suggested solution - j.k. shah · pdf file · 2014-05-02system requirements...
TRANSCRIPT
1 | P a g e
SUGGESTED SOLUTION
(Date : 01 May, 2014)
Head Office : Shraddha, 3rd Floor, Near Chinai College, Andheri (E), Mumbai – 69.
Tel : (022) 26836666
2 | P a g e
Ans. 1 1. System requirements analysis is a phase, which includes a thorough and detailed understanding
of the current system, identification of the areas that need modification/s to solve the problem, the determination of user/managerial requirements and to have fair ideas about various system development tools. The following activities are performed in this phase:
To identify and consult the stake owners to determine their expectations and resolve their conflicts;
To analyze requirements to detect and correct conflicts and determine priorities;
To verify requirements in terms of various parameters like completeness, consistency, unambiguous, verifiable, modifiable, testable and traceable;
To gather data or find facts using tools like- interviewing, research/document collection, questionnaires, observation;
To develop models to document Data Flow Diagrams, E-R diagrams; and
To document activities such as interviews, questionnaires, reports etc. and development of a system dictionary to document the modeling activities.
The document/deliverable of this phase is a detailed system requirements report, which is generally termed as SRS.
2. Organizations face several business risks when migrating to real-time, integrated ERP systems.
These risks are given as follows:
Single point of failure: Since all the organization's data and transaction processing is within one application system, single point failure may be a major risk.
Structural changes: Significant personnel and organizational structure changes associated with reengineering or redesigning business processes may pose a big challenge.
Job role changes: Transition of traditional user's roles to empowered-based roles with much greater access to enterprise information in real time and the point of control shifting from the back-end financial processes to the front-end point of creation are also great risks.
Online, real-time: An online real-time environment requires a continuous business environment capable of utilizing the new capabilities of the ERP application and responding quickly to any problem requiring re-entry of information.
Change management: The level of user acceptance of the system has a significant influence on its success. Users must understand that their actions or inaction have a direct impact upon other users and, therefore, must learn to be more diligent and. efficient in the performance of their day-to-day duties.
Distributed computing experience: Inexperience with implementing and managing distributed computing technology may pose significant challenges.
Broad system access: Increased remote access by users and outsiders and high integration among application functions allow increased access to application and data.
Dependency on external assistance: Organization accustomed to in-house legacy systems may find that they have to rely on external help. Unless such external assistance is properly managed, it could introduce an element of security and resource management risk that may expose the organizations to greater risk.
Program interfaces and data conversions: Extensive interfaces and data conversions from legacy systems and other commercial software are often necessary. The exposure of data integrity, security and capacity requirements for ERP are therefore often much higher.
Audit expertise: Specialist expertise is required to effectively audit and control an ERP environment. The relative complexity of ERP systems has created specialization such that each specialist may know a small fraction of the entire ERP's functionality in a particular core module.
3. For the proper implementation of Physical and Environmental Security, the following points need
to be taken into account:
Physical security should be maintained and checks must be performed to identify all vulnerable areas within each site.
The IT infrastructure must be physically protected.
Access to secure areas must remain limited to authorized staff only.
Confidential and sensitive information and valuable assets must be securely locked away, when they are not in use.
3 | P a g e
Computers must never be left unattended whilst displaying confidential or sensitive information or whilst logged on to the systems.
Supplies and equipments must be delivered and loaded in an isolated area to prevent any unauthorized access to key facilities.
Equipment, information or software must not be taken off-site without proper authorization.
Wherever practical, premises housing computer equipment and data should be located away from, and protected against threats of deliberate or accidental damage such as fire and natural disaster.
The location of the equipment rooms must be away from, and protected against threats of unauthorized access and deliberate or accidental damage, such as system infiltration and environmental failures.
4. Retention of Electronic Records: [Section 7] of ITAA 2008
The provision for the retention of electronic records is discussed in Section 7 of ITAA 2008, which is given as follows: i. Where any law provides that documents, records or information shall be retained for any
specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, – (a) the information contained therein remains accessible so as to be usable for a
subsequent reference; (b) the electronic record is retained in the format in which it was originally generated, sent or
received or in a format, which can be demonstrated to represent accurately the information originally generated, sent or received;
(c) the electronic record is retained in the format in which it was originally generated, sent or received or in a format, which can be demonstrated to represent accurately the information originally generated, sent or received; However,
this clause does not apply to any information, which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received.
ii. Nothing in this section shall apply to any law that expressly provides for the retention of documents records or information in the form of electronic records, publication of rules, regulation etc. in Electronic Gazette.
Ans. 2
(a) Disaster can be defined as an incident which jeopardizes business operations and / or human life. It could be due to sabotage (human) or natural. The Disaster Recovery and Planning document should include the following aspects-
Aspect Description
1. Scope Detailed description of the purpose and scope of the plan.
2. Conditions for activating the plans
Process to be followed before each plan is activated.
3. Emergency Procedures
Actions to be taken following an incident which jeopardizes business operations and / or human life, arrangement for public relations management and for effective liaison with appropriate public authorities e.g. police, fire Services and Local Government.
4. Fallback Procedures
Actions to be taken to move essential business activities or support services to alternate temporary locations, to bring business process back into operation in the required timescale.
5. Resumption Schedule
Actions to be taken to return to normal business operations.
6. Maintenance Schedule
How and when the plan will be tested and the process for maintaining the plan.
7. Testing (a) Contingency Plan Testing and Recovery Procedure. (b) Checklist for inventory taking and updating the contingency
plan on a regular basis.
8. Awareness and Education Activities
Creating an understanding of the business continuity process, and ensuring that the business continues to be effective.
9. Responsibility of individual
(a) Description of who is responsible for executing which component of the plan,
(b) Nomination of alternative individuals, if required. (c) Contingency plan Document Distribution List.
4 | P a g e
10. System Data (a) Primary Computer Centre Hardware, Software, Peripheral Equipment and software Configuration.
(b) Location of Data and Program Files, Data Dictionary, Documentation Manuals, Source and Object Codes and Back-up media.
11. Contacts (a) List of Vendors and support entities doing business with the organization, their contact numbers and address for emergency purposes.
(b) List of phone number of employees in the event of an emergency.
(c) Emergency Phone List for Fire, Police, Hardware, Software, Suppliers, Customers Back-up Location etc.
(d) Details of airlines, hotels and transport arrangements.
12. Medical (a) Medical Procedure to be followed in case of injury. (b) Names and contact Number of Employees trained for
emergency situation, first aid and life saving techniques.
13. Backup (a) Back-up location, contractual agreement, correspondences etc.
(b) Alternate manual procedures to be followed such as preparation of invoices.
14. Insurance Insurance papers and Claim Forms.
(b)
1. Errors and Omissions: Errors and Omissions are important threats to data and system integrity. Errors can be caused by Data Entry Clerks, and also by all types of users, who create and edit data. Every program Many programs cannot detect all types of input errors or omissions, A sound awareness and training program can help and organization to reduce the number and severity of errors and omissions.
2. Malicious Code: Malicious Code refers to Viruses Worms, Trojan Horses, Logic Bombs and other such software, which freely accesses the unprotected network, and may affect organizational and business network that use these unprotected networks.
3. Downtime due to technology failure: IS facilities may become unavailable due to technical glitches or equipment failure. In such case, computing infrastructure may not be available for short or extended periods of time. The period for which the facilities are not available may vary in critically, depending on the nature of business and the critical business process that the technology supports.
4. Natural Disasters: Natural disasters like earthquakes, lightning, floods, tornado, tsunami, etc. can adversely affect the functioning of the IS operations, due to damage to IS facilities.
5. Fire: Fire due to electric short-circuit or due to riots, war or such other reasons, can cause irreversible damage to the IS infrastructure.
6. Power Loss: Power Failure/ Surge/ Spike can cause disruption of entire computing equipments and peripheral devices. This can cause physical damage, as well as loss of data resources.
7. Communication Failure: Failure of communication lines result in inability to transfer data which travel over communication lines. When the organization depends on public communication lines, e.g. for e-banking, communication failure presents a significant threat that will have a direct impact on operations.
8. Theft or Destruction of computing resources: Since the Computing equipment forms the backbone of information processing, any theft or destruction of the resource (e.g. Laptop, Blackberry, etc.) can result in compromising the competitive advantage of the organization.
9. Disgruntled Employees: A Disgruntled Employee, who has access to sensitive information of the organization, may – (a) cause intentional harm to the information processing facilities, or (b) sabotage operations, or (c) share data with unauthorized persons.
10. Abuse of Access Privileges: The security policy of the Company grants various access privileges to employees, based on their job responsibilities to access and execute select functions in critical applications. Abuse of such privileges is a possible threat.
11. Dependence on external agencies: IT Computing Services are significantly dependent on various Vendors, Consultants and Service Providers, e.g. equipment supply and support, consumables, systems and program maintenance, air-conditioning, hot-site provides utilities, etc. Over dependency on these agencies is a potential threat by itself.
5 | P a g e
12. Uses/Social Risks: IS facilities depend on the key persons with special skill sets, e.g. IT Operational Team, Programmers, Data Administrator, etc. Targeting of key persons to get sensitive information, in order to exploit the information resources of the enterprise is a social risk.
(c) Program Change Controls: 1. Application Software Programs are designed to support specific business operations e.g.
payroll, Receivables Management, etc. 2. Implementing Controls over the modification of application software programs is to ensure
that only authorized programs and authorized modifications are implemented. 3. Standard Organization Level Policies, Procedures, and Techniques are to be followed to
ensure that all programs and program modifications are properly authorized, tested and approved and the responsibility of access to implement changes and distribution of programs is carefully controlled.
4. Failure of proper controls leads to risks in software security, e.g. virus threats, deliberately omitted transactions, processing irregularities, or entry of malicious codes, etc.
IS Auditors Role: 1. To ensure maintenance of Software Program Code Libraries (Archives of code and
Executable Code). 2. To check whether software updating is done from a Central Repository. 3. To examine whether there are appropriate backups of the system’s data and programs to
store the various versions of files before the change. 4. To see whether tracking of program changes are done through Version Procedure. 5. To see whether there is a formal handover process so that authorized personnel are
involved in the software changes testing and updation with clearly assigned responsibilities skills, knowledge, and training to perform responsibilities.
6. To ensure the use of standardized software updation (Release) management policies, procedures and tools.
7. To maintain an updated technology inventory of all hardware, software, and services that are used based on the criticality of the vulnerability of the system.
8. To see whether through testing is done before any new software release is applied in a production environment.
Ans. 3 (a) Revocation of License [sec. 25(1)]:
1. Conditions: The Controller may revoke the license, if he is satisfied after making such inquiry as deemed fit, that a certifying Authorities has –
Made a statement in, or in relation to, the application for the issue or renewal of the license, which is incorrect or false in material particulars.
Failed to comply with the terms and conditions subject to which the license was granted.
Failed to maintain the procedures and standards specified u/s 30,
Contravened any provisions of this act, rule, regulation or order made there under. 2. Show cause Notice: a license shall be revoked only when the Certifying Authority has been
given a reasonable opportunity of showing cause against the proposed revocation.
Suspension of License [sec. 25(20]: 1. The controller may, if he has reasonable cause to believe that there is any ground for
revoking a license, by order suspend such license pending the completion of any inquiry ordered by him.
2. However, no license shall be suspended for a period exceeding 10 days, unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
3. No Certifying Authority whose license has been suspended shall issue any Electronic, Signature Certificate during such suspension.
Notice of Suspension or Revocation of License [Sec. 26]:
6 | P a g e
1. Where the license of the Certifying Authority is suspended or revoked, the Controller shall punish notice of such suspension or revocation, as the case may be, in the database maintained by him.
2. Where one or more repositories are specified, the controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories.
3. The database containing the notice of such suspension or revocation, shall be made available through a website which shall be accessible round the clock.
4. The Controller may, if he considers necessary, publicize the contents of database in such electronic or other media as he consider appropriate.
Surrender of License [sec. 33]: 1. Every Certifying Authority whose license is suspended or revoked shall immediately after
such suspension or revocation, surrender the license to the Controller. 2. Where any Certifying Authority fails to surrender a license, the person in whose favour a
license is issued, shall be guilty of an offence and shall be punished with imprisonment upto 6 months and/or fine upto Rs. 10,000.
(b) A good IS Policy should clearly state the following aspects- 1. Purpose and Scope of the document and the intended audience/ recipients. 2. The Security Infrastructure, 3. Security Policy document maintenance and compliance requirements, 4. Incident response mechanism and incident reporting, 5. Security Organization Structure , 6. Inventory and Classification of Assets, 7. Description of technologies and computing structure, 8. Physical and Environmental Security, 9. Identity Management and Access control, 10. IT Operations Management, 11. IT Communications, 12. System Development and Maintenance Controls, 13. Business Continuity Planning, 14. Legal Compliances, 15. Monitoring and Auditing Requirement, and 16. Underlying Technical Policy.
(c)
(i) Environment: The Environment is a collection of elements in which the system operates. These elements are external to the system. These elements surround the system and interact with it.
(ii) Target Environment: The immediately relevant external environment of a system is called Target Environment. For example, foreign exchange rate fluctuations are of immediate relevance to an exporter, but not a hawker selling vegetables locally. (Target Environment is also called as Task Environment)
(iii) Supra-System: Supra-system is a collection of various sub-systems, which interact with each other. For example, a business system is a supra-system consisting of purchase, manufacturing, marketing, administration and Finance sub-system.
(iv) Interfaces: The inter-connections and interactions between the sub-systems are called as Interfaces. Interfaces occur at the boundaries and take the form of inputs and outputs.
Ans. 4 (a)
1. Cross-Functional: ERP facilitates company-wide Integration System covering all functional areas like manufacturing, selling and distribution, payable, receivables, inventory, accounts, human resources, purchase etc.
2. Cross Company Integration: ERP provides complete integration of system not only across departments but also across Companies under the same management.
3. Multi-faceted: ERP provides multi-platform, multi-facility, multi-mode manufacturing, multicurrency, multi-lingual facilities.
7 | P a g e
4. Business Support: ERP support strategic and business planning activities, operational planning and execution activities, creation of materials and Resources. All these functions are effectively integrated for flow and update of information immediately upon entry of any information. It has end to end supply Chain Management to optimize the overall Demand and Supply Data.
5. Management Tool: ERP is the solution for better project management.
6. Business Tool: ERP provides intelligent business tools like Decision Support System, Executive Information System data mining and easy working system to enable better decisions.
7. Technology: ERP allows automatic introduction of the latest technologies like Electronic Fund Transfer (EFT), Electronic Data Interchange (EDI), Internet, Intranet, video Conferencing, E-Commerce, etc.
8. Problem elimination: ERP eliminates most business problems like material shortages, productivity enhancements, customer service, cash management, inventory problems, quality problems, prompt delivery etc.
9. Information Management: ERP bridges the information gap across organizations. ERP is a high-end solution to business applications which enable the integration of Enterprise Resources and Information.
10. Corporate Image: ERP performs core activities and increases customer service, thereby augmenting the corporate image. ERP system can enhance a manufacturer’s ability to accurately schedule production, fully utilize capacity, reduce inventory and meet promised despatch date of customers.
(b) Auditor may use SCARF to collect the following types of informations- 1. Application System Errors: SCARF audit routines provide an independent check on the
quality of system processing, i.e. whether there are any design and programming errors as well as errors that could creep into the system when it is modified and maintained.
2. Policy and procedural variances: SCARF audit routines can be used to check whether variations from Organization/ Industrial policies, procedures and standards have occurred.
3. System Exception: SCARF can be used to monitor different types of application system exceptions, e.g. when salespersons are given certain flexibility in the prices they charge from customers, SCARF can be used to see how frequently salespersons override the standard price.
4. Statistical Sample: SCARF provides a convenient way of collecting all the sample information together on one file and use analytical review tools thereon.
5. Snapshots and Extended Records: Snapshots and extended records can be written into the SCARF File and printed when required.
6. Profiling Data: Auditors can use embedded audit routines to collect data and build profiles of system users. Deviations from these profiles indicate that there may be some errors or irregularities.
7. Performance Measurement: Auditor can use embedded routines to collect data that is useful for measuring or improving the performance of an application system.
(c) 1. COBIT 5 is based on an enterprise-view and is aligned with enterprise governance best
practice enabling GEIT to be implemented as an integral part of wider enterprise governance.
2. COBIT 5 provides a basis to integrate effectively other frameworks, standards and practices used, e.g. ITIL, TOGAF and ISO 27000.
3. COBIT 5 is also aligned with GEIT standard ISO/IEC 38500:2008 Which sets out high-level principles for the governance of IT, covering responsibility, strategy, acquisition, performance, compliance and human behavior that the governing body of an entity (e.g. Board) should evaluate, direct and monitor.
4. COBIT 5 acts as the single overarching framework which serves as a consistent and integrated source of guidance in a non-technical, technology-agnostic common language. The framework and resulting enables should be aligned with an in harmony with the following also – (a) Enterprise policies, Strategies, Governance and Business Plans, and Audit Approaches, (b) Enterprise Risk Management Framework, and (c) Existing Enterprise Governance Organization, Structures and processes.
8 | P a g e
Ans. 5 (a) In respect of PKI, the certifying Authority / Institution should consider the following certificate
issuance and revocation policies and other controls- 1. Defining (within the Certificate issuance policy) the methods of initial verification appropriate
for different types of certificate applicants, and the controls for issuing Digital Certificates and key pairs,
2. Selecting an appropriate certificate validity period to minimize transactional and reputation risk exposure (Note: Expiration provides an opportunity to evaluate the continuing adequacy of key lengths and encryption algorithms, which can be changed as needed before issuing a new certificate.),
3. Ensuring that the Digital Certificate is valid, by methods like checking a Certificate Revocation List before accepting transactions accompanied by a certificate,
4. Defining the circumstances for authorizing a certificate’s revocation, e.g. compromise of an user’s Private key or the closing of user accounts.
5. Updating the database of revoked certificates frequently, ideally in real-time mode, 6. Employing stringent measures to protect the Root key, e.g. limited physical access, tamper-
resistant security modules, and dual control over private keys and the process of signing certificates, storage of original and back-up keys on computers that do not connect with outside networks, etc.
7. Requiring regular independent audits to ensure controls are in place, public and private key lengths remain appropriate, cryptographic modules conform to industry standards, and procedures and followed to safeguard the certifying systems,
8. Recording in a secure audit log, all significant events performed by the certifying authority’s system, including the use of the Root key, where each entry is time/ date stamped and signed.
9. Regularly reviewing Exception Reports and system activity by the Certifying Authority’s employees, to detect malfunctions and unauthorized activities, and
10. Ensuring the institution’s certificates and authentication systems comply with widely accepted PKI standards, in order to retain the flexibility to participate in other system/sfacilities.
(b) The principles to guide the design of measures and indicators included in an EIS are- 1. Easy to understand: EIS measures must be easy to understand and collect, wherever
possible, data should be collected naturally as part of the process of work. An EIS should not add to the workload of managers or Staff.
2. Goal-oriented: EIS measures must be based on a balanced view of the Firm’s objective. The firm’s objectives in the areas of productivity, Resource management, Quality and Customer service should be reflected in the systems data.
3. Independent: Performance indicators in an EIS must reflect the contribution of all persons in a fair and consistent manner. Indicators should be as independent as possible from variables outside the control of Managers.
4. Teamwork: EIS measures must encourage management and staff to share ownership of the Firm’s objectives. Performance indicators must promote teamwork as well as friendly competition. Measures will be meaningful for all staff. Every individual should feel that his contribution can improve the performance of the firm.
5. Availability & Confidentiality: the objective EIS to provide everyone with useful information about the Firm’s performance, but the information that must remain confidential should not become part of EIS or Management System.
6. Flexibility: EIS measures must evolve to meet the changing needs of the Firm.
(c) 1. E-Gazette [Sec. 2(1)(s)]: Electronic Gazette is the official Gazette published in electronics
form.
2. Publication in official or Electronic Gazette [Sec. 8]: Where any law requires the publication of any rule, regulation, order, bye-law, notification or any other matter in the Official Gazette, then such requirement shall be deemed to be satisfied if the same is published in the Official Gazette or the Electronic Gazette.
9 | P a g e
3. Effective date: Where the Rule, Regulation etc. is published both in the Official Gazette and the Electronic Gazette, the date of publication shall be the date of the gazette, which was first published in any form.
4. Facility only, not a right [Sec. 9]: No person can insist that –(a) any Ministry or Department of the Central or State Government or (b) any statutory Authority or Body or any Authority or (c) Body controlled or funded by the Government should accept, issue, create, retain and reserve any document in the form of electronic records or effect any monetary transaction in the electronic form.
Ans. 6 (a)
1. Physical Security: (a) The Security Administrator must ensure the operation of a complete and reliable
protection scheme against possible physical attacks on the database, ranging from disclosure of a password, to theft of the physical storage devices.
(b) A higher-level security should use- (i) identification / login using password, and also (ii) personal recognition of the user by a guard.
2. Data Security: The Security Administrator should ensure that- (a) DBMS provide control over- (i) data definition, and (ii) data manipulation facilities. (b) Where Database Management is combined with online transaction processing,
accessing/ viewing database objects (tables) can be controlled through internal database mechanisms, which limit what the transaction or program, can do.
(c) Utility access and submission, as well as monitoring and performance tools, should be restricted to appropriate personnel.
3. Security Program: (a) A Security Program is a series of ongoing, regular, periodic evaluations conduced to
ensure that the physical facilities of an Information System are safeguarded adequately. (b) The first security evaluation conducted is a major exercise. The Security Administrator
should consider an extensive list of possible threats to the organization, prepare an inventory of assets, evaluate the adequacy of controls, implement new controls, etc.
(c) Subsequent security evaluations focus only on changes that have occurred, in light of the purchase of new hardware or a new threat, etc.
(d) Even in the absence of visible changes, security evaluations should be repeated periodically, to determine whether covert changes have occurred that necessitate modifications to controls.
(e) Various steps involved in a security program are-
Preparation of Project Plan, Exposure Analysis,
Identification and valuation of Assets, Controls Adjustment, and
Threat Identification, Report Preparation.
(b) 1. Plan: Prepare a simple and understandable plan of who do what in the case of an
emergency 2. Diagram: Create a Step-by-step guideline(e.g. Flowchart), clearly outlining the sequence for
the retrieval and restoration of data depending on the state of the system. 3. Backup Details: keep of record of what was backed up, when it was backed up and which
backup media contains what data. A calendar of which type of backup is due on a certain date can also be made.
4. Verification: Select the option to verify backup. This backup Verification Process will take a little longer time, but it is an important tool to ensure that the backup is taken properly.
5. Changes: Create a reference point where you know everything is working properly. It will be quicker to restore the changes from tape.
6. Controls: Select the option to restrict restoring data to Owner or Administrator and also set the Domain Group Policy to restrict the “Restore” privilege to Administrators only. This will help to reduce the risk of an unauthorized person being able to restore data should the media be stolen.
7. VSS: Use the Volume Shadow Copy (VSS) Service in Windows Server 2003. This feature allows user to create point-in-time copies of data, so that they can be restored and reverted
10 | P a g e
to at any given time. For example. If a user created a word document yesterday and decides that he wants to revert to it today, he can do so using VSS.
(c) The Auditor need to determine the audit procedures related to information system controls that are required to obtain sufficient, appropriate evidence to support the audit findings and conclusions. The factors that assist the Auditor in making this determination are- 1. Relationship of Internal Controls to Data Reliability: The extent to which internal controls
that are significant to the audit depend on the reliability of information processed or generated by Information Systems.
2. Relationship if IS Controls to Data Reliability: To obtain evidence about the reliability of computer generated information, Auditors may decide to access the effectiveness of IS Controls. If the Auditor concludes that IS Controls are effective, the auditor may reduce the extent of direct testing of data.
3. Availability of Evidence outside the information system to support the findings and conclusions: It may not be possible for Auditors to obtain sufficient appropriate evidence without accessing the effectiveness of relevant IS controls. Example: If information supporting the findings and conclusions is generated by information systems or its reliability is dependent on IS Controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems.
4. Assessing the effectiveness of IS Controls as an audit objective: While assessing effectiveness of IS Controls, the Auditor should test IS Controls which is directly a part of audit objective.
Ans. 7 (a) Costs of Internal Control include costs of designing, implementing, operation and maintaining
the control. These may be classified as under. 1. Initial Setup Cost: This cost is incurred to design and implement controls, e.g. a Security
Specialist must be employed to design a physical security system. 2. Executing Cost: This cost is associated with the execution of a control, e.g. Cost incurred
in using a processor to execute input validation routines for a security system. 3. Correction Costs: If the control has operated reliably in signaling an error or irregularity, the
cost associated with the correction of error or irregularity is called Correction Costs. 4. Failure Cost: if the control malfunctions or not designed to defect an error or irregularity,
these undetected or unconnected errors cause losses. These are called Failure Costs. 5. Maintenance Cost: The Cost is associated with ensuring the correct working of a control.
e.g. re-writing input validation routines as the format of input data changes.
(b) 1. Schedule Jobs: OS gives priorities to different work based on user needs, and can
determine the sequence in which they the job needs to be managed. 2. Manage Hardware and Software Resources: The programs required by the user gets
loaded in the primary storage and then cause the various hardware units to perform as specified by the program.
3. Maintain System Security: A Password is created for every user, to ensure that unauthorized persons are denied access to data and system.
4. Enable multiple User Resource Sharing: Many Users can share the programs at the same time.
5. Handling Interrupts: It is a technique used by the Operating System to temporarily suspend processing of one program and enable the other program to be executed.
6. Maintain Usage records: This is useful in Companies where the usage of system resources by various departments have to be recorded and also charged sometimes.
(c) An ERP system is an integration of various organization processes. Its features include – 1. Best Business Practices: The ERP must have a collection of the best business processes
applicable worldwide. An ERP package imposes its own logic on a Company’s strategy, culture and organizations.
2. Wide Scope: The ERP should not be confined to the organizational boundaries, but rather support the on-line connectivity to the other business entities of the organization.
3. Modular & Open: ERP system should have open system architecture. Any Modules should be capable of being interfaced or detached whenever required without affecting the other
11 | P a g e
modules. ERP should support multiple hardware platforms for Companies having heterogeneous collection of systems. It must also be able to support any third party add-ons.
4. Exhaustive: An ERP should be able to support variety of organizational functions and must be suitable for a wide range of business organizations.
5. Flexibility: The ERP System should be flexible to respond to any change on organizational requirements. The Client Server Technology enables ERP to run across various database back ends through Open Database Connectivity (ODBC)
(d) Sec.36 provides that a Certifying Authority while issuing a DSC, shall certify that- 1. It has complied with the provisions of this Act and the rule and regulations made thereunder. 2. It has published the DSC or otherwise made it available to such person relying on it and the
subscriber has accepted it, 3. The Subscriber holds the Private Key corresponding to the public key, listed in DSC. 4. The Subscriber holds a Private Key which is capable of creating a digital signature 5. The Public Key to be listed in the certificate can be used to verify a digital signature affixed
by the private key held by the subscriber. 6. The Subscriber’s Public Key and Private Key constitute a functioning key pair, 7. The information contained in the DSC is accurate, and 8. It has no knowledge of any material fact, which if it had been included in the DSC would
adversely affect the reliability of the representations made in clauses (1) to (4) above.
(e) 1. Meaning: Information Security Management Standard System (ISMS) is a systematic
approach to managing confidential or sensitive information so that it remains secure in terms of Confidentiality, Integrity and Availability
2. Components: ISMS comprises people, processes and IT Systems. 3. Significance: ISMS helps the organization to co-ordinate its security efforts- both electronic
and physical coherently, consistently and cost-effectively. 4. Policies: An ISMS is a set of policies concerned with Information Security Management or
IT related risks. 5. Principles: The governing principle in ISMS is that an organization should design,
implement and maintain a coherent set of policies, processes and systems, to manage risks to its information assets, thus ensuring acceptable levels of information security risks.
12 | P a g e
MARKS ALLOCATION SHEET
Que. No.
Sub point No.(if any)
Name of Chapter Description of Concept Mark Allocatio
n
Total Marks
1 (a) SDLC Meaning of system requirements analysis
2
1 (a) SDLC Activities performed in this phase (each have o.5 marks)
3 5
1 (b) ERP Each point have 1 mark (any five point) 5 5
1 (c) IS Security Each point have 1 mark (any five point) 5 5
1 (d) IT act Explain Provision 5 5
2 (a) BCP & DRP Each point have 1 mark (any six point) 6 6
2 (b) Risk mgt methodology
Each point have 1 mark (any six point) 6 6
2 (c) SDLC Program change Control IS audits role (each 4point)
4 4
3 (a) IT act Each point have 1.5 marks 6 6
3 (b) Is Security & Audit Each point have 0.5 marks (any 12 point)
6 6
3 (c) IS Concept Each point have 1 mark 4 4
4 (a) ERP Each point have 1 mark (any six point) 6 6
4 (b) Testing – Gen. & Automated
controls
Each point have 1 mark (any six point) 6 6
4 (c) IS Audit std & Guidelines
Each point have 1 mark 4 4
5 (a) Data Access Controls Each point have 1 mark (any six point) 6 6
5 (b) IT Concepts Each point have 1 mark 6 6
5 (c) IT Act Each point have 1 mark 4 4
6 (a) SDLC Each point have 2 marks 6 6
6 (b) BCP & DRP Each point have 1 mark (any six point) 6 6
6 (c) Testing – Gen. & Automated
controls
Each point have 1 mark 4 4
7 (a) IS Control Each point have 1 mark (any four point) 4 4
7 (b) IS Concept Each point have 1 mark (any four point) 4 4
7 (c) ERP Each point have 1 mark (any four point) 4 4
7 (d) IT Act Each point have 0.5 marks 4 4
7 (e) Is audit Std.& Guidelines
Each point have 1 mark (any four point) 4 4