
SECTION A (3)

Database Management Systems (DBMS)


Data:
Raw facts collected by an organization about an entity, in the form of text, audio, video or
images.
Information:
Information is the most refined, processed and goal-centric representation of data.
The qualities of an entity in which an organization is interested are called information.
Characteristics of Information:
1. Security
2. Accuracy
3. Representation Format
4. Useful age
5. Updated Information
6. Accessibility
Data Base:
A database is an electronic, digitized and organized collection of logically related data.
Examples: NADRA database, FBI database, student, vehicle and bank databases etc.
Attributes of an entity:
Single value: attributes that hold only a single value are called single-valued attributes, e.g.
name, age etc.
Multi value: attributes that can hold multiple values are called multi-valued attributes, e.g.
Key attributes: key attributes are those attributes which are unique in nature and can easily
distinguish one instance of an entity from another instance.
Entity Instance: An entity instance is the independent, individual example or object of the
entity.
DBMS Facilitation:
A DBMS is software used to create, manage and administer a database. It lets the user
perform the following operations:
1. Design
2. Create
3. Insertion
4. Update
5. Edit
6. Retrieve
7. View
8. Backup
9. Recovery
10. Sharing
11. Access
12. Security
13. Query Optimization
14. Concurrency Control
15. Performance Tuning
16. Deadlock Prevention
17. Privilege
18. Performance Monitoring
Examples of DBMS:
Oracle DBMS of Oracle Corporation
Microsoft Access of Microsoft
DB2 (Database 2) of IBM
MySQL
PL/SQL (Procedural Language / Structured Query Language)
Database Modeling:
A representation of the database design in an understandable format is known as a database model.
Entity Relationship Diagram (ERD):
The process/activity of representing a database architecture or database design using an
industry-standard diagram notation is known as an Entity Relationship Diagram (ERD).
ERD involves the following:
1. Identify entities
2. Identify attributes (single value, multi value, key attributes)
3. Identify relationships between entities
4. Identify cardinality
Benefits / Characteristics of ERD
1. It helps the Business Professional to provide the feedback about the design of the
Database system.
2. It also helps to establish a balance of collaboration between the Business Professional
and the Information system professional.
3. It also helps the Business Professional to verify the level of understanding of the
Information System Professional regarding the information System on the Business
needs of the Business Professional.
4. It also helps the Information System Professional to transform/Map the Business details
into the Technical details.
5. It also helps the Business Professional to Participate/involve in an effective manner in
the development of the Database Design.
6. In an ERD, entities are identified/represented using a rectangular box.
7. The rectangular box shall be labeled meaningfully.
8. The attributes must be represented using an oval shape.
9. All the attributes shall be labeled meaningfully.
10. The label of a key attribute shall be underlined.
11. Multi-valued attributes are represented using a double outline.
12. All the attributes shall be directly linked with the entity.
A CASE (Computer Aided Software Engineering) tool may also be used to facilitate or
automate the process of database modeling.
Examples of CASE tools for database modeling are Microsoft Visio, UML-Draw etc.
Organization of Database:
1. Meaningful characters make fields.
2. Fields make records (rows).
3. Records (rows) make tables.
4. A combination of tables makes files.
5. And files make the database.
Logical View:
The logical view of the database is the human understanding of the database.
The logical view describes how users conceive or visualize the data.
Physical View:
The physical view is the machine's understanding of the database. The physical view defines
how a computer system and its storage devices conceive and manage the database.
Translation between Logical View and Physical View (the layers between the user and the storage devices):
1. User (logical view)
2. Application
3. Database Management System
4. Operating System
5. Storage Devices (physical view)

Data Dictionary:
A data dictionary is a collection/repository of metadata.
In other words, a data dictionary is a database of data about the data.
The metadata includes the following:
1. Description
2. Format/syntax
3. Range
4. Type (e.g. numeric, alphanumeric, special characters)
5. Minimum value
6. Maximum value
7. Default value
8. Nullability (whether a null value is allowed)
Advantages of Data Dictionary
1. The data dictionary is used for input validation.
2. It provides essential information about the physical structure of the database to
the developers.
3. Data dictionary is also very helpful during the integration of data or database.
4. Data dictionary is very helpful during the migration of data (import/export of data).
5. Data dictionary is also used in order to bring changes in the existing infrastructure
of database.
6. It is also used during the development of a data warehouse.
7. Data dictionary is also helpful in the optimization and refining of the data base
design.
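As an added example (not part of the original notes), the following Python code uses a constructed data dictionary whose entries carry the metadata kinds listed above (description, format, range, type, minimum, maximum, default, nullability) to validate an input record before it is stored, which is advantage 1 above. The "student" table, its field names and the sample records are assumptions.

```python
import re

# Constructed data dictionary for a hypothetical "student" table. Each entry
# carries the metadata kinds listed in the notes; not every field needs all of them.
DATA_DICTIONARY = {
    "student_id": {
        "description": "Registration number",
        "type": "alphanumeric",
        "format": r"^[A-Z]{2}-\d{4}$",       # syntax, e.g. AB-1234
        "nullable": False,
    },
    "name": {
        "description": "Full name",
        "type": "alphabetic",
        "format": r"^[A-Za-z ]+$",
        "nullable": False,
    },
    "age": {
        "description": "Age in years",
        "type": "numeric",
        "minimum": 16,
        "maximum": 80,
        "nullable": False,
    },
    "status": {
        "description": "Enrolment status",
        "type": "alphanumeric",
        "range": ["active", "suspended", "graduated"],   # allowed values
        "default": "active",
        "nullable": True,
    },
}


def _has_type(value, type_name):
    """Type check as the dictionary describes it (numeric / alphabetic / alphanumeric)."""
    if type_name == "numeric":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if type_name == "alphabetic":
        return isinstance(value, str) and value.replace(" ", "").isalpha()
    if type_name == "alphanumeric":
        return isinstance(value, str)
    return False


def validate_record(record, dictionary=DATA_DICTIONARY):
    """Validate one input record against the data dictionary.

    Returns (cleaned, errors): cleaned holds the accepted values with defaults
    applied; errors lists every violation found, so the caller can report them
    all at once instead of stopping at the first one."""
    errors = []
    cleaned = {}
    for field in record:                      # fields the dictionary does not know
        if field not in dictionary:
            errors.append(f"{field}: not defined in the data dictionary")
    for field, meta in dictionary.items():
        value = record.get(field)
        if value is None:                     # missing or explicit null
            if "default" in meta:
                cleaned[field] = meta["default"]
            elif meta.get("nullable"):
                cleaned[field] = None
            else:
                errors.append(f"{field}: null value not allowed")
            continue
        if not _has_type(value, meta["type"]):
            errors.append(f"{field}: expected {meta['type']} value")
            continue
        if "format" in meta and isinstance(value, str) and not re.match(meta["format"], value):
            errors.append(f"{field}: does not match format {meta['format']}")
            continue
        if "range" in meta and value not in meta["range"]:
            errors.append(f"{field}: must be one of {meta['range']}")
            continue
        if "minimum" in meta and value < meta["minimum"]:
            errors.append(f"{field}: below minimum {meta['minimum']}")
            continue
        if "maximum" in meta and value > meta["maximum"]:
            errors.append(f"{field}: above maximum {meta['maximum']}")
            continue
        cleaned[field] = value
    return cleaned, errors
```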
Database Model:
1. Network model
2. Hierarchical model
3. Relational model
Relational model:
Characteristic of relational model:
1. A relational model uses a tabular structure for the database development.
2. A table (relation) is a grid of rows and columns.
3. In relational model each row represents a unique record.
4. In relational model order of rows is insignificant or immaterial.
5. In relational model new rows can easily be added.
6. In relational model the columns represent the attributes and the name of column is
meaningful.
7. In relational model the order of column is insignificant or immaterial.
8. In relational model new columns can easily be added.
9. It supports or implements the concept of normalization.
10. In relational model the chances of data inconsistency, errors and omissions are
very low.
11. Relational model helps to maintain the minimum level of redundancy (unnecessary repetition).
Advantages:
1. Standard Enforcement
2. It is very much flexible in accommodating the changes in Database structure.
3. It is the most commonly used approach in the industries. For example Oracle Corp.
uses Relational model to make Oracle Database.
4. It maintains the minimum level of Redundancy.
5. The implementation of Normalization significantly reduces the storage needs.
6. It provides relatively better security.
7. This model helps in providing Good Transaction Processing Time.
8. It reduces the chances of data inconsistency and therefore provides reliable information
for decision making.
9. It is very simple, easy and intuitive to understand.
10. This model supports simultaneous access by multiple users (that is called
concurrency control).
11. It eliminates data deadlock.
12. It supports the enhanced business reporting.
13. It provides Good Backup and Recovery Support.
14. It also assists in the implementation of organization access policy.
Database Access:
1. Sequential Access
2. Index Sequential Access
3. Direct Access
1. Sequential Access:
In sequential access the data is accessed by searching from the start of the storage medium to
the location that holds the desired data. Sequential access is an obsolete technique.
Advantages:
1. It is the simplest technique.
2. It does not need any mathematical calculations to locate data.
3. It does not need any extra software for the data access.
4. It is suitable for small volume of data.
5. It is helpful in Batch Processing.
Disadvantages:
1. The time to access the first record and the time to access the last record are unequal.
2. Data access takes a very long time if the volume of storage is very high.
3. It brings inefficiency during the transaction processing due to high waiting time for
data access.
4. Random and instant data access is not possible.
5. It increases the user response time.
2. Index Sequential Access:
In index sequential access the data is organized or sorted with respect to a particular attribute.
A table is created for that particular attribute, called the index table.
To search for a particular item, the user first looks up the index table to locate the region of
interest, which filters out the undesired areas.
Once the user reaches the desired region of interest, the sequential mode of access is applied
within it to get the desired data.
In index sequential access a separate area is reserved to accommodate new data belonging to
a section that is already fully occupied.
3. Direct Access:
In direct access each memory location is assigned a unique memory address or identity, so a
single memory location can be accessed instantly.
To access memory using direct access, the Central Processing Unit (CPU) calculates or
determines the memory address and sends it to the memory or storage device. The storage
device accesses the desired location, fetches the data and sends it back to the CPU.
However, a particular addressing scheme needs to be defined for the identification of the
memory location.
There are two kinds of memory locations:
1. Addressable: if the addressable memory area is fully occupied, an extra buffer area known
as the overflow area is used to accommodate the additional data.
2. Un-Addressable:
Advantages:
1. It gives direct access.
2. It brings efficiency to transaction processing.
3. Least data access time.
4. Most suitable for accessing large volumes of data.
5. Reduces user response time.
6. The time to access the first and the last location is equal.
Disadvantages:
1. It is a complex approach.
2. Proper addressing algorithms/schemes need to be defined.
3. The CPU needs to calculate the address before access.
4. There is a possibility of collision, that is, generating the same memory address for two
different data items.
5. It needs special software for data access, address calculation, collision avoidance
and overflow area management.
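The following Python code is an added example (not from the notes) that makes the cost difference between sequential and direct access visible: a sequential scan whose probe count grows with the record's position, and a direct-access file with a modulo addressing scheme, collision detection and an overflow area that must be searched sequentially. The slot count, keys and records are constructed.

```python
def sequential_fetch(records, key):
    """Sequential access over a list of (key, record) pairs.

    Scans from the start; the number of locations examined (probes) grows with
    the record's position, so first and last records cost unequal time."""
    probes = 0
    for k, rec in records:
        probes += 1
        if k == key:
            return rec, probes
    return None, probes


class DirectAccessFile:
    """Direct access: a fixed addressable area plus an overflow area.

    The addressing scheme maps a key to a slot; when two keys map to the same
    slot (a collision) the later record is placed in the overflow area."""

    def __init__(self, slots=8):
        self.slots = slots
        self.primary = [None] * slots   # addressable area: (key, record) or None
        self.overflow = []              # overflow area: list of (key, record)

    def address(self, key):
        """Addressing scheme: the location is computed from the key (modulo hashing)."""
        return key % self.slots

    def store(self, key, record):
        """Store a record; returns where it landed: ("primary", slot) or ("overflow", index)."""
        addr = self.address(key)
        slot = self.primary[addr]
        if slot is None:
            self.primary[addr] = (key, record)
            return ("primary", addr)
        if slot[0] == key:                     # update in place
            self.primary[addr] = (key, record)
            return ("primary", addr)
        # collision: a different key already produced this address
        for i, (k, _) in enumerate(self.overflow):
            if k == key:
                self.overflow[i] = (key, record)
                return ("overflow", i)
        self.overflow.append((key, record))
        return ("overflow", len(self.overflow) - 1)

    def fetch(self, key):
        """Return (record, probes). One probe hits the computed address directly;
        only colliding keys pay for a sequential scan of the overflow area."""
        addr = self.address(key)
        probes = 1
        slot = self.primary[addr]
        if slot is None:                       # empty slot: key was never stored
            return None, probes
        if slot[0] == key:
            return slot[1], probes
        for k, rec in self.overflow:
            probes += 1
            if k == key:
                return rec, probes
        return None, probes
```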
ACID (Atomicity, Consistency, Integrity, Durability) Property of DBMS
Atomicity: a transaction must be processed completely or must be rolled back entirely.
Consistency: the execution of a transaction must bring the database from one consistent
state to another consistent state.
Integrity (the I of ACID is normally expanded as Isolation): a transaction shall not
interfere with another transaction in progress.
Durability: the results of a committed transaction must be recorded and saved permanently.
Type of Information Systems:
Level of Management:
1. Strategic Management
2. Tactical Management
3. Operational Management
Types of Problems or decisions:
1. Unstructured
2. Semi structured
3. Highly structured
Transaction:
A transaction is an event or incident that demands or requires data processing and the
dissemination of the resulting information. A transaction processing system is the most
commonly used information system in all sectors. It may have its own specific business
needs depending on the nature of the organization, scope of work, inter-departmental needs
and the business environment.
The most common features incorporated in almost all transaction processing systems are:
Transaction Book Keeping
Data processing
Business reporting
User query processing
Information distribution or sharing
Assistance for decision making at operational level
Data management (indexing, sorting, filtering etc.)
Maintaining the transaction logs
Transaction recovery
Transaction errors detection and correction
Transaction consolidation
Transaction security and integrity

There are two types of Transaction Processing systems:
1. Batch processing system
2. Real Time Processing system

Real Time Processing System | Batch Processing System
A real time transaction processing system processes the transaction instantly or immediately at the time of its occurrence. For example, an airplane navigation system, stock trading, online banking, online (web based) payment systems, missile or targeting systems etc. | A batch processing system accumulates transactions over a certain period of time and then processes them. For example, monthly payroll generation, utility billing systems, annual balance sheets.
Real time systems are very interactive | Batch processing systems are less interactive
Real time systems are user friendly | BPS are less user friendly
Real time systems make the information available instantly | Batch processing systems make the information available after a certain period of time
Real time systems help in problem solving | Batch processing systems help in problem solving after a certain period of time
In a real time system the priority of a transaction cannot be changed | In batch processing systems the priority of a transaction can be changed or modified
In a real time system a transaction cannot be interrupted | In batch processing systems a transaction can be interrupted
In a real time processing system a transaction schedule cannot be redefined | In batch processing systems a transaction schedule can be redefined
Real time systems are relatively more sophisticated | Batch processing systems are relatively less sophisticated
Real time processing systems need more protection and security | Batch processing systems need relatively less protection and security
Real time processing systems cannot be left unattended | Batch processing systems need less supervision
Real time processing systems are more costly | Batch processing systems are not costly
Real time processing systems need relatively skilled professionals | Batch processing systems also require skilled professionals
Real time processing systems are relatively highly complex | Batch processing systems are relatively less complex
Real time processing systems take more time for development | Batch processing systems take less time for development
A real time system must be rigorously tested | A batch processing system must be tested on a normal basis

Decision Support System (DSS):


An information system that is used to assist the Middle Management or Top Management in
decision making
Characteristic of DSS:
1. It helps to manage the complexity of the problem.
2. It helps in better analysis by providing relevant information in the desired manner.
3. It helps to break down the problem and guides the user to reach a decision.
4. It gives business intelligence.
5. It improves the quality of the decision making process.
6. It helps a beginner (novice) to solve a problem the way an experienced professional
would have.

Challenges for DSS:
1. It takes a long time to develop.
2. The development of a DSS needs highly skilled staff and domain experts.
3. The development cost is very high.
4. Overcoming organizational inertia and gaining willing acceptance are very difficult.
Continuous updating of the knowledge base and analytical schemes is essential.
5. Ease of use and a user friendly interface are a big challenge.
6. Support for information visualization is also very much desired.
7. The implementation, maintenance and infrastructure costs are very high.
8. A properly planned implementation strategy is required.
9. Rigorous testing is required.
Implementation Strategies for DSS:
1. Unfreeze (educate and train people)
2. Move
3. Freeze
DSS decision Models:
1. Simulation and modeling
2. Case-based reasoning
3. Neural networks
4. Fuzzy logic
5. Intelligent agents
6. OLAP (online analytical processing) and data mining
7. Expert systems
Advancements in DSS:
1. Enhanced information visualization techniques are being incorporated to assist the
decision makers.
2. Interactive, highly graphical and user friendly interfaces are being developed for the
early acceptance of the software.
3. Rapid development is also a focus.
4. Integration of the DSS with the existing business applications is also a focus.
DSS architecture:
DSS Dialogue Generator:
The DSS Dialogue Generator is a module that accepts the user queries and conveys the system
responses in an interactive manner.
DSS Engine (inference):
It accepts the facts regarding a problem from the DSS Dialogue Generator, uses the
information preserved in the knowledge base, manipulates it and draws a conclusion.
DSS Knowledge Base:
This part is a database that maintains the collection of facts and information that will be used
in problem solving.

SECTION A (4)
Information system acquisition and development
Approaches to develop software:
1. Software Development Life Cycle (SDLC)
2. Waterfall Model
3. Spiral Model
4. Iterative Model
5. Incremental Model
6. Prototyping Model
7. Agile Development Model (currently the most widely used approach)
8. Component Based Software Development Model
9. Application Packages Model
10. End User Computing Model
11. Reverse Engineering Model
12. Re-engineering Model
13. Object Oriented Software Development (OOSD)
14. Rapid Application Development
Software Development Life Cycle (SDLC)
Initiation Phase
a. Problem definition
b. Feasibility Study
1. Economic Feasibility
2. Financial Feasibility
3. Technical Feasibility
4. Schedule Feasibility
5. Organization Feasibility
6. Social/Operational Feasibility
c. Project Planning
Development Phase
d. Requirement Gathering and analysis
e. Software Design
f. Software development and testing
Implementation Phase
1. Training
2. Conversion
3. User Acceptance Testing
4. Post Implementation Audit
Operation and maintenance Phase
g. Operation and maintenance
1. Ongoing Support
2. Software Upgrade
Problem Definition
Problem Statement
Explain the existing system
Explain the drawbacks of the existing system
Explain the root causes of the existing system's drawbacks
Explain the impact of the existing system
Explain the benefits of the proposed solution
Deliverables:
Feasibility Report
Management Approval
Project Plan

Feasibility Study:
Economic Feasibility (development, infrastructure, maintenance, training and
consultancy cost)
In this study the IT financial analyst determines the total cost of ownership, including
the above mentioned costs, and the corresponding expected benefits and payback period;
if this equation comes out positive it reflects the financial feasibility of the project.

Technical Feasibility (Return on Investment, Payback Period)
Is the capability of the human resources sufficient for successful development? Are the
availability and adequacy of the technical infrastructure capable of supporting the
project?

Schedule Feasibility
Is it possible to meet the expected deadline of the project without affecting the
deadlines of the ongoing programs or compromising quality?

Organizational Feasibility
Does this project support the organization's goals, mission and strategic objectives, or in
other words, is the investment aligned with the business objectives?

Social/Operational Feasibility
Will the new system be acceptable to the users, and will the software easily interoperate
with the existing business applications?

Service Level Agreement (SLA)


It is a legal document that defines all the services expected by the client as well as the
monetary demands of the vendor. This document is prepared by IT legal experts and must
uphold all the concerns and protections of both parties. It also covers all the relevant
legal possibilities, their impacts and the corresponding decisions. It must be duly signed by
the competent authorities of both sides in the presence of mutually agreed witnesses.
Requirement Gathering and Analysis
1. Identify key stakeholders
2. Identify all those internal and external entities which will be interacting with the
system
3. Identify and document all functional requirement (Core Business Requirement)
4. Identify and document all Non-functional requirements (Security, storage, CPU,
Bandwidth etc.)
5. Determine tools and technology used
6. On the basis of the gathered functional and non-functional requirements the conceptual
model is prepared by the analysts
The conceptual model represents only what are the main sub systems and
their possible interactions
7. Determine the main inputs, outputs and business rules of the systems
8. Identify all the user acceptance procedures against which the software will be evaluated
before handing it over (ATP)
9. Determine whether there is any need of integrating an audit module (EAM
embedded audit module)
10. Determine whether there is a need for computer fraud detection module or
computer Forensic detection module
11. In this phase all the conflicts between the different stakeholder over the
requirement are identified, negotiated and must be resolved

12. For better understanding and interpretation of the system, various diagrams are
developed:
a) Context diagram
b) Data flow diagram
c) Entity relationship diagram (ERD)
d) Flow chart
13. Once all these activities are performed they must be documented in the form of
report which is known as Software Requirement Specification (SRS) document
14. This document must be signed by the competent authorities of client and vendors
Software Design:
1. This phase defines how the system will deliver services to the user.
2. In this phase all sub-modules are explored in depth and their architecture is prepared.
3. It identifies the data processing schemes and flows.
4. There are three types of design developed in this phase:
a. Database design b. Process design c. User interface design
a. Database Design: the database design diagram identifies the following things
1. Entities
2. Attributes
3. Relationships between entities
4. Key attributes
5. Business rules
6. Data dictionary
7. Data access method
8. Data backup requirements
b. Process Design: the design identifies the various processes and sub-processes of each
module of the system. It also determines the sequence of execution, decision points and
intermediate inputs and outputs; in addition, the possible collaboration between the
processes is identified.
There is a standardized way of process design. One of the most commonly used standards
is UML (Unified Modeling Language).
According to UML the following diagrams are developed:
1. Class diagram
2. Activity diagram
3. Sequence diagram
c. User Interface Design: in GUI (graphical user interface) design a sketch of the software
interface is designed in the form of screen shots using various design tools.
The interface design addresses how many forms there will be in the software and which
controls are used, such as buttons, radio buttons, dropdown lists, icons, progress bars etc.
Once all these diagrams are developed they must be documented in the form of a software
design specification document.
Software Development:
1. Programming: from the SDS (software design specification) to source code (a set of
instructions)
2. Debugging (error free source code)
3. Software testing (deliverable outputs)
4. Documentation (manuals)
5. User acceptance testing (UAT) (user consent for the development)
Programming:
In this activity a programmer selects an appropriate high level language (4th GL) and writes
the instructions in the form of programs, known as source code.
After writing the source code, the programmer uses language translators to translate the
source code (human friendly language) into machine language or executable code.
Language translators include compilers, assemblers and interpreters.
Before the executable code is produced, software errors must be removed; a debugging tool
is used to locate and remove the errors, and this activity is known as debugging.
1. Writing the source code program, using:
a. Source code editor
b. Compiler, interpreter
c. Debugger
d. Software testing tools
e. Configuration
f. Performance
2. Language translator
3. Debugging
4. Executable code (executor)
Integrated Development Environment (IDE)
An IDE is a collection of many different software tools designed to facilitate the
development activities, e.g. Microsoft Visual Studio, Eclipse (Java).
Software Testing:
1. Validation (Does the software meet the business needs of the clients mentioned in SRS)
2. Verification
Levels of Testing
a) Unit testing
b) Module testing
c) Integration testing
d) System testing
e) Security testing
f) Stress testing
g) Volume testing
h) Recovery testing
i) Response testing
Testing Types:
1. White Box Testing
2. Black Box Testing
3. Regression
4. Beta
5. Alpha
6. UAT/FAT
Approaches:
1. Top-down (testing after development is complete)
2. Bottom-up (testing as you develop)
Maintenance and Operations:
Prototype (Advantages of Prototype)
1. Requirement clarification
2. It decreases the development time
3. It is a very appropriate approach for software whose appearance matters, e.g. mobile
apps, computer games, simulations, animations, websites, social media apps etc.
4. It reduces requirement misunderstanding
5. The cost of development can also be reduced
6. It ensures user participation and involvement
7. Users get familiar with the system at an early stage, which therefore reduces the
element of inertia
Disadvantages of Prototype:
1. The software may lack optimization because most of the time the design phase is skipped
2. The product is relatively less reliable
3. Evolutionary prototyping may create unrealistic user expectations
4. Excessive prototype building may exceed the budget
5. It is not appropriate for critical large scale business applications

Reverse Engineering:
Obtain a trial version and black-box test it to learn its functionality.
If the above activity is not helpful, decompile the software and prepare a new design from
the source code.
Advantages of Reverse Engineering
1. The fresh system to be developed is relatively optimized.
2. Reverse engineering lets the development team incorporate the good features of the
existing system and avoid its bad features.
Disadvantages of Reverse Engineering
1. It may cause violation of intellectual property rights and software piracy.
2. Writing a decompiler is a very time consuming job with a very high risk of poor results
and licensing issues.
3. Acquiring a decompiler is very costly.
Re-engineering:
Critical analysis of the existing system identifies its problems, brings the
changes/improvements and deploys them.
Spiral Model:
1. Identify goals/objectives
2. Perform risk management (identification, analysis, mitigation (reduce/minimize),
monitoring)
3. Execution and test
4. Evaluate and Plan
SDLC, Spiral Model
Initiation:
a) Problem Statement (apply the spiral steps: identify goals/objectives; perform risk
management (identification, analysis, mitigation (reduce/minimize), monitoring); execute
and test; evaluate and plan)
b) Feasibility Study (apply the same spiral steps)
c) Project Plan (Apply Spiral Steps)
Development:
a) Requirement Gathering (Apply Spiral Steps)
b) Software Design (Apply Spiral Steps)
c) Programming (Apply Spiral Steps)
d) Documentation and Software Testing (Apply Spiral Steps)
Implementation:
a) Training (Apply Spiral Steps)
b) Conversion (Apply Spiral Steps)
c) User Acceptance testing (Apply Spiral Steps)
d) Post implementation audit (Apply Spiral Steps)

Operations and Maintenance:


a) Ongoing Support (Apply Spiral Steps)
b) Software Upgrade (Apply Spiral Steps)
Advantages of Spiral Model:
1. It is a very practical approach for software development.
2. It is the most commonly practiced approach in the industry.
3. It is a unique approach because it applies risk management, unlike the other
approaches.
4. Due to risk management it helps to identify the major risks at the initial stages,
which might have heavy consequences if they remain unidentified or uncontrolled.
5. It is a very appropriate approach for large scale business applications.
6. It is heavily focused on feasibility, costing and management and therefore manages all
the software risks.
7. It is an iterative model and therefore feasible enough for adapting to change and
optimizing the software.
Disadvantages of Spiral Model:
1. It is a very complex approach relative to others.
2. It requires very skilled and competent professionals for its execution.
3. Risk management and the other activities may cause deadlines to be missed if they are
not properly managed.
4. It is not a practical approach (it is infeasible) for small budgets (small scale enterprise
business applications).
Software Base Lining:
An activity that is performed when the design phase is in its initial stage.
Before baselining: requirements. After baselining: changes.
1. Defines the freezing point for the software scope.
2. Avoids scope creep (a cause of failure).
3. Accepts a change, analyzes it in terms of cost and benefits, seeks approvals and then
implements it.
4. Establishes the basis for information system maintenance practices, i.e. change
management and configuration management.
5. Performed at the initial stages of software design.
Information system maintenance practices:
1: Change management
2: configuration management
Change management:
1. Change request
2. Record change (CRF Change Request Form)
3. Analyze change (CCB Change Control Board)
4. Approve or reject change
5. Authorization of change
6. Implementation of change
7. Emergency change
8. Testing the change
9. Deploy change into production
10. Document change
11. Audit program change
Configuration Management
1. Configuration items
2. Configuration control data base (CCDB)
3. CCB (Change Control Board)
4. Change identity

Library Control System


1. Information processing facility (IPF)
2. Production environment
3. Backup site
4. Recovery site
5. Library site
6. Asset management
a) SRS (Software Requirement Specification)
b) SDS (Software Design Specification)
c) Source code
Programming file
Object file
d) Executable code
e) Software Library
Dynamic (.dll (Dynamic Link Library))
Static (.lib)
f) STS
g) UI (user interface)
h) Configuration manual
i) Audit report
Library control software has the following functionality to deliver
1. It maintains record keeping of the source code and executable code, comprising
program files, object files and libraries respectively.
2. It maintains a record of all requests for source code release.
3. It controls (restricts) access to the source code and executable code.
4. It defines the nomenclature for the identification of source code, executable code and
their respective versions.
5. The LCS (library control software) maintains the log regarding change management
activity.
6. The LCS defines and implements access for authorized personnel only.
7. The LCS keeps the different documents and software codes in safe custody.
8. The LCS also raises an exception in case of any violation.
9. The LCS tracks all items that have been issued and have to be received back.
10. The LCS is also responsible for managing physical and environmental security as
well.

SECTION B (5)
The Process of Auditing Information System (IS)
Auditing Outsourcing Practices
1. The auditing control system should cover a short period of time.
2. The IS auditor should determine whether contractual provisions for the client's right to
audit are mentioned or not.
3. The auditor will determine whether contractual provisions for following industry best
practice in the various software development processes are addressed or not, e.g.
o ISO 27000 / ISO 9000 (QMS, Quality Management System)
o PMBOK (Project Management Body of Knowledge)
o Six Sigma
o ITIL (Information Technology Infrastructure Library): software services
development and support management
o CMMI (Capability Maturity Model Integration): software development process
o ISMS (Information Security Management System): data security

4. The auditor will determine whether the contractual provisions for timely
delivery of the software, conformance with the budget limits, their violation and
penalties in case of violation are mentioned or not
5. The auditor will identify whether a provision for software escrow is mentioned or
not
6. Software escrow is the concept of making a third party (normally a state or federal
regulator) the custodian of the software source code on behalf of the client. If the vendor
refuses to provide services to the client, the client has the right to request the release
of the source code from the custodian. The custodian is supposed to release the source
code after verification
7. The auditor will determine whether the provisions for software licensing, reverse
engineering, license per node, license per site, license per user, regulatory
needs, intellectual property rights, software piracy and copyrights are addressed
or not
8. The IS auditor will determine whether the contractual provisions for security
requirements, software backup, data loss and data disclosure are addressed or not
9. The IS auditor will determine whether the contractual provisions for the acceptance
parameters of user acceptance testing after deployment services are addressed or
not
10. The IS auditor will determine whether the contractual provisions for timing
deadlines, actions in case of falling behind the deadlines, quality of service,
expenditure monitoring and software costing are mentioned or not
11. The IS auditor will determine whether the contractual provisions for software
change management practices and software configuration management practices
are mentioned or not
12. Whether the contractual provisions for baselining are mentioned or not
13. The IS auditor will determine whether the contractual provisions for conflict
resolution, negotiation and dispute escalation are mentioned or not
14. The IS auditor will determine whether the contractual provisions for mode of
payment, payback period, warranty claims and software insurance are mentioned or
not
15. The IS auditor will determine whether the contractual provisions for system
backup, system recovery, system downtime compensation and system security are
addressed or not
16. The IS auditor will determine whether the contractual provisions for resource
availability, quality management practices and after-sales service delivery are
addressed or not
What are the audit practices in outsourcing? (SAS 70 Type I) (SAS 70 Type II)
1. An external auditor (nominated by the vendor) performs the audit of the outsourcing
2. The internal auditor of the client, or an auditor nominated by the client, performs the audit of the
vendor
3. Mutually agreed auditors
IS Audit
In the IS Audit following activities will be audited
1. Governance, Management, Organization structure
2. Infrastructure and operations
3. Software/System development
4. Information security management
5. Disaster recovery and BCP
Approaches of Audit
1. Audit round the system
2. Audit through the system

IS audit process
Audit:
An audit is an economic activity in which an auditor (internal or external) evaluates, examines and
tests the effectiveness of procedures, internal controls or ongoing practices (activities) and
forms an opinion regarding the degree of compliance, conformance or adherence to industry
standards or best practices
Types of auditor
Auditor should be
1. Independent
2. Professional
3. Vigilant
Types of Audit
1. Financial audit
2. Operational audit
3. Administrative audit
4. Integrated audit
5. IS or IT audit

6. Forensic audit
7. Specialized audit
8. Stock audit
9. Certification audit
10. Surveillance audit

Audit charter
1. Responsibility (task supposed to perform)
2. Authority (privileges, rights, powers, what you have to do)
3. Accountability (rules and laws)
Audit assignment/ Audit engagement letter
1. Audit mandate/audit assignment charter
2. Audit schedule
3. Rules of engagement (ROE)
4. Non-disclosure agreement (NDA)
IS Audit Process
1. Define audit area
2. Define or determine scope of audit
3. Define the audit objectives
4. Perform the audit planning
5. Perform the evidence gathering and do the fact finding
6. Verify/test and analyze the data
7. Preparation of audit report up to the mutually agreed upon standard
8. Communicating and presenting the audit result to the auditee management
9. Audit closing activity
10. Follow up audit activity
Audit Area
An audit area is the specification of the domain or the functional area to be audited.
1. Change management (considered as an audit area)
2. Software development practices
3. Change management Practices
4. IT services delivery and support
5. Operation management
6. Corporate/IT governance
7. Business continuity and disaster management
8. Information system maintenance practices
9. IT infrastructure utilization
10. Outsourcing practices

Audit objectives
1. In this activity the goals of the audit are defined, or in other words the expected
deliverables of the audit are defined. For example, an audit objective could be to determine
whether SCM (Software Change Management) practices are practiced in a proper
way or not. Similarly, another objective could be to verify that all the possible risks of
unauthorized change are properly controlled
2. Another audit objective could be to verify that the internal controls for business
continuity and disaster recovery are effective and are practiced according to
industry-specific practices
Objective for Outsourcing
3. Another audit objective could be to determine whether taking the services of
external vendors has created any information security risk for the organization
Information Technology (IT) Governance Objective
4. Another audit objective could be to determine whether IT investments are aligned
with the business goals or not
Audit Scope
The audit scope can be defined as the determination of the depth of the audit. The audit scope
defines the limits and boundaries of the audit. It also defines the coverage depth of an area; for
example, if the audit area is change management practices, the scope can be defined
on the basis of software type, e.g. ERP, security software, operating software, e-business
solution, or a specific enterprise system.
The scope can also be defined on the basis of departments and their software.
The scope can also be defined on the basis of geographical area or region. For example, in
National Bank of Pakistan two different enterprise systems are in use, one for Islamic
banking activities and the other for non-Islamic banking activities, so the scope can be defined as
the change management practices in the Islamic banking software across all the country-wide
branches
Audit Planning
In audit planning following things are highlighted
1. Audit schedule (day, date, time, and duration)
2. Formation of audit team and job assignment
3. Resource required e.g. Software tools, audit working papers, literature documents(past
audit report, follow up report, rule book)
4. Identify the procedures for fact finding and evidence gathering
5. Identify the procedures for sampling and data evaluation
6. Identify the list of internal controls to be examined
7. Perform the risk analysis and risk assessment of the internal controls of auditee
environment. Identify the possible exposures, their criticality, their corresponding
controls and their effectiveness
8. Site to be visited
9. Identification of the auditee's coordinator for the audit
10. Notification of the audit and its acknowledgment
11. Identification of logistics requirements and other secondary requirements
12. If the audit is risk based then risk management is done during planning; if the audit is non-risk
based then there is no use of risk management
Risk Management
1. Risks identification
2. Risks analysis
3. Risks mitigation
4. Risks control and monitoring

Importance of Risk Management
If the risk management activity is performed during audit planning then the corresponding
audit is considered a risk-based IS audit; otherwise it is considered a non-risk-based
IS audit
A risk-based IS audit helps the auditor to foresee or predict the various challenges during the
audit activity. Additionally it helps them assess criticality and find
remedial or preventive measures. It also helps to meet the audit deadline and to fulfill the audit
objectives effectively (optimum resource utilization)
Evidence Gathering and Fact Finding
1. Silent observation
2. One on one interview
3. Sampling
4. Questionnaires
5. Document literature review
6. Identify data
Identify data source
Identify data gathering procedures
Identify data processing
Types of Testing
1. Compliance Testing
2. Substantive Testing
1. Compliance testing:
If a minimum level of policies has been adopted by the organization then the IS auditor performs
compliance testing
2. Substantive testing:
If the internal controls of an organization are not in accordance with the policies then the IS
auditor performs substantive testing (for example, if segregation of duties is not
implemented)
Structure of the Audit Report
1. Area
2. Charter
3. Objective
4. Scope
5. Schedule
6. Audit team members and their job responsibilities
7. Fact finding
8. List of internal control that were inspected
9. Errors
10. Complaints
11. Follow up activity
12. Description of compliance and non-compliance
13. Auditor recommendation and suggestions (Follow up activity)
14. Closing remarks
Emerging trends in audit
1. Control self-assessment (CSA)
2. Computer assisted audit techniques (CAAT)
3. Continuous online audit techniques (COAT)
4. Automated working papers

What is CSA?
What is the role of auditor in CSA?
Advantages and disadvantages of CSA
Management Approach
1. To leverage the audit function (leverage, i.e. optimization: improving the audit process
continuously)
2. Educate trainee
3. Meeting between auditee and auditor
CSA is a management technique in which the management implements a new strategy to
leverage or optimize the audit function. In this concept the auditor brings awareness and educates
the auditee regarding the implementation of the practices in the best way as defined in the
industry.
Role of auditor in CSA:
In CSA the auditor does not work in the capacity of an auditor; rather he works like a
facilitator, mentor, advisor and trainer. He educates by conducting seminars,
webinars, walkthrough sessions, formal or informal gatherings and workshops and tries to
develop a sense of self-accountability and self-control. The auditor does not act or behave like an
auditor; rather he tries to facilitate the employees in overcoming their problems during the
implementation of best practices
Advantages:
1. Standard enforcement
2. Sense of ownership
3. Self-accountability
4. No re-working
5. Optimum utilization of resources
6. Improvement in audit function
7. Overall process improvement
8. Errors are controlled
9. Gain of competitive advantage
10. Risk management
11. Reduction of organizational inertia
Disadvantages:
1. The feeling or imposition of additional workload on the employees
2. Demotivation and lowered morale in case the suggestions are not considered
3. Union formation might start occurring
4. Un-realistic expectation of employee benefits
5. A misconception of substitution/replacement of audit function
Computer Assisted Audit Techniques (CAAT), CASE tools (Generalized Audit Standard,
GAS). France was the first to adopt automated audit techniques.
a) It is a software tool or a collection of different software tools
b) It is an approach in which a software suite (a collection of multiple
software tools) is used for data access, data extraction and analysis, which
facilitates the auditor in forming an opinion regarding the degree of compliance. This
approach becomes very significant for financial audits in which the financial
data is maintained on computer-based servers or in data centers. All these
software tools implement and comply with the Generally Accepted Audit Practices
(GAAP).

These software tools and techniques facilitate the auditor in performing the following functions
1. Data access or file access/database access
2. Data extraction
3. Data conversion/file or format conversion
4. Format converter
5. Data indexing
6. Data sorting
7. Data comparison
8. Data filtering
9. Data analysis/pattern finding
10. Calculating the mean, variance, median, average, probability etc. (statistical functions)
11. Analytical functions (what-if analysis)
12. Goal seek
13. Log reduction tool
14. Log analysis
15. Data lookups
16. Data import/export
Different types of CAAT
1. Generalized audit standard (GAS)
2. Embedded audit module (EAM)
3. Decision support system (DSS) for auditor
4. Expert system for auditor
5. BI (Business Intelligent) applications for auditors
6. Format convertors
7. Data mapper
8. Data access tools
9. Data import and export tools
10. Data analytical tools (mathematical, statistical tools)
Internal controls
Measures, actions and checks placed on or imposed on assets, working procedures or actors in order
to apply standards and best practices
Objectives
1. Risks are controlled or mitigated
2. They facilitate the organization in fulfilling its objectives
3. All the stakeholders are satisfied
4. Smooth execution of the operations is ensured
5. All the assets are well protected
6. Effective implementation of internal controls ensures strict compliance with
industry best practices, laws, regulations and standards
7. Effective implementation of internal controls helps the organization to gain
competitive advantage and increase market share
8. They ensure the optimum utilization of resources
Types of Internal Control
1. Preventive
2. Detective
3. Corrective
Preventive
1. Policies
2. Enforcement of industry best practices
3. Selection of qualified professionals
4. Segregation of duties
5. Training and orientation
6. Capacity planning and management
7. Input validation
8. Firewall
9. Intrusion prevention system (IPS)
10. Restricted access
11. Encryption/decryption

Detective
1. Digital signature
2. Activity logging
3. Sequence checking
4. Supervisory review
5. Reporting and acknowledgment
6. Parity checking (even or odd)
7. Cyclic redundancy check (CRC)
8. Hash/sub totals or reconciliation
9. Environmental detectors
10. Performance review
11. Anti-virus
12. Echo sending
Corrective
1. Backups
2. Recovery procedures (Disaster recovery planning DRP)
3. Business continuity planning
4. Re-run activity
Information System Control Objectives:
1. To ensure the safe custody of the information systems, data centers, IPF, backup
sites, recovery sites and library sites
2. To ensure the protection of hardware equipment, its installation and configuration, and
the continuity of operations
3. To protect the operating system environment from external penetration
4. To assure the integrity of the business applications, which include the financial
applications, ERP and e-business solutions
5. To assure data input validation, data processing and data preservation
6. To maintain data integrity, availability and confidentiality
7. To maintain and assure that the data is processed completely and accurately
8. To assure that IT operations are performed as specified, continuously monitored and
improved as well
9. To assure that proper backups of the IT applications have been taken and that disaster
recovery procedures are effective
10. To ensure the reliability of the system by implementing effective change management
practices

SECTION B (6)
Governance and Management
1. Corporate Governance
2. IS Governance
3. IT Governance
1. Corporate Governance
1. Give authority to the people
2. Give resources to the people
3. Give decision power to the people
4. Make them accountable
2. IS Governance
1. Assets protection
2. Processes protection
3. Data protection
3. IT Governance
1. IT shall deliver value to Business
2. IT risks are controlled
Objectives of IT Governance
1. Strategic alignment with business goals/objectives
2. Risk management
3. Value delivery
4. Resource management
5. Performance measurement

Auditor role in IT Governance
1. He will facilitate the top management in the successful implementation of IT
governance
2. The auditor will give reasonable assurance to the top management regarding
compliance with best practices
3. The IT auditor will provide the best recommendations regarding the implementation of IS
controls, which will surely reduce the level of organizational risk
4. The recommendations of the auditor will help the organization to achieve its legal,
security, regulatory and compliance requirements
5. The introduction of CSA and CAAT will help the organization to bring about overall process
improvement
Approaches to Implement the IT Governance
1. Internal controls and IS Controls
2. IT Steering Committee and IT Strategy Committee
3. IT Balanced Scorecard
Strategy and Steering Committee
Strategy Committee
It advises:
1. It ensures that the investment in IT is aligned with the
business goals
2. It defines the strategy and direction for IT projects
3. It gives advice on the resources, professional skills and
infrastructure needed for the fulfillment of the organization's goals
4. It gives advice on how IT risks will be controlled
5. It makes sure that cost is optimized
Steering Committee
It provides a plan and performs actions:
1. It decides the amount, cost or budget which must be
allocated to the IT project
2. Approval and acquisition of the resources for the project
3. It evaluates and approves the overall architecture of the
project, which must be in accordance with the business
theme
4. It monitors and evaluates the execution of the project to see
whether it will be completed in time and within the allocated budget
or not
5. It may be involved in resolving conflicts, either between
the different divisions of the IT team/project team or with
clients, regarding the resources or requirements
respectively
6. It also gives recommendations to the top management
regarding performance measurement strategies
7. It also gives recommendations regarding the functioning,
resources, technology and security requirements

Organizational Structure/Organizational Organogram
1. Project Manager Responsibilities
2. System Analyst Responsibilities
3. Database Administrator Responsibilities
4. Network Administrator Responsibilities
5. System Administrator Responsibilities
6. Security Architect/Administrator Responsibilities
7. Web Developer/Web Administrator Responsibilities
8. Media Manager Responsibilities

1. Project Manager Responsibilities
a) Deliver the project in time
b) Deliver the project within the allocated budget
c) Assure the fulfillment of customer needs
d) Quality management
e) Risk management
f) Resource management
a. Deliver the project in time
Perform the WBS (Work Breakdown Structure)
Identify the task dependencies
Task prioritization
Identify the start time, finish time and slack (extra) time
Assign the tasks to the team/task assignment
e. Risk Management
1. Risk identification
2. Risk assessment
3. Risk mitigation/contingency
4. Risk controlling
f. Resource Management
1. Resource need/requirement assessment
2. Resource identification
3. Resource acquisition
4. Resource allocation
5. Resource monitoring
6. Resource revocation (to take back)
2. System Analyst Responsibilities
a) Requirement gathering and analysis
b) Team formation/development
c) Coordination and communication between the development teams and the project
managers as well as with business client
d) Selection of technology, its assessment and approval
e) Selection and identification of technical equipment including hardware and software
f) Conflict resolution between the different stakeholders
3. Database Administrator Responsibilities
a) Selection of the Database Management Software (DBMS)
b) DBMS installation and configuration
c) Implement and monitor user query processing activities
d) Perform the regular Database performance testing
e) Implement the procedures for DB change management
f) Implement the DB security controls, access controls, concurrency controls
g) Monitor the DB usage, gather the statistics and use them for the improvement

4. Network Administrator Responsibilities
a) Design the network: topology, size and architecture
b) Ensure the selection of cable media and its installation
c) Deployment of network devices (routers, etc.), their installation and configuration
d) The network administrator is responsible for port addressing and its mapping with the
devices
e) He is responsible for the IP addressing scheme and assignment of IP addresses to the work
stations
f) He is responsible for network protocol configuration and installation
g) He is responsible for monitoring the network traffic and gathering statistics
regarding network usage
h) He is responsible for bandwidth utilization and resource monitoring
i) He is responsible for network troubleshooting and device monitoring
j) He is also responsible for taking the network backup and for network security as well
k) He is responsible for the smooth transmission of and access to data
l) He is responsible for the management of network operations and their continuous
monitoring
5. System administrator responsibilities
a) He is responsible for setting up work stations
b) He is responsible to perform the installation of the operating system, antivirus, critical
applications and their installation
c) He is responsible for the setting up user and admin account as well
d) He is responsible for the implementation of organizational policies and access right
definition on work station
e) He is also responsible for equipment replacement and trouble shooting
f) He is responsible for providing the network access on the work station and specifying
the user access, storage quota and bandwidth limit
6. Security Administrators Responsibilities:
a) He is responsible for periodically reviewing the information security policy and giving
leading recommendation regarding the possible improvements
b) He is responsible for defining the access rights to the IT resources and also responsible
for ensuring the information or data confidentiality and its safe custody
c) He is responsible for monitoring user attempts and user access in order to prevent any
security violation
d) He is responsible for taking corrective actions in case of a security violation
e) He is responsible for implementing the different security controls and their regular
assessment
f) He is responsible for testing the installed security architecture to evaluate its strength
and weaknesses
g) He must exercise good control on the practice of issuing user logins and passwords
h) He is responsible for security risk management, legal and regulatory compliance
7. Web developers responsibilities/programmer
a) He is responsible for web graphical user interface GUI designing
b) He is also responsible for writing the source code using an appropriate web programming
language, e.g. HTML, PHP, ASP, XML, JavaScript
c) He is also responsible for web database development
d) He is also responsible for the website's regular maintenance
Quality Assurance (QA) (verification)
Quality assurance personnel are responsible for assuring that the quality policy and quality
procedures are in compliance with industry best practices, are being strictly
followed, and are effective
Quality Control (QC) (validation)
Quality control personnel are responsible for ensuring that the software product is free from
software bugs and errors and that it fulfills the user demands
8. Media Management Responsibilities:
1. He is responsible for issuance, receiving of the IT inventory
2. He is responsible for managing the inventory records and its safe custody
3. He is responsible for the arrangement, labeling and indexing of the files, storage devices
and other equipment
4. He is responsible for restricting unauthorized access to the assets
5. He must maintain a master file record for the inventory, their context and keep
updating the list
6. He is responsible for the physical security measures as well as the environment
security measures
7. He is responsible for the user memberships, user accounts and their renewal etc.
8. He is responsible for managing the versions control of the software source code
9. He is responsible for managing the pre-change and post-change software source code
images
10. He is responsible for maintaining the logs of the inventory issuance request, request
approval, inventory issuance and its revocation or recovery
Information Security/System Policies
Its components are
1. Statement of the management's will
2. Definition of organizational information security
3. Information security framework
4. Identification of the responsibilities, with reference to the documents supporting the security
policies, which may include or refer to the standard practice documents, manuals and
organizational procedures
5. The information security framework gives a brief description of risk
assessment, internal controls and IS controls, business continuity planning, cyber
incident handling and management, and security violations and response. In addition,
user training, awareness and education are also declared an important requirement
Segregation of Duties
Importance or benefits of segregation of duties
Controls for segregation of duties:
Critical Controls (not ignorable)
1. Custody of asset
2. Restricted access to asset or data
3. Transaction authorization
Compensating Controls:
Give support to the critical controls
1. Transaction logs
2. Supervisory review
3. Independent review
4. Exception reporting
5. Audit trail
6. Reconciliation
Custody of Asset: (media managers responsibility)
Owner defines the security level of the asset (Security levels are as follows)
1. Secret
2. Top Secret
3. Confidential
4. Undefined
Defines the authority of the people who are intended to access it, normally on the criterion of least privilege
on the basis of need to do, need to know and need to have

Transaction Authorization:
In order to perform transaction authorization, a user authorization request form is specially
designed, filled in, recorded, assessed, and approved or rejected.
A control matrix of role versus role is developed. A role versus responsibilities matrix is
also developed
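The role-versus-role control matrix and the authorization request form above, worked through as an added Python example (not from these notes). The role names, the conflict pairs, the user assignments and the mapping to the compensating controls are all constructed for illustration; the pairs encode the three critical controls (custody, access to records, authorization) as duties that must sit with different people.

```python
"""Segregation-of-duties (SoD) check against a role-versus-role conflict matrix.

Added example, not part of the lecture notes. The role names, the conflict
matrix and the user assignments below are constructed for illustration.
"""
from itertools import combinations

# Role-versus-role matrix (constructed): pairs of duties one person must never
# hold together. It encodes the three critical controls from the notes: custody
# of the asset, access to the records, and transaction authorization must sit
# with different people.
CONFLICTING_ROLES = {
    frozenset({"asset_custodian", "transaction_authorizer"}),
    frozenset({"asset_custodian", "record_keeper"}),
    frozenset({"transaction_authorizer", "record_keeper"}),
    frozenset({"transaction_authorizer", "independent_reviewer"}),
}

# Compensating controls the notes list as support for the critical controls;
# they are reported when a conflict cannot be avoided (assumed mapping).
COMPENSATING_CONTROLS = ["transaction logs", "supervisory review",
                         "independent review", "exception reporting"]

# Role-versus-responsibility assignments (constructed sample): user -> roles held.
ASSIGNMENTS = {
    "alice": {"asset_custodian"},
    "bob": {"transaction_authorizer", "record_keeper"},   # conflicting pair
    "carol": {"independent_reviewer"},
}


def sod_conflicts(assignments):
    """Return sorted (user, role_a, role_b) triples for every conflicting pair a user holds."""
    found = []
    for user, roles in assignments.items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in CONFLICTING_ROLES:
                found.append((user, role_a, role_b))
    return sorted(found)


def evaluate_access_request(assignments, user, requested_role):
    """Assess a user authorization request form: approve it, or reject it and
    name the role(s) it would conflict with plus the compensating controls
    that would have to be in place if management overrides the rejection."""
    held = assignments.get(user, set())
    clashes = sorted(r for r in held
                     if frozenset({r, requested_role}) in CONFLICTING_ROLES)
    if clashes:
        return {"decision": "reject", "conflicts_with": clashes,
                "compensating_controls": list(COMPENSATING_CONTROLS)}
    return {"decision": "approve", "conflicts_with": [], "compensating_controls": []}


if __name__ == "__main__":
    for user, role_a, role_b in sod_conflicts(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {role_a} and {role_b}")
    print(evaluate_access_request(ASSIGNMENTS, "alice", "transaction_authorizer"))
    print(evaluate_access_request(ASSIGNMENTS, "carol", "record_keeper"))
```

Running the module lists bob as holding authorization and record keeping together, rejects alice's request to add authorization to custody, and approves carol's request, since reviewer plus record keeper is not a pair in the matrix. An auditor checking segregation of duties runs the first function over the full role-versus-responsibility matrix; the second is the check applied to each new authorization request form.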
Supervisory Review: (supervisor review this)
1. Visual inspection
2. Cross check
3. Double check
Independent Review
An independent review can be performed by either interdepartmental teams, internal
auditors or the regulatory auditor in order to identify any kind of irregularity.
It has a security and cost impact; it is often not possible for small and medium enterprises to conduct
independent reviews due to financial constraints
Exception Reporting:
Exception reporting is a feature of self-monitoring and feedback that distinguishes
abnormal, bad or modified patterns, compares them with the trusted one and
highlights them if needed
Audit Trail:
It is the process of tracing back to the origin of a crime or fraud conducted in the organization;
it makes use of the transaction logs, evaluates the whole transaction flow and facilitates the
judiciary in making a judgment regarding the crime
Reconciliation:
In this kind of activity different kinds of checks, e.g. subtotals, batch totals, hash totals and
aggregated totals, are used to determine the financial integrity of the transactions
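The reconciliation just described, together with the parity check, CRC and hash/sub totals listed among the detective controls earlier, in working form as an added Python example (not from these notes). The transaction batch, its record layout and the "ACC-<number>" account format are constructed; the point it shows is which tampering each control does and does not catch, which is what an exception report built on these totals would highlight.

```python
"""Detective controls in working form: batch/hash totals with reconciliation,
a CRC over the batch, and a parity bit.

Added example, not part of the lecture notes. The transaction batch is a
constructed sample; the record layout and field names are assumptions.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str        # constructed form "ACC-<number>"
    amount_cents: int


# Constructed batch as submitted at data entry.
BATCH = [
    Txn(1001, "ACC-100", 12500),
    Txn(1002, "ACC-250", 8000),
    Txn(1003, "ACC-100", -3000),
    Txn(1004, "ACC-377", 4500),
]


def control_totals(batch):
    """Totals recorded when the batch is entered and recomputed after processing.

    record_count : batch total, catches dropped or duplicated records
    amount_total : financial subtotal, catches altered amounts
    hash_total   : sum of a field with no arithmetic meaning (the account
                   number), catches substitution of one account for another
                   that leaves count and amount unchanged
    crc32        : cyclic redundancy check over the serialized batch, catches
                   any byte-level change
    """
    serialized = "\n".join(
        f"{t.txn_id}|{t.account}|{t.amount_cents}" for t in batch).encode()
    return {
        "record_count": len(batch),
        "amount_total": sum(t.amount_cents for t in batch),
        "hash_total": sum(int(t.account.split("-")[1]) for t in batch),
        "crc32": zlib.crc32(serialized),
    }


def reconcile(expected, batch):
    """Compare the totals taken at input with those recomputed on the processed
    batch; return the sorted names of the controls that no longer agree (an
    empty list means the batch reconciles)."""
    actual = control_totals(batch)
    return sorted(name for name in expected if expected[name] != actual[name])


def even_parity(data):
    """Parity bit that makes the number of 1 bits in data plus the bit even."""
    return sum(bin(b).count("1") for b in data) % 2


def parity_ok(data, parity_bit):
    """True if the received data still agrees with the parity bit sent with it.
    A single flipped bit is detected; an even number of flips is not."""
    return even_parity(data) == parity_bit


if __name__ == "__main__":
    expected = control_totals(BATCH)
    substituted = [BATCH[0], Txn(1002, "ACC-520", 8000), BATCH[2], BATCH[3]]
    print("account substituted ->", reconcile(expected, substituted))
    print("single-bit flip detected:", not parity_ok(b"\x03", even_parity(b"\x01")))
```

Swapping an account number leaves the record count and the financial subtotal intact, so only the hash total and the CRC flag it; changing an amount is caught by the subtotal; dropping a record fails every control. The parity check shows the limit of that class of control: one flipped bit is detected, two flipped bits are not, which is why the notes pair it with the CRC.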
IT Governance Best Practices:
Internal controls
Strategy and steering committee
IT Balanced Scorecard
It is a management technique to implement IT governance in the organization.
The concept is to assess the capability, perform the job in a process-oriented way and
subsequently evaluate the performance in a quantified manner. It is slightly different from
other approaches because it does not evaluate performance in terms of financial gains,
cost reduction, user satisfaction and deadline meeting. It focuses on identifying industry-specified
best Key Performance Indicators (KPIs) to use as parameters for the performance evaluation.
It gives a three-step procedure for its implementation
1. Define the mission
2. Define the strategy
3. Measure the performance
In the first step (Define the Mission) we define what we can do, what we shall obtain, what
we shall become and what we shall deliver.
In the second step (Define Strategy) we define and develop the procedures
to answer the above-mentioned questions:
Provide infrastructure, resources and information
Identify and implement the controls
In the third step (Measure the Performance) we initially define quantified measures or
performance metrics/indicators/parameters in terms of KPIs, KGIs (key goal indicators) and
CSFs (critical success factors)

IS Management Practices:
1. Human Resource Management Practices (HRM)
2. Outsourcing Practices
3. Quality Management Practices
4. Change management Practices
5. Information security management practices
6. Financial Management Practices
7. Performance Optimization Practices
1. Human Resource Management Practices (HRM)
a) Hiring/recruitment policy
b) Training policy
c) Vacation policy
d) Performance evaluation policy
e) Assignment, Scheduling and reporting policy
f) Termination policy
a. Hiring/recruitment policy
1. You must perform the capacity management planning
2. Identification and determination of vacant positions
3. Defining the required level of qualification and professional certifications if required
4. Defining the level of experience required and the skills set
5. Defining the procedures for the candidate application processing, assessment and its
selection
6. Employee or candidate background screening check
7. It can be outsourced
b. Training Policy (human resource development HRD)
1. Identification of organization training requirements
2. Development of the training staff
3. Allocation of the training budget
4. Annual training schedule and planning
5. Training of the trainer
6. Succession planning
7. Transfer of the technology to the trainee
8. Training bonds policy and its violation consequences
c. Vacation Policies
1. Identification of vacation types: CL (Casual Leave), LFP (Leave with Full Pay), RCL
(Recreational Leave), X-Pak leave
2. Forced vacation policy
3. Vacation encashment policy
4. Vacation approval authority policy
d. Performance Policy
1. Establishment of Goals and deliverables on annual basis
2. Formation of annual confidential report (ACR)
3. Decision of salary benefits, bonuses, honorarium (in term of cash, or certificate or gifts)
4. Decision of annual increment
5. Identification of career progress path
6. Promotion policy
7. Accelerated promotion policy
8. Demotion policy
9. Suspension policy (officer of special duty)

f. Termination policy
1. Criteria for job termination
2. Resignation policy
3. Absconding policy
4. Forced termination, suspension, regular termination and post-termination activities
following the regular termination: revocation of the resources, intimation to the payroll
department, intimation to the security department as well as the system administration
department, and intimation to other associated parties
Global Practices of Outsourcing
1. Time zone (Europe EST, American GST)
2. Culture
3. Human policies/personnel policy (incentives)
4. Environmental safety (at the place of physical production)
5. Telecommunication issues (eastern E1, American T1)
6. Regulatory issues (taxes, licensing issues, software piracy, cyber rules)
7. Quality standards
Risks of Outsourcing
1. Inappropriate selection of the vendor
2. Discontinuity or denial of services
3. Loss of control over the information system
4. Loss of learning opportunity
5. The cost may exceed the allocated budget
6. The client's expectations may not be fulfilled
7. The software may not be delivered in time
8. The vendor's failure of legal or regulatory compliance
9. Technological obsolescence of the vendor's IT system
10. Lack of loyalty by the vendor
11. Contractual violation by either party
12. Resistance to changing the terms of the contract
13. Increase in organizational inertia because the project is handed over to some other
party
14. Demand of hidden costs by the vendor
15. The expected level of service may not be delivered
16. Possibility of data disclosure or security exposure
17. Non-compliance with standards, which may bring a regulatory penalty to the client's
name
Auditing IT Governance and its Implementation
Documents to be reviewed by the Auditor
1. Company corporate policy document
2. IT Governance policy Document
3. Steering committee review
4. Steering committee review report
5. Strategy committee review
6. Strategy committee review report
7. IS controls review report
8. Information security policy
9. Information security policy review report
10. HR policy
11. Segregation of duties controls review report
12. Outsourcing contract review report
a. Contract award review report
b. Vendor selection process review
c. Contract Bidding Procedures
d. Contract Compliance Review Report
13. Outsourcing contracts (SLA)
14. Financial report
15. Organogram document
16. Job description of employee documents
17. Standard IT operations procedures manual
18. Risk assessment procedure document
19. Change management procedure manual
The problems that can be highlighted during the audit of IT Governance
1. IT investments are not delivering value to the organization
2. Excessive expenditure
3. No time savings
4. High staff turnover
5. Incompetent and inexperienced employees
6. Incomplete projects
7. Completed projects not delivered in time
8. Negative user feedback
9. Extensive exception reports
10. Frequent failures of the infrastructure
11. High backlog of user complaints
12. Low employee morale
13. Possibility of information disclosure
14. Lack of loyalty towards the organization
15. No major financial projects
16. Frequent fraud occurrences
17. No awareness of standard practices
18. Loss of competitive edge in the market

SECTION 7
Auditing infrastructure and operations
IPF (information processing facility)
IE (infrastructure elements)
1. Hardware
2. Operating System
3. Business Applications
4. Databases
5. Telecommunication Networks
1. Hardware
a) Capacity Management
b) Hardware Acquisition Review
c) Deployment (Change Management Review)
a. Capacity Management
1. The auditor must review whether a plan or procedure exists for monitoring resource
utilization
2. He will review the monitoring of processor usage, storage device utilization and
utilization of the telecommunication infrastructure
3. The auditor will review whether future growth projections have been conducted or not
4. The auditor will review the performance review criteria of the hardware
5. The auditor will review exception reports, problem logs, user feedback, processing
schedules and their implementation (hardware should be adequate (sufficient), should
be available, and should have the required capability and capacity)

b. Hardware Acquisition Review
1. The auditor will review whether there is a plan that considers IT obsolescence during
the acquisition
2. The auditor will review whether a cost and benefit analysis has been conducted before
the acquisition or not
3. The auditor will review the procedures for selecting the hardware supplier, vendor or
OEM (original equipment manufacturer)
4. The auditor will review whether all acquisitions are being performed through the
purchase department or not, to obtain the highest quality and discount
5. The auditor will review the effectiveness of the procurement assessment team and its
composition
6. The auditor will review the requirements for, and adequacy of, the essential
documentation provided by the vendor
7. The auditor will review whether a documented approval of the cost and benefit analysis
is available or not, and furthermore whether it includes the hardware cost, licensing
cost, installation cost, maintenance cost, warranty and insurance cost.
c. Deployment (Change management)
1. The auditor will review whether a proper plan for the hardware deployment is
available or not.
2. The auditor will review whether the person responsible for configuration, installation
and deployment is well aware and well trained or not
3. The auditor will review whether proper preventive and hardware backup measures
have been taken or not
4. The auditor will review whether the schedule for the hardware deployment affects the
peak hours of the business or not
5. The auditor will review whether the hardware change has been properly communicated
to the application programmers, software designers and the respective IT staff
6. The auditor will review whether the operational manuals and their copies at different
sites have been replaced in case of a new hardware acquisition and updated in case of a
hardware upgrade
7. The auditor will review whether the existing environment/premises is capable of
accommodating the new hardware or not
Operating system review
1. The auditor will interview the IS team regarding the selection criteria of the
operating system
2. The auditor will review whether the following parameters were considered during the
selection of the operating system
Does the operating system support the long-term IT plans and infrastructure
Is it capable of fulfilling the computational, security, input/output and strategic
requirements or not
Does the operating system vendor provide the necessary documentation or not
(operational manual, troubleshooting manual, online or offline help documents
and installation manual)
Does it meet the control requirements, e.g. maintenance of logs, exception
reports and audit support
Impact on application security
3. The auditor will review whether the compatibility of the current version of the
operating system with the business applications has been evaluated or not
4. The auditor will also review the cost and benefit analysis, which must include hardware
cost, licensing cost, maintenance cost, training cost and control cost
5. The auditor will review the test plan for the OS implementation, the implementation
procedures, the test result documentation and its approval
6. The auditor will review the OS support for access rights and for implementing the
organization's policies
7. The auditor will review the following controls regarding the OS installation
Backup plans
Change impact assessment
Problem identification and resolution
Recovery procedures
8. The auditor will review the following controls regarding the security features of the OS
Whether the OEM (original equipment manufacturer) supplied default configuration,
including default accounts and passwords, has been changed
Does it have support for audit trails and fraud detection
Access right definition and its violation reporting
Utilization of storage resources
Built-in support for antivirus, firewall and password implementation
9. The auditor will review the change control procedures and their respective controls
Source code modification of the OS
The necessary changes in the documentation shall be made
Pre-change and post-change images of the OS shall be made
All changes shall be tested before their implementation in the production
environment
Data base review
The auditor will review the following controls while performing the design review
1. Whether all the entities have been identified with proper naming conventions or not
2. Whether all the attributes, including single-valued, multi-valued and key attributes,
have been identified or not
3. Whether all the primary keys, candidate keys and foreign keys have been identified or
not
4. Whether all the relationships between the entities, the degree of the relationships and
the cardinalities have been identified or not
5. Whether a proper data dictionary has been developed or not
6. Whether a complete ERD has been developed and transformed into the respective
tables or not
7. Whether the normalization of the tables has been performed or not
8. Whether the data access method has been identified or not
9. Whether provision for a transaction log has been taken into consideration or not
Access review
1. The IS auditor will review whether proper access control measures have been taken or
not
2. Whether triggers have been properly implemented or not (triggers are actions that are
executed automatically when a defined event occurs on a table, e.g. an insert or update)
3. The auditor will also see whether stored procedures have been properly implemented
or not (a stored procedure is a set of SQL instructions grouped in the form of a routine
that can be reused by the users)
4. The IS auditor will also review whether exceptions during transaction processing are
handled (e.g. by rolling back the incomplete transaction) or not
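The trigger and exception-handling points above, shown as an added example that is not part of these notes: a small SQLite schema (constructed for the demo, table and column names are assumptions) with a trigger that writes an audit row for every balance change, and a transfer routine that stands in for a stored procedure (SQLite has no stored procedures, so a Python function wraps the two updates in one transaction). When a transfer violates the balance constraint or names an unknown account, the whole transaction is rolled back, and the audit rows the trigger wrote for the failed attempt disappear with it, which is the behaviour an auditor checking items 2 to 4 would want to see.

```python
import sqlite3

# Constructed demo schema: an account table, an audit table, and a trigger
# that fires after every balance change and records the old and new values.
SCHEMA = """
CREATE TABLE account (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
CREATE TABLE account_audit (
    audit_id    INTEGER PRIMARY KEY,
    account_id  INTEGER NOT NULL,
    old_balance INTEGER NOT NULL,
    new_balance INTEGER NOT NULL,
    changed_at  TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER account_balance_audit
AFTER UPDATE OF balance ON account
BEGIN
    INSERT INTO account_audit (account_id, old_balance, new_balance)
    VALUES (NEW.id, OLD.balance, NEW.balance);
END;
"""


def build_demo():
    """Create an in-memory database with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO account (id, owner, balance) VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 50)],
    )
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from account `src` to `dst` as one transaction.

    Plays the role of a stored procedure. `with conn:` commits on success and
    rolls back on any exception, so a failed transfer leaves neither a
    half-applied balance change nor the audit rows the trigger wrote for it.
    Returns True on success, False if the transfer was rejected.
    """
    try:
        with conn:
            cur = conn.execute(
                "UPDATE account SET balance = balance - ? WHERE id = ?",
                (amount, src),
            )
            if cur.rowcount != 1:
                raise ValueError(f"no such account {src}")
            cur = conn.execute(
                "UPDATE account SET balance = balance + ? WHERE id = ?",
                (amount, dst),
            )
            if cur.rowcount != 1:
                raise ValueError(f"no such account {dst}")
        return True
    except (sqlite3.IntegrityError, ValueError):
        # IntegrityError: the CHECK (balance >= 0) constraint rejected an
        # overdraft; ValueError: unknown account. Both were rolled back.
        return False


def balances(conn):
    """Current balance per account id."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def audit_trail(conn):
    """Audit rows in the order the trigger wrote them."""
    return list(conn.execute(
        "SELECT account_id, old_balance, new_balance "
        "FROM account_audit ORDER BY audit_id"
    ))


if __name__ == "__main__":
    db = build_demo()
    print(transfer(db, 1, 2, 30), balances(db), audit_trail(db))
    print(transfer(db, 1, 2, 500), balances(db), audit_trail(db))
```

The audit table is written by the trigger, not by application code, so an application bug or a direct update by a privileged user cannot change a balance without leaving a row; the rollback test shows that the audit trail records only committed changes, which is what a reviewer reconciling the trail against the account table expects.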
Administration Review
The auditor will review that whether the proper controls have been taken for the
following measures
a. Regular/periodic backup of the data
b. Data recovery measures in case of data failure
c. Performance tuning
d. Query Optimization
e. Concurrency Control
f. Definition of Access rights
g. Allocation and monitoring of the memory

Interface Review
1. The auditor will review that whether the privileges of data import and export between
the database and the web, external sources, interdepartmental information system
have been established or not
2. Whether the proper security measures have been taken for the secure exchange of
data and handling the integrity issues
Portability Review
1. Whether the proper measures have been taken for the data portability, independent of
the DBMS, OS and technological infrastructure
LAN (Local Area Network) Review
1. Design Review
2. Review of Physical Controls
3. Review of Environment Controls
4. Review of the Logical Controls
5. Security Assessment and Testing Review
Design Review
The IS auditor will check the following while performing the design review
1. Whether a proper network topology is identified and whether a proper design for the
topology was prepared or not
2. Whether the selection criteria for the Network has been established or not
3. Whether all the essential networking devices, their location and their configuration
parameters have been identified or not
4. Whether the network protocols for different set of services have been identified or not
5. Whether proper IP and Port scheme have been identified or not
6. Whether the security devices and security protocols have been determined or not
7. Whether the administrative role and their responsibilities have been identified and
assigned or not
8. Whether all the cables and their required specification have been determined or not
9. Whether a network design diagram has been prepared, assessed, reviewed and
approved or not
10. Whether the network design diagrams and their latest versions have been maintained
or not
2. Review of Physical Controls
a) The auditor will review whether all the important networking devices like network
servers, gateways, routers and firewalls etc. have been kept in properly locked premises
or not
b) Whether a responsible and trained custodian has been deployed or not
c) Whether access to the network control room is restricted or not
d) Whether a visitors' log has been maintained or not
e) Similarly, whether a log of the network control room keys has been maintained or not
f) Whether the server casings and workstation casings, removable storage devices, portable
exchanges and wiring closets have been physically protected or not
g) Whether proper surveillance of the network control room (NCR) with CCTV cameras is
in place or not
h) Whether the operations manuals of all the networking devices have been physically
protected or not

3. Review of Environmental Controls
1. The IS auditor will review whether the protection of the equipment against
environmental exposures has been ensured or not
2. Whether proper humidity control sensors, water and flood detectors, smoke detectors,
proper backup power sources, electrical surge and spike protectors, UPS backups and
generators, fuel backups, fuel tank reservation, static charge protectors, magnetic
field protectors, proper air conditioning system, sprinkler systems, fire protection
and extinguisher controls and sink system have been implemented or not
4. Review of the Logical Controls
1. Whether proper security measures for restricted access have been taken or not
2. Whether access and privileges have been granted on a need-to-know, need-to-have,
need-to-do and least-privilege basis
3. Whether properly configured network firewalls have been implemented or not
4. Whether the data over the communication lines is transmitted in encrypted form or not
5. Whether proper network traffic monitoring tools have been deployed over the network
to identify any malicious or bad data traffic
6. Whether proper user identification and authentication measures, employing best
password practices, have been ensured or not
7. Whether all attempts to access the servers are being strictly monitored or not
8. Whether proper network activity logging is in practice or not
9. Whether regular and periodic reviews of the logs are being performed or not
10. Whether a proper domain policy has been implemented or not
11. Whether automatic logout of sessions has been implemented in case no activity is
being performed on the workstations
12. Whether the server operating systems and the other network operation software are
being regularly updated or not
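Items 7 to 9 ask whether server access attempts are monitored and whether the logs are actually reviewed. The following is an added example, not part of these notes, of what such a review looks like when automated: it parses constructed sshd-style log lines (sample data, not a real server) and flags a source address that fails authentication five or more times inside a one-minute window, and, more importantly for an auditor, a successful login from that same source while the burst is still inside the window. The threshold and window are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not real data.
SAMPLE_LOG = """\
Mar 12 10:01:02 srv1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:03 srv1 sshd[1235]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 12 10:01:04 srv1 sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 10:01:05 srv1 sshd[1237]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 12 10:01:06 srv1 sshd[1238]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 12 10:01:07 srv1 sshd[1239]: Failed password for invalid user admin from 203.0.113.5 port 51239 ssh2
Mar 12 10:01:09 srv1 sshd[1240]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar 12 10:05:00 srv1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 12 10:05:30 srv1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, result, user, source) for each recognised line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        # syslog lines carry no year; strptime defaults to 1900, which is
        # fine because only relative time differences are used below
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def review_access_log(text, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside window_s seconds, and any
    successful login from such a source while the burst is still in the window."""
    recent_failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in sorted(parse(text.splitlines())):
        fails = recent_failures[src]
        # slide the window: forget failures older than window_s
        while fails and (ts - fails[0]).total_seconds() > window_s:
            fails.pop(0)
        if result == "Failed":
            fails.append(ts)
            if len(fails) == threshold:  # fire once per burst, not per line
                alerts.append(("failed_login_burst", src, user))
        elif len(fails) >= threshold:
            alerts.append(("success_after_burst", src, user))
    return alerts


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print(*alert)
```

The single failed attempt by alice followed by a key-based login is ordinary and produces nothing; the burst from 203.0.113.5 followed by an accepted password for root is the pattern a periodic log review exists to catch, and the "success_after_burst" alert is the one that should be escalated under the incident-reporting procedure.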
5. Security Assessment Testing
1. The auditor will interview the network operations staff to know whether they are well
aware of their job responsibilities, security policies, best practices, and possible
network threats and exposures or not
2. Whether proper measures have been taken for reporting security violations and whether
the security remedies are applied or not
3. The auditor will review official records to know whether the networking staff is being
properly trained or not
4. Whether the vendor-specified maintenance measures are being regularly taken or not
5. Whether the IS staff is well aware of handling a cyber-incident or not and whether they
are aware of the responses to be taken or not
6. Whether regular risk assessments and control assessments, and their respective
follow-ups, are being practiced or not
Auditing IS Operations
1. Lights-out Operations Review
2. Computer Operations Review
3. Hardware Availability and utilization review
4. Problem management review
5. Job Scheduling Review

1. Lights-out Operations Review
1. The IS auditor evaluates whether a manual backup system or a standby operator exists
in case of failure of the lights-out operations
2. Whether secure communication between both sides, i.e. where the operations are being
performed and from where the operations are controlled, is ensured or not
3. Whether all remote access to the console (the location from where the operations are
being monitored) is strictly being monitored or not
4. Whether periodic reports regarding the scheduling of the lights-out operations, all the
failure states, operation restart activity and activity logging are being generated or not
5. Whether change management procedures (program change control practices) are in
practice to avoid any unauthorized changes in the software of the lights-out
operations
6. He will also determine whether all the physical and environmental security controls
have been deployed on both sides or not
7. Whether storage activities and version control activities are being monitored or not
2. Computer Operations Review
a) File Handling Procedures
b) Data entry Operations
c) Scheduling and exception
d) The library operations
a) File Handling Procedures
1. Whether procedures for file identification, storage, backup, manipulation, distribution,
release and receipt, and file security exist or not
b) Data Entry Operations
1. Whether controls for safe custody of the data, authorization of the transactions,
segregation of duties, validation of input data and record keeping exist or not
c) Scheduling and Exception
1. The auditor will review whether the operators record the jobs, whether they arrange
them properly and execute them in compliance with the schedule or not
2. Whether they record all the exceptions, report them to the management, ask for
permission to restart or resolve the exception, and whether the logs are being kept or
not
d) The Library Operations
1. Whether restricted access to the tape devices, source code and documentation manuals
is ensured or not
2. Whether controls for item issuance, receipt, backups, environmental and physical
security and restricted access are in place or not
3. Hardware Availability and Utilization Review
1. The auditor will review the exception reports, problem logs, performance records, job
schedule plans, resource pool reports and equipment maintenance schedule reports to
determine whether the utilization of the hardware is at an optimum level or not
2. He will review the reports to find out the reasons for hardware malfunctioning,
unexpected or abnormal behavior of the software and operator mistakes
3. Whether the equipment maintenance schedule provided by the OEM is strictly being
followed or not
4. Whether preventive maintenance is being performed at off-peak hours to ensure
minimum interruption or discontinuity of services
5. He will review the performance logs of the equipment running computationally heavy
applications to determine whether the capacity of the hardware is sufficient for the
application or not
6. Whether the hardware availability and its adequacy support the job schedule or not
4. Problem Management Review
1. The IS auditor will interview the IT support staff to know whether they are well aware
of their responsibilities and whether they are properly trained or not
2. Whether properly documented procedures exist for problem recording, problem
resolution and evaluation of the solution
3. Whether the problem records or performance records are being regularly reviewed to
identify the root cause of the problem and to find the reasons for, and justification of,
delays in problem resolution
4. He will also review whether outstanding problem logs, recurring problem logs and
delayed problem logs are being reviewed by the management and whether follow-up or
preventive measures are being taken by the management or not
5. He will also review whether user feedback and remarks are being collected and
documented or not once the problem is resolved
6. He will also determine whether procedures exist for the unique identification of the
problem, problem tracking and status, solution and verification measures
7. Whether the management is being informed in a timely manner regarding unresolved
problems
8. He will also review whether the priority and criticality of the problems are taken into
consideration or not when multiple problems coexist
9. Whether responsible and competent staff are authorized to resolve the reported
problems or not
10. Whether the statistics collected by the problem management department are being
used for process improvement or not
5. Job Scheduling Review
1. Whether proper time plans for all the official tasks are being properly prepared or not
2. Whether the schedule planning considers the requirement gathering time, development
and processing time and delivery time
3. The auditor will review the activity logs and the schedules to find out whether the jobs
are being performed in time and, if not, whether the delays are being highlighted and the
reasons for the delay are properly reported or not
4. Whether the relative priorities of the jobs and the workload of the employee to whom a
job is assigned are considered or not
5. Whether strict compliance with time and quality is being practiced or not
6. Whether the skills of the employees and the availability and adequacy of the resources
are being considered during schedule planning or not
7. Whether all daily job schedules, or even daily shift-based schedules, are being prepared
and whether a responsible supervisor is assigned to each schedule or not
8. Whether the job schedule clearly describes the number of jobs, their sequence of
execution, their relative priorities, the work assigned to each job, the resource
requirements of the job, the deliverables of the job, job dependencies and slack
time/extra time
9. Whether the jobs which are not being performed in time are being investigated by the
management and whether follow-up measures have been taken to avoid recurrence of the
delay
10. Whether the backlogs highlighting the outstanding jobs and delayed jobs are being
addressed by the management or not

Section 10
1. IS Audit Process
2. IT Governance and Management
3. Infrastructure and Operations
4. Protection of information assets
5. BCP and DRP
BCP
BCP Plan Parts
1. BCP Policy
2. Business Recovery Policy (BRP)
3. Continuity of operations plan
4. Continuity of IT Support plan
5. Crisis communication plan
6. DRP
7. Occupant emergency plan
8. Cyber incident response plan (BS 25999, ISO 17799 BCP Standards)
2. Business Recovery Policy (BRP)
It provides procedures for recovering business operations immediately after a disaster
3. Continuity of Operations Plan
It addresses the procedures and capabilities to sustain an organization's operations at an
alternate site or recovery site for up to several days
4. Continuity of IT Support Plan
It provides the procedures for recovering and sustaining major business applications,
e.g. ERP operations, airline operations or a manufacturing system in an industry
5. Crisis Communication Plan
It defines the procedures to disseminate information and status about the event to the
general public, to the employees of the organization and to other stakeholders
6. DRP
It provides the procedures to facilitate the recovery capability at the alternate site; in
other words it gives detailed information on how the critical operations can be kept
running at the alternate site or the recovery site until the primary site becomes
operational again
7. Occupant Emergency Plan
It defines the procedures for minimizing the loss of life and damage to assets in case of a
physical disaster. It also deals with the safe evacuation of the workers from the premises
without causing them any injury or risk of loss of life
8. Cyber Incident Response Plan
It defines the procedures and strategies to detect a serious cyber-attack, how to respond
to the incident, and how to limit its propagation and consequences. It also deals with the
correction of errors and irregularities caused by the cyber incident
Teams Participating in BCP or DRP Plan
1. Senior management team (technical equipment procurement team)
2. Coordination team (training team)
3. Damage assessment team (testing)
4. Transportation and Relocation team
5. Administrative support team
6. Physical security team
7. Media relation team
8. Legal affairs team
9. Premises evacuation team
10. Alternate site Recovery team
11. Hardware and data salvage team
12. Server Recovery team
13. Network support team
14. Application Recovery team
15. Operating System Support team

Recovery Site Alternatives Types
1. Mirror Site, Duplicate Sites
2. Hot Sites
3. Warm Sites
4. Cold Sites
5. IPF with Reciprocal Agreement
6. Mobile Sites
Parameters on the basis of which the recovery site alternatives are differentiated
1. Cost
2. Setup time/Recovery time
3. Availability and setup time of the hardware
4. Availability of telecommunication infrastructure
5. Location
6. Basic Civic utilities
7. Scope of the services supported by the sites
1. Mirror sites
1. Mirror sites are the recovery sites with the highest cost of establishment and
maintenance
2. They take no time to become operational; rather, they are kept running even during
normal operations in the same way as the primary IPF works
3. They are fully equipped with all the civic utilities, and they run with mirrored
telecommunication infrastructure, hardware equipment and business applications
4. Their location is fixed and usually geographically far from the primary site, preferably
in a safe neighboring country or state
2. Hot Sites
1. Their setup time or recovery time is higher than that of mirror sites but lower than
the rest of the alternatives
2. Their cost of infrastructure establishment and maintenance is lower than that of mirror
sites but higher than the rest of the options
3. They are fully equipped with the entire telecommunication infrastructure, including
cables and telecom hardware equipment with their protection, configuration and
installation. However, they might not be operational in parallel with the primary site
4. They are also well equipped with the infrastructure required for the business
applications, including server machines, their OS installation, their network
configuration and their database configuration as well
5. The applications would be installed but, in some cases, not running
6. The installation of the business applications is performed after the relocation of the
employees to the site
7. Their location is fixed and usually geographically far from the primary site, preferably
in a safe neighboring country or state
8. They are fully equipped with all the civic utilities
3. Warm Sites
1. Warm sites are equipped with the basic hardware; however, a few hardware devices
that are readily available in the market are arranged and bought at the time of
relocation
2. Similarly, these sites are partially equipped with good telecommunication facilities,
including cabling and deployment of network devices and connectivity; however, their
configuration, including protocol configuration, is performed once the relocation has
been done
3. Similarly, data availability is ensured, but the installation of the business applications
and their connectivity with the databases are yet to be performed
4. They have a fixed location and take a few days (2-3) to set up
5. All the civic utilities, including living facilities, electricity, gas, water and fuel
availability, and security arrangements are available

4. Cold Sites
1. Cold sites only provide premises and shelter and the availability of basic civic
utilities
2. Cold sites provide very limited availability of hardware equipment as well as telecom
infrastructure, databases and business applications
3. They have a very long setup time, roughly up to a couple of weeks
4. They require that the hardware equipment be purchased and transported to the cold
site after the disaster; subsequently its deployment, OS installation and
interconnection are to be performed
5. For networking, cold sites provide the wiring and cabling infrastructure, socket port
availability and device shelves
5. IPF with reciprocal agreement
1. This site is a joint venture between two different companies having the highest degree
of compatibility in their services, needs and technological infrastructure
2. It is recommended that both parties are located in two different geographical locations
3. These sites are cost effective
6. Mobile sites
1. A mobile site is a recovery site that is maintained in a customized vehicle and can
easily be moved to the location where it is required
2. The most important advantages of a mobile site are its portability and the cost
incurred for its customization
3. It is very helpful in circumstances where the location is not feasible for a permanent
recovery site
4. Mobile sites can also be used to provide a temporary workaround in case the primary
site gets shut down
5. They are very commonly used by cellular companies, health departments, oil services
companies, defense organizations and media companies
6. It has almost no setup time, but the availability of services depends on the
infrastructure supported by the mobile site
BCP Process
1. Development of BCP Policy
2. Classification of operations and resources
3. Business impact analysis (BIA)
4. Development of BCP and DRP procedures
5. Testing and verification of BCP Plan and procedures
6. Training, drills and awareness campaigns
7. Audit the BCP Plan
1. BCP Policy Components
1. Definition of the disaster
2. Organizational management's commitment to the BCP and DRP
3. Risk based framework for BCP
o Risk Based Assessment
o Controls for BCP
o Procedures for BCP Verification
o Legal, Regulatory, Environmental and security Compliance
4. Resources requirements and fulfillment for BCP
5. Training and awareness requirements
6. Reference to the procedures and documents related to the implementation of BCP

2. Classification of Operations
a) Critical operations
b) Vital operations
c) Sensitive operations
d) Non-sensitive operations
a. Critical Operations
1. Critical operations are those operations which cannot be performed unless they are
replaced by an identical (exact) system.
2. These systems have a very high downtime or interruption cost, and a very low
interruption tolerance time.
3. Examples are a supercomputer system running the flight operations of an airline, a
business ERP for a company, or a mainframe computer running the core banking
solution
b. Vital Operations
1. Vital operations are operations which may be performed manually by humans, but
only for a very limited duration of time.
2. Such operations have a lower downtime cost compared to critical operations and
therefore have a higher interruption tolerance compared to critical operations.
3. For example, toll systems at a motorway interchange, an electronic tagging system for
luggage tagging, or the point of sale (POS) cash and cheque clearance system of a
bank
c. Sensitive Operations
1. Sensitive operations are operations which can be performed manually even for a
longer period of time, such as several weeks; such systems have a relatively low
downtime cost compared to critical and vital operations and a high downtime
tolerance.
2. These operations require additional human resources for their operational
functionality.
3. For example, physical security controls of the premises can be considered a sensitive
operation; data backup activity, power switching systems, replacement of the interactive
voice response (IVR) system, and job scheduling, assignment and planning can be
performed manually
d. Non-sensitive Operations
1. Non-sensitive operations are operations which can be suspended deliberately in case
of a disaster.
2. These operations can be shut down without causing any significant damage or loss to
the organization.
3. For example, the process improvement and quality assessment function, the external
audit function, and the change management function of the organization
3. Business Impact Analysis
In the business impact analysis, the possible disasters that might damage the critical
operations and resources are identified
The following metrics are determined during the business impact analysis
a) Recovery Point Objective (RPO)
b) Recovery Time Objective (RTO)
c) Service Delivery Objective (SDO)
d) Maximum Tolerable Outage (MTO)
e) Interruption Window (IW)
a) Recovery Point Objective (RPO)
RPO is the acceptable amount of data loss, expressed as the time between the last usable
backup and the point of failure
RPO determines the interval at which data backups must be taken (the backup interval
must not exceed the RPO)
b) Recovery Time Objective (RTO)
RTO is the acceptable or tolerable downtime
RTO helps in the selection of the recovery site
(DOWNTIME is the duration during which the continuity of critical operations remains
interrupted)
c) Service Delivery Objective (SDO)
SDO is the anticipated or expected level of service delivered by the recovery site
d) Maximum Tolerable Outage (MTO)
MTO is the maximum duration of time for which the recovery site can keep delivering
the services
In other words, MTO can be defined as the maximum amount of time an organization can
sustain its operations at the recovery site
e) Interruption Window (IW)
The interruption window is the amount of time from the point of failure until the
restoration of the critical IT services or operations at the recovery site
Shorter tolerable downtime means a higher recovery cost; longer downtime means a higher
downtime (interruption) cost. Similarly, less recovery time means a higher recovery cost
and more recovery time means a lower recovery cost; the recovery strategy is chosen
where the two costs balance.
Data Backup Polices
1. Grandfather
2. Father
3. Son
Data Backup Approaches
1. Differential Backup
2. Incremental Backup
3. Other Approaches
1. Differential Backup
Differential Backup is the approach that keeps the Backup of all the changes since the
last full backup
2. Incremental Backup
Incremental Backup is the approach that keeps the Backup of all the changes since the
last backup only
3. Other Approaches or Data Backup Methods
a) Tape drives
b) Data Mirroring or Data Replication (Offsite)
c) Online Data Backup (cloud computing)
d) Backup to a Co-location facility
e) Differential and Incremental Backup
f) RAID Technology (Redundant Array of Independent/Inexpensive Disks)
a. Tape Drives
1. Tape drives are very commonly used in the industry
2. Tape drives are usually used for data archiving and permanent data storage.
3. They offer large storage capacity with a high cost of the hardware.
4. They are well equipped with backup software and a tape drive controller to perform
or manage the functions of the tape drive.
5. With the advancement of technology, their rate of data retrieval and the success
percentage of data restoration have increased significantly.
6. If tape drives are used for incremental or differential backup, they must be
submitted or loaded in the proper sequence for data restoration.
7. Another disadvantage of tape drives is portability: they must be physically
transported from the backup site to the recovery site.
8. Tape drives do not have an online port
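The differential and incremental strategies defined above, together with the loading order that point 6 under Tape Drives requires, as an added Python example that is not part of the original notes. The change log, file names and day numbers are constructed for illustration; day 0 is a full backup and each later day produces one partial backup set (one tape).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    """One backup set, e.g. one tape."""
    day: int            # day number on the constructed timeline (day 0 = full backup)
    kind: str           # "full", "differential" or "incremental"
    files: frozenset    # file names captured on this backup set


# Constructed change log: which files were modified on each day after the
# day-0 full backup. Day 4 had no changes at all.
CHANGES = {
    1: {"orders.db"},
    2: {"orders.db", "users.db"},
    3: {"config.ini"},
    4: set(),
    5: {"orders.db"},
    6: {"users.db", "logs.txt"},
}
ALL_FILES = frozenset({"orders.db", "users.db", "config.ini", "logs.txt", "app.exe"})


def run_backups(strategy, changes=CHANGES, all_files=ALL_FILES):
    """Produce the backup sets for a full backup on day 0 followed by one
    partial backup per day using the given strategy."""
    backups = [Backup(0, "full", all_files)]
    changed_since_full = set()
    for day in sorted(changes):
        changed_since_full |= changes[day]
        if strategy == "differential":
            # Everything modified since the last full backup, so each set
            # grows until the next full backup resets it.
            captured = frozenset(changed_since_full)
        elif strategy == "incremental":
            # Only what changed since the previous backup of any kind.
            captured = frozenset(changes[day])
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        backups.append(Backup(day, strategy, captured))
    return backups


def restore_chain(backups, failure_day):
    """Return the backup sets that must be loaded, in loading order, to
    recover the state as of the last backup taken on or before failure_day."""
    usable = [b for b in backups if b.day <= failure_day]
    last_full = max(i for i, b in enumerate(usable) if b.kind == "full")
    full, partials = usable[last_full], usable[last_full + 1:]
    if not partials:
        return [full]
    if partials[-1].kind == "differential":
        return [full, partials[-1]]   # the newest differential supersedes older ones
    return [full] + partials          # every incremental, oldest first


def restored_versions(chain):
    """Apply a chain in the given order; returns {file: day of the version that
    ends up on disk}. Loading sets in the wrong order silently yields stale data."""
    state = {}
    for backup in chain:
        for name in backup.files:
            state[name] = backup.day
    return state


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = run_backups(strategy)
        chain = restore_chain(sets, 6)
        print(strategy, "set sizes:", [len(b.files) for b in sets])
        print(strategy, "restore order for day 6:", [b.day for b in chain])
        print(strategy, "restored versions:", restored_versions(chain))
```

The set sizes show the trade-off in the notes: differential sets grow each day (5, 1, 2, 3, 3, 3, 4 files) but a restore needs only two sets, while incremental sets stay small (5, 1, 2, 1, 0, 1, 2 files) but a restore on day 6 needs all seven, oldest first. Feeding the incremental chain in reverse order leaves every file at its day-0 version, which is the failure mode that the proper-sequence rule for tapes guards against.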
b. Data Mirroring/Data Replication
1. In this approach multiple data servers are established at a backup site or a remote site
for the primary storage system.
2. Since the data is transferred electronically using fast communication lines
between the primary site and the backup sites, the data backup is available
online and there is no need for physical transportation, so the data restoration time is
relatively low.
3. However, such infrastructure requires reliable networking and security measures for the
data transmission
4. It also requires the maintenance of a dedicated site with maintenance staff
c. Online Data Backup/Cloud Computing
1. This is a recent approach in which companies maintain their data backup at an
offsite location maintained by a third party.
2. The client company has to pay for the services subscription
3. The data backup is available online to the client using a high speed WAN (Wide Area
Network) connection, so companies can restore their data online without any
physical movement
4. Such infrastructure does not have to be maintained by the clients, nor do they need to
hire any staff for that purpose
5. The advanced form of this approach is Cloud Computing
d. Data Backup to a Co-location Facility
1. In this approach companies lease rack space at a co-location facility and
install their own backup equipment, including hardware and software; they
might use the networking infrastructure of the vendor, but they do not need to
invest in the establishment of the infrastructure
2. The client may deploy their own designated staff or may use the services of the vendor
3. Such arrangements normally require a lease agreement; additionally a contract of
WET lease or DRY lease can be applied here
e. RAID (Redundant Array of Independent or Inexpensive Disks)
1. It is a technology that consists of a linear array of hard drives that are
controlled by a specially designed hardware controller and a RAID driver
2. It also provides good backup and restoration time
3. It employs different technologies for data backup, for example data mirroring, data
duplexing or data striping
4. It also provides support for data error detection, correction and recovery
5. It also has built-in support for data encryption and decryption
6. It also supports interfacing with various other technologies and
infrastructure
7. It provides a very large volume of storage with fast data reading and writing speed
8. Depending upon the features, RAID equipment is divided into various levels; almost
eleven (11) levels are in practice and any one can be used as per the business need.
However, the first three (3) levels are the most commonly used

Preparation of a Telephone Directory for the BCP Plan
Identification and Record keeping of the key personnel participating in the BCP Plan
1. Identify the teams and their compositions
2. Identify all the human personnel that are to be contacted during the disaster handling
3. Identify their emergency numbers
4. Identify the sequence in which the people are to be contacted which is called a tree
5. Keep checking whether the numbers are functional, and if there is a change, then
properly disseminate the information to the concerned department
6. Identify the persons to whom each of the others has to report
7. Identify the vendor representative, the legal focal person, designated insurance agent,
Backup and Recovery site administrator, media partner, Rescue, law and order
agencies and their contact numbers
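The contact sequence (the "tree" of item 4) and the reporting lines (item 6) from the list above, as an added Python example that is not from the original notes. The role names, the tree layout and the phone numbers are constructed placeholders; the tree deliberately contains one person with no number on record and one person whom nobody calls, so that the record-keeping checks of items 3 and 5 have something to find.

```python
from collections import deque

# Constructed call tree: each person phones the people listed under them.
# "payroll_admin" is on the list but nobody is assigned to call them.
CALL_TREE = {
    "bcp_coordinator": ["it_recovery_lead", "facilities_lead", "comms_lead"],
    "it_recovery_lead": ["dba", "network_admin", "recovery_site_admin"],
    "facilities_lead": ["transport_vendor_rep"],
    "comms_lead": ["media_partner", "insurance_agent", "legal_focal_person"],
    "payroll_admin": [],
}

# Emergency numbers on record (placeholder values, not real numbers).
# "network_admin" is deliberately missing.
CONTACTS = {
    "bcp_coordinator": "+00-000-0001",
    "it_recovery_lead": "+00-000-0002",
    "facilities_lead": "+00-000-0003",
    "comms_lead": "+00-000-0004",
    "dba": "+00-000-0005",
    "recovery_site_admin": "+00-000-0006",
    "transport_vendor_rep": "+00-000-0007",
    "media_partner": "+00-000-0008",
    "insurance_agent": "+00-000-0009",
    "legal_focal_person": "+00-000-0010",
    "payroll_admin": "+00-000-0011",
}


def everyone(tree):
    """All persons appearing anywhere in the tree, as callers or callees."""
    people = set(tree)
    for callees in tree.values():
        people.update(callees)
    return people


def notification_waves(tree, root):
    """Breadth-first calling order: wave 0 is the root, wave 1 the people the
    root calls, and so on. Returns a list of waves, each a list of names."""
    waves, queue, seen = [], deque([(root, 0)]), {root}
    while queue:
        person, depth = queue.popleft()
        if depth == len(waves):
            waves.append([])
        waves[depth].append(person)
        for callee in tree.get(person, []):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, depth + 1))
    return waves


def reports_to(tree):
    """Invert the tree: {person: the person they report to during the disaster}."""
    return {callee: caller for caller, callees in tree.items() for callee in callees}


def missing_contacts(tree, contacts):
    """People in the tree with no emergency number on record."""
    return sorted(p for p in everyone(tree) if p not in contacts)


def unreachable(tree, root):
    """People who would never be phoned because no caller leads to them."""
    reached = {p for wave in notification_waves(tree, root) for p in wave}
    return sorted(everyone(tree) - reached)


if __name__ == "__main__":
    for depth, wave in enumerate(notification_waves(CALL_TREE, "bcp_coordinator")):
        print(f"wave {depth}: {', '.join(wave)}")
    print("reporting lines:", reports_to(CALL_TREE))
    print("no number on record:", missing_contacts(CALL_TREE, CONTACTS))
    print("nobody calls:", unreachable(CALL_TREE, "bcp_coordinator"))
```

Running the two checks against the directory before each BCP test is the practical form of item 5: a missing number or an unreachable person is found on paper rather than during the disaster.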
Testing and Verification of BCP Plan
1. Pre-test
2. Actual test
3. Post test
1. Pre-test
1. Define objectives of the BCP test exercise
2. Definition of the Scope
3. Design the test case
o Identify the expected output or outcome of the test
o Identify the pre-conditions of the test
o Identify the post-conditions of the test
4. Verify and Plan the Schedule for the BCP Test
5. Identify the resources required for the BCP test execution
6. Management approval for the BCP test and intimation to the concerned departments
2. Actual Test
1. Perform the actual test
2. Record the test observations and results
3. Monitoring of the coordination among the teams
4. Transportation and re-location to the recovery site
5. Data transportation from the backup site to the recovery site and data restoration
6. Data restoration activity
7. Monitor the response of the service agencies
3. Post Test
1. Packing of the resources and equipment and their relocation to the primary site
2. Formal documentation of the test results
3. Result analysis
a) Time
b) Count
c) Amount
d) Accuracy
4. Result analysis review
5. Payment to the service provider
6. Identification of corrective actions and follow-ups
a. Time
1. Actual duration of activity
2. Difference between the expected completion time and actual completion time of the
activity
3. Transportation time
4. Data restoration time
5. Difference between actual and expected Interruption window (IW)

b. Count
1. Difference between the number of critical operations to be restored and the
actual number of restored operations
2. Difference between the number of tape drives to be relocated and the number actually
moved
3. Difference between the expected number of records to be restored and the actual
number of records restored
c. Amount
1. The percentage of administrative, clerical and support tasks to be performed at the
recovery sites
d. Accuracy
1. Accuracy describes the level of precision with which the restored transactions are
processed
2. A sample of transactions and their results at the recovery site are compared with the
corresponding transactions performed at the primary site
3. Accuracy of the transaction processing time or delay is also evaluated
Types of BCP Test
1. Paper Based Test
2. Simulation Test
3. Fully Operational Test
Insurance in BCP
1. IPF insurance and IS Equipment insurance
2. Extra expense insurance
3. Business interruption
4. Insurance of the Official Records and Data
5. Media transportation insurance
6. Operator errors and omissions
7. Fidelity coverage
8. Software loss insurance