Data Dictionary:
A data dictionary is a collection or repository of metadata.
In other words, a data dictionary is a database of data about the data.
10. This model supports simultaneous access by multiple users (this is called concurrency control).
11. It eliminates data deadlock.
12. It supports enhanced business reporting.
13. It provides good backup and recovery support.
14. It also assists in the implementation of the organization's access policy.
Database Access:
1. Sequential Access
2. Index Sequential Access
3. Direct Access
1. Sequential Access:
In sequential access the data is located by searching from the start of the hard drive until the
location that holds the desired data is reached. Sequential access is an obsolete technology.
Advantages:
1. It is the simplest technique.
2. It does not need any mathematical calculations to locate data.
3. It does not need any extra software for the data access.
4. It is suitable for small volumes of data.
5. It is helpful in batch processing.
Disadvantages:
1. The time to access the first record and the time to access the last record are unequal.
2. Data access takes a very long time if the volume of stored data is very high.
3. It brings inefficiency into transaction processing because of the long waiting time for data access.
4. Random and instant data access is not possible.
5. It increases the user response time.
2. Index Sequential Access:
In index sequential access the data is organized or sorted with respect to a particular attribute.
A table is created for that particular attribute, which is called the index table.
In order to search for a particular item of data, a user first looks up the index table to locate the
particular area of interest; this filters out the undesired areas.
Once the user has reached the desired region of interest, he applies the sequential mode of
access within that region to get the desired data.
In index sequential access a particular area is also reserved to accommodate new data that
belongs to an already occupied section.
3. Direct Access:
In direct access each memory location is assigned a unique memory address or identity.
A single memory location can therefore be accessed instantly.
In order to access memory using direct access, the Central Processing Unit (CPU) has to
calculate or determine the memory address and send it to the memory or storage device.
The storage device accesses the desired location, fetches the data and sends it back to the CPU.
However, a particular addressing scheme needs to be defined for the identification of the
memory location.
There are two kinds of memory locations.
1. Addressable: if the addressable memory area is fully occupied, an extra buffer area known
as the overflow area is used to accommodate the remaining data.
2. Un-Addressable:
Advantages:
1. It gives direct access.
2. It brings efficiency to transaction processing.
3. Least data access time.
4. Most suitable for accessing large volumes of data.
5. Reduces user response time.
6. The time to access the first and the last location is equal.
Disadvantages:
1. It is a complex approach.
2. Proper addressing algorithms/schemes need to be defined.
3. The CPU needs to calculate the address before each access.
4. There is a possibility of data collision, that is, generating the same memory address for
two different memory locations.
5. It needs special software for data access, address calculation, collision avoidance
and overflow area management.
ACID (Atomicity, Consistency, Integrity, Durability) Property of DBMS
Atomicity: Atomicity means a transaction must be processed completely or must be rolled back.
Consistency: Consistency means the execution of a transaction must bring the database from
one consistent state to another consistent state.
Integrity: A transaction shall not interfere with another transaction's processing.
Durability: A transaction's results must be recorded and saved properly and permanently.
Type of Information Systems:
Level of Management:
1. Strategic Management
2. Tactical Management
3. Operational Management
Types of Problems or decisions:
1. Unstructured
2. Semi-structured
3. Highly structured
Transaction:
A transaction is an event or an incident that requires data processing and the
dissemination of the resulting information. A transaction processing system is the most commonly used
information system in all sectors. It may have its own specific business needs depending
on the nature of the organization, the scope of work, inter-departmental needs and the business
environment.
The most common features found in almost all corporate transaction processing systems are:
Transaction Book Keeping
Data processing
Business reporting
User query processing
Information distribution or sharing
Assistance for decision making at operational level
Data management (indexing, sorting, filtering etc.)
Maintaining the transaction logs
Transaction recovery
Transaction errors detection and correction
Transaction consolidation
Transaction security and integrity
SECTION A (4)
Information system acquisition and development
Approaches to develop software:
1. Software development life cycle (SDLC)
2. Waterfall Model
3. Spiral Model
4. Iterative Model
5. Incremental Model
6. Prototyping Model
7. Agile development Model (currently the most used approach)
8. Component-Based Software Development Model
9. Application packages Model
10. End user computing Model
11. Reverse engineering Model
12. Re-engineering Model
13. Object oriented software development (OOSD)
14. Rapid Application Development
Software Development Life Cycle (SDLC)
Initiation Phase
a. Problem definition
b. Feasibility Study
1. Economic Feasibility
2. Financial Feasibility
3. Technical Feasibility
4. Schedule Feasibility
5. Organization Feasibility
6. Social/Operational Feasibility
c. Project Planning
Development Phase
d. Requirement Gathering and analysis
e. Software Design
f. Software development and testing
Implementation Phase
1. Training
2. Conversion
3. User Acceptance Testing
4. Post Implementation Audit
Operation and maintenance Phase
g. Operation and maintenance
1. Ongoing Support
2. Software Upgrades
Problem Definition
Problem Statement
Explain the existing system
Explain the drawbacks of the existing system
Explain the root causes of the existing system's drawbacks
Explain the impact of the existing system
Explain the benefits of the proposed solution
Deliverables:
Feasibility Report
Management Approval
Project Plan
Feasibility Study:
Economic feasibility (Development, Infrastructure, Maintenance, Training,
Consultancy Cost)
In this study the IT financial analyst determines the total cost of ownership, including
the above mentioned costs, together with the corresponding expected benefits and payback
period; if this equation comes out positive it reflects the financial feasibility of the
project.
Schedule Feasibility
Is it possible to meet the expected deadline of the project without affecting the
deadlines of the ongoing programs or compromising quality?
Organizational Feasibility
Does this project support the organization's goals, mission and strategic objectives? In
other words, is the investment aligned with the business objectives or not?
Social/Operational Feasibility
Will the new system be acceptable to the users, and will the software easily interoperate with the existing business applications or not?
12. For a better understanding and interpretation of the system, various
diagrams are developed:
a) Context diagram
b) Data flow diagram
c) Entity relationship diagram (ERD)
d) Flow chart
13. Once all these activities are performed they must be documented in the form of a
report which is known as the Software Requirement Specification (SRS) document.
14. This document must be signed by the competent authorities of the client and the vendor.
Software Design:
1. This phase defines how the system will deliver services to the user.
2. In this phase all sub-modules are explored in depth and their architecture is prepared.
3. It identifies the data processing schemes and flows.
4. There are three types of design developed in this phase:
a. Database design
b. Process design
c. User interface design
c. User Interface design: In GUI (graphical user interface) design a sketch of the software
interface is designed in the form of screen shots by applying various design tools.
The interface will address how many forms there will be in the software and what the different
controls are, such as buttons, radio buttons, dropdown lists, icons, progress bars etc.
a. Database Design: in database design the diagram identifies the following things
1. Entities
2. Attributes
3. Relationship between entities
4. Key attribute
5. Business rules
6. Data dictionary
7. Data access method
8. Data backup requirement
b. Process Design: The design identifies the various processes and their sub-processes for each
individual module of the system. It also determines the sequence of execution, decision
points, intermediate outputs and inputs; in addition, the possible collaboration between
the processes is identified.
There is a standardized way of process designing. One of the very commonly used standards
is UML (Unified Modeling Language).
According to UML the following diagrams are developed:
1. Class diagram
2. Activity diagram
3. Sequence diagram
Once all these diagrams are developed they must be documented in the form of a software
design specification document.
Software Development:
1. Programming: from the software design specification (SDS) to source code (a set of instructions)
2. Debugging (error-free source code)
3. Software testing (deliverable outputs)
4. Documentation (manual)
5. User acceptance testing (UAT) (user consent for the development)
Programming:
In this activity a programmer selects an appropriate high level language (4GL) and writes
the instructions in the form of various programs, which are known as source code.
After writing the source code the programmer uses various language translators for the
translation of the source code (human friendly language) into machine language or executable
code.
Language translators include the compiler, the assembler and the interpreter.
Before the executable code is produced the software errors must be removed; in order
to locate and remove the errors a debugging tool is used, and this activity is known as
debugging.
Reverse Engineering:
Trial version (black box testing of the functionality)
If the above activity isn't helpful, then decompile the software and make a new design from
the source code.
Advantages of Reverse Engineering
1. The fresh system to be developed is relatively optimized.
2. Reverse engineering facilitates the development team in incorporating the good features
into the system and avoiding the existing bad features.
Disadvantages of Reverse Engineering
1. It may cause the violation of intellectual property rights and software piracy.
2. Writing a decompiler is a very time consuming job with a very high risk of poor
success and licensing issues.
3. Acquisition of a decompiler is very costly.
Re-engineering:
A critical analysis of the existing system identifies the problems; then the changes/improvements are made and
deployed.
Spiral Model:
1. Identify goals/objectives
2. Perform risk management (identification, analysis, mitigation (reduce/minimize),
monitoring)
3. Execution and test
4. Evaluate and Plan
SDLC, Spiral Model
Initiation:
a) Problem Statement (Apply Spiral Steps)
(Identify goals/objectives
Perform risk management (identification, analysis, mitigation (reduce/minimize),
monitoring)
Execution and test
Evaluate and Plan)
b) Feasibility Study (Apply Spiral Steps)
(Identify goals/objectives
Perform risk management (identification, analysis, mitigation (reduce/minimize),
monitoring)
Execution and test
Evaluate and Plan)
c) Project Plan (Apply Spiral Steps)
Development:
a) Requirement Gathering (Apply Spiral Steps)
b) Software Design (Apply Spiral Steps)
c) Programming (Apply Spiral Steps)
d) Documentation and Software Testing (Apply Spiral Steps)
Implementation:
a) Training (Apply Spiral Steps)
b) Conversion (Apply Spiral Steps)
c) User Acceptance testing (Apply Spiral Steps)
d) Post implementation audit (Apply Spiral Steps)
SECTION B (5)
The Process of Auditing Information System (IS)
Auditing Outsourcing Practices
1. The auditing control system should be of short period of time
2. The IS auditor should determine whether contractual provisions for the client's right to
audit are mentioned or not.
3. The auditor will determine whether the contractual provisions for the investigation of
industry best practice for the various software development processes are addressed or
not, e.g.:
o ISO 2700: 9000 (QMS, Quality Management System)
o PMBOK (Project Management Body of Knowledge)
o Six Sigma
o ITIL (Information Technology Infrastructure Library): software service
delivery and support management
o CMMI (Capability Maturity Model Integration): software development process
o ISMS (Information Security Management System/Services): data security
4. The auditor will determine whether the contractual provisions for the timely
delivery of the software, conformance with the budget limits, their violation and the
penalties in case of violation are mentioned or not.
5. The auditor will identify whether a provision for software escrow is mentioned or
not.
6. Software ESCROW is the concept of making a third party (normally a state or federal
regulator) the custodian of the software source code on behalf of the client. In case the vendor denies
services to the client, the client has the right to request the release
of the source code from the custodian. The custodian is supposed to release the source
code after verification.
7. The auditor will determine whether the provisions for software licensing, reverse
engineering, license per node, license per site, license per user, regulatory
needs, intellectual property rights, software piracy and copyrights are addressed
or not.
8. The IS auditor will determine whether the contractual provisions for the security
requirements, software backup, data loss and data disclosure are addressed or not.
9. The IS auditor will determine whether the contractual provisions for the acceptance
parameters for user acceptance testing after deployment are addressed or
not.
10. The IS auditor will determine whether the contractual provisions for timing
deadlines, actions in case of falling behind the deadlines, quality of services,
expenditure monitoring and software costing are mentioned or not.
11. The IS auditor will determine whether the contractual provisions for software
change management practices and software configuration management practices
are mentioned or not.
12. Whether the contractual provisions for baselining are mentioned or not.
13. The IS auditor will determine whether the contractual provisions for conflict
resolution, negotiation and dispute escalation are mentioned or not.
14. The IS auditor will determine whether the contractual provisions for the mode of
payment, payback period, warranty claims and software insurance are mentioned or
not.
15. The IS auditor will determine whether the contractual provisions for system
backup, system recovery, system downtime compensation and system security are
addressed or not.
16. The IS auditor will determine whether the contractual provisions for resource
availability, quality management practices and after-sales service delivery are
addressed or not.
What are the audit practices in outsourcing? (SAS 70 Type I) (SAS 70 Type II)
An external auditor (nominated by the vendor) should perform the audit of the outsourcing.
The internal auditor of the client, or an auditor nominated by the client, will perform the audit of the
vendor.
Mutually agreed auditors.
IS Audit
In the IS Audit following activities will be audited
1. Governance, Management, Organization structure
2. Infrastructure and operations
3. Software/System development
4. Information security management
5. Disaster recovery and BCP
Approaches of Audit
1. Audit round the system
2. Audit through the system
IS audit process
Audit:
An audit is an economic activity in which an auditor (internal/external) evaluates, examines and
tests the effectiveness of the procedures, internal controls or ongoing practices (activities) and
forms an opinion regarding the degree of compliance, conformance or adherence to industry
standards or best practices.
Types of auditor
Auditor should be
1. Independent
2. Professional
3. Vigilant
Types of Audit
1. Financial audit
2. Operational audit
3. Administrative audit
4. Integrated audit
5. IS or IT audit
6. Forensic audit
7. Specialized audit
8. Stock audit
9. Certification audit
10. Surveillance audit
Audit charter
1. Responsibility (task supposed to perform)
2. Authority (privileges, rights, powers, what you have to do)
3. Accountability (rules and laws)
Audit assignment/ Audit engagement letter
1. Audit mandate/audit assignment charter
2. Audit schedule
3. Rules of engagement (ROE)
4. Non-disclosure agreement (NDA)
IS Audit Process
1. Define audit area
2. Define or determine scope of audit
3. Define the audit objectives
4. Perform the audit planning
5. Perform the evidence gathering and do the fact finding
6. Verify/test and analyze the data
7. Preparation of audit report up to the mutually agreed upon standard
8. Communicating and presenting the audit result to the auditee management
9. Audit closing activity
10. Follow up audit activity
Audit Area
An audit area is the specification of the domain or the functional area to be audited.
1. Change management is considered an audit area.
2. Software development practices
3. Change management Practices
4. IT services delivery and support
5. Operation management
6. Corporate/IT governance
7. Business continuity and disaster management
8. Information system maintenance practices
9. IT infrastructure utilization
10. Outsourcing practices
Audit objectives
1. In this activity the goals of the audit are defined, or in other words the expected
deliverables of the audit are defined. For example, an audit objective could be defined as
whether the SCM (Software Change Management) practices are practiced in the proper
way or not. Similarly, another objective could be to verify that all the possible risks of
unauthorized change are properly controlled.
2. Another audit objective could be defined as verifying that the internal controls for business
continuity and disaster recovery are effective and are practiced according to the
industry specific practices.
Objective for Outsourcing
3. Another audit objective could be defined as verifying whether taking the services of
external vendors has created any information security risk for the organization.
Information Technology (IT) Governance Objective
4. Another audit objective could be defined as verifying whether IT investments are aligned
with the business goals or not.
Audit Scope
Audit scope can be defined as the determination of the depth of the audit. The audit scope
defines the limits and boundaries of the audit. It also defines the coverage depth of an area. For
example, if the audit area is the change management practices, the scope can be defined
on the basis of the software types, e.g. ERP, security software, operating software, e-business solution or a specific enterprise system.
The scope can also be defined on the basis of departments and their software.
The scope can also be defined on the basis of geographical area or region. For example, in
National Bank of Pakistan two different enterprise systems are being used, one for Islamic
banking activities and the other for non-Islamic banking activities. So the scope can be defined as
the change management practices in the Islamic banking software across all the country-wide
branches.
Audit Planning
In audit planning following things are highlighted
1. Audit schedule (day, date, time, and duration)
2. Formation of audit team and job assignment
3. Resource required e.g. Software tools, audit working papers, literature documents(past
audit report, follow up report, rule book)
4. Identify the procedures for fact finding and evidence gathering
5. Identify the procedures for sampling and data evaluation
6. Identify the list of internal controls to be examined
7. Perform the risk analysis and risk assessment of the internal controls of auditee
environment. Identify the possible exposures, their criticality, their corresponding
controls and their effectiveness
8. Site to be visited
9. Identification of the auditee's coordinator for the audit
10. Notification of the audit and its acknowledgment
11. Identification of logistics requirements and other secondary requirements
12. If the audit is risk based then risk management is done during planning; if the audit is non-risk
based then there is no use of risk management
Risk Management
1. Risks identification
2. Risks analysis
3. Risks mitigation
4. Risks control and monitoring
What is CSA?
What is the role of auditor in CSA?
Advantages and disadvantages of CSA
Management Approach
1. To leverage the audit function (leverage (optimization)- improving Audit process
continuously)
2. Educate trainee
3. Meeting between auditee and auditor
CSA is a management technique in which the management implements a new strategy to
leverage or optimize the audit function. In this concept the auditor brings awareness and educates
the auditee regarding the implementation of the practices in the best way as defined in the
industry.
Role of auditor in CSA:
In CSA the auditor does not work in the capacity of an auditor; rather he works as a
facilitator, mentor, advisor and trainer. He educates by conducting seminars,
webinars, walkthrough sessions, formal or informal gatherings and workshops, and tries to
develop a sense of self-accountability and self-control. The auditor will not act/behave like an
auditor; rather he tries to facilitate the employees in overcoming their problems during the
implementation of best practices.
Advantages:
1. Standard enforcement
2. Sense of ownership
3. Self-accountability
4. No re-working
5. Optimum utilization of resources
6. Improvement in audit function
7. Overall process improvement
8. Errors are controlled
9. Gain of competitive advantage
10. Risk management
11. Reduction of organizational inertia
Disadvantages:
1. The feeling/imposition of additional workload on the employees
2. Demoralization in case of non-consideration of the suggestions
3. Union formation might start occurring
4. Unrealistic expectation of employee benefits
5. A misconception of substitution/replacement of the audit function
Computer assisted audit techniques (CAAT), CASE tools (Generalized audit standard,
GAS). France was the first to adopt the automated audit technique.
a) It is a software tool or a collection of different software.
b) It is an approach in which a software suite (which is a collection of multiple
software) is used for the purpose of data access, data extraction and analysis, which
facilitates the auditor in forming an opinion regarding the degree of compliance. This
approach has become very significant for financial audits in which the financial
data is maintained on computer based servers or in data centers. All these
software tools implement and comply with the Generally Accepted Audit Practices
(GAAP).
7. Input validation
8. Firewall
9. Intrusion prevention system (IPS)
10. Restricted access
11. Encryption/decryption
Detective
1. Digital signature
2. Activity logging
3. Sequence checking
4. Supervisory review
5. Reporting and acknowledgment
6. Parity checking (even or odd)
7. Cyclic redundancy check (CRC)
8. Hash/sub totals or reconciliation
9. Environmental detectors
10. Performance review
11. Anti-virus
13. Echo sending
Corrective
1. Backups
2. Recovery procedures (Disaster recovery planning DRP)
3. Business continuity planning
4. Re-run activity
Information System Control Objectives:
1. To ensure the safe custody of the information systems, data centers, IPF, backup
sites, recovery sites and library sites
2. To ensure the protection of hardware equipment, its installation and configuration, and
the continuity of operations
3. To protect the operating system environment from external penetration
4. To assure the integrity of the business applications, which include the financial
applications, ERP and e-business solutions
5. To assure data input validation, data processing and data preservation
6. To maintain data integrity, availability and confidentiality
7. To maintain and assure that the data is processed completely and accurately
8. To assure that IT operations are performed as specified, are continuously monitored and
are being improved as well
9. To assure that proper backups of the IT applications have been taken and that disaster
recovery procedures are effective
10. To improve the reliability of the system by implementing effective change management
practices
SECTION B (6)
Governance and Management
1. Corporate Governance
2. IS Governance
3. IT Governance
1. Corporate Governance
1. Give authority to the people
2. Give resources to the people
3. Give decision power to the people
4. Make them accountable
2. IS Governance
1. Assets protection
2. Processes protection
3. Data protection
3. IT Governance
1. IT shall deliver value to Business
2. IT risks are controlled
Objectives of IT Governance
1. Strategic alignment with business goals/objectives
2. Risk management
3. Value delivery
4. Resource management
5. Performance measurement
Steering Committee
1. It provides a plan and performs actions
2. Decides the amount or cost or budget which must be allocated to the IT project
3. Approval and acquisition of the resources for the project
4. Evaluates and approves the overall architecture of the project, which must be in accordance with the business theme
5. It monitors and evaluates the execution of the project to see whether it will be completed in time and within the allocated budget or not
6. It may be involved in resolving conflicts, either between the different divisions of the IT team/project team or with clients, regarding resources or requirements respectively
7. It also gives recommendations to the top management regarding the performance measurement strategies
8. It also gives recommendations regarding the functioning, resources, technology and the security requirements
Transaction Authorization:
In order to perform transaction authorization, a specially designed user authorization request form is
filled in, recorded, assessed, and approved or rejected.
A control matrix of role versus role is developed. A role versus responsibilities matrix is
also developed.
Supervisory Review: (supervisor review this)
1. Visual inspection
2. Cross check
3. Double check
Independent Review
An independent review can be performed either by interdepartmental teams, internal
auditors or the regulatory auditor in order to identify any kind of irregularity.
Security and cost are both impacted; it is often not possible for small and medium enterprises to conduct
independent reviews due to financial constraints.
Exception Reporting:
Exception reporting is a feature of self-monitoring and feedback that distinguishes
abnormal, bad or modified patterns, compares them with the trusted pattern and
highlights them if needed.
Audit Trail:
An audit trail is the process of reaching back to the origin of a crime or fraud conducted in the organization.
It makes use of the transaction logs, evaluates the whole transaction flow and facilitates the
judiciary in making a judgment regarding the crime.
Reconciliation:
In this kind of activity different kinds of checks, e.g. subtotals, batch totals, hash totals and
aggregated totals, are used to determine the financial integrity of the transactions.
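The reconciliation checks described here, together with the sequence checking and hash/sub totals listed among the detective controls above, as an added example that is not part of the notes: a batch of payment records is reconciled against the control totals that accompany it, and each mismatch is raised as an exception. The batch, the account numbers and the tampering cases are constructed for illustration.

```python
# Added example, not from the notes: batch totals, hash totals, record counts and
# a sequence check used as detective controls over a transaction batch.
# The batch and its control totals are constructed sample data.

from decimal import Decimal

# Constructed batch as sent by the originating department: (sequence no, account no, amount)
SENT_BATCH = [
    (1, 440231, Decimal("125.00")),
    (2, 550118, Decimal("980.50")),
    (3, 440231, Decimal("42.75")),
    (4, 610077, Decimal("300.00")),
]


def control_totals(batch):
    """Control totals the sender attaches to the batch.

    count:       number of records
    batch_total: sum of the monetary amounts
    hash_total:  sum of the account numbers; meaningless as a figure, but it
                 changes if any account number is altered even when amounts agree
    """
    return {
        "count": len(batch),
        "batch_total": sum(amount for _, _, amount in batch),
        "hash_total": sum(account for _, account, _ in batch),
    }


def reconcile(received_batch, expected):
    """Compare the received batch against the expected control totals.

    Returns a list of exception messages; an empty list means the batch reconciles.
    """
    actual = control_totals(received_batch)
    exceptions = []
    for name in ("count", "batch_total", "hash_total"):
        if actual[name] != expected[name]:
            exceptions.append(
                f"{name} mismatch: expected {expected[name]}, got {actual[name]}")
    # Sequence check: numbers must run 1..n with no gaps, duplicates or reordering
    seqs = [seq for seq, _, _ in received_batch]
    if seqs != list(range(1, len(seqs) + 1)):
        exceptions.append(f"sequence check failed: {seqs}")
    return exceptions


def demo():
    """Reconcile the intact batch and three constructed tampering/loss cases."""
    expected = control_totals(SENT_BATCH)
    # One record lost in transit: count, batch total and hash total all disagree
    dropped = SENT_BATCH[:3]
    # Amount altered, record count preserved: only the batch total catches it
    altered = [SENT_BATCH[0], (2, 550118, Decimal("890.50"))] + SENT_BATCH[2:]
    # Account number changed, amount unchanged: only the hash total catches it
    rerouted = [SENT_BATCH[0], (2, 550119, Decimal("980.50"))] + SENT_BATCH[2:]
    # A record replayed at the end of the batch: totals and sequence check both fail
    replayed = SENT_BATCH + [SENT_BATCH[2]]
    return {
        "intact": reconcile(SENT_BATCH, expected),
        "dropped": reconcile(dropped, expected),
        "altered": reconcile(altered, expected),
        "rerouted": reconcile(rerouted, expected),
        "replayed": reconcile(replayed, expected),
    }


if __name__ == "__main__":
    for case, exceptions in demo().items():
        print(case, "->", exceptions or "reconciles")
```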
IT Governance Best Practices:
Internal controls
Strategy and steering committee
IT Balance Score Card
It is a management technique to implement IT governance in the organization.
The concept is to assess the capability, perform the job in a process oriented way and
subsequently evaluate the performance in a quantified manner. It is slightly different from
other approaches because it does not evaluate the performance in terms of financial gains,
cost reduction, user satisfaction and deadline meeting. It focuses on identifying industry specific
best Key Performance Indicators (KPIs) to use as the parameters for the performance evaluation.
It gives a three step procedure for its implementation:
1. Define the mission
2. Define the strategy
3. Measure the performance
In the first step (Define the Mission) we define what we can do, what we shall obtain, what
we shall become and what we shall deliver.
In the second step (Define Strategy) we define and develop the procedures
to answer the above mentioned questions:
Provide infrastructure, resources and information
Identify and implement the controls
In the third step (Measure the Performance) we initially define quantified measures or
performance metrics/indicators/parameters in terms of KPIs, KGIs (Key Goal Indicators) and
CSFs (Critical Success Factors).
IS Management Practices:
1. Human Resource Management Practices (HRM)
2. Outsourcing Practices
3. Quality Management Practices
4. Change management Practices
5. Information security management practices
6. Financial Management Practices
7. Performance Optimization Practices
1. Human Resource Management Practices (HRM)
a) Hiring/recruitment policy
b) Training policy
c) Vacation policy
d) Performance evaluation policy
e) Assignment, Scheduling and reporting policy
f) Termination policy
a. Hiring/recruitment policy
1. You must perform the capacity management planning
2. Identification and determination of vacant positions
3. Defining the required level of qualification and professional certifications if required
4. Defining the level of experience required and the skills set
5. Defining the procedures for the candidate application processing, assessment and its
selection
6. Employee or candidate background screening check
7. It can be outsourced
b. Training Policy (human resource development HRD)
1. Identification of organization training requirements
2. Development of the training staff
3. Allocation of the training budget
4. Annual training schedule and planning
5. Training of the trainer
6. Succession planning
7. Transfer of the technology to the trainee
8. Training bonds policy and its violation consequences
c. Vacation Policies
1. Identification of vacation types (CL Casual Leave), (LFP Leave with Full Pay), (RCL
Recreational Leave), (X Pak leave)
2. Forced vacation policy
3. Vacation encashment policy
4. Vacation approval authority policy
d. Performance Policy
1. Establishment of Goals and deliverables on annual basis
2. Formation of annual confidential report (ACR)
3. Decision of salary benefits, bonuses, honorarium (in term of cash, or certificate or gifts)
4. Decision of annual increment
5. Identification of career progress path
6. Promotion policy
7. Accelerated promotion policy
8. Demotion policy
9. Suspension policy (officer of special duty)
f. Termination policy
1. Criteria for job termination
2. Resignation policy
3. Absconding policy
4. Forced termination, suspension, regular termination, post-termination (over and above the regular termination):
revocation of the resource's access, intimation to the payroll department, intimation to the
security department as well as the system administration department, and intimation to
other associated parties
Global Practices of Outsourcing
1. Time Zone (Europe EST, American GST)
2. Culture
3. Human policies/personnel policy (incentives)
4. Environment safety (at the place of physical production)
5. Telecommunication issues (eastern E1, American T1)
6. Regulatory issues (Taxes, Licensing issues, software piracy, cyber Rules)
7. Quality standard
Risk of the Outsourcing
1. Inappropriate selection of the vendor
2. Discontinuity or Denial of services
3. Loss of control over the information system
4. Loss of learning opportunity
5. The cost may exceed the allocated budget
6. The client expectation may not be fulfilled
7. The software may not be delivered in time
8. Vendors failure of legal or regulatory compliance
9. Technological obsolescence of the vendor's IT system
10. Lack of loyalty by the vendor
11. Contractual violation by the either parties
12. Resistance in changing the term of the contract
13. Increase in the organization inertia because the project is handed over to some other
party
14. Demand of hidden cost by the vendor
15. The expected level of services may not be delivered
16. Possibility of Data Disclosure or Security exposure
17. Noncompliance of standard which may bring either to the client or bring a regularity
plenty to his name
Auditing IT Governance and its Implementation
Documents to be reviewed by the Auditor
1. Company corporate policy document
2. IT Governance policy Document
3. Steering committee review
4. Steering committee review report
5. Strategy committee review
6. Strategy committee review report
7. IS controls review report
8. Information security policy
9. Information security policy review report
10. HR policy
11. Segregation of duties controls review report
12. Outsourcing contract review report
a. Contract award review report
b. Contract bidding procedures
c. Vendor selection process review
d. Contract compliance review report
SECTION 7
Auditing infrastructure and operations
IPF (information processing facility)
IE (infrastructure elements)
1. Hardware
2. Operating System
3. Business Applications
4. Databases
5. Telecommunication Networks
1. Hardware
a) Capacity Management
b) Hardware Acquisition Review
c) Deployment (Change Management Review)
a. Capacity Management
1. The auditor must review whether a plan or procedure exists for monitoring utilization
2. He will review the monitoring of processor usage, storage device utilization and
utilization of the telecommunication infrastructure
3. The auditor will review whether a future growth projection has been conducted
or not
4. The auditor will review the performance review criteria for the hardware
5. The auditor will review exception reports, problem logs, user feedback, the processing
schedule and their implementation (hardware should be adequate (sufficient), should
be available, and should have the required capability and capacity)
6. The auditor will review the support for access rights and policy implementation in the
organization
7. The auditor will review the following controls regarding OS installation:
Backup plans
Change impact assessment
Problem identification and resolution
Recovery procedures
8. The auditor will review the following controls regarding the security features of the OS:
Whether the OEM (original equipment manufacturer) supplied defaults (such as default
accounts and passwords) have been changed
Whether it supports audit trails and fraud detection
Access right definition and reporting of access right violations
Utilization of storage resources
Built-in support for antivirus, firewall and password policy implementation
9. The auditor will review the change control procedures and their respective controls:
Source code modification of the OS
The necessary changes to the documentation shall be made
Pre-change and post-change images of the OS shall be taken
All changes shall be tested before their implementation in the production
environment
Database Review
The auditor will review the following controls while performing the design review
1. Whether all the entities have been identified with proper naming conventions or not
2. Whether all the attributes, including single-valued, multi-valued and key attributes,
have been identified or not
3. Whether all the primary keys, candidate keys and foreign keys have been identified or
not
4. Whether all the relationships between the entities, the degree of each relationship and
the cardinalities have been identified or not
5. Whether a proper data dictionary has been developed or not
6. Whether a complete ERD has been developed and transformed into the respective tables or not
7. Whether normalization of the tables has been performed or not
8. Whether the data access method has been identified or not
9. Whether provision for a transaction log has been taken into consideration or not
Access Review
1. The IS auditor will review whether proper access control measures have been taken or not
2. Whether triggers have been properly implemented or not
(triggers are actions that are taken automatically at the occurrence of an event)
3. The auditor will also see whether the stored procedures have been properly
implemented or not (a stored procedure is a set of instructions grouped in the
form of a function that can be reused by the user)
4. The IS auditor will also review whether exceptions during transaction
processing are dealt with or not
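The following Python script is an added example (not part of the original notes) that builds a small SQLite database exhibiting the controls the design review and access review above check for: named entities and attributes, a primary key per table, a foreign key, a CHECK constraint, a trigger that writes an audit trail, and a transfer processed as one transaction whose exception is handled by rolling back. SQLite has no stored procedures, so the reusable unit is a Python function wrapping a single transaction; the table and column names and the sample rows are assumptions.

```python
"""Added example (not part of the original notes): a small SQLite database
that shows the controls the database design and access reviews look for.
Table and column names and sample rows are assumptions for illustration."""
import sqlite3

# Named entities and attributes, a primary key per table, a foreign key on the
# audit table and a CHECK constraint that rejects an overdrawn balance.
SCHEMA = """
CREATE TABLE account (
    account_id INTEGER PRIMARY KEY,
    owner_name TEXT    NOT NULL,
    balance    INTEGER NOT NULL CHECK (balance >= 0)
);
CREATE TABLE account_audit (
    audit_id    INTEGER PRIMARY KEY,
    account_id  INTEGER NOT NULL REFERENCES account (account_id),
    old_balance INTEGER NOT NULL,
    new_balance INTEGER NOT NULL,
    changed_at  TEXT    NOT NULL DEFAULT (datetime('now'))
);
-- Trigger: an action taken automatically on the event "balance changed";
-- it produces the audit trail (the transaction log provision of the design review).
CREATE TRIGGER trg_account_balance_audit
AFTER UPDATE OF balance ON account
BEGIN
    INSERT INTO account_audit (account_id, old_balance, new_balance)
    VALUES (NEW.account_id, OLD.balance, NEW.balance);
END;
"""


def open_db():
    """Create an in-memory database with the schema and constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless enabled
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO account (account_id, owner_name, balance) VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 50)],  # constructed sample data
    )
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Stored-procedure-like reusable unit: both updates succeed or neither does.
    Returns True on commit, False when the transaction was rolled back."""
    try:
        with conn:  # commits at the end of the block, rolls back on an exception
            conn.execute("UPDATE account SET balance = balance - ? WHERE account_id = ?",
                         (amount, src))
            conn.execute("UPDATE account SET balance = balance + ? WHERE account_id = ?",
                         (amount, dst))
        return True
    except sqlite3.IntegrityError:
        # CHECK or foreign-key violation: the exception is handled, nothing is
        # half-applied, and no audit row survives for the undone update.
        return False


def balances(conn):
    """Current balances keyed by account_id."""
    return dict(conn.execute("SELECT account_id, balance FROM account ORDER BY account_id"))


def audit_rows(conn):
    """Audit trail rows written by the trigger, in order."""
    return conn.execute(
        "SELECT account_id, old_balance, new_balance FROM account_audit ORDER BY audit_id"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(transfer(db, 1, 2, 30), balances(db))   # True {1: 70, 2: 80}
    print(transfer(db, 2, 1, 500), balances(db))  # False, balances unchanged
    print(audit_rows(db))                         # [(1, 100, 70), (2, 50, 80)]
```

A failed transfer leaves no audit row behind because the trigger's insert belongs to the same transaction that is rolled back, so an auditor reviewing the audit table sees only committed changes. The foreign key on account_audit.account_id is only enforced because the script turns on foreign keys explicitly; a reviewer of a real SQLite deployment should check for that pragma.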
Administration Review
The auditor will review whether proper controls have been put in place for the
following measures
a. Regular/periodic backup of the data
b. Data recovery measures in case of data failure
c. Performance tuning
d. Query Optimization
e. Concurrency Control
f. Definition of Access rights
g. Allocation and monitoring of the memory
Interface Review
1. The auditor will review whether the privileges for data import and export between
the database and the web, external sources and interdepartmental information systems
have been established or not
2. Whether proper security measures have been taken for the secure exchange of
data and for handling integrity issues
Portability Review
1. Whether proper measures have been taken for data portability, independent of
the DBMS, OS and technological infrastructure
LAN (Local Area Network) Review
1. Design Review
2. Review of Physical Controls
3. Review of Environment Controls
4. Review of the Logical Controls
5. Security Assessment and Testing Review
Design Review
The IS auditor will perform the following checks during the design review
1. Whether a proper network topology has been identified and whether a proper design for the
topology was prepared or not
2. Whether the selection criteria for the Network has been established or not
3. Whether all the essential networking devices, their location and their configuration
parameters have been identified or not
4. Whether the network protocols for different set of services have been identified or not
5. Whether proper IP and Port scheme have been identified or not
6. Whether the security devices and security protocols have been determined or not
7. Whether the administrative roles and their responsibilities have been identified and
assigned or not
8. Whether all the cables and their required specifications have been determined or not
9. Whether a network design diagram has been prepared, assessed, reviewed and
approved or not
10. Whether the network design diagrams and their latest versions have been maintained
or not
2. Review of Physical Controls
a) The auditor will review whether all the important networking devices like network
servers, gateways, routers and firewalls etc. have been kept in properly locked
premises or not
b) Whether a responsible and trained custodian has been deployed or not
c) Whether access to the network control room is restricted or not
d) Whether a visitors' log has been maintained or not
e) Similarly, whether the network control room key log has been maintained or not
f) Whether the server casings and workstation casings, removable storage devices, telephone
exchanges and the wiring closets have been physically protected or not
g) Whether proper surveillance of the network control room (NCR) with CCTV
cameras is in place or not
h) Whether the operations manuals of all the networking devices have been physically
protected or not
3. Whether the equipment maintenance schedule provided by the OEM is being strictly
followed or not
4. Whether preventive maintenance is being performed at off-peak hours to ensure
minimum interruption or discontinuity of services
5. Whether the performance logs of equipment running computationally heavy applications
are reviewed to determine whether the capacity of the hardware is sufficient for the
application or not
6. Whether the hardware availability and adequacy support the job schedule or not
4. Problem Management Review
1. The IS auditor will interview the IT support staff to learn whether they are aware of
their responsibilities and whether they are properly trained or not
2. Whether properly documented procedures exist for problem recording, problem
resolution and evaluation of the solution
3. Whether the problem records or performance records are being regularly reviewed to
identify the root cause of the problem, and to find the reason for any delay in problem
resolution and its justification
4. He will also review whether outstanding problem logs, recurring problem logs and delayed
problem logs are being reviewed by the management and whether follow-up or
preventive measures are being taken by the management or not
5. He will also review whether user feedback and remarks are being collected and
documented or not once the problem is resolved
6. He will also determine whether procedures exist for the unique identification
of the problem, problem tracking and status, solution and verification measures
7. Whether the management is being informed in a timely manner regarding
unresolved problems
8. He will also review whether the priority and the criticality of the problem are taken
into consideration or not when multiple problems coexist
9. Whether responsible and competent staff are authorized to resolve the reported
problem or not
10. Whether the statistics collected by the problem management department are being
used for process improvement or not
5. Scheduling Review
1. Whether proper time plans for all the official tasks are being properly prepared or not
2. Whether the schedule planning considers the requirement gathering time,
development and processing time and delivery time
3. The auditor will review the activity logs and the schedules to find out whether the
jobs are being performed in time and, if not, whether the delays are being
highlighted and the reasons for the delay are properly reported or not
4. Whether the relative priorities of the jobs and the workload of the employee to whom a job
is assigned are considered or not
5. Whether strict compliance with time and quality requirements is in practice or not
6. Whether the skills of the employees and the availability and adequacy of resources are
being considered during schedule planning or not
7. Whether all daily job schedules, or even daily shift-based schedules, are being prepared
and whether a responsible supervisor is assigned to each schedule or not
8. Whether the job schedule clearly describes the number of jobs, their sequence of
execution, their relative priorities, the work assigned to each particular job, the resource
requirements of the job, the deliverables of the job, job dependencies and slack time/extra
time
9. Whether the jobs which are not being performed in time are being investigated by the
management and whether follow-up measures have been taken to avoid recurrence of the delay
10. Whether the backlogs highlighting the outstanding jobs and delayed jobs are being
addressed by the management or not
Section 10
1. IS Audit Process
2. IT Governance and Management
3. Infrastructure and Operations
4. Protection of information assets
5. BCP and DRP
BCP
BCP Plan Parts
1. BCP Policy
2. Business Recovery Policy (BRP)
3. Continuity of operations plan
4. Continuity of IT Support plan
5. Crisis communication plan
6. DRP
7. Occupant emergency plan
8. Cyber incident response plan (BS 25999, ISO 17799 BCP Standards)
2. Business Recovery Policy (BRP)
It provides procedures for recovering business operations immediately after a disaster
3. Continuity of Operations Plan
It addresses the procedures and capabilities to sustain an organization's operations at an
alternate site or recovery site for up to several days
4. Continuity of IT Support Plan
It provides the procedures for recovering and sustaining major business applications,
e.g. ERP operations, an airline's operations or a manufacturing system in an
industry
5. Crisis Communication Plan
It defines the procedures to disseminate information and status about the event to
the general public, to the employees of the organization and to other stakeholders
6. DRP
It provides the procedures to facilitate the recovery capability at the alternate site; in
other words it gives detailed information on how the critical operations can be
kept running at the alternate site or the recovery site until the primary site becomes
operational again
7. Occupant Emergency Plan
It defines the procedures for minimizing the loss of life and damage to assets in
case of a physical disaster. It also deals with the safe evacuation of the workers from the
premises without injury or risk of loss of life
8. Cyber Incident Response Plan
It defines the procedures and strategies to detect a serious cyber-attack, to
respond to the incident and to limit its propagation and consequences. It
also deals with the correction of the resulting errors and the costs incurred by the cyber incident
Teams Participating in the BCP or DRP Plan
1. Senior management team (technical equipment procurement team)
2. Coordination team (training team)
3. Damage assessment team (testing)
4. Transportation and relocation team
5. Administrative support team
6. Physical security team
7. Media relations team
8. Legal affairs team
9. Premises evacuation team
10. Alternate site recovery team
11. Hardware and data salvage team
12. Server recovery team
13. Network support team
14. Application recovery team
15. Operating system support team
4. Cold Sites
1. Cold sites only provide premises and shelter, with the availability of basic
civic utilities
2. Cold sites provide very limited availability of hardware equipment as well as
telecom infrastructure, databases and business applications
3. They have a very long setup time, roughly up to a couple of weeks
4. They require that hardware equipment be purchased and transported to the
cold site after the disaster; subsequently its deployment, OS installation and
interconnection have to be performed
5. For networking, cold sites provide the wiring and cabling infrastructure, socket
ports and device shelves
5. IPF with Reciprocal Agreement
1. This site is a joint venture between two different companies having the highest degree
of compatibility in their services, needs and technological infrastructure.
2. It is recommended that both parties be located in two different geographical locations,
so that a single disaster does not affect both sites
3. These sites are cost effective
6. Mobile Sites
1. A mobile site is a recovery site that is maintained in a customized vehicle and that can
be easily moved to the location where it is required.
2. One of the most important advantages of a mobile site is its portability, the main cost
being that of its customization.
3. It is very helpful in circumstances where the location is not feasible for a
permanent recovery site.
4. Mobile sites can also be used to provide a temporary workaround in case the
primary site gets shut down.
5. They are very commonly used by cellular companies, health departments, oil
services companies, defense organizations and media companies.
6. It has no setup time, but the availability of services depends on the infrastructure
supported by the mobile site
BCP Process
1. Development of BCP Policy
2. Classification of operations and resources
3. Business impact analysis (BIA)
4. Development of BCP and DRP procedures
5. Testing and verification of BCP Plan and procedures
6. Training, drills and awareness campaigns
7. Audit the BCP Plan
1. BCP Policy Components
1. Definition of the disaster
2. Organizational management will for the BCP and DRP
3. Risk based framework for BCP
o Risk Based Assessment
o Controls for BCP
o Procedures for BCP Verification
o Legal, Regulatory, Environmental and security Compliance
4. Resources requirements and fulfillment for BCP
5. Training and awareness requirements
6. Reference to the procedures and documents related to the implementation of BCP
2. Classification of Operations
a) Critical operations
b) Vital operations
c) Sensitive operations
d) Non-sensitive operations
a. Critical Operations
1. Critical operations are those operations which cannot be performed unless they are
replaced by the same (exactly identical) system.
2. These systems have a very high downtime or interruption cost, and a
very low interruption tolerance time.
3. Examples are the supercomputer systems running the flight operations of an airline,
a business ERP for a company, or a mainframe computer running the core banking
solution
b. Vital Operations
1. Vital operations are operations which may be performed manually by humans, but only
for a very limited duration of time.
2. Such operations have a lower downtime cost as compared to critical operations and
therefore a higher interruption tolerance than critical operations.
3. For example, toll systems at a motorway interchange, an electronic tagging system for
luggage, or the point of sale (POS) cash and cheque clearance system of a
bank
c. Sensitive Operations
1. Sensitive operations are operations which can be performed manually even for a
longer period of time, such as several weeks; such systems have a relatively low
downtime cost as compared to critical and vital operations and a high
downtime tolerance.
2. These operations require additional human resources for their manual operation.
3. For example, physical security controls of the premises can be considered a sensitive
operation; data backup activity, power switching systems, replacement of the interactive
voice response (IVR) system, and job scheduling, assignment and planning can be
performed manually
d. Non-sensitive Operations
1. Non-sensitive operations are operations which can be suspended deliberately in
case of a disaster.
2. These operations can be shut down without causing any significant damage or loss to
the organization.
3. For example, the process improvement and quality assessment function, the external
audit function, and the change management function of the organization
3. Business Impact Analysis
In the business impact analysis, the possible disasters that might cause damage to the
critical operations and resources are identified
The following metrics are determined by the business impact analysis
a) Recovery point objective (RPO): the maximum age of the data that must be restored,
i.e. the tolerable data loss, which dictates how often backups are taken
b) Recovery time objective (RTO): the time within which the operation must be restored
c) Service delivery objective (SDO): the level of service to be provided while running in
the alternate mode
d) Maximum tolerable outage (MTO): the maximum time the organization can run in the
alternate mode
e) Interruption window (IW)
a. Tape Drives
1. Tape drives are very commonly used in the industry
2. Tape drives are usually used for data archiving and long-term data storage.
3. They offer large storage capacity at a low cost per unit of storage, although the drive
hardware itself is expensive.
4. They are well equipped with backup software and a tape drive controller to perform
or manage the functions of the tape drive.
5. With the advancement of technology, the rate of data retrieval and the success
percentage of data restoration have significantly increased.
6. If the tapes are used for incremental or differential backup they must be
loaded in the proper sequence for data restoration.
7. Another disadvantage of tape is portability: the tapes must
be physically transported from the backup site to the recovery site.
8. Tapes have no online port: the data is offline, which slows restoration but also keeps the
backup out of reach of online attacks such as ransomware or a compromised
administrator account
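Item 6 above, and the RPO and RTO metrics from the business impact analysis, can be checked mechanically. The following Python is an added example (not from the original notes) with a constructed backup catalogue; the labels, times and restore durations are assumptions. It generalizes the sequencing rule to a catalogue that mixes full, differential and incremental sets: load the latest full, then the latest differential taken after it, then every incremental taken after that, in time order.

```python
"""Added example (not part of the original notes): load order of backup sets for
restoration and a check of the result against the RPO and RTO from the business
impact analysis. The backup catalogue below is constructed; labels, times and
restore durations are assumptions."""
from datetime import datetime, timedelta

FULL, DIFF, INCR = "full", "differential", "incremental"


def backup(label, kind, when, restore_minutes):
    """One backup set in the catalogue."""
    return {"label": label, "kind": kind, "time": when, "restore_minutes": restore_minutes}


def restore_chain(catalog, target_time):
    """Backup sets to load, in order, to recover the latest state at or before
    target_time. Rule: latest full, then the latest differential taken after it
    (a differential holds all changes since that full, so earlier differentials
    and earlier incrementals are redundant), then every incremental taken after
    that, in time order, since each incremental holds only the changes since the
    previous backup of any kind."""
    usable = sorted((b for b in catalog if b["time"] <= target_time), key=lambda b: b["time"])
    fulls = [b for b in usable if b["kind"] == FULL]
    if not fulls:
        raise ValueError("no full backup at or before the target time")
    chain = [fulls[-1]]
    since = chain[0]["time"]
    diffs = [b for b in usable if b["kind"] == DIFF and b["time"] > since]
    if diffs:
        chain.append(diffs[-1])
        since = diffs[-1]["time"]
    chain += [b for b in usable if b["kind"] == INCR and b["time"] > since]
    return chain


def check_objectives(catalog, disaster_time, rpo, rto):
    """Data loss = time between the last usable backup and the disaster (against RPO);
    restore time = sum of load times along the chain (against RTO)."""
    chain = restore_chain(catalog, disaster_time)
    data_loss = disaster_time - chain[-1]["time"]
    restore_time = timedelta(minutes=sum(b["restore_minutes"] for b in chain))
    return {
        "load_order": [b["label"] for b in chain],
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "restore_time": restore_time,
        "rto_met": restore_time <= rto,
    }


# Constructed catalogue: weekly full on Sunday, daily differential, 6-hourly incrementals.
SUN = datetime(2024, 1, 7, 0, 0)
CATALOG = [
    backup("full-sun", FULL, SUN, 120),
    backup("diff-mon", DIFF, SUN + timedelta(days=1), 30),
    backup("incr-mon-12", INCR, SUN + timedelta(days=1, hours=12), 5),
    backup("diff-tue", DIFF, SUN + timedelta(days=2), 40),
    backup("incr-tue-06", INCR, SUN + timedelta(days=2, hours=6), 5),
    backup("incr-tue-12", INCR, SUN + timedelta(days=2, hours=12), 5),
]
DISASTER = SUN + timedelta(days=2, hours=15)  # constructed: Tuesday 15:00

if __name__ == "__main__":
    result = check_objectives(CATALOG, DISASTER, rpo=timedelta(hours=4), rto=timedelta(hours=2))
    for key, value in result.items():
        print(f"{key}: {value}")
    # load_order: ['full-sun', 'diff-tue', 'incr-tue-06', 'incr-tue-12']
    # data_loss: 3:00:00, rpo_met: True, restore_time: 2:50:00, rto_met: False
```

With the constructed catalogue the Tuesday 15:00 disaster loses three hours of data, which meets a four-hour RPO, but the 170-minute restore chain misses a two-hour RTO; that gap is exactly what the business impact analysis should surface before a disaster, and it is also why a restoration test should load the real chain rather than only the full backup.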
b. Data Mirroring/Data Replication
1. In this approach multiple data servers are established at a backup site or a remote site
for the primary storage system.
2. Since the data is transferred electronically over fast communication lines
between the primary site and the backup site, the data backup is available
online and there is no need for physical transportation, so the data restoration time is
relatively low. Note that replication copies every change, including a deletion or a
corruption, to the remote site immediately, so it does not replace point-in-time backups.
3. However, such infrastructure requires reliable networking and security measures for the
data transmission (authentication and encryption of the replication link)
4. It also requires the maintenance of a dedicated site with maintenance staff
c. Online Data Backup/Cloud Computing
1. It is the latest approach; in this approach the companies maintain their data backup
off-site at a facility maintained by a third party.
2. The client company has to pay a service subscription
3. The data backup is available online to the client over a high-speed WAN (Wide Area
Network) connection, so the companies can restore their data online without any
physical movement
4. Such infrastructure is not maintained by the clients, nor do they need to hire any staff for
that purpose; the client nevertheless remains responsible for the contractual terms that
govern how the provider protects the data (the data disclosure risk listed under the
risks of outsourcing above)
5. The advanced form of this approach is cloud computing
d. Data Backup to a Co-location Facility
1. In this approach the companies lease rack space at a co-location facility and
install their own backup equipment, including hardware and software; they may
use the networking infrastructure of the vendor, but they do not need to
invest in establishing the infrastructure
2. The client may deploy its own designated staff or may use the services of the vendor
3. Such arrangements normally require a lease agreement; additionally a contract of
WET lease or DRY lease can be applied here
e. RAID (Redundant Array of Independent or Inexpensive Disks)
1. It is a technology that consists of an array of hard drives controlled by a
specially designed hardware controller (or by a software RAID driver)
2. It provides fast recovery from the failure of a single drive (or two drives at some
levels) without restoring from backup. RAID is a redundancy measure, not a backup: a
file that is deleted, corrupted or encrypted by ransomware is written to every drive
alike, so regular backups are still required
3. It employs different techniques for data redundancy, for example data mirroring, data
duplexing and data striping with parity
4. It also provides support for data error detection, correction and recovery
5. Some RAID controllers also offer built-in encryption of data at rest; this is a
controller feature rather than a property of RAID itself
6. It also supports interfacing with different other technologies and
infrastructure
7. It provides very large volumes of storage with fast data reading and writing speed
8. Depending upon the features, RAID is divided into various levels; roughly
eleven (11) levels are in practice and any one can be used as per the business need.
The most commonly used are RAID 0 (striping), RAID 1 (mirroring) and RAID 5 (striping
with distributed parity), together with nested levels such as RAID 10
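Items 3 and 4 above (striping, parity and recovery) are easiest to see in code. The following Python is an added example, not part of the original notes, of RAID 5 style striping with rotating XOR parity: any single failed disk is rebuilt from the survivors, and a corrupted chunk is detected because the XOR over an intact stripe is all zeros. The disk count, chunk size and sample data are constructed.

```python
"""Added example (not part of the original notes): striping with XOR parity as
used by RAID 5, rebuilding any single failed disk from the survivors, and
detecting a corrupted chunk by a parity check. Disk count, chunk size and the
sample data are constructed for illustration."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length chunks; this is the parity chunk of a stripe."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe_no, ndisks):
    """RAID 5 rotates the parity chunk across the disks stripe by stripe."""
    return stripe_no % ndisks


def stripe(data, ndisks, chunk):
    """Lay data out as stripes of ndisks-1 data chunks plus one parity chunk.
    Returns a list of stripes, each a list of ndisks chunks (index = disk number)."""
    per_stripe = chunk * (ndisks - 1)
    padded = data + b"\x00" * ((-len(data)) % per_stripe)
    stripes = []
    for s in range(len(padded) // per_stripe):
        base = s * per_stripe
        chunks = [padded[base + i * chunk: base + (i + 1) * chunk] for i in range(ndisks - 1)]
        p = parity_disk(s, ndisks)
        stripes.append(chunks[:p] + [xor_blocks(chunks)] + chunks[p:])
    return stripes


def assemble(stripes, ndisks, length):
    """Read the data back, skipping each stripe's parity chunk."""
    out = b"".join(
        chunk
        for s, row in enumerate(stripes)
        for d, chunk in enumerate(row)
        if d != parity_disk(s, ndisks)
    )
    return out[:length]


def rebuild_disk(stripes, failed):
    """Recovery: the missing chunk of every stripe is the XOR of the other disks'
    chunks, whether the lost chunk held data or parity."""
    return [xor_blocks([c for d, c in enumerate(row) if d != failed]) for row in stripes]


def parity_check(stripes):
    """Error detection: the XOR over all chunks of an intact stripe is all zero bytes."""
    return [not any(xor_blocks(row)) for row in stripes]


if __name__ == "__main__":
    NDISKS, CHUNK = 4, 4
    data = b"RAID 5 rebuilds any single failed disk from its parity"
    layout = stripe(data, NDISKS, CHUNK)
    print(parity_check(layout))                                    # all True
    print(rebuild_disk(layout, 2) == [row[2] for row in layout])   # True: disk 2 rebuilt
    print(assemble(layout, NDISKS, len(data)) == data)             # True
```

Note what the parity check does not do: it cannot say which chunk is wrong, only that the stripe is inconsistent, and a deletion or overwrite performed through the file system updates the parity consistently, so it is replicated rather than detected. That is why RAID is an availability control and not a substitute for backup.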
b. Count
1. Difference between the actual number of critical operations to be restored and the
actual number of restored operations
2. Difference between the number of tape drives to be relocated and the number actually moved
3. Difference between the expected number of records to be restored and the actual
number of records restored
c. Amount
1. The percentage of administration, clerical and support tasks to be performed at the
recovery site
d. Accuracy
1. Accuracy describes the level of precision with which the restored transactions are
processed
2. A sample of transactions and their results at the recovery site are compared with the
corresponding transactions performed at the primary site
3. The accuracy of the transaction processing time or delay is also evaluated
Types of BCP Test
1. Paper Based Test
2. Simulation Test
3. Fully Operational Test
Insurance for BCP
1. IPF insurance and IS equipment insurance
2. Extra expense insurance
3. Business interruption insurance
4. Insurance of the Official Records and Data
5. Media transportation insurance
6. Operator errors and omissions
7. Fidelity coverage
8. Software loss insurance