CS507 Information Systems Final Term Paper Feb 2012

In order to justify the product design, which two approaches can be followed? (2 marks)

“Exception report can also be prepared from audit logs”. In this statement, what does Exception report mean
and what does it contain? (2 marks)

Consider a situation where unauthorized changes are made to system accidently or deliberately, then what
kind of threat has occurred and why? (2 marks)

From the given below statements recognize types of intrusion occurs in a system

1. Intruder can enter an organization physically to steal information system assets.

2. Intruder is trying to have an unauthorized access to the system (2 marks)

What is the role of ERP in E-commerce? (2 marks)

What are the applications of incremental model? (3 marks)

Explain the main reasons for using distributed system? (3 marks)

Zara creates her account at gmail.com. She login her account, check her mails. Then she reset her
passwords to keep her account secure from hackers. How can she make password more secure? (3 marks)

Ibrahim textile mill is going to launch an information system to interconnect its entire departments. The mill
owner wants the implementation of Information System immediately. It is very difficult for developer team to
make such information system in a very short time. As an I.T consultant what will you suggest to resolve this
issue? (3 marks)

Can we classify disaster with respect to its categories? If yes, then write down the classification. (3 marks)

How will you incorporate SDLC in risk management? Also identify phases of Risk Management? (5 marks)

A management consulting firm specializing in change management processes such as launching new
businesses, completing mergers, and doing internal reorganizations. The firm needed to automate their
business processes. In addition, the company needed new functionality such as the ability to build client
activity sequences and hierarchies, capture and update the status of change management events,
disseminate change activity information by viewing, printing, summarizing, and building presentations. How
can you fulfill its requirement change? (5 marks)

Suzuki motors has its own website. All of their brand details are available. Now they have launched a new
brand of car, they have organized all the data related to their brand and finally drawn out a report. How is
report preparation beneficial? (5 marks)
 FINALTERM EXAMINATION
Spring 2011
CS507- Information Systems
17th July, 2011

Time: 120 min

M a r k s: 80
Total MCQ= 40
CS507 - Information System - Question No: 41 ( M a r k s: 2 )
What are the parameters to be covered by Designing usable and complete input

CS507 - Information System - Question No: 42 ( M a r k s: 2 )

What are the drawback of authoritative management style?

CS507 - Information System - Question No: 43 ( M a r k s: 2 )

What is logical intrusions?

CS507 - Information System - Question No: 44 ( M a r k s: 2 )

Identify any two types of supply chain?

CS507 - Information System - Question No: 45 ( M a r k s: 2 )

Identify which information is used as input and output for vulnerability
Assessment
I. a)Potential vulnerability
II. b)Any audit comments

CS507 - Information System - Question No: 46 ( M a r k s: 3 )

What is the critical success factor? Give examples.

CS507 - Information System - Question No: 47 ( M a r k s: 3 )

What are the objectives/purposes of the DFDs?

CS507 - Information System - Question No: 48 ( M a r k s: 3 )

What are the issues that can be faced in the cost of End User Computing?

CS507 - Information System - Question No: 49 ( M a r k s: 3 )

How Audit trails are technical mechanism that helps managers to maintain
individual accountability?

CS507 - Information System - Question No: 50 ( M a r k s: 3 )

In a textile organization the administrator wants to monitor network activities of
the server that resides in finance dept. What types of IDS can be installed to
protect this system from security treats?

CS507 - Information System - Question No: 51 ( M a r k s: 5 )

Suggest any five methods of avoiding internet attacks?

CS507 - Information System - Question No: 52 ( M a r k s: 5 )

What is the role of behaviour blockers?

CS507 - Information System - Question No: 53 ( M a r k s: 5 )

Give comparison of ERP to Integrated Systems?

FINALTERM EXAMINATION
Spring 2011
CS507- Information Systems

Time: 120 min

Mark
s: 87
Paper Pattern: Total Questions: 53 MCQ’s 40
Subjective 05 (2 Marks) Subjective 04 (3 Marks) Subjective 05 (5
Marks)
2 & 3 Marks Questions:
Q1: Differentiat between Bugs and Virus?
Q2: What do you mean by messaging?
Q3: Define Vulnerability?
Q4: What steps should be followed to assess the risk?
Q5: How we can assess the risk by using the risk analysis?

5 Marks Question:
Q6: Differentiate between CRM and ERP?
Q7: Define Ecommerce and also tell how it helps in Business?
Q8: How much IS Integration function important and define in detail?

Q9: Compare the functions of Small Size Organization to the Large Size
Organization?

Q10: Define Firewall in detail and how it protects computer from the threats?

CS507 Final 2011 Paper Subjective Shared and Solved by Adnan

Awan
Define Object Oriented Analysis and Design (OOAD)? (2
marks)
Answer
The concept of object oriented analysis and design focuses on
problems in terms of classes and objects. This concept combines
aspects of both entity relationship diagram and data flow diagrams.
The object oriented analysis and design tool has been devised to
support the object oriented languages, for example
C++ and Java. The roots of the concept of object orientation
evolved in late 60’s with the emergence of first language “SIMULA
67” as the first object oriented language. Object oriented
methodologies do not
replace traditional approaches (such as data flow, process flow, and
state transition diagrams); they are important new additions to the
toolkit.

Inputs for threat identification Mark 2

Answer
“A threat is some action or event that can lead to a loss.”
Various types of threats may exist that could, if they occur result in
information assets being exposed, removed either temporarily or
permanently, lost, damaged, destroyed, or used for un-authorized
purposes are identified. Susceptibility to threats, whether logical or
physical are a major risk factor for the data base
and information system of an organization. These risks are to be
identified and steps that include physical and logical controls need to
be instituted and monitored on a regular basis.
Define Computer Aided Manufacturing (CAM)? (2 marks)
Answer
Computer-aided manufacturing (CAM) is a form of automation
where computers communicate work instructions directly to the
manufacturing machinery. The technology evolved from the
numerically controlled machines of the 1950s, which were directed
by a set of coded instructions contained in a punched paper tape.
Today a single computer can control banks of robotic milling
machines, lathes, welding machines, and other tools, moving the
product from machine to machine as each step in the
manufacturing process is completed. Such systems allow easy, fast
reprogramming from the computer, permitting quick implementation
of design changes. The most advanced systems, which are often
integrated with computer-aided design systems, can also manage
such tasks as parts ordering, scheduling, and tool replacement. It is
a system that uses computer aided techniques to control production
facility. Some of these techniques are Computer-aided process
planning – Use of computer to control activities and functions to
prepare a detailed set of plans and instructions to produce a
machine or part. -- Machines Computerised Numerical control (CNC)
– refers specifically to the computer control of machine tools for the
purpose of (repeatedly) manufacturing complex parts in metal as
well as other materials. e.g. drills, wood routers use this technology.
Robotics programming – The science or study of the technology
associated with the design, fabrication, theory, and application of
robots. – Automobile industry.

Define Dropper and Trojan horse? (2 marks)

Answer
A Trojan horse is a malicious program that is disguised as or
embedded within legitimate software. They may look useful or
interesting (or at the very least harmless) to an unsuspecting
user,but are actually harmful when executed. Examples are
Logic bomb – Trojan horses are triggered on certain event, e.g.
when disc clean up reaches a
certain level of percentage
Time bomb – Trojan horse is triggered on a certain date.
What are the objectives of ERP? (2 marks)

Answer
Enterprise Resource Planning or ERP uses multimodal application
software for improving the performance of the internal business
processes. ERP software systems may include application modules
for supporting marketing, finance, accounting and human resources

Define ERP? (2 marks)

Answer
“ERP (enterprise resource planning) is an industry term for the
broad set of activities supported by multi-module application
software that helps a manufacturer or other business manage the
important parts of its business, including product planning, parts
purchasing, maintaining inventories, interacting with suppliers,
providing customer service, and tracking orders.

Briefly define hackers? (3 marks)

Answer
Hackers
A hacker is a person who attempts to invade the privacy of the
system. In fact he attempts to gain un authorized entry to a
computer system by circumventing the system’s access controls.
Hackers are normally skilled programmers, and have been known to
crack system passwords, with quite an ease. Initially hackers used to
aim at simply copying the desired information from the system. But
now the trend has been to corrupt the desired information.

Discuss Technical Limitations of Ecommerce in business? (M

a r k s: 3)
Answer
Why E-Commerce business
Due to rapid expansion in business, and time pressures from
customers, Efficiency in delivering products and information there to
and addressing complaints is of paramount importance. Use of
internet or web services can be a very effective tool in achieving this
goal. It helps to achieve various business goals in the fastest
possible way, e.g. sharing production schedules with
suppliers, knowing customer demands for future in advance. These
days almost all businesses have Ecommerce, from fast food chains
to automobile manufacturers. Online orders can be
placed along with online payment made. All this is possible with the
use of E-commerce. According to Lou Gerstner, IBM’s former CEO,
“E-business is all about time, cycle, speed, globalization, enhanced
productivity, reaching new customers, and sharing knowledge across
institutions for competitive advantage.”

What are three challenges faced by security association of

USA?(3 marks)

Answer
Ethical Challenges
Information system security association of USA has listed down
following ethical challenges
1. Misrepresentation of certifications, skills
2. Abuse of privileges
3. Inappropriate monitoring
4. Withholding information
5. Divulging information inappropriately
6. Overstating issues
7. Conflicts of interest
8. Management / employee / client issues

Briefly describe SDLC? (3 marks)

Answer
Systems Development Life Cycle System Development Life Cycle
(SDLC) is the overall process of developing information systems
through a multi-step process from investigation of initial
requirements through analysis, design, implementation and
maintenance. SDLC is also known as information systems
development or application development. SDLC is a systems
approach to problem solving and is made up of several
phases, each comprised of multiple steps. It describes the stages a
system passes through from inception until it is discarded or
replaced. SDLC provides
• Structure
• Methods
• Controls
• Checklist

what should be kept in mind while identifying the risk? (3

marks)

Answer
Risk identification is often confused with risk mitigation. Risk
mitigation is a process that takes place after the process of risk
assessment has been completed. Let’s take a look at various risk
mitigation options.
• Risk assumption: To accept the potential risk and continue
operating the IT system or to
implement controls to lower the risk to an acceptable level.
• Risk Avoidance: To avoid the risk by eliminating the risk cause and
e.g. forgo certain functions of
the system or shut down the system when risks are identified.
• Risk Limitation: To limit the risk by implementing controls that
minimize the adverse impact of a
threat’s exercising a vulnerability e.g. use of supporting preventive
and detective controls.
• Risk Planning: To manage risk by developing a risk mitigation
plant that predicts implements and
maintains controls.
• Research and acknowledgement: To lower the risk of loss by
acknowledging vulnerability or flaw
and researching controls to correct the vulnerability.
• Risk Transference: To transfer the risk by using other options to
compensate loss such as
purchasing insurance.

Droppers and Trojan horses, 2 marks

Answer
A Trojan horse is a malicious program that is disguised as or
embedded within legitimate software.
They may look useful or interesting (or at the very least harmless)
to an unsuspecting user, but are actually harmful when executed.
Examples are
Logic bomb – Trojan horses are triggered on certain event, e.g.
when disc clean up reaches a
certain level of percentage
Time bomb – Trojan horse is triggered on a certain date.

Why is the production subsystem said to be the most critical

part of the entire manufacturing subsystem? (Marks 2)

Answer
Production Sub System
It can be seen as the most critical part of the entire manufacturing
sub system. Basically it tracks the flow of the job through the entire
production process. It also records change in form of goods or
transfer of goods from one place to the other.
Example Consider a manufacturing entity working with three
processing departments and one assembly
department. As raw materials pass through the processes, the sub
system records the relevant information at specific points or
locations until the finished goods are transferred to stock room

Model of DSS 2 marks

Answer
Model driven DSS uses following techniques
What-If analysis
Attempt to check the impact of a change in the assumptions (input
data) on the proposed solution
e.g. What will happen to the market share if the advertising budget
increases by 5 % or
10%?
 Goal Seek Analysis
Attempt to find the value of the inputs necessary to achieve a
desired level of output. It uses “backward” solution approach e.g. a
DSS solution yielded a profit of $2M. What will be the necessary
sales volume to generate a profit of $2.2M?
Define object mark 2
Answer
An object is defined as
“an abstraction of something in a problem domain, reflecting the
capabilities of the system to keep information about it, interact with
it, or both.”
How virus and worn can be transmitted into computer?
Identify any three sources? (3)

Answer:
Virus or worms are transmitted easily from the internet by
downloading files to computers web browsers. Other methods of
infection occur from files received though online services, computer
bulletin board systems, local area networks. Viruses can be placed
in various programs, for instance
1. Free Software – software downloaded from the net
2. Pirated software – cheaper than original versions
3. Games software – wide appeal and high chances
4. Email attachments – quick to spread
5. Portable hard and flash drives – employees take disks home and
may work on their own personal PC, which have not been cleaned or
have suitable anti-viruses installed on them.

Why TQM effective for the organization

Answer

Total Quality Management (TQM)

TQM is a set of management and control activities which focus on
quality assurance. The quality of the products and services is
enhanced and then offered to consumers. An organizational
undertaking to improve the quality of manufacturing and service, it
focuses on obtaining continuous feedback for making improvements
and refining existing processes over the long term. There are certain
Graphical tools used to implement and promote TQM. For instance
Histogram
Pareto Analysis
Cause & Effect Diagram
List down the component of an IDS? Marks 3
Answer
Components of IDS An IDS comprises on the following:
• Sensors that is responsible for collecting data. The data can be in
the form of network packets, log
files, system call traces, etc.
• Analyzers that receive input from sensors and determines intrusive
activity.• An administration
console
• A user interface
Classify E-Commerce into different classes. identify any five classes?
Mark 5
Answer
The most prevalent of E-Commerce models can be classified as
under:
1. Business to Consumer (B2C)
2. Business to Business (B2B),
3. Business to Employee (B2E),
4. Consumer to Consumer (C2C) and
5. E-Government
• Government to Citizens/Customers (G2C)
• Government to Business (G2B)
• Government to Government (G2G
Truth table of and operator in fuzzy system
Answer
Fuzzy Logic
The word Fuzzy literally means vague, blurred, hazy, not clear. Real
life problems may not be solved by an optimized solution. Hence
allowance needs to be made for any imperfections which may be
faced while finding a solution to a problem. Fuzzy logic is a form of
algebra employing a range of values from
“true” to “false” that is used in decision-making with imprecise data,
as in artificial intelligence systems. It is a rule based technology that
tolerates imprecision by using non specific terms/ imprecise concepts
like "slightly", "quite" and "very". to solve problems. It is based on
the Possibility theory.
which is a mathematical theory for dealing with certain types
of uncertainty and is an alternative to probability
theory Parameters of audit trail? Mark 2
Answer
Audit trail analysis can often distinguish between operator-induced
errors (during which the system may have performed exactly as
instructed) or system-created errors (e.g., arising from a
poorly tested piece of replacement code). For Example a system fails
or the integrity of a file (either program or data) is questioned, an
analysis of the audit trail can reconstruct the series of
steps taken by the system, the users, and the application.

Describe security goals Mark 5

Answer
The three security goals.
• Loss of integrity: System and data integrity refers to the
requirement that information should be
protected from improper modification. Integrity is lost if unauthorized
changes are made to the data or IT system by either intentional or
accidental loss of system or data. Violation of integrity may be the
first step in a successful attack against availability or confidentiality.
For all these reasons, loss of integrity reduces assurance of an IT
system.
• Loss of availability: If a mission-critical IT system is unavailable to
its end user, the organization’s missions may be affected. Loss of
system functionality and operational effectiveness.
• Loss of confidentiality: System and data confidentiality refers to the
protection of information from unauthorized disclosure. The impact of
unauthorized disclosure of confidential information can
range from the jeopardizing of national security. Unauthorized,
unanticipated, or unintentional disclosure could result in loss of public
confidence embarrassment or legal action against the
organization
Consequences of thread occurrence? Mark 5
Answer When a threat occurs, there can be following consequences.
1. Controls against the threat exists
• Controls can help stop the occurrence of the threat.
• Threat occurs but damage is avoided by the controls
• Threat circumvents controls and causes damage
2. Controls against threat do not exist.
• Threat has not yet been identified
• Threat has been identified but the consequent loss is considered as
minor
• Threat occurs, whether identified or Threat can cause damage
whether controls exist or not.

What do you know about change agents? Mark 5

Change agents Successful changes and their management are
backed by presence of a change agent. A person or a team who leads
a change project or business-wide initiative by defining, researching,
planning, building business support and carefully selecting volunteers
to be part of a change team. Change Agents must have the conviction
to state the facts based on data, even if the consequences are
associated with unpleasantness. Change Agent consciously
challenges the status quo, is comfortable with leading change
initiatives with uncertain outcomes and systematically
considers new and better ways of doing things. ERP is such a large
scale project that sponsorship from the senior management is an
immediate must. Unless the project itself and the consequential
change is sponsored from the senior level, the chances of success are
quite bleak.

What is TQM? Tools used promote (TQM) mark 5

Total Quality Management (TQM)
TQM is a set of management and control activities which focus on
quality assurance. The quality of the products and services is
enhanced and then offered to consumers. An organizational
undertaking to improve the quality of manufacturing and service, it
focuses on obtaining continuous feedback for making
improvements and refining existing processes over the long term.
There are certain Graphical tools used to implement and promote
TQM. For instance
Histogram
Pareto Analysis
Cause & Effect Diagram

Compare ERP and integrated system Mark 5

Answer
ERP Compared to integrated Software
The concept of ERP is that of an integrated software. An integrated
software can be defined as a software package that combines many
applications in one program. Previously, the user
needed various utilities to operate the program and provide suitable
interfaces. Today these utilities are an integral part of the software.
Thus the receipt of a confirmed customer order
should provide the start of a number of activities that are essential
to complete and deliver the order. There is no need to separately
enter data for each of the other related activities.
Integrated packages can move data among several programs
utilizing common commands and file structures. In effect, there are
multiple applications using the same data simultaneously. An
integrated package is recommended when identical source
information is to be used for varying purposes and activities

What is the concept of IS Audit? (5 marks)

 IS audit Information systems include accounting and finance
function as a critical part of the entire system. Hence, these days
audit of information systems as whole incisively focuses on finance
and accounting aspect as well. For example, all banks and financial
institutions have soft wares supporting interest computations. During
the audit of IS, the integrity of the source code/program
instructions have to be checked and assurance obtained that these
have not been tampered with or altered in any manner.
An information technology (IT) audit or information systems (IS)
audit is an examination of the controls within an entity's Information
technology infrastructure. When transactions are executed and
recorded through computers, the lack of physical audit trail requires
implementation of controls with the Information systems so as to
give the same result as controls are implemented in a manual
information system IS audit focuses more on examining
the integrity of controls and ensuring whether they are properly
working. Obtained evidence evaluation can ensure whether the
organization's information systems safeguard assets,
maintains data integrity, and is operating effectively and efficiently
to achieve the org.

CS507 Final 2011 Paper Subjectives Shared by Students

There were 53 Questions in All .... Total M a r k s: 80

MCQs = 40 for 40 Marks

Subjects= 13 for 40 Marks ( five for 2 marks , Five for 3 marks and three for 5
marks )
mcqs

Subjectives which i remember

1. Define Class? 2 marks
2. a)Define Ethics?
b) Code of ethics?

3. What is uses of DSS gives examples. 3 marks

4. What are the types of threats ? 5 marks
Answer: There are three types of threats.
1-Physical threats: It refers to damage caused to the physical infrastructure of
information
system. For example:
1-Fire
2-Water
3-Intrusion
4-Energy variation
5-Pollution
6-Structural damage
2-Logical Threat: It refers to damage caused to the information system without any
physical
presence.
1-Worms and viruses
2-Logical intrusion

5. What you know about Malware? and what types of the Malware are there
gives examples.. 5 marks
6. What are components of Intrusion detection system? 3 marks
Sensors that are responsible for collecting data. The data can be in the form of
network
packets, log files, system call, traces, etc. Analyzers that receive input from
sensors and
determine intrusive activity An administrative console – it contains intrusion
definitions applied
by the analyzers.A user interface

7.

What are the basic components of DSS?

There are two major components
• DSS data base – is a collection of current and historical data from internal
external sources. It
can be a massive data warehouse.

8. list down the components of IDS

Components of IDS
An IDS comprises on the following:
• Sensors that are responsible for collecting data. The data can be in the form of
network packets,
log files, system call traces, etc.
• Analyzers that receive input from sensors and determines intrusive activity.
• An administration

9. Define intrusion detection 2 marks

An element to securing networks is an intrusion detection system (IDS). IDS is
used in
complement to firewalls. An IDS works in conjunction with routers and firewalls
by monitoring
network usage anomalies. It protects a company’s information systems
resources from external
as well as internal misuse

10. what is change management and what are its types? 5 marks
Types of change management:
1- Organizational Development:
2- Re-engineering

11. what is Access Controls , explain with a practical example? 3 marks

Access Controls
These controls establish the interface between the would-be user of the
computer system and the
computer itself. These controls monitor the initial handshaking procedure of the
user with the
operating system. For example when a customer enter the card and the pin code
in an automatic
teller machine (ATM), the access controls are exercised by the system to block
unwanted or
illegitimate access.

12. what are the intruders ?

13.

Differentiate the following (Intrusion Detection vs Variance

Detection
Intrusion detection
Intrusion detection refers to the process of identifying attempts to penetrate a
system and gain unauthorized access. If audit trails have been designed and
implemented to record appropriate information, they can assist in intrusion
detection. Intrusion detection system can be made part of the regular security
system to effectively detect intrusion. Real time intrusion detection is technical
and complex to achieve but reasonable extent can be attained. Real-time
intrusion detection is primarily aimed at outsiders attempting to gain unauthorized
access to the system.
Variance detection and audit trails
Trends/variance-detection tools look for anomalies in user or system behavior. It
is possible to
monitor usage trends and detect major variations. The log can be detected and
analyzed to detect
the irregularity. For example, if a user typically logs in at 9 a.m., but appears at
4:30 a.m. one
morning, this may indicate either a security problem or a malfunctioning of the
system clock,
that may need to be investigated. The log can be sorted/filtered for all log ins
befor 9 a.m. from
that particular terminal

14. Differentiate between Objective & Scope of intrusion detection system.

3 marks

There were 40 MCQs

5 short q of 2 mark
5 short q of 3 mark
3 short q of 5 mark
Subjective portion is as followed
What are the parameters to b covered by designing useable n complete input ? 2
What are basic issues that should b considered at very beginning of system
development planning ?2
Application events n user events belong to which audit record n y ? 2
Identify types of change management ?2
What are security threats to information system ?2
How passwords can b secured ? 3
What r reusable soft wares ?3
Define risk determination?3
How information is kept in purchase system ? 3
Differ CRM from ERP ?3
Important of computer security system in aviation industry ?5
How firewall protect the network from unauthorized access ? 5
How will u incorporate SDLC in risk management n write the phases of risk
management ?5

CS507 : My Paper (Parishy Aziz)

2 marks: What is off page connector
Answer: If the flowchart becomes complex, it is better
to use connector symbols to reduce the number of flow
lines. Off-Page Connector is used to connect remote
flowchart portion on different pages.
3 marks : What is the data driven support system
Data Driven DSSAs opposed to model driven DSS, these
systems use large pools of data found in major
organizationalsystems. They help to extract information
from the large quantities of data stored. These systems
rely onData Warehouses created from Transaction
Processing systems.• They use following techniques for
data analysis• Online analytical processing, and• Data
miningComponents of DSSThere are two major components•
DSS data base – is a collection of current and
historical data from internal external sources. It can
be amassive data warehouse.• Decision Support Software
system – is the set of software tools used for data
analysis. For instance• Online analytical processing
(OLAP) tools• Data mining tools• Models

2 marks :What do u know about hackers.

Hackers
A hacker is a person who attempts to invade the privacy
of the system. In fact he attempts to gain un
authorized entry to a computer system by circumventing
the system’s access controls. Hackers are normally
skilled programmers, and have been known to crack
system passwords, with quite an ease. Initially hackers
used to aim at simply copying the desired information
from the system. But now the trend has been to corrupt
the desired information.

3 marks : List down the component of an IDS

Components of IDSAn IDS comprises on the following:•
Sensors that are responsible for collecting data. The
data can be in the form of networkpackets, log files,
system call traces, etc.• Analyzers that receive input
from sensors and determines intrusive activity.• An
administration console• A user interface.
3 marks : Identify the information that is required
before conducting the impact analysis
Impact AnalysisThis phase determines the adverse impact
resulting from a successful threat exercise
ofvulnerability. Following information is required
before conducting an impact analysis.1. System mission
e.g. the process performed by IT system.2. System and
data criticality e.g. the system’s value or importance
to an organization3. System and data sensitivityThe
information can be obtained from existing
organizational documentation
Impact needs to be measured by defining certain levels.
E.g. high medium low as qualitativecategories or
quantifying the impact by using probability
distribution.• Mission Impact Analysis• Assess
criticality assessment• Data criticality• Data
sensitivityThe output of this phase is impact rating.

3 marks : What do u understand by supply chain

management
There are lot of Material regarding this question in
the Lesson No 42 of the handouts
5 marks : Discuss why firewall is the primary method
keeping a computer can be secure from intruders .
FirewallFirewall is the primary method for keeping a
computer secure from intruders. A firewall allows
orblocks traffic into and out of a private network or
the user's computer. Firewalls are widely used togive
users secure access to the Internet as well as to
separate a company's public Web server fromits internal
network. Firewalls are also used to keep internal
network segments secure; for example,the accounting
network might be vulnerable to snooping from within the
enterprise. In the home,a personal firewall typically
comes with or is installed in the user's computer.
Personal firewalls mayalso detect outbound traffic to
guard against spy ware, which could be sending your
surfing habitsto a Web site. They alert you when
software makes an outbound request for the first time.
In theorganization, a firewall can be a stand-alone
machine or software in a server. It can be as simple
asa single server or it may comprise a combination of
servers each performing some type of
firewallprocessing.

Why we need to secure information systems

The information systems are vulnerable to modification,
intrusion or malfunctioning. Hence they need tobe
secured from all these threats be devising a sound
security system.“Information assets are secure when the
expected losses that will occur from threats
eventuating oversometime are at an acceptable
level.”28.1 Security IssuesSome losses will inevitably
occur in all environments. So eliminating all possible
losses is either impossibleor too costly. Level of
losses should be specified. The level of losses decided
should be linked with a timeperiod in which the
occurrence would be tolerated. The definition mentions
threats, which can be either• Physical, (e.g. Theft,
rain, earthquake, disasters, fire) or• Logical (e.g
intrusion, virus, etc)Examples of intrusionThe security
might be required to stop unauthorized access to the
financial system of a bank from executingfraudulent
transactions. The purpose of intrusion may not only be
to damage the database of the companybut may be limited
to stealing customer list for personal use transferring
money illegally. An employeebefore leaving the company
may have to be stopped from data manipulation, though
he is havingauthorized access to the system.

5 marks : Discuss the detail of the 4 categories’ of

ethical issue
Privacy and EthicsWhenever one has to talk of privacy,
ethics is the second half of it. It won’t be wrong to
say thatprivacy may not have been an issue had it not
been linked with the ethical view a society has.There
are certain aspects which when put together formulate a
set of ethical issues. These are1. Privacy issues2.
Accuracy issues3. Property issues4. Accessibility
issues
Privacy issuesFollowing aspects should be covered when
privacy is dealt with.• What kind of surveillance
should be used by an employer on an employee?• What
things can keep to themselves and not be forced to
reveal to others?• What information about individuals
should be kept in database and how secure is
theinformation there – Issues of Data Protection• What
can be revealed to others about oneself if one is
required to do so?Accuracy IssuesFollowing are some of
the accuracy issues.• How can we ensure that
information will be processed and presented properly?•
Who is responsible for checking the correctness of
information collected?• Is there any track of errors,
omissions made in the database and who has made them
atwhat time.• Who is to be held accountable for the
changes made in data base, whether authorized
orunauthorized, intentional or unintentional.Property
IssuesFollowing are some of the property issues.• There
has to be defined owner of the information• Issues of
software piracy
• Use of corporate computers for private use• Who
should access which component of information
database.Accessibility IssuesThese mostly comprise of
two aspects.• Extent of access to be given to various
employees in the organization.• The definition of
privileges of each person.
5 marks : Write a complete note on the Focal Point.
What is focal Point?A corporate-level facilitator may
serve as a focal point for assessments throughout the
company,including those pertaining to information
security because of familiarity with the tools and
thereporting requirements. Each business unit in an
organization may have a designated
individualresponsible for the business unit's risk
assessment activities. The computer hardware
andsoftware company, may also create a team for the
purpose of improving the overall riskassessment process
and reviewing results of risk assessments in the
hardware and softwaresystems from the perspective of
offering a better, reliable and risk free product.

2 marks: What is entity relationship management

2 marks: Identify aspects which re necessary to be
covered when property issues for privacy is dealt with.
Property IssuesFollowing are some of the property
issues
.• There has to be defined owner of the information•
Issues of software piracy
• Use of corporate computers for private use
• Who should access which component of information
database.

2 marks: Give a brief definition of ERP

“ERP (enterprise resource planning) is an industry term
for the broad set of activities supportedby multi-
module application software that helps a manufacturer
or other business manage theimportant parts of its
business, including product planning, parts purchasing,
maintaininginventories, interacting with suppliers,
providing customer service, and tracking orders.”

2 marks: Define centralized processing

Centralized Processing is performed in one computer or
in a cluster of coupled computers in a singlelocation.
Centralized processing was the architecture that
evolved from the very first computers; however,user
access was via dumb terminals that performed none of
the primary processing. Today, centralizedcomputers are
still widely used, but the terminals are mostly full-
featured desktop computers.

2 marks: Identify the role of senior management and

BODs in risk management Process
The Senior management and the board of Directors are
responsible for identifying, assessing,
prioritizing,managing and controlling risks. They
should ensure that necessary resources are devoted to
creating,maintaining and testing the BCP. The
effectiveness of the BCP depends on management
commitments andability to clearly identify what makes
business processes work. BCP is not limited to the
restoration of theIS technology and services or data
maintained in electronic form. Without a BCP that
considers every singlebusiness unit including personnel
workspace and similar issues.

3 marks: What should be the most important

information required for large organization in your
opinion .
Information Requirements of Large OrganizationsWith
such a large structure, it is inevitable that the
detailed planning should be made for propermanagement
control, for both short term and long term.Performance
measurement against plans / targetsNature of the
Business and Information Requirements• Manufacturing
Sector• Service Sector• Trading Sector1. Manufacturing
SectorManufacturing process involves more than one sub-
processes, detailed information is required
beforetransferring materials for warehousing,
manufacturing and sale to final consumer.Information
Requirements of Manufacturing SectorManagement is
concerned with the day to day costs, production
targets, quality of the product, deliveryschedules,
etc.2. Service SectorFinal product is intangible, so
information is critical at various steps, e.g.
preparation, delivery and customer
satisfaction. Quality maintenance is an issue which
requires structured reporting.Information requirements
of Service Sector• Quality of service provided.• Mode
of delivery• Customer Satisfaction• Time Scheduling•
Resource ManagementTrading SectorMonitoring requires
information for each product, e.g.• Customer profiles•
Customer Comments• Volume of sales• Profitability•
Stock movements Manufacturing/Procurement Cycle• Market
needs

Today my Current CS507 paper (unknown student)

( M a r k s: 2 )What is an entity?
EntityAn entity is an object that exists and is
distinguishable from other objects. An entity is
described using a setof attributes. For example
specific person, company, event, plant, crop,
department, section, cost center.

( M a r k s: 2 ) Why we need to secure information

systems?
Importance of SecuritySound security is fundamental to
achieving this assurance. Furthermore, there is a need
for organizations toprotect themselves against the
risks inherent with the use of information systems
while simultaneouslyrecognizing the benefits that can
accrue from having secure information systems. Thus, as
dependence oninformation systems increases, security is
universally recognized as a pervasive, critically
needed, quality.
Management’s responsibilityExecutive management has a
responsibility to ensure that the organization provides
all users with a secureinformation systems environment.
Importance for security should be sponsored by the
senior management.This would make employees/users of
IS, feel the importance of secure environment in which
the IS worksand operates un-tampered.

( M a r k s: 2 ) Identify types of change management.

Change managementChange management means to plan,
initiate, realize, control, and finally stabilize
changeprocesses on both, corporate and personal level.
Implementation of ERP or any otherintegration software
needs commitment and proper management. Managing change
inimplementation projects has become a serious concern
for the management.Types of Change• Organizational
Development: This is the more gradual and evolutionary
approach tochange. It bases on the assumption that it
is possible to align corporate objectives with
theindividual employees’ objectives. In practice,
however, this will rarely be possible.• Reengineering:
This is known as corporate transformation or business
transformation. Itis the more radical form of change
management, since it challenges all elements
ofprocesses or structures that have evolved over time.

( M a r k s: 2 ) What is CRM?
CRM is a business strategy that goes beyond increasing
transaction volume.• Its objectives are to increase
profitability, revenue, and customer satisfaction.• To
achieve CRM, a company wide set of tools, technologies,
and procedures promote the relationshipwith the
customer to increase sales.• Thus, CRM is primarily a
strategic business and process issue rather than a
technical issue.
OR
Customer relationship management (CRM) is a widely-
implemented strategy for managing a company’s
interactions with customers, clients and sales
prospects. It involves using technology to organize,
automate, and synchronize business processes—
principally sales activities, but also those
for marketing, customer service, and technical support.
The overall goals are to find, attract, and win new
clients, nurture and retain those the company already
has, entice former clients back into the fold, and
reduce the costs of marketing and client service.
[1]
Customer relationship management describes a company-
wide business strategy including customer-interface
departments as well as other departments.[2]

( M a r k s: 2 )Briefly discuss Risk Determination ?

Risk Determination/Exposure AnalysisThis phase relates
to analyzing how much the information assets are
exposed to various threats identifiedand thus
quantifying the loss caused to the asset through this
threat. This phase relates to analysis of bothphysical
and logical threats and comprises of four steps. Four
steps are usually followed while analyzing
the exposure.

( M a r k s: 3 ) What are hackers?

Hackers
A hacker is a person who attempts to invade the privacy
of the system. In fact he attempts to gain un
authorized entry to a computer system by circumventing
the system’s access controls. Hackers are normally
skilled programmers, and have been known to crack
system passwords, with quite an ease. Initially hackers
used to aim at simply copying the desired information
from the system. But now the trend has been to corrupt
the desired information

( M a r k s: 3 )Discuss Technical Limitations of

Ecommerce in business?
From Web
When the goods or services are sold or purchased over
the Internet then this way of commerce is known as E-
commerce. In this process consumers use the Internet to
purchase goods and services online; added to this in e-
commerce businesses sell and communicate with other
businesses through the Internet.
There is no doubt behind the fact that E-commerce has
given many companies the right to cheer but there are a
few limitations of E-commerce too.
The companies or the businesses who are selling the
products are not able to communicate with the customer
face to face. Due to this they are not able to get the
feedback about the products so that they may improvise
on the products. Although online chat programs have
solved this issue to some extent but it needs to be
implemented on a large scale.
Another limitation with E-commerce is that you are not
able to touch and check the quality of a product before
buying it.
Credit Card security is a serious issue. People who are
carrying out a transaction over the Internet are
worried about the credit card security.
The next one is a technological limitation that the
cost involved with bandwidth and server is too high.
Customers are still worried and fear about their online
Credit Card orders.
Extensive database and technical knowledge and
experience required.
Another limitation, in my view is that people are
becoming more and more isolated without having a
contact with other people. Due to this people are
facing difficulty interacting with people.

(M a r k s: 3 ) Identify roles and responsibilities

Controlled processing• The processing in a TPS must
support an organization's operations. For example if an
organisationallocates roles and responsibilities to
particular employees, then the TPS should enforce and
maintainthis requirement.

( M a r k s: 3 ) Differentiate CRM from ERP

From Web
CRM and ERP have a collaborative relationship. Imagine
that CRM is the point of a large V that faces outward
to your customer base, where it is used to track and
predict sales. To back up that effort, information
coordination with the sales department’s sister
organizations — finance, manufacturing, product
development andmarketing — smooth the way. But how do these
teams communicate with each other effectively? That’s
where ERP comes in. ERP is an internal system that coordinates
information between various departments and ensures the
lifeblood flows through your enterprise to help
profitability.
What does it take to coordinate your CRM and ERP efforts?
Consider these factors:

Getting Buy-In: All departments need to communicate

what they contribute and what can be gained from
collaboration to generate buy-in. Ideally, an overseer
or project planner not associated with a particular
function can bring all the stakeholders together.

Ownership: All players should consider their area as an

element of the whole enterprise and work in concert
with each other. Concealing proprietary information about
customers or other aspects of doing business is
detrimental.
Security: After departments agree that they should
share information, protection must be offered for
confidential employee, customer and industry data. A
system to grant access to information is needed.
Common Data Formatting: Data already exists in each
department that is useful to the organization. Back-end
data from all departments, for example, is valuable to
the on-the-firing-line sales team. But sometimes, the
processes of sharing information are flawed. Make sure
data isn't unnecessarily duplicated. Review information
to ensure that it is not contradictory or out-of-date.
The data format should also be the same for each
department to avoid confusion.

Scalability: Any ERP system should accommodate

enterprise growth and cross-company communication with
business partners.

Cost: The initial cost of ERP can be high if

communication between departments is seriously lagging.
Implementing your solution might be done effectively in
stages, perhaps growing outward from an existing CRM
system. Ultimately, the improvement in focus on the
customer should pay off.

(M a r k s: 3)Briefly describe Incremental Model?

Incremental ModelsIn incremental models, software is
built not written. Software is constructed step by step
in the same way abuilding is constructed. The products
is designed, implemented, integrated and tested as a
series ofincremental builds, where a build consists of
code pieces from various modules interacting together
toprovide a specific functional capability and testable
as a whole.

( M a r k s: 3) What do u know about Key stroke

Monitoring?
A record of every keystroke---- often called keystroke
monitoring. Keystroke monitoring isthe process used to
view or record both the keystrokes entered by a
computer user and thecomputer's response during an
interactive session. Keystroke monitoring is usually
considered aspecial case of audit trails.

( M a r k s: 5 ) Identify tangible or intangible in

splay Chan management?
( M a r k s: 5 ) What are the sources of critical
success factor?
Sources of Critical Success FactorsCritical Success
Factors have to be analyzed and established. CSF’s may
be developed from various sources.Generally four major
sources of identifying CSF’s are• Industry CSFs
resulting from specific industry characteristics;•
CSF’s resulting from the chosen competitive strategy of
the business e.g. quick and timely deliverymay be
critical to courier service business• Environmental
CSFs resulting from economic or technological changes;
and• Temporal CSFs resulting from internal
organizational needs and changes.

Subjective Part of Final Term paper Share by one

student
Total Qs 45
Total MCQs 30
6 Qs having 2 ,2 marks
6 Qs having 3 ,3 marks
3 Qs of 5 marks

MCQs mostly related from symbols and some related from

past chapters ( 1- 23)
Q1 . 2 Figures thein un k bary mein likhna tha.
Q2 1 Q related from supply chain management
Q3 Stand alone
Stand Alone ProcessingStand-alone, self-contained
computer is usually a microcomputer that is not
connected to a network ofcomputers and can be used in
isolation from any other device. The processing
activities undertaken onsuch a computer are usually
termed as stand-alone processing.Stand alone
environment may exist in some organization, but is not
the generally followed practice intoday's business
environment. Therefore we will not be discussing this
environment.
USB port enabled devices should not be used until it
has been scanned on a stand-alonemachine that is used
for no other purpose and is not connected to the
network.
These are primarily stand alone systems isolated from
major organizational information systems
(finance,manufacturing, HR, etc). They are developed by
end users and are not reliant on central
informationsystems control. These systems combine• Use
of a strong model, and• Good user interface to maximise
model utilityThey are not usually data intensive, hat
is very large data bases are usually not need for
model-driven DSS.They use data and parameters usually
provided by decision makers to aid in analyzing a
situation.
Q4 . An event oriented log
(1) An event-oriented log ---- this usually contain
records describing system events, applicationevents, or
user events. An audit trail should include sufficient
information to establish what eventsoccurred and who
(or what) caused them.

Q5. Types of threats

Types of Threats• Physical threat – This refers to the
damage caused to the physical infrastructure of the
informationsystems, e.g.• Fire• Water• Energy
Variations• Structural damage• Pollution• Intrusion•
Logical – This refers to damage caused to the software
and data without physical presence.• Viruses and worms•
Logical intrusion

Q6. How to secure our computer from virus?

Risk Determination/Exposure AnalysisThis phase relates
to analyzing how much the information assets are
exposed to various threats identifiedand thus
quantifying the loss caused to the asset through this
threat. This phase relates to analysis of bothphysical
and logical threats and comprises of four steps. Four
steps are usually followed while analyzing the
exposure.• Figure out whether there are any physical or
logical controls in place• Employees are interviewed•
Walk trough’s are conducted• How reliable are these
controls• Check whether the firewall stops a virus from
entering the organization’s system• Check whether the
antivirus installed stops the virus from execution• We
cannot start an earthquake to see if the building can
absorb shocks or not• What is the probability that
occurrence of threat can be successful against these
controls• Compare assets identified with threats
identified to see if controls exists• Estimate the
probability of occurrence based on past experience and
futureapprehensions/expectations• How much loss can
occur due to the threat being successful• scenarios are
written to see how an identified potential threat can
compromise control
 Q7. Write down the steps or order of EC fulfillment
esa kch tha
I. Subjective Part of Final Term paper Share by one
student
II. 1) types of threats 5 marks
2)describe control analysis marks 5
This phase includes assessment of controls already been
implemented or planned, probability thatthey can be
broken, assessment of potential loss despite such
controls existing. Controls are alsoclassified as non-
technical controls also called management controls and
technical controls –software, hardware controls. The
output of this step is current or planned controls used
for the ITsystem to measure the likelihood of
vulnerability being exercised and reduce the impact of
loss.
I.
3) how to secure the system through virus marks 5
4)describe E-supply 3 marks
5)list any general 6 impacts 3 marks
6) define CRM 3 marks
7)how to secure threats from internet 3marks
8)describe security audit 3marks
9)componenets of IDS and its limitations 3 marks
Components of an IDSAn IDS comprise of following
components:• Sensors that are responsible for
collecting data. The data can be in the form of
networkpackets, log files, system call, traces, etc.•
Analyzers that receive input from sensors and determine
intrusive activity• An administrative console – it
contains intrusion definitions applied by the
analyzers.• A user interface
Limitations of IDSAn IDS can not help with the
following weaknesses :• Incorrectness or scope
limitation in the manner threats are defined•
Application-level vulnerabilities• Backdoors into
application• Weakness in identification and
authentication schemes

I.
10) define IDS 2 marks
 Intrusion Detection Systems (IDS)Another element to
securing networks is an intrusion detection system
(IDS). IDS is used incomplement to firewalls. An IDS
works in conjunction with routers and firewalls by
monitoringnetwork usage anomalies. It protects a
company’s information systems resources from external
aswell as internal misuse.
I.
11) describe trojans virus 2 marks
A Trojan horse is a malicious program that is disguised
as or embedded within legitimate software.They may look
useful or interesting (or at the very least harmless)
to an unsuspecting user, but areactually harmful when
executed. Examples are• Logic bomb – Trojan horses are
triggered on certain event, e.g. when disc clean up
reaches acertain level of percentage• Time bomb –
Trojan horse is triggered on a certain date.
I.
Subjective Part of Final Term paper Share by one
student

Total Qs were 45 out of them 10 were subjective.

short Qs which i have in my memory were

Define data and information------ 2 marks

attributes of ERP, eaplain______ 5 marks
what are the change agents, explain their role in
change------- 3 marks
what factors are helpful for the successful
implementation of
cahnge.-------------- 3marks
property issues regarding privacy------------ 3 marks
what is ethics and code of ethics---------------------3
marks
what are physical threats-------------- 3 marks
the role of audit in MIS----------------- 3 marks
input of risk determination--------------------- 2
marks
risk variance ---------- 2 marks
 1. Today’s subjective paper by Fatima
2. 1) How the scanners are used as the technical
control against the spread of viruses?

I. 2) What is logical intrusion?

I. 3) Identify the rule that DFD as an analytical tool
follows the rule in achieving the level of
standarzate?
I. 4) What do you mean by Masquerading?
I. 5) List any two tolls used to implement TQM?
I. 6) Identify any two methods of IS integration?

I. 7) What is E-Supply chain?

I. 8) What is off-page connecter?
I. 9) Discuss various steps in threat
Steps in threat identificationFollowing steps are
followed in this phase1. Threat source identification –
sources vary from being human to natural threats2.
Motivation and threat actions – Reasons why someone
should instigate a threat and whatactions he can take
in such instigation are discovered.
Information is used as an input to determine and
identify what kind of threats the system isexposed to
history of system attack, data from intelligence
agencies. The out put of this phase is athreat
statement identifying and defining threats.

I.
II. 10) How can we make our password secure?
Passwords“Password is the secret character string that
is required to log onto a computer system,
thuspreventing unauthorized persons from obtaining
access to the computer. Computer users maypassword-
protect their files in some systems.”Misuse of
passwordsA very simple form of hacking occurs when the
password of the terminal under the use of aparticular
 employee is exposed or become commonly known. In such a
situation access to theentire information system can be
made through that terminal by using the password. The
extent ofaccess available to an intruder in this case
depends on the privilege rights available to the
user.33.5 Best Password practices• Keep the password
secret – do not reveal it to anyone• Do not write it
down – if it is complex, people prefer to save it in
their cell phone memory, orwrite on a piece of paper,
both of these are not preferred practices.
• Changing password regularly – Passwords should be
associated with users not machines.Password generation
program can also be used for this purpose.• Be discreet
– it is easy for the onlookers to see which keys are
being used, care should be takenwhile entering the
password.• Do not use obvious password – best approach
is to use a combination of letters, numbers,upper case
and lower case. Change passes word immediately if you
suspect that anyone elseknows it

I.
II. 11) Identify components of Intrusion detection
system?
Components of an IDSAn IDS comprise of following
components:• Sensors that are responsible for
collecting data. The data can be in the form of
networkpackets, log files, system call, traces, etc.•
Analyzers that receive input from sensors and determine
intrusive activity• An administrative console – it
contains intrusion definitions applied by the
analyzers.• A user interface