

A warm site provides an intermediate level of backup. It has cold site facilities plus hardware that might be difficult to obtain or install; e.g. a warm site might contain selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications in the short run.

(d) Reciprocal Agreement

Two or more organizations might agree to provide backup facilities to each other in the event of one suffering a disaster. This backup option is relatively cheap, but each participant must maintain sufficient spare capacity to operate the other's critical systems. Reciprocal agreements are often informal in nature, which makes them hard to rely on.

If a third-party site is to be used for backup and recovery purposes, security administrators must ensure that a contract is written to cover such issues as:


(i) How soon the site will be made available subsequent to a disaster.

(ii) The number of organizations that will be allowed to use the site concurrently in the event of a disaster.

(iii) The priority to be given to concurrent users of the site in the event of a common disaster.

(iv) The period during which the site can be used.

(v) The conditions under which the site can be used.

(vi) The facilities and services the site provider agrees to make available.

(vii) What controls will be in place and working at the off-site facility.

BUSINESS CONTINUITY PLANNING (BCP)

BCP is the act of proactively working out a way to prevent and manage the consequences of a disaster, limiting them to the extent that the business can afford. BCP determines how a company will keep functioning until its normal facilities are restored after a disruptive event.

There are two key performance indicators (KPIs) that measure across the business continuity spectrum:

(a) Recovery point objective (RPO)

The pre-incident point in time to which data must be recovered in order to resume business transactions; in other words, the acceptable amount of transaction data loss.

(b) Recovery time objective (RTO)

The maximum elapsed time allowed to recover data and processing capability.

1. Business impact analysis (BIA)

A business impact analysis is performed to determine the impacts associated with disruptions to specific functions or assets in a firm. These include operating impact, financial impact and legal or regulatory impact.

2. Risk Analysis

Risk analysis identifies the important functions and assets that are critical to a firm's operations, and then establishes the probability of a disruption to those functions and assets. Once the risks are identified and established, objectives and strategies to eliminate avoidable risks and minimize the impact of unavoidable risks can be set. A list of critical business functions and assets should first be compiled and prioritized.

3. Disaster Recovery Plan

A DRP is an IT-focused plan designed to restore operability of the target systems, applications or computer facility at an alternate site after an emergency. A DRP addresses major site disruptions that require site relocation: major, usually catastrophic, events that deny access to the normal facility for an extended period.

4. Disaster tolerance

Disaster tolerance defines an environment's ability to withstand major disruptions to systems and related business processes. Disaster tolerance at various levels should be built into an environment and can take the form of hardware redundancy, high-availability/clustering solutions, multiple data centres, elimination of single points of failure and disaster recovery solutions.

Bare Metal Recovery

Bare metal recovery is the process of restoring a complete system, including system and boot partitions, system settings, applications and data, to its original state at some point prior to a disaster, onto hardware that has no operating system installed.


CHAPTER 15

NETWORK INFRASTRUCTURE SECURITY

TCP/IP: THE LANGUAGE OF THE INTERNET

TCP/IP includes both network-communication and application-support protocols. The main protocols of the TCP/IP suite are as follows:

(a) Remote terminal protocol (telnet)

This terminal-emulation protocol enables users to log on to remote systems and use their resources as if they were connected locally. Like FTP, it sends the login and the whole session in clear text.

(b) File transfer protocol (FTP)

FTP enables users and systems to transfer files from one computer to another on the internet. Depending on configuration, FTP allows named-user and anonymous logins. FTP can be used to transfer a variety of file types and does not provide secure communication (encryption) during login or file transfer.

(c) Simple mail transfer protocol (SMTP)

This protocol provides standard electronic mail (email) transfer services.

(d) Domain Name Service (DNS)

This protocol resolves hostnames to IP addresses and IP addresses to hostnames; for example, www.google.com would resolve to an IP address such as 66.33.202.245. DNS servers form a hierarchical, distributed database that is queried for resolution. The service enables users to remember names instead of IP addresses.

(e) Network File System (NFS)

This protocol allows a computer to access files over a network as if they were on its local disk.


(f) Transmission Control Protocol (TCP)

This transport-layer protocol establishes a reliable, full-duplex data delivery service that many TCP/IP applications use. TCP is a connection-oriented protocol, which means that it guarantees the delivery of data and that segments will be delivered to the application in the same order as they were sent.

(g) User Datagram Protocol (UDP)

This transport-layer protocol provides connectionless delivery of data on the network. UDP does not provide error-recovery services and is used where low overhead matters more than reliability, for example broadcasting and streaming.

(h) Internet Protocol (IP)

This protocol specifies the format of the packets (datagrams) that will be transported on the network. IP only defines the format and addressing of packets, so it is generally combined with a transport protocol such as TCP to effect end-to-end delivery.

(i) Internet Control Message Protocol (ICMP)

This protocol is an extension of the Internet Protocol (IP). It supports packets that contain error, control and informational messages. The ping command, used to test network connectivity, uses ICMP.

(j) Address Resolution Protocol (ARP)

This protocol is used to convert an IP address (logical address) into a physical (MAC) address. When a host on the network wants to obtain a physical address, it broadcasts an ARP request. The host on the network that has the IP address replies with its physical address. ARP replies are not authenticated, so any host on the segment can answer with a false address.

(k) X.25

This is a data communications interface specification developed to describe how data passes into and out of a packet-switched network. The X.25 protocol suite defines protocol layers 1 to 3.

NETWORK

A network is a connection of autonomous processors. Two or more processors are said to be autonomous if they can work independently of each other as well as collectively.


Our mobile phone processors do not form a network because they are not intelligent enough to work independently. Similarly, if several I/O devices are attached to a supercomputer, mainframe or minicomputer, that is not a network, because the I/O devices are not able to work independently once they are disconnected. However, if two or more microcomputers are connected with each other and are able to work independently as well as in a sharing network, then it is a NETWORK.

NETWARE (SOFTWARE NEEDED TO RUN THE NETWORK)

Client-Server

One computer is the server and the other computer is the client. The biggest example is the internet, in which we are the clients of an internet service provider (ISP). The ISPs are in turn clients of internationally recognized networking bodies (e.g. AT&T, British Telecom).

Peer to Peer

No one is server and no one is client; every machine is both server and client.

FOUR REASONS FOR FORMING A NETWORK

Sharing of data/information

Sharing of resources (e.g. printer, hard disk, CD drive)

Sharing of services (e.g. internet service, stock exchange service)

Security (you cannot take data away from the network hard disk, and many restrictions are imposed even to access data)

APPLICATION SERVICE PROVIDER (ASP) (outsourcing vendor on the internet / WAN)

Functions

Owns and operates the server

Owns and operates the software application

Employs the people who operate / run the system

Provides the service anywhere and everywhere

Charges a nominal fee

Advantages

Low or no setup cost

Pay as you go

No specialization needed in-house

User has his own bandwidth


Flexibility

Disadvantages

Same as outsourcing

Serious points to consider

1. Customer access: browser for websites; special browsers (e.g. at an airport terminal we can use the internet through a restricted kiosk browser)

2. Customer issues: training; queries

3. Secure connection

4. Dedicated or shared application server (dedicated is recommended)

5. Problem resolution capacity

6. Level of redundancy / backup

7. Disaster recovery

8. Data ownership

9. Data security

10. Transfer of data between the in-house application and the ASP

11. How to switch to another ASP

IP SPOOFING

This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) define which packets may and may not pass based on the sender's IP address, this is a useful technique for an attacker: he can send packets to a host, perhaps causing it to take some sort of action. Additionally, some applications allow login based on the IP address of the person making the request. Both are good examples of how trusting an untrustworthy layer provides security that is at best weak.

DENIAL OF SERVICE

The premise of a DoS attack is simple: send more requests to the machine than it can handle. DoS attacks are probably the nastiest, and the most difficult to address. They are the nastiest because they are very easy to launch, difficult to track, and it is not easy to refuse the requests of the attacker without also refusing legitimate requests for service.

There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests.


Some things that can be done to reduce the risk of being stung by a DoS attack include:

(a) Not running your visible-to-the-world services at a level too close to capacity.

(b) Using packet filtering to prevent obviously forged packets from entering your network address space.

(c) Obviously forged packets include those that claim to come from your own hosts, from addresses reserved for private networks, and from the loopback network (127.0.0.0/8).

(d) Keeping up to date on security-related patches for your hosts' operating systems.

DESTRUCTIVE BEHAVIOUR

Among the destructive sorts of break-ins and attacks, there are two major categories:

Data diddling

Data destruction

Data Diddling

Data diddling is likely the worst sort, since the fact of a break-in might not be immediately obvious. Perhaps the attacker is toying with the numbers in your spreadsheets, or changing the dates in your projections and plans. Maybe he is changing the account numbers for the automatic deposit of certain paycheques.

Data Destruction

Some of those who perpetrate attacks are simply twisted jerks who like to delete things. In these cases, the impact on your computing capability, and consequently on your business, can be nothing less than if a fire or other disaster had caused your computing equipment to be completely destroyed.

Preventive Measures

1) Regular backups should be maintained

2) Don't put data where it doesn't need to be

3) Avoid systems with a single point of failure

4) Stay current with relevant operating system patches

5) Have someone on staff who is familiar with security practices
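Because data diddling leaves nothing missing, backups alone do not reveal it; what does is an integrity baseline taken while the data is known good. The Python example below, added here as an illustration and not part of the original notes, keeps a keyed hash (HMAC) of each record and reports records that were modified, deleted or added since the baseline. The payroll records and the key are constructed; in practice the key and the baseline are stored away from the host holding the data.

```python
"""Detecting data diddling with an integrity baseline. Added example, not from
the original notes; the payroll records and the key are constructed."""
import hashlib
import hmac
import json

BASELINE_KEY = b"assumed-key-kept-off-the-payroll-host"   # assumption


def canonical(record):
    # Stable serialisation so the same content always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(record, key=BASELINE_KEY):
    # HMAC rather than a bare hash: an attacker who can edit the record could
    # otherwise recompute a plain digest to match the edited content.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def take_baseline(records, key=BASELINE_KEY):
    """Tag every record while the data is known good."""
    return {rid: record_tag(rec, key) for rid, rec in records.items()}


def check_integrity(records, baseline, key=BASELINE_KEY):
    """Return a sorted list of (record_id, problem) for modified, deleted or added records."""
    problems = []
    for rid, tag in baseline.items():
        if rid not in records:
            problems.append((rid, "deleted"))
        elif not hmac.compare_digest(record_tag(records[rid], key), tag):
            problems.append((rid, "modified"))
    for rid in records.keys() - baseline.keys():
        problems.append((rid, "added"))
    return sorted(problems)


def sample_payroll():
    """Constructed payroll master: employee id -> record."""
    return {
        "E100": {"name": "A. Khan", "salary": 120000, "deposit_acct": "PK11-0001"},
        "E101": {"name": "B. Ali", "salary": 95000, "deposit_acct": "PK11-0002"},
        "E102": {"name": "C. Raza", "salary": 87000, "deposit_acct": "PK11-0003"},
    }


if __name__ == "__main__":
    records = sample_payroll()
    baseline = take_baseline(records)
    records["E101"]["deposit_acct"] = "PK11-9999"    # the diddled auto-deposit account
    print(check_integrity(records, baseline))
```

The same pattern applied to files rather than records is what host-based integrity checkers do; the check is only as good as the separation between the data and the key and baseline it is compared against.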


ROUTER

Routers are used to direct, or route, traffic on the network and work at the network layer (layer 3) of the OSI model. A router links two or more physically separate network segments. Although they are linked via the router, the segments can function as independent networks. Routers look at the headers of network packets to determine source and destination (logical) addresses. A router can be used as a packet-filtering firewall by comparing the header information in packets against its rules; the creation of packet-filtering rules involves both permit and deny statements.

BRIDGE

A bridge works at the data link layer (layer 2) of the OSI model and connects two separate networks to form one logical network. Bridges store and forward frames. A bridge examines the media access control (MAC) header of a frame to determine where to forward it; bridges are transparent to end users. A MAC address is the physical address of a device on the network. As frames pass through it, the bridge determines whether the destination MAC address resides on the local segment; if not, the bridge forwards the frame to the appropriate network segment. Bridges can reduce collisions that result from segment congestion, but they do forward broadcast frames. Bridges are good network devices if used for the right purpose.

HUBS AND SWITCHES

A hub operates at the physical layer (layer 1) of the OSI model and can serve as the centre of a star topology. Hubs can be considered concentrators because they concentrate all network communications for the devices attached to them. A hub contains several ports to which clients are directly connected, and every frame it receives is repeated to all ports, which is why a sniffer on any hub port sees all traffic.

A switch combines the functionality of a multi-port bridge and the signal amplification of a repeater, forwarding each frame only to the port on which the destination MAC address was learned.

DEMILITARIZED ZONE (DMZ)

The DMZ is a critical part of a firewall architecture. It is a network that is neither part of the untrusted network nor part of the trusted network, but a network that connects the untrusted to the trusted. The importance of a DMZ is tremendous: someone who breaks into your network from the internet should have to get through several layers in order to do so, and those layers are provided by the various components within the DMZ.

CRYPTO-CAPABLE ROUTERS

A feature being built into some routers is the ability to encrypt sessions between specified routers. Because traffic travelling across the internet can be seen by people in the middle who have the resources and time to snoop around, such routers are advantageous for providing connectivity between two sites so that the traffic between them is protected.

VIRTUAL PRIVATE NETWORKS (VPN)

VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they are directly connected over a private leased line. The session between them, although it goes over the internet, is private (because the link is encrypted), and the link is convenient, because each office can see the other's internal resources without exposing them to the entire world.

NETWORK INFRASTRUCTURE SECURITY CHECKLIST

Check systems for zombie agent software.

Minimize external exposure by minimizing internet access and connectivity.

Consider using a web-content filter product to further limit your exposure to breaches and legal liability.

Remove or limit internet access for those employees who do not need it for business purposes.

Review security policies and ensure that they are current.

Ensure all current service packs and security patches have been installed on operating systems and software, including antivirus updates.

Diligently review and monitor all critical system logs for suspect activity and consider implementing a host intrusion detection system.

Revisit your firewall configuration and rules to ensure that unnecessary ports and services are turned off and that access control is tightly managed.

Consider changing passwords for all super-user or power IDs such as root, DB admin, application manager IDs etc.


Revisit access control lists on routers, firewalls, servers and applications to ensure that access to critical functions and resources is limited to those with a need to know.

Ensure all critical systems are regularly backed up and that actual system recovery procedures have been tested.

Consider developing an incident response plan to address the appropriate actions should a debilitating cyber incident / event occur at your business.

Users working from home via high-speed broadband connections should be required to have a firewall installed on their system.

FIREWALLS

A firewall is a device (hardware and/or software) that restricts access between networks. Those networks might be a combination of an internal and an external network (the organization's LAN and the internet) or might both be internal networks. A firewall is implemented to support the organizational security policy, in that specific restrictions or rules are configured within the firewall to restrict access to services and ports. If configured correctly, the firewall is the gateway through which all traffic flows. Network traffic (each packet) is monitored as it comes into the firewall and compared against a set of rules (filters); if the traffic does not meet the requirements of the access control policy, it is not allowed through and might be discarded or redirected.

A firewall can be considered a "choke point" on the network because all traffic must be checked against the rules before gaining access. As a result, the rules that are created for the network must take into account performance as well as security.

A firewall can filter traffic based on a variety of parameters within the packet:

(a) Source and destination addresses

The firewall can look at the source or destination address in the packet.

(b) Source and destination ports

The firewall can look at the source or destination port identifier of the service or application being accessed.

(c) Protocol types

The firewall might not let certain protocol types into the network.
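The packet-filtering rules described here, the permit/deny statements of the router section and the anti-spoofing filter recommended in the denial-of-service section are all one mechanism, shown in the Python example below. It is added here as an illustration and not part of the original notes: an ingress check drops obviously forged sources first, then a first-match rule list decides on address, port and protocol, with an implicit deny at the end. The internal address range, the rule set and the sample packets are assumptions.

```python
"""A packet-filtering rule engine: anti-spoofing ingress checks, then a
first-match permit/deny list keyed on addresses, ports and protocol.
Added example, not from the original notes; prefix and rules are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # protocol or "any"
    dport: int = 0  # 0 = any port


INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed organisation address space
BOGON = [
    ipaddress.ip_network("10.0.0.0/8"),           # private (RFC 1918)
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),          # loopback
    INTERNAL,                                     # our own hosts never arrive from outside
]


def obviously_forged(pkt):
    """Ingress anti-spoofing: a packet arriving on the external interface must
    not claim an internal, private or loopback source address."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in BOGON)


def _addr_match(field, spec):
    return spec == "any" or ipaddress.ip_address(field) in ipaddress.ip_network(spec)


def rule_matches(rule, pkt):
    return (_addr_match(pkt.src, rule.src) and _addr_match(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (0, pkt.dport))


def filter_packet(rules, pkt):
    """First-match evaluation with implicit deny. Returns (action, reason) so
    that every decision can be logged with the rule that made it."""
    if obviously_forged(pkt):
        return "deny", "anti-spoofing"
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            return r.action, f"rule {i}"
    return "deny", "implicit deny"


# Assumed rule set for the public services segment: web to the DMZ host, nothing else.
RULES = [
    Rule("permit", "any", "192.0.2.10/32", "tcp", 80),
    Rule("permit", "any", "192.0.2.10/32", "tcp", 443),
    Rule("deny", "any", "192.0.2.0/24", "tcp", 23),     # telnet never crosses the perimeter
]

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
              Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
              Packet("192.0.2.55", "192.0.2.10", "tcp", 80)):
        print(p, "->", filter_packet(RULES, p))
```

The explicit deny for telnet is redundant with the implicit deny, but it is kept so that the log names the policy that rejected the packet; rule order matters, because a later, broader permit would never be reached for traffic an earlier rule already decided.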

There are many different types of firewall, but most enable an organization to:

(i) Block access to particular sites on the internet.

(ii) Limit traffic on an organization’s public services segment to relevant

addresses and ports.

(iii) Prevent certain users from accessing certain servers or services

(iv) Monitor and record all communications between an internal network

and the outside world to investigate network penetrations or detect

internal subversion.

(v) Encrypt packets that are sent between different physical locations within an organization by creating a VPN over the internet (i.e. IPSec VPN tunnels).
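The packet-filtering behaviour described above (first-match rules on addresses, ports and protocol, default deny, and a decision log for later review), as an added example that is not part of these notes. The network ranges, the blocked site and the packets are constructed; the policy and the expected-decision table are assumptions made for the illustration, and replaying that table after every rule change is one way to catch the mis-configured-firewall problem listed under FIREWALL ISSUES.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                 # source address
    dst: str                 # destination address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port (None for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: str = "0.0.0.0/0"                    # source network; the default matches any
    dst: str = "0.0.0.0/0"                    # destination network
    proto: Optional[str] = None               # protocol type; None matches any
    dports: Optional[FrozenSet[int]] = None   # destination ports; None matches any

    def matches(self, pkt: Packet) -> bool:
        """Compare the packet's address, port and protocol fields against this filter."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


class Firewall:
    """First-match packet filter with a default-deny rule and a decision log."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[Tuple[str, Optional[int], Packet]] = []

    def filter(self, pkt: Packet) -> str:
        for index, rule in enumerate(self.rules):   # rule order matters: first match wins
            if rule.matches(pkt):
                self.log.append((rule.action, index, pkt))
                return rule.action
        self.log.append(("deny", None, pkt))         # nothing matched: default deny
        return "deny"

    def denied(self) -> List[Packet]:
        """Denied traffic, kept for the regular log review the notes call for."""
        return [pkt for action, _, pkt in self.log if action == "deny"]


# Constructed policy (assumption): the LAN is 10.0.0.0/8, the public services segment is
# 192.0.2.0/24 and 198.51.100.0/24 is a site the organization has decided to block.
POLICY = [
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dports=frozenset({80, 443})),  # public services only
    Rule("deny", src="10.0.0.0/8", dst="198.51.100.0/24"),                       # blocked site
    Rule("allow", src="10.0.0.0/8"),                                             # LAN outbound
]

# Constructed packets with the decision the policy is meant to produce for each.
EXPECTED = [
    (Packet("203.0.113.5", "192.0.2.10", "tcp", 443), "allow"),   # internet -> public web server
    (Packet("203.0.113.5", "192.0.2.10", "tcp", 22), "deny"),     # internet -> admin port on that host
    (Packet("203.0.113.5", "10.1.2.3", "tcp", 445), "deny"),      # internet -> internal file share
    (Packet("10.1.2.3", "198.51.100.7", "tcp", 80), "deny"),      # LAN -> blocked site
    (Packet("10.1.2.3", "192.0.2.99", "udp", 53), "allow"),       # LAN outbound
]


def audit_ruleset(rules: List[Rule], cases) -> List[Tuple[Packet, str, str]]:
    """Return (packet, expected, actual) for every case the ruleset decides wrongly."""
    fw = Firewall(rules)
    mismatches = []
    for pkt, want in cases:
        got = fw.filter(pkt)
        if got != want:
            mismatches.append((pkt, want, got))
    return mismatches
```

Swapping the last two rules of POLICY (putting the general LAN-outbound allow before the specific deny) makes audit_ruleset report the blocked-site packet as allowed, which is exactly the kind of mis-configuration a replay of expected decisions surfaces before it reaches production.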

FIREWALL ISSUES

Problems faced by organizations that have implemented a firewall include:

(i) A false sense of security may exist where management feels that no further security checks and controls are needed on the internal network (i.e. the majority of incidents are caused by insiders, who are not controlled by the firewall).

(ii) Firewalls may be circumvented through the use of modems that connect users directly to internet service providers.

(iii) Management should provide assurance that the use of modems when a

firewall exists is strictly controlled or prohibited altogether.

(iv) Mis-configured firewalls may allow unknown and dangerous services to

pass through freely.

(v) What constitutes a firewall may be misunderstood (e.g. companies claiming to have a firewall merely have a screening router).

(vi) Monitoring activities may not occur on a regular basis (i.e. log settings

not appropriately applied and reviewed.)

(vii) Firewall policies may not be maintained regularly.


CHAPTER 16

DATABASE AND DATA RESOURCE MANAGEMENT

MANAGEMENT OF DATA

The organization needs information for making decisions to run the business successfully. This necessitates that data should be collected and managed properly.

There are four objectives for better data management:

(a) Users must be able to share data.

(b) Data must be available to users when it is needed, where it is needed and in

the form in which it is needed.

(c) Data modification should be easy in the light of changing requirements.

(d) Data integrity must be preserved.

TASKS OF DATA ADMINISTRATOR

(i) Defining Data

Undertake strategic data planning, determine user needs, specify conceptual

and external scheme definitions.

(ii) Creating Data

Advising users on collection, validation and editing criteria.

(iii) Redefining / Restructuring Data

Specify new conceptual and external schema definitions.

(iv) Retiring Data

Specify retirement policies

(v) Making database available to users

Determine end user requirements for database tools, testing and evaluation of end user tools.


(vi) Informing and servicing users

Answering end user queries, educating, informing high level policies.

(vii) Maintaining database integrity

Developing organizational standards

(viii) Monitoring operations

Monitoring end users

TASKS OF DATABASE ADMINISTRATOR

(i) Defining Data

Specify internal schema definitions

(ii) Creating Data

Preparing programs to create data, assist in populating database.

(iii) Redefining / Restructuring Data

Specify new internal schema definitions and alter the database to implement them.

(iv) Retiring Data

Implement retirement policies

(v) Making Database available to users

Determine programmer requirements for database tools, testing / evaluation

of programmer and optimization tools.

(vi) Informing and servicing users

Answering programmer queries, educating, informing low level policy

information.

(vii) Maintaining database Integrity

Implementing database controls, application controls

(viii) Monitoring operations

Monitoring programmers, performance timing

DATA ADMINISTRATOR

(a) Ensures that all data management role groups comply with data management policies and guidelines.

(b) Periodically reports to the director on the status of compliance with data management policies and guidelines.


DATABASE MANAGEMENT

Access controls are used in the database subsystem to prevent unauthorized access to and use of data. A discretionary access control policy can be used, which allows users to specify who can access the data they own and what action privileges they have with respect to the data. A mandatory access control policy requires a system administrator to assign security attributes to data that cannot be changed by database users.

Under a discretionary access control policy, users who are not owners of data can

be subjected to four types of access restrictions:

(a) Name-dependent access control, which permits or denies access to a named

data resource.

(b) Content-dependent access control which permits or denies access depending

on the content of the data item.

(c) Context-dependent access control, which permits or denies access depending on the context, e.g. revelation of a specific data item value versus access for statistical purposes.

(d) History dependent access, which permits or denies access depending on the

history of prior accesses to the database.

Under a mandatory access control policy, classification levels can be assigned to specific data items / attributes in a record / relation and to records / relations as a whole. The value of the classification level is then compared against the user’s clearance level to determine whether the data item / attribute or record / relation will be made available to the user.
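The two policies above in working form, as an added example that is not part of these notes: owners grant access under the discretionary policy (name-dependent, content-dependent, context-dependent and history-dependent restrictions), while the administrator-assigned clearances and classifications of the mandatory policy are compared per record and per attribute and cannot be overridden by an owner's grant. The personnel records, the classification levels, the minimum statistical set size and the read quota are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # ordered classifications (constructed)


@dataclass
class Record:
    rid: str
    owner: str
    values: Dict[str, object]
    level: str = "public"                                      # classification of the whole record
    attr_levels: Dict[str, str] = field(default_factory=dict)  # stricter classification per attribute


@dataclass
class Grant:
    grantee: str
    rid: str                                                          # name-dependent: a named resource
    condition: Optional[Callable[[Dict[str, object]], bool]] = None   # content-dependent predicate


class DatabaseAccessControl:
    def __init__(self, records: List[Record], clearances: Dict[str, str],
                 min_statistical_set: int = 3, max_reads: int = 5):
        self.records = {r.rid: r for r in records}
        self.clearances = clearances              # set by the administrator, not by users (MAC)
        self.grants: List[Grant] = []             # set by data owners (DAC)
        self.history: Dict[str, List[str]] = {}   # user -> records already revealed to them
        self.min_statistical_set = min_statistical_set
        self.max_reads = max_reads

    def grant(self, owner: str, grantee: str, rid: str, condition=None) -> None:
        if self.records[rid].owner != owner:
            raise PermissionError(f"{owner} does not own {rid}")
        self.grants.append(Grant(grantee, rid, condition))

    def _dac_allows(self, user: str, rec: Record) -> bool:
        if rec.owner == user:
            return True
        return any(g.grantee == user and g.rid == rec.rid
                   and (g.condition is None or g.condition(rec.values)) for g in self.grants)

    def _mac_filter(self, user: str, rec: Record) -> Optional[Dict[str, object]]:
        """Record classification versus clearance, then attribute by attribute."""
        clearance = LEVELS[self.clearances[user]]
        if LEVELS[rec.level] > clearance:
            return None
        return {k: v for k, v in rec.values.items()
                if LEVELS[rec.attr_levels.get(k, rec.level)] <= clearance}

    def read(self, user: str, rid: str) -> Tuple[str, object]:
        """Context: revelation of one record. DAC, history and MAC checks all apply."""
        rec = self.records[rid]
        if not self._dac_allows(user, rec):
            return ("denied", "discretionary: no grant, or content condition not met")
        seen = self.history.setdefault(user, [])
        if rid not in seen and len(seen) >= self.max_reads:
            return ("denied", "history: read quota exhausted")
        visible = self._mac_filter(user, rec)
        if visible is None:
            return ("denied", "mandatory: clearance below record classification")
        if rid not in seen:
            seen.append(rid)
        return ("ok", visible)

    def average(self, user: str, attr: str, where: Callable[[Dict[str, object]], bool]) -> Tuple[str, object]:
        """Context: statistical purpose. No individual grant is needed, MAC still applies, and
        small result sets are refused so that no single value can be inferred from the aggregate."""
        values = []
        for rec in self.records.values():
            visible = self._mac_filter(user, rec)
            if visible is not None and attr in visible and where(rec.values):
                values.append(visible[attr])
        if len(values) < self.min_statistical_set:
            return ("denied", f"context: fewer than {self.min_statistical_set} records in result set")
        return ("ok", sum(values) / len(values))


# Constructed personnel records owned by the HR user; salary is classified above the record.
RECORDS = [
    Record("e1", "hr", {"name": "Ann", "dept": "ops", "salary": 40000}, "confidential", {"salary": "secret"}),
    Record("e2", "hr", {"name": "Ben", "dept": "ops", "salary": 52000}, "confidential", {"salary": "secret"}),
    Record("e3", "hr", {"name": "Cy", "dept": "it", "salary": 61000}, "confidential", {"salary": "secret"}),
    Record("e4", "hr", {"name": "Di", "dept": "it", "salary": 45000}, "confidential", {"salary": "secret"}),
]
CLEARANCES = {"hr": "secret", "alice": "confidential", "bob": "public"}   # administrator-assigned


def demo() -> Dict[str, object]:
    ac = DatabaseAccessControl(RECORDS, CLEARANCES, min_statistical_set=3, max_reads=2)
    ac.grant("hr", "alice", "e1")                                            # name-dependent
    ac.grant("hr", "alice", "e2", condition=lambda v: v["salary"] < 50000)  # content-dependent
    ac.grant("hr", "alice", "e3")
    ac.grant("hr", "alice", "e4")
    ac.grant("hr", "bob", "e1")
    return {
        "alice_e1": ac.read("alice", "e1"),      # ok, but the secret salary attribute is withheld
        "alice_e2": ac.read("alice", "e2"),      # denied: 52000 fails the content condition
        "alice_e3": ac.read("alice", "e3"),      # ok: second read within the quota
        "alice_e4": ac.read("alice", "e4"),      # denied by the history-dependent quota
        "bob_e1": ac.read("bob", "e1"),          # granted by the owner, still denied by MAC
        "hr_ops_avg": ac.average("hr", "salary", lambda v: v["dept"] == "ops"),   # 2 records: refused
        "hr_all_avg": ac.average("hr", "salary", lambda v: True),                # 4 records: released
        "alice_all_avg": ac.average("alice", "salary", lambda v: True),          # salary never visible
    }
```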

RECOVERY STRATEGY

Existence controls encompass both a backup strategy and a recovery strategy. All backup strategies require maintenance of a prior version of the database and a log of transactions or changes made to the database. Recovery strategies take two forms:

(a) Roll forward, whereby the current state of the database is recovered from a previous version.

(b) Rollback, whereby a previous state of the database is retrieved from the current state.


GRANDFATHER, FATHER, SON BACKUP & RECOVERY STRATEGY

It involves maintaining the previous two versions of a master file and the previous version of the transaction file. If the current (son) version of the master file is lost, it can be recovered by processing the current transaction file against the previous version of the master file (father). If the previous version of the master file is lost during recovery, it too can be recovered by using the grandfather’s version of the master file and the previous version of the transaction file.
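The grandfather-father-son rotation and both recovery paths, as an added example that is not part of these notes. The master file is a constructed account-balance dictionary and the transaction files are constructed batches of postings; the three-generation retention is the only policy assumed.

```python
from typing import Dict, List, Tuple

MasterFile = Dict[str, int]              # account number -> balance
TransactionFile = List[Tuple[str, int]]  # (account number, amount) in posting order


def post_transactions(master: MasterFile, txns: TransactionFile) -> MasterFile:
    """Batch update: a new master generation from the old one plus a transaction file."""
    updated = dict(master)
    for account, amount in txns:
        updated[account] = updated.get(account, 0) + amount
    return updated


class GenerationStore:
    """Retains three master generations (grandfather, father, son) and the two transaction
    files that carry one generation into the next; anything older is discarded."""

    def __init__(self, initial_master: MasterFile):
        self.masters: List[MasterFile] = [dict(initial_master)]   # oldest first
        self.txn_files: List[TransactionFile] = []   # txn_files[i] turns masters[i] into masters[i+1]

    def run_update(self, txns: TransactionFile) -> MasterFile:
        son = post_transactions(self.masters[-1], txns)
        self.masters.append(son)
        self.txn_files.append(list(txns))
        # Rotate: keep only the last three masters and the two transaction files they need.
        self.masters, self.txn_files = self.masters[-3:], self.txn_files[-2:]
        return son

    def recover_son(self, father_lost: bool = False) -> MasterFile:
        """Rebuild the current (son) master from the father and the current transaction file.
        If the father is unusable too, first rebuild it from the grandfather and the previous
        transaction file."""
        if len(self.masters) < 3:
            raise RuntimeError("need grandfather, father and son generations to recover")
        grandfather, father, _son = self.masters
        previous_txns, current_txns = self.txn_files
        if father_lost:
            father = post_transactions(grandfather, previous_txns)
        return post_transactions(father, current_txns)


def demo() -> Dict[str, object]:
    """Constructed ledger: three batch runs, then the two recovery scenarios."""
    store = GenerationStore({"A": 100, "B": 50})
    store.run_update([("A", -30), ("C", 10)])   # {"A": 70, "B": 50, "C": 10}
    store.run_update([("B", 25), ("A", 5)])     # {"A": 75, "B": 75, "C": 10}
    son = store.run_update([("C", -10)])        # {"A": 75, "B": 75, "C": 0}
    return {
        "son": son,
        "from_father": store.recover_son(),                     # father + current transactions
        "from_grandfather": store.recover_son(father_lost=True),  # grandfather + both files
        "retained_generations": len(store.masters),
    }
```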

DUMPING

Dumping involves copying the whole or a portion of the database to some backup

medium. Recovery involves rewriting the dump back to the primary storage medium

and reprocessing transactions that have occurred since the time of dump.

LOGGING

Logging involves recording a transaction that changes the database or an image of the record changed by an update action.

Three types of logs can be kept:

(a) Transaction logs – to allow reprocessing of transactions during recovery

(b) Before image logs – to allow rollback of the database.

(c) After image logs – to allow roll forward of the database.
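Before and after image logging, rollback and roll forward as described in the two sections above, as an added example that is not part of these notes. The database is a constructed key-value store, the log is written ahead of each change, and the dump is assumed to be taken at a point with no transaction in flight.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LogEntry:
    kind: str                     # "write", "commit" or "abort"
    txn_id: int
    key: Optional[str] = None
    before: Optional[int] = None  # before image (None when the key did not exist yet)
    after: Optional[int] = None   # after image


Dump = Tuple[int, Dict[str, int]]   # (log position at dump time, copy of the database)


class LoggedDatabase:
    def __init__(self, data: Dict[str, int]):
        self.data = dict(data)
        self.log: List[LogEntry] = []

    def write(self, txn_id: int, key: str, value: int) -> None:
        # Write-ahead: both images are logged before the data item is changed.
        self.log.append(LogEntry("write", txn_id, key, self.data.get(key), value))
        self.data[key] = value

    def commit(self, txn_id: int) -> None:
        self.log.append(LogEntry("commit", txn_id))

    def rollback(self, txn_id: int) -> None:
        """Undo an incomplete transaction by restoring its before images in reverse order."""
        for entry in reversed(self.log):
            if entry.kind == "write" and entry.txn_id == txn_id:
                if entry.before is None:
                    del self.data[entry.key]
                else:
                    self.data[entry.key] = entry.before
        self.log.append(LogEntry("abort", txn_id))

    def dump(self) -> Dump:
        """Copy the database to backup, remembering where the log stood (assumed quiescent)."""
        return (len(self.log), dict(self.data))


def roll_forward(dump: Dump, log: List[LogEntry]) -> Dict[str, int]:
    """Rebuild the current state from the dump by re-applying the after images of every
    transaction that committed after it; aborted or unfinished transactions are skipped."""
    position, data = dump
    data = dict(data)
    tail = log[position:]
    committed = {e.txn_id for e in tail if e.kind == "commit"}
    for entry in tail:
        if entry.kind == "write" and entry.txn_id in committed:
            data[entry.key] = entry.after
    return data


def demo() -> Dict[str, object]:
    db = LoggedDatabase({"A": 100, "B": 50})
    db.write(1, "A", 70)
    db.commit(1)
    backup = db.dump()                        # {"A": 70, "B": 50}
    db.write(2, "B", 80)
    db.commit(2)
    db.write(3, "A", 0)                       # transaction 3 fails part-way through ...
    db.write(3, "C", 5)
    db.rollback(3)                            # ... so its before images restore A and remove C
    after_rollback = dict(db.data)
    recovered = roll_forward(backup, db.log)  # what a restart rebuilds after losing the data file
    return {"after_rollback": after_rollback, "recovered": recovered,
            "matches": after_rollback == recovered}
```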

RESIDUAL DUMPING

Residual dumping involves logging records that have not been changed since the last database dump. The database is recovered by going back to, but not including, the second last residual dump log. Residual dumping reduces the overheads associated with dumping because records that have been changed and recorded on the log are not then dumped.

DIFFERENTIAL FILE/SHADOW PAGING BACKUP AND RECOVERY STRATEGY

The differential file / shadow paging backup and recovery strategy involves keeping the database intact and writing changes to the database to a separate file. In due course these changes are written to the database. If failure occurs before the changes are applied, the intact database constitutes a prior dump of the database. Provided a log of transactions has been kept, these transactions can then be reprocessed against the database.

MAJOR TYPES OF DATABASE

(a) Databases containing structured data; the most common subtypes are relational databases and object databases. The contents of these databases are transactions, used in business transactions and business reports.

(b) Database containing freely linkable (associated) information on various types

of entities, intelligence databases. These databases are used as a tool in

solving complex one off problems.

(c) Databases containing free-format text or multimedia data (text or multimedia databases), i.e. unstructured text or multimedia data. The data may be tagged to indicate its meaning, or permanently linked to maps (GIS), drawings etc. to allow easy access to the data.

(d) Database containing references to articles, books, WWW pages and similar

external materials, reference databases. These databases are used for

literature searches.

(e) Databases containing logical and mathematical inference rules and data for

these rules to operate upon, knowledge databases. These databases are

used as a tool in solving repeating complex problems or as a part in

embedded problem solvers.

UPDATE AND REPORT PROTOCOLS

When application programs use the database, they should follow certain update and report protocols to protect the integrity of the database. The update protocols include:

(a) Sequence checking the order of the transaction file and master file during

batch updates.

(b) Ensuring correct end of file procedures are followed so that records are not

lost.

(c) Processing multiple transactions for a single record in the correct order.

(d) Posting monetary transactions that do not match a master file record to a suspense account.

The report protocols include:

(i) Printing control data for internal tables / standing data to ensure it remains accurate and complete.

(ii) Printing run to run control totals

(iii) Printing suspense account entries.

DEAD LOCK

Locking out one process while the other process completes its update can lead to a situation called deadlock, in which two processes are each waiting for the other to release a data item that the other needs. A widely accepted solution to deadlock is two-phase locking, in which all the data items needed to propagate the effects of a transaction are first obtained and locked against other processes. The data items are not released until all updates on the data items have been completed.
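The deadlock described above and its two-phase locking remedy, as an added example that is not part of these notes. The lock manager, the wait-for graph used to detect the cycle and the two processes P1 and P2 are constructed; the interleaving is simulated step by step rather than run on threads so that the outcome is deterministic.

```python
from typing import Dict, List, Optional


class LockManager:
    """Exclusive locks on data items, plus a wait-for graph for deadlock detection."""

    def __init__(self):
        self.holder: Dict[str, str] = {}    # data item -> process holding its lock
        self.waiting: Dict[str, str] = {}   # process -> data item it is blocked on

    def lock(self, proc: str, item: str) -> bool:
        """Lock items one at a time as they are needed (the pattern that can deadlock)."""
        owner = self.holder.get(item)
        if owner is None or owner == proc:
            self.holder[item] = proc
            self.waiting.pop(proc, None)
            return True
        self.waiting[proc] = item
        return False

    def lock_all(self, proc: str, items: List[str]) -> bool:
        """Two-phase locking, growing phase: obtain every item the transaction needs up front,
        or none of them. A process holding nothing cannot be waited on, so no cycle can form."""
        blocked = [i for i in items if self.holder.get(i) not in (None, proc)]
        if blocked:
            self.waiting[proc] = blocked[0]
            return False
        for item in items:
            self.holder[item] = proc
        self.waiting.pop(proc, None)
        return True

    def unlock_all(self, proc: str) -> None:
        """Shrinking phase: release everything, only after all updates are complete."""
        for item in [i for i, p in self.holder.items() if p == proc]:
            del self.holder[item]

    def deadlock_cycle(self) -> Optional[List[str]]:
        """Follow wait-for edges (process -> holder of the item it waits on); revisiting a
        process on the path means a cycle, i.e. a deadlock."""
        for start in self.waiting:
            path, current = [], start
            while current in self.waiting:
                if current in path:
                    return path[path.index(current):]
                path.append(current)
                current = self.holder[self.waiting[current]]
        return None


def incremental_locking() -> Optional[List[str]]:
    """Constructed interleaving: each process locks one item, then asks for the other's."""
    lm = LockManager()
    lm.lock("P1", "X")
    lm.lock("P2", "Y")
    lm.lock("P1", "Y")    # P1 now waits for P2
    lm.lock("P2", "X")    # P2 now waits for P1: neither can ever proceed
    return lm.deadlock_cycle()


def two_phase_locking() -> Dict[str, object]:
    """The same two transactions under two-phase locking."""
    lm = LockManager()
    first = lm.lock_all("P1", ["X", "Y"])     # P1 obtains both items
    second = lm.lock_all("P2", ["Y", "X"])    # P2 obtains nothing and waits
    cycle = lm.deadlock_cycle()               # P1 waits on nobody, so no cycle
    lm.unlock_all("P1")                       # P1 completes its updates and releases
    retry = lm.lock_all("P2", ["Y", "X"])     # P2 now proceeds
    return {"first": first, "second": second, "cycle": cycle, "retry": retry}
```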

POTENTIAL BENEFITS OF THE DATABASE APPROACH

(a) Ease of setting up:

Databases do not require programming in a low level language to set them

up, and in many cases a working prototype of the required system can be

developed quickly, allowing users to get involved with the design of the

system and in the capture of data before the final system is anywhere near

developed. Screen and report painting facilities also encourage users to produce their own data input or query screens, and design their own reports.

(b) Lower maintenance cost:

Because many of the highly technical aspects of the systems are handled by a standard engine, the programmers involved in the system can concentrate on

the organization specific parts of the processing, rather than those concerned

with the computer, file handling and so on. As a result the complexity of the

system and therefore the ongoing maintenance costs of a database can be

significantly lower than those of systems designed using other methods.

(c) Standardized query and reporting mechanism

The use of SQL as a standard query and report specification mechanism, or language, reduces the need for more technical expertise at this level of programming. Databases allow users to use SQL to specify their queries and reports in statements approaching English in their syntax.


(d) Standardized interfaces to other software

Many software products which might complement a database in an

information system, such as graph drawing programs, spreadsheets and

analysis tools have standard data interfaces which are supported by the main

database products. As a result it is simple to extract data from databases and

move the data into those programmes for subsequent manipulation.

(e) Standard security mechanisms

The access security, backup and disaster recovery facilities offered by many databases are very sophisticated and would be difficult and time consuming to implement using other software methods. The facilities normally built in include access security at file, record, menu and field levels. These provide for a high level of data integrity without the need for specific programming.

(f) Elimination of data duplication

An application specific processing system will usually capture, process and store much of the same data as other systems in an organization. This results

in duplicated efforts and resources being utilized. Using a database approach,

the same data can be used for different applications and so data only needs to

be captured and stored once.

(g) Improved integrity of data:

Because data is stored once, the risk of inconsistencies between data used by

different applications is reduced. If one department updates a file, other

departments will have instant access to updated information.

(h) Better management information

A database is better able to satisfy the information needs of management,

which are necessarily based on a requirement for global rather than

application specific information.


CHAPTER NO. 17

COMPUTER AUDITING

INTERNAL AUDIT

The purpose of an internal audit is to evaluate the adequacy and effectiveness of a company’s internal control system and to check that responsibilities are actually carried out.

RESPONSIBILITIES OF AN INTERNAL AUDITOR

(a) Review the reliability and integrity of operating and financial information and

how it is identified, measured, classified and reported.

(b) Determine whether the systems designed to comply with operating and

reporting policies, plans, procedures, laws and regulations are actually being

followed.

(c) Review how assets are safeguarded and verify the existence of assets as

appropriate.

(d) Examine company resources to determine how effectively and efficiently they

are utilized.

(e) Review company operations and programs to determine whether they are

being carried out as planned and whether they are meeting their objectives.

TYPES OF INTERNAL AUDITING WORK

Three types of audit are commonly performed.

(a) The financial audit examines the reliability and integrity of accounting records

and therefore correlates with the first of the five scope standards.

(b) The IS audit reviews the general and application controls of an AIS to assess

its compliance with internal control policies and procedures and its

effectiveness in safeguarding assets.

(c) The operational, or management, audit is concerned with the economical and

efficient use of resources and the accomplishment of established goals and

objectives.

WORKING PAPERS PACKAGES

Automated working paper packages have now been developed which can make the documentation of audit work much easier.

(a) Such programmes will aid preparation of working papers, lead schedules, and

even sets of accounts. These documents are automatically cross referenced

and balanced by the computer.

(b) The risk of error is reduced and the working papers produced will be neater

and easier to review.

(c) Standard forms will no longer have to be carried to audit locations.

(d) It will not be necessary for an audit manager to visit auditors “in the field” in

order to review completed audit working paper files: these can now be

transmitted to the audit manager at audit HQ or at home for review.

(e) Auditors may also benefit from on-line accessing and real time file updating.

TYPES OF SOFTWARE WHICH THE AUDITOR COULD USE WITH A MICRO COMPUTER AS AN AID TO AUDIT WORK

(a) Standard software for word processing and spreadsheets which can be used to

carry out the various tasks.

(b) Expert systems which will determine sample sizes based on specified risk criteria.

USE OF MICROCOMPUTER AS AN AUDIT AID

(a) The production of time budgets and budgetary control. The variances which arise on the audit can be used as a basis for updating the future audit time budget.

(b) The production of working papers, in particular lead schedules, trial balances

and schedule of errors.

(c) Analytical review procedures can be more efficiently carried out on a micro-

computer as the necessary calculations can be carried out at much greater

speed and year-on-year information built-up.

(d) The production and retention of audit programmes. These can then be

reviewed and updated from year to year.

(e) The maintenance of permanent file information which can be updated from

one year to the next.

CONTROLS WHICH MUST BE IN PLACE OVER A MICRO-COMPUTER USED IN AN AUDIT

Controls which must be exercised when microcomputers are used by the auditor in his work are as follows:

Access controls for users by means of passwords.

Back up of data contained on files, regular production of hard copy; back up

disks held off the premises.

Virus protection of programs.

Training for users.

Evaluation and testing of programs before use.

Proper recording of input data to ensure reasonableness of output.

CONTROLS OVER MASTER FILE AND THE STANDING DATA CONTAINED THEREIN

Controls are required to ensure the continuing correctness of master files and the

standing data contained therein. Frequently, control techniques, such as record

counts or hash totals for the file, are established and checked by the user each time

the file is used.
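The record-count and hash-total technique mentioned above, as an added example that is not part of these notes: a control record is established when the master file is authorised and recomputed before each use, so that an altered or missing record is detected. The supplier master file, the choice of the bank account number as the hash-total field and the extra SHA-256 digest are constructed assumptions.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed supplier master file: standing data that must stay correct between runs.
MASTER_FILE = [
    {"supplier": "S001", "bank_account": "10023456", "credit_limit": 5000},
    {"supplier": "S002", "bank_account": "20987654", "credit_limit": 12000},
    {"supplier": "S003", "bank_account": "30111222", "credit_limit": 7500},
]


def control_totals(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Control record established when the file is authorised and re-checked before each use."""
    canonical = json.dumps(sorted(records, key=lambda r: r["supplier"]), sort_keys=True)
    return {
        "record_count": len(records),
        # Hash total: the sum of a field with no arithmetic meaning (bank account numbers),
        # kept only so that an alteration of that field shows up as a changed total.
        "hash_total": sum(int(r["bank_account"]) for r in records),
        "credit_limit_total": sum(r["credit_limit"] for r in records),
        # Digest over the whole file, catching changes the totals alone might miss.
        "digest": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    }


def check_before_use(records: List[Dict[str, object]],
                     stored: Dict[str, object]) -> List[Tuple[str, object, object]]:
    """Return (control name, stored value, recomputed value) for every control that no longer agrees."""
    actual = control_totals(records)
    return [(name, stored[name], actual[name]) for name in stored if stored[name] != actual[name]]


def demo() -> Dict[str, object]:
    authorised = control_totals(MASTER_FILE)
    # Scenario 1: one bank account number altered without authority.
    altered = [dict(r) for r in MASTER_FILE]
    altered[1]["bank_account"] = "20987655"
    # Scenario 2: a record dropped from the file.
    truncated = MASTER_FILE[:2]
    return {
        "authorised": authorised,
        "clean": [name for name, _, _ in check_before_use(MASTER_FILE, authorised)],
        "altered": [name for name, _, _ in check_before_use(altered, authorised)],
        "truncated": [name for name, _, _ in check_before_use(truncated, authorised)],
    }
```

The hash total alone tells the user that the account-number field changed but not where; the record count distinguishes a dropped record from an altered one, and the digest is the catch-all. Which controls fired is itself useful evidence when the discrepancy is investigated.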

Controls are required:

Over application development.

To prevent or detect unauthorized changes to programs.

To ensure that all program changes are adequately tested and documented.

To prevent and detect errors during program execution.

To prevent unauthorized amendment to data files.

To ensure that systems software is properly installed and maintained.

To ensure that proper documentation is kept; and

To ensure continuity of operations.

COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)

Computer assisted audit techniques (CAATs) are methods of using a computer to assist the auditor in the performance of a computer audit. Audit techniques that involve, directly or indirectly, the use of the client’s computer are referred to as CAATs, of which the following are the two “principal categories”.


AUDIT SOFTWARE

Computer programs used for audit process to examine the contents of the

clients’ computer files.

TEST DATA

Data used by the auditor for computer processing to test the operation of the

enterprise’s computer programs.

BENEFITS OF USING CAATS

a. By using computer audit programs, the auditor can scrutinize large volumes of

data and concentrate skilled manual resources on the investigation of results,

rather than on the extraction of information.

b. Once the programs have been written and tested; the costs of operation are

relatively low; indeed the auditor does not necessarily have to be present

during its use.

TEST PACK

A “test pack” consists of input data submitted by the auditor for processing by the

enterprise’s computer based accounting system. It may be processed during a

normal production run (“live”) or during a special run at a point in time outside the

normal cycle (“dead”).

PRACTICAL PROBLEMS ENCOUNTERED USING A TEST PACK

The practical problems encountered in using a test pack are as follows:

a. In using “live” processing there will be problems removing or reversing the

test data, which might corrupt master file information.

b. In using ‘dead’ processing the auditor does not test the system actually used

by the audit subject.

c. The system will be checked by the test pack, but not the year end balances,

which will still require sufficient audit work. Costs may therefore be high.

d. Any auditor who wishes to design a test pack must have sufficient skill in

computing and also a thorough knowledge of the client’s system.

e. Any changes in the system will mean that the test pack will have to be re-

written which will be costly and time-consuming.

EMBEDDED AUDIT FACILITIES

An embedded audit facility consists of program code or additional data provided by the auditor and incorporated into the computer element of the enterprise’s accounting system. Frequently encountered examples are:

o Integrated test facility (ITF)

o System control and review file (SCARF)

o Snapshot

o Continuous and Intermittent Simulation (CIS)

INTEGRATED TEST FACILITY (ITF)

Integrated test facility involves the creation of a fictitious entity within the framework of a regular application. Transactions are then posted to the fictitious entity along with the regular transactions. The results produced by the normal processing cycle are compared with what should have been produced, which is predetermined by other means.

Fictitious entities must not become part of the financial reporting of the organization

and several methods can be adopted to prevent this. The simplest and most secure

method is to make reversing journal entries at the appropriate cut-off dates. ITF

enables management and auditor to keep a constant check on the internal processing

functions applied to all types of valid and invalid transaction.

SYSTEM CONTROL AND REVIEW FILE (SCARF)

SCARF is a relatively simple technique to build into an application.

Each general ledger account has two fields. These are a yes/no field indicating whether

or not SCARF applies to this account; and a monetary value which is a threshold

amount set by the auditor.

If SCARF does apply to the account then all transactions posted to the account which have a value in excess of the threshold amount are also written to a SCARF file. The contents of that file can be read by the user, but usually can only be altered or deleted by the organization’s internal and external auditors. The same restriction applies to the yes/no and threshold fields associated with each account: when a new account is opened, it is automatically assigned as a SCARF account (yes) with a threshold of zero rupees, and only the auditor can change these fields. SCARF thus enables the organization and its auditor to monitor material transactions or sensitive accounts with ease and provides assurance that all such transactions are under scrutiny.
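The SCARF mechanism above as an embedded audit module, as an added example that is not part of these notes: each account carries the yes/no flag and threshold, new accounts default to yes and zero, postings above the threshold are copied to the SCARF file as they are processed, and the flag, threshold and file contents can be changed only by the auditor role. The ledger, the accounts, the postings and the role check are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Account:
    number: str
    balance: int = 0
    scarf: bool = True      # yes/no field: a new account is a SCARF account ...
    threshold: int = 0      # ... with a threshold of zero, so every posting is captured


@dataclass
class Ledger:
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Readable by users, alterable only by the auditor.
    scarf_file: List[Dict[str, object]] = field(default_factory=list)

    def open_account(self, number: str) -> None:
        self.accounts[number] = Account(number)

    def set_scarf(self, role: str, number: str, scarf: bool, threshold: int) -> None:
        """Only the auditor may switch SCARF off or raise an account's threshold."""
        if role != "auditor":
            raise PermissionError("SCARF fields may be changed only by the auditor")
        acct = self.accounts[number]
        acct.scarf, acct.threshold = scarf, threshold

    def post(self, number: str, amount: int, reference: str) -> None:
        """Embedded audit module: a posting above the account's threshold is also written
        to the SCARF file at the moment it is processed."""
        acct = self.accounts[number]
        acct.balance += amount
        if acct.scarf and abs(amount) > acct.threshold:
            self.scarf_file.append({"account": number, "amount": amount, "reference": reference})

    def remove_scarf_entry(self, role: str, index: int) -> None:
        if role != "auditor":
            raise PermissionError("the SCARF file may be altered only by the auditor")
        del self.scarf_file[index]


def demo() -> Dict[str, object]:
    ledger = Ledger()
    ledger.open_account("1001")                          # ordinary trade account
    ledger.open_account("2002")                          # sensitive account, left at the defaults
    ledger.set_scarf("auditor", "1001", True, 10000)     # auditor sets a materiality threshold
    ledger.post("1001", 5000, "INV-1")                   # below threshold: not captured
    ledger.post("1001", -25000, "PAY-7")                 # material: captured
    ledger.post("2002", 1, "ADJ-3")                      # threshold zero: captured
    try:
        ledger.set_scarf("user", "2002", False, 0)       # a user tries to switch SCARF off
        user_change = "permitted"
    except PermissionError:
        user_change = "refused"
    try:
        ledger.remove_scarf_entry("user", 0)             # a user tries to clean the file
        user_delete = "permitted"
    except PermissionError:
        user_delete = "refused"
    return {"scarf_file": list(ledger.scarf_file), "user_change": user_change,
            "user_delete": user_delete,
            "balances": {n: a.balance for n, a in ledger.accounts.items()}}
```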

Snapshot

The snapshot concurrent auditing technique involves having embedded audit

modules take pictures of a transaction as it flows through various points in an

application system. The snapshots are either printed immediately or written to a file

for later printing. Auditors must determine where they want to place the snapshot

points in an application system, which transactions will be subject to snapshot, and

how and when the snapshot data will be presented for audit evaluation purposes.

A modification to the snapshot technique is the extended record technique. Whereas

snapshot writes a record for each snapshot point, the extended record technique

appends data for each snapshot point to a single record. All the data relating to a

transaction is kept, therefore, in the one place.

Continuous and Intermittent Simulation (CIS)

The continuous and intermittent simulation (CIS) concurrent auditing technique can

be used whenever application systems use a database management system.

Transactions that are of interest to auditors are trapped by the database

management system and passed to CIS. CIS then replicates the application system's

processing, and the two sets of results are compared. If CIS's results differ from the

application system's results, data about the discrepancy is written to a special audit

file. If the discrepancies are material, CIS can instruct the database management

system not to perform the updates to the database on behalf of the application

system.
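The CIS exchange above with both sides visible, as an added example that is not part of these notes: the DBMS traps updates that match the auditor's interest rule, CIS recomputes the same posting independently, a difference is written to a special audit file, and a difference above the materiality figure makes the DBMS refuse the update. The interest routine, the 360- versus 365-day discrepancy, the balances, the trap rule and the materiality amount are all constructed assumptions.

```python
from typing import Callable, Dict, List


def application_interest(balance: int, rate_bp: int, days: int) -> int:
    """The application system's routine (constructed): accrues interest on a 360-day year."""
    return balance * rate_bp * days // (10000 * 360)


def cis_interest(balance: int, rate_bp: int, days: int) -> int:
    """The auditor's independent replication of the same rule, on the 365-day year the
    (assumed) policy prescribes. Any difference is a discrepancy worth recording."""
    return balance * rate_bp * days // (10000 * 365)


class DBMS:
    def __init__(self, balances: Dict[str, int],
                 of_interest: Callable[[str, int], bool], materiality: int):
        self.balances = dict(balances)
        self.of_interest = of_interest     # trap rule: which updates are passed to CIS
        self.materiality = materiality
        self.audit_file: List[Dict[str, object]] = []   # special audit file for discrepancies

    def accrue(self, account: str, rate_bp: int, days: int) -> str:
        balance = self.balances[account]
        app_result = application_interest(balance, rate_bp, days)
        if self.of_interest(account, app_result):             # transaction trapped ...
            cis_result = cis_interest(balance, rate_bp, days)  # ... and replicated by CIS
            if cis_result != app_result:
                difference = abs(app_result - cis_result)
                self.audit_file.append({"account": account, "application": app_result,
                                        "cis": cis_result, "difference": difference})
                if difference > self.materiality:
                    return "blocked"      # CIS instructs the DBMS not to perform the update
        self.balances[account] += app_result
        return "applied"


def demo() -> Dict[str, object]:
    """Constructed balances in rupees; postings of 500 rupees or more interest the auditor."""
    dbms = DBMS({"L-1": 1_000_000, "L-2": 10_000, "L-3": 1_000},
                of_interest=lambda account, amount: amount >= 500, materiality=100)
    outcomes = {acct: dbms.accrue(acct, rate_bp=500, days=365) for acct in ("L-1", "L-2", "L-3")}
    return {"outcomes": outcomes, "audit_file": dbms.audit_file, "balances": dbms.balances}
```

On the large balance the two day-count conventions differ by 694 rupees, above materiality, so the posting is blocked and the balance is left untouched; on the medium balance the 6-rupee difference is recorded but the update goes through; the small posting never reaches CIS because it falls below the trap rule.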

AUDIT SOFTWARE

Audit software comprises computer programs used by the auditor to examine an enterprise’s computer files. It may consist of package programs or utility programs which are usually run independently of the enterprise’s computer based accounting system. It includes interrogation facilities available at the enterprise. The main types of audit software are as follows:


PACKAGE PROGRAMS:

Consist of prepared generalized programs for which the auditor will specify his

detailed requirements by means of parameters, and sometimes by

supplementary program code.

PURPOSE WRITTEN PROGRAMS:

Involve the auditor satisfying his detailed requirements by means of program

code specifically written for the purpose.

UTILITY PROGRAMS:

Consist of programs available for performing simple functions such as sorting

and printing data files.

OTHER TYPES OF CAATS:

(a) Logical path analysis will draw a flow chart of the program logic.

(b) Code comparison programs compare the original specific program to

the current program to detect unauthorized amendments.

CONTROLS IN ONLINE AND REAL TIME SYSTEMS

(a) SEGREGATION OF DUTIES: When remote terminals are located at a point at which data is originated, it may be found that the same person is responsible for producing and processing the same information. To compensate for the reduction in internal check, supervisory controls should be strengthened.

(b) DATA FILE SECURITY: The ability of a person using a remote

terminal to gain access to the computer at will results in the need for

special controls to ensure that files are neither read nor written to (nor

destroyed), either accidentally or deliberately, without proper

authority.

(i) The controls may be partly physical: access to terminals is restricted to authorized personnel, and the terminals and the rooms in which they are kept are locked when not in use.

(ii) They may be partly operated by the operating system: passwords, special bridges, PINs, restriction by the OS of certain terminals to certain files, and logging of all attempted violations of the above controls, possibly accompanied by the automatic shutdown of the terminal used.

(c) PROGRAM SECURITY: The previous points apply equally to the use of programs.

(d) FILE RECONSTRUCTION: Dumping, the method of allowing for the reconstruction of direct access files in batch processing systems, is of limited use in on-line systems as the contents of the file are being constantly changed. Although the complete file will be dumped periodically, it is also necessary to maintain a file giving details of all transactions processed since the last dump.

(e) One of the greatest advantages of online systems is the ability to make

editing more effective.

CONTROLS IN DATABASE SYSTEM (DBMS)

The following controls (some of which are common to all real-time systems) might be incorporated into a DBMS:

(a) Controls to prevent or detect unauthorized changes to programs

(i) No access to live program files by any personnel except for the

operations personnel at the central computer.

(ii) Password protection of programs

(iii) Restricted access to the central computer and terminal

(iv) Maintenance of a console log and scrutiny by the data processing

managers and by an independent party such as the internal auditor.

(v) Periodic comparison of live production programs to control copies and supporting documentation.

(b) Control to prevent or detect errors during operation

(i) Restriction of access to terminals by use of passwords and restrictions

of programs themselves to certain fields.


(ii) Satisfactory application controls over input, processing and master files

and their contents, including retrospective batching.

(iii) Use of operations manuals and training of all users.

(iv) Maintenance of logs showing unauthorized attempts to access and

regular scrutiny by the data processing manager and internal auditors.

(v) Physical protection of data files

(vi) Training in emergency procedures

(c) Controls to ensure integrity of the data base system

(i) Restriction of access to the data dictionary.

(ii) Segregation of duties between the data processing manager, the

database administration function (including its manager) and systems

development personnel.

(iii) Liaison between the database administration function and system

development to ensure integrity of systems specifications.

(iv) Preparation and update as necessary of user manuals in conjunction

with the data dictionary.
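The periodic comparison of live production programs to control copies listed under (a)(v), which is the same check the "code comparison programs" under OTHER TYPES OF CAATS perform, as an added example that is not part of these notes. A hash of the control copy gives a quick yes/no on each run; when it differs, a line-level comparison shows the auditor exactly which statements were amended. Both program texts are constructed: a short pay routine and the same routine with an unauthorised change to the tax line.

```python
import difflib
import hashlib
from typing import Dict

# Constructed control copy of an authorised routine, held under the auditor's control ...
CONTROL_COPY = """def net_pay(gross, tax_rate):
    tax = round(gross * tax_rate, 2)
    return gross - tax
"""

# ... and the live production program as found on the system, with an unauthorised amendment.
LIVE_PROGRAM = """def net_pay(gross, tax_rate):
    tax = round(gross * tax_rate * 0.9, 2)
    return gross - tax
"""


def fingerprint(source: str) -> str:
    """Hash recorded alongside the control copy; a fast first check on each periodic comparison."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_programs(control: str, live: str) -> Dict[str, object]:
    """Report whether the live program differs from its control copy and, if so, which lines."""
    if fingerprint(control) == fingerprint(live):
        return {"changed": False, "diff": []}
    raw = difflib.unified_diff(control.splitlines(), live.splitlines(),
                               fromfile="control", tofile="live", lineterm="", n=0)
    # Keep only the removed (-) and added (+) statements, dropping the file headers.
    changed_lines = [line for line in raw
                     if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    return {"changed": True, "diff": changed_lines}
```

The comparison is only as good as the control copy: it has to be taken from the authorised, tested version and kept where production staff cannot update it, which is why the notes pair this control with restricted access to live program files and a scrutinised console log.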

BUREAUX AND SOFTWARE HOUSES

Computer service bureaux are third-party service organizations that provide computing facilities to their clients.

The main types of bureaux are:

(a) Independent companies formed to provide specialist computing

services.

(b) Computer manufacturers with bureaux.

(c) Computer users with spare capacity who hire out computer time when

it is not required for their own purposes. e.g. (universities).

REASONS FOR USING A BUREAU

(a) New User: A company that is considering acquiring a computer may find it extremely beneficial to use a bureau because:

(i) It can evaluate the type of computer it is interested in.

(ii) It can test and develop its programs prior to the delivery of its own

computer.


(iii) Its staff will become familiar with the requirements of a computer

system.

In some cases the new system may be initially implemented using a bureau.

This will involve file conversion and pilot or parallel running.

(b) Cost: Many companies cannot justify the installation of an in-house computer on cost-benefit grounds. With the enormous increase in the number of VCRs and mini computers available, this basis is becoming less common.

(c) Peak loads: Some computer users find it convenient to employ a bureau to cope with peak loads arising, for example, from seasonal variations in sales. A bureau may also be used for data preparation work, such as file conversion, prior to the implementation of a new computer system.

(d) Stand-by: A bureau's computer may be used in the event of a breakdown of the in-house machine.

(e) Specialist skills: Management may feel that the job of data processing should be left to the experts.

(f) Consultancy: A bureau can provide advice and assistance in connection with feasibility studies, system design, equipment evaluation, staff training and so on.

(g) For one-off use.

ADVANTAGES OF A BUREAU

(a) Very few users can afford to pay for systems analysts and programmers in the numbers that will be found working for a large bureau.

(b) Use of a bureau should enable a customer to obtain the use of up-to-date computer technology.

(c) Unloading responsibility on to the bureau (e.g. payroll).

(d) Use of a bureau does not require high capital outlay.

DISADVANTAGES OF A BUREAU

(a) Loss of control over the time taken to process data and, in particular, the inability to reschedule work should input delays occur.

(b) Problems may be encountered in the transfer of data to and from the bureau.

(c) The bureau may close down, leaving the customer without any DP facilities.


(d) Customers may feel that they will lose control over an important function, and that it is bad security to allow confidential information to be under the control of outsiders.

(e) The bureau's employees will be uninterested in, and often unaware of, the type of data they are processing.

(f) Standards of service, the provision of adequate documentation and control, and the preservation of an audit trail are also important considerations.

Summary of the main control procedures over the in-house development:

(i) Adopt a recognized and documented system analysis and design method.

(ii) Full ongoing documentation must be completed throughout the development stage.

(iii) Review and approval should be carried out throughout the development stage.

(iv) Test data must be designed to exercise all system areas, with predetermined expected results.

(v) Full testing should be carried out prior to implementation.

(vi) Approval of system documentation with external auditors.

(vii) Full training schemes should be set up.

(viii) User documentation should be reviewed prior to implementation.

(ix) Controlled file conversion from old to new system.

(x) Review of the ability of development staff.

Auditors may use a number of computer assisted audit techniques (CAATs), including:

Audit interrogation software

Test data

Embedded audit facilities

Simulation

Logical path analysis

Code Comparison
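Two of the techniques listed, test data and code comparison, are close to the development control (iv) above (test data with predetermined results). The following is an added example, not from the original notes, showing both applied to the same program: the auditor holds the source as approved at implementation, compares it with the copy now in production, and runs predetermined test cases against each. The program (`net_pay`), both source texts and the test cases are constructed for the example; the unauthorized change it detects is hypothetical.

```python
import difflib
import hashlib

# Constructed sample: the program source as approved at implementation (the
# authorized copy held by audit) and the copy currently in production. Neither
# is from the original notes; net_pay is a hypothetical payroll routine.
AUTHORIZED_SOURCE = """\
def net_pay(gross, tax_rate):
    tax = gross * tax_rate
    return gross - tax
"""

PRODUCTION_SOURCE = """\
def net_pay(gross, tax_rate):
    tax = gross * tax_rate
    if gross > 100000:
        tax = 0
    return gross - tax
"""

# Test data with predetermined results (control (iv)): each case is
# (gross, tax_rate, expected net pay). Constructed values.
TEST_CASES = [
    (1000.0, 0.2, 800.0),
    (150000.0, 0.2, 120000.0),
]


def fingerprint(source):
    """SHA-256 over the exact bytes, so even a one-character change is detected."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_programs(authorized, production, name="program"):
    """Code comparison CAAT: report whether production matches the authorized
    copy and, if not, every inserted or deleted line so the auditor can see
    exactly what changed rather than only that something changed."""
    if fingerprint(authorized) == fingerprint(production):
        return {"name": name, "matches": True, "added": [], "removed": [], "diff": ""}
    diff_lines = list(difflib.unified_diff(
        authorized.splitlines(), production.splitlines(),
        fromfile=f"{name} (authorized)", tofile=f"{name} (production)", lineterm=""))
    added = [l[1:] for l in diff_lines if l.startswith("+") and not l.startswith("+++")]
    removed = [l[1:] for l in diff_lines if l.startswith("-") and not l.startswith("---")]
    return {"name": name, "matches": False, "added": added, "removed": removed,
            "diff": "\n".join(diff_lines)}


def run_test_data(source, cases):
    """Test-data CAAT: execute the program text on inputs whose results are
    predetermined and return the cases whose output differs. exec() is used
    only because the program under audit is held here as text; this is
    constructed sample code, not something to run on untrusted input."""
    ns = {}
    exec(source, ns)
    failures = []
    for gross, rate, expected in cases:
        got = ns["net_pay"](gross, rate)
        if abs(got - expected) > 1e-9:
            failures.append((gross, rate, expected, got))
    return failures


if __name__ == "__main__":
    result = compare_programs(AUTHORIZED_SOURCE, PRODUCTION_SOURCE, "net_pay")
    print("MATCH" if result["matches"] else "MISMATCH")
    print(result["diff"])
    for label, src in (("authorized", AUTHORIZED_SOURCE), ("production", PRODUCTION_SOURCE)):
        print(label, "test data failures:", run_test_data(src, TEST_CASES))
```

The two techniques are complementary: code comparison tells the auditor that the production program differs from the approved one and where, while the test data shows the effect of the difference (here, the high-earner case no longer produces its predetermined result). A program that passes comparison but fails test data points at the authorized copy itself; one that fails comparison but passes test data points at a change the test data was not designed to exercise, which is why control (iv) asks for data covering all system areas.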