Geeky Banker Caiib It Module D Complete

This document provides an overview of computer security topics that will be covered, including physical security, logical security, intrusion detection, access control, network security, and biometric authentication techniques. It discusses physical security mechanisms like intrusion prevention, detection sensors, and surveillance. For logical security, it describes access controls like passwords, personal identification numbers, and encryption and authentication. Network security threats like impersonation, eavesdropping, data alteration, and denial of service attacks are also summarized. The objective is to help readers understand different computer security environments and security mechanisms important for banks.

Uploaded by

rutesh2021

Join GEEKY BANKER on YouTube

Geeky Bankers
CAIIB (IT)
Module –D
Computer Security
Unit – 14
CAIIB(IT) MODULE -D

Unit 14: Computer Security

What we will study?

Physical Security of a system?

Logical Security of a system?

Intrusion detection?

Access control?

Network security?

Biometric Authentication Technique?

OBJECTIVE

The number of computer networks is growing rapidly, and so is the number of
intrusions. With the increasing economic importance of computer networks, the extent of
criminal activity is also growing, and banks have to take precautions to protect
themselves from these risks. The objective of this unit is to make the reader understand
different computer security environments and security mechanisms.

PHYSICAL SECURITY

The point of controlling physical access to information systems is to prevent
unauthorized persons from getting near enough to exploit a vulnerability. Giving someone
an opportunity to cause a system security incident is likely to result in some form of loss
and is a poor management practice. The layers of security around the organization's
computer system are depicted in the figure below.

The aspects of physical security are intrusion prevention, intrusion detection,
proper information destruction, document security, power protection, water
protection, fire protection and contingency planning.

The intrusion detection mechanisms involve the following:

Disturbance sensors: These are perimeter detection sensors, commonly fence
mounted.

Barrier detectors: These detection devices send forth a continuous beam of energy;
a break in the beam indicates intruder penetration.

Buried-line sensors: These are underground cables or instruments designed to
sense pressure, seismic and magnetic signals.

Capacitance sensors: These are for small distances. The shift in capacitance, in
response to a physical presence in the near vicinity, triggers corresponding changes in
the dielectric characteristics of the field between the capacitor plates.

Surveillance: This is accomplished through the use of radar or Closed Circuit TV
(CCTV).

LOGICAL SECURITY

Logical security is related to software access controls. Software access controls
generally act as barriers between users and protected resources. The process of
access control is based on two steps, authorization and authentication.
Authorization is carried out by a responsible official, who determines and grants need-
based rights to individual users. Authentication is the actual verification of the identity
of the user who is attempting to log in.

These can be classified as under:

(a) Multiple types of access control: at user level, terminal level, menu level, file
level and application level.

(b) Internal access controls: based on information such as date, time, terminal
location, and user identification.

(c) Limiting the number of unsuccessful tries, locking out the requester and
simultaneously broadcasting such an event to all users.

(d) Automated audit trail tracking access situations.

(e) Limiting privileged access to directories and utilities.

(f) Encryption of data and files.
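The following is an added illustration of controls (b), (c) and (d) working together in one login gate; it is not code from these notes. The terminal identifiers, the business-hours window, the lockout threshold of three tries and the sample login attempts are all constructed for the example.

```python
# Added illustration of controls (b), (c) and (d) above; it is not code from the CAIIB notes.
# Terminal identifiers, the access window, the lockout threshold and the sample login
# attempts are constructed for this example.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, time

MAX_FAILED_TRIES = 3                           # constructed: lock after three failures
ALLOWED_TERMINALS = {"BR01-T1", "BR01-T2"}     # constructed branch terminal identifiers
BUSINESS_HOURS = (time(9, 0), time(18, 0))     # constructed date/time access window
SAMPLE_TIME = datetime(2024, 1, 15, 10, 30)    # constructed timestamps for the demo
AFTER_HOURS = datetime(2024, 1, 15, 22, 0)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored verifier is not directly reusable if copied."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_tries: int = 0
    locked: bool = False


def make_account(user_id: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt))


@dataclass
class AccessController:
    accounts: dict
    audit_trail: list = field(default_factory=list)   # control (d): every attempt is recorded

    def _log(self, user_id, terminal, when, outcome):
        self.audit_trail.append({"user": user_id, "terminal": terminal,
                                 "time": when.isoformat(), "outcome": outcome})

    def login(self, user_id: str, password: str, terminal: str, when: datetime) -> str:
        """Returns GRANTED, DENIED or LOCKED, and always leaves an audit record."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self._log(user_id, terminal, when, "UNKNOWN_USER")
            return "DENIED"
        if acct.locked:
            self._log(user_id, terminal, when, "LOCKED")
            return "LOCKED"
        # Control (b): terminal location and time of day are checked before the password.
        if terminal not in ALLOWED_TERMINALS:
            self._log(user_id, terminal, when, "BAD_TERMINAL")
            return "DENIED"
        if not BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]:
            self._log(user_id, terminal, when, "OUT_OF_HOURS")
            return "DENIED"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_tries = 0
            self._log(user_id, terminal, when, "SUCCESS")
            return "GRANTED"
        # Control (c): count failures and lock the requester at the threshold.
        acct.failed_tries += 1
        if acct.failed_tries >= MAX_FAILED_TRIES:
            acct.locked = True
            self._log(user_id, terminal, when, "LOCKOUT")
            return "LOCKED"
        self._log(user_id, terminal, when, "BAD_PASSWORD")
        return "DENIED"


def run_demo():
    """Constructed sequence of attempts; returns (login results, audit outcomes)."""
    ac = AccessController({"teller01": make_account("teller01", "Correct-Horse-Battery-1"),
                           "teller02": make_account("teller02", "Staple-Orange-Moon-7")})
    attempts = [
        ("teller01", "wrong", "BR01-T1", SAMPLE_TIME),
        ("teller01", "wrong", "BR01-T1", SAMPLE_TIME),
        ("teller01", "wrong", "BR01-T1", SAMPLE_TIME),
        ("teller01", "Correct-Horse-Battery-1", "BR01-T1", SAMPLE_TIME),   # right password, but locked
        ("teller02", "Staple-Orange-Moon-7", "KIOSK-9", SAMPLE_TIME),       # unknown terminal
        ("teller02", "Staple-Orange-Moon-7", "BR01-T2", AFTER_HOURS),       # outside the window
        ("teller02", "Staple-Orange-Moon-7", "BR01-T2", SAMPLE_TIME),       # genuine login
        ("nobody", "x", "BR01-T1", SAMPLE_TIME),
    ]
    results = [ac.login(*a) for a in attempts]
    return results, [e["outcome"] for e in ac.audit_trail]
```

Note that the terminal and time checks run before the password is compared, so an attempt from the wrong place or at the wrong hour never counts against the lockout counter, and the audit trail records why each attempt was refused rather than a bare failure.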

Access Controls

Access controls are controls designed to prevent, or limit the likelihood of,
unauthorized access to data files or programs. Access controls which can be built into a
system's software are:

(a) Passwords

(b) Personal identification of the user, and

(c) Encryption and authentication.

Passwords

Passwords are 'a set of characters which may be allocated to a person, a terminal or a
facility which are required to be keyed into the system before further access is
permitted'. Passwords can be applied to data files as well as program files.

Password Guidelines

- Ensure a strong, unique password is set for all accounts
- Use a combination of upper- and lower-case letters, numbers, and symbols in
passwords
- Use easy-to-remember passphrases of at least 14 characters rather than passwords
- Never reuse passwords on multiple accounts
- Don't use information in passwords that can be found in social media profiles
(DOB, spouse or pet name etc.) or is known to others
- Ensure 2-factor authentication is set up, especially for accounts containing
sensitive data
- Use a secure password generator to generate random strings of characters
- Avoid using dictionary words and commonly used passwords
- Use a password manager for creating strong passwords and secure storage, and
set a long and complex passphrase for your password vault.
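As an added example (not part of these notes), the checks that a system can enforce from the guidelines above: minimum length, character-class mix, a common-password list and a ban on known personal details, plus a generator that draws from the operating system's secure random source. The common-password set, the personal-detail terms and the sample passwords are constructed.

```python
# Added illustration of the password guidelines above (not from the CAIIB notes). The
# common-password list, the personal-detail terms and the sample passwords are constructed.
import secrets
import string

MIN_LENGTH = 14   # the guideline's minimum passphrase length
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "passw0rd", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def _normalise(pw: str) -> str:
    """Lower-case and drop digits/symbols so 'Password123!' is recognised as 'password'."""
    return "".join(c for c in pw.lower() if c.isalpha())


def check_password(pw: str, personal_terms=()) -> list:
    """Return the list of guideline violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    # Three of the four classes, so that long hyphenated passphrases also pass.
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if _normalise(pw) in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    for term in personal_terms:
        if term.lower() in pw.lower():
            problems.append(f"contains personal information ({term})")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, guaranteed to contain every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    rng = secrets.SystemRandom()
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    chars = [secrets.choice(p) for p in pools]                      # one from each class
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(chars))]
    rng.shuffle(chars)                                              # so the classes are not positional
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("Password123!", "correct-horse-battery-staple-2024", generate_password()):
        print(candidate, "->", check_password(candidate) or "OK")
```

The normalisation step matters: a list lookup on the raw string would accept "Password123!" even though it is a common word with the usual decorations added, which is exactly what the "commonly used passwords" guideline is warning against.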

PINS

In some systems, the user might have a special PIN (Personal Identification Number)
which identifies him or her to the system. According to what the user's PIN is, the user
will be allowed access to certain parts of the system but forbidden access to other
parts. An example of an authorization system with PINs is the card used at banks' cash
dispensers. The cash dispenser checks the PIN code on the magnetic strip of the card
against the code number keyed in by the cardholder, and the two codes must match
before the cardholder is allowed to withdraw any cash.

Note:

One important difference between an online password and a PIN is that the PIN is tied to
the specific device on which it was set up. That PIN is useless to anyone without that
specific hardware.

Encryption and Authentication

When data is transmitted over a telecommunications link or network, there are two
main security dangers:

unauthorized access by an eavesdropper, and direct intervention by someone who
sends a false message down the line, claiming to be someone else, so that the recipient
of the message will think that it has come from an authorized source.

Encryption is the only secure way to prevent eavesdropping (since eavesdroppers can
get passwords by tapping the line or by experimenting with various likely passwords).
Encryption involves scrambling the data at one end of the line, transmitting the
scrambled data, and unscrambling it at the receiver's end of the line.

Authentication is a technique of making sure that a message has come from an
authorized sender. Authentication involves adding an extra field to a record, with the
contents of this field derived from the remainder of the record by applying an algorithm
that has previously been agreed between the senders and the recipients of the data.
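The extra field just described, worked through as an added example (not code from these notes): the pre-agreed algorithm is assumed to be HMAC-SHA256 over a canonical serialisation of the record, and the shared key and the funds-transfer record are constructed. The demo shows the field passing for the genuine record and failing for an altered record, for a record built by someone without the key, and for a record with no field at all.

```python
# Added illustration of the 'extra field derived from the rest of the record' described above;
# it is not code from the CAIIB notes. The algorithm agreed between sender and recipient is
# assumed to be HMAC-SHA256, and the key and the sample payment record are constructed.
import hashlib
import hmac
import json

AUTH_FIELD = "auth"


def canonical_bytes(record: dict) -> bytes:
    """Serialise the record deterministically so both ends hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def authenticate_record(record: dict, shared_key: bytes) -> dict:
    """Sender side: append the authentication field computed over the remainder of the record."""
    if AUTH_FIELD in record:
        raise ValueError("record already carries an authentication field")
    tag = hmac.new(shared_key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, AUTH_FIELD: tag}


def verify_record(received: dict, shared_key: bytes) -> bool:
    """Recipient side: recompute the field from the remainder and compare in constant time."""
    if AUTH_FIELD not in received:
        return False
    body = {k: v for k, v in received.items() if k != AUTH_FIELD}
    expected = hmac.new(shared_key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received[AUTH_FIELD])


# Constructed sample: a key pre-agreed between two branches and one funds-transfer record.
SHARED_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {"from_acct": "1001", "to_acct": "2002", "amount": "1500.00",
                 "currency": "INR", "ref": "C0001"}


def run_demo() -> dict:
    signed = authenticate_record(SAMPLE_RECORD, SHARED_KEY)
    tampered = {**signed, "amount": "15000.00"}                  # data altered on the line
    forged = authenticate_record(SAMPLE_RECORD, b"guessed-key")  # sender without the agreed key
    return {
        "genuine": verify_record(signed, SHARED_KEY),
        "tampered": verify_record(tampered, SHARED_KEY),
        "forged": verify_record(forged, SHARED_KEY),
        "unsigned": verify_record(SAMPLE_RECORD, SHARED_KEY),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two details carry the security of the scheme: the serialisation must be canonical (sorted keys, fixed separators), otherwise sender and recipient hash different bytes for the same record, and the comparison must be constant-time so the recipient does not leak how much of a wrong field matched.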

NETWORK SECURITY

The primary ways an intruder can get into a system are:

(i) Physical Intrusion: If intruders have physical access to a machine (i.e. they can
use the keyboard or take apart the system), they will be able to get in. Techniques
range from the special privileges the console has to the ability to physically take apart the
system and remove the disk drive (and read/write it on another machine).

(ii) System Intrusion: This type of hacking assumes that the intruder already has a
low-privilege user account on the system. If the system doesn't have the latest security
patches, there is a good chance the intruder will be able to use a known exploit to
gain additional administrative privileges.

(iii) Remote Intrusion: This type of hacking involves an intruder who attempts to
penetrate a system remotely across the network. The intruder begins with no special
privileges. There are several forms of this hacking. For example, an intruder has a
much more difficult time if there is a firewall between him/her and the victim machine.

The threats in a typical local area network include:

1. Impersonation
2. Eavesdropping
3. Data alteration
4. Denial of Service.

Impersonation: It refers to the possibility of someone sending a message which
appears to have been sent by someone else. This can threaten contractual
messages, such as orders and invoices. In a network environment, impersonation can
take forms such as forging the 'sender' field in an e-mail message, falsifying the source
IP address when establishing a network connection, or hijacking an existing connection
between two computers.

Eavesdropping: It refers to the possibility of data being read by someone other than
the intended recipients. For example, a competitor may intercept your proposal for a bid
or your department's plans. Generally, eavesdropping is simpler for an attacker to
accomplish than impersonation, and is harder to detect.

Data Alteration: It refers to the risk of interception that results in tampering with data,
that is, the possibility of data being changed in such a way that it appears legitimate
but no longer represents the originator's intention. For example, the intruder may
change a 'buy' order to 'sell', or add zeros to a bid.

Denial of service (DoS) attacks: Here the intruder attempts to crash a service (or
the machine), overload network links, overload the CPU, or fill up the disk, so that the
actual users will not be able to use the system. An Intrusion Detection System
(IDS) is a system for detecting such intrusions.

Intrusion Detection Systems can be broken down into the following categories:

(a) Network intrusion detection systems (NIDS) monitor packets on the network
wire and attempt to discover if a hacker/cracker is attempting to break into a system
or cause a denial of service attack.

(b) System integrity verifiers (SIV) monitor system files to find when an intruder
changes them, thereby leaving behind a backdoor. One such famous system is
"Tripwire". A SIV may watch other components as well, such as the Windows registry
and configuration, in order to find well-known signatures. It may also detect when a
normal user somehow acquires root/administrator level privileges.

(c) Log file monitors (LFM) monitor log files generated by network services. In a
similar manner to NIDS, these systems look for patterns in the log files that suggest an
intruder is attacking. A typical example would be a parser for HTTP server log files that
looks for intruders who try well-known security holes.

The intrusions may be detected by using the methods of

(a) Anomaly detection

(b) Signature recognition.

(a) Anomaly detection: The most common way people approach network intrusion
detection is to detect statistical anomalies. The idea behind this approach is to
measure a "baseline" of such stats as CPU utilization, disk activity, user logins, file
activity, and so forth. Then, the system can trigger when there is a deviation from this
baseline. The benefit of this approach is that it can detect the anomalies without having
to understand the underlying cause behind the anomalies.
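An added example of the baseline-and-deviation approach (not code from these notes): the baseline is the per-metric mean and standard deviation of a window of normal activity, and a later sample triggers when any metric sits more than a chosen number of standard deviations from its mean. The three metrics, the ten baseline samples, the later window and the three-sigma threshold are constructed.

```python
# Added illustration of the baseline-and-deviation approach described above; it is not
# code from the CAIIB notes. The three metrics, the ten baseline samples and the
# three-standard-deviation threshold are constructed for this example.
import statistics

METRICS = ("cpu_util", "user_logins", "file_writes")
THRESHOLD_SIGMAS = 3.0   # constructed alert threshold

# Constructed: ten hourly samples of normal activity used to learn the baseline.
BASELINE_SAMPLES = [
    {"cpu_util": 32, "user_logins": 12, "file_writes": 200},
    {"cpu_util": 35, "user_logins": 15, "file_writes": 220},
    {"cpu_util": 30, "user_logins": 11, "file_writes": 210},
    {"cpu_util": 38, "user_logins": 14, "file_writes": 190},
    {"cpu_util": 33, "user_logins": 13, "file_writes": 205},
    {"cpu_util": 36, "user_logins": 16, "file_writes": 215},
    {"cpu_util": 31, "user_logins": 12, "file_writes": 195},
    {"cpu_util": 34, "user_logins": 15, "file_writes": 225},
    {"cpu_util": 37, "user_logins": 14, "file_writes": 200},
    {"cpu_util": 29, "user_logins": 13, "file_writes": 210},
]


def build_baseline(samples: list) -> dict:
    """Per-metric (mean, standard deviation) learned from a window of normal activity."""
    baseline = {}
    for metric in METRICS:
        values = [s[metric] for s in samples]
        mean = statistics.fmean(values)
        stdev = statistics.pstdev(values)
        # A metric that never varied in the window would otherwise divide by zero.
        baseline[metric] = (mean, stdev if stdev > 0 else 1e-9)
    return baseline


def z_scores(sample: dict, baseline: dict) -> dict:
    """How many standard deviations each metric sits from its baseline mean."""
    return {m: (sample[m] - mean) / stdev for m, (mean, stdev) in baseline.items()}


def detect_anomalies(sample: dict, baseline: dict, threshold: float = THRESHOLD_SIGMAS) -> list:
    """Sorted names of metrics deviating from baseline by more than `threshold` sigmas."""
    return sorted(m for m, z in z_scores(sample, baseline).items() if abs(z) > threshold)


def scan_window(samples: list, baseline: dict, threshold: float = THRESHOLD_SIGMAS) -> list:
    """Apply detection to each sample in turn; returns (sample index, flagged metrics) per alert."""
    alerts = []
    for i, sample in enumerate(samples):
        flagged = detect_anomalies(sample, baseline, threshold)
        if flagged:
            alerts.append((i, flagged))
    return alerts


# Constructed: a later window with one quiet hour, one with a file-activity burst and one
# with everything spiking (the kind of deviation the text says the system triggers on).
LATER_SAMPLES = [
    {"cpu_util": 34, "user_logins": 14, "file_writes": 212},
    {"cpu_util": 36, "user_logins": 14, "file_writes": 4000},
    {"cpu_util": 95, "user_logins": 40, "file_writes": 4000},
]

if __name__ == "__main__":
    print(scan_window(LATER_SAMPLES, build_baseline(BASELINE_SAMPLES)))
```

As the text says, the detector needs no knowledge of what caused the spike; the price is that the baseline must be learned from a window that was actually clean, and that a metric with almost no natural variation (hence the divide-by-zero guard) will fire on the smallest change.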

(b) Signature recognition: This means that for every hacker technique, the engineers
code something into the system for that technique. This can be as simple as a pattern
match. The classic example is to scan every packet on the wire for a known pattern.
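One added example serves both the log file monitor category and the signature recognition method above (it is not code from these notes): a parser for HTTP server log lines in the Apache "combined" layout, run against a small coded list of well-known probe patterns. The log lines are constructed, and the signature list is a small illustrative set rather than a complete rule base.

```python
# Added example serving both the log file monitor (LFM) category and the signature
# recognition method described above; it is not code from the CAIIB notes. The log
# lines are constructed in Apache "combined" format and the signature list is a small
# illustrative set of well-known probe patterns, not a complete rule base.
import re
from urllib.parse import unquote

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# (name, pattern) pairs: each is a coded signature for one well-known technique.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sensitive file", re.compile(r"/etc/(passwd|shadow)")),
    ("sql injection", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1")),
    ("xss probe", re.compile(r"(?i)<script")),
]

# Constructed sample log: two ordinary requests, three probes, one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2024:10:12:01 +0530] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [15/Jan/2024:10:12:05 +0530] "GET /accounts/statement?id=42 HTTP/1.1" 200 2310
198.51.100.23 - - [15/Jan/2024:10:13:11 +0530] "GET /../../etc/passwd HTTP/1.1" 404 210
198.51.100.23 - - [15/Jan/2024:10:13:14 +0530] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 980
198.51.100.23 - - [15/Jan/2024:10:13:20 +0530] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
this line is not in log format and must be skipped, not crash the monitor
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(path: str) -> list:
    """Names of all signatures that fire on the request path."""
    decoded = unquote(path)   # match on the URL-decoded form, as the server itself sees it
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Run the monitor over a log; returns (source ip, request path, [signatures]) per alert."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_signatures(rec["path"])
        if hits:
            alerts.append((rec["ip"], rec["path"], hits))
    return alerts


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path} -> {', '.join(hits)}")
```

Decoding the path before matching is what makes the second and third probes visible at all; matching on the raw, percent-encoded line would miss both, which is the usual way a simple signature monitor is evaded.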

Firewalls: The firewall refers to network components connecting an internal, private
corporate network to an external, public network such as the Internet. The aim of a firewall
system is to protect corporate network users from outside attack.

VPNs (Virtual Private Networks): VPN creates a secure connection over the Internet
for remote access (e.g. for telecommuters).

Lures/honey pots: Programs that pretend to be a service, but which do not advertise
themselves. It can be something as simple as one of the many Back office emulators,
or as complex as an entire subnet of bogus systems installed for intruder detection
purpose.

The following are the widely used biometric techniques:

1. Signature Recognition
2. Fingerprint Recognition
3. Palm print Recognition
4. Hand-geometry Recognition
5. Voiceprint Recognition
6. Eye Retina Pattern Recognition

Thanks for Watching

Please visit my Telegram Channel to download all the PDFS.

Telegram Channel Link ->https://t.me/+bxiH9olUQ1tlODJl

For any query please drop Whatsapp Message on

9835634545

Geeky Bankers
CAIIB (IT)
Module –D
Communication Security
Unit – 15

Unit 15: Communication Security

What we will study?

Cryptography

Digital Signature?

Different Algorithm?

Certification authority?

Cryptography

Cryptography is the art and science of keeping files and messages secure. In
cryptographic terminology, the message is called plaintext or clear text. Encoding the
contents of the message in such a way as to hide them from outsiders is called
encryption. The encrypted message is called the cipher text. The process of retrieving
the plaintext from the cipher text is called decryption. Encryption and decryption
usually make use of a key, and the coding method is such that decryption can be
performed only by knowing the proper key.
What is a key in cryptography?

In cryptography, an encryption key is a variable value that is applied using an algorithm
to a string or block of unencrypted text to produce encrypted text, or to decrypt
encrypted text. The length of the key is a factor in considering how difficult it will be to
decrypt the text in a given message.

Cryptography is broadly classified into two categories

Symmetric key Cryptography ->Same Key is used for encryption and Decryption.

Asymmetric key Cryptography -> Private Key is used for encryption and public key is used for
Decryption.

Crypto Algorithm

A crypto algorithm is a procedure that takes the plaintext data and transforms it into
cipher text in a reversible way. A good algorithm produces cipher text that yields as
few clues as possible about either the key or the plaintext that produced it.

Three types of cryptographic algorithm

Secret key: A secret key algorithm is symmetric; that is, it uses the same key for
encryption and decryption.

Public key: Public key algorithms use different keys for encryption and decryption.
One key, the private key, must be kept secret by its owner and in general is never
shared with anyone else. The other key, the public key, may be shared with anyone. In
fact, the two keys are mathematically related. Data encrypted with the private key may
be decrypted with the corresponding public key, and vice versa.

Hash function: A hashing algorithm is a cryptographic hash function. It is a
mathematical algorithm that maps data of arbitrary size to a hash of a fixed size. A
hash function is designed to be a one-way function, infeasible to invert.

One-way hash, e.g. MD5


Different Algorithms for Encryption

Data Encryption Standard: DES is a well-known crypto algorithm with familiar
strengths and weaknesses. The Data Encryption Standard is a symmetric-key
algorithm for the encryption of digital data. However, its short key length of 56 bits
makes it too insecure for applications.

Triple DES: Triple DES is a technique by which the DES algorithm is applied three times to
each plaintext block. Typical approaches use two conventional DES keys, yielding a key
length of 112 bits. Some applications use three different keys, yielding a total key size
of 168 bits, which is truly enormous for a symmetric cipher.

International Data Encryption Algorithm (IDEA): IDEA is a block cipher that
appeared in 1990. It is more efficient to implement in software than DES or 3DES, and
its 128-bit key makes it more attractive than conventional DES.

Rivest Cipher #4 (RC4): It is a stream cipher. Stream ciphers operate on a stream of data
byte by byte. The RC4 stream cipher is one of the most widely used stream ciphers
because of its simplicity and speed of operation. It is a variable key-size stream cipher
with byte-oriented operations. It uses either 64-bit or 128-bit key sizes. It is generally
used in applications such as Secure Socket Layer (SSL), Transport Layer Security
(TLS), and also in the IEEE 802.11 wireless LAN standard.

Safe Key Length

The likely range of keys for symmetric ciphers will be between 40 and 128 bits,
although we may come across 168-bit 3DES implementations. The important question
we may often have to consider is whether or not appropriate products have sufficient
key lengths to protect our information. A longer key is always preferable to a shorter
key. For low-risk applications 40-bit crypto keys may be enough, while for critical
applications 112-bit key 3DES and 128-bit IDEA keys may be considered.

DIGITAL SIGNATURES

The security of the electronic transaction is the main consideration for the success of
any business proposition on the Internet. Digital signatures play a major role in secure e-
commerce. A digital signature is an electronic substitute for a manual signature that
serves the same functions as a manual signature. It is used to identify a person and a
document together when a computer is used.

In technical terms, a digital signature is the sequence of bits that is created by running
an electronic message through a one-way hash function (a program). The resulting
message is called the Message Digest (MD). Some of the popular MD algorithms are MD5
and SHA-1. The MD is encrypted with the sender's private key. The encrypted
message digest is the digital signature, which looks like an unintelligible

Usage of Digital Signatures

Before a sender can digitally sign an electronic communication, the sender must first
create a public-private key pair. The private key is kept confidential by the sender. The
private key is used for creating digital signatures. The public key is disclosed generally
by posting the key in online databases, repositories, or anywhere else the recipient of
the message can access it.

Why use Digital Signatures?

Digital signatures satisfy certain legal requirements and business needs, as
below.

1. Authenticity

2. Integrity

3. Non-repudiation
(a) Authenticity: Authenticity is concerned with the source of origin of a communication.
It answers two basic questions:

Who is the sender of the message?

Is it a genuine message?

(b) Integrity: Integrity is concerned with the accuracy and completeness of the
message. Before the recipient of an electronic message takes any action on it, he must
ensure beyond doubt that

1. The document he received is the same as the document that the sender sent.

2. The document is complete.

3. The document has not been altered either in transmission or in storage.

(c) Non-repudiation: Non-repudiation is concerned with holding the sender
responsible for his message. The sender should not be able to:

1. deny the fact of having sent the communication, or

2. claim that the contents of the message as received are not the same as what he
sent.
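The hash-then-sign construction described under "Digital Signatures" above, worked through as an added example that is not code from these notes. The RSA key pair is a constructed, insecurely small one (two Mersenne primes) so that the arithmetic is visible; SHA-256 stands in for the MD5 and SHA-1 the notes mention, since both of those are no longer considered safe for signatures. The demo shows authenticity and integrity holding for the genuine message and failing for an altered message and for a signature not produced with the private key.

```python
# Added illustration of hash-then-sign (not from the CAIIB notes). The key below is a
# constructed, insecurely small RSA pair so the arithmetic is visible; SHA-256 is used as
# the one-way hash. Real deployments use a vetted library and 2048-bit or larger keys.
import hashlib

P = 2**61 - 1                      # constructed prime (demo only)
Q = 2**89 - 1                      # constructed prime (demo only)
N = P * Q                          # public modulus
E = 65537                          # public exponent, published with the certificate
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept confidential by the sender


def message_digest(message: bytes) -> int:
    """One-way hash of the message, reduced into the signing group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Digital signature = message digest transformed with the sender's private key."""
    return pow(message_digest(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Recipient reverses the transform with the public key and compares digests."""
    return pow(signature, public_exponent, modulus) == message_digest(message)


SAMPLE_MESSAGE = b"Transfer INR 1500.00 from A/C 1001 to A/C 2002, ref C0001"   # constructed


def run_demo() -> dict:
    sig = sign(SAMPLE_MESSAGE)
    return {
        "authentic": verify(SAMPLE_MESSAGE, sig),                            # authenticity and integrity hold
        "altered": verify(SAMPLE_MESSAGE.replace(b"1500", b"15000"), sig),   # integrity violated
        "bad_signature": verify(SAMPLE_MESSAGE, sig + 1),                    # not made with the private key
    }


if __name__ == "__main__":
    print(run_demo())
```

Non-repudiation follows from the same check: only the holder of D can produce a value that E reverses to the digest, so a verified signature ties the sender to exactly that message.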

CERTIFICATION AUTHORITIES

At present there are three general types of certificate systems:

Central Authority: All certificates are signed by a single authority and we can check
them with that authority's public key. The central authority's key is usually embedded in
the certificate-checking software, which is distributed manually to each host.

Hierarchical Authority: The ability to sign certificates is delegated through a
bureaucratic hierarchy. At the top of the hierarchy is a "root public key" that signs
certificates for all top-level authorities, and these authorities in turn sign certificates for
lower-level authorities. An individual user's certificate is signed by a local CA. To
validate that certificate, we must validate the upper authority's certificate, and so on.

Web of Trust: Anyone with a certificate may act as a CA by signing another certificate.
Individuals who use the system must judge for themselves whether to trust a given certificate
based on whether they can validate any of the certifiers' signatures and whether they
personally trust any of those certifiers.

CA function and Role

A CA is a trusted third party that ascertains the identity of a person, called a
"subscriber", and certifies that the public key of the public-private key pair used to create
digital signatures belongs to that person.

The certification process generally works in the following way. The subscriber:

(a) generates his/her own public-private key pair;

(b) contacts the CA (either in person or online) and produces proof of identity, such as
a driver's licence, passport or any other proof required by the CA;

(c) demonstrates that he/she holds the private key corresponding to the public key
(without disclosing the private key).

Who Can Be a Certification Authority?

A CA is a central authority for the issue of digital certificates. The CA may be assisted by
a Registration Authority (RA) to verify the identity of the user. That is, the RA provides
the interface between the user and the CA.

Certificate Revocation by CA

There will be times when a key needs to be revoked before it expires. A key is revoked
by revoking its certificate. The problem is how to notify people that they should no
longer rely on a key. The solution to this problem is the certificate revocation list or
CRL. A CRL is simply a database of certificates that have been revoked before their
expiration date. A CRL may be part of the repository maintained by the certification
authority.

Liability on CA

A CA may be subject to claims for negligence in performing its functions or for
misrepresentation in issuing certificates that contain false information. A CA's liability
for such claims may be limited either by law or by contract.

There are typically three parties to a digitally signed electronic communication:

1. the sender of the message (who digitally signs the message),

2. the recipient of the message,

3. the CA who issues the certificate used by the recipient to verify the digital signature.

The obligations and responsibilities of each of these three parties are the subject of
legislation, i.e. the IT Act, 2000.

Geeky Bankers
CAIIB (IT)
Module –D
Disaster Management
Unit – 16

Unit:16 Disaster Management

What we will study?

Disaster Recovery?

Disaster Recovery Planning?

Business Continuity Plan?

Computer Virus?

DISASTER RECOVERY

Definition: Disaster recovery is the organization's ability to get back into business
quickly after an event that disrupts the flow of information. This is done through a set of
pre-planned, coordinated, and totally familiar procedures with an established set of
priorities. The disaster recovery is the concept of "failsafe." That is, the bank's ability to
survive the disaster. The disaster recovery plan is extremely necessary to the survival
of a bank.

What is needed for an effective disaster recovery plan?

(a) Take data off-site: It is standard practice to store media at an off-site location. This
step reduces the likelihood that the same event will affect both on-site data and
backup. However, some banks take even greater steps by placing a large
geographical distance between the data centre and the vaulting site. (Different
seismic zones)

(b) Take data off-line: Many banks, particularly those which use paperless transactions
extensively, maintain a mirror image of their production data, sometimes in an off-site
facility. While this is an effective disaster-avoidance or continuity measure, it could
have a serious impact from a disaster-recovery perspective. Take, for example, the
introduction of a devastating virus. If you run a mirrored image of data to assure an up-
to-date backup, you end up with an up-to-date, virus-infected backup as well.

(c) Put data out of reach: Only by keeping multiple generations of data on tape and
shipping them to a remote location can a bank be fully assured that it is protected from
viruses, sabotage, human error, and other online attacks that a mirrored system does
not protect against. If data loss is due to an internal act of sabotage (an embezzler
attempting to cover the trail, for example), there is virtually no chance that the culprit will
be able to access the vaulted data (at least not without leaving a lot of evidence).

(d) Test: This is an all-important and often-overlooked aspect of the data recovery
process. Schools conduct fire drills regularly, and the drills aren't simply to keep the
kids in practice. They are also used to check the amount of time it takes to clear the
building and to find any weak links in the safety process, before it's too late. A good
recovery plan requires the same attention: do the drills. Contingency planning is the
process of devising plans and strategies for coping with emergency situations that
cause disruption of normal computer operations.

Resumption/continuity and disaster recovery plans include the following:

- Employee awareness
- Fire detection and prevention
- Hardcopy records
- Human factor: personnel considerations
- Local area networks
- Media handling and storage
- Miscellaneous considerations

(a) Employee Awareness

Security and safety awareness is critical to any disaster avoidance program. Develop a
good security and safety awareness program. Conduct exercises where employees
identify potential safety hazards and other conditions that could lead to an emergency.
Invite community service representatives such as the fire department, law enforcement
agencies, security companies, and others to come and speak to your employees at
awareness sessions. Piggyback onto Human Resources indoctrination programs for
new employees to make them aware of safety, emergency, security and
other procedures. Consider inserting safety tips into pay-stub/cheque envelopes. Post
safety and security posters on bulletin boards throughout the organization.

(b) Fire Detection and Prevention

Fire detection and suppression systems are the responsibility of Facilities and
Services. However, each business unit should ensure that these systems are
adequate and in good working order. Fire detection and suppression systems should
be maintained and tested on a regular basis. Exit signs should be checked regularly to
ensure that they are lit. If any require maintenance, Facilities and Services should be
notified.

(c) Hardcopy Records

Hard copy records should be protected against fire and water damage. Records stored
off-site should also receive similar protection. Fire-resistant cabinets should be
considered for the storage of hard copy records that are deemed critical to the
business unit. Backups for hard copy documents include microfilming, imaging
technology and writeable CD-ROM technology.

(d) Human factor - personnel considerations

This is not an easy area to deal with and, more often than not, it's an area that is either
ignored or not even considered by recovery and continuity planners. However, it is an
extremely important area to tackle, since avoiding disasters and recovering from them
depends to a large extent on how you handle the human factor. Develop a trauma
intervention plan. Considerations include: ensure trauma intervention is initiated within
the first 24 to 72 hours after an incident; if in-house expertise is not available, seek
assistance from outside professionals experienced in post-crisis response; make sure
you have a good communication plan in place.

(e) Local area networks

Many business units now depend on LANs to process and store information locally as
well as to access institutional systems. It is therefore becoming increasingly critical that
LAN environments be afforded a reasonable level of protection in order to ensure that
the environment is stable.

Make sure that the plan provides for the appropriate support of personnel required to
help with the emergency and subsequent recovery. Consider lodging, food,
transportation, communication with family, friends and relatives and other creature
comforts. Provisions for scheduled, unattended backups of the server should be
implemented. Backup of server files should be automated and should happen on a
nightly basis.

Technique used to provide to achieve Hardware Redundancy: -

1. Disk Mirroring
2. Disk Duplexing
3. Drive Arrays
4. Hot Backup
Disk Mirroring: Disk mirroring is a technique used to protect a computer system from
loss of data and other potential losses due to disk failures. In this technique, the data is
duplicated by being written to two or more identical hard drives, all of which are
connected to one disk controller card.

Disk Duplexing: Disk Duplexing is similar to disk mirroring except that each drive has
its own controller circuitry, if one disk or controller fail, the file server issues an alert
and continues operating.

Drive (Disk) Arrays: Some disk array systems enable the administrator to replace a failed
drive while the server is still running (hot swapping). With such a system the server does
not have to be brought down, so users can continue operating while a defective drive is
being replaced. The system automatically rebuilds the redundant data onto the new disk.
RAID (Redundant Array of Inexpensive, or Independent, Disks) technology is used for such
failure recovery. Note that RAID level 0 (striping) spreads data across drives without any
redundancy and therefore offers no protection against a drive failure at all.

Hot Backup: A hot backup, also known as a dynamic or online backup, is a backup
performed on data while the database is actively online and accessible to users. A hot
backup is the standard way of doing most database backups. Oracle is a principal
vendor of the process, but the company does not have a monopoly on the concept. Because
the data keeps changing while the copy is taken, a hot backup is only consistent when it is
restored together with the transaction (redo) log written during the backup window, so that
log must be backed up as well.
(f) Media Handling and Storage

Magnetic media is vulnerable to all sorts of damage caused by humidity, temperature,
magnetism, air-borne particles and handling by people.

• Backup media should be stored off-site if at all possible.
• Magnetic media should be kept away from sources of heat, radiation, and magnetism.
• Magnetic media should be stored in protective jackets or media boxes.
• Backup media should be stored in data safes. Data safes are designed to protect
  media against the effects of heat, humidity, water, magnetism, smoke and air-borne
  particles. Information on media safes is available from Computer Security
  Administration.
• Users should be instructed in the proper handling of magnetic media. Guidelines
  on the proper care and handling of magnetic media are available from Computer
  Security Administration.

DISASTER RECOVERY PLANNING

A disaster recovery plan (DRP) is a formal document created by an organization that
contains detailed instructions on how to respond to unplanned incidents such as
natural disasters, power outages, cyber-attacks and any other disruptive events.

The DRP methodology consists of eight separate phases, as described below.

1. DETERMINE THE SCOPE OF YOUR DISASTER PLAN


The first step in your disaster recovery plan is to understand your end goals. Do you
need your data immediately available after a disaster? Can you wait several hours to
regain access? Several days? Also, what data is most important to recover? When?
Knowing your recovery time objectives (RTO) and recovery point objectives (RPO) will
help you to understand what your needs truly are in your disaster recovery plan.
In this first step, you will address how your company currently accesses data and
applications as well as access to your servers. For example, if your company has
regulations that require your clients to access their records and files within a certain
window of time, you will need to ensure that your disaster recovery plan allows for this
to occur seamlessly. Your IT disaster recovery plan should focus on ensuring your
proprietary information is kept safe and secure, and also that it can be quickly
accessed in the event of a disaster. For most small and mid-sized businesses, this
means exploring offsite data storage options like cloud storage and/or geographically
redundant data centre colocation.

2. EXPLORING YOUR IT INFRASTRUCTURE WEAKNESSES


With your end goal in mind, the next step is to develop an understanding of your most
glaring IT vulnerabilities. Let’s say for example your top weakness is that you house
your server onsite at your office, where there is no redundant power or connectivity
and limited battery backup. You will want to not only protect those servers from an
outage, but also ensure that in the event of an outage, the data is accessible so your
business is not severely impacted. Colocation hosting of physical servers can ensure
proper redundancies in power, cooling, and connectivity and cloud storage can offer
flexibility with backups to ensure data is protected in the event of failure of those
devices.

In this part of the planning, you will need to assess your hardware location(s) and how
your virtual environments (if any) are supported, and consider offsite and storage
options for redundancy and better protection.

3. CONDUCT A RISK ANALYSIS


Any plan you implement should also include a risk analysis that uncovers the direct
cost of downtime. This cost can also help to inform the criticality of certain
infrastructure and your desired RTOs and RPOs. Depending on your industry, the cost of
losing files or applications can be very high as a result of regulatory penalties, customer
turnover and reputational damage.

What is RTO and RPO?

RTO (Recovery Time Objective) is the goal your organization sets for the maximum
length of time it should take to restore normal operations following an outage or data
loss. RPO (Recovery Point Objective) is your goal for the maximum amount of data,
expressed as a span of time, that the organization can tolerate losing; a nightly backup,
for instance, cannot meet an RPO shorter than 24 hours.

4. IDENTIFY DATA RECOVERY STRATEGIES


After a thorough risk assessment, it’s time to review your data recovery strategy. In this
stage of the plan, you will want to review the current data recovery strategies and go
into a role play of “real world” testing situations.

For the purpose of this portion of your planning, suppose you have determined that your
onsite data storage is your greatest vulnerability. You should then map out the most efficient
way to migrate your data to a public cloud. This is where understanding your RTO and
RPO is key. Critical infrastructure will need to be available as quickly as possible, while
less critical data and applications might not be available for several hours or even
several days, depending on your budget and pain tolerance.

5. CREATE YOUR PLAN


This stage of planning will involve collecting the insights you’ve gathered and arranging
them in an easy-to-understand, sequential guide.

6. TESTING YOUR IT DISASTER RECOVERY PLAN


With your plan in place, you will need to run through your plan in “real world”
conditions. You will need to see if the plan will work, and not wait until the real thing
occurs. The testing portion of your plan will allow you to tweak your plan and ensure
success.

7. TRAIN YOUR TEAM


Once you have tested the plan to ensure it is properly aligned, it is time to introduce it
to your team. In an ideal world of planning, you have been consulting with your key
personnel throughout the previous six steps. To ensure your plan works with precision,
you must communicate your disaster recovery plan to everyone in your organization.

8. REVIEW, REVISE YOUR PLAN


IT disaster planning is not a one-and-done operation. It is recommended that you
review your IT disaster recovery plan yearly. As your company grows, your IT
infrastructure changes, and so do the personnel who will be responsible for implementing
the plan; they should review or revise the plan accordingly. It is important to always keep
your IT disaster plan fresh.

Computer Viruses

A computer virus is a type of malicious software, or malware, that spreads between
computers and causes damage to data and software. Computer viruses aim to disrupt
systems, cause major operational issues, and result in data loss and leakage.

The main types of malicious software are described below:

(a) A Trojan is a program that, while visibly performing one function, secretly carries
out another. For example, a program could be running as a computer game while
simultaneously destroying a data file or another program. A Trojan does not copy itself;
it spreads only when a user is induced to install or run it. Its effect may be immediate and
obvious, but it may equally go unnoticed for a long time (for example, a Trojan that quietly
collects passwords), so it cannot be assumed to be easy to avoid.

(b) A worm: A computer worm is a standalone malware program that replicates itself in
order to spread to other computers. It often uses a computer network to spread, relying
on security failures on the target computer to gain access.

(c) A trap door (back door) is an undocumented entry point into a computer system.
It is not to be found in the design specifications but may be put in by software developers
to enable them to bypass access controls while working on a new piece of software.
Because it is not documented, it may be forgotten, left in the production release and
exploited at a later date; code review and comparison of the running program against the
authorised version are the usual ways to find one.

(d) A logic bomb is a piece of code triggered by certain events. A program will behave
normally until a certain event occurs, for example disk utilization reaching a certain
percentage. By responding to a set of conditions, a logic bomb maximizes damage: for
example, it may be triggered when a disk is nearly full, or when a large number of users
are using the system.

(e) Rootkits: A rootkit is malware that obtains root (administrator-level) access and then
conceals its presence, typically by replacing system executables or hooking the operating
system so that its files, processes and network connections are not reported. It is a set of
malicious programs that gives an attacker persistent, privileged access to a computer or
network while defeating the tools normally used to detect it.
Thanks for Watching

Please visit my Telegram Channel to download all the PDFS.

Telegram Channel Link -> https://t.me/+bxiH9olUQ1tlODJl

For any query please drop Whatsapp Message on

9835634545

Geeky Bankers
CAIIB (IT)
Module –D
INFORMATION SYSTEM AUDIT
Unit –17
CAIIB(IT) MODULE -D

Chapter 17: Information System Audit

What we will study?

What is Information System Audit?

Why Information System Audit?

Importance &Scope of Information System Audit?

System Audit Procedures?

What is Information System Audit?


An information system audit is conducted to evaluate the information systems and suggest
measures to improve their value to the business. The audit can be used as an effective tool for
evaluation of the information system and controlling computer abuse.

Who can Conduct IS Audit?


The appointed auditor's resources should possess at least one of the following
certifications:

• CISA (Certified Information Systems Auditor) from ISACA.
• DISA (Post Qualification Certification in Information Systems Audit) from the
  Institute of Chartered Accountants of India (ICAI).

When to conduct Information System Audit in Branches?

High Risk Branches: - Once in 9 to 12 Month period.

Medium Risk Branches: - Once in 12 to 15 Month period.

Low Risk Branches: - Once in 15 to 18 Month period.


Why there is a need of information system audit.

Information system audit is essentially an audit of computer system. The basic objectives of
such audit are to safeguard the assets, maintain data integrity, maintain process integrity, and
achieve the goals of an organization effectively and efficiently.

1. Safeguarding the assets: These include hardware, software and manpower.
Even items such as the physical manuals of hardware and software systems are important
assets of the organization, although in the normal course they are not required very often.
Similarly, the documentation of the various system files is an important asset of the
organization. These assets are to be safeguarded from damage, misuse and other losses.
The objective of the System Audit is to ensure that the organization has taken adequate
measures to protect the assets.

2. Maintaining data integrity: Integrity of data is required to be maintained at various
levels: input, output and maintenance of outputs. Integrity of data implies that data is
complete, accurate, free of any distortion, and is presented and preserved in the manner
desired by the organization. This is more important in the present-day scenario where a
database is shared between various offices at various places.
The purpose of the System Audit is to ensure that an effective data integrity process is in
place in the organization and that it is cost effective.
3. Maintaining process integrity: In order to ensure data integrity, it is essential to ensure
that processing by any computer system is done in uniform manner and the processing
is not corrupted either by manual intervention or by virus or by otherwise. This mainly
refers to the program part of software which processes the input and generates the
outputs in the desired manner. Any System Audit must focus on this aspect also to
ensure that programs are run in the manner they should run and yield the desired
result.

4. Effectiveness auditing: Any System Audit must aim at effective auditing. An organization
must have some goals. Whether the computer system set up by the organization is
achieving those goals is the objective of effectiveness auditing. In order to evaluate the
effectiveness, an auditor must know the characteristics of the users as also the system
of the organization. Effectiveness Auditing takes place after a system has been running
for some time. The feedback coming out of this audit helps the management to decide
whether to scrap the system, continue its running or modify it in some way.
Effectiveness auditing can also be carried out during the process of designing a system.
If a system is complex and costly to implement, management may decide to have an
effectiveness audit to judge whether the design of the system will be effective for the
organization.

5. Efficiency auditing: The System Audit should also focus on the efficiency of the system.
In other words, such an audit should throw light on whether efficiency in achieving the
goals of the organization has increased after adopting the computer system. This is also
known as an Efficiency Audit. Such an audit is an effective tool for the management to take
suitable decisions regarding not only the quality of functioning of the system as a whole
but also the adequacy of the hardware and software and the utilization of the capacity of
the system, qualitatively as well as quantitatively.

Scope of IS Audit

The basic areas of an IT audit scope can be summarized as: the organization policy and
standards, the organization and management of computer facilities, the physical
environment in which computers operate, contingency planning, the operation of
system software, the applications system development process, review of user
applications and end-user access.

Importance of system audit in computerized environment:

• IS audit is important because it gives assurance that the IT systems are adequately
  protected, provide reliable information to users and are properly managed to achieve
  their intended benefits.
• Many users rely on IT without knowing how the computers work. A computer error
  could be repeated an unlimited number of times, causing more extensive damage than a
  human mistake.
• IS audit also helps to reduce the risks of data tampering, data loss or leakage, service
  disruption and poor management of IT systems.
• It improves the decision-making process of management, based on correct data sources,
  since it helps in maintaining data integrity.
• It reduces the probability of fraud and embezzlement, which may cause havoc to any
  organization, particularly in a computerized environment where there is no limit to
  such loss.
• It reduces the probability of computer error by detecting it early, when it is less costly
  to correct.
• It ensures the optimum utilization of high-value computer resources through
  Effectiveness Auditing and Efficiency Auditing.
• It ensures that security aspects in the computerized environment are strictly followed
  and that secrecy of the system in respect of individuals and the company is maintained.
• It ensures that any evolutionary use of the computer system does not adversely affect
  the interests of the company.

SYSTEM AUDIT PROCEDURES

Apart from thorough audit of computer system, system audit also critically examines link
between computer system and its manual interface and analyze the strength and weaknesses
of such interface.

Therefore, a system auditor must have an understanding of the business activities undertaken
in a computerized environment. He must be able to assess implication of risks, analyze and
evaluate controls.
Generally, IS audit is carried out in the following phases:

1. Establish the IS audit objectives and scope.

2. Develop an audit plan to achieve the IS audit objectives.

3. Gather information on the relevant IT controls and evaluate them.

4. Perform audit tests, using Computer-Assisted Audit Techniques (CAATS) such as data
extraction and analysis software or test data, where appropriate.

5. Report on the IS audit findings.

6. Follow up.

Audit Plan may be broadly divided into three parts.

1. Audit Organization, i.e. who will conduct the audit?
2. Process of Planning, i.e. how the audit will be conducted?
3. Audit Reporting, i.e. how and in what format the audit report will be presented?

Audit Organization

Audit Organization determines whether the audit will be done by Internal Auditors or by
External Auditors. While Internal Auditors understand the system and procedures as also the
objectives of the organization better, they may be influenced by the management. In such
cases, the audit may not reveal something which is not liked by the management. Thus, audit
by the Internal Auditors may not fully serve the purpose.

On the contrary, External Auditors may be impartial and cannot be influenced, but they will
take a lot of time to understand the systems and procedures of the organization. Thus, both
the systems have advantages and disadvantages. In any case, if the audit is done by Internal
Auditors, it is to be ensured that the Internal Auditors can work in an open, uninfluenced
environment.
Process of planning

For the purpose of System Audit, the Process of Planning may be divided into the following
steps.

(i) Reviewing the latest Audit Report and taking the necessary steps,
(ii) Obtaining a preliminary understanding of the system to be audited and documenting it
properly,
(iii) Determining the most effective and efficient audit strategy,
(iv) Documenting the planned audit strategy.

Audit Reporting

Audit Reporting is the auditor's formal written communication with the management detailing
their Observations on various issues relating to the audit objectives with the purpose of
assisting the management to establish and maintain adequate system of internal control.

Collection of Evidence

For evaluating a computerized system, auditors must collect evidence relating to performance
of the system. Various tools and techniques are available to assist the auditors to collect such
evidence.

Some of the tools and techniques are mentioned below.

• Generalized Audit Software
• Other Audit Software
• Program Source Code Review
• Test Data
• Program Code Comparison
• Concurrent Audit Techniques
• Manual Techniques
Generalized audit software: By using Generalized Audit Software, auditors can gain access to
the data maintained in computerized media. This enables the auditors to assess the quality of
records in the system. The functions available in Generalized Audit Software are- File Access,
File Reorganization, Selection, Arithmetic, Stratification and frequency analysis, File creation
and updating, Reporting etc. By carefully combining these functional capabilities, the following
audit tasks can be accomplished.

• Evaluating the quality of data
• Evaluating the quality of system processing
• Examining the existence of the entities the data purports to represent
• Analytical review.
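The functions listed for Generalized Audit Software (selection, stratification, frequency analysis) are easiest to see on data. What follows is an added example in Python, not code from the text or from any audit product: it runs those functions, plus two typical exception selections, over a small ledger extract. The transaction records, user IDs, branch working hours and amount bands are all constructed for the illustration.

```python
"""Generalized audit software functions on a ledger extract.

Added example: selection, stratification and frequency analysis applied to
constructed transaction records. Nothing here comes from a real system.
"""
from collections import Counter
from datetime import datetime

# Constructed sample extract: (txn_id, user_id, posted_at, amount, authorised_by)
LEDGER = [
    ("T001", "teller01", "2024-03-04 09:15", 12000.00, "sup01"),
    ("T002", "teller02", "2024-03-04 10:40", 250.50, "sup01"),
    ("T003", "teller01", "2024-03-04 18:05", 98000.00, "teller01"),
    ("T004", "teller03", "2024-03-04 11:20", 4999.00, "sup02"),
    ("T005", "teller01", "2024-03-05 09:50", 150000.00, "sup02"),
    ("T006", "teller02", "2024-03-05 21:30", 75.00, "sup01"),
    ("T007", "teller01", "2024-03-05 14:10", 4999.00, "sup01"),
]

# Assumptions for the exception tests: branch hours and the amount bands used for stratification.
OPEN_HOUR, CLOSE_HOUR = 9, 17
BANDS = [
    ("under 5k", 0, 5000),
    ("5k to 100k", 5000, 100000),
    ("100k and above", 100000, float("inf")),
]

def select(records, predicate):
    """Selection: keep the records for which predicate(record) is true."""
    return [r for r in records if predicate(r)]

def stratify(records, bands):
    """Stratification: (count, total amount) per band; bands are (label, low_incl, high_excl)."""
    result = {label: [0, 0.0] for label, _, _ in bands}
    for _, _, _, amount, _ in records:
        for label, low, high in bands:
            if low <= amount < high:
                result[label][0] += 1
                result[label][1] = round(result[label][1] + amount, 2)
                break
    return {label: tuple(v) for label, v in result.items()}

def frequency_by_user(records):
    """Frequency analysis: number of postings per user."""
    return Counter(user for _, user, _, _, _ in records)

def self_authorised(records):
    """Exception selection: posted and authorised by the same user (maker = checker)."""
    return [txn for txn, user, _, _, auth in records if user == auth]

def after_hours(records):
    """Exception selection: postings outside the assumed working hours."""
    out = []
    for txn, _, posted_at, _, _ in records:
        hour = datetime.strptime(posted_at, "%Y-%m-%d %H:%M").hour
        if hour < OPEN_HOUR or hour >= CLOSE_HOUR:
            out.append(txn)
    return out

def just_below(records, limit, margin=100):
    """Exception selection: amounts just below an approval limit (split-transaction pattern)."""
    return [r[0] for r in select(records, lambda r: limit - margin <= r[3] < limit)]
```

The exception selections are where the audit value lies: a posting authorised by its own maker, postings outside working hours, and amounts clustered just under an approval limit are the records an auditor pulls for manual follow-up, whatever the totals per band say.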

Other audit software: Other Audit Software includes

• Industry-specific Audit Software
• Spreadsheet Audit Software
• High-level Languages
• System Software
• Specialized Audit Software
• Decision Support System Software.

Computer Aided Audit Tools and Techniques (CAATTs): The term refers to any computer
program utilized to improve the audit process. Generally, however, it is used to refer to data
extraction and analysis software. This includes programs such as data analysis and
extraction tools, spreadsheets (e.g. Excel), databases (e.g. Access), statistical analysis
packages (e.g. SAS), generalized audit software (e.g. ACL, Arbutus, EAS) and business
intelligence tools (e.g. Crystal Reports and Business Objects).

Program source code review: While Generalized Audit Software is used to examine the quality
of data produced by a program, Program Source Code Review is a direct way of examining
program codes. The Program Source Code Review identifies Erroneous code, unauthorized
code, ineffective code, inefficient code, and non-standard code. This helps the auditors to
identify the low quality of functioning of some programs.
Test data: The Test Data approach indicates creation of dummy data to test specific aspects of
a program. The main objective of Test Data Technique is to assess whether the program
contains errors.

Program code comparison: By using this technique, the auditor can confirm that the correct
version of the software is being audited, and is the one actually running, by comparing the
program code of the audit version with the standard (authorised) version. Two kinds of
comparison are available: Source Code Comparison and Object Code Comparison. Object
Code Comparison establishes whether the audit version is the authorised one or not; in
practice this means comparing a cryptographic hash of the deployed program with the hash
recorded for the authorised release. Source Code Comparison gives a meaningful list of
discrepancies between the audit version and the standard version of the software. The
technique is easy to use and requires little technical knowledge, but it only detects
unauthorised changes to the program; it cannot tell whether the authorised program itself
is correct.
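The two comparisons just described, as an added example in Python (not code from the text or from any audit tool). Object code comparison is a digest check against the recorded digest of the authorised release; source code comparison is a unified diff whose added and removed lines form the list of discrepancies. Both program versions, the file names and the "+ 0.01" change in the audit copy are constructed for the illustration.

```python
"""Program code comparison: object-code digest check and source-code diff.

Added example. The two versions of the interest routine are constructed
samples; the audit copy adds one cent to every result, standing in for
unauthorised code.
"""
import difflib
import hashlib

STANDARD_SOURCE = """\
def monthly_interest(balance, annual_rate):
    return round(balance * annual_rate / 12, 2)
"""

AUDIT_COPY_SOURCE = """\
def monthly_interest(balance, annual_rate):
    interest = balance * annual_rate / 12
    return round(interest, 2) + 0.01
"""

def fingerprint(program: bytes) -> str:
    """SHA-256 digest of a program image (source text or compiled object code)."""
    return hashlib.sha256(program).hexdigest()

def object_code_matches(deployed: bytes, authorised_digest: str) -> bool:
    """Object code comparison: True only if the deployed image is byte-for-byte the authorised one."""
    return fingerprint(deployed) == authorised_digest

def source_discrepancies(standard: str, audit_copy: str, n_context: int = 1) -> list:
    """Source code comparison: the removed (-) and added (+) lines, file headers dropped."""
    diff = difflib.unified_diff(
        standard.splitlines(keepends=True),
        audit_copy.splitlines(keepends=True),
        fromfile="standard/interest.py",   # assumed file names
        tofile="audit/interest.py",
        n=n_context,
    )
    return [
        line.rstrip("\n")
        for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++ ", "--- "))
    ]
```

The digest check answers only "is this the authorised build?"; the diff answers "what exactly changed?". In an audit both are needed: the digest to decide quickly whether a deployed program needs attention, the diff to read what an unauthorised change does.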

Concurrent audit techniques: These are used when the auditors need to collect evidence and
evaluate the same instantaneously. This is done mostly to ensure the process integrity. The
techniques available for concurrent auditing are- Integrated Test Facility (ITF),
Snapshots/Extended Records, System Control Audit Review File (SCARF), Continuous and
Intermittent Simulation (CIS).

The advantages of Concurrent Audit Techniques are as follows.

1. The quality of processing can be determined directly.
2. The evidence collected is online and comprehensive.

Benefits of audit software

Audit software is independent of the system being audited and works on a read-only copy
of the files, so the organization's data cannot be corrupted by the audit. Many
audit-specific routines, such as sampling, are built in. The software also documents each
test performed, and that record can be used in the auditor's working papers.

Manual techniques: Apart from Computer Assisted Audit Techniques, evidence can also be
collected manually through interviews, questionnaires, control flow charts, etc. After
collecting the evidence, it is to be evaluated to judge the functioning of the system in
respect of the objectives of the System Audit stated earlier. Evaluation of Asset
Safeguarding and Data Integrity capability is done simultaneously, as the same methodology is
followed for both. This evaluation is focused on qualitative as well as quantitative aspects.
The auditors also evaluate the effectiveness of the system by judging parameters such as
improvement in task accomplishment, improvement in quality of working life, organizational
effectiveness, technical effectiveness and economic effectiveness. Such evaluation must also
include a cost-benefit evaluation. Similarly, an audit of system efficiency is also to be done.

Geeky Bankers
CAIIB (IT)
Module –D PART - 2
INFORMATION SYSTEM AUDIT
Unit –17
CAIIB(IT) MODULE –D PART - 2
Chapter 17: Information System Audit
What we will study?

SYSTEM AUDIT - SECURITY

IS AUDIT CONTROLS & APPROACHES

SYSTEM AUDIT - SECURITY

All Commercial organizations are exposed to various risks irrespective of
the system they might use. Therefore, the organizations need to secure
their systems from potential risks. But the steps to be taken for security
must be cost effective. The security of the system can be ensured only
through various controls and strict implementations of those control
measures.
The System Audit should ensure that the organization has taken
appropriate measures to secure their systems and also has adequate
control measures to ensure this security.
There are various types of controls in a computerized environment.
They are as follows.
(i) Environmental Controls
(ii) Access Controls
(iii) Input Controls
(iv) Communication Controls
(v) Processing Controls
(vi) Database Controls
(vii) Output Controls
(viii) Control of Last Resort

(i) Environmental Controls: These include the following.

Clean and Uninterrupted Power: In order to ensure smooth functioning
of the system and to avoid any data loss or corruption, an organization
must ensure a smooth and uninterrupted supply of power.
Fire Control: Fire Control means the measures to be taken to prevent
hazards arising out of fire. This includes steps for spreading awareness
relating to control of fire, display of "No Smoking" boards in the
System Room and other important places in the organization, and
installation of smoke detectors and fire extinguishers.

Clean and Dust Free Environment: The System Room must be in a clean
and dust-free environment. The temperature and the humidity in the
System Room must be controlled for better maintenance of the system.
Apart from this, a system of Water Damage Control and Pest Control should be
in place, and other aspects like the location of the System Room and
maintenance of the System Room should also be taken care of.

(ii) Access Controls: Security through Access Control comprises
mainly two parts: (a) Physical Security and (b) Logical Security.
Physical Security: Physical Security means that only authorized persons
will be allowed physical access to the system. This includes System
Room locking, control through a System Room access register, control
through a System Access Register, locking arrangements, burglar alarms
and CCTV, which may be used for prevention or detection of unauthorized
physical access.
Logical Security: Logical Security is more significant in a computerized
environment. It means that a person may get physical access to the system
but cannot do anything unless he passes the Logical Security. Logical
Security includes the use of User IDs, passwords stored only in encrypted
(hashed) form, ID cards, biometric technology, restriction of the rights of
different users, restrictions regarding allocation of supervisory rights, etc.

Password secrecy is another important logical security feature in any
system. The main password and account controls are:

Password Expiry Date: The password expires automatically after a certain
date, so that users are compelled to change their passwords after the
date of expiry.
Grace Logins: How many times a user will be allowed to log in after
expiry of the password before being locked out.
Unique Password: Whether users will be allowed to reuse a password they
have already used (normally not; the system keeps a history of previous
password hashes to enforce this).
Minimum Password Length: Users are forced to use a password of at least
this many characters. Generally, passwords must be at least 8 characters
long and include upper and lower case characters, at least one numeric
character and one special character.
Review and Removal of Dormant Users: The IDs of users who have been
transferred from the office, i.e. who no longer need to use the system,
should be removed from the system, and IDs that have not been used for a
long period should be reviewed and disabled.
Restriction on Concurrent Connections: Users should not be allowed to
connect to the system concurrently, i.e. to log in from more than one
machine at a time.
Restriction on Operating System Access: Except for the System
Administrators, normal users should not be given rights to access the
Operating System.
Logging of All Activities: All activities performed by all users are logged,
so that the controller knows what activities were performed and whether
any user has done something beyond their rights, whether because of a
mistake in allocating rights or otherwise.

Hours/Days Restriction for Users: Users may be restricted from using the
system on Sundays or non-working days. Similarly, the working hours in
the system for users can be restricted.

Terminal Restriction for Users: Users should be restricted to working on
only one machine, since in most cases they work in a network
environment and could otherwise access the system from any of the machines.
Security Codes for Menu Access: In a menu-driven package, some
sensitive menus may be given security codes so that only the users
required to use those menus can do so.
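The password controls above (expiry, grace logins, uniqueness, minimum length with character mix, concurrent-connection limit) are easy to state and easy to get subtly wrong. The following is an added example in Python, not code from the text or from any banking package, showing one way to enforce them together. The 8-character mixed-class rule is the one the text gives; the expiry period, number of grace logins and history depth are assumptions chosen for the illustration, as are the user IDs and passwords. Passwords are stored as salted PBKDF2 hashes rather than in the clear.

```python
"""Password and session policy checks.

Added example. Policy values marked as assumptions are illustrative; the
8-character mixed-class rule is the one stated in the text. All user
records are constructed.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8          # from the text
EXPIRY_DAYS = 90        # assumption
GRACE_LOGINS = 3        # assumption
HISTORY_SIZE = 5        # assumption: previous password hashes remembered
MAX_SESSIONS = 1        # "restriction on concurrent connections"
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def complexity_errors(password: str) -> list:
    """Every rule the candidate password violates; an empty list means it is acceptable."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password), "no upper-case letter"),
        (re.search(r"[a-z]", password), "no lower-case letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

@dataclass
class UserRecord:
    user_id: str
    salt: bytes            # one salt per user, kept fixed so history entries stay comparable
    current_hash: bytes
    changed_on: date
    history: list = field(default_factory=list)   # hashes of previous passwords
    grace_used: int = 0
    active_sessions: int = 0

    def password_expired(self, today: date) -> bool:
        return today > self.changed_on + timedelta(days=EXPIRY_DAYS)

def new_user(user_id: str, password: str, today: date) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(user_id, salt, hash_password(password, salt), today)

def set_password(user: UserRecord, new_password: str, today: date) -> list:
    """Apply the complexity and uniqueness rules; rotate the history on success."""
    errors = complexity_errors(new_password)
    new_hash = hash_password(new_password, user.salt)
    seen_before = any(hmac.compare_digest(new_hash, h) for h in [user.current_hash] + user.history)
    if seen_before:
        errors.append("password was used before")
    if errors:
        return errors
    user.history = ([user.current_hash] + user.history)[:HISTORY_SIZE]
    user.current_hash = new_hash
    user.changed_on = today
    user.grace_used = 0
    return []

def login(user: UserRecord, password: str, today: date) -> str:
    """Return "ok", "ok-must-change" (a grace login) or a "denied: ..." reason."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.current_hash):
        return "denied: bad password"
    if user.active_sessions >= MAX_SESSIONS:
        return "denied: already logged in elsewhere"
    if user.password_expired(today):
        if user.grace_used >= GRACE_LOGINS:
            return "denied: password expired and grace logins exhausted"
        user.grace_used += 1
        user.active_sessions += 1
        return "ok-must-change"
    user.active_sessions += 1
    return "ok"

def logout(user: UserRecord) -> None:
    user.active_sessions = max(0, user.active_sessions - 1)
```

The order of the checks in login matters: the password is verified before the session limit and expiry are reported, so a caller cannot learn whether an account is expired or already in use without knowing its password.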
(iii) Input Controls: The purpose of Input Controls is to prevent:

• Unintentional entry of wrong data
• Intentional entry of fraudulent data
• Preparation of false input forms
• Alteration of input forms
• Use of unauthorized input forms for data entry
• Deliberate error during data entry.

In order to ensure that adequate controls are in place at the point of input,
various steps are taken. These are Verification, Authorization, Clearance
of Exception Conditions, On-Screen Transaction Checking, Checking of
Reports, etc.
Input Controls ensure that the data entering the system is correct
and free of error, which will ultimately give good, accurate output.
Input Controls basically ensure the maintenance of Data Integrity.
(iv) Communication Controls: Computing has evolved from centralized,
mainframe-based processing to distributed processing. With the networking of
computers, interception of messages has become a major problem. In a
distributed processing environment, information can be manipulated and
processed across multiple platforms. Security of communication through the
network therefore relies on encrypting traffic in transit and authenticating the
origin and integrity of messages, in addition to the access controls of the
Network Operating System (NOS) and add-on security software packages.

(v) Processing Controls: The purpose of Processing Controls is to ensure
that the system processes the data, financial as well as non-financial,
correctly. This is ensured by maintaining the integrity of the programs
responsible for processing the data. The System Auditors are to ensure
that the security relating to processing by the system is in place. This can
be done by System Control and also by Manual Control.
In Processing Control through the system, the auditors copy the program
files running in the system. These are then compared with the
standard version of the program, and deviations, if any, can easily be
detected. In Manual Control, the auditors depend mostly on
computer-generated transactions, which are verified against the same
results derived manually.

(vi) Database Controls: Database Controls ensure that the data in the
database is not corrupted by any means and that the integrity of the data in
the database is maintained. To this end, the data in the database is copied to
another database or to other storage media such as magnetic tape. This
method is known as Back-Up. It ensures that even if the database of
the system is corrupted, it can be restored from the copy. In addition, the
back-up tapes should be stored in off-site storage, so that if some untoward
incident occurs in the office, the tape backing up the data and kept off-site
will be safe and can be used to restore the data. A backup that has never
been restored is not known to work; a periodic test restore, with the restored
files checked against what was backed up, is part of this control.

Apart from this, the database must be kept free from viruses so that it is
not corrupted.
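The nightly automated server backup described in the LAN section earlier and the Back-Up control here both come down to the same job: take the copy, record what was copied, and prove that it can be restored. The following is an added example in Python, not code from the text or from any backup product. It archives a directory, writes a SHA-256 manifest of every file, restores the archive into a scratch location with a path-traversal check on the archive members, and compares the restored files against the manifest. All files and paths are constructed inside a temporary directory; no real server paths are used.

```python
"""Backup with a hash manifest and a verified test restore.

Added example. Everything runs on constructed files in a temporary
directory. The manifest is what lets a restore be checked rather than
merely assumed to have worked.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of source and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest

def restore(archive: Path, target: Path) -> None:
    """Extract the archive, refusing any member that could escape target (path traversal)."""
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe member in archive: {m.name}")
        # Use the stdlib 'data' extraction filter where this Python provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, members=members, **kwargs)

def check_against_manifest(restored: Path, manifest: dict) -> list:
    """Paths whose restored content is missing or differs from the backup-time manifest."""
    actual = build_manifest(restored)
    return sorted(p for p, digest in manifest.items() if actual.get(p) != digest)

def demo(tamper: bool = False) -> list:
    """Backup -> restore -> verify on constructed files; optionally corrupt one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "server"                       # constructed source tree
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("acct,balance\n123456,1000.00\n")
        (src / "config.ini").write_text("[db]\nhost=dbserver\n")
        archive = Path(tmp) / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        restored = Path(tmp) / "restore_test"
        restored.mkdir()
        restore(archive, restored)
        if tamper:
            (restored / "accounts" / "ledger.csv").write_text("acct,balance\n123456,9999.00\n")
        return check_against_manifest(restored, manifest)
```

In a real job the manifest is written next to the archive and a copy goes off-site with it, so that the restore test at the recovery site can be checked against what was captured and not against whatever happens to come out of the tape.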
(vii) Output Controls: The objectives of Output Controls are to safeguard
against
• Unauthorized alteration of reports
• Wilful suppression of reports or parts of them
• Delivery of reports to unauthorized persons
• Misplacement/exchange/deliberate destruction of reports
• Careless handling of reports after expiry of the retention period.

The outputs are preserved in the following ways.

• Checked outputs are returned to the designated official/employee,
• Outputs are sent for centralized filing and storage,
• All outputs (including 'Nil' reports) are filed/bound in proper sequence,
• Outputs are preserved for their respective periods of retention as per
  laid-down instructions.
(viii) Controls of Last Resort: Besides all the security measures mentioned
above, some other aspects such as a Disaster Prevention and Recovery Plan
(DPRP) and Insurance are part of any set of security measures. The purpose
of a DPRP is to identify the probable disasters that may affect the system
and to find out the methods by which they can be prevented or their effects
minimized.
Similarly, all assets should be insured against all types of eligible risks so
that if the system is damaged, the organization can at least claim the
insured amount and reduce its risk.

IS AUDIT CONTROLS & APPROACHES


1. Audit Trails as Control Tool
2. Computer Audit Approaches
3. Competence of Computer Auditors
4. Auditing Software Development and Maintenance
5. Emerging Trends in IS Audit
1. Audit Trails as Control Tool
Audit trail controls attempt to ensure that a chronological record of all
events that have occurred in a system is maintained. An audit trail, at its
most basic, is a record of financial transactions. The audit trail is,
however, not simply a record: it is listed in order, step by step, and
serves as proof of a transaction's history, from recording to tracking
all changes that may take place.
Two types of audit trail must be maintained.
(a) The accounting audit trail shows the source and nature of data and
processes that update the database.
(b) The operations audit trail maintains a record of attempted or actual
resource consumption within a system.
The following sorts of data must be kept in the accounting audit trail:
1. Identity of the would-be user of the system
2. Authentication information supplied
3. Action privileges requested
4. Terminal identifiers
5. Start and finish time
6. Number of login attempts
7. Resources provided/denied
8. Action privileges allowed/denied

Accounting Audit Trail


The accounting audit trail must allow a message to be traced through
each node in the network. Some examples of data items that might be
kept in the accounting audit trail are:
1. Unique identifier of the source code
2. Unique identifier of the person/process authorizing dispatch of the
message
3. Time and date at which message dispatched
4. Message sequence number
5. Unique identifier of each node in the network that the message
traversed
6. Time and date at which each node in the network was traversed by the
message.
Operations Audit Trail
The operations audit trail in the communication subsystem is especially
important, as the performance and, ultimately, the integrity of the
network depends on the availability of comprehensive operations audit
trail data. Using this data, a network supervisor can identify problem
areas in the network and reconfigure the network accordingly. Some
examples of data items that might be kept in the operations audit trail
are:
1. Number of messages that have traversed each link
2. Number of messages that have traversed each node
3. Queue lengths at each node
4. Number of errors occurring on each link or at each node
5. Number of retransmissions that have occurred across each link
6. Log of errors to identify locations and patterns of errors
7. Log of system restarts
8. Message transit times between nodes and at nodes
2. Computer Audit Approaches
There are three main approaches for computer auditing:
(i) Audit around the computer.
(ii) Audit with the computer.
(iii) Audit through the computer.
(a) Audit around the computer
Auditing around the computer is when the audit team does not inspect IT
system controls. Instead, they obtain source documentation from the
system (i.e. system reports) and compare that information to the
financial statements. Unless the audit team has specific IT knowledge,
this is the route most audit teams take, as it is less complex. It is more
often known as the black box audit approach. Most often this approach is
used either because the processing done by the computer is too simple
Advantages:
1. Logic is reasonable, simple to use and familiar to auditors.
2. Specialized training not needed.
3. Small and simplistic system can be easily audited by this approach.
Disadvantages:
1. Where input data goes through many changes, true comparisons are
limited.
2. It is tedious and time consuming.
(b) Audit with the computer
In this approach, the auditor has his own PC or laptop which he can use as
a terminal to the main server and, using the software on his machine,
can audit applications running on the server. This approach also enables the
auditor to audit from a remote place. Thus, it enables the
auditor to undertake remote, on-line, real-time concurrent audit.
(c) Audit through the computer
For the most part, the auditor now is involved in auditing through the
computer. The auditor can use the computer to test:
(i) The logic and controls existing within the system and
(ii) The records produced by the system.
Depending upon the complexity of the application system being audited,
the approach may be fairly simple or require extensive technical
competence, on the part of the auditor.
There are several circumstances where auditing through the computer
must be used:
(i) The application system processes large volumes of input and produces
large volumes of output that make extensive direct examination of the
validity of input and output difficult.
(ii) Significant parts of the internal control system are embodied in the
computer system.
(iii) The logic of the system is complex and there are large portions that
facilitate use of the system or efficient processing.
(iv) Because of cost benefit considerations, there are substantial gaps in
the visible audit trail.
The primary advantage of this approach is that the auditor has increased
power to effectively test a computer system. The range and capability of
tests that can be performed increases and the auditor acquires greater
confidence that data processing is correct. By examining the system's
processing, the auditor also can assess the system's ability to cope with
environmental change.
The primary disadvantages of the approach are the high costs sometimes
involved and the need for extensive technical expertise when systems are
complex.
3. Competence of Computer Auditors
Computer auditors need knowledge of the different computer controls, a
strong understanding of data analytics, familiarity with basic IT system
infrastructure and architecture, and the ability to recognize or predict
cyber-security risks. The higher the competency of an auditor, the better
the auditor is at reporting client errors. An auditor who understands the
client's information system also delivers better audit quality, so audit
reporting improves as well.
An IT auditor uses some general tools, technical guides and other
resources recommended by ISACA or any other accredited body. This is
why many audit organizations will encourage their employees to obtain
relevant certifications such as CISA (Certified Information Systems
Auditor) which is awarded by ISACA.
4. Auditing Software Development and Maintenance
The following points set forth the minimum level of IS auditor's
involvement necessary for developing new systems and maintaining
existing ones. The internal computer auditor needs to be involved in the
critical phases of the Software Development Life Cycle as follows:
(a) System Planning
In this phase, the project's scope, objectives, costs, benefits, and technical
and economic feasibility are defined and determined. The internal
computer auditor should be involved in this phase so that he can
anticipate future systems developments which may require him to gain
the necessary knowledge to deal with any new technical concepts that
are planned.
(b) User Specifications
In this phase, the computer auditor should define the controls by which
the systems can be monitored and regulated. The computer auditor
should review the potential exposures and related controls. Computer
auditors are also the users of the new system.
(c) Detailed Technical Specifications & System Designing
Within this phase, the system analyst translates the user specifications
into technical concepts at the level necessary to communicate with
programmers. This phase involves even closer coordination between the
user and the EDP department/CPPD. With appropriate technical
knowledge and computer experience, the computer auditor can review
this phase to ascertain if a reasonable translation has been made with
adequate security & control features. Otherwise the major problems
during/after implementation can prove to be very costly.
(d) Programming
This is the conversion of the technical specifications defined (the design made)
by the system analyst into computer operating instructions (source coding).
All the programs and modules are tested here by the programmers/system
analyst on an individual basis.
(e) User Procedures & Training
This phase includes the preparation of procedures for the conversion to,
and the operation of, the new system. Computer auditors should check to
see if the user has adequate procedure manuals and related job
descriptions which serve to increase user awareness and control over the
system.
(f) System Test
The system test is an acceptance test conducted by the systems group
and the user. Computer auditor's participation is very much essential. It is
the last line of defense before implementation. Tests performed should
be recorded and test checks should be retained (with their results) to
indicate the adequacy and success of system testing. Users' & auditors'
approvals should be the last step in this phase.

(g) Implementation (i.e., porting from the existing to the new System)

This is the phase in which the conversion of data, equipment and
procedures takes place. It should occur in a carefully planned and
controlled environment. The computer auditor should be concerned
about the integrity and consistency of the data and procedures (manual
as well as computer procedures) while doing the conversion. This gives
rise to the concept of "Conversion Audit".
(h) Post-implementation Review
A review (on a continuous basis) should be made by the computer
auditor after the implementation to assure that all areas of the system
are operating as intended.
In many banks and financial institutions, the number of computer auditors is
quite inadequate to cope with the tasks spelled out here. There is an
urgent need to develop this area.

5. Emerging Trends in IS Audit


There are also new audits being imposed by various standard boards
which are required to be performed, depending upon the audited
organization, which will affect IT and ensure that IT departments are
performing certain functions and controls appropriately to be considered
compliant. Examples of such audits are SSAE 16, ISAE 3402, PCI DSS and
ISO27001:2013.
ISAE 3402 and SSAE 16 audits deal with internal control over financial
reporting and compliance controls of an organization respectively.

Geeky Bankers
CAIIB (IT)
Module D, Part 3
INFORMATION SYSTEM AUDIT
Unit 17

CAIIB (IT) MODULE D, PART 3

Chapter 17: Information System Audit

What we will study:

CYBER LAW

LEGAL DEFINITION OF COMPUTER CRIME

AMENDMENT TO IT ACT IN 2008

DIGITAL RIGHTS MANAGEMENT (DRM)

CYBER LAW
Cyber Law is a generic term referring to all the legal and
regulatory aspects of the internet.

Cyber Law, also called IT Law, is the law regarding
information technology, including computers and the
internet. It is related to legal informatics and governs the
digital circulation of information, software, information
security, and e-commerce.

IT ACT – 2000

The Information Technology Act, 2000 is an act proposed by
the Indian Parliament and reported on 17th October 2000. It is
the primary law in India for matters related to cybercrime
and e-commerce. The main objective of this act is to enable
lawful and trustworthy electronic, digital and online
transactions and to alleviate or reduce cyber crimes.

Objectives behind IT ACT – 2000

• To give legal sanction to electronic commerce and
electronic transactions, and to enable e-governance.

• For any crime involving a computer or a network
located in India, foreign nationals can also be charged.

• The law prescribes penalties for various cybercrimes
and fraud committed through digital/electronic means.

• It also gives legal recognition to digital signatures.

• The IT Act also amended certain provisions of
the Indian Penal Code (IPC), modifying these laws to make them
compliant with new digital technologies.

What are the amendments made in IT Act 2008?

These changes included expanding the definition of
cybercrime and adding new penalties for offenses such as
identity theft, publishing private images without
consent, cheating by impersonation, and sending
offensive messages or those containing sexually explicit
acts through electronic means.

Who will be the originator of an electronic record?

An electronic record is attributed to the originator:

• If it was sent by the originator himself,

• If it was sent by a person who had the authority to act
on behalf of the originator in respect of the electronic record,

• If it was sent by an information system programmed by or
on behalf of the originator to operate automatically.

Legal Recognition of Digital Signature

Where any document needs to be signed or bear the signature of any
person, such requirement will be considered to be satisfied
if such information or matter is authenticated by means
of a Digital Signature.

However, the manner and format in which the digital signature
shall be affixed, and the manner or procedure which facilitates
identification of the person affixing the digital signature, will
be governed by the rules prescribed by the Central
Government.

This is very relevant for the Banks. Banks can now use
digital signatures in the case of payments, remittances,
appraising loan proposals and even putting up internal notes
between various offices electronically.

Submission of Forms by Electronic Means

Wherever any form, application or any other document
needs to be submitted in any office, the same may be done
by means of such electronic form. Banks can now open
accounts for customers electronically by receiving forms
by electronic means. Similarly, customers may submit
their loan proposals to the Bank electronically. This will
facilitate e-banking, e.g. pre-approved personal loans.

Receipt or Payment of Fees or Charges

Receipt or payment of fees or charges may be effected by
means of electronic form. When Banks go for e-business,
they can receive or pay fees and other charges
electronically. Thus, customers need not visit the Banks.
They give instructions to the Bank electronically and the Bank
debits their accounts and credits the same to the
appropriate accounts.

How does a Digital Signature work?

A Digital Signature Certificate will be granted by a Certifying Authority
if the following conditions are satisfied:
(a) The applicant holds the private key corresponding to the
public key to be listed in the Digital Signature Certificate,

(b) The applicant holds a private key which is capable of
creating a digital signature,

(c) The public key to be listed in the certificate can be used
to verify a digital signature affixed by the private key held by
the applicant.

A Certifying Authority, while issuing a Digital Signature
Certificate, shall certify that
(a) It has complied with the provisions of the IT Act, rules
and regulations,

(b) The subscriber identified in the Digital Signature
Certificate holds the private key corresponding to the public
key listed in the Digital Signature Certificate,

(c) The subscriber's public key and private key constitute a
functioning key pair.
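Conditions (b) and (c) above, that the subscriber holds the private key matching the listed public key and that the two form a functioning pair, are established in practice by a proof of possession: the Certifying Authority issues a challenge, the applicant signs it with the private key, and the CA verifies the signature under the public key to be listed. The Go program below is an added example written for this page, not code from the IT Act, any Certifying Authority or the channel; the request layout, field names and the use of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CertRequest is a constructed, simplified stand-in for what an applicant
// submits to a Certifying Authority: the public key to be listed in the
// Digital Signature Certificate, together with a signature, made with the
// claimed private key, over a challenge value that the CA chose.
type CertRequest struct {
	Subscriber string
	PublicKey  ed25519.PublicKey
	Challenge  []byte
	Signature  []byte
}

// NewChallenge produces the random value the CA asks the applicant to sign.
// A fresh value per request means an old signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge is the applicant's side: it demonstrates possession of the
// private key corresponding to the public key that will be certified.
func SignChallenge(subscriber string, priv ed25519.PrivateKey, challenge []byte) CertRequest {
	return CertRequest{
		Subscriber: subscriber,
		PublicKey:  priv.Public().(ed25519.PublicKey),
		Challenge:  challenge,
		Signature:  ed25519.Sign(priv, challenge),
	}
}

// VerifyKeyPossession is the CA's side. It returns nil only when the applicant
// signed exactly the challenge this CA issued and that signature verifies under
// the public key to be listed; that is what lets the CA certify that the
// subscriber holds the private key and that the two keys form a working pair.
func VerifyKeyPossession(req CertRequest, issued []byte) error {
	if len(req.PublicKey) != ed25519.PublicKeySize {
		return errors.New("listed public key has the wrong length")
	}
	if !bytes.Equal(req.Challenge, issued) {
		return errors.New("signed value is not the challenge this CA issued")
	}
	if !ed25519.Verify(req.PublicKey, req.Challenge, req.Signature) {
		return errors.New("signature does not verify under the listed public key")
	}
	return nil
}

func main() {
	// Constructed walk-through: a new applicant key pair and one CA challenge.
	_, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	req := SignChallenge("example subscriber", priv, challenge)
	fmt.Println("genuine request:", VerifyKeyPossession(req, challenge))

	// A request that lists someone else's public key fails the check.
	otherPub, _, _ := ed25519.GenerateKey(nil)
	forged := req
	forged.PublicKey = otherPub
	fmt.Println("mismatched key:", VerifyKeyPossession(forged, challenge))
}
```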

Legal Definition of Computer Crime

A person is said to commit a Computer Crime if he or she does
any of the following, without the consent of the owner or the person in
charge of a computer, computer system or computer
network system:

(a) Secures access to such a computer or computer
network,

(b) Downloads, copies or extracts any data, computer
database or information from such computer,

(c) Introduces a computer contaminant or computer virus into a
computer or a computer network, e.g. a ransomware
attack,

(d) Damages or causes to be damaged any computer or
computer network or any programs residing in such
computer or computer network system,

(e) Disrupts or causes disruption of any computer, computer
system or computer network system,

(f) Denies or causes the denial of access to any person
authorized to access any computer, computer system or
computer network system by any means.

Important points related to evidence in computer crime

• With the introduction of the IT Act, 2000, some
amendments to the Indian Penal Code, 1860 have been
made. Under these, electronic records will also be treated as
documents in a court of justice. This has facilitated the use
of electronic records by the Banks, as they will now get
legal protection in respect of electronic records.

• The Indian Evidence Act, 1872 has also been amended in
tune with the IT Act, 2000. According to this amendment,
Banks can now produce any electronic record, entries made
in electronic form, or any content in electronic form, as
evidence in court.

• Amendment to the Bankers' Books Evidence Act,
1891: According to this amendment, 'Banker's Book'
includes ledgers, day books, cash books, account books, and
all other books used in the ordinary business of a bank,
whether kept in written form or as printouts of data stored in a
floppy, disc, tape or any other form of electro-magnetic
storage device. Therefore, when a Bank is working in a
computerized environment, data stored in electronic media
will be adequate and there will be no need to maintain
data in physical form.

E.g. A customer wants to deposit Rs. 10000 in a bank. He
deposits the amount with a banker, who acknowledges the
deposit with a receipt. The banker will then make a proper
entry of the same in a ledger book or an account book. Later,
the customer claims that he deposited Rs. 15000 in the bank
but only Rs. 10000 was credited to his account.

In this case, the banker will have appropriate records to verify
it. The bank can verify that only Rs. 10000 was deposited by
the customer. If any legal proceedings are initiated against
the bank, it can produce a certified copy of the record. The
Bankers' Books Evidence Act, 1891 provides the law with
respect to bankers' books and what constitute certified copies of
the bank records.

Some Legal Issues

Data Theft: Usually the theft of electronic data results in the
diminishing of its value. Under such circumstances data theft
would be covered under Section 66 of the Information
Technology Act, 2000 (IT Act), which prescribes a
punishment of up to three years imprisonment and/or a fine of
up to Rs. 2 lakh. The theft of source or object code is also
included under data theft. The specific provision dealing with
this is Section 65 of the IT Act.

Email Abuse: Sending pornographic or obscene emails
is punishable under Section 67 of the IT Act. An offence
under this section is punishable on first conviction with
imprisonment for a term which may extend to five years
and with a fine which may extend to one lakh rupees.

• In the event of a second or subsequent conviction the
prescribed punishment is imprisonment for a term which
may extend to ten years and also a fine which may
extend to two lakh rupees.
• Emails that are defamatory in nature are punishable
under Section 500 of the Indian Penal Code (IPC), which
prescribes imprisonment of up to two years or a fine
or both.

Data Alteration: Section 66 of the IT Act covers
unauthorized alteration of data. This section deals with
hacking. According to this section, unauthorized alteration of
data is punishable with three years imprisonment and/or a
fine of up to Rs. 2 lakh.

Unauthorized Access: Unauthorized access is covered by
Section 43 of the IT Act, which provides for a penalty of up to 1
crore for this offence.

Virus & malicious code: Introduction of a computer virus
or contaminant (including worms, Trojans, etc.) is covered
by Section 43 of the IT Act, which provides for compensation
of up to Rs. 1 crore for this offence. If, pursuant to the
introduction of this malicious code, loss of data occurs, then
Section IT Act will also be applicable.

Denial of Service (DoS): This category has been dealt with
under Section 43 of the IT Act, which provides for
compensation of up to Rs. 1 crore for this offence.

Amendment to IT Act in 2008

A major amendment to the IT Act 2000 was made in 2008. It
introduced Section 66A, which penalized the sending of
"offensive messages". It also introduced Section 69,
which gave authorities the power of "interception or
monitoring or decryption of any information through any
computer resource". It also introduced penalties for child
porn, cyber terrorism and voyeurism.

However, on 24 March 2015, the Supreme Court of India
gave the verdict that Section 66A is unconstitutional in its
entirety. The court said that Section 66A of the IT Act 2000
"arbitrarily, excessively and disproportionately invades
the right of free speech" provided under Article 19(1) of the
Constitution of India.

Digital Rights Management (DRM)

Digital rights management (DRM) is a systematic approach
to copyright protection for digital media. The purpose of DRM
is to prevent unauthorized redistribution of digital media and
restrict the ways consumers can copy content they have
purchased.

DRM products were developed in response to the rapid
increase in online piracy of commercially marketed material,
which proliferated through the widespread use of peer-to-peer
file exchange programs.

Typically DRM is implemented by embedding code that
prevents copying, specifies a time period in which the
content can be accessed, or limits the number of devices the
media can be installed on.

Digital Rights Management is a technology designed to
track and/or copy-protect digital copyright content. It
includes secure distribution mechanisms, which
generally use encryption and digital watermarks. DRM
typically controls the exploitation of content by 'meta tagging'
content with the relevant usage rules (license rights) prior to
the content being encrypted. The content can then only be unlocked by a
user who has access to the necessary decryption technology
and used within the permitted usage rules.
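As an added illustration of the model just described (usage rules attached to the content before it is encrypted, with decryption allowed only inside the permitted rules), the Go program below packages a content item under a fresh AES-GCM key and refuses to unlock it outside the license window, beyond the device cap, or under a license for a different item. This is example code written for this page, not a real DRM product's code; the License structure, rule names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// License carries the usage rules ("meta tags") attached to one content item
// before encryption: an access window and a device cap. Constructed format.
type License struct {
	ContentID  string
	NotBefore  time.Time
	NotAfter   time.Time
	MaxDevices int
	Devices    map[string]bool // device IDs already activated under this license
	Key        []byte          // content key, released only to the licensed user
}

var (
	ErrWrongContent  = errors.New("license does not cover this content")
	ErrOutsideWindow = errors.New("content not accessible at this time")
	ErrDeviceLimit   = errors.New("device limit reached")
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Package encrypts content under a fresh AES-256-GCM key and returns the
// ciphertext (nonce prefixed) plus a license binding that key to the rules.
// The content ID is authenticated as additional data, so the ciphertext cannot
// be opened with the key from a license issued for a different item.
func Package(contentID string, plaintext []byte, notBefore, notAfter time.Time, maxDevices int) ([]byte, *License, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, []byte(contentID))
	lic := &License{ContentID: contentID, NotBefore: notBefore, NotAfter: notAfter,
		MaxDevices: maxDevices, Devices: map[string]bool{}, Key: key}
	return ct, lic, nil
}

// Unlock checks every usage rule before any decryption happens. A new device
// is only activated (and counted against the cap) once the other rules pass.
func Unlock(lic *License, contentID, deviceID string, now time.Time, ciphertext []byte) ([]byte, error) {
	if lic.ContentID != contentID {
		return nil, ErrWrongContent
	}
	if now.Before(lic.NotBefore) || now.After(lic.NotAfter) {
		return nil, ErrOutsideWindow
	}
	if !lic.Devices[deviceID] {
		if len(lic.Devices) >= lic.MaxDevices {
			return nil, ErrDeviceLimit
		}
		lic.Devices[deviceID] = true
	}
	gcm, err := newGCM(lic.Key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(contentID)) // fails if tampered with
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ct, lic, err := Package("item-42", []byte("constructed media bytes"), start, start.Add(24*time.Hour), 2)
	if err != nil {
		panic(err)
	}
	for _, device := range []string{"phone", "laptop", "tv"} { // third device exceeds the cap
		_, err := Unlock(lic, "item-42", device, start.Add(time.Hour), ct)
		fmt.Println(device, "inside window:", err)
	}
	_, err = Unlock(lic, "item-42", "phone", start.Add(48*time.Hour), ct)
	fmt.Println("phone after window:", err)
}
```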

Geeky Bankers
CAIIB (IT)
Module D
COMPETITIVE BID PROCESS: RFP AND SLA
Unit 18

CAIIB (IT) MODULE D
Chapter 18
COMPETITIVE BID PROCESS: RFP AND SLA

What we will study:

RFP Process
Pre-proposal Conference
Scope of Work of RFP
Evaluation of proposals
Service Level Agreement
What is an RFP?
The RFP invites relevant vendors to submit a proposal to
meet the desired need. More specifically, the RFP is a
document that explains a project's needs and asks for
proposed solutions from potential vendors.
Difference between RFP and Tender

Tender:
Tenders are more rigid than RFPs. The tender is an “offer”
which the bidders accept in submitting a bid, resulting in a
bid contract. The bid contract requires that the project
owner and the successful bidder must enter a contract to
perform the project. In a tender process, the project owner
must follow several requirements that are implied into the
bid contract, unless the requirements are removed by the
bid invitation (which must be done carefully and typically
with legal advice).

RFP:
RFP is the process that an organization goes through to
communicate a need for services. The RFP invites relevant
vendors to submit a proposal to meet the desired need.
More specifically, the RFP is a document that explains a
project's needs and asks for proposed solutions from
potential vendors.
The life cycle of a contractual relationship always starts
with the requirements phase.
There are four major stages of a contractual relationship:
1. Setup
2. Contract
3. Operations
4. Transition-out.

The first two stages, setup and contract, need a lot of focus
in order to ensure smooth 3rd and 4th stages, i.e., operations
and exit.

There are important differences among the various documents
used to solicit responses from vendors.

Request for information (RFI)
An RFI is used when we don't know exactly what we want
or don't know what is available in the marketplace. The
information received as a result of the RFI may assist in
determining whether a formal request for bid or proposal is
necessary.

Request for bid (RFB)
An RFB is used when we know precisely what we need and
have precise requirements and specifications.

Request for proposal (RFP)
The RFP is a hybrid of these documents. An RFP is used
when we have a general idea with some specifications
and/or it's a large, complex project with potential for
multiple solutions.

RFP PROCESS
The process begins with a scope of work (SOW) statement
(description of services) or specifications (description of
goods), and proposal evaluation criteria.

These are submitted to the Purchasing Office, which takes the
SOW or specifications and develops a complete Request for
Proposal including standard contract clauses, special
clauses, instructions to prospective vendors, and any
requisite technical specifications.

The RFP states a specific date and time deadline for
proposal receipt and often has mandatory pre-proposal
meetings for vendors to attend. This meeting offers the
opportunity to ask questions and gives the organization a
chance to determine whether any changes need to be
issued to the RFP.

After proposals are received, they are evaluated against the
evaluation criteria which were stipulated in the RFP. The
purchasing committee/department agrees on the awarded
firm. Once approved, a purchase order and/or contract is
processed.
Pre-proposal Conference
While a pre-proposal conference is not always required, it
is highly recommended. If one is conducted, vendors are
required to attend, so that the organization can be sure that
all vendors receive the same information and receive
constructive feedback about the RFP. Although a
representative from the Purchasing Office leads the
conference and answers any contractual questions, the
department must be represented to answer any questions
about the technical aspects and performance anticipated in
the scope of work detailed in the RFP.

Scope of Work of RFP

The scope of work is the heart of the RFP. A well-written
scope of work can do more for the success of a contract
than any other part of the contracting process. A good
scope of work is clear, complete, and logical enough to be
understood by the vendor and the department. The RFP must
be concise and clear.

Suggested content in the RFP includes: introduction and
general information, task description, constraints on the
contractor, contractor personnel requirements,
organization responsibilities, special conditions, and evaluation
criteria.

EVALUATION OF PROPOSALS
Proposal openings are open to the public and are
scheduled two to four weeks after the pre-proposal
conference. This may vary depending on the complexity of the
project that is being bid.

Late proposals are marked with the time and date
received; however, they are not opened or read and will
not be considered.
A prerequisite for award is that the vendor must be
responsible and must submit a responsive offer. To be
responsible means the vendor has the requisite business
integrity, as well as financial and organizational capacities,
to ensure good-faith performance.

Some evaluation criteria to consider for inclusion in the
RFP are as follows:

(1) Performance record of the contractor, (2) safety
record, (3) relevant experience in providing comparable
services on projects of similar size and scope, (4) overall
quality of proposal, (5) pricing.

The RFP must contain a cost proposal format that allows the
vendors to explicitly identify their charges for the
deliverables identified in the project. Deliverables must be
well defined so that all vendors can respond to the same
deliverables, thus allowing the organization to make
comparative analyses of the vendors' costs.

Negotiation: When all proposals are determined to be
non-responsive, all must be rejected and a new RFP is
issued. Negotiation is normally only permitted where
effective competition is not available. However, when
written evaluations support it, the Purchasing Office may
authorize negotiation with each vendor whose proposal
can reasonably be expected to be amended to meet the
needs of the organization.
CONTRACT CO-ORDINATION
Contract co-ordination is basically the performance
monitoring of the vendor. After award, the project
coordinator, who is usually named in the contract
document, monitors the vendor's performance, approves
invoices, and notifies the Purchasing Office if any problems
are encountered.

Depending on the type of service, the manner in which
performance is monitored may involve any number of
procedures including regular and unscheduled inspections,
complaints brought to management's attention, and reports
or surveys of consumers of the services.

The key to rectifying poor performance is keeping good
documentation. Each contract contains provisions for
dealing with poor performance. Such provisions are usually
cited under the default clause in a contract.

Under the standard default clause, the contractor has a
specified time period to correct, or provide a corrective
action plan for, any non-conformances identified by the
project coordinator. If the contractor is clearly at fault and the
organization has documentation to prove it, the organization
can cancel the contract for default and hold the contractor
liable for the increased costs of obtaining substitute
services from another vendor. All the performance aspects
are to be specified in the Service Level Agreement (SLA) with
the vendor.

Geeky Bankers
CAIIB (IT)
Module D
COMPETITIVE BID PROCESS: RFP AND SLA
Unit 18, Part 2

CAIIB (IT) MODULE D
Chapter 18
COMPETITIVE BID PROCESS: RFP AND SLA

What we will study:

What is an SLA and its types
SLA benefits
SLA Processes
SERVICE LEVEL AGREEMENT (SLA)

A service-level agreement/contract is a commitment
between a service provider and a client that defines the
services provided, the indicators associated with these
services, acceptable and unacceptable service levels,
liabilities on the part of the service provider and the
customer, and actions to be taken in specific circumstances.

Other important aspects of SLA

• SLAs validate expectations of the respective
parties and set parameters for measuring project
success.

• An effective SLA can help to ensure that the
outsourcing vendor is helping the customer meet
business and technology service levels, which in turn
leads to increased productivity and flexibility, and
improved standardization and capacity.

• SLAs focus on measuring and managing two of these,
productivity and service quality improvement.

There are two broad categories of SLAs:

(i) External SLA (ii) Internal SLA

External SLA: Those which form the basis of an agreement between organizations. An SLA is generally a contract between two organizations: an external service provider and a customer. This type of SLA is called an external SLA.

• It is the most rigorous type of agreement, since it is usually a legally binding contract between two organizations.
• A legal review of an external SLA is strongly recommended. From the service provider's point of view, such a contract guards against expectation creep and provides clear targets in terms of service levels.
• From a customer's point of view, the necessity is quite clear: without guaranteed service levels, the customer can only hope that the services provided meet its needs, and if they do not, it is unclear what the customer can do about it.
• One of the benefits of an SLA is that it makes the business aware that there is a relationship between service levels and cost.
• If customers can better understand the relationship between cost and service level, then they can make a better business decision about the service level required and how much it will cost.

Internal SLA: Those which form the basis of an agreement between bodies within the same organization. This is also known as a Local Partner Agreement (LPA), reflecting its intra-organization standing.

An SLA can also be used internally to define requirements for a wide range of services, from help-desk services to network performance and availability, application performance and availability, and internal processes. When the service provider and customer work for the same company, familiarity should not be allowed to prevent the establishment of a comprehensive contract.

The basic objectives of an internal SLA are as follows:

• To assist in the development of business processes.
• To lead to better overall organizational performance.
• To help foster good relations between the service provider and other departments.
• To manage expectations.
• To boost productivity.
• To increase employee morale.

When an internal SLA is used, it is generally better to refer to improved service levels rather than conformance.

SLA Benefits
SLAs make use of the knowledge of enterprise capacity demands, peak periods, and standard usage baselines to compose an enforceable and measurable outsourcing agreement between vendor and client.

By applying a well-defined and orderly approach when setting up SLAs, outsourcing vendors are able to provide measurable and enforceable results to their clients.

SLAs also provide the requisite methodologies for root cause analysis of problems, leading to easier, faster fixes. This, in turn, can lead to improved overall quality, lower overall risk, and lower production and maintenance costs.

An SLA provides a number of benefits, some of which are as follows:

• Better communication: It facilitates two-way communication between a service provider and its customers. This communication starts at the beginning of the process to establish an SLA and, hopefully, continues throughout the life of the arrangement.
• Guards against expectation creep: It is not uncommon for one party's expectations of another to be higher than what may be considered reasonable. Discussing these expectations and the resource commitments necessary to meet them is one activity undertaken in the establishment of an SLA.
• Mutually agreed standard: An SLA sets an agreed standard against which performance may be measured. It identifies customer expectations, defines the boundaries of the service provision and clarifies responsibilities.
• A process for gauging service effectiveness: As the SLA defines standards against which the service may be measured and evaluated, it provides the basis for performing an assessment of the effectiveness of the service.

Various tools are used to monitor the performance of the vendor against the various stipulations of the SLA.

For instance:

• A vendor is expected to maintain the stipulated RTO (Recovery Time Objective: the time taken to resume operations in case of a disaster, which is generally 2 to 6 hours in a CBS environment).
• RPO (Recovery Point Objective: a measure of the data that may be allowed to be lost in case of a disaster). In a typical CBS environment, the RPO would always be zero or near-zero.
• Similarly, for optimum response to users, a server may not be allowed to cross, say, a 70% utilization limit for memory or CPU usage. The vendor is then responsible for sizing the server accordingly and ensuring that utilization does not cross the specified limit, especially during user access time.
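The stipulations above only mean something if the bank actually computes them from its own incident and monitoring records rather than taking the vendor's word for it. The Python block below is an added example, not code from the CAIIB material or from any vendor tool, showing how the three stipulations just listed can be checked: the achieved RTO and RPO are derived from one outage record, and peak CPU/memory utilization is compared with a 70% limit using only readings taken inside the user access window. The outage timestamps, the 09:00 to 18:00 access window, the 4-hour RTO limit and the 1-minute "near-zero" RPO limit are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DisasterEvent:
    """One outage record as the bank's incident process would log it (constructed)."""
    name: str
    last_good_backup: datetime   # last point at which data was safely captured
    failure_time: datetime       # when the disaster/outage began
    service_resumed: datetime    # when operations resumed (e.g. at the DR site)


@dataclass
class SlaLimits:
    """Stipulated limits; the values used below are illustrative, not from a real SLA."""
    max_rto: timedelta
    max_rpo: timedelta
    max_utilization_pct: float
    access_start_hour: int = 9   # assumed user access window: 09:00 to 18:00
    access_end_hour: int = 18


def achieved_rto(event: DisasterEvent) -> timedelta:
    """Recovery time actually taken: downtime from failure until operations resumed."""
    return event.service_resumed - event.failure_time


def achieved_rpo(event: DisasterEvent) -> timedelta:
    """Recovery point actually achieved: the window of data at risk of loss."""
    return event.failure_time - event.last_good_backup


def peak_utilization(samples, limits: SlaLimits) -> float:
    """Peak utilization considering only samples taken during user access time.
    samples: list of (timestamp, utilization_percent)."""
    in_window = [pct for ts, pct in samples
                 if limits.access_start_hour <= ts.hour < limits.access_end_hour]
    return max(in_window, default=0.0)


def check_sla(event, samples, limits):
    """Return stipulation -> (measured, limit, compliant) for RTO, RPO and utilization."""
    rto = achieved_rto(event)
    rpo = achieved_rpo(event)
    peak = peak_utilization(samples, limits)
    return {
        "RTO": (rto, limits.max_rto, rto <= limits.max_rto),
        "RPO": (rpo, limits.max_rpo, rpo <= limits.max_rpo),
        "utilization": (peak, limits.max_utilization_pct, peak <= limits.max_utilization_pct),
    }


# Constructed sample data for the example run.
SAMPLE_EVENT = DisasterEvent(
    name="primary DC power failure (constructed)",
    last_good_backup=datetime(2024, 3, 10, 2, 14, 30),
    failure_time=datetime(2024, 3, 10, 2, 15, 0),
    service_resumed=datetime(2024, 3, 10, 5, 45, 0),
)
SAMPLE_UTILIZATION = [
    (datetime(2024, 3, 11, 3, 0), 82.0),    # night batch run: outside user access time
    (datetime(2024, 3, 11, 10, 0), 65.0),
    (datetime(2024, 3, 11, 14, 0), 72.0),   # breaches the 70% limit during business hours
]
SAMPLE_LIMITS = SlaLimits(max_rto=timedelta(hours=4),
                          max_rpo=timedelta(minutes=1),
                          max_utilization_pct=70.0)


def sample_report():
    return check_sla(SAMPLE_EVENT, SAMPLE_UTILIZATION, SAMPLE_LIMITS)


if __name__ == "__main__":
    for stipulation, (measured, limit, ok) in sample_report().items():
        print(f"{stipulation}: measured={measured} limit={limit} {'OK' if ok else 'BREACH'}")
```

On the constructed data the vendor meets the RTO (3 h 30 min against a 4-hour limit) and the RPO (30 seconds), but breaches the utilization limit at 14:00; the 82% reading at 03:00 is ignored because the stipulation applies to user access time.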


SLA PROCESSES
Before determining what can be measured, both parties must understand the customer's goals. By focusing initially on the identification of goals, prospective partners are in a better position to clearly recognize which financial, performance, and strategic metrics are appropriate for measuring success.

Having decided what is required and how success is measured, the next step is to develop agreements and contracts that capture these components and are structured to evolve to meet dynamic business requirements. For instance, by drawing upon prior outsourcing project experience, the vendor should be able to recommend the relevant metrics to be tracked and the appropriate reporting tools for the IT and business environment.

The basic sequence of steps of the SLA process is:

1. Commitment
2. Preparation
3. Negotiation
4. Management

Commitment involves the following steps:

i. Assess whether an SLA is appropriate
ii. Get management commitment
iii. Assemble a team

Assemble a team: Establishing an SLA is not a process that can be carried out casually or as an afterthought. It requires a lot of thought and careful planning. It requires capable, knowledgeable and dedicated staff to lead the effort of establishing the SLA and to manage it after it has been implemented.

Ideally, the team should comprise:

a) An SLA Manager who will be responsible for the SLA process;
b) Service representative(s);
c) A Finance representative;
d) If applicable, other experts in relevant subject matters and a legal adviser.

Preparation

Negotiation
a) Create a draft SLA
b) Finalize the SLA

Management
a) Implement a performance measurement system
b) Report attained service levels
c) Review the SLA

Geeky Bankers
CAIIB (IT)
Module D
COMPETITIVE BID PROCESS - RFP AND SLA
Unit 18, Part 3

CAIIB (IT) MODULE D
Chapter 18, Part 3
COMPETITIVE BID PROCESS - RFP AND SLA

What we will study?

• SLA structure
• Change management
• SPOF and clustering
• Workload scheduling
• Monitoring tools

STRUCTURING AN SLA
Structuring an SLA is an important, multiple-step process involving both the client and the vendor. In order to successfully meet business objectives, SLA best practices dictate that the vendor and client collaborate to conduct a detailed assessment of the client's existing application suite, new IT initiatives, internal processes, and currently delivered baseline service levels.

Application portfolio assessment is done in order to highlight which applications are core to a business unit and which are strategic in nature.

Application portfolio assessment provides the following:

• Collects information related to the various applications;
• Analyses the data;
• Identifies potential issues;
• Identifies applications that are ready to, and can easily, be outsourced;
• Supplies a baseline report on findings;
• Submits recommendations to IT management for approval.

The structure of an SLA can be broadly divided into three groups:

• General Clauses
• Services and Service Levels
• Management Elements

Each group is further divided into the following subgroups:

General Clauses
1. Scope
2. Parties to the Agreement
3. Term
4. Conventions

Scope: In general, the scope of an SLA is to agree upon the quality and quantity of the delivered services.

Parties to the Agreement: Normally there are two parties who negotiate the agreement: the service provider and the customer.

Term: This section provides information about the contract period and the clauses concerning the validity and termination of the contract.

Conventions: This section details the conventions used in the SLA. This may include the definitions of times, dates and other key words used.

Services and Service Levels
1. Service Description
2. Optional Services
3. Exclusions
4. Limitations
5. Entities Involved
6. Service Levels
7. Service Level Indicators

These are explained one by one below.

Service Description: Everything which will be covered in the services.

Optional Services: Services other than the mandatory services, needed once in a while by the customer during the contract period.

Exclusions: One-time instances where the SLA is not in effect, e.g. during a natural disaster.

Limitations: Services which will not be covered in the SLA.

Entities Involved: The different entities involved in the SLA.

Service Levels: Defines the level of service expected by a customer from a supplier/vendor.

Service Level Indicators: Parameters which measure the level of service being provided by the vendor.

Management Elements
1. Rewards and Remedies
2. Escalation Procedures
3. Reporting
4. Reviews
5. Change Process

6. Points of Contact
7. Approval

Rewards and Remedies: Remedies or penalties should be agreed on in case the desired service levels are not achieved.

Escalation Procedures: Escalation is the process whereby unresolved issues move to a higher level as per a defined hierarchy, e.g. first level of contact, second level of contact and last level of contact.

Reporting: The key or management reports provided by the vendor to the customer so that the customer is well informed about the services.

Reviews: Reviews to be held by management from time to time so that the services are kept in check.

Change Process: Management should be well aware of the change process.

Points of Contact: The points of contact of the different stakeholders in providing the services, so that they can be contacted in time of need.

Approval: Approval of management is mandatory in all cases during the contract period.

Change Management
A well-defined change management procedure is a critical security measure to protect the production IT environment from any unwanted/unintended disruptions on account of the application of system and application patches and hardware changes.

The vendor should be bound through the SLA to strictly follow the laid-down change management processes.

Changes in the system may be divided into two types:

(a) Scheduled changes. (b) Emergency changes.

System Resiliency, SPOF & Clustering

System Resiliency: System resilience is the ability of organizational, hardware and software systems to mitigate the severity and likelihood of failures or losses, to adapt to changing conditions, and to respond appropriately after a natural disaster or any other disaster. Resiliency may also at times be called fault tolerance.

Data center resiliency is often achieved through the use of redundant components, subsystems, systems or facilities. When one element fails or experiences a disruption, the redundant element takes over seamlessly and continues to support computing services to the user base. Ideally, users of a resilient system never know that a disruption has even occurred.

Single point of failure (SPOF) and clustering:

A SPOF refers to one fault or malfunction that can cause an entire system to stop operating.

In a data center or other information technology (IT) environment, a single point of failure (SPOF) can compromise the availability of workloads or of the entire data center.

Consider a data center where a single server runs a single application. The underlying server hardware would present a single point of failure for the application's availability. If the server failed, the application would become unstable or crash entirely, preventing users from accessing the application and possibly even resulting in some measure of data loss.

In this situation, the use of server clustering technology would allow a duplicate copy of the application to run on a second physical server. If the first server failed, the second would take over to preserve access to the application and avoid the SPOF.

What is Clustering?

Clustering is the use of multiple computers, typically PCs or UNIX workstations, multiple storage devices, and redundant interconnections, to form what appears to users as a single highly available system. Cluster computing can be used for load balancing as well as for high availability.
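Whether a cluster really removes the SPOF depends on what its members still share. The Python block below is an added example, not part of the original material, that models a small topology as dependency nodes of two kinds ("all" nodes need every child, like a server that needs its switch; "any" nodes need at least one child, like a cluster) and then finds every component whose failure alone takes the service down. The two topologies (the single-server case from the text, and a two-node cluster whose members hang off one switch and one shared storage array) and all component names are constructed for the illustration.

```python
from typing import Dict, List, Set, Tuple

# name -> (mode, children). mode "all": node works only if every child works;
# mode "any": node works if at least one child works (a redundancy group).
# A node with no children is a leaf component.
Topology = Dict[str, Tuple[str, List[str]]]


def is_available(topology: Topology, root: str, failed: Set[str]) -> bool:
    """True if `root` still delivers service while the components in `failed` are down."""
    def up(node: str) -> bool:
        if node in failed:
            return False
        mode, children = topology.get(node, ("all", []))
        if not children:
            return True
        if mode == "all":
            return all(up(child) for child in children)
        return any(up(child) for child in children)
    return up(root)


def find_spofs(topology: Topology, root: str) -> List[str]:
    """Every component whose failure, on its own, makes `root` unavailable."""
    candidates = {child for _, children in topology.values() for child in children}
    # Redundancy groups are logical constructs, so only real components are tested.
    candidates -= {node for node, (mode, _) in topology.items() if mode == "any"}
    return sorted(c for c in candidates if not is_available(topology, root, {c}))


# Constructed topologies (hypothetical component names).
SINGLE_SERVER: Topology = {
    "banking-app": ("all", ["app-server-1"]),
    "app-server-1": ("all", ["switch-1"]),
}

CLUSTERED: Topology = {
    "banking-app": ("all", ["app-cluster", "shared-storage"]),
    "app-cluster": ("any", ["app-server-1", "app-server-2"]),
    "app-server-1": ("all", ["switch-1"]),
    "app-server-2": ("all", ["switch-1"]),   # both cluster nodes hang off one switch
}


if __name__ == "__main__":
    print("single server SPOFs:", find_spofs(SINGLE_SERVER, "banking-app"))
    print("clustered SPOFs:    ", find_spofs(CLUSTERED, "banking-app"))
```

Clustering removes the server itself from the SPOF list, but the shared switch and the shared storage remain SPOFs until they too are made redundant; running `find_spofs` after every topology change is a cheap way to catch that before an outage does.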

Workload Scheduling

In the context of IT systems and data center management, a "workload" can be broadly defined as "the total requests made by users and applications of a system."

However, it is also possible to break down the entire workload of a given system into sets of self-contained units. Such a self-contained unit constitutes a "workload" in the narrow sense: an integrated stack consisting of application, middleware, database and operating system devoted to a specific computing task.

Typically, a workload is "platform independent," meaning that it can run in physical, virtual or cloud computing environments.

Systems Performance Monitoring Process

Monitoring tools are primarily divided into two main categories:

1. Real-time
2. Log-based

Real-time monitoring tools are concerned with measuring the current system state and provide up-to-date information about system performance.

Log-based monitoring tools record system performance information for post-processing and analysis, and to find trends in system performance.

Top System Monitoring Software

1. Sematext Monitoring
2. SolarWinds Server & Application Monitor
3. Atera
4. Datadog Infrastructure Monitoring
5. Site24x7 Server Monitoring
6. Paessler PRTG Network Monitor
7. ManageEngine Applications Manager
8. Nagios
9. Zabbix
10. NinjaOne
11. Spiceworks

Tools for network performance analysis include GFI LanGuard, Nagios, OpenNMS, Fiddler, etc.

Six steps can help create the fundamental building blocks of an effective performance monitoring strategy:

Collect: Any performance monitoring strategy starts with data collection.

Baseline: Establish a baseline for "normal" performance. The performance monitoring platform should do this automatically for every metric you collect. This includes baselines for unstructured data, such as logs.

Alert: We may employ two types of alerts: those based on static thresholds and those based on deviation from baseline performance. Static thresholds are useful in cases such as wanting to know when a CPU exceeds 95% utilization for a period of 15 minutes or more. For example, we'd want to know when the voltage on a UPS falls outside of a specified range, or when the temperature of a device exceeds a high or low manufacturer recommendation.

Report: We typically access reports in one of two ways: summary/daily scheduled reports provided via a saved template, or ad-hoc reports generated to respond to specific business conditions.

Analyse, share and act: Analysis needs to be proactive to be more effective.
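The two alert types in the Alert step behave quite differently on the same data, and the difference is easiest to see in code. The Python block below is an added example, not code from the CAIIB material or from any of the monitoring products listed above: the first rule is the static threshold from the text (CPU above 95% sustained for 15 minutes or more), the second flags any reading more than three standard deviations away from a baseline learned from readings taken under normal load. The one-minute CPU readings and the ten baseline readings are constructed for the illustration, as is the choice of three standard deviations.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev


def static_threshold_alerts(samples, threshold, min_duration):
    """Static-threshold alert: one alert per run of consecutive samples that stay
    above `threshold` for at least `min_duration`.
    samples: list of (timestamp, value) in chronological order.
    Returns a list of (run_start, run_end) timestamps."""
    alerts = []
    run_start = run_end = None
    for ts, value in samples:
        if value > threshold:
            if run_start is None:
                run_start = ts
            run_end = ts
        elif run_start is not None:
            if run_end - run_start >= min_duration:
                alerts.append((run_start, run_end))
            run_start = run_end = None
    # A run that is still open when the window ends must be closed too.
    if run_start is not None and run_end - run_start >= min_duration:
        alerts.append((run_start, run_end))
    return alerts


def baseline_deviation_alerts(samples, history, k=3.0):
    """Baseline-deviation alert: every sample more than k standard deviations
    from the mean of `history` (readings collected under normal load)."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:  # flat baseline: no usable spread, so any change counts
        return [(ts, v) for ts, v in samples if v != mu]
    return [(ts, v) for ts, v in samples if abs(v - mu) > k * sigma]


# Constructed baseline: ten one-minute CPU readings (percent) under normal load.
NORMAL_CPU_HISTORY = [38, 42, 40, 41, 39, 40, 42, 38, 40, 40]


def build_samples(start=datetime(2024, 3, 10, 10, 0)):
    """Constructed one-minute CPU readings over a 41-minute window: a one-minute
    spike to 60%, a 10-minute burst at 97% (too short for the static rule) and a
    19-minute plateau at 96% (long enough to trigger it)."""
    pattern = [40] * 5 + [60] + [40] * 4 + [97] * 10 + [40] * 2 + [96] * 19
    return [(start + timedelta(minutes=i), v) for i, v in enumerate(pattern)]


def run_example():
    samples = build_samples()
    static = static_threshold_alerts(samples, threshold=95,
                                     min_duration=timedelta(minutes=15))
    baseline = baseline_deviation_alerts(samples, NORMAL_CPU_HISTORY)
    return static, baseline


if __name__ == "__main__":
    static, baseline = run_example()
    for start, end in static:
        print(f"static: CPU > 95% from {start:%H:%M} to {end:%H:%M}")
    print(f"baseline: {len(baseline)} readings deviate from normal, first at "
          f"{baseline[0][0]:%H:%M} ({baseline[0][1]}%)")
```

On the constructed data the static rule fires exactly once, for the 10:22 to 10:40 plateau, and stays silent on both the 60% spike and the 10-minute burst at 97%. The baseline rule catches the 60% spike at 10:05 and every reading of the two bursts, which is the complementary behaviour the text describes: static thresholds for hard limits, baseline deviation for "abnormal for this system" even when no fixed limit is crossed.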

SLA MANAGEMENT
SLAs require constant discussion and renegotiation as the needs of the business change. Using software tools to automate the measuring process saves time and reduces the chance of errors and conflict.

In addition to simple and automated measurement techniques, SLA management processes must be in place to ensure clear communication throughout the entire project between the parties involved.

SMART Principle of SLA Terms

1. Specific: target a specific area for improvement.
2. Measurable: quantify or at least suggest an indicator of progress.
3. Achievable: state what results can realistically be achieved, given available resources.
4. Responsible: specify who will do it.
5. Time-related: specify when the result(s) can be achieved.
Geeky Bankers
CAIIB (IT)
Module D
RBI guidelines on IT security (2016) & ATM Security (2017)
Unit 19


CAIIB (IT) MODULE D
Chapter 19: RBI guidelines on IT security (2016) & ATM Security (2017)

What we will study?

• What is information security?
• What is cyber security?
• RBI Guidelines on Cyber Security, 2016
• RBI Advisory on securing ATMs, March 2017 guidelines

The Reserve Bank of India on 02 June 2016 issued a circular (RBI/2015-16/418DBS.CO/CSITE/BC.11/33.01.001/2015-16) on the Cyber Security Framework in Banks. This applied to all Scheduled Commercial Banks (excluding Regional Rural Banks).

Earlier, in 2011, the Reserve Bank of India had provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G. Gopala Krishna Committee) vide Circular DBS.CO.ITC.BC. No. 6/31.02.008/2010-11 dated April 29, 2011.


INFORMATION SECURITY

• Information Security focuses on protecting the confidentiality, integrity, and availability of information.

Confidentiality: The term 'confidentiality' means that only authorized users can access the information.

Integrity: The term 'integrity' means guarding against improper information modification or destruction.

Availability: It means that systems and data are available to individuals when they need them under any circumstances, including power outages or natural disasters.

Cyber Security

• Cyber Security is the ability to protect or defend the use of cyberspace from cyberattacks.
• Cybersecurity is concerned with cyber-crimes, cyber frauds, and law enforcement.
• It deals with threats that may or may not exist in the cyber realm, such as protecting your social media account, personal information, etc.


Important points in the RBI Guidelines

Need for a Board-approved Cyber Security Policy
Banks should immediately put in place a cyber security policy elucidating the strategy, containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board.

Cyber Security Policy to be distinct from the broader IT policy/IS Security Policy of a bank
In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy/IS Security policy, so that it can highlight the risks from cyber threats and the measures to address/mitigate these risks.

Arrangement for continuous surveillance
Testing for vulnerabilities at reasonable intervals of time is very important. The nature of cyber-attacks is such that they can occur at any time and in a manner that may not have been anticipated. Hence, it is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet done. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.
IT architecture should be conducive to security
The IT architecture should be designed in such a manner that it facilitates the security measures being in place at all times. The same needs to be reviewed by the IT Sub-Committee of the Board and upgraded, if required, as per their risk assessment in a phased manner.

Comprehensively address network and database security
Recent incidents have highlighted the need to thoroughly review network security in every bank. In addition, it has been observed that many times connections to networks/databases are allowed for a specified period of time to facilitate some business or operational requirement. However, the same do not get closed due to oversight, making the network/database vulnerable to cyber-attacks. It is essential that unauthorized access to networks and databases is not allowed and, wherever permitted, these are through well-defined processes which are invariably followed.

Ensuring protection of customer information
Banks, as owners of data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves, with customers or with third-party vendors.


Cyber Crisis Management Plan
A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board-approved strategy. Considering the fact that cyber-risk is different from many other risks, the traditional BCP/DR arrangements may not be adequate and hence need to be revisited keeping in view the nuances of cyber-risk.

In India, CERT-In (Computer Emergency Response Team - India, a Government entity) has been taking important initiatives in strengthening cyber-security by providing proactive and reactive services as well as guidelines, threat intelligence and assessment of the preparedness of various agencies across sectors, including the financial sector.

A Cyber Crisis Management Plan (CCMP) should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment.

Cyber security preparedness indicators
The adequacy of, and adherence to, the cyber resilience framework should be assessed and measured through the development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among stakeholders, including employees, may also form a part of this assessment.
Sharing of information on cyber-security incidents with RBI
It is observed that banks are hesitant to share the cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing cyber-incidents and best practices would facilitate timely measures in containing cyber-risks. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank.

Banks are also encouraged to actively participate in the activities of their CISOs' (Chief Information Security Officers') Forum coordinated by IDRBT (Institute for Development and Research in Banking Technology) and promptly report incidents to the Indian Banks - Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT.

Supervisory reporting framework
It has been decided to collect both summary-level information as well as details on information security incidents, including cyber-incidents, at RBI.

Organizational arrangements
Banks should review their organizational arrangements so that security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.

Cyber security awareness among stakeholders / Top Management / Board
Top Management and the Board should also have a fair degree of awareness of the fine nuances of the threats, and appropriate familiarization may be organized. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders, an understanding of the bank's cyber resilience objectives, and require and ensure appropriate action to support their synchronized implementation and testing.


Some illustrative steps to improve the security posture of ATMs:

1. Ensure that the BIOS password is enabled at all ATMs.

2. The auto-run facility for exe files from a network or a USB port shall be disabled immediately.

3. Deploy full hard disk encryption (FHDE) and encryption and authentication solutions to protect internal communications between the genuine ATM PC core and the ATM modules, including the dispenser.

4. Whitelisting of applications in ATMs may be carried out expeditiously.

5. Recommendations on security made by the OEMs may be examined carefully and implemented.

6. Outbound traffic from ATMs may be monitored for any unusual activities.

7. Banks may randomly select four or five ATMs at different geographical locations and subject them to deeper malware analysis, so as to find out whether any malware variants are residing in such ATMs.

8. Surveillance of ATM operations may be strengthened to monitor any abnormal/suspicious activity at ATMs and take immediate corrective action, including the filing of police complaints.

9. Immediately initiate steps to upgrade the OS at ATMs (to OEM-supported software). Steps taken in this regard, including the timeline by which this will be achieved, may be intimated to the CSITE cell immediately.

10. ATM passwords need to comply with password security best practices.

11. For ATMs communicating through a shared or outsourced network, a local firewall is necessary.

Cyber security guidelines which were already issued by RBI

• As a default rule, the use of removable devices and media should not be permitted in the banking environment unless specifically authorized for a defined use and duration of use.
• Banks should consider implementing whitelisting of internet websites/systems.
• Banks should define and implement a policy for the restriction and secure use of removable media/BYOD (Bring Your Own Device) on various types/categories of devices.
• Banks shall be accountable for ensuring appropriate management and assurance on security risks in outsourced and partner arrangements.
• Have a mechanism to automatically identify unauthorized device connections to the bank's network and block such connections.
• Appropriate physical security measures shall be taken to protect the critical assets of the bank.
• Banks should continuously monitor the release of patches by various vendors/OEMs and advisories issued by CERT-In and other similar agencies, and expeditiously apply the security patches as per the patch management policy of the bank.
• Banks should have a mechanism to control, centrally or otherwise, the installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc., and a mechanism to block/prevent and identify the installation and running of unauthorized software/applications on such devices and systems.

