
Chapter 3 - Information System and Its Components

The document discusses the components of information systems including people, hardware, software, input, processing, output and control. It describes the different types of hardware including input, processing, storage and output devices. It also explains the different types of software including operating systems and application software.

Uploaded by

Amar Sharma

Chapter 3 - Information System and Its Components

3.2 INFORMATION SYSTEMS


Information System: An Information System (IS) is a combination of people,
hardware, software, communication devices, network and data resources that
processes data and information (by storing, retrieving or transforming it)
for a specific purpose.
An Information System model comprises the following steps:
▪ Input: Data is collected from an organization or from external environments
and converted into a suitable format required for processing.
▪ Process: A process is a series of steps undertaken to achieve a desired outcome
or goal. Information Systems are becoming more and more integrated with
organizational processes, bringing more productivity and better control to
those processes.
▪ Output: The information is then stored for future use or communicated to the user
after the respective procedure has been applied to it.

[Figure: INPUT (business problems in the form of data, information, instructions, opportunities); PROCESSING (software, programs, people, communication, equipment, storage); OUTPUT (solution to problems in the form of reports, graphics, calculations, voices); CONTROL (decision makers, auto control); FEEDBACK; User]

Fig. 3.2.1: Functions of Information Systems

3.3 COMPONENTS OF INFORMATION SYSTEMS


Fig. 3.3.1: Components of Information Systems

3.3.1 People Resources


People are the most important element in most Computer-based Information
Systems. The people involved include users of the system and information
systems personnel, including all the people who manage, run, program, and
maintain the system.
3.3.2 Computer System – Hardware and Software
Computer System: This is considered a combination of Hardware and Software.
Hardware: Information Systems hardware is the part of Information Systems that
you can touch: the physical components of technology. Computers, keyboards,
hard drives, iPads and flash drives are all examples of Information Systems
hardware.
Software: Software is a set of instructions that tells the hardware what to do.
There are several categories of software, with the two main categories being
operating system software, which makes the hardware usable and application
software, which does something useful. Examples of operating system software:
Microsoft Windows, LINUX, etc. Examples of application software are Microsoft
Excel, Adobe Photoshop, Microsoft PowerPoint etc.
I. Hardware
Hardware is the tangible portion of our computer systems; something we can
touch and see. It basically consists of devices that perform the functions of input,
processing, data storage and output activities of the computer.
(i) Input Devices are devices through which we interact with the systems and
include devices like Keyboard, Mouse and other pointing devices, Scanners
and Bar Code, MICR readers, Webcams, Microphone and Stylus/ Touch
Screen.
(ii) Processing Devices include computer chips that contain the Central
Processing Unit and main memory. The Central Processing Unit (CPU or
microprocessor) is the actual hardware that interprets and executes the program
(software) instructions and coordinates how all the other hardware devices work
together.
(iii) Data Storage Devices refer to the memory where data and programs are
stored. Various types of memory techniques/devices are given as follows:
(a) Internal Memory: This includes Processor Registers and Cache
Memory.
➢ Processor Registers: Registers are internal memory within CPU,
which are very fast and very small.
➢ Cache Memory: To bridge the huge speed differences between
Registers and Primary Memory, we have cache memory. Cache is a
smaller, faster memory, which stores copies of the data from the
most frequently used main memory locations so that
Processor/Registers can access it more rapidly than main memory.
(b) Primary Memory/Main Memory: These are devices in which any
location can be accessed by the computer’s processor in any order (in
contrast with sequential order). There are two types of primary memory
as discussed in Table 3.3.1:
Table 3.3.1: RAM vs ROM

Random Access Memory (RAM) | Read Only Memory (ROM)
Volatile in nature, meaning information is lost as soon as power is turned off. | Non-volatile in nature (contents remain intact even in absence of power).
Purpose is to hold program and data while they are in use. | Used to store small amount of information for quick reference by CPU.
Information can be read as well as modified. | Information can be read, not modified.
Responsible for storing the instructions and data that the computer is using at that present moment. | Generally used by manufacturers to store data and programs like translators that are used repeatedly.

(c) Secondary Memory: CPU refers to the main memory for execution of
programs, but these main memories are volatile in nature and hence
cannot be used to store data on a permanent basis in addition to being
small in storage capacity. The secondary memories are available in
bigger sizes; thus programs and data can be stored on secondary
memories.
(d) Virtual Memory: Virtual Memory is in fact not a separate device but an
imaginary memory area supported by some operating systems (for
example, Windows) in conjunction with the hardware. If a computer
lacks in required size of the Random-Access Memory (RAM) needed to
run a program or operation, Windows uses virtual memory to
compensate. Virtual memory combines computer’s RAM with
temporary space on the hard disk. When RAM runs low, virtual memory
moves data from RAM to a space called a paging file. Moving data to
and from the paging file frees up RAM to complete its work. Thus,
virtual memory is an allocation of hard disk space to help RAM, as
depicted in Fig. 3.3.2.

[Figure: Register, Cache, Primary Memory, Virtual Memory, Secondary Memory]

Fig. 3.3.2: Memory Techniques/Devices

(iv) Output Devices: Output devices are devices through which the system
responds. A visual output device, such as a display, visually conveys text,
graphics, and video information, e.g. Monitor and Printer.
Some types of output are:
• Textual output comprises of characters that are used to create words,
sentences, and paragraphs.
• Graphical outputs are digital representations of non-text information
such as drawings, charts, photographs, and animation.
• Tactile output such as raised line drawings may be useful for some
individuals who are blind.
• Audio output is any music, speech, or any other sound.
• Video output consists of images played back at speeds to provide the
appearance of full motion.
II. Software
Software is defined as a set of instructions that tell the hardware what to do.
Software is created through the process of programming. Without software, the
hardware would not be functional. Software can be broadly divided into two
categories: Operating Systems Software and Application Software as shown in
the Fig. 3.3.3. Operating systems manage the hardware and create the interface
between the hardware and the user. Application software is the category of
programs that do some processing/task for the user.

[Figure: Software divided into Operating Systems Software and Application Software]

Fig. 3.3.3: Types of Software


(a) Operating Systems Software
An Operating System (OS) is a set of computer programs that manages computer
hardware resources and acts as an interface with computer applications programs.
Some prominent Operating systems used nowadays are Windows 7, Windows 8,
Linux, UNIX, etc.
All computing devices run an operating system. For personal computers, the most
popular operating systems are Microsoft’s Windows, Apple’s OS X, and different
versions of Linux. Smart phones and tablets run operating systems as well, such as
Apple’s iOS, Google Android, Microsoft’s Windows Phone OS, and Research in
Motion’s Blackberry OS.
A variety of activities are executed by Operating Systems, which include:
▪ Performing hardware functions: Operating System acts as an intermediary
between the application program and the hardware by obtaining input from
keyboards, retrieving data from disk and displaying output on monitors.
▪ User Interfaces: Nowadays, Operating Systems are Graphic User Interface (GUI)
based, using icons and menus as in the case of Windows.
▪ Hardware Independence: Operating System provides Application Program
Interfaces (API), which can be used by application developers to create
application software, thus obviating the need to understand the inner workings
of OS and hardware. Thus, OS gives us hardware independence.
▪ Memory Management: Operating System controls how memory is
accessed and maximizes available memory and storage.
▪ Task Management: This allows a user to work with more than one
application at a time, i.e. multitasking, and allows more than one user to use the
system, i.e. time sharing.
▪ Networking Capability: Operating systems can provide systems with features
and capabilities to help connect computer networks, like Linux & Windows 8.
▪ Logical Access Security: Operating systems provide logical security by
establishing a procedure for identification and authentication using a User ID
and Password.
▪ File management: The operating system keeps track of where each file is
stored and who can access it, based on which it provides the file retrieval.
(b) Application Software
Application software includes all that computer software that causes a computer to
perform useful tasks beyond the running of the computer itself. Application Suite
like MS Office 2010 which has MS Word, MS Excel, MS Access, etc.; Enterprise
Software like SAP; Content Access Software like Media Players, Adobe Digital etc.
are some examples of Application Software.
3.3.3 Data Resources
▪ Data: Data, plural of Datum, are the raw bits and pieces of information with
no context that can either be quantitative or qualitative. Quantitative data is
numeric, the result of a measurement, count, or some other mathematical
calculation. Qualitative data is descriptive. “Ruby Red,” the color of a 2013
Ford Focus, is an example of qualitative data.
▪ Database: A Database is a logically inter-related, organized collection of
data.
▪ Database Management Systems (DBMS): A DBMS may be defined as
software that aids in organizing, controlling and using the data needed by the
application programme. Commercially available Data Base Management
Systems are Oracle, MySQL, SQL Server, DB2 etc. DBMS packages
generally provide an interface to view and change the design of the
database, create queries, and develop reports. Microsoft Access and Open
Office Base are examples of personal DBMS.
▪ Database Models: Databases can be organized in many ways, and thus take
many forms. A Database Model is a type of data model that determines the
logical structure of a database and fundamentally determines in which manner
data can be stored, organized and manipulated.
Hierarchy of database is as under:
• Database: This is a collection of Files/Tables.
• File or Table: This is a collection of Records. It is also referred as Entity.
• Record: This is a collection of Fields.
• Field: This is a collection of Characters, defining a relevant attribute of Table
instance.
• Characters: These are a collection of Bits.
This hierarchy is shown in Fig. 3.3.4:

[Figure: a MASTER ACCOUNT FILE with the fields Account Code, Account Head and Group Head, and the records 11001 Travelling Expenses, 11002 Printing Expenses and 11003 Repairs Expenses; labels mark the FILE, a RECORD and a FIELD]

Fig. 3.3.4: Hierarchy of Databases


Some prominent database models are as follows:
A. Hierarchical Database Model: In this, records (also known as Nodes) are
logically organized into a hierarchy of relationships in an inverted tree
pattern. The top parent record in the hierarchy that “own” other records is
called Parent Record/ Root Record which may have one or more child records,
but no child record may have more than one parent record. Thus, each node
is related to the others in a parent-child relationship. Thus, the hierarchical
data structure implements one-to-one and one-to-many relationships.
For example, an equipment database, shown in Fig. 3.3.5 may have building
records, room records, equipment records, and repair records. The database
structure reflects the fact that repairs are made to equipment located in
rooms that are part of buildings.

[Figure: tree levels labelled Root (Parent of Room); Children of Root (Parents of Equipment); Children of Room (Parents of Repair); Children of Equipment]

Fig. 3.3.5: Hierarchical Database Model


B. Network Database Model: The network model is a variation of the
hierarchical model in which unlike the hierarchical model, the branches can
be connected to multiple nodes. A network database structure views all
records in sets; wherein each set is composed of an owner record and one or
more member records thus allowing the network model to implement the
many-to-one and the many-to-many relationship types.
C. Relational Database Model: A Relational Database allows data and their
structures, storage and retrieval operations and integrity constraints to be
organized in a table structure. A table is a collection of records and each record in
a table contains the same fields, which define the nature of the data stored in the
table. A record is one instance of a set of fields in a table. Three key terms are
used extensively in relational database models:
• Relations: A relation is a table with columns and rows.
• Attributes: The named columns of the relation are called attributes
(fields); and
• Domains: It is the set of values the attributes can take.
In this, all the tables are related by one or more fields, so that it is possible to
connect all the tables in the database through the field(s) they have in
common. For each table, one of the fields is identified as a Primary Key, which
is the unique identifier for each record in the table. Keys are commonly used
to join or combine data from two or more tables. Popular examples of
relational databases are Microsoft Access, MySQL, and Oracle.
D. Object Oriented Data Base Model: It is based on the concept that the world
can be modeled in terms of objects and their interactions. An Object-
Oriented Database provides a mechanism to store complex data such as
images, audio and video, etc. An object-oriented database (also referred to
as Object-Oriented Database Management System or OODBMS) is a set of
objects. In these databases, the data is modeled and created as objects.
OODBMS helps programmers make objects which are an independently
functioning application or program, assigned with a specific task or role to
perform.
(ii) Advantages of DBMS
Major advantages of DBMS are given as follows:
▪ Permitting Data Sharing: One of the principal advantages of a DBMS is that
the same information can be made available to different users.
▪ Minimizing Data Redundancy: In a DBMS, duplication of information or
redundancy is, if not eliminated, carefully controlled or reduced, i.e. there is no
need to store the same data repeatedly. Minimizing redundancy significantly
reduces the cost of storing information on storage devices.
▪ Integrity can be maintained: Data integrity is maintained by having accurate,
consistent, and up-to-date data. Updates and changes to the data need to be
made in only one place in a DBMS, ensuring integrity.
▪ Program and File consistency: Using a DBMS, file formats and programs are
standardized. The level of consistency across files and programs makes it easier
to manage data when multiple programmers are involved, as the same rules and
guidelines apply across all types of data.
▪ User-friendly: DBMS makes data access and manipulation easier for the
user. DBMS also reduces the reliance of users on computer experts to meet their
data needs.
▪ Improved security: DBMS allows multiple users to access the same data
resources in a controlled manner by defining the security constraints. Some
sources of information should be protected or secured and only viewed by select
individuals. Using passwords, DBMS can be used to restrict data access to only
those who should see it.
▪ Achieving program/data independence: In a DBMS, data does not reside in
applications but in databases; programs and data are independent of each other.
▪ Faster Application Development: Where a DBMS is deployed,
application development becomes fast. The data is already there in databases;
the application developer has to think only of the logic required to retrieve the data
in the way a user needs.
(iii) Disadvantages of a DBMS
▪ Cost: Implementing a DBMS system in terms of both system and user-training
can be expensive and time-consuming, especially in large enterprises. Training
requirements alone can be quite costly.
▪ Security: Even with safeguards in place, it may be possible for some
unauthorized users to access the database. If one gets access to the database, then
it could be an all or nothing proposition.
Some Related Concepts of Database
A. Big Data: A new buzzword that has been capturing the attention of businesses
lately is Big Data. The term refers to such massively large data sets that
conventional database tools do not have the processing power to analyze them.
For example, Flipkart must process over millions of customer transactions every
hour during the Billion Day Sale. Storing and analyzing that much data is beyond
the power of traditional database-management tools. Understanding the best tools
and techniques to manage and analyze these large data sets is a problem that
governments and businesses alike are trying to solve. This is an interesting space
to explore from a career perspective since everything is nothing more than data.
Benefits of Big Data Processing are as follows:
a) Ability to process Big Data brings in multiple benefits, such as:
• Businesses can utilize outside intelligence while taking decisions.
• Access to social data from search engines and sites like Facebook and Twitter
is enabling organizations to fine-tune their business strategies.
• Early identification of risk to the product/services, if any.
b) Improved customer service
• Traditional customer feedback systems are getting replaced by new
systems designed with Big Data technologies. In these new systems, Big
Data and natural language processing technologies are being used to
read and evaluate consumer responses.
c) Better operational efficiency
• Integration of Big Data technologies and data warehouse helps an
organization to offload infrequently accessed data, thus leading to better
operational efficiency.
B. Data Warehouse:
The concept of the Data Warehouse is simple: Extract data from one or more of
the organization’s databases and Load it into the data warehouse (which is itself
another database) for storage and analysis. However, the execution of this concept
is not that simple. A data warehouse should be designed so that it meets the
following criteria:
❖ It uses non-operational data. This means that the data warehouse is using a
copy of data from the active databases that the company uses in its day-to-day
operations, so the data warehouse must pull data from the existing databases
on a regular, scheduled basis.
❖ The data is time-variant. This means that whenever data is loaded into the data
warehouse, it receives a time stamp, which allows for comparisons between
different time periods.
❖ The data is standardized. Because the data in a data warehouse usually comes
from several different sources, it is possible that the data does not use the same
definitions or units. For example, our Events table in our Student Clubs database
lists the event dates using the mm/dd/yyyy format (e.g., 01/10/2013). A table in
another database might use the format yy/mm/dd (e.g.13/01/10) for dates. For
the data warehouse to match up dates a standard date format would have to be
agreed upon and all data loaded into the data warehouse would have to be
converted to use this standard format. This process is called Extraction-
Transformation-Load (ETL).
❖ There are two primary schools of thought when designing a data warehouse:
Bottom-Up and Top- Down.
• The Bottom-Up Approach starts by creating small data warehouses,
called data marts, to solve specific business problems. As these data marts
are created, they can be combined into a larger data warehouse.
• The Top-Down Approach suggests that we should start by creating an
enterprise-wide data warehouse and then, as specific business needs are
identified, create smaller data marts from the data warehouse.
❖ Benefits of Data Warehouse
Organizations find data warehouses quite beneficial for several reasons:
• The process of developing a data warehouse forces an organization to
better understand the data that it is currently collecting and, equally
important, what data is not being collected.
• A data warehouse provides a centralized view of all data being collected
across the enterprise and provides a means for determining data that is
inconsistent.
• Once all data is identified as consistent, an organization can generate one
version of the truth. This is important when the company wants to report
consistent statistics about itself, such as revenue or number of employees.
• By having a data warehouse, snapshots of data can be taken over time.
This creates a historical record of data, which allows for an analysis of
trends.
• A data warehouse provides tools to combine data, which can provide new
information and analysis.
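
The date standardization (ETL) step described in the data warehouse criteria above, as an added Python example that is not part of the original chapter. The source names, the ISO 8601 target format and the sample rows are assumptions constructed for illustration; rows that cannot be converted are rejected rather than loaded.

```python
from datetime import datetime, timezone

# Each source declares its own date layout. The layout is never guessed from
# the value: a string such as "10/01/13" parses under yy/mm/dd and under
# mm/dd/yy, as two different dates.
SOURCE_DATE_FORMATS = {
    "student_clubs": "%m/%d/%Y",  # mm/dd/yyyy, e.g. 01/10/2013 (from the text)
    "other_db": "%y/%m/%d",       # yy/mm/dd, e.g. 13/01/10 (from the text)
}
STANDARD_FORMAT = "%Y-%m-%d"  # assumed agreed standard for the warehouse

# Constructed sample extracts (hypothetical source names and rows).
SAMPLE_EXTRACTS = {
    "student_clubs": [{"event": "Orientation", "event_date": "01/10/2013"}],
    "other_db": [
        {"event": "Orientation", "event_date": "13/01/10"},
        {"event": "Bad month", "event_date": "13/31/10"},
    ],
    "legacy_export": [{"event": "Unknown layout", "event_date": "10-01-2013"}],
}


def transform_row(source, row, loaded_at):
    """Convert one extracted row to the warehouse's standard date format."""
    if source not in SOURCE_DATE_FORMATS:
        raise ValueError(f"no declared date format for source {source!r}")
    parsed = datetime.strptime(row["event_date"].strip(),
                               SOURCE_DATE_FORMATS[source])
    return {
        "source": source,
        "event": row["event"],
        "event_date": parsed.strftime(STANDARD_FORMAT),
        "loaded_at": loaded_at,  # time stamp that makes the data time-variant
    }


def etl(extracts, loaded_at=None):
    """Extract, transform and load; return (warehouse_rows, rejected_rows)."""
    if loaded_at is None:
        loaded_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    warehouse, rejects = [], []
    for source, rows in extracts.items():
        for row in rows:
            try:
                warehouse.append(transform_row(source, row, loaded_at))
            except (KeyError, ValueError) as exc:
                # Keep the bad row and the reason so it can be corrected at source.
                rejects.append({"source": source, "row": row, "reason": str(exc)})
    return warehouse, rejects


if __name__ == "__main__":
    loaded, rejected = etl(SAMPLE_EXTRACTS)
    for r in loaded:
        print("LOADED  ", r)
    for r in rejected:
        print("REJECTED", r)
```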

• Data Mining: Data Mining is the process of analysing data to find
previously unknown trends, patterns, and associations to make decisions.
Generally, data mining is accomplished through automated means against
extremely large data sets, such as a data warehouse.

The steps involved in the Data Mining process are as follows:


a. Data Integration: Firstly, the data are collected and integrated from all the
different sources.
b. Data Selection: It may be possible that all the data collected may not be
required in the first step. So, in this step we select only those data which we think
useful for data mining.
c. Data Cleaning: The data that is collected are not clean and may contain errors,
missing values, noisy or inconsistent data. Thus, we need to apply different
techniques to get rid of such anomalies.
d. Data Transformation: The data even after cleaning are not ready for mining as
it needs to be transformed into an appropriate form for mining using different
techniques like - smoothing, aggregation, normalization etc.
e. Data Mining: In this, various data mining techniques are applied on the data to
discover the interesting patterns. Techniques like clustering and association
analysis are among the many different techniques used for data mining.
f. Pattern Evaluation and Knowledge Presentation: This step involves
visualization, transformation, removing redundant patterns etc. from the
patterns we generated.
g. Decisions / Use of Discovered Knowledge: This step helps user to make use of
the knowledge acquired to take better decisions.
3.3.4 Networking and Communication Systems
Computer Network is a collection of computers and other hardware
interconnected by communication channels that allow sharing of resources and
information.
Network and Communication System: These consist of both physical devices and
software, link the various pieces of hardware and transfer data from one
physical location to another. Computers and communications equipment can be
connected in networks for sharing voice, data, images, sound and video. A network
links two or more computers to share data or resources such as a printer.
There are two types:
▪ Connection Oriented Networks: Here a connection is first established
between the sender and the receiver and then data is exchanged, as happens
in the case of telephone networks.
▪ Connectionless Networks: Here no prior connection is made before data
is exchanged. The data being exchanged carries the complete contact
information of the recipient, and at each intermediate destination it is decided how
to proceed further, as happens in the case of postal networks.
Each of these networks is modeled to address the following basic issues:
▪ Routing: It refers to the process of deciding on how to communicate the data
from source to destination in a network.
▪ Bandwidth: It refers to the amount of data which can be sent across a network
in given time.
▪ Resilience: It refers to the ability of a network to recover from any kind of error
like connection failure, loss of data etc.
▪ Contention: It refers to the situation that arises when there is a conflict for some
common resource in a network. For example, network contention could arise
when two or more computer systems try to communicate at the same time.
The following are the important benefits of a computer network:
▪ Distributed nature of information: There would be many situations where
information must be distributed geographically. E.g. in the case of Banking
Company, accounting information of various customers could be distributed
across various branches but to make Consolidated Balance Sheet at the year-
end, it would need networking to access information from all its branches.
▪ Resource Sharing: Data could be stored at a central location and can be shared
across different systems. Even resource sharing could be in terms of sharing
peripherals like printers, which are normally shared by many systems. E.g. In the
case of a CBS, Bank data is stored at a Central Data Centre and could be accessed
by all branches as well as ATMs.
▪ Computational Power: The computational power of most of the applications
would increase drastically if the processing is distributed amongst computer
systems. For example: processing in an ATM machine in a bank is distributed
between ATM machine and the central Computer System in a Bank, thus
reducing load on both.
▪ Reliability: Many critical applications should be available 24x7, if such
applications are run across different systems which are distributed across
network then the reliability of the application would be high. E.g. In a city, there
could be multiple ATM machines so that if one ATM fails, one could withdraw
money from another ATM.
▪ User communication: Networks allow users to communicate using e-mail,
newsgroups, video conferencing, etc.

3.4 INFORMATION SYSTEMS’ CONTROLS


Some of the critical controls lacking in a computerized environment are as follows:
▪ Lack of management understanding of IS risks and related controls;
▪ Absent or inadequate IS control framework;
▪ Absent or weak general controls and IS controls;
▪ Lack of awareness and knowledge of IS risks and controls amongst the business
users and even IT staff;
▪ Complexity of implementation of controls in distributed computing
environments and extended enterprises;
▪ Lack of control features or their implementation in highly technology driven
environments; and
▪ Inappropriate technology implementations or inadequate security functionality
in technologies implemented.
These categories have been represented in the Fig. 3.4.1:

[Figure: three groups of controls: Preventive, Detective, Corrective; Environmental, Physical Access, Logical Access; Managerial, Application]

Fig. 3.4.1: Classification of IS Controls

3.4.1 Classification based on “Objective of Controls”


Controls can be classified by the time at which they act relative to a security
incident, as under:
(A) Preventive Controls: These controls prevent errors, omissions, or security
incidents from occurring. Examples include simple data-entry edits that block
alphabetic characters from being entered in numeric fields.
The following Table 3.4.1 shows how the same purpose is achieved by using
manual and computerized controls.
Table 3.4.1: Preventive Controls
Purpose | Manual Control | Computerized Control
Restrict unauthorized entry into the premises. | Build a gate and post a security guard. | Use access control software, smart card, biometrics, etc.
Restrict unauthorized entry into the software applications. | Keep the computer in a secured location and allow only authorized person to use the applications. | Use access control, viz. User ID, password, smart card, etc.
(B) Detective Controls: These controls are designed to detect errors, omissions
or malicious acts that occur and report the occurrence. For example, a
detective control may identify account numbers of inactive accounts or
accounts that have been flagged for monitoring of suspicious activities.
(C) Corrective Controls: It is desirable to correct errors, omissions, or incidents
once they have been detected. They vary from simple correction of data-entry
errors, to identifying and removing unauthorized users or software from
systems or networks, to recovery from incidents, disruptions, or disasters.
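
The three control types above applied to one small accounts database, as an added Python/SQLite example that is not part of the original chapter. The table layout, the five-digit account number rule, the "frozen" status and the sample accounts are assumptions constructed for illustration.

```python
import sqlite3


def build_db():
    """Create the schema; the CHECK and key constraints are preventive controls."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE accounts (
            -- numeric field: exactly five digits, alphabetic characters blocked
            account_no TEXT PRIMARY KEY
                CHECK (length(account_no) = 5
                       AND account_no NOT GLOB '*[^0-9]*'),
            holder     TEXT NOT NULL,
            status     TEXT NOT NULL DEFAULT 'active'
                CHECK (status IN ('active', 'inactive', 'frozen'))
        );
        CREATE TABLE transactions (
            txn_id     INTEGER PRIMARY KEY,
            account_no TEXT NOT NULL REFERENCES accounts(account_no),
            amount     INTEGER NOT NULL CHECK (amount > 0)
        );
    """)
    return db


def add_account(db, account_no, holder, status="active"):
    """Preventive: the data-entry edit rejects bad input before it is stored."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
                       (account_no, holder, status))
        return True
    except sqlite3.IntegrityError:
        return False


def post_txn(db, account_no, amount):
    """Preventive: unknown accounts and non-positive amounts are refused."""
    try:
        with db:
            db.execute("INSERT INTO transactions (account_no, amount) VALUES (?, ?)",
                       (account_no, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def detect_inactive_activity(db):
    """Detective: report inactive accounts that nevertheless show transactions."""
    return db.execute("""
        SELECT a.account_no, COUNT(*) AS txns
        FROM accounts a JOIN transactions t ON t.account_no = a.account_no
        WHERE a.status = 'inactive'
        GROUP BY a.account_no ORDER BY a.account_no
    """).fetchall()


def freeze_accounts(db, account_nos):
    """Corrective: act on the detective report by freezing the flagged accounts."""
    changed = 0
    with db:
        for no in account_nos:
            cur = db.execute(
                "UPDATE accounts SET status = 'frozen' "
                "WHERE account_no = ? AND status = 'inactive'", (no,))
            changed += cur.rowcount
    return changed


def demo():
    """Run all three control types over constructed sample data."""
    db = build_db()
    accepted = [add_account(db, "20001", "Asha"),
                add_account(db, "20002", "Ravi", "inactive"),
                add_account(db, "2000A", "Typo"),   # alphabetic character
                add_account(db, "123", "Short")]    # wrong length
    posted = [post_txn(db, "20001", 500), post_txn(db, "20002", 900),
              post_txn(db, "20002", 100), post_txn(db, "99999", 50)]
    report = detect_inactive_activity(db)
    frozen = freeze_accounts(db, [no for no, _ in report])
    return {"accepted": accepted, "posted": posted, "report": report,
            "frozen": frozen, "report_after": detect_inactive_activity(db)}


if __name__ == "__main__":
    print(demo())
```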
3.4.2 Classification based on “Nature of Information System
Resources”
These are given as follows:
(A) Environmental Controls: These are the controls relating to the IT environment
such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke
detection, fire-extinguishers, dehumidifiers etc. Tables 3.4.2 (A,B,C,D) list
the environmental exposures related to Fire, Electrical Exposures, Water
Damage, and Pollution damage and others, with their corresponding controls
respectively.
I. Fire: It is a major threat to the physical security of a computer installation.
Table 3.4.2(A): Controls for Fire Exposure

▪ Both automatic and manual fire alarms may be placed at strategic locations
and a control panel may be installed to clearly indicate this.
▪ Besides the control panel, master switches may be installed for power and
automatic fire suppression system. Different fire suppression techniques like
Dry-pipe sprinkling systems, water based systems, halon etc., depending
upon the situation, may be used.
▪ Manual fire extinguishers can be placed at strategic locations.
▪ Fireproof Walls, Floors and Ceilings surrounding the Computer Room and
Fire Resistant Office Materials such as waste-baskets, curtains, desks, and
cabinets should be used.
▪ Fire exits should be clearly marked. When a fire alarm is activated, a signal
may be sent automatically to a permanently manned station.
▪ All staff members should know how to use the system. The procedures to be
followed during an emergency should be properly documented; the items covered are Fire
Alarms, Extinguishers, Sprinklers, Instructions / Fire Brigade Nos., Smoke
detectors, and Carbon dioxide based fire extinguishers.
▪ Less wood and plastic should be used in computer rooms.
▪ Use a gas based fire suppression system.
▪ To reduce the risk of fire, the location of the computer room should be
strategically planned and should not be in the basement or ground floor of
a multi-storey building.
▪ Regular Inspection by Fire Department should be conducted.
▪ Fire suppression systems should be supplemented and not replaced by
smoke detectors.
▪ Documented and Tested Emergency Evacuation Plans: Relocation plans
should emphasize human safety, but should not leave information
processing facilities physically unsecured. Procedures should exist for a
controlled shutdown of the computer in an emergency. In all circumstances
saving human life should be given paramount importance.
▪ Smoke Detectors: Smoke detectors are positioned at places above and
below the ceiling tiles. Upon activation, these detectors should produce an
audible alarm and must be linked to a monitored station (for example, a fire
station).
▪ Wiring Placed in Electrical Panels and Conduit: Electrical fires are always
a risk. To reduce the risk of such a fire occurring and spreading, wiring should
be placed in the fire-resistant panels and conduit. This conduit generally lies
under the fire-resistant raised floor in the computer room.
II. Electrical Exposures: These include the risk of damage that may be caused
due to electrical faults, such as non-availability of electricity, spikes
(temporary very high voltages), fluctuations of voltage and other such risks.
Table 3.4.2(B): Controls for Electrical Exposure
 The risk of damage due to power spikes can be reduced using Electrical Surge
Protectors that are typically built into the Un-interruptible Power System
(UPS).
 Un-interruptible Power System (UPS)/Generator: In case of a power failure,
the UPS provides the back up by providing electrical power from the battery
to the computer for a certain span of time. Depending on the sophistication
of the UPS, electrical power supply could continue to flow for days or for just
a few minutes to permit an orderly computer shutdown.
 Voltage regulators and circuit breakers protect the hardware from temporary
increase or decrease of power.
 Emergency Power-Off Switch: When the need arises for an immediate power
shut down during situations like a computer room fire or an emergency
evacuation, an emergency power-off switch at the strategic locations would
serve the purpose. They should be easily accessible and yet secured from
unauthorized people.
III. Water Damage: Water damage to a computer installation can be the
outcome of burst water pipes. Water damage may also result from other
sources such as cyclones, tornadoes, floods etc.
Table 3.4.2(C): Controls for Water Exposure
 Wherever possible have waterproof ceilings, walls and floors;
 Ensure an adequate positive drainage system exists;
 Install alarms at strategic points within the installation;
 In flood areas have the installation above the upper floors but not at the top
floor;
 Water proofing; and
 Water leakage Alarms.
IV. Pollution Damage and others: The major pollutant in a computer
installation is dust. Dust caught between the surfaces of magnetic tape / disk
and the reading and writing heads may cause either permanent damage to
data or read/ write errors.
Table 3.4.2(D): Controls for Pollution Damage Exposure
Some of the controls are as follows:
 Power Leads from Two Substations: Electrical power lines are exposed
to many environmental dangers such as water, fire, lightning, cutting due to
careless digging etc. To avoid these types of events, redundant power links
should feed into the facility, so that interruption of one power supply does not
adversely affect electrical supply.
 Prohibitions against Eating, Drinking and Smoking within the
Information Processing Facility: These activities should be prohibited from
the information processing facility. This prohibition should be clear, e.g. a sign
on the entry door.
(B) Physical Access Controls:
The Physical Access Controls are the controls relating to physical security of
the tangible IS resources and intangible resources stored on tangible media
etc. Such controls include Access control doors, Security guards, door alarms,
restricted entry to secure areas, visitor logged access, CCTV monitoring etc.
Refer to Table 3.4.3.
Table 3.4.3: Controls for Physical Exposures
i. Locks on Doors
• Cipher locks (Combination Door Locks) - Cipher locks are used in low
security situations or when many entrances and exits must be usable all the
time. To enter, a person presses a four-digit number, and the door will
unlock for a predetermined period, usually ten to thirty seconds.
• Bolting Door Locks – A special metal key is used to gain entry when the
lock is a bolting door lock. To avoid illegal entry, the keys should not be
duplicated.
• Electronic Door Locks – A magnetic or embedded chip-based plastic card
key or token may be entered into a reader to gain access in these systems.
ii. Physical Identification Medium: These are discussed below:
• Personal Identification Numbers (PIN): The visitor will be asked to log
on by inserting a card in some device and then enter their PIN via a PIN
keypad for authentication.
• Plastic Cards: These cards are used for identification purposes. Customers
should safeguard their card so that it does not fall into unauthorized hands.
• Identification Badges: Special identification badges can be issued to
personnel as well as visitors. For easy identification purposes, the color of
the badge can be changed. Sophisticated photo IDs can also be utilized as
electronic card keys.
iii. Logging on Facilities: These are given as under:
• Manual Logging: All visitors should be prompted to sign a visitor’s log
indicating their name, company represented, their purpose of visit, and person
to see. Logging may happen at both fronts - reception and entrance to the
computer room. A valid and acceptable identification such as a driver’s license,
business card or vendor identification tag may also be asked for before
allowing entry inside the company.
• Electronic Logging: This feature is a combination of electronic and biometric
security systems. User logging can be monitored and unsuccessful
attempts highlighted.
iv. Other means of Controlling Physical Access: Other important means of
controlling physical access are given as follows:
• Video Cameras: Cameras should be placed at specific locations and
monitored by security guards. Refined video cameras can be activated by
motion. The video supervision recording must be retained for possible future
play back.
• Security Guards: Extra security can be provided by appointing guards aided
with CCTV feeds. Guards supplied by an external agency should be made to
sign a bond to protect the organization from loss.
• Controlled Visitor Access: A responsible employee should escort all visitors.
Visitors may be friends, maintenance personnel, computer vendors,
consultants and external auditors.
• Bonded Personnel: All service contract personnel, such as cleaning people
and off-site storage services, should be asked to sign a bond. This may not be
a measure to improve physical security but to a certain extent can limit the
financial exposure of the organization.
• Dead Man Doors: These systems encompass a pair of doors that are typically
found in entries to facilities such as computer rooms and document stations.
The first entry door must close and lock for the second door to operate, with
only one person permitted in the holding area.
• Non–exposure of Sensitive Facilities: There should be no explicit indication,
such as the presence of windows or directional signs, hinting at the presence of
facilities such as computer rooms. Only the general location of the information
processing facility should be identifiable.
• Computer Terminal Locks: These locks ensure that the device to the desk is
not turned on or disengaged by unauthorized persons.
• Controlled Single Entry Point: All incoming personnel can use controlled
Single Entry Point. A controlled entry point is monitored by a receptionist.
Multiple entry points increase the chances of unauthorized entry. Unnecessary
or unused entry points should be eliminated or deadlocked.
• Alarm System: Illegal entry can be avoided by linking the alarm system to
inactive entry points and to the reverse flows of enter-only or exit-only
doors. Security personnel should be able to hear the alarm when activated.
• Perimeter Fencing: Fencing at boundary of the facility may also enhance the
security mechanism.
• Control of out of hours of employees: Employees who are out of
office for a longer duration during the office hours should be monitored
carefully. Their movements must be noted and reported to the concerned
officials frequently.
• Secured Report/Document Distribution Cart: Secured carts, such as mail
carts, must be covered and locked and should always be attended.
(C) Logical Access Controls: These are the controls relating to logical access to
information resources such as operating systems controls, application software
boundary controls, networking controls, access to database objects, encryption
controls etc. Table 3.4.4 provides the list of Technical Exposures.
Table 3.4.4: Technical Exposures
Technical Exposures: Technical exposures include unauthorized implementation or
modification of data and software. Technical exposures include the following:
 Data Diddling: This involves the change of data before or after they are entered into
the system. Limited technical knowledge is required to data diddle and the worst part
is that it occurs before computer security can protect the data.
 Bomb: A bomb is a piece of bad code deliberately planted by an insider or supplier of
a program. A bomb is triggered by an event, which is either logical or time based. The
bombs explode when the conditions of explosion get fulfilled, causing the damage
immediately. However, these programs cannot infect other programs. Since these
programs do not circulate by infecting other programs, chances of a widespread
epidemic are relatively low.
 Christmas Card: It is a well-known example of Trojan and was detected on internal
E-mail of IBM system. On typing the word ‘Christmas’, it will draw the Christmas tree
as expected, but in addition, it will send copies of similar output to all other users
connected to the network. Because of this message on other terminals, other users
cannot save their half-finished work.
 Worm: A worm does not require a host program like a Trojan to relocate itself. Thus,
a Worm program copies itself to another machine on the network. Since worms are
stand-alone programs, they can be detected easily in comparison to Trojans and
computer viruses. Examples of worms are Existential Worm, Alarm clock Worm etc.
The Alarm Clock worm places wake-up calls on a list of users. It passes through the
network to an outgoing terminal while the sole purpose of existential worm is to
remain alive. Existential worm does not cause damage to the system, but only copies
itself to several places in a computer network.
 Rounding Down: This refers to rounding of small fractions of a denomination and
transferring these small fractions into an authorized account. As the amount is small,
it rarely gets noticed.
 Salami Techniques: This involves slicing of small amounts of money from a computerized
transaction or account. A Salami technique is slightly different from a rounding technique in the
sense that a fixed amount is deducted. For example, in the rounding off technique, ₹ 21,23,456.39
becomes ₹ 21,23,456.40, while in the Salami technique the transaction amount ₹ 21,23,456.39 is
truncated to either ₹ 21,23,456.30 or ₹ 21,23,456.00, depending on the logic.
 Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts that permit a
review of data. They also permit insertion of unauthorized logic.
 Spoofing: A spoofing attack involves forging one’s source address. One machine is
used to impersonate the other in spoofing technique. Spoofing occurs only after a
particular machine has been identified as vulnerable. A penetrator makes the user
think that s/he is interacting with the operating system. For example, a penetrator
duplicates the login procedure, captures the user’s password, attempts for a system
crash and makes user login again.
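A reconciliation check for the Rounding Down and Salami exposures listed above, given as an added example that is not part of the original chapter. The account ids, amounts, the round-half-up policy and the list of unexplained credits are constructed assumptions; the check recomputes what each posting should have been, classifies any shortfall, and looks for an account whose unexplained credits equal the batch shortfall.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

PAISA = Decimal("0.01")

# Constructed postings: (account id, exactly computed amount, amount posted)
POSTINGS = [
    ("ACC-001", Decimal("2123456.394"), Decimal("2123456.39")),
    ("ACC-002", Decimal("1500.126"), Decimal("1500.12")),
    ("ACC-003", Decimal("2123456.39"), Decimal("2123456.30")),
    ("ACC-004", Decimal("980.555"), Decimal("980.56")),
    ("ACC-005", Decimal("2123456.39"), Decimal("2123456.00")),
    ("ACC-006", Decimal("75.018"), Decimal("75.01")),
]

# Constructed credits that no source document explains: (account id, amount)
CREDITS = [
    ("ACC-900", Decimal("0.30")),
    ("ACC-900", Decimal("0.20")),
    ("ACC-417", Decimal("12.00")),
]


def classify(exact, posted):
    """Compare a posted amount with the amount the rounding policy requires."""
    expected = exact.quantize(PAISA, rounding=ROUND_HALF_UP)  # assumed policy
    shortfall = expected - posted
    if shortfall == 0:
        return "ok", shortfall
    if shortfall < 0:
        return "overposted", shortfall
    if posted == exact.quantize(PAISA, rounding=ROUND_DOWN):
        return "rounded_down", shortfall  # only the fraction of a paisa is gone
    return "sliced", shortfall            # more than the fraction was removed


def reconcile(postings):
    """Return (findings, net shortfall) for one batch of postings."""
    findings = []
    total = Decimal("0")
    for account, exact, posted in postings:
        kind, shortfall = classify(exact, posted)
        if kind != "ok":
            findings.append((account, kind, shortfall))
            total += shortfall
    return findings, total


def suspect_sinks(unexplained_credits, total_shortfall):
    """Accounts whose unexplained credits add up to the batch shortfall."""
    sums = {}
    for account, amount in unexplained_credits:
        sums[account] = sums.get(account, Decimal("0")) + amount
    return sorted(a for a, s in sums.items()
                  if s > 0 and s == total_shortfall)


if __name__ == "__main__":
    found, missing = reconcile(POSTINGS)
    for row in found:
        print(*row)
    print("net shortfall:", missing, "sinks:", suspect_sinks(CREDITS, missing))
```

Individual shortfalls are tiny, so the useful signals are the batch total and the fact that every deviation has the same sign.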
Asynchronous Attacks
They occur in many environments where data can be moved synchronously across
telecommunication lines. Data that is waiting to be transmitted is liable to
unauthorized access, called an Asynchronous Attack. These attacks are hard to detect
because they are usually very small pin-like insertions and are of the following types:
 Data Leakage: This involves leaking information out of the computer by means
of dumping files to paper or stealing computer reports and tape.
 Subversive Attacks: These can provide intruders with important information
about messages being transmitted and the intruder may attempt to violate the
integrity of some components in the sub-system.
 Wire-Tapping: This involves spying on information being transmitted over
communication network.
 Piggybacking: This is the act of following an authorized person through a secured
door or electronically attaching to an authorized telecommunication link that
intercepts and alters transmissions. This involves intercepting communication
between the operating system and the user and modifying them or substituting new
messages.
Fig. 3.4.2: Asynchronous Attacks


Compromise or absence of logical access controls in an organization may result in
potential losses due to exposures that may lead to the total shutdown of the computer
functions. Intentional or accidental exposures of logical access control encourage
the technical exposures and computer crimes shown in Table 3.4.4 and Fig. 3.4.2 respectively.
Logical Access Violators are often the same people who exploit physical
exposures, although the skills needed to exploit logical exposures are more
technical and complex. They are mainly as follows:
 Hackers: Hackers try their best to overcome restrictions to prove their ability.
Ethical hackers most likely never try to misuse the computer intentionally;
 Employees (authorized or unauthorized);
 IS Personnel: They have the easiest access to computerized information since
they come across information while discharging their duties. Segregation
of duties and supervision help to reduce the logical access violations;
 Former Employees: Organizations should be cautious of former employees who
have left the organization on unfavorable terms;
 End Users; Interested or Educated Outsiders; Competitors; Foreigners;
Organized Criminals; Crackers; Part-time and Temporary Personnel; Vendors
and consultants; and Accidental Ignorant – Violation done unknowingly.
Some of the Logical Access Controls are listed below:
I. User Access Management: This is an important factor that involves following:
• User Registration: Information about every user is documented. Questions
such as why and to whom access is granted, whether the data owner has
approved the access, and whether the user has accepted the responsibility
are answered. The de-registration process is equally important.
• Privilege management: Access privileges are to be aligned with job
requirements and responsibilities and are to be minimal w.r.t their job
functions. For example, an operator at the order counter shall have direct
access to order processing activity of the application system.
• User password management: Passwords are usually the default screening
point for access to systems. Allocation, storage, revocation, and reissue of
passwords are password management functions. Educating users about passwords,
and making them responsible for their passwords, is a critical component.
• Review of user access rights: A user’s need for accessing information
changes with time and requires a periodic review of access rights to check
anomalies in the user’s current job profile, and the privileges granted earlier.
II. User Responsibilities: User awareness and responsibility are also important
factors and are as follows:
• Password use: Mandatory use of strong passwords to maintain confidentiality.
• Unattended user equipment: Users should ensure that none of the
equipment under their responsibility is ever left unprotected. They should also
secure their PCs with a password and should not leave it accessible to others.
III. Network Access Control: An Internet connection exposes an organization to
the harmful elements of the outside world. The protection can be achieved
through the following means:
• Policy on use of network services: An enterprise wide policy applicable
to internet service requirements aligned with the business need for using
the Internet services is the first step. Selection of appropriate services and
approval to access them should be part of this policy.
• Enforced path: Based on risk assessment, it is necessary to specify the
exact path or route connecting the networks; e.g. internet access by
employees will be routed through a firewall and proxy.
• Segregation of networks: Based on the sensitive information handling
function, say a VPN connection between a branch office and the head-office,
this network is to be isolated from the internet usage service.
• Network connection and routing control: The traffic between networks
should be restricted, based on identification of source and authentication
access policies implemented across the enterprise network facility.
• Security of network services: The techniques of authentication and
authorization policy should be implemented across the organization’s network.
• Firewall: A Firewall is a system that enforces access control between two
networks. To accomplish this, all traffic between the external network and
the organization’s Intranet must pass through the firewall that will allow
only authorized traffic between the organization and the outside to pass
through it. The firewall must be immune to penetration from both outside
and inside the organization. In addition to insulating the organization’s
network from external networks, firewalls can be used to insulate portions
of the organization’s Intranet from internal access also.
• Encryption: Encryption is the conversion of data into a secret code for
storage in databases and transmission over networks. The sender uses an
encryption algorithm with a key to convert the original message called the
Clear text into Cipher text. This is decrypted at the receiving end. Two general
approaches are used for encryption viz. private key and public key encryption.
• Call Back Devices: These are based on the principle that the key to network
security is to keep the intruder off the Intranet rather than imposing
security measures after the criminal has connected to the intranet. The
call-back device requires the user to enter a password and then the system
breaks the connection. If the caller is authorized, the call-back device dials
the caller’s number to establish a new connection. This limits access only
from authorized terminals or telephone numbers and prevents an intruder
masquerading as a legitimate user. This also helps to avoid call
forwarding and man-in-the-middle attacks.
IV. Operating System Access Control: Operating System (O/S) is the computer
control program that allows users and their applications to share and access
common computer resources, such as processor, main memory, database and
printers. Major tasks of O/S are Job Scheduling; Managing Hardware and
Software Resources; Maintaining System Security; Enabling Multiple User
Resource Sharing; Handling Interrupts and Maintaining Usage Records.
Operating system security involves policy, procedure and controls that
determine, ‘who can access the operating system,’ ‘which resources they can
access’, and ‘what action they can take’. Hence, protecting operating system
access is extremely crucial and can be achieved using following steps.
• Automated terminal identification: This will help to ensure that a
specified session could only be initiated from a certain location or
computer terminal.
• Terminal log-in procedures: A log-in procedure is the first line of
defense against unauthorized access as it does not provide unnecessary
help or information, which could be misused by an intruder. When the
user initiates the log-on process by entering user-id and password, the
system compares the ID and password to a database of valid users and
accordingly authorizes the log-in.
• Access Token: If the log on attempt is successful, the Operating System
creates an access token that contains key information about the user
including user-id, password, user group and privileges granted to the
user. The information in the access token is used to approve all actions
attempted by the user during the session.
• Access Control List: This list contains information that defines the
access privileges for all valid users of the resource. When a user
attempts to access a resource, the system compares his or her user-id
and privileges contained in the access token with those contained in
the access control list. If there is a match, the user is granted access.
• Discretionary Access Control: The system administrator usually
determines who is granted access to specific resources and maintains
the access control list. However, in distributed systems, resources may
be controlled by the end-user. Resource owners in this setting may be
granted discretionary access control, which allows them to grant access
privileges to other users. For example, the controller who is owner of
the general ledger grants read only privilege to the budgeting
department while accounts payable manager is granted both read and
write permission to the ledger.
• User identification and authentication: The users must be identified
and authenticated in a foolproof manner. Depending on risk
assessment, more stringent methods like Biometric Authentication or
Cryptographic means like Digital Certificates should be employed.
• Password management system: An operating system could enforce
selection of good passwords. Internal storage of password should use
one-way hashing algorithms and the password file should not be
accessible to users.
• Use of system utilities: System utilities are the programs that help to
manage critical functions of the operating system e.g. addition or
deletion of users. Obviously, this utility should not be accessible to a
general user. Use and access to these utilities should be strictly
controlled and logged.
• Duress alarm to safeguard users: If users are forced to execute some instruction
under threat, the system should provide a means to alert the authorities.
• Terminal time out: Log out the user if the terminal is inactive for a defined
period. This will prevent misuse in absence of the legitimate user.
• Limitation of connection time: Define the available time slot. Do not
allow any transaction beyond this time. For example, no computer
access after 8.00 p.m. and before 8.00 a.m. or on a Saturday or Sunday.
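The operating system controls above, combined in one added sketch that is not part of the original chapter: terminal identification, a log-in that reveals nothing on failure, one-way password hashing, an access token checked against an access control list, an owner-only discretionary grant, terminal time-out and limited connection time. User ids, terminal names, passwords, the 15-minute idle limit and the `group:` naming are constructed assumptions, and the token in this sketch carries identity and groups only.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed terminal time-out
OPEN_HOUR, CLOSE_HOUR = 8, 20       # no access after 8 p.m. or before 8 a.m.


def hash_password(password, salt):
    # One-way, salted, deliberately slow hash; only the digest is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _user(password, groups, terminals):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "groups": set(groups), "terminals": set(terminals)}


# Constructed user database (stands in for the protected password file).
USERS = {
    "controller": _user("Ledger#Owner-2024", {"finance"}, {"FIN-T01"}),
    "ap_manager": _user("Pay@bles-Desk-77", {"finance"}, {"FIN-T02"}),
    "analyst1": _user("Budget!Plan-310", {"budgeting"}, {"BUD-T07"}),
}

# Access control list: resource -> owner and permissions per principal.
ACL = {"general_ledger": {"owner": "controller",
                          "entries": {"controller": {"read", "write"}}}}


@dataclass
class AccessToken:
    user_id: str
    groups: frozenset
    terminal: str
    last_activity: datetime


def within_hours(now):
    return now.weekday() < 5 and OPEN_HOUR <= now.hour < CLOSE_HOUR


def login(user_id, password, terminal, now):
    """Return a token, or None for every kind of failure (no hints given)."""
    user = USERS.get(user_id)
    if user is None or not within_hours(now) or terminal not in user["terminals"]:
        return None
    supplied = hash_password(password, user["salt"])
    if not hmac.compare_digest(supplied, user["hash"]):
        return None
    return AccessToken(user_id, frozenset(user["groups"]), terminal, now)


def _session_valid(token, now):
    return (token is not None and within_hours(now)
            and now - token.last_activity <= IDLE_LIMIT)


def check_access(token, resource, action, now):
    """Approve an action only if the token matches an ACL entry."""
    if not _session_valid(token, now):
        return False  # timed out or outside the allowed connection time
    entries = ACL.get(resource, {}).get("entries", {})
    principals = [token.user_id] + [f"group:{g}" for g in token.groups]
    allowed = any(action in entries.get(p, set()) for p in principals)
    if allowed:
        token.last_activity = now
    return allowed


def grant(token, resource, principal, permissions, now):
    """Discretionary access control: only the resource owner may grant."""
    res = ACL.get(resource)
    if res is None or not _session_valid(token, now):
        return False
    if res["owner"] != token.user_id:
        return False
    res["entries"].setdefault(principal, set()).update(permissions)
    return True
```

A production system would also log every denied `login`, `check_access` and `grant` call.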
V. Application and Monitoring System Access Control: Some steps are as follows:
• Information Access restriction: The access to information is restricted by
application specific menu interfaces, which limit access to system functions.
A user can access only those items s/he is authorized to access. Controls
are implemented on the access rights of users, for example read, write,
delete, and execute. It should also be ensured that sensitive output is sent
only to authorized terminals and locations.
• Sensitive System isolation: Based on the critical constitution of a system
in an enterprise, it may even be necessary to run the system in an isolated
environment. Monitoring system access and use is a detective control, to
check if preventive controls discussed so far are working. If not, this control
will detect and report any unauthorized activities.
• Event logging: In Computer systems, it is easy and viable to maintain
extensive logs for all types of events. It is necessary to review if logging is
enabled and the logs are archived properly. An intruder may penetrate the
system by trying different passwords and user ID combinations. All incoming
and outgoing requests along with attempted access should be recorded in
a transaction log. The log should record the user ID, the time of the access
and the terminal location from where the request has been originated.
• Monitor System use: Based on the risk assessment, a constant monitoring
of some critical systems is essential. Define the details of types of accesses,
operations, events and alerts that will be monitored. The extent of detail
and the frequency of the review would be based on criticality of operation
and risk factors. The log files are to be reviewed periodically and attention
should be given to any gaps in these logs.
• Clock Synchronization: Event logs maintained across an enterprise
network play a significant role in correlating an event and generating
a report on it. Hence, synchronizing clock time across the
network as per a standard time is mandatory.
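A log review routine for the Event logging, Monitor System use and Clock Synchronization points above, given as an added example that is not part of the original chapter. The line format, the sample records, the thresholds and the terminal names are constructed assumptions; timestamps are assumed to be UTC from synchronized clocks. It flags terminals from which many failed log-ins arrive in a short window, reports silent gaps in the log, and lists unparseable lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed record layout: time, terminal location, user ID, event, result.
LINE = re.compile(
    r"^(?P<ts>\S+) terminal=(?P<terminal>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed transaction log for the example.
SAMPLE_LOG = """
2024-03-06T09:58:10Z terminal=FIN-T01 user=controller event=LOGIN result=OK
2024-03-06T10:01:00Z terminal=LOBBY-K3 user=controller event=LOGIN result=FAIL
2024-03-06T10:01:12Z terminal=LOBBY-K3 user=ap_manager event=LOGIN result=FAIL
2024-03-06T10:01:25Z terminal=LOBBY-K3 user=analyst1 event=LOGIN result=FAIL
2024-03-06T10:01:40Z terminal=LOBBY-K3 user=controller event=LOGIN result=FAIL
2024-03-06T10:01:55Z terminal=LOBBY-K3 user=ap_manager event=LOGIN result=FAIL
2024-03-06T10:05:00Z terminal=BUD-T07 user=analyst1 event=LOGIN result=FAIL
2024-03-06T10:05:30Z terminal=BUD-T07 user=analyst1 event=LOGIN result=OK
2024-03-06T10:20:00Z terminal=FIN-T01 user=controller event=READ result=OK
corrupted line without fields
2024-03-06T13:45:00Z terminal=FIN-T02 user=ap_manager event=LOGIN result=OK
"""


def parse(log_text):
    """Return (records, rejected line numbers); bad lines are never dropped silently."""
    records, rejected = [], []
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        match = LINE.match(line.strip())
        if match is None:
            rejected.append(number)
            continue
        try:
            ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            rejected.append(number)
            continue
        record = match.groupdict()
        record["ts"] = ts.replace(tzinfo=timezone.utc)
        records.append(record)
    return records, rejected


def guessing_alerts(records, threshold=5, window=timedelta(minutes=2)):
    """Terminals with at least `threshold` failed log-ins inside `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] != "LOGIN" or rec["result"] != "FAIL":
            continue
        queue = recent[rec["terminal"]]
        queue.append(rec)
        while rec["ts"] - queue[0]["ts"] > window:
            queue.popleft()
        if len(queue) >= threshold:
            users = alerts.setdefault(rec["terminal"], set())
            users.update(r["user"] for r in queue)
    return {terminal: sorted(users) for terminal, users in alerts.items()}


def log_gaps(records, max_silence=timedelta(minutes=30)):
    """Pairs of consecutive timestamps separated by more than `max_silence`."""
    ordered = sorted(r["ts"] for r in records)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > max_silence]


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print("rejected lines:", bad)
    print("password guessing:", guessing_alerts(recs))
    print("gaps:", log_gaps(recs))
```

Gap detection only means something when every host stamps records from the same time source, which is why the clock synchronization control precedes correlation.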
VI. Controls when mobile: In today’s organizations, computing facility is not
restricted to a certain data center alone. Ease of access on the move
provides efficiency and results in additional responsibility on the
management to maintain information security. Theft of data carried on
the disk drives of portable computers is a high-risk factor. Both physical
and logical access to these systems is critical. Information is to be
encrypted and access identifications like fingerprint, eye-iris, and smart
cards are necessary security features.
3.4.3 Classification based on “Audit Functions”
Auditors might choose to factor systems in several different ways. Auditors have
found two ways to be especially useful when conducting information systems
audits. These are discussed below:
A. Managerial Controls: In this part, we shall examine controls over the
managerial functions that must be performed to ensure the development,
implementation, operation and maintenance of information systems in a planned
and controlled manner in an organization. The controls at this level provide a stable
infrastructure in which information systems can be built, operated, and maintained
on a day-to-day basis.
I. Top Management and Information Systems Management Controls
The controls adopted by the management of an enterprise are to ensure that the
information systems function correctly and they meet the strategic business
objectives.
(a) Planning – This includes determining the goals of the information systems
function and the means of achieving these goals. The steering committee
shall comprise representatives from all areas of the business, and IT
personnel that would be responsible for the overall direction of IT. The
steering committee should assume overall responsibility for the activities of
the information systems function.
(b) Organizing – There should be a prescribed IT organizational structure with
documented roles and responsibilities and agreed job descriptions. This
includes gathering, allocating, and coordinating the resources needed to
accomplish the goals that are established during Planning function.
(c) Leading – This includes motivating, guiding, and communicating with personnel.
The purpose of leading is to achieve the harmony of objectives; i.e. a person’s or
group’s objectives must not conflict with the organization’s objectives. The process
of leading requires managers to motivate subordinates, direct them and
communicate with them.
(d) Controlling – This includes comparing actual performance with planned
performance as a basis for taking any corrective actions that are needed. This
involves determining when the actual activities of the information system’s
functions deviate from the planned activities.
II. Systems Development Management Controls
System development controls are targeted to ensure that proper documentation and
authorizations are available for each phase of the system development process. They
include controls over new system development activities. The activities
discussed below deal with system development controls in an IT setup.
 System Authorization Activities: All systems must be properly and formally
authorized to ensure their economic justification and feasibility. This requires that
each new system request be submitted in written form by users to systems
professionals who have both the expertise and authority to evaluate and approve
(or reject) the request.
 User Specification Activities: Users must be actively involved in the systems
development process wherein a detailed written descriptive document of the logical
needs of the users is created.
 Technical Design Activities: The technical design activities translate the user
specifications into a set of detailed technical specifications of a system that meets
the user’s needs.
 Internal Auditor’s Participation: The internal auditor should be involved at the
inception of the system development process to make conceptual suggestions
regarding system requirements and controls and should be continued throughout
all phases of the development process and into the maintenance phase.
 Program Testing: All program modules must be thoroughly tested before they are
implemented. The results of the tests are then compared against predetermined
results to identify programming and logic errors.
 User Test and Acceptance Procedures: Just before implementation, the individual
modules of the system must be tested as a unified whole. A test team comprising
user personnel, systems professionals, and internal audit personnel subjects the
system to rigorous testing. Once the test team is satisfied that the system meets its
stated requirements, the system is formally accepted by the user department(s).
III. Programming Management Controls
Program development and implementation is a major phase within the systems
development life cycle. The primary objectives of this phase are to produce or
acquire and to implement high-quality programs. The purpose of the Control phase,
which runs in parallel with all other phases during software development or
acquisition, is to monitor progress against plan and to ensure software released
for production use is authentic, accurate, and complete. Refer to Table 3.4.5.
Table 3.4.5: Phases of Program Development Life Cycle
Phase: Controls
Planning: Techniques like Work Breakdown Structures (WBS), Gantt charts and
PERT (Program Evaluation and Review Technique) Charts can be used to
monitor progress against plan.
Control: The Control phase has two major purposes:
 Task progress in various software life-cycle phases should be
monitored against plan and corrective action should be taken in
case of any deviations.
 Control over software development, acquisition, and
implementation tasks should be exercised to ensure software
released for production use is authentic, accurate, and complete.
Design: A systematic approach to program design, such as any of the structured
design approaches or object-oriented design, is adopted.
Coding: Programmers must choose a module implementation and integration
strategy (like Top-down, Bottom-up & Threads approach), a coding strategy
(that follows precepts of structured programming), and a documentation
strategy (to ensure program code is easily readable & understandable).
Testing: Three types of testing can be undertaken:
 Unit Testing – which focuses on individual program modules;
 Integration Testing – which focuses on groups of program
modules; and
 Whole-of-Program Testing – which focuses on the whole program.
These tests are to ensure that a developed or acquired program
achieves its specified requirements.
Operation and Maintenance: Management establishes formal mechanisms to monitor
the status of operational programs so maintenance needs can be identified on a
timely basis. Three types of maintenance that can be used are as follows:
 Repair Maintenance – in which program errors are corrected;
 Adaptive Maintenance – in which the program is modified to meet
changing user requirements; and
 Perfective Maintenance – in which the program is tuned to
decrease the resource consumption.
IV. Data Resource Management Controls
Many organizations now recognize that data is a critical resource that must be
managed properly and, accordingly, centralized planning and control are
implemented. For data to be managed better, users must be able to share data;
data must be available to users when it is needed, in the location where it is needed,
and in the form in which it is needed. Further it must be possible to modify data
easily and the integrity of the data be preserved. If data repository system is used
properly, it can enhance data and application system reliability. It must be
controlled carefully, however, because the consequences are serious if the data
definition is compromised or destroyed. Careful control should be exercised over
the roles by appointing senior, trustworthy persons, separating duties to the extent
possible and maintaining and monitoring logs of the data administrator’s and
database administrator’s activities.
V. Quality Assurance Management Controls
Quality Assurance management is concerned with ensuring that the –
 Information systems produced by the information systems function achieve
certain quality goals; and
 Development, implementation, operation and maintenance of Information
systems comply with a set of quality standards.
Quality Assurance (QA) personnel should work to improve the quality of
information systems produced, implemented, operated, and maintained in an
organization. They perform a monitoring role for management to ensure that –
 Quality goals are established and understood clearly by all stakeholders; and
 Compliance occurs with the standards that are in place to attain quality
information systems.
VI. Security Management Controls
Information security administrators are responsible for ensuring that information
systems assets categorized under Personnel, Hardware, Facilities, Documentation,
Supplies, Data, Application Software and System Software are secure. Assets are
secure when the expected losses that will occur over some time are at an
acceptable level. The controls classified based on “Nature of Information
System Resources” – Environmental Controls, Physical Controls and Logical Access
Controls – are all security measures against the possible threats. However, despite the
controls in place, there could be a possibility that a control might fail. Disasters
are events / incidents that are so critical that they have the capability to hit the
business continuity of an entity in an irreversible manner.
When disaster strikes, it still must be possible to recover operations and mitigate
losses using the last resort controls - A Disaster Recovery Plan (DRP) and Insurance.
A comprehensive DRP comprises four parts – an Emergency Plan, a Backup Plan,
a Recovery Plan and a Test Plan. The plan lays down the policies, guidelines, and
procedures for all Information System personnel. Adequate insurance must be able
to replace Information Systems assets and to cover the extra costs associated with
restoring normal operations.
BCP (Business Continuity Planning) Controls: These controls are related to
having an operational and tested IT continuity plan, which is in line with the overall
business continuity plan, and its related business requirements to make sure IT
services are available as required and to ensure a minimum impact on business in
the event of a major disruption.
VIII. Operations Management Controls
Operations management is responsible for the daily running of hardware and software
facilities. Operations management typically performs controls over the functions as below:
(a) Computer Operations: The controls over computer operations govern the
activities that directly support the day-to-day execution of either test or
production systems on the hardware/software platform available.
(b) Network Operations: This includes the proper functioning of network
operations and monitoring the performance of network communication
channels, network devices, and network programs and files. Data may be lost
or corrupted through component failure.
(c) Data Preparation and Entry: Irrespective of whether the data is obtained
indirectly from source documents or directly from, say, customers, keyboard
environments and facilities should be designed to promote speed and
accuracy and to maintain the wellbeing of keyboard operators.
(d) Production Control: This includes major functions like receipt and
dispatch of input and output; job scheduling; management of service-level
agreements with users; transfer pricing/charge-out control; and acquisition
of computer consumables.
(e) File Library: This includes the management of an organization’s machine-
readable storage media like magnetic tapes, cartridges, and optical disks.
(f) Documentation and Program Library: Documentation librarians ensure
that documentation is stored securely; that only authorized
personnel gain access to documentation; that documentation is kept up-to-date
and that adequate backup exists for documentation. The documentation
may include reporting of responsibility and authority of each function;
definition of responsibilities and objectives of each function; policies and
procedures; job descriptions and Segregation of Duties.
(g) Help Desk/Technical support: This assists end-users to employ end-user
hardware and software such as micro-computers, spreadsheet packages,
database management packages etc. and provides the technical support for
production systems by assisting with problem resolution.
(h) Capacity Planning and Performance Monitoring: Regular performance
monitoring facilitates the capacity planning wherein the resource deficiencies
must be identified well in time so that they can be made available when they
are needed.
(i) Management of Outsourced Operations: This has the responsibility for
carrying out day-to-day monitoring of the outsourcing contract.
B. Application Controls and their Categories
The objective of application controls is to ensure that data remains complete,
accurate and valid during its input, update and storage.
I. Boundary Controls: The major controls of the boundary system are the
access control mechanisms that link the authentic users to the authorized
resources they are permitted to access. The boundary subsystem establishes the
interface between the would-be user of a computer system and the computer itself.
Major Boundary Controls are as follows:
 Cryptography: It deals with programs for transforming data into cipher text
that is meaningless to anyone who does not possess the authentication to
access the respective system resource or file. A cryptographic technique
encrypts data (clear text) into cryptograms (cipher text) and its strength
depends on the time and cost to decipher the cipher text by a cryptanalyst.
Three techniques of cryptography are transposition (permute the order of
characters within a set of data), substitution (replace text with a key-text) and
product cipher (combination of transposition and substitution).
 Passwords: User identification by an authentication mechanism with
personal characteristics like name, birth date, employee code, function,
designation or a combination of two or more of these can be used as a
password boundary access control.
 Personal Identification Numbers (PIN): A PIN is similar to a password. It may
be assigned to a user by an institution as a random number stored in its database
independent of the user’s identification details, or it may be a customer-selected
number. Hence, a PIN may be exposed to vulnerabilities during issuance or
delivery, validation, transmission and storage.
 Identification Cards: Identification cards are used to store information
required in an authentication process. These cards are to be controlled
through the application for a card, preparation of the card, issue, use and
card return or card termination phases.
 Biometric Devices: Biometric identification e.g. thumb and/or finger
impression and eye retina etc. are used as boundary control techniques.
II. Input Controls: Data that is presented to an application as input data must
be validated for authorization, reasonableness, completeness, and integrity. These
controls are responsible for ensuring the accuracy and completeness of data and
instruction input into an application system. Input controls are important and
critical since substantial time is spent on the input of data, which involves human
intervention and is, therefore, error and fraud prone. These are of the following
types, as shown in Fig. 3.4.3:
Fig. 3.4.3: Classification of Input Controls
A. Source Document Controls: In systems that use physical source documents
to initiate transactions, careful control must be exercised over these
instruments. Source document fraud can be used to remove assets from the
organization. For example, an individual with access to purchase orders and
receiving reports could fabricate a purchase transaction to a non-existent
supplier. In the absence of other compensating controls to detect this type
of fraud, the system would create an account payable and subsequently write
a cheque for payment. To control against this type of exposure, the
organization must implement control procedures over source documents to
account for each document.
B. Data Coding Controls: Two types of errors, Transcription and
Transposition errors, can corrupt a data code and cause processing errors.
Any of these errors can cause serious problems in data processing if they go
undetected. These simple errors can severely disrupt operations.
• Transcription Errors: It is a special type of data entry error that is
commonly made by human operators or by Optical Character
Recognition (OCR) programs. Examples are Addition Errors (when an extra
digit is added to the code), Truncation Errors (when a digit is removed from
the code) and Substitution Errors (replacement of one digit in a code
with another).
• Transposition Errors: It is a simple error of data entry that occurs when
two digits that are either individual or part of a larger sequence of
numbers are reversed (transposed) when posting a transaction. For
example, a sales order for customer 987654 that is transposed into
897654 will be posted to the wrong customer’s account. A similar error
in an inventory item code on a purchase order could result in ordering
unneeded inventory and failing to order inventory that is needed.
C. Batch Controls: Batching is the process of grouping together transactions
that bear some type of relationship to each other. Various controls can be
exercised over the batch to prevent or detect errors or irregularities. To
identify errors or irregularities in either a physical or logical batch, three types
of control totals are as follows:
• Financial totals: Grand totals calculated for each field containing
money amounts.
• Hash totals: Grand totals calculated for any code on a document in the
batch, e.g., the source document serial numbers can be totalled.
• Document/Record Counts: Grand totals for the number of documents or
records in the batch.
D. Validation Controls: Input validation controls are intended to detect errors
in the transaction data before the data are processed. Some of these controls
include the following:
• Field interrogation: It involves programmed procedures that examine
the characters of the data in the field. This includes the checks like Limit
Check (against predefined limits), Picture Checks (against entry into
processing of incorrect/invalid characters), valid check codes (against
predetermined transactions codes, tables) etc.
• Record interrogation: This includes the reasonableness check
(Whether the value specified in a field is reasonable for that particular
field?); Valid Sign (to determine which sign is valid for a numeric field)
and Sequence Check (to follow a required order matching with logical
records.)
• File Interrogation: This includes version usage; internal and external
labeling; data file security; file updating and maintenance authorization
etc.
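The batch and validation controls above can be seen working together in the following added example, which is not part of the original chapter. It recomputes the three control totals for a keyed batch and shows that the transposed customer number 897654 passes the picture check but is caught by the hash total; the record layout, the amount limit and the sample batch are constructed assumptions.

```python
"""Batch control totals plus field interrogation (added illustration)."""
import re
from dataclasses import dataclass, replace
from decimal import Decimal

PICTURE = re.compile(r"\d{6}")        # assumed picture: six-digit customer code
AMOUNT_LIMIT = Decimal("50000.00")    # assumed upper limit for one transaction


@dataclass(frozen=True)
class Transaction:
    doc_no: int          # source document serial number
    customer_no: str     # customer code as keyed
    amount: Decimal      # money amount


@dataclass(frozen=True)
class ControlTotals:
    record_count: int         # document/record count
    financial_total: Decimal  # grand total of the money field
    hash_total: int           # grand total of a code field (no business meaning)


def control_totals(batch):
    """Totals as they would be written on the batch header when it is prepared."""
    return ControlTotals(
        record_count=len(batch),
        financial_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(int(t.customer_no) for t in batch),
    )


def field_errors(txn):
    """Field interrogation: picture check and limit check on one record."""
    errors = []
    if not PICTURE.fullmatch(txn.customer_no):
        errors.append("picture check: customer_no must be six digits")
    if not (Decimal("0") < txn.amount <= AMOUNT_LIMIT):
        errors.append("limit check: amount outside permitted range")
    return errors


def check_batch(header, keyed):
    """Return findings as (where, message); an empty list means the batch is accepted."""
    findings = [(f"doc {t.doc_no}", msg) for t in keyed for msg in field_errors(t)]
    if findings:
        return findings  # the hash total needs well-formed numeric codes
    actual = control_totals(keyed)
    for name in ("record_count", "financial_total", "hash_total"):
        expected, got = getattr(header, name), getattr(actual, name)
        if expected != got:
            findings.append((name, f"header {expected}, keyed {got}"))
    return findings


# Constructed source documents and the header prepared from them.
SOURCE = [
    Transaction(1001, "987654", Decimal("1250.00")),
    Transaction(1002, "123450", Decimal("310.75")),
    Transaction(1003, "555012", Decimal("42.10")),
    Transaction(1004, "300700", Decimal("8999.99")),
]
HEADER = control_totals(SOURCE)

# Constructed keying mistakes of the kinds described under Data Coding Controls.
TRANSPOSED = [replace(SOURCE[0], customer_no="897654")] + SOURCE[1:]  # 98 -> 89
TRUNCATED = [replace(SOURCE[0], customer_no="98765")] + SOURCE[1:]    # digit lost
DROPPED = SOURCE[:2] + SOURCE[3:]                                      # doc 1003 missing

if __name__ == "__main__":
    for label, keyed in [("clean", SOURCE), ("transposed", TRANSPOSED),
                         ("truncated", TRUNCATED), ("dropped", DROPPED)]:
        print(label, check_batch(HEADER, keyed))
```

A hash total only detects a changed sum: two keying errors that offset each other leave it unchanged, which is why it is used alongside the record count and financial total rather than instead of them.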
III. Communication Controls: These discuss exposures in the communication
subsystem, controls over physical components, communication line errors,
flows, and links, topological controls, channel access controls, controls over
subversive attacks, internetworking controls, communication architecture
controls, audit trail controls, and existence controls. Some communication
controls are as follows:
(a) Physical Component Controls: These controls incorporate features
that mitigate the possible effects of exposures.
(b) Line Error Control: Whenever data is transmitted over a
communication line, it can be received in error because of
attenuation, distortion, or noise that occurs on the line. These errors must
be detected and corrected.
(c) Flow Controls: Flow controls are needed because two nodes in a
network can differ in terms of the rate at which they can send, receive,
and process data. For example, a mainframe can transmit data to a
microcomputer terminal.
(d) Link Controls: In Wide Area Network (WAN), line error control and flow
control are important functions in the component that manages the link
between two nodes in a network.
(e) Channel Access Controls: Two different nodes in a network can
compete to use a communication channel. Whenever the possibility of
contention for the channel exists, some type of channel access control
technique must be used.
IV. Processing Controls
The processing subsystem is responsible for computing, sorting, classifying,
and summarizing data. Its major components are the Central Processor in
which programs are executed, the real or virtual memory in which program
instructions and data are stored, the operating system that manages system
resources, and the application programs that execute instructions to achieve
specific user requirements. Some of these controls are as follows:
(i) Processor Controls: Table 3.4.6 lists the controls to reduce expected
losses from errors and irregularities associated with Central processors.
Table 3.4.6: Processor Controls
Control: Explanation
Error Detection and Correction: Occasionally, processors might malfunction
because of design errors, manufacturing defects, damage, fatigue,
electromagnetic interference, and ionizing radiation. The failure might be
transient (that disappears after a short period), intermittent (that reoccurs
periodically), or permanent (that does not correct with time). For the transient
and intermittent errors, retries and re-execution might be successful,
whereas for permanent errors, the processor must halt and report error.
Multiple Execution States: It is important to determine the number of and
nature of the execution states enforced by the processor. This helps auditors
to determine which user processes will be able to carry out unauthorized
activities, such as gaining access to sensitive data maintained in memory regions
assigned to the operating system or other user processes.
Timing Controls: An operating system might get stuck in an infinite loop. In the
absence of any control, the program will retain use of processor and prevent
other programs from undertaking their work.
Component Replication: In some cases, processor failure can result in
significant losses. Redundant processors allow errors to be detected and
corrected. If processor failure is permanent in multicomputer or multiprocessor
architectures, the system might reconfigure itself to isolate the failed
processor.
(ii) Real Memory Controls: This comprises the fixed amount of primary
storage in which programs or data must reside for them to be executed
or referenced by the central processor. Real memory controls seek to
detect and correct errors that occur in memory cells and to protect areas
of memory assigned to a program from illegal access by another program.
(iii) Virtual Memory Controls: Virtual Memory exists when the addressable
storage space is larger than the available real memory space. To achieve
this outcome, a control mechanism must be in place that maps virtual
memory addresses into real memory addresses.
(iv) Data Processing Controls: These perform validation checks to identify
errors during processing of data. They are required to ensure both the
completeness and the accuracy of data being processed. Normally, the
processing controls are enforced through the database management
system that stores the data. However, adequate controls should also be
enforced through the front-end application system to have
consistency in the control process.
V. Database Controls
Controls that protect the integrity of a database when application software
acts as an interface between the user and the database are called Update
Controls and Report Controls.
Major Update Controls are as follows:
 Sequence Check between Transaction and Master Files:
Synchronization and the correct sequence of processing between the
master file and transaction file is critical to maintain the integrity of
updating, insertion or deletion of records in the master file with respect
to the transaction records. If errors in this stage are overlooked, it leads
to corruption of the critical data.
 Ensure All Records on Files are processed: While processing, it must be
ensured that the transaction file records are mapped to the respective
master file and that the end-of-file of the transaction file is handled
correctly with respect to the end-of-file of the master file.
 Process multiple transactions for a single record in the correct
order: Multiple transactions can occur based on a single master record
(e.g. dispatch of a product to different distribution centers). Here, the
order in which transactions are processed against the product master
record must be based on sorted transaction codes.
 Maintain a suspense account: When mapping between the master
record and the transaction record results in a mismatch because the
corresponding record entry is missing in the master record, these
transactions are maintained in a suspense account.
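The update controls listed above, as an added Python example that is not part of the original chapter: a sequential master-file update that applies the sequence check, orders multiple transactions per record by transaction code, routes unmatched transactions to a suspense account and confirms that every transaction read is accounted for. The item codes, the RECEIPT/DISPATCH transaction codes and the sample files are constructed assumptions.

```python
"""Sequential master-file update with the update controls (added illustration)."""

# Assumed transaction codes; the number is the processing order within one item.
TXN_ORDER = {"RECEIPT": 1, "DISPATCH": 2}


def sequence_check(keys, strict, label):
    """Raise ValueError if keys are out of order (or repeated when strict)."""
    prev = None
    for key in keys:
        if prev is not None and (key < prev or (strict and key == prev)):
            raise ValueError(f"{label}: sequence check failed, {key!r} follows {prev!r}")
        prev = key


def txn_key(txn):
    """Sort key of a transaction: master key first, then transaction code order."""
    return (txn["item"], TXN_ORDER[txn["code"]])


def sort_transactions(txns):
    """Sort by item, then transaction code, then arrival sequence number."""
    return sorted(txns, key=lambda t: (*txn_key(t), t["seq"]))


def update_master(master, txns):
    """Apply a sorted transaction file to a sorted master file.

    Returns (new_master, suspense, totals); the input master is not modified.
    """
    # Control 1: both files must be in sequence before any update is made.
    sequence_check([m["item"] for m in master], strict=True, label="master file")
    sequence_check([txn_key(t) for t in txns], strict=False, label="transaction file")

    new_master, suspense, applied, i = [], [], 0, 0
    for rec in master:
        # Control 4: a transaction whose key precedes this master key has no
        # master record, so it goes to the suspense account.
        while i < len(txns) and txns[i]["item"] < rec["item"]:
            suspense.append(txns[i])
            i += 1
        qty = rec["qty"]
        # Control 3: all transactions for one record, in transaction-code order.
        while i < len(txns) and txns[i]["item"] == rec["item"]:
            t = txns[i]
            qty += t["qty"] if t["code"] == "RECEIPT" else -t["qty"]
            applied += 1
            i += 1
        new_master.append({"item": rec["item"], "qty": qty})
    # Master end-of-file reached first: the rest of the transaction file is unmatched.
    suspense.extend(txns[i:])

    # Control 2: every transaction read is either applied or in suspense.
    totals = {"read": len(txns), "applied": applied, "suspense": len(suspense)}
    if totals["read"] != totals["applied"] + totals["suspense"]:
        raise RuntimeError(f"records unaccounted for: {totals}")
    return new_master, suspense, totals


# Constructed product master file, sorted by item code.
MASTER = [
    {"item": "A100", "qty": 10},
    {"item": "B200", "qty": 0},
    {"item": "C300", "qty": 5},
]
# Constructed transactions in arrival order (not yet sorted).
ARRIVED = [
    {"seq": 1, "item": "B200", "code": "DISPATCH", "qty": 4},
    {"seq": 2, "item": "B200", "code": "RECEIPT", "qty": 6},
    {"seq": 3, "item": "A100", "code": "DISPATCH", "qty": 3},
    {"seq": 4, "item": "Z999", "code": "RECEIPT", "qty": 1},   # no master record
    {"seq": 5, "item": "A050", "code": "DISPATCH", "qty": 2},  # no master record
]

if __name__ == "__main__":
    try:
        update_master(MASTER, ARRIVED)
    except ValueError as exc:
        print("rejected unsorted run:", exc)
    new_master, suspense, totals = update_master(MASTER, sort_transactions(ARRIVED))
    print("new master:", new_master)
    print("suspense  :", suspense)
    print("totals    :", totals)
```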
Major Report Controls are as follows:
 Standing Data: Application programs use many internal tables to
perform various functions like gross pay calculation, billing calculation
based on a price table, bank interest calculation etc. Maintaining
integrity of the pay rate table, price table and interest table is critical
within an organization.
 Print Run-to-Run Control Totals: Run-to-Run control totals help in
identifying errors or irregularities like a record dropped erroneously from
a transaction file, a wrong sequence of updating or application
software processing errors.
 Print Suspense Account Entries: Similar to the update controls, the
suspense account entries are to be periodically monitored with the
respective error file and action taken on time.
 Existence/Recovery Controls: The back-up and recovery strategies
together encompass the controls required to restore failure in a
database. Backup strategies are implemented using prior version and
logs of transactions or changes to the database. Recovery strategies
involve roll-forward (current state database from a previous version) or
the roll-back (previous state database from the current version)
methods.
VI. Output Controls
Output Controls ensure that the data delivered to users will be presented,
formatted and delivered in a consistent and secured manner. Output can be
in any form; it can be either a printed data report or a database file on
removable media. Various Output Controls are as follows:
 Storage and Logging of sensitive, critical forms: Pre-printed stationery
should be stored securely to prevent unauthorized destruction or removal
and usage.
 Logging of output program executions: When programs used for
output of data are executed, these should be logged and monitored;
otherwise confidentiality/integrity of the data may be compromised.
 Spooling/Queuing: “Spool” is an acronym for “Simultaneous Peripheral
Operations Online”. This is a process used to ensure that the user can
continue working, while the print operation is getting completed. A queue
is the list of documents waiting to be printed on a particular printer; this
should not be subject to unauthorized modifications.
 Controls over printing: Outputs should be made on the correct printer
and it should be ensured that unauthorized disclosure of information
printed does not take place.
 Report Distribution and Collection Controls: Distribution of reports
should be made in a secure way to prevent unauthorized disclosure of data.
It should be made immediately after printing to ensure that the time gap
between generation and distribution is reduced. A log should be maintained
for reports that were generated and to whom these were distributed.
 Retention Controls: Retention controls consider the duration for which
outputs should be retained before being destroyed. Retention control
requires that a date should be determined for each output item produced.

3.5 INFORMATION SYSTEMS’ AUDITING


IS Auditing is defined as the process of attesting objectives (those of the external
auditor) that focus on asset safeguarding and data integrity, and management
objectives (those of the internal auditor) that include both effectiveness and
efficiency. This enables organizations to better achieve four major objectives
(Fig. 3.5.1) that are as follows:
a. Asset Safeguarding Objectives: The information system assets (hardware,
software, data information etc.) must be protected by a system of internal
controls from unauthorized access.
b. Data Integrity Objectives: It is a fundamental attribute of IS Auditing. The
integrity of an organization’s data must be maintained at all
times. It is also important from the business perspective of the decision maker,
competition and the market environment.
c. System Effectiveness Objectives: Effectiveness of a system is evaluated by
auditing the characteristics and objective of the system to meet business and
user requirements.
d. System Efficiency Objectives: To optimize the use of various information
system resources (machine time, peripherals, system software and labour)
along with the impact on its computing environment.

3.5.1 Need for Audit of Information Systems


Factors influencing an organization toward controls and audit of computers and
the impact of the information systems audit function on organizations are depicted
in the Fig. 3.5.1.
[Figure 3.5.1: seven factors (1. organizational costs of data loss; 2. costs of incorrect decision making; 3. costs of computer abuse; 4. value of hardware, software and personnel; 5. high costs of computer error; 6. maintenance of privacy; 7. controlled evolution of computer use) lead the organization to control and audit of computer-based information systems; information systems auditing in turn gives the organization (a) improved safeguarding of assets, (b) improved data integrity, (c) improved system effectiveness and (d) improved system efficiency.]

Fig. 3.5.1: Impact of Controls and Audit influencing an Organization


Let us now discuss these reasons in detail:
1. Organizational Costs of Data Loss: Data is a critical resource of an
organization for its present and future process and its ability to adapt and
survive in a changing environment.
2. Cost of Incorrect Decision Making: Management and operational controls
taken by managers involve detection, investigations and correction of the
processes. These high-level decisions require accurate data to make quality
decision rules.
3. Costs of Computer Abuse: Unauthorized access to computer systems,
malware, unauthorized physical access to computer facilities and
unauthorized copies of sensitive data can lead to destruction of assets
(hardware, software, data, information etc.).
4. Value of Computer Hardware, Software and Personnel: These are critical
resources of an organization, which have a credible impact on its infrastructure
and business competitiveness.
5. High Costs of Computer Error: In a computerized enterprise environment
where many critical business processes are performed, a data error during
entry or process would cause great damage.
6. Maintenance of Privacy: Today, data collected in a business process
contains private information about an individual too. These data were also
collected before computers but now, there is a fear that privacy has eroded
beyond acceptable levels.
7. Controlled Evolution of Computer Use: Use of technology and reliability of
complex computer systems cannot be guaranteed and the consequences of
using unreliable systems can be destructive.
3.5.2 Tools for IS Audit
Types of Audit Tools: Different types of continuous audit techniques may be used.
Some modules for obtaining data, audit trails and evidence may be built into the
programs. Audit software is available, which could be used for selecting and testing
data. Many audit tools are also available; some of them are described below:
(i) Snapshots: Tracing a transaction in a computerized system can be performed
with the help of snapshots or extended records. The snapshot software is built
into the system at those points where material processing occurs, and it takes
images of the flow of any transaction as it moves through the application.
These images can be utilized to assess the authenticity, accuracy, and
completeness of the processing carried out on the transaction. The main
areas to dwell upon while involving such a system are locating the snapshot
points based on materiality of transactions, deciding when the snapshot will be
captured, and designing and implementing the reporting system to present
data in a meaningful way.
(ii) Integrated Test Facility (ITF): The ITF technique involves the creation of a
dummy entity in the application system files and the processing of audit test
data against the entity as a means of verifying processing authenticity,
accuracy, and completeness. This test data would be included with the normal
production data used as input to the application system. In such cases the
auditor must decide what would be the method to be used to enter test data
and the methodology for removal of the effects of the ITF transactions.
(iii) System Control Audit Review File (SCARF): The SCARF technique involves
embedding audit software modules within a host application system to
provide continuous monitoring of the system’s transactions. The information
collected is written onto a special audit file- the SCARF master files. Auditors
then examine the information contained on this file to see if some aspect of
the application system needs follow-up. In many ways, the SCARF technique
is like the snapshot technique along with other data collection capabilities.
(iv) Continuous and Intermittent Simulation (CIS): This is a variation of the
SCARF continuous audit technique. This technique can be used to trap
exceptions whenever the application system uses a database management
system. During application system processing, CIS executes in the following
way:
• The database management system reads an application system
transaction. It is passed to CIS. CIS then determines whether it wants to
examine the transaction further. If yes, the next steps are performed or
otherwise it waits to receive further data from the database
management system.
• CIS replicates or simulates the application system processing.
• Every update to the database that arises from processing the selected
transaction will be checked by CIS to determine whether discrepancies
exist between the results it produces and those the application system
produces.
• Exceptions identified by CIS are written to an exception log file.
• The advantage of CIS is that it does not require modifications to the
application system and yet provides an online auditing capability.
(v) Audit Hooks: There are audit routines that flag suspicious
transactions. For example, internal auditors at an insurance company
determined that their policyholder system was vulnerable to fraud every
time a policyholder changed his or her name or address and then
subsequently withdrew funds from the policy. They devised a system of
audit hooks to tag records with a name or address change. The internal
audit department will investigate these tagged records for detecting fraud.
When audit hooks are employed, auditors can be informed of questionable
transactions as soon as they occur. This approach of real-time
notification displays a message on the auditor’s terminal.
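The audit hook from the insurance example above can be sketched as follows; this is an added Python illustration, not code from the original chapter. The hook is called by the host application for every transaction, tags a policy on a name or address change and notifies the auditor when a withdrawal follows on a tagged policy; the event names, the 90-day watch window and the sample transactions are constructed assumptions.

```python
"""Audit hook for the policyholder example (added illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta

TAGGING_KINDS = {"NAME_CHANGE", "ADDRESS_CHANGE"}  # changes that tag a record


@dataclass(frozen=True)
class Event:
    when: date
    policy: str
    kind: str          # NAME_CHANGE, ADDRESS_CHANGE, WITHDRAWAL, PREMIUM (assumed)
    amount: int = 0


@dataclass(frozen=True)
class Alert:
    policy: str
    change: Event       # the change that tagged the record
    withdrawal: Event   # the withdrawal that triggered the alert
    days_after: int


class AuditHook:
    """Audit routine embedded in the host application's transaction path."""

    def __init__(self, notify, watch_days=90):
        self.notify = notify                       # e.g. write to the auditor's terminal
        self.watch = timedelta(days=watch_days)    # assumed watch window
        self.tags = {}                             # policy -> most recent tagging event

    def on_event(self, ev):
        """Called once per transaction, in the order transactions occur."""
        if ev.kind in TAGGING_KINDS:
            self.tags[ev.policy] = ev              # tag the record for audit follow-up
            return None
        if ev.kind != "WITHDRAWAL":
            return None
        change = self.tags.get(ev.policy)
        if change is None or ev.when - change.when > self.watch:
            return None                            # untagged, or tag is outside the window
        alert = Alert(ev.policy, change, ev, (ev.when - change.when).days)
        self.notify(alert)                         # real-time notification
        return alert


def run_policy_system(events, hook):
    """Stand-in for the host application: processes each event and calls the hook."""
    for ev in events:
        hook.on_event(ev)


# Constructed transactions in chronological order.
EVENTS = [
    Event(date(2024, 1, 5), "P-1001", "PREMIUM", 500),
    Event(date(2024, 1, 10), "P-1002", "ADDRESS_CHANGE"),
    Event(date(2024, 1, 12), "P-1003", "WITHDRAWAL", 2000),   # never tagged
    Event(date(2024, 1, 20), "P-1002", "WITHDRAWAL", 15000),  # 10 days after change
    Event(date(2024, 2, 1), "P-1004", "NAME_CHANGE"),
    Event(date(2024, 3, 1), "P-1001", "WITHDRAWAL", 100),     # before any change
    Event(date(2024, 3, 5), "P-1001", "NAME_CHANGE"),
    Event(date(2024, 6, 15), "P-1004", "WITHDRAWAL", 3000),   # 135 days after change
]


def demo():
    """Run the sample events and return (alerts shown to the auditor, hook)."""
    terminal = []
    hook = AuditHook(notify=terminal.append)
    run_policy_system(EVENTS, hook)
    return terminal, hook


if __name__ == "__main__":
    alerts, hook = demo()
    for a in alerts:
        print(f"ALERT {a.policy}: {a.withdrawal.kind} of {a.withdrawal.amount} "
              f"{a.days_after} days after {a.change.kind}")
    print("tagged for review:", sorted(hook.tags))
```

The tagged-record list supports the after-the-fact investigation by internal audit, while the notify callback is the real-time path; tuning the window trades missed cases against alert volume.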

3.6 AUDIT TRAIL


Audit Trails are logs that can be designed to record activity at the system,
application, and user level. When properly implemented, audit trails provide an
important detective control to help accomplish security policy objectives.
Audit trail controls attempt to ensure that a chronological record of all events that
have occurred in a system is maintained. This record is needed to answer queries,
fulfill statutory requirements, detect the consequences of error and allow system
monitoring and tuning.
 The Accounting Audit Trail shows the source and nature of data and processes
that update the database.
 The Operations Audit Trail maintains a record of attempted or actual resource
consumption within a system.
Applications System Controls involve ensuring that individual application systems
safeguard assets (reducing expected losses), maintain data integrity (ensuring
complete, accurate and authorized data) and achieve objectives effectively and
efficiently from the perspective of users of the system from within and outside the
organization.
(i) Audit Trail Objectives: Audit trails can be used to support security objectives
in three ways:
• Detecting Unauthorized Access: Detecting unauthorized access can
occur in real time or after the fact. The primary objective of real-time
detection is to protect the system from outsiders who are attempting
to breach system controls. A real-time audit trail can also be used to
report on changes in system performance that may indicate infestation
by a virus or worm. Depending upon how much activity is being logged
and reviewed; real-time detection can impose a significant overhead on
the operating system, which can degrade operational performance.
After-the-fact detection logs can be stored electronically and reviewed
periodically or as needed. When properly designed, they can be used
to determine if unauthorized access was accomplished, or attempted
and failed.
• Reconstructing Events: Audit analysis can be used to reconstruct the
steps that led to events such as system failures, security violations by
individuals, or application processing errors. Knowledge of the
conditions that existed at the time of a system failure can be used to
assign responsibility and to avoid similar situations in the future. Audit
trail analysis also plays an important role in accounting control. For
example, by maintaining a record of all changes to account balances,
the audit trail can be used to reconstruct accounting data files that were
corrupted by a system failure.
• Personal Accountability: Audit trails can be used to monitor user
activity at the lowest level of detail. This capability is a preventive
control that can be used to influence behavior. Individuals are likely to
violate an organization’s security policy if they know that their actions
are not recorded in an audit log.
(ii) Implementing an Audit Trail: The information contained in audit logs is
useful to accountants in measuring the potential damage and financial loss
associated with application errors, abuse of authority, or unauthorized access
by outside intruders. Logs also provide valuable evidence for assessing both
the adequacy of controls in place and the need for additional controls. Audit
logs, however, can generate data in overwhelming detail. Important
information can easily get lost among the superfluous detail of daily
operation. Thus, poorly designed logs can be dysfunctional.

3.8 SEGREGATION OF DUTIES


The concept of segregation of duties has been long-established in organization
accounting departments where, for instance, separate individuals or groups are
responsible for the creation of vendors, the request for payments, and the printing
of checks. Since accounting personnel frequently handle checks and currency, the
principles and practices of segregation of duties controls in accounting
departments are the norm.
3.8.1 Segregation of Duties Controls
Preventive and detective controls should be put into place to manage segregation
of duties matters. In most organizations, both the preventive and detective controls
will be manual, particularly when it comes to unwanted combinations of access
between different applications. However, in some transaction-related situations,
controls can be automated, although they may still require intervention by others.
3.8.2 Some Examples of Segregation of Duties Controls
• Transaction Authorization: Information systems can be programmed or
configured to require two (or more) persons to approve certain transactions.
Many of us see this in retail establishments where a manager is required to
approve a large transaction or a refund. In IT applications, transactions
meeting certain criteria (for example, exceeding normally accepted limits or
conditions) may require a manager’s approval to be able to proceed.
• Split custody of high-value assets: Assets of high importance or value can
be protected using various means of split custody. For example, a password
to an encryption key that protects a highly-valued asset can be split in two
halves, one half assigned to two persons, and the other half assigned to two
persons, so that no single individual knows the entire password. Banks do this
for central vaults, where a vault combination is split into two or more pieces
so that two or more are required to open it.
• Workflow: Applications that are workflow-enabled can use a second (or
third) level of approval before certain high-value or high-sensitivity activities
can take place. For example, a workflow application that is used to provision
user accounts can include extra management approval steps in requests for
administrative privileges.
• Periodic reviews: IT or internal audit personnel can periodically review user
access rights to identify whether any segregation of duties issues exist. The
access privileges for each worker can be compared against a segregation of
duties control matrix.
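The comparison of each worker's access privileges against a segregation of duties control matrix can be scripted over an entitlement export. The following is an added example, not part of the original chapter; the matrix pairs, user names and application names are constructed for illustration, and the duty names follow the accounting example above.

```python
from itertools import combinations

# Constructed SoD control matrix: pairs of duties one person must not hold together.
# Duty names follow the accounting example in the text; the pairs are assumptions.
SOD_MATRIX = {
    frozenset({"create_vendor", "request_payment"}),
    frozenset({"request_payment", "print_check"}),
    frozenset({"create_vendor", "print_check"}),
}

# Constructed entitlement export: (user, application, duty). All names are hypothetical.
ENTITLEMENTS = [
    ("asha", "vendor_master", "create_vendor"),
    ("asha", "payables", "request_payment"),
    ("ravi", "payables", "request_payment"),
    ("meena", "treasury", "print_check"),
    ("meena", "vendor_master", "view_vendor"),
    ("john", "payables", "request_payment"),
    ("john", "payables", "print_check"),
]

def sod_review(entitlements, matrix):
    """Return sorted findings (user, duty_a, duty_b, cross_app) for each conflict.

    cross_app is True when no single application grants both duties, i.e. the
    conflict only appears when access is compared across applications.
    """
    apps_by_user_duty = {}
    for user, app, duty in entitlements:
        apps_by_user_duty.setdefault(user, {}).setdefault(duty, set()).add(app)
    findings = []
    for user, duties in apps_by_user_duty.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in matrix:
                cross_app = not (duties[a] & duties[b])
                findings.append((user, a, b, cross_app))
    return sorted(findings)

if __name__ == "__main__":
    for user, a, b, cross_app in sod_review(ENTITLEMENTS, SOD_MATRIX):
        scope = "across applications" if cross_app else "within one application"
        print(f"{user}: {a} + {b} ({scope})")
```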
When SOD issues are encountered during a segregation of duties review,
management will need to decide how to mitigate the matter. The choices for
mitigating a SOD issue include:
• Reduce access privileges: Management can reduce individual user privileges
so that the conflict no longer exists.
• Introduce a new mitigating control: If management has determined that
the person(s) need to retain privileges that are viewed as a conflict, then new
preventive or detective controls need to be introduced that will prevent or
detect unwanted activities. Examples of mitigating controls include increased
logging to record the actions of personnel, improved exception reporting to
identify possible issues, reconciliations of data sets, and external reviews of
high-risk controls.
