
CHAPTER – 3

INFORMATION SYSTEMS & ITS COMPONENTS

DATA, INFORMATION & SYSTEM

• Data

Raw & unorganized pieces of information which do not convey any
message as such. Data can be both qualitative as well as quantitative.

• Information

Processed form of data. Organization collects data from both internal &
external sources & after processing, it becomes information.

• System

Group of inter-related components or elements working together to
achieve some common goal or objectives like Traffic System, Government
System, Information System etc.

INFORMATION SYSTEM

• Meaning

Mechanism which takes input (data), processes it & converts into output
(information) & has a feedback mechanism to control the entire operation.

• Function
- Input
- Processing
- Output
- Feedback & Control
• Components / Resources
- People
- Hardware (Computer System)
- Software (Computer System)
- Data
- Network

COMPONENTS OF INFORMATION SYSTEMS

1. People

2. Computer System

Hardware

- Input Devices
- Processing Devices
- Storage Devices
- Output Devices

Software

a. Operating System
b. Application Software

3. Data

• Database
• DBMS
• Database Models

4. Network

COMPONENT - HARDWARE

• Meaning & Architecture

Tangible portion of computer system which can be seen, touched & has
weight.

• Input Device

Devices used to interact with computer system & through which
instructions are given to the computer system about the task to be
performed.

Types of Input Device

- Text Based: Keyboard
- Position Based: Mouse, Touchpad
- Image Based: Scanner
- Voice Based: Microphone

• Processing Device

In computer system, CPU acts as processing device that executes the
programs & instructions & co-ordinates the hardware & software. CPU acts
like brain of the computer. It has three functional units:

- Control Unit (CU)
- Arithmetic Logical Unit (ALU)
- Registers

• Data Storage Devices
• Meaning

Memory where data & programs are stored on a temporary or permanent
basis.

• Types
- Internal Memory
a. Processor Registers
b. Cache Memory
- Primary/Main Memory
a. RAM
b. ROM
- Secondary Memory
- Virtual Memory

• Output Devices

Devices through which computer system responds & shows the result of
task given to computer for executions. Like printer, monitor, speaker,
projector etc. Output can be:

- Textual Output
- Graphical Output
- Tactile Output
- Audio Output
- Video Output

(a) Internal Memory - Memory built within the CPU.

• Processor Registers - Low capacity (64 Bits) very high-speed memory
within CPU & directly involved in the execution of instructions. Volatile in
nature.
• Cache Memory - Smaller, faster & volatile memory within CPU that
stores most frequently used instructions from primary memory locations.

(b) Primary/ Main Memory - Memory which is directly & quickly accessed by
CPU.

• Random Access Memory (RAM) - Volatile & stores data, files, programs &
software currently used by computer.
• Read Only Memory (ROM) - Non-volatile & stores basic codes &
instructions for initial booting of computer.

(c) Secondary Memory - Non-volatile high capacity memory that stores data &
programs on permanent basis. It is slower & cheaper memory. Like CD, DVD, Pen
Drive, Hard Disk etc.

(d) Virtual Memory - If the computer runs short of RAM, the operating system
creates a temporary space called "Paging File" on the hard disk to compensate
for RAM. It is not a physical memory but an imaginary or virtual memory.

COMPONENT - SOFTWARE

• Meaning

Set of instructions that tells hardware what to do. Without software,
hardware will be non-operational. Software is stored in some storage device
(hardware).

• Application Software

Software that performs the task beyond the running of the computer itself.
Through it, user can perform multiple tasks. Examples:

- MS Office
- Accounting Software
- ERP Software
- CBS Software

• Operating System Software

Set of computer programs that manages the hardware & acts as
intermediary between the user & the computer. It performs following
activities:

- Performs Hardware functions
- Provides user interface
- Provides hardware independence to app developers
- Memory Management
- Task Management
- File Management
- Networking Capabilities
- Logical Access Security

COMPONENT - DATA RESOURCE

• Introduction

Organization generates & collects huge quantity of different types of data like
production related data, HR related data, Marketing related data etc. These
data are stored in Databases.

• Database
- Meaning

Organized collection of related data where all data stored are related to
each other. Hence to manage unrelated data, separate databases are
created.

- DBMS

Database Management Systems are software that help an entity in
organizing, using & controlling the data stored in databases.

DBMS

• Operations Performed
- Adding new file
- Deleting existing file
- Inserting data in existing file
- Modifying data in existing file
- Deleting data from existing file
- Retrieving data from existing file
• Data Evolution Hierarchy
- Database
- Files
- Record
- Field
- Character/Byte
- Bits
• Types
- Enterprise Level
o Oracle Database
o DB2
o SQL etc.
- Personal Usage
o Microsoft Access
o Open Office Base
• Models
- Hierarchical
- Network
- Relational
- Object Oriented
• Advantages
- Permits data sharing
- User friendly
- Improved security
- Minimizes data redundancy
- Achieving program/data independence
- Faster application development
• Disadvantage
- Cost
- Security

DATABASE MODEL

• Meaning

It determines the logical structure of the database & the manner in which data
can be stored, organized & retrieved.

• Database Model Types

- Hierarchical

Records are logically structured into a hierarchy of relationships that
forms an inverted tree-like structure. All records are linked in a
parent-child relationship. Top parent record is called Root Record. This
model implements one to one & one to many relationships. Here search is
difficult & time consuming.

- Network

It views all records in sets where each set is composed of one owner
record & one or more member records. Here a record can be a member
of more than one set at the same time. This model implements many to
one & many to many relationships as well. Here data search is fast.

- Relational

Data is structured in a table which is made of rows & columns. Three
important terms are:

o Relation - Table made of rows & columns.
o Attributes - Named column
o Domain - Set of values attributes can take.

Different tables are linked through keys in this database model.

- Object Oriented

All data are modeled & created as objects where each object is an
independently functioning unit. Objects are organized by grouping them in
class & sub-class. This model is mainly used to store complex data like
images, audio, video etc.

COMPONENT - NETWORK & TELECOMMUNICATION SYSTEM

• Meaning
- Telecommunication - Refers to exchange of data & information over the
computer network.
- Computer Network - Refers to collection of computers, servers & other
networking devices (router, switch etc.) connected to each other.
• Types
- Connection Oriented - First connection is established then data are
exchanged. Like circuit switching.
- Connection Less - No prior connection is established & data to be
exchanged contains the complete information (IP Address) of the
sender & recipient. E.g. packet switching
• Terms Used
- Routing - Process of determining how to communicate data from
source to destination.
- Bandwidth - Quantity of data that can be transmitted in a given time
like a second. E.g. Mbps, Gbps etc.
- Resilience - Ability of the computer network to recover from any kind
of error like connection failure, data loss etc.
- Contention - Situation where there arises some conflict for some
common resource in a network.
• Benefits
- Distributed nature of information
- Resource sharing
- User communication
- Computational power
- Reliability

INFORMATION SYSTEM’S AUDITING

• Meaning & Objectives

Process of meeting attestation objectives (external auditor), focused on data
integrity & asset safeguarding, and management objectives (internal auditor),
focused on effectiveness & efficiency. Four Main Objectives:

- Asset safeguarding
- Data integrity
- System effectiveness
- System efficiency
• Need
- Organizational cost of data loss
- Cost of incorrect decision making
- Cost of computer abuse
- High cost of computer error
- Maintenance of privacy
- Value of hardware, software
• Tools

1. Today organizations produce data on a real-time basis & hence there is a
need for continuous auditing tools. These enable auditors to significantly
reduce or eliminate the time between occurrence of an event & its auditing.

2. Types of Tools

Snapshot

Snapshot software is embedded in the system at those points where
material processing occurs. It captures images of that processing & such
images can be utilized to assess the authenticity, accuracy & completeness
of processing.

Audit Hooks

These are codes embedded in the application that flag transactions which
the auditor considers suspicious & report such transactions to the
auditor.

Integrated Test Facility (ITF)

Here a dummy entity (like a dummy master file) is created in the
application system & test data is then submitted for processing against
the entity to verify the authenticity, accuracy & completeness of the
processing.

Continuous & Intermittent Simulation (CIS)

It is used to trap exceptions and report them when the application
system uses a DBMS. The DBMS passes each transaction to CIS & CIS determines
whether to examine it or not. If it decides to examine it, CIS simulates
the processing & compares the data it processed with the data processed
by the application system. Exceptions, if identified, are recorded in an
exception log file. The biggest advantage of CIS is that it does not
require any embedding in the application, yet still provides online
auditing capability.
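The CIS mechanism described above, as an added example that is not part of these notes: a toy CIS module receives the same transactions the DBMS hands to an invoicing application, applies a selection criterion (only transactions at or above a materiality threshold are examined), independently re-computes the result from the specification, and writes any mismatch to an exception log. The application, its truncation defect, the threshold and the sample transactions are all constructed for this illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

TWO_PLACES = Decimal("0.01")

# Constructed sample transactions, as the DBMS would hand them to the
# application and, in parallel, to the CIS module.
TRANSACTIONS = [
    {"id": 101, "qty": 1, "unit_price": "25.25", "tax_rate": "0.18"},
    {"id": 102, "qty": 100, "unit_price": "7.50", "tax_rate": "0.18"},
    {"id": 103, "qty": 1, "unit_price": "1200.00", "tax_rate": "0.18"},
    {"id": 104, "qty": 1, "unit_price": "5.25", "tax_rate": "0.18"},
]


def net_amount(txn):
    return Decimal(txn["qty"]) * Decimal(txn["unit_price"])


def app_process(txn):
    """Assumed application logic: invoice total = net + tax. It truncates the
    tax instead of rounding it (a 'rounding down' defect of the kind listed
    among the technical exposures in these notes), which CIS should surface."""
    tax = net_amount(txn) * Decimal(txn["tax_rate"])
    return net_amount(txn) + tax.quantize(TWO_PLACES, rounding=ROUND_DOWN)


def cis_simulate(txn):
    """CIS re-computes the same transaction from the specification (round
    half up to the paisa) rather than reusing the application's code."""
    tax = net_amount(txn) * Decimal(txn["tax_rate"])
    return net_amount(txn) + tax.quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


def cis_should_examine(txn, materiality):
    """Selection criterion: CIS decides whether to examine a transaction.
    Here it examines only transactions at or above a materiality threshold."""
    return net_amount(txn) >= materiality


def run_cis(transactions, materiality=Decimal("20.00")):
    """Every transaction goes to the application; CIS examines the selected
    ones, compares its result with the application's, and records any
    mismatch in an exception log. Returns (exception_log, examined_count)."""
    exception_log = []
    examined = 0
    for txn in transactions:
        app_result = app_process(txn)  # value the application would store
        if not cis_should_examine(txn, materiality):
            continue
        examined += 1
        sim_result = cis_simulate(txn)
        if sim_result != app_result:
            exception_log.append({
                "id": txn["id"],
                "application": str(app_result),
                "simulated": str(sim_result),
                "difference": str(sim_result - app_result),
            })
    return exception_log, examined


if __name__ == "__main__":
    log, count = run_cis(TRANSACTIONS)
    print(f"examined {count} of {len(TRANSACTIONS)} transactions, "
          f"{len(log)} exception(s) logged")
    for entry in log:
        print(entry)
```

Transaction 104 carries the same defect as 101 but falls below the threshold, so it is never examined; lowering the materiality to zero turns the intermittent check into a continuous one and surfaces it too.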

System Control Audit Review File (SCARF)

It involves embedding an audit software module in the application system
for continuous monitoring of system transactions. The information so
collected is written to a special audit file called the SCARF Master File.

MASTER CHART OF CLASSIFICATION OF INFORMATION SYSTEM'S CONTROLS

1. Objectives of Controls
2. Nature of IS Resources
3. Audit Function

(I) CLASSIFICATION BASED ON OBJECTIVES OF CONTROLS

• Preventive Controls
- Employing Qualified Personnel
- Segregation of Duties (SOD)
- Access Control
- Authorization of transactions
- Validation of transactions
- Edit Checks in applications
- Firewalls, Antivirus Software
- Login ID, Password
• Detective Controls
- Internal audit system
- Intrusion Detection system
- Budgeting & Maintaining actual expenditure against budgets
- Bank Reconciliation system
- Check points in production system
- Rechecking of calculations
- Echo control in telecommunication
- Hash Totals
• Corrective Controls
- Business continuity plan (BCP)
- Contingency planning
- Backup procedures
- Rerun procedures
- Variance Analysis
- Submitting corrective journal entries after discovering errors

• Preventive Controls: Controls established to prevent the error or omission
from occurring.
• Detective Controls: Controls established to detect and report the error or
omission after they have occurred.
• Corrective Controls: Controls established to correct (eliminate or
minimize) the impact of errors and omissions after they have been
detected.

(II) CLASSIFICATION BASED ON NATURE OF IS RESOURCES

• Environmental Controls
- Fire / Explosion Damage
- Power Spike / Electrical Exposure
- Water Damage
- Pollution Damage & Others
• Physical Access/Security Controls
- Lock on Doors
o Cipher Locks
o Bolting Door Locks
o Electronic Door Locks
- Physical Identification Medium
o Plastic Cards
o Personal Identification Number
o Identification Badge
- Logging on Facilities
o Manual Logging
o Electronic Logging

Environmental Controls: Controls relating to IT environment such as
power, air-conditioning, UPS, smoke detectors, fire extinguishers etc.

Physical Access Controls: Controls relating to the physical security of
tangible IS resources and intangible resources (data & programs stored on
them). These controls save the entity from abuse of IS resources, blackmail,
damage etc. of IS resources.

- Other Means
o Video Camera
o Security Guard
o Controlled Visitor Access
o Bonded Personnel
o Dead Man Doors
o Non-Exposure of Sensitive Facilities
o Controlled Single Entry Point
o Computer Technical Lock
o Control of Out of Hours of Employees
o Perimeter Fencing
o Secured Distributor Carts
o Alarm System
• Logical Access Controls

1. Types of Technical Exposures

o Data Diddling
o Bomb/Logic Bombs
o Christmas card
o Worms
o Rounding Down
o Salami Technique
o Trap Doors/Back Doors
o Spoofing

2. Asynchronous Attacks

o Data Leakage
o Wire Tapping
o Piggy Backing
o Subversive Attacks

3. Types of Logical Access Controls

A. User Access Management

- User Responsibilities
- Privilege Management
- User password Management
- Review of user access rights

B. Operating System Access Control

- Automated Terminal Identification
- Terminal Time Out
- Terminal Log-In Procedure
- Password Management System
- Access Control List
- Access Token
- Limitation of Connection Time
- Discretionary Access Control

C. User Registration
- Password use
- Unattended User Equipment

D. Network Access Control

- Policy on use of Network Services
- Segregation of Network
- Security of Network Services
- Enforced Path
- Firewalls
- Encryption
- Call Back Devices

E. Application and Monitoring System Access Control

- Sensitive system Isolation
- Information Access restriction
- Event logging
- Clock Synchronization
- Monitor system use

F. Mobile Computing Controls

• Logical Access Controls: Controls established to ensure that access to the
system, data and programs is restricted to authorized users only, so as to
safeguard them from unauthorized use, modification, damage etc. Weak
or ineffective Logical Access Controls give opportunity to logical access
violators and result in technical exposures for the entity.

(III) CLASSIFICATION BASED ON AUDIT FUNCTION

• Managerial Controls

A. Top Management & Information System Management Controls

- Planning
- Organizing
- Leading
- Controlling

B. System Development Management Controls

- System Authorization Activities
- User Specification Activities
- Technical Design Activities
- Internal Auditor's Participations
- Program Testing
- User Test & Acceptance Procedures

C. Programming Management Controls

- Planning
- Control
- Design
- Coding
- Testing
- Operation & Maintenance

D. Operations Management Controls

- Computer Operations
- Network Operations
- Data Preparation & Entry
- File Library
- Documentation & Program Library
- Help Desk/Technical Support
- Management of Outsourced Operations

E. Quality Assurance Management Controls

F. Security Management Controls

G. Data Resource Management Controls

• Application Controls

A. Boundary Controls

- Cryptography
- Password
- Personal Identification Number
- Identification card
- Biometric Devices

B. Input Controls

- Source Document Controls
- Data Coding Controls
- Batch Controls
- Validation Controls

C. Communication Controls

- Physical Component Controls
- Line Error Control
- Flow Control
- Link Control
- Channel Access Control
- Internetworking Controls
- Topological Controls

D. Output Controls

- Storage & Logging of Sensitive Critical Forms
- Logging of Output Program Execution
- Spooling/Queuing
- Control over Printing
- Report Distribution & Collection Controls
- Retention Controls

E. Database Controls
(i) Update Controls

- Maintain a Suspense Account
- Sequence Check between Transaction & Master File
- Ensure all Records on File Processed
- Multiple Transactions for a Single Record

(ii) Report Controls

- Standing Data
- Run to Run Control Totals
- Print Suspense Account Entries
- Existence/Recovery Controls

F. Processing Controls

- Processor Controls
- Real Memory Controls
- Virtual Memory Controls
- Data Processing Controls
• Managerial Controls: Controls over managerial functions to ensure that
the development, implementation, operation and maintenance of
information systems are carried out in a planned and controlled manner.
• Application Controls: Controls to ensure that data remains complete,
accurate and valid during its input, processing, storage, communication
etc.

AUDITING OF DIFFERENT CONTROLS IMPLEMENTED BY ENTITY

• Environmental Controls

Auditor should audit

- Power Conditioning
- Back-up power
- HVAC
- Water Detection
- Fire detection
- Cleanliness
• Physical Access Controls

Auditor should audit

- Siting & Marking
- Physical Barriers
- Surveillance
- Guards & Dogs
- Key Card System
• Logical Access Controls
I. Internet Point of Presence
- Search Engine
- Social Networking sites
- Online Sales Sites
- Domain Names
- Justification of Online Presence
II. User Access Control
- Auditing User Access Controls
- Password Management
- User Access Provisioning
- Employee Termination
III. User Access Log
- Centralized access logs
- Access log protection
- Access log review
- Access log retention
IV. Investigative Procedure
- Investigation policies & procedures
- Computer crime investigation
- Computer forensics
• Managerial Controls
- Top Management & Information System Management
Controls - Auditor should audit the Planning, Organizing,
Leading & Controlling tasks performed by senior management.
- System Development Management Controls - Auditors do
Concurrent Audit, Post Implementation Audit & General Audit,
where the first two are done by the internal auditor while the
general audit is done by the external auditor.
- Programming Management Controls - Auditor should audit all
the phases like Planning, Control, Design, Coding, Testing &
Operations & Maintenance.
- Data Resource Management Controls - Auditor should exercise
controls to verify data integrity.
- Quality Assurance Management Controls - Auditor should
conduct interviews, review documents, make observations
etc. for the same.
- Security Management Controls - Auditor should check whether
entity has security administrators, disaster recovery plan,
insurance etc.
- Operations Management Controls - Auditor should evaluate
whether documentation is maintained securely &
issued only to authorized personnel.
• Application Controls

Auditor should verify two types of audit trails in each sub-system

- Accounting Audit Trail - Maintains record of events.
- Operational Audit Trail - Maintains record of resource consumption.

A. Boundary Controls

Maintains chronology of events that occur when a user attempts to gain access
to & employ system resources.

- Accounting Audit Trail - Action privileges allowed or denied.
- Operations Audit Trail - Resources used from log-in to log-out time.

B. Input Controls

Maintains chronology of events from the time data entered till it is deemed
valid & passed for processing.

- Accounting Audit Trail
o Person who was source of data
o Person who entered data into system
o Time & date when data was captured
o Physical device used to input data etc.
- Operations Audit Trail
o Time taken to key-in (typing) data
o No. of keying errors
o No. of read errors by optical scanner
o Time taken to give instruction via mouse or pen.

C. Database Controls

Maintains chronology of events that occur in the database.

- Accounting Audit Trail
o Attach time stamp to all transactions.
o Attach before & after images of data.
- Operations Audit Trail - Resource consumption of events that
affect the database.
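The database accounting audit trail described above, as an added example that is not part of these notes: each update is time-stamped and recorded with its before & after images, the trail can be replayed to reconstruct the table as it stood after any transaction (the "Reconstructing Events" objective), and a chain check shows how a gap in the trail (a change that reached the table without being logged) is detected. The table, fields, user names and transactions are constructed for this illustration.

```python
import copy
from datetime import datetime, timezone


class AuditedTable:
    def __init__(self, name):
        self.name = name
        self.rows = {}         # primary key -> current record (dict)
        self.audit_trail = []  # accounting audit trail entries, in order

    def apply(self, txn_id, user, key, new_values, when=None):
        """Apply one transaction (new_values=None deletes the record) and log
        it with a time stamp, the user, the before image (None for an insert)
        and the after image (None for a delete)."""
        before = copy.deepcopy(self.rows.get(key))
        if new_values is None:
            self.rows.pop(key, None)
            after = None
        else:
            after = {**(before or {}), **new_values}
            self.rows[key] = after
        self.audit_trail.append({
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "txn_id": txn_id,
            "user": user,
            "table": self.name,
            "key": key,
            "before": before,
            "after": copy.deepcopy(after),
        })
        return after


def reconstruct(audit_trail, upto_txn_id=None):
    """Replay after images in order to rebuild the table state as it stood
    just after `upto_txn_id` (the whole trail when None)."""
    state = {}
    for entry in audit_trail:
        if entry["after"] is None:
            state.pop(entry["key"], None)
        else:
            state[entry["key"]] = copy.deepcopy(entry["after"])
        if entry["txn_id"] == upto_txn_id:
            break
    return state


def verify_chain(audit_trail):
    """Each entry's before image must equal the previous after image for the
    same key; a break means an unlogged change or a removed trail entry."""
    last_after = {}
    for entry in audit_trail:
        if entry["before"] != last_after.get(entry["key"]):
            return False
        last_after[entry["key"]] = entry["after"]
    return True


def build_sample_ledger():
    """Constructed sample: three transactions against an 'accounts' table."""
    table = AuditedTable("accounts")
    t0 = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    table.apply("T1", "clerk1", "A001", {"balance": 1000, "limit": 5000}, when=t0)
    table.apply("T2", "clerk1", "A001", {"balance": 1500}, when=t0.replace(minute=5))
    table.apply("T3", "manager", "A001", {"limit": 8000}, when=t0.replace(hour=10))
    return table
```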

D. Processing Controls

Maintains chronology of events from the time data received from input or
communication system to data dispatched to database, communication or
output system.

- Accounting Audit Trail
o Check existence of Flow Chart or DFD
o Trace & replicate processing performed
- Operations Audit Trail
o Log of hardware consumption like CPU usage etc.
o Log of software consumption like software libraries used, file
management facilities used.

E. Communication Controls

Maintains chronology of events from the time a message is sent till it is
received by the recipient.

- Accounting Audit Trail
o Unique identifier of source/sink node
o Unique identifier of node that traversed message
o Time & date node traversed message
o Unique identifier of person who sent message
o Time & date message dispatched
- Operations Audit Trail
o No. of messages traversed by each node
o Message transit time
o Queue lengths at each node
o No. of errors at each node
o No. of retransmissions

F. Output Controls

Maintains chronology of events from the time output content is
determined till user completes its disposal.

- Accounting Audit Trail
o What output was presented to user?
o Who received the output?
o When was output received?
- Operations Audit Trail - Record of resources used like paper,
printing time etc. to produce output.

SEGREGATION OF DUTIES (SOD)

• Meaning
Also known as separation of duties, it ensures single individuals do not
possess excess privileges that may result in unauthorized activities like
manipulation of sensitive data or fraud.

• SOD Controls
- Transaction Authorization
- Split custody of high-value assets
- Workflow
- Periodic reviews
• Mitigating SOD Issue
- Reduce access privileges
- Introduce a new mitigating control
- Increased logging requirements
- Improved exception reporting
- Reconciliations of data sets
- External reviews

AUDIT TRAIL

Logs that can be designed to record activity at the system, application, and user
level. When properly implemented, audit trails act as an important detective
control.

- Accounting Audit Trail shows the source & nature of data and processes
that update database.
- Operations Audit Trail maintains a record of resource consumption within
system.
• Need
- Fulfill statutory requirements
- Detect causes & consequences of error
- Answer queries
- Overall system monitoring
• Objectives
- Detecting Unauthorized Access
- Reconstructing Events
- Personal Accountability
• Generating Audit Logs

Information contained in audit logs is useful for accountants in measuring
the potential damage & financial loss due to application errors, abuse of
authority or unauthorized access.

ORGANIZATION STRUCTURE & RESPONSIBILITIES

To function properly, organisation needs proper structure to distribute the rights
and responsibilities among various users. This is called Organisational Structure
or Organisational Chart.

Why Structure Changes

- Short & long-term objectives
- Market conditions
- Regulations
- Available Talent

Individual Roles & Responsibilities

- Owner
- Executive management
- Manager
- User

Standard Job Titles

- Recruiting
- Compensation base lining
- Career advancement

JOB TITLES & DESCRIPTIONS IN THE IT FIELD

A. Executive Management
- CTO
- CSO
- CISO
- CPO
B. Software Development
- Systems Architect
- Systems Analyst
- Software Developers
- Software Tester
C. Data Management
- Database Architect
- Database Administrator
- Database Analyst
D. General Operations
- Operators Manager
- Operators Analyst
- Control Analyst
- Systems Operator
- Data Entry
- Media Librarian
E. Service Desk
- Help Desk Analyst
- Technical Support Analysts
F. Network Management
- Network Architect
- Network Engineer
- Network Administrator
- Telecom Engineer
G. Security Operations
- Security Architect
- Security Engineer
- Security Analyst
- User Account Management
- Security Auditor
H. System Management
- Systems Architect
- Systems Engineer
- Storage Engineer
- Systems Administrator
