Management Information Control System (MICS)
Compiled by: Anish Shrestha

Contents

Chapter 2: Different Types of Information System ... 4
  Information ... 4
  System ... 4
  Information System (IS) ... 4
  Data Mining ... 4
  Operational Level System ... 4
  Management Level System ... 4
  Strategic Level System ... 4
  Transaction Processing System (TPS) ... 4
  Knowledge Management System (KMS)/Knowledge Work and Office System ... 5
  Management Information System (MIS) ... 5
  Decision Support System (DSS) ... 6
  Executive IS/Executive Support System (EIS) ... 7
  Expert Support System (ESS) ... 7
  Interrelationship among Systems ... 8
  Sales and Marketing IS ... 8
  Manufacturing and Production IS ... 8
  Finance and Accounting IS ... 9
  Human Resource IS ... 9
  Artificial Intelligence (AI) ... 9
  Artificial Neural Networks ... 9
  Fuzzy Logic ... 9
  Effect of Change of Technology in Business ... 9
Chapter 6: E-Commerce and Inter Organizational Systems ... 10
  E-commerce ... 10
  Categories of E-Commerce ... 10
  Electronic Payment Processes ... 11
  Cloud Computing ... 12
  Cloud Computing Architecture ... 12
  Cloud Computing Service Models ... 12
  Mobile Computing ... 13
  Green Computing ... 13
  Virtualization ... 13
  Virtual Organization ... 14
  Data Exchange ... 14
  Grid Computing ... 14
Chapter 7: E-Business Enabling Software Packages ... 15
  Enterprise Resource Planning (ERP) ... 15
  Supply Chain Management ... 16
  Sales Force Automation ... 16
  Customer Relationship Management (CRM) ... 17
  Reverse Logistics ... 17
Chapter 11: Ethical and Legal Issues in Information Technology ... 17
  Patents ... 17
  Trademarks ... 17
  Copyrights ... 17
  Ethics ... 17
  Hacking ... 17
  Ethical Hacking ... 17
  Digital Signature ... 18
  Digital Certificates ... 18
  Digital Data Exchange ... 18
  XML Standard ... 18
  XBRL Standard ... 18
  Control Objectives for Information and related Technologies (COBIT) ... 18
  COSO Internal Control Framework ... 19
Chapter 1: Organizational Management and Information System ... 19
  Revision of Organization and Management Level ... 19
  Characteristics of Good Information ... 19
  Information System (IS) ... 19
  Needs for Computer Based MIS (CBMIS) ... 19
  Business Perspective of IS (Needs of IS in Business) ... 19
  IT and Information Security ... 20
  Governance ... 20
  IT Governance ... 20
  Information and Communication Technology (ICT) ... 20
  Factors affecting IT ... 20
  IT Infrastructure ... 20
  Business and IT Alignment ... 21
Chapter 9: Disaster Recovery ... 21
  Business Continuity Plan (BCP) ... 21
  Disaster Recovery Planning (DRP) ... 21
  Key Points to be taken into account while conducting a Disaster Recovery Testing Policy ... 22
  General Steps to Create BCP/DRP ... 22
  Importance/Need of Data Backup ... 22
  Types of Backup ... 22
  Business Process Re-engineering (BPR) ... 23
  Redundant Array of Independent Disks (RAID) ... 23
  Mirroring ... 24
  Clustering ... 24
Chapter 10: Auditing and Information System ... 25
  Auditing ... 25
  IT/IS Audit ... 25
  IS Audit Strategy ... 25
  Audit Trails ... 25
  Role of IS Auditor in General ... 25
  Role of IS Auditor in Physical Access Control (PAC) ... 26
  Role of IS Auditor in Environmental Controls (EC) ... 26
  Computer Aided Audit Technique (CAAT) ... 26
  Steps in IS Audit ... 26
  Snapshot Technique ... 27
  Impact of Technology on Internal Controls ... 27
Chapter 4: System Development Life Cycle ... 27
  System Development Life Cycle ... 27
  Feasibility Study ... 27
  Usability Analysis ... 28
  Underlying Principles for System Development ... 28
  Steps/Phases in System Development Life Cycle ... 28
  Computer Aided Software Engineering (CASE) ... 28
  Models of System Development ... 29
  Waterfall Model ... 29
  Spiral Model ... 29
  Prototyping ... 30
  Approaches to System Development ... 30
  System Testing ... 31
  Importance of Good Knowledge of Business to develop Effective IT System ... 31
Chapter 5: System Analysis and Design ... 32
  System Analysis ... 32
  Techniques for Performing System Analysis/System Design ... 32
  Concept of Data and Process Modeling ... 32
  Factors affecting Output Design ... 33
Chapter 8: Information Security, Protection and Control ... 33
  Vulnerability ... 33
  Threats ... 33
  Internet Vulnerabilities ... 34
  Wireless Security Challenge ... 34
  Internet Security ... 34
  Major aspects in which Internet Security Professionals should be fluent ... 34
  Information Security ... 34
  Computer Virus ... 34
  Worms ... 35
  Trojan Horse ... 35
  Computer Fraud ... 35
  Software Vulnerability ... 35
  Firewall ... 36
  Principles of Information Security ... 36
  Risks to Business from Computer Frauds ... 36
  Security Mechanisms used for E-Commerce (Components) ... 36
  Major Steps in Developing E-Commerce Security Plan ... 37
  Public Key Encryption ... 37
  Intrusion Detection System ... 37
  Intrusion Prevention System ... 37
  Major Areas to consider as a Security Auditor ... 37
Chapter 3: Information Technology Strategy and Trends ... 38
  Business Strategy ... 38
  IT Strategy Plan ... 38
  Factors Influencing Information Technology ... 38
Other Random Topics ... 39
  Conditions to be analyzed while recommending change of the System ... 39
  Batch Processing ... 39
  Online Processing ... 39
  Intranet ... 39
  Extranet ... 39
Chapter 2: Different Types of Information System

Information
• Processed data.
• Data is facts or values of results.
• Information may be represented in forms of text, graphics, pictures etc.
• Information adds knowledge, helps in decision making, analyzing the future and taking action in time.

System
• Group of interconnected components working towards accomplishment of a common goal.
• Consists of input, processing, storage, output.

Information System (IS)
• System that comprises people, computer systems, data and network that helps to collect, store and analyze data to produce desired information for functioning, betterment and expansion of business.
• Plays vital role in enterprise collaboration and management and strategic success of business.
• Facilitates E-Business and E-Commerce operation.

Functions of Information System:
1. Finance and Accounting: Ensure financial viability of organization, enforce financial discipline and plan and monitor financial budget.
2. Marketing and Sales: Maximize sales and ensure customer satisfaction.
3. Production or Manufacturing: Optimally deploy man, machine and materials to maximize production or services.
4. Inventory/Store Management: Keeping track of materials in stores, regulate maximum and minimum level of stock, raise alarm at danger stock level etc.
5. Human Resource Management: Effective and efficient use of manpower in dispute free environment for disruption free and timely service in business.

Application of IS in Enterprise Processes:
1. Support Organization Business Processes and Operations: Includes operation support systems such as TPS.
2. Support Business Decision Making: Includes MIS, DSS, EIS.
3. Support Strategic Competitive Advantage: Includes Expert Systems, KMS.

Data Mining
It can be applied in database analysis and decision support, i.e., market analysis and management, by finding patterns that are helpful in the business.

Operational Level System
• Support operational managers in tracking elementary activities.
• Includes tracking customer orders, invoice tracking etc.
• Ensure business procedures are followed.
• Objective is to improve operational efficiency.

Management Level System
• Support middle managers in monitoring, decision making and administrative activities.
• Provide periodic reports.
• Support managers in effective decision making by providing relevant and required information at the right time.

Strategic Level System
• Helps senior management tackle and address strategic issues and long-term trends.
• Principal concern is matching changes in external environment with existing organizational capabilities.

Transaction Processing System (TPS)
• IS that manipulates data from business transactions.
• Computerized system that performs and records daily routine transactions.
• Involves following activities:
  − Capturing data to organize in files or databases.
  − Processing of files/databases using application software.
  − Generating information in the form of reports.
  − Processing of queries from various quarters of the organization.
Features of TPS: (LABS)
1. Large Volume of Data: Transaction oriented and generally consists of large volume of data and requires greater storage capacity.
2. Automation of Basic Operations: Aims at automating basic operations and plays critical role in day-to-day functioning.
3. Benefits are Easily Measurable: Reduces workload of people associated with operations and improves efficiency by automation.
4. Source of Input for Other Systems: Basic source. Important for tactical and strategic decisions.

Components of TPS:
1. Input: Source documents that are physical evidence of inputs.
2. Processing: Use of journals and registers to provide a permanent and chronological record of inputs.
3. Storage: Ledgers and files provide storage of data on both manual and computerized systems.
4. Outputs: Any documents generated in the system.

Knowledge Management System (KMS)/Knowledge Work and Office System
Knowledge Management: Process of capturing, developing, sharing and effectively using organization knowledge.

KMS:
• IT system that:
  − stores and retrieves knowledge,
  − improves collaboration,
  − locates knowledge sources,
  − mines repositories for hidden knowledge,
  − captures and uses knowledge, or
  − in some other way enhances the knowledge management process.
• KMS facilitates organization learning and knowledge creation.
• Firm’s competitive gain depends on its knowledge processing.
• Types of Knowledge:
  − Explicit Knowledge: Easily formalized and easily available across organization as spoken, written or compiled data.
  − Tacit Knowledge: Resides in few hands and represented by individual beliefs, values, intuition and experience.

Management Information System (MIS)
• Computer based system that provides flexible and speedy access to accurate data.
• Supports managers at different levels to take strategic or tactical decisions.
• Provides reports to management that can help in making effective, structured types of decisions as applicable to day-to-day operations.

Pre-requisites of a MIS:
1. Database:
  • It is a super file which consolidates data records formerly stored in many data files.
  • The data in the database is organized in such a way that access to the data is improved and redundancy is reduced.
2. Qualified System and Management Staff:
  • MIS should be manned by qualified officers. These officers, who are experts in the field, should understand clearly the views of their fellow officers.
  • Their wholehearted support and cooperation will help in making MIS effective.
3. Support of Top Management:
  • An MIS becomes effective only if it receives the full support of top management.
  • To gain the support of top management, the officer should place before them all the supporting facts and state clearly the benefits which will accrue from it to the concerned.
4. Control and Maintenance of MIS:
  • Control of the MIS means the operation of the system as it was designed to operate.
  • Maintenance is closely related to control. There are times when the need for improvements to the system will be discovered.
5. Evaluation of MIS:
  • The capability of MIS to meet the information requirements of the executives can be maintained by evaluating the MIS and taking appropriate timely actions.
  • Evaluation of MIS should take into account following points:
    − Examining the flexibility to cope with future requirements;
    − Ascertaining the view of the users and designers about the capabilities and deficiencies of the system;
    − Guiding the appropriate authority about the steps to be taken to maintain effectiveness of MIS.

Characteristics of Effective MIS:
1. Management Oriented: Efforts for development start from appraisal of management needs and overall business objectives.
2. Management Directed: Necessary that the management should actively direct system development efforts.
3. Integrated: Integrated IS has capability of generating more meaningful information to management.
4. Common Database: Organization of database allows it to be accessed by several information sub-systems and eliminates necessity of duplication.
5. Computerized: Use of computers increases effectiveness of system.

Misconceptions about MIS:
• Accuracy plays vital role,
• Any reporting system is MIS,
• MIS is a bunch of technologies,
• Any computer based IS is MIS,
• MIS is a management technique,
• Study of MIS is about use of computers.

Major Constraints in Operating MIS:
1. Non-availability of experts who can diagnose objectives of organization and provide a desired direction for installing and operating system.
2. Problem of selecting sub-system of MIS to be installed and operated upon.
3. Approach adopted by experts for designing and implementing MIS may be non-standardized one.
4. Non-availability of cooperation from staff.
5. High turnover of experts.
6. Difficulty in quantifying benefits of MIS.

Grounds to Evaluate MIS:
• Able to meet future information needs,
• Meeting unexpected/demanding flexibility of information needs,
• Take views of designers/users,
• Guide authority to take steps to maintain it.

Implications of MIS:
• Organization can thrive and survive,
• Knowledge generated is useful to managers in unusual situations,
• Provides reports to make sound decisions,
• Supports managers at different levels.

Limitations of MIS:
• Quality of output depends on quality of input and processes,
• Less useful for making non-programmed decisions,
• Based on internal data,
• Effectiveness decreases due to frequent change in top management, organization structure and operational team,
• Provides information for quantitative data only.

Prerequisites of MIS:
1. Database:
  • It is a super file consolidating and integrating data records formerly stored in many separate data files.
  • It should be user oriented, capable of being used as a common data source, available to authorized persons only.
2. Qualified System and Management Staff:
  • MIS should be manned by qualified officers who are experts in the field to understand clearly the views of fellow officers.
  • Two categories of officers:
    − System and Computer Experts
    − Management Experts
3. Support of Top Management: It is required for effectiveness of MIS.
4. Control and Maintenance: System shall be operated as designed to be operated.
5. Evaluation of MIS:
  • Evaluation to:
    − Examine whether enough flexibility exists in the system,
    − Ascertain views of users and designers,
    − Guide appropriate authority about steps to maintain effectiveness.

Decision Support System (DSS)
• Computerized IS that supports business and organizational decision-making activities.
• System that provides tools to managers to assist them in solving semi-structured and unstructured problems.
• Supports human decision-making process.

Goal of DSS:
− Primary goal is to present information to the customer in an easy-to-understand way.
− Generate many types of reports based on user specifications.

Application of DSS:
− Way to promote better projections, management and analysis within a company.
− Allows faster decision making.
− Allows identification of negative trends.
− Allows better allocation of business resources.
− Helps management to take strategic decisions.

Characteristics of DSS:
− Supports decision making at all levels of management.
− Focuses on decisions rather than data and information.
− Can be used for structured decisions.
− Should be friendly.
− Should be extensible and evolve over time.

Examples of DSS in Accounting:
− Cost Accounting System
− Capital Budgeting System
− Budget Variance Analysis System

Components of DSS:
1. User: Usually a manager with an unstructured or semi-structured problem to solve.
2. Databases: DSS includes one or more databases that contain both routine and non-routine data from both internal and external sources. Database also captures data from other sub-systems. Data is implemented at 3 levels:
  − Physical Level
  − Logical Level
  − External Level
3. Model Base: The planning language in DSS allows the user to maintain a dialogue with the model base, which is known as the brain of DSS.

Executive IS/Executive Support System (EIS)
• Serves Strategic Level.
• Creates generalized computing and communication environment rather than providing preset applications or specific competence.
• Addresses non-routine decisions requiring judgement, evaluation and insight.

Characteristics of EIS:
• Serves information needs of top executives.
• Provides rapid access to timely information and direct access to reports.
• Capable of accessing both internal and external data.
• Can easily be given DSS support for decision making.

Guidelines for EIS:
• Measures to be easy to understand and collect.
• Depends on user needs.
• Must evolve as organization changes in needs.
• Information to all employees and confidential information are not part of EIS.
• Performance indicators to indicate everyone’s contribution.

Purpose of EIS:
• To support managerial learning.
• Allow timely access to information.
• Direct management’s attention to specific areas of organization.

Expert Support System (ESS)
• Highly developed DSS that utilizes knowledge generally possessed by an expert to solve a problem.
• Software system that imitates the reasoning process of human experts and provides decision makers with the type of advice they would normally receive from such experts.

Benefits of ESS:
• Preserve knowledge.
• Assist novices in thinking the way experienced professionals do.
• Are not subject to human failures.
• Can be effectively used as strategic tool.
• Put information into active form.
Limitations of ESS:
• High cost to develop and maintain.
• Fail to make subjective evaluations.
• Cannot maintain and update knowledge themselves.
• Fail to solve problems requiring broad knowledge base.

Business Applications of Expert System:
1. Accounting and Finance: Provide tax advice, investment advice.
2. Marketing: Establishing quotas, responding to customer inquiries etc.
3. Manufacturing: Determining whether process is running correctly, analyzing quality etc.
4. Personnel: Useful in assessing applicants.
5. General Business: Helps in assisting with project proposals, evaluating performance.

Components of Expert System:
1. Knowledge Base: It contains:
  • Facts about specific subject area.
  • Heuristics that express reasoning procedures of an expert.
  • Ways knowledge is represented in ESS:
    − Rule Based
    − Frame Based
    − Object Based
    − Case Based
2. Software Resources: ESS contains inference engine and other programs for refining knowledge and communicating with users.

Process of Developing ESS:
1. Team of experts and knowledge engineers is firstly formed.
2. Knowledge engineers work with experts to capture their knowledge to build knowledge base.
3. A limited working prototype of knowledge base is constructed, tested and evaluated using inference engine and program.
4. Knowledge engineers and experts may modify the knowledge base as required, retest and evaluate results.
5. Step No. 4 is repeated until knowledge base and results are accepted.

Interrelationship among Systems
• TPS are typically a major source of data for other systems.
• EIS are primarily a recipient of data from lower-level systems.
• Data may also be exchanged among systems serving different functional areas.
• It is advantageous to integrate systems so that information can flow easily between different parts of organization.

Sales and Marketing IS
• Sales: It is concerned with contacting customers, selling products and services and taking orders.
• Marketing: It is concerned with identifying customers for firm’s products or services, what customers need or want, planning and developing products or services.
• At Strategic Level:
  − Monitor trends
  − Support planning
  − Monitor performance of competitors.
• At Management Level:
  − Support market research, advertising and promotional campaigns
  − Pricing decisions
• At Operating Level:
  − Assist in locating and contacting prospective customers
  − Tracking sales
  − Processing orders etc.

Manufacturing and Production IS
• It deals with:
  − planning, development and maintenance of production facilities
  − establishment of production goals
  − acquisition, storage and availability of production materials etc.
• At Strategic Level: Deals with the firm’s long-term manufacturing goals.
• At Management Level: Deals with the manufacturing and production system, and the analysis and monitoring of manufacturing and production costs.
• At Operational Level: Deals with the status of production tasks.

Finance and Accounting IS:
• Finance: It is responsible for managing the firm’s financial assets to maximize the return on those assets.
• Accounting: It is responsible for maintaining and managing the firm’s financial records.
• At Strategic Level:
   − Establish long-term investment goals for the firm
   − Provide long-range forecasts of the firm’s financial performance.
• At Management Level: Helps managers oversee and control the firm’s financial resources.
• At Operational Level: Tracks the flow of funds in the firm through transactions.

Human Resource IS
• It is responsible for attracting, developing and maintaining the work force.
• It helps in identifying potential employees, maintaining complete records on existing employees and creating programs to develop employees’ talent and skills.
• At Strategic Level: Identify manpower requirements for meeting the firm’s long-term business plans.
• At Management Level: It helps managers monitor and analyze the recruitment, allocation and compensation of employees.
• At Operational Level: Track recruitment and placement of the firm’s employees.

Artificial Intelligence (AI)
• It is a branch of computer science that deals with writing computer programs that can solve problems creatively.
• It is an effort to develop computer-based systems that can behave like humans, with the ability to learn language, accomplish physical tasks, use perceptual apparatus and emulate human expertise and decision making.
• Advantages of AI:
   − Can work 24 hours a day
   − Will not become ill, die or be hired away
   − Extremely fast processors.
• Types of AI:
   − Neural Networks
   − Case-based reasoning systems
   − Rule-based expert systems
   − Intelligent agents
   − Expert Systems

Artificial Neural Networks
• Artificial neural networks are one of the main tools used in machine learning.
• As the “neural” part of their name suggests, they are brain-inspired systems which are intended to replicate the way that we humans learn.
• Neural networks consist of input and output layers, as well as (in most cases) a hidden layer consisting of units that transform the input into something that the output layer can use.
• They are excellent tools for finding patterns which are far too complex or numerous for a human programmer to extract and teach the machine to recognize.

Fuzzy Logic
• It represents a small, but serious, application of AI in business.
• It is a method of reasoning that resembles human reasoning.
• Some general observations about fuzzy logic are:
   − Fuzzy logic is conceptually easy to understand
   − It is flexible
   − It is tolerant of imprecise data
   − It can model non-linear functions of arbitrary complexity
   − It can be built on top of the experience of experts
   − It is based on natural language
   − It can be blended with conventional control techniques.

Effect of Change of Technology in Business
• Need to change systems to stay up to date
• Changes in business processes to adopt and adapt
• Creates Human Resource management challenges.
Chapter 6: E-Commerce and Inter Organizational Systems

E-commerce
• Process by which enterprises conduct business electronically with their customers and/or the public at large, using the internet as the enabling technology.
• It encompasses the entire online process of:
   1. Developing,
   2. Marketing,
   3. Selling,
   4. Delivering,
   5. Servicing etc.

Advantages of E-Commerce for Business:
1. Allows a business of virtually any size, located virtually anywhere on the planet, to conduct business with anyone.
2. Allows geographical barriers to disappear.

Advantages of E-commerce for Customers:
   − No checkout queues
   − Reduced prices
   − You can shop anywhere in the world
   − Easy access 24 hours a day
   − Wide selection to cater for all consumers
   − No hassle of transport/leave from the work place to do shopping
   − You feel that you are in a one-stop shop for everything

Disadvantages of E-commerce for Customers:
   − Unable to examine products personally
   − Not everyone is connected to the internet
   − There is a probability of credit card fraud
   − On average only 1/9th of stock is available on the stock
   − Return/Exchange of goods (not in correct size, etc.) will be very difficult and costly.
   − Cannot negotiate the price.

Features of E-Commerce:
1. Ubiquity:
   − It means available anywhere at all times.
   − E-Commerce removes the concept of a physical market place.
   − E-Commerce reduces transaction cost and saves the time to go to market for products.
2. Global Reach:
   − E-Commerce permits commercial transactions across cultural and national boundaries more conveniently, quickly and cost effectively than traditional commerce.
3. Universal Standards:
   − Technical standards for conducting E-Commerce through the internet are universal standards, i.e., followed by all nations.
   − All users use common technology for transactions.
4. Richness:
   − Traditional commerce has richness, i.e., it allows personal face-to-face gestures and interaction for transactions.
   − E-Commerce can also deliver richness via audio, video, animation etc. much better than traditional commerce.
5. Interactivity:
   − E-Commerce allows interaction, i.e., two-way communication between customer and merchant.
6. Information Density:
   − It relates to the technical capabilities of E-Commerce.
   − E-Commerce technology reduces information collection, storage, processing and communication costs and raises the quality of information.
7. Personalization/Customization:
   − E-Commerce permits personalization, i.e., merchants can target specific individuals for marketing and send personalized messages to a target group.
   − E-Commerce permits customization, i.e., changing products or services as per the user’s preferences/requirements.

Categories of E-Commerce
Business to Customer (B2C):
• It is the process of selling goods and services through the internet by a business to customers.
• In B2C, the company offers:
   − E-Commerce Websites,
   − Order Processing,
   − Secure online payment systems,
   − Online Customer Support etc.
Customer to Customer (C2C):
• It is the process of selling goods and services through the internet directly from one consumer to another consumer.
• It enables the selling of used products from one consumer to another consumer at a comparatively lower price than a new product.
• Third-party websites like eBay and Hamrobazar are used.

Business to Business (B2B):
• It is the process of selling goods and services through the internet among businesses.
• It reduces the cost of distributors and other middlemen.
• Generally, the company’s own website is used, such as www.alibaba.com.

Electronic Payment Processes
It includes:
1. Web Payment Process
2. Electronic Fund Transfer
3. Secure Electronic Payment

Web Payment Process:
• E-Commerce enables customers to select products from websites and put them in virtual shopping carts.

Electronic Fund Transfer:
• It is a system of transferring money from one bank account directly to another without any paper money changing hands.
• It refers to any transfer of funds initiated through an electronic terminal.
• Benefits of Electronic Fund Transfer:
   − Reduced administrative cost
   − Increased transaction efficiency
   − Simplified bookkeeping
   − Greater security
   − Time saving.

Secure Electronic Payment (SEP):
• It is a form of protocol for E-Credit Card Payments.
• The SEP protocol is used to facilitate secure transmission of the customer’s credit card information via electronic avenues.
• Security Measures used:
   i. Encrypt data passing between customer and merchant.
   ii. Encrypt data passing between the customer and the company authorizing the credit card transaction.
   iii. Take sensitive information offline.
• Methods developed for security:
   1. Secure Socket Layer (SSL):
      − It is a method that automatically encrypts data passing between the customer’s web browser and the merchant’s server.
   2. Digital Wallet System:
      − It involves adding security-software add-on modules to web browsers.
      − It enables the browser to encrypt credit card data such that only the bank authorizing the credit card transaction can see it.
      − The bank informs the merchant only whether the credit card transaction is approved or not.
   3. Secure Electronic Transaction (SET):
      − It is the standard that will enable secure credit card transactions on the internet.
      − It provides a mechanism whereby credit card details are transferred directly to the card issuer for verification.
Cloud Computing
• It means the use of computing resources as a service through networks and the internet.
• It allows users to access database resources via the internet from anywhere, for as long as they need, without worrying about maintenance or management of the actual resources.
• It combines software- and hardware-based computing resources delivered as networked services.
• It provides facilities for users to develop, deploy and manage their applications on the cloud.

Characteristics of Cloud Computing:
1. High Scalability: Enables servicing of business requirements for a larger audience.
2. High Availability and Reliability: Availability of servers is high, with minimal chances of failure.
3. Multi-sharing: Multiple users and applications can work more efficiently, with cost reductions, by sharing common infrastructure.
4. Virtualization: This technology allows servers and storage devices to increasingly share and utilize applications.
5. Performance: Performance is monitored consistently and loosely coupled architectures are constructed.

Advantages of Cloud Computing:
1. Cost Efficiency: It is cost efficient to use, maintain and upgrade.
2. Almost Unlimited Storage: Almost unlimited storage capacity.
3. Backup and Recovery: Backing up and recovering data is relatively easier.
4. Automatic Software Integration: No need to take additional efforts to customize and integrate applications.
5. Quick Deployment: The entire system can be fully functional in a matter of a few minutes.

Challenges related to Cloud Computing:
i. Security Issues:
   a. Confidentiality
   b. Integrity
   c. Availability
   d. Governance
   e. Audit
   f. Data Stealing
ii. Implementation/Adaptation Issues:
   a. Threshold Policy
   b. Interoperability
   c. Hidden Cost
   d. Unexpected Behavior

Cloud Computing Architecture
• It is the structure of a system which comprises on-premise and cloud resources, services, middleware and software components, their geographical location, their externally visible properties and the relationships between them.
• In cloud computing, protection depends upon the Right Architecture for the Right Application.
• Cloud Computing Architecture consists of a Front End and a Back End which connect to each other through a network.
• Front End Architecture: It comprises the client’s device and the applications needed for accessing the cloud computing system.
• Back End Architecture: It refers to the service-facilitating peripherals. Groups of these clouds make up the whole computing system.

Cloud Computing Service Models
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)

Infrastructure as a Service (IaaS):
• It is a hardware-level service that provides computing resources such as processing power, memory, storage and networks for cloud users to run their applications on demand.
• IaaS providers offer computers and other resources as a service.
• Services offered by IaaS providers:
   − Compute
   − Network
   − Storage
   − Load Balancers
• Characteristics of IaaS:
   1. Web access to resources: It enables users to access infrastructure resources over the internet.
   2. Centralized management
   3. Elasticity and Dynamic Scaling: It can provide resources and elastic service where the usage of resources can be increased or decreased according to requirements.
   4. Shared Infrastructure: Multiple users share the same infrastructure.
   5. Metered Service: It allows renting instead of buying computing resources.

Platform as a Service (PaaS):
• It provides users the ability to develop and deploy applications on a development platform provided by service providers.
• Services offered by PaaS providers:
   − Programming languages
   − Application frameworks
   − Databases
   − Other tools
• Characteristics of PaaS:
   − All in one
   − Offline access
   − Web access to developed platforms
   − Built-in scalability
   − Collaborative platform
   − Diverse client tools

Software as a Service (SaaS):
• It provides users access to a large variety of applications over the internet, hosted on the service provider’s infrastructure; it is often referred to as software on demand, and utilizing it is akin to renting software rather than buying it.
• Services provided by SaaS:
   − Business Services
   − Document Management
   − Social Networks
   − Mail Services
• Characteristics of SaaS:
   − One to Many
   − Web Access
   − Centralized Management
   − Multidevice support
   − Better Scalability
   − High Availability
   − API Integration

Mobile Computing
• It is a technology that allows data to be transmitted via computer without connecting to a fixed physical link.
• It transmits data from remote locations to other remote locations, proving to be a solution to the biggest problem of business people on the move.
• Security Issues:
   1. Confidentiality
   2. Integrity
   3. Availability
   4. Bandwidth
   5. Reliability, Coverage, Capacity and Cost

Green Computing
• It is the study and practice of environmentally sustainable computing or Information Technology, for establishing/using computers and IT resources in an efficient, environment-friendly and responsible way.
• It includes the implementation of energy-efficient CPUs, servers and peripherals as well as reduced resource consumption.

Virtualization
• It refers to the abstraction of computer resources.
• It hides the physical characteristics of computing resources from their users.
• It also includes making multiple physical resources appear as a single virtual resource.
• Types of virtualization:
   − Server Virtualization
   − Client/Desktop/Application Virtualization
   − Network Virtualization
   − Storage Virtualization
   − Service/Application Infrastructure Virtualization

Server Virtualization
• It is the process of masking the physical computing resources of a server or computing device.
• It can subdivide a single set of machines into multiple logical units that can operate independently in terms of operating system, applications, network identity and services.

Storage Virtualization
• Storage virtualization refers to the process of abstracting logical storage from physical storage.
• Storage virtualization is hard to define in a fixed manner due to the variety of ways in which the functionality can be provided.
• Typically, it is provided as a feature of:
   − Host-based software with special device drivers
   − Array controllers
   − Network switches
   − Stand-alone network appliances

Benefits of Virtualization for Business Organizations:
   − Efficient utilization of resources.
   − Better management as a single virtual environment
   − Economical for a growing organization
   − A growing enterprise can manage the IT system using a minimum number of dedicated human resources
   − Efficient for manpower allocation as well as getting external support from vendors or service providers.

Virtual Organization
• It is a network of cooperation made possible by information and communication technology, which is flexible and meets the dynamics of the market.
• A social network in which all horizontal and vertical boundaries are removed.
• Characteristics:
   − Flat Organization
   − Dynamic
   − Informal Communication
   − Goal Orientation
   − Power Flexibility
   − Multi-disciplinary teams
   − Vague Organization Boundaries
   − Sharing of Information
• Types:
   − Telecommuters
   − Outsourcing employees/competencies
   − Completely Virtual

Data Exchange
• It is the process of taking data structured under a source schema and transforming it into data structured under a target schema.

Grid Computing
• It is a network of computing or processor machines managed with a kind of software such as middleware in order to access and use the resources remotely.
• The idea of Grid Computing is to make use of otherwise non-utilized computing power by organizations that need it, and thereby increase the ROI on computing investments.
• It makes cost-effective use of a large number of computer resources.
• Characterized by:
   − Cluster Computing
   − Parallel Processing
Chapter 7: E-Business Enabling Software Packages

Enterprise Resource Planning (ERP)
• It is business process management software that allows an organization to use a system of integrated applications to facilitate the information flow between the business functions of the organization.
• It integrates all operations including product planning, development, manufacturing, sales and marketing.

Benefits of ERP:
   − Improved workflow and efficiency
   − Improved customer satisfaction
   − Reduced inventory cost
   − Reduced redundant data entry and processes
   − Provides a consolidated picture
   − Improved cost control
   − Provides greater accuracy of information
   − Helps to achieve competitive advantage

Features of ERP:
   − Integration of functions
   − Use of the latest technology
   − Common database is used to record data
   − Common interface to all users
   − Best business practices
   − Flexible
   − Multi-language

Modules/Functional Areas of ERP:
1. ERP Production Planning Module: Used for production planning for the optimization of manufacturing capacity and resources.
2. ERP Purchasing Module: Streamlines the procurement of raw materials. Automates the process of identifying potential suppliers, negotiating price and awarding purchase orders to suppliers.
3. ERP Inventory Control Module: Facilitates maintaining an appropriate level of stock and keeps inventory holding and ordering costs at a minimum level. Integrates with sales, purchase and finance.
4. ERP Sales Module: Helps in accepting orders, order scheduling, shipping and invoicing. Closely integrated with the organization’s E-commerce website.
5. ERP Marketing Module: Supports organizational marketing of products. Helps to develop an appropriate marketing strategy.
6. ERP Financial Module: Gathers financial data from several other departments and modules to help generate financial reports.
7. ERP Human Resource Module: Helps maintain a complete HR database and helps to take promotion decisions, performance evaluation etc.

Challenges of Implementation of ERP:
   − Cost of acquiring or developing the system is high.
   − Low level of awareness and lack of proper understanding.
   − Human reluctance to use a new system
   − Cost factors associated with system reengineering and data conversions.
   − High dependency on IT

Challenges in ERP implementation in SMEs:
   − Low level of awareness
   − Perception that ERP is meant for large organizations only
   − Cost of acquiring or developing the system is high
   − Most people resist change in the organization
   − Reliance on external agencies resulting in high implementation cost.

Points to be considered before Implementation of ERP:
   − Infrastructure Resource Planning
   − Educate about ERP
   − Human Resource Planning
   − Top Management Commitment
   − Training facilities
   − Commitment to release the right person for implementation

Reasons for ERP Failure:
   − Resistance to change
   − Inability to cope with the latest technologies
   − Inappropriate HR Training

Process of ERP Implementation:
1. Identifying the needs for implementation
2. Evaluating the situation to understand strengths and weaknesses.
3. Deciding the changes expected after implementation
4. Reengineering business processes to achieve the desired results
5. Evaluating various ERP packages to assess suitability
6. Finalizing the most suitable ERP package for implementation
7. Installing the required hardware and network
8. Finalizing implementation
9. Implementing the ERP package

Risks of Implementing ERP:
   − Single point of failure, as all data of the organization is within one system
   − Traditional roles of users are changed to empowered-based roles
   − Increased access to applications and data by users and outsiders
   − Dependency on external assistance
   − Requires audit expertise
   − Reduces security administration efforts associated with administering web-based access to multiple systems

Structure of ERP

Supply Chain Management
• It is an integrated approach to planning, implementing and controlling the flow of information, material and services from raw materials and component suppliers through manufacturing of the finished goods/products to ultimate distribution to end users.
• It is the management of a network of interconnected businesses involved in providing the goods/services required by end customers.
• It is also called the art of providing the right product at the right time, at the right place and at the right cost to customers.
• It includes the system integration of processes for:
   − Demand planning,
   − Order fulfillment/delivery,
   − Product/service launch,
   − Manufacturing/operations planning and control,
   − Customer relationship collaboration etc.

Importance of Supply Chain Management:
   − Critical backbone of business organizations today
   − Boosts customer service
   − Effective market coverage

Benefits of Supply Chain Management:
   − Rapidly communicate orders
   − Track status of orders
   − Reduce inventory, transportation and warehousing costs
   − Check inventory availability and monitor inventory levels
   − Track shipments
   − Production planning

Sales Force Automation
• It is a type of program that automates business tasks such as inventory control, sales processing and tracking of customer interactions, as well as analyzing sales forecasts and performance.
• It is the use of computers to automate sales recording and reporting by sales people, as well as communication and sales support.
• Provides the following services:
   − Tracking contacts made with customers
   − Listing of potential customers
   − Sales forecasting
   − Inventory control
   − Order processing

Disadvantages of Sales Force Automation:
   − Difficult to implement
   − Requires continuous maintenance
   − Difficult to integrate with other existing Information Systems
   − Costly

Characteristics/Benefits of Sales Force Automation:
   − Increases the personal productivity of sales people
   − Speeds up the capture and analysis of sales data
   − Allows marketing and sales management to improve the delivery of information
   − A way to gain strategic advantage in sales productivity and marketing responsiveness
   − Identifies target markets and loyal customers
   − Saves time and assists quick decision making.

Customer Relationship Management (CRM)
• It is a cross-functional E-business application that integrates and automates many customer-servicing processes.
• It helps firms in managing their relationships with their customers.
• CRM software provides tools that enable a business and its employees to provide fast, convenient, dependable and consistent service to its customers.

Merits of Customer Relationship Management:
   − Enables real-time customization and personalization of products and services.
   − Allows businesses to identify and target their best customers
   − Keeps track of when a customer contacts the company
   − Enables the company to provide a consistent customer experience and service

Challenges of Customer Relationship Management:
   − Insufficient training
   − High implementation cost
   − Failure to do enough data conversion and testing
   − Underestimating the complexity of planning, development and training
   − Un-participative management

Reverse Logistics
• It is the process of planning, implementing and controlling the cost-effective flow of raw materials, WIP inventory and finished goods from the point of consumption to the point of origin for recapturing value or proper disposal.
• It is concerned with the sale of returned products.
• It helps the organization maintain good customer relations.

Chapter 11: Ethical and Legal Issues in Information Technology

Patents
• A patent safeguards an original invention for a certain period of time and is granted by the United States Patent and Trademark Office.

Types of Patents:
   − Utility Patent: Up to 20 years
   − Plant Patent: Up to 20 years
   − Design Patent: Up to 14 years

Trademarks
• A trademark protects words and design elements that identify the source of a product.
• For example: brand names and corporate logos.

Copyrights
• Copyright protects works of authorship such as writings, art, architecture and music.
• The copyright owner has the sole right to display, share, perform or license the material.

Ethics
• It refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behavior.
• They affect how people make decisions and lead their lives.

Ethical issues raised by Information Systems:
   − Commit crimes
   − Threaten cherished social values
   − Establishing accountability for the consequences of Information Systems
   − Setting standards to safeguard system quality
   − Preserving values.

Hacking
• It refers to the unauthorized access and use of computer systems, usually by means of a personal computer and a telecommunication network.

Ethical Hacking
• It is the process of deliberately hacking into a system with the full knowledge of the system developers or owner to find out flaws and vulnerabilities.
• Software companies may have their own internal ethical hacking team or they can also hire external hackers.
• It is a kind of fire drill to make sure that the system in question is secure and able to handle any malicious threats and attempts at compromise.

Digital Signature
• It is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.
• It provides added assurance of evidence of the origin, identity and status of an electronic document, transaction or message, as well as acknowledging informed consent by the signer.
• In many countries, a digital signature has the same significance as the traditional forms of signed documents.

Benefits of Digital Signature:
   − Provides proof of authenticity
   − Provides proof of data integrity
   − Provides proof of non-repudiation
   − Receiver can be sure of the sender’s identity

Authentication of Digitized Information/Working Procedure:
1. Digital signatures work by proving that a digital message or document was not modified, intentionally or unintentionally, from the time it was signed.
2. Digital signatures do this by generating a unique hash of the message or document and encrypting it using the sender’s private key.
3. The message or digital document is digitally signed and sent to the recipient.
4. The recipient generates their own hash of the message or digital document and decrypts the sender’s hash using the sender’s public key.
5. The recipient compares the hash they generated against the sender’s decrypted hash; if they match, the message or digital document has not been modified and the sender is authenticated.

Digital Certificates
• A digital certificate is a certificate issued by a CA (Certificate Authority) to verify the identity of the certificate holder.
• It uses a digital signature to attach a public key to a particular individual or entity.
• A digital certificate contains the following information:
   − a serial number that is used to uniquely identify a certificate,
   − the individual or the entity identified by the certificate,
   − the algorithm that is used to create the signature.

Digital Data Exchange
It is a standard-setting organization that was formed to:
   − Design standardized XML message formats for the exchange of metadata across the digital content value chain,
   − Develop common protocols for the automated communication and management of messages,
   − Originate material to promote its standards and assist companies in their implementation.

XML Standard
• These are standards for the communication of metadata between record companies, music rights societies and retailers.
• They are:
   − Electronic Release Notification Message Suite Standard
   − Digital Sales Reporting Message Suite Standard
   − Musical Work Licensing Message Suite Standard

XBRL Standard
• It is an open international standard for digital business reporting, managed by a global not-for-profit consortium, XBRL International.
• It provides a language in which reporting terms can be authoritatively defined.

Benefits of XBRL:
   − Makes reporting more accurate and efficient
   − Reduces mechanical data entry
   − Eliminates entry errors
   − Encourages more analysis of data
   − Facilitates comparison
   − Provides greater transparency

Control Objectives for Information and Related Technologies (COBIT)
• It is a set of best practices for Information Technology management developed by the Information Systems Audit and Control Association (ISACA).
• It incorporates the latest thinking in enterprise governance and management techniques.
• It provides globally accepted principles, practices, analytical tools and models to help increase trust in, and value from, Information Systems.
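The five-step signing procedure under "Authentication of Digitized Information" and the certificate contents under "Digital Certificates" above, carried through as one added worked example in Python (this is not code from these notes). It uses textbook RSA with SHA-256 so that each step is visible: hash the message, "encrypt" the hash with the private key, recover it with the public key, compare with a fresh hash; a toy certificate then shows the CA's signature binding a serial number, a subject and an algorithm name to a public key, and why a message signature is trusted only after the certificate itself verifies. The key material is built from publicly known Mersenne primes, so it is deliberately insecure and for illustration only; real deployments use 2048-bit or larger keys with PKCS#1 v1.5 or PSS padding and X.509 certificates rather than the JSON certificate shown. All function names, the CA, the subject names and the sample message are assumptions.

```python
import hashlib
import json

# Toy textbook-RSA keys, constructed for illustration only. The primes are the
# publicly known Mersenne primes 2^107-1, 2^127-1, 2^521-1 and 2^607-1, so
# nothing here is secret or secure; the sizes just keep a SHA-256 digest
# (256 bits) smaller than the modulus so the arithmetic works end to end.
E = 65537  # public exponent shared by both keys

def make_key(p: int, q: int):
    """Return (public, private) key dicts for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent d = e^-1 mod phi(n)
    return {"n": n, "e": E}, {"n": n, "d": d}

CA_PUB, CA_PRIV = make_key(2**127 - 1, 2**521 - 1)      # certificate authority
USER_PUB, USER_PRIV = make_key(2**107 - 1, 2**607 - 1)  # the signer ("alice")

def digest(data: bytes) -> int:
    """Steps 2 and 4: the SHA-256 hash of the data, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, priv: dict) -> int:
    """Step 2: 'encrypt' the hash with the private key (textbook RSA: h^d mod n)."""
    return pow(digest(data), priv["d"], priv["n"])

def verify(data: bytes, signature: int, pub: dict) -> bool:
    """Steps 4-5: recover the signer's hash with the public key (s^e mod n)
    and compare it against a freshly computed hash of the received data."""
    return pow(signature, pub["e"], pub["n"]) == digest(data)

# --- Toy certificate: the CA's signature binds a public key to an identity ---
ALGORITHM = "toy-RSA-SHA256"  # the 'algorithm used to create the signature' field

def cert_body(serial: int, subject: str, pub: dict) -> bytes:
    """Canonical bytes the CA signs; sort_keys makes issuer and verifier hash
    exactly the same encoding."""
    return json.dumps({"serial": serial, "subject": subject,
                       "public_key": pub, "algorithm": ALGORITHM},
                      sort_keys=True).encode()

def issue_certificate(serial: int, subject: str, pub: dict) -> dict:
    body = cert_body(serial, subject, pub)
    return {"serial": serial, "subject": subject, "public_key": pub,
            "algorithm": ALGORITHM, "signature": sign(body, CA_PRIV)}

def verify_certificate(cert: dict) -> bool:
    """Check the CA's signature over the certificate fields."""
    body = cert_body(cert["serial"], cert["subject"], cert["public_key"])
    return verify(body, cert["signature"], CA_PUB)

def verify_signed_message(message: bytes, signature: int, cert: dict) -> bool:
    """Trust the certified public key only after the certificate itself verifies."""
    return verify_certificate(cert) and verify(message, signature, cert["public_key"])

def demo() -> dict:
    cert = issue_certificate(1001, "CN=alice@example.test", USER_PUB)  # constructed
    message = b"Approve purchase order PO-42 for NPR 250000"              # constructed
    signature = sign(message, USER_PRIV)
    forged_cert = dict(cert, subject="CN=mallory@example.test")  # edited after signing
    return {
        "genuine": verify_signed_message(message, signature, cert),
        "tampered_message": verify_signed_message(message + b"0", signature, cert),
        "tampered_certificate": verify_signed_message(message, signature, forged_cert),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() returns True for the genuine case and False for both tampering cases: changing one byte of the message changes its hash (step 5 fails), and editing the subject of the certificate after issuance invalidates the CA's signature over it, so the public key it carries is no longer trusted at all.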
• It enables organizations to balance resource usage, risk optimization and the realization of benefits.

Benefits of COBIT:
   − Adapt to user demand
   − Manage risks and security
   − Maximize the value of intellectual property
   − Conform to industry regulations and compliance initiatives.

COSO Internal Control Framework:
[From Audit]

Chapter 1: Organizational Management and Information System

Revision of Organization and Management Level
   Managers                            Information Required
   Chief Executive (Top Level)         Strategic Information
   Functional Manager (Middle Level)   Tactical Information
   Line Managers                       Operational Information

Characteristics of Good Information
1. Timeliness: Available at the proper time
2. Accuracy: Free of errors
3. Format/Mode: Printed, audio, visual, tabular, graphic etc.
4. Reliable: From an authorized source and free from bias
5. Integrated: Covers all necessary functions
6. Complete: Does not miss out important matters

Information System (IS)
• It is an arrangement of a number of elements that provide effective information for decision making and/or control of some functionalities of an organization.
• It is an arrangement of people, data, processes, interfaces, network and technology together for providing the information required for:
   − Solving day-to-day business operations
   − Structured decisions
   − Unstructured decisions
• The type of IS depends upon the type of decision to be taken, the nature of the organization etc.

Needs for Computer Based MIS (CBMIS)
   − Rapid rate of industrial development
   − Efficient management
   − Volume of data has increased
   − Allows managers to analyze data more efficiently
   − Competitive market
   − Effective interaction with interested parties

Business Perspective of IS (Needs of IS in Business)
   − Helps improve the efficiency and effectiveness of business processes and decision making
   − Helps strengthen competitive position
   − Helps large-volume data handling
   − Helps in effective communication among business functions
   − Helps generate multiple reports

IT and Information Security
Information Security has three primary goals:
1. Confidentiality: Tools to promote confidentiality:
   i. Encryption
   ii. Access Control List
2. Integrity: Making sure information has not been changed from how it was intended to be. Tools to promote integrity:
   i. Access Control List
   ii. Physical Security
   iii. Regular Backup
3. Availability: Making sure that information is available for use when needed.

Governance
• It is a process of interaction and decision making to create, reinforce or reproduce social norms and institutions.
• A key concept of governance is that senior management is responsible for ensuring accountability is shared.

IT Governance
• It is a system in which the directors of the enterprise evaluate, direct and monitor IT management to ensure the effectiveness, accountability and compliance of IT.
• It is a system by which IT activities in a company or enterprise are directed and controlled to achieve business objectives.

Benefits of IT Governance:
   − Increased value delivered
   − Increased user satisfaction
   − Better cost performance
   − Improved transparency
   − Improved management and mitigation of IT-related risks
   − Improved compliance
   − More optimal use of IT resources

Information and Communication Technology (ICT)
• It is a combination of hardware, software and communication devices so that raw data can be processed to give relevant information and transmitted to the target place.
• It involves the use of computer devices, various types of software programs and their transmission to the destination at the right time.

Benefits/Merits of ICT:
   − Data storage, online transactions
   − Quick and effective communications
   − Reduced cost of operation, manpower and time
   − Business efficiency
   − Creates a large number of new job opportunities

Demerits of ICT:
   − Viruses and worms are developed
   − Theft of confidential information
   − Unemployment of older people without computer education
   − Requires technical manpower
   − Can reduce employee performance and efficiency

Factors affecting IT
1. Internal flexibility of the organization
2. Budget available
3. Governing rules and regulations of the country
4. Knowledge and qualification of personnel
5. Functional business units of the organization
6. International norms and practices about technology

IT Infrastructure
It is the shared technology resources that provide the platform for the firm’s specific IS applications.
Components:
   − Hardware,
   − Operating system software,
   − Network Channels,
   − Database Management System,
   − Internet etc.
20
Complied by: Anish Shrestha
Management Information Control System (MICS)
Stages of IT Infrastructure Evolution:
1. Earliest Stage: Used electronic accounting machines
2. 2nd Stage - Mainframe Era: Thousands of terminals could be networked to mainframe computers
3. 3rd Stage - Personal Computer Era: Use of desktop computers
4. 4th Stage - Client Server Era: Desktops and laptops connected to powerful server computers
5. 5th Stage - Internet Era: All computers around the world linked via the internet

Business and IT Alignment
• There exists a two-way relationship between information systems and organizations.
• Information systems must be aligned with the organization to provide useful information to important groups within the organization.
• Organizations must be aware of and be open to the influences of information systems in order to benefit from new information technologies.

Chapter 9: Disaster Recovery

Business Continuity Plan (BCP)
• It is the creation and validation of a practical logistical plan for how an enterprise will recover and restore partially or completely interrupted critical functions within a predetermined time after a disaster or extended disruption.
• It creates a detailed plan along with recovery procedures, roles, responsibilities and a stepwise plan of action to restore the system and network services in the event of a natural or man-made disaster.
• It involves the following:
  − Analysis of organizational threats
  − A list of the primary tasks required to keep the organization's operations flowing
  − Easily located management contact information
  − Explanation of where personnel should go if there is a disastrous event
  − Information on data backups and organization site backup
  − Collaboration among all facets of the organization

Importance of BCP:
− Acts as a guiding document for management and the IT team to restore services and recover data.
− Tells how to recover data, restore services and whom to involve and resort to in case of an emergency.
− Lack of a BCP can lead to chaos, data loss, mismanagement and loss of credibility.

Disaster Recovery Planning (DRP)
• It is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.
• It focuses on how an organization can restore its business operations when a disaster strikes.
• It primarily focuses on the technical issues involved in keeping systems up and running.

Main Aspects of DRP:
− Strategy to restore the system and its operations if a disaster leads to system failure
− Making provision for a disaster recovery setup, preferably in a separate geographical location.
− Detailed data backup and restoration plan to ensure that necessary data are recovered even after a major disaster.
− Predefined procedure for data recovery using available backups.
− Mechanism to alert all concerned immediately in the event of a disaster.

Components of DRP:
1. Emergency Plan:
   − Outlines actions to be taken immediately after a disaster occurs.
   − Provides guidelines on shutting down equipment, termination of power supply, removal of storage etc.
   − Sets out the evacuation process and return procedures.
2. Recovery Plan:
   − Sets out how the full capabilities will be restored.
   − A Recovery Committee is formed and its responsibilities are also prepared as per the plan.
3. Backup Plan:
   − Systems are always vulnerable to disaster irrespective of Information System Security. So, a backup of everything that could be destroyed should be taken.
   − It is essential to make copies of important data, programs, files etc. so that recovery can be made after a disaster.
   − It requires continuous updating.
4. Test Plan:
   − Its purpose is to identify deficiencies in the emergency, recovery or backup plan so that future plans are better.
   − Reviews whether any amendments are required.

Key Points to be taken into account while conducting a Disaster Recovery Testing Policy
• Secure management approval and funding for the test.
• Provide detailed information about the test.
• Make sure the entire test team is available on the planned test date.
• Ensure the test does not conflict with other scheduled tests or activities.
• Confirm test scripts are correct.
• Verify that the test environment is ready.
• Schedule a dry run of the test.
• Be ready to halt the test if needed.
• Have a scribe take notes.
• Complete an after-action report about what worked and what failed.
• Use the results from the test to update the DR plan.

General Steps to Create BCP/DRP
1. Identify scope and boundaries of BCP/DRP:
   − Enables the scope to be defined
   − Provides an idea of the limitations and boundaries of the plan
2. Business Impact Analysis:
   − Study and assessment of the effects on the organization in the event of loss or degradation of a business function resulting from disaster.
3. Inform Top Management:
   − Inform top management about the importance of BCP/DRP and also about the analysis.
   − Obtain commitment for BCP/DRP from top management.
4. Seek help of all Departments:
   − Each department will be affected by a disaster and breakdown of the system.
   − Involve each department in the planning phase so that each department understands the plan and follows it accordingly.
5. Implement the BCP/DRP:
   − After approval from top management, the plan should be maintained and implemented.
   − Guidelines set up in the plan are to be followed.

Importance/Need of Data Backup
− Creates a redundant copy which can be used to recover in the event of damage to the original.
− Ensures integrity and security of data.
− Lost data cannot be recovered without a backup.
− All organizations depend on computer-based information systems.
− Helps disaster recovery and business continuity.

Types of Backup
Full Backup:
− It captures all files on the disk or within the selected folder.
− Mostly used as the initial or 1st backup, followed by subsequent incremental/differential backups.
− Any good backup plan has at least one full backup of the server.
− Restores are fast and easy to manage.
− Backup takes a longer period of time.
Incremental Backup:
− It captures files that were created or changed since the last backup, regardless of backup type.
− One full backup is done first and subsequent backup runs contain just the changed files and new files since the last backup.
− Faster backups but slower restore.
− Efficient use of storage.
Differential Backup:
− It falls in the middle between full backup and incremental backup.
− Stores files that have changed since the last backup.
− Faster backups and efficient use of storage (but less than incremental).
− Faster restoring than incremental.
Mirror Backup:
− In a mirror backup, the source is backed up.
− It is to be used with caution, as a file that is deleted by accident, sabotage or through a virus may also cause that same file in the mirror to be deleted as well.

Business Process Re-engineering (BPR)
• It is the fundamental rethinking and radical redesign of processes to achieve improvement in performance measures like cost, quality, service and speed.
• Consists of the following stages:
  1. Identify business processes
  2. Review, update and analyze as-is business processes
  3. Design to-be business processes
  4. Test and implement to-be business processes.

Redundant Array of Independent Disks (RAID)
• It is a way of storing the same data on multiple disks called an array of drives.
• Technology that allows a high level of storage reliability.
• It combines two or more physical hard disks into a single logical unit using special hardware and software solutions.
• Three concepts in RAID:
  1. Mirroring: Writing identical data to more than 1 disk.
  2. Striping: Splitting of the same data across more than 1 disk.
  3. Error Checking: Redundant data is stored on multiple disks that allow problems to be detected and possibly corrected.

Goal of RAID:
− Increase data reliability
− Increase input/output performance

Benefits of RAID:
− It can combine small disks to create a large virtual disk
− It can create redundancy
− Different RAID levels can be configured to achieve high capacity, high reliability or a combination of both using available, inexpensive disks

Different Types of RAID:
1. RAID 0:
   • 2 or more hard disks are connected in such a way that all information is divided into logical blocks and saved on different hard disks simultaneously, i.e. striping.
   • Advantages:
     − Provides faster read/write speed
     − Easy to implement.
   • Disadvantages:
     − If one disk fails, the entire array of data is lost.
2. RAID 1:
   • Whenever data is written to a disk, the same data is also written to the other redundant disk(s).
   • There exist at least 2 copies of every piece of information.
   • Advantages:
     − Excellent read/write speed
     − Data can be easily recovered from the other disk in the event of failure of one disk
   • Disadvantages:
     − Effective storage capacity is only half of the total disk space.
3. RAID 2:
   • It has bit-level striping with dedicated parity.
   • Data is striped such that each sequential bit is on a different disk.
   • An additional drive stores parity information.
   • At least 3 disks are required.
   • Advantages:
     − Data error correction.
     − High data transfer rates.
     − Can withstand a single disk failure without losing data
   • Disadvantages:
     − Complex to implement
     − More resources required.
4. RAID 3:
   • It has byte-level striping with dedicated parity.
   • Data is striped such that each sequential byte is on a different disk.
   • An additional drive stores parity information.
   • At least 3 disks are required.
   • Advantages and Disadvantages:
     − Same as RAID 2.
5. RAID 4:
   • It has block-level striping with dedicated parity.
   • Data is striped such that each sequential block is on a different disk.
   • An additional drive stores parity information.
   • At least 3 disks are required.
   • Advantages:
     − Same as RAID 2.
   • Disadvantages:
     − Worse write transaction speed.
6. RAID 5:
   • It has block-level striping with distributed parity.
   • It distributes parity information across all disks in the array.
   • Drive failure requires replacement, but the array is not destroyed by a single drive failure.
   • At least 3 disks are required.
   • Advantages:
   • Disadvantages:
     − Complex to design
     − Drive replacement during failure is difficult.
7. RAID 6:
   • It has block-level striping with distributed parity.
   • It provides fault tolerance up to 2 drive failures.

Note: Beneficial to draw the following table in examination:

RAID Type | Striping/Mirroring   | Parity      | Minimum Number of Disks Required | Fault Tolerance
0         | Block Level Striping | N/A         | 2                                | Not tolerant
1         | Mirroring            | N/A         | 2                                | n-1 disks
2         | Bit Level Striping   | Dedicated   | 3                                | 1 disk
3         | Byte Level Striping  | Dedicated   | 3                                | 1 disk
4         | Block Level Striping | Dedicated   | 3                                | 1 disk
5         | Block Level Striping | Distributed | 3                                | 1 disk
6         | Block Level Striping | Distributed | 4                                | 2 disks

Mirroring
• In data storage, disk mirroring or RAID 1 is the replication of logical disk volumes onto separate physical hard disks in real time to ensure continuous availability.
• In a Disaster Recovery context, mirroring data over a long distance is referred to as storage replication.
• Mirroring is typically only synchronous. Synchronous writing typically achieves a Recovery Point Objective (RPO) of zero lost data.
• In addition to providing an additional copy of the data for the purpose of redundancy in case of hardware failure, disk mirroring can allow each disk to be accessed separately for reading purposes.

Clustering
• It is a technique in which the Information System (IS) server is designed in such a way that data and applications are replicated in more than 1 physical system.
• Two or more computers are connected such that they behave like a single computer.
• In a good cluster system, switch-over from one piece of equipment to another is automatic when any equipment fails.
• Clustering is used for:
  − Parallel Processing
  − Fault Tolerance
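An added example, not from the notes: a small byte-level model of RAID 5 (block-level striping with distributed parity) as described in the RAID section above. It shows how a single failed disk is rebuilt by XOR of the surviving blocks in each stripe, why a second concurrent failure is unrecoverable, and the usable capacity behind the "1 disk" tolerance in the table; the block size and the sample record are constructed.

```python
"""Added example (not from the notes): RAID 5 striping with rotating parity,
single-disk reconstruction by XOR, and the two-failure case. Block size and
sample data are constructed; real arrays use KiB-sized blocks."""

BLOCK = 4  # constructed block size in bytes


def xor_blocks(blocks):
    """Bitwise XOR of equal-length byte blocks: the parity function of RAID 5."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks):
    """Stripe `data` over `n_disks` disks with one parity block per stripe.

    The parity block rotates across disks (stripe s puts parity on disk
    s % n_disks), which is what "distributed parity" means. Returns a list of
    disks, each a list of blocks.
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    data_blocks_per_stripe = n_disks - 1
    stripe_bytes = BLOCK * data_blocks_per_stripe
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * BLOCK:(i + 1) * BLOCK]
                       for i in range(data_blocks_per_stripe)]
        parity_disk = s % n_disks
        remaining = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(data_blocks) if d == parity_disk
                            else next(remaining))
    return disks


def raid5_read(disks, length, failed=()):
    """Reassemble the first `length` bytes from the array.

    Disks listed in `failed` are treated as unreadable. With one failure, each
    missing block is rebuilt as the XOR of the other blocks in its stripe
    (the XOR of all blocks in a stripe is zero). With two or more failures the
    stripe cannot be solved and None is returned: that is the case RAID 6
    covers with its second parity block.
    """
    failed = set(failed)
    if len(failed) > 1:
        return None
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        stripe = [None if d in failed else disks[d][s] for d in range(n)]
        for d in failed:
            stripe[d] = xor_blocks([b for b in stripe if b is not None])
        parity_disk = s % n
        out += b"".join(stripe[d] for d in range(n) if d != parity_disk)
    return bytes(out[:length])


def usable_fraction(n_disks):
    """Share of raw capacity that holds data: one disk's worth goes to parity."""
    return (n_disks - 1) / n_disks


if __name__ == "__main__":
    record = b"payroll ledger 2024 Q1 totals"  # constructed sample data
    array = raid5_write(record, 4)
    print("intact:", raid5_read(array, len(record)))
    print("disk 2 failed:", raid5_read(array, len(record), failed={2}))
    print("disks 0 and 2 failed:", raid5_read(array, len(record), failed={0, 2}))
```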
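An added example, not from the notes: a simulation of the full, incremental, differential and mirror backup types listed under "Types of Backup" above, run over a constructed four-day change history. It compares how much each type copies per run against how many backup sets a restore must read, and shows the deletion behaviour that the notes warn about for mirror backups. Differential is implemented as "changed since the last full backup", an assumption (the notes say "since last backup").

```python
"""Added example (not from the notes): full, incremental, differential and
mirror backups over a constructed change history, with restore chains."""
from dataclasses import dataclass

# Constructed change history: one dict per day, file -> new content;
# None means the file was deleted that day.
DAYS = [
    {"ledger.db": "v1", "payroll.xls": "v1", "notes.txt": "v1"},  # day 0
    {"ledger.db": "v2"},                                           # day 1
    {"notes.txt": None, "report.doc": "v1"},                       # day 2: notes.txt deleted
    {"ledger.db": "v3"},                                           # day 3
]


@dataclass
class BackupSet:
    kind: str
    day: int
    files: dict  # file -> content captured by this run


def apply_changes(state, changes):
    new = dict(state)
    for name, content in changes.items():
        if content is None:
            new.pop(name, None)
        else:
            new[name] = content
    return new


def plan_backups(days, kind):
    """Run one backup per day of the given kind (day 0 is always a full backup)."""
    sets, state, last_seen, last_full = [], {}, {}, {}
    for day, changes in enumerate(days):
        state = apply_changes(state, changes)
        if kind == "mirror":          # exact copy of the source, deletions included
            sets.append(BackupSet(kind, day, dict(state)))
        elif day == 0 or kind == "full":
            sets.append(BackupSet("full", day, dict(state)))
            last_full = dict(state)
        elif kind == "incremental":   # new or changed since the last run of any kind
            captured = {n: c for n, c in state.items() if last_seen.get(n) != c}
            sets.append(BackupSet(kind, day, captured))
        elif kind == "differential":  # new or changed since the last full backup
            captured = {n: c for n, c in state.items() if last_full.get(n) != c}
            sets.append(BackupSet(kind, day, captured))
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        last_seen = dict(state)
    return sets


def restore_chain(sets, day):
    """Backup sets that must be read, in order, to restore the state as of `day`."""
    upto = [s for s in sets if s.day <= day]
    last = upto[-1]
    if last.kind in ("full", "mirror"):
        return [last]
    last_full = max(i for i, s in enumerate(upto) if s.kind == "full")
    if last.kind == "differential":
        return [upto[last_full], last]   # full + newest differential
    return upto[last_full:]               # full + every incremental after it


def restore(sets, day):
    """Replay the chain. Full, incremental and differential sets record no
    deletions, so a file deleted on day 2 still comes back from the full set;
    a mirror backup does not keep it, which is the caution the notes attach
    to mirror backups."""
    state = {}
    for s in restore_chain(sets, day):
        state.update(s.files)
    return state


def compare_strategies(days):
    """kind -> (total files copied over all runs, sets read to restore the last day)."""
    last_day = len(days) - 1
    result = {}
    for kind in ("full", "incremental", "differential", "mirror"):
        sets = plan_backups(days, kind)
        result[kind] = (sum(len(s.files) for s in sets),
                        len(restore_chain(sets, last_day)))
    return result


if __name__ == "__main__":
    for kind, (copied, chain) in compare_strategies(DAYS).items():
        print(f"{kind:12s} copied={copied:2d} files, restore reads {chain} set(s)")
```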
Chapter 10: Auditing and Information System

Auditing
• An evaluation of a person, organization, system, process, enterprise, project or product, performed to ascertain the validity and reliability of information and also to provide an assessment of the system's Internal Control.

IT/IS Audit
• An audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them.
• It is an examination of management controls within an IT Infrastructure.

Objectives of IS Audit:
− Asset safeguarding
− System effectiveness
− Data integrity
− System efficiency

Benefits of IS Audit:
• Evaluation of the system's internal control design and effectiveness.
• Information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties.
• Gives assurance that the IT systems are adequately protected, provide reliable information to users and are properly managed to achieve their intended benefits.
• Helps to reduce the risks of data tampering, data loss or leakage, service disruption, and poor management of IT systems.

Aim of IS Audit:
Evaluate the following:
• Will the organization's computer systems be available for the business at all times when required? (known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

IS Audit Strategy
• Audit strategy is a key driver determining the type, scope and frequency of IT audits an organization conducts and defining the criteria the organization uses to prioritize items in the audit universe.
• Audit strategy sets the direction, timing and scope of an audit.
• It is used as a guideline when developing the audit plan.
• It is based on the following considerations:
  − Characteristics of the engagement
  − Timing of the audit
  − Reporting objectives
  − Nature of communication
  − Significant factors directing engagement team efforts
  − NTE (nature, timing and extent) of resources available for the engagement
  − Knowledge gained on other engagements

Audit Trails
• Logs that can be designed to record activity at the system, application and user level.
• They provide an important detective control to help accomplish security policy objectives.
• They can be used to support security objectives in three ways:
  − Detecting unauthorized access to the system
  − Facilitating the reconstruction of events
  − Promoting personal accountability

Role of IS Auditor in General
• In general, the role of the IS auditor is to review and evaluate the internal controls that protect the system.
• The auditor should ascertain that the following objectives are met:
  − Security of IT is met and data are protected.
  − System development and/or acquisition processes are in accordance with management's general procedures
  − Modifications have permission from authorities
  − Data processing is accurate
  − Bugs are identified and handled according to the prescribed process.
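An added example, not from the notes, for the "Audit Trails" section above: it parses a constructed audit trail (the line format, user names and object names are assumptions made for this example) and uses it in the three ways the notes list: detecting unauthorized access from repeated denied attempts, reconstructing one user's sequence of events, and attributing a change to an accountable user.

```python
"""Added example (not from the notes): an audit trail used as a detective
control. Log lines, users, objects and the line format are all constructed."""
import re
from collections import defaultdict

# Constructed sample audit trail mixing system, application and user-level
# records. Assumed format:
#   <timestamp> <level> user=<id> action=<verb> object=<name> result=<ok|denied>
AUDIT_LOG = """\
2024-03-01T09:02:11 application user=asha action=login object=payroll-app result=ok
2024-03-01T09:03:40 application user=asha action=read object=salary-table result=ok
2024-03-01T09:05:02 application user=asha action=update object=salary-table result=ok
2024-03-01T22:14:09 application user=ravi action=login object=payroll-app result=ok
2024-03-01T22:14:30 application user=ravi action=read object=salary-table result=denied
2024-03-01T22:14:41 application user=ravi action=read object=salary-table result=denied
2024-03-01T22:14:55 application user=ravi action=read object=salary-table result=denied
2024-03-01T22:15:10 system user=ravi action=read object=backup-share result=denied
2024-03-02T08:30:00 user user=admin action=grant object=ravi:salary-table result=ok
this line is malformed and must be skipped rather than guessed at
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>system|application|user) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>ok|denied)$"
)


def parse_audit_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_unauthorized_access(events, threshold=3):
    """Way 1: users with `threshold` or more denied attempts, at any level."""
    denied = defaultdict(int)
    for e in events:
        if e["result"] == "denied":
            denied[e["user"]] += 1
    return {u: n for u, n in denied.items() if n >= threshold}


def reconstruct_events(events, user):
    """Way 2: chronological (timestamp, action, object, result) for one user."""
    return sorted((e["ts"], e["action"], e["obj"], e["result"])
                  for e in events if e["user"] == user)


def who_changed(events, obj):
    """Way 3: accountability; users whose successful update/grant touched `obj`."""
    return sorted({e["user"] for e in events
                   if e["obj"] == obj and e["result"] == "ok"
                   and e["action"] in ("update", "grant")})


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    print("repeated denials:", detect_unauthorized_access(evs))
    for row in reconstruct_events(evs, "ravi"):
        print("  ", *row)
    print("salary-table changed by:", who_changed(evs, "salary-table"))
```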
Role of IS Auditor in Physical Access Control (PAC)
• It requires the auditor to review physical access risks and controls to form an opinion on the effectiveness of Physical Access Controls.
• It involves:
  1. Risk Assessment: The auditor must satisfy himself that Risk Assessment Procedures adequately cover periodic and timely assessment of all assets, physical access threats etc.
  2. Control Assessment: Based on the risk profile, the auditor evaluates whether Physical Access Controls are in place and adequate to protect the Information System against risks.
  3. Review of Documents: It requires examination of relevant documents.
• Observation of safeguards and physical access procedures would include inspection of:
  − Core computing facilities
  − Backup and off-site facilities
  − Computer storage room
  − Disposal yards and bins
  − Communication closet
  − Inventory of supplies and consumables.

Role of IS Auditor in Environmental Controls (EC)
• Audit of Environmental Controls should form a critical part of every IS audit plan.
• Critical audit considerations that the IS Auditor should take into account are:
  − Risk profile to include the different kinds of environmental risk that the organization is exposed to
  − Controls assessment must ascertain that controls safeguard the organization against all acceptable risks
  − Security policy of the organization to be reviewed to assess policies and procedures
  − Building plans and wiring plans need to be reviewed
  − IS Auditor to interview relevant personnel to satisfy himself about employees' awareness.
[Same answer could be written for "Audit tools and techniques to ensure that Disaster Recovery Plan (DRP) is in order"]

Computer Aided Audit Technique (CAAT)
• It is a tool used by auditors that facilitates the search for irregularities in given data.
• It is a really helpful tool that helps the auditor to work in an efficient and productive manner.
• CAAT tools support forensic accounting, in which larger amounts of data can be diverted to analytical form.

Why use CAAT/ Need of CAAT:
− Enables the auditor to shift focus from traditional 'transaction' audit to 'system and operation' audit.
− Reduces the cost of basic audit assignments by enabling auditors to test larger samples and examine data faster and more efficiently.
− Reduces time and cost
− Increases the quality of audits
− Can be used in performing tests of transactions continuously.

Steps in IS Audit
1. Establish Terms of Engagement (TOE):
   − It allows the auditor to set the scope and objectives of the relationship between the auditor and the organization.
2. Preliminary Review:
   − Allows the auditor to gather organization information as a basis for creating the audit plan.
3. Obtain understanding of Control Structure:
   − The auditor should consider information from previous audits, assessment of inherent risks, judgement about materiality and the complexity of the organization's operations and systems.
4. Assess Control Risk:
   − The auditor assesses control risk in terms of each major assertion that management should prepare about material items in the financial statements.
5. Test of Controls:
   − Ascertain whether controls are operating effectively.
   − Auditors will carry out testing of both application and management controls.
6. Reassess Controls:
   − Auditors reassess the control risk and might revise the anticipated control risk.
7. Completion of Audit:
   − After the audit procedures developed have been performed and the results have been evaluated, the auditor will issue either an unqualified or a qualified audit report.

Snapshot Technique
• Tracing transactions in a computer system performed by snapshots or extended records.
• Snapshot software is built into the system at those points where material processing occurs; it takes images of the flow of any transaction as it moves through the application.

Impact of Technology on Internal Controls
• Personnel should have the proper skill and knowledge to discharge their duties.
• Authorization procedures often are embedded within a computer program.
• Lack of a visible audit or management trail
• Remote supervision of employees can be conducted.
• Unless due to any kind of failure, there are independent checks on performance.
• Difficulty in delegating authority and responsibility in an unambiguous way.

Chapter 4: System Development Life Cycle

System Development Life Cycle
• It is a systematic and orderly approach to solving system problems.
• It is a multi-stage cycle of activities which are performed during the life of the system.

Feasibility Study
• Feasibility is a measure of how beneficial or practical the development of a system is to the organization.
• It is the process of evaluating alternative systems through cost/benefit analysis so that the most feasible and desirable system can be selected for development.

Dimensions of Feasibility Study
1. Legal Feasibility:
   − Concerned with analysis of any possible conflict between the newly proposed system and the legal obligations of the organization's existing system.
2. Operational Feasibility:
   − It measures the urgency of the problem or the acceptability of the solution.
   − Two aspects of operational feasibility to be concerned with:
     ▪ Is the problem worth solving, or will the solution to the problem work?
     ▪ How do the end users and management feel about the problem (solution)?
3. Schedule Feasibility:
   − Focuses on the time frame needed to develop the new system and make it operational.
   − Evaluates the promptness of service provided after implementation of the new system.
4. Economic Feasibility:
   − Includes evaluation of the incremental costs and benefits expected if the proposed system is implemented.
   − Financial and economic concerns are:
     ▪ Cost of conducting full system
     ▪ Cost of technology
     ▪ Benefits in terms of reduced cost.
5. Technical Feasibility:
   − Concerned with hardware and software.
   − Technical feasibility issues are:
     ▪ Is the essential technology available to do the task?
     ▪ Does the proposed equipment have the technical capacity to hold the data?
     ▪ Does the system provide data security, reliability and ease of access?
     ▪ Does the system have a scalability feature?
     ▪ Does the proposed system provide adequate response?

Usability Analysis
• It is a test of system user interfaces and is measured in how easy they are to learn and to use and how they support the desired productivity level of the users.
• There are certain goals or criteria that experts agree help measure usability.
• They are:
  − Ease of learning
  − Satisfaction
  − Ease of use

Underlying Principles for System Development
− Justify the system as a capital investment
− Divide and conquer
− Establish phases
− Design the system for growth and change
− Establish standards
− Get the owners and users invested
− Problem solving approach
− Don't be afraid to cancel

Steps/Phases in System Development Life Cycle
1. Preliminary Investigation:
   − It consists of clearly identifying what the requirement of the originator is.
   − Consists of three parts:
     ▪ Request classification
     ▪ Request approval
     ▪ Feasibility study
2. Requirement Analysis:
   − A comparison of the proposed system is made with the existing system and the detailed requirements of the user are analyzed.
   − This stage is also called System Analysis.
3. System Design:
   − Computerized design of hardware, database, front/back ends and networking is done to facilitate the basic working operation of the business.
4. System Development/Acquisition:
   − The new system according to the design is physically developed or acquired from external sources.
5. System Testing:
   − The developed or acquired system is tested in real time to ensure that the system will function properly in real life.
6. Implementation & Maintenance:
   − The developed and tested system is deployed in real business operation.
   − The working of the newly developed system is evaluated eventually and maintenance is also done in case of failure.

Computer Aided Software Engineering (CASE)
• A software tool that helps software designers and developers specify, generate and maintain some or all of the software components of an application.
• It provides software tools to automate the system development process by reducing the amount of repetitive work developers normally do.
• Generally, CASE tools are personal computer based with powerful graphical capabilities.
• The objective of a CASE tool is to help system analysts and designers in developing a good quality system within specified time and budget constraints.

Various Types of CASE Tools:
− Analytical tool
− Code generator tool
− Diagrammatic tool
− Documentation generator tool
− Display and report generator tool
− Testing and debugging tool

Advantages of CASE Tools:
− Improve productivity
− Better and more consistent documentation
− Reduce lifetime maintenance
− Improve quality

Models of System Development
1. Waterfall Model
2. Spiral Model

Waterfall Model
• It is the first process model to be introduced, and it illustrates the software development process in a linear sequential flow.
• It is very simple to understand and use.
• Each phase must be completed before the next phase can begin and there is no overlapping.
[The details of each point are the same as those of "Steps/Phases in System Development Life Cycle" above.]

Situations where Waterfall Model is most appropriate:
− Requirements are very well documented, clear and fixed
− Product definition is stable
− Technology is understood and not dynamic
− There are no ambiguous requirements.
− Project is short.

Strengths:
− Simple and easy to understand and use
− Easy to manage
− Clearly designed stages
− Easy to arrange tasks
− Process and results are well documented.

Weaknesses:
− Not a good model for complex projects
− Difficult to measure progress within stages
− Poor model for long and ongoing projects
− High risk and uncertainty.

Spiral Model
• It is a continuous process of development which is a combination of elements of both design and prototyping-in-stages, in an effort to combine the advantages of both top-down and bottom-up concepts.
• It is similar to the incremental model, with more emphasis placed on risk analysis.
• Each loop of the spiral is split into 4 sectors:
  1. Objective Setting: Specific objectives for the phase of the project are defined. Project risks are defined and a detailed plan is drawn up.
  2. Risk Assessment and Reduction: For each identified risk, detailed analysis is done and steps are taken to minimize such risks.
  3. Development and Validation: The planned product is developed along with future testing.
  4. Planning Phase: The project is reviewed and a further loop of the spiral is planned.
Situations where Spiral Model is most appropriate:
− When cost and risk evaluation is important.
− For medium to high risk projects.
− Users are unsure of their needs.
− Requirements are complex.
− New product line.
− Significant changes are expected.

Strengths:
− Flexible
− Less costly than Waterfall Model
− Better user involvement than Waterfall Model
− Allows extensive use of prototypes

Weaknesses:
− Management is more complex.
− Process is complex.
− Possibility of repetition of work in different loops.
− More time consuming than Waterfall Model.

Prototyping
• It is a usable system or system component that is built quickly and at less cost, with the intention of modifying/replicating/expanding or even replacing it with a full-scale and fully operational system.
Steps involved in development:
1. Working in manageable modules
2. Building the initial prototype rapidly
3. Modifying the prototype in successive iterations
4. Stress test and user interface optimization.
Limitations:
− Based on hit and trial
− Can lead to an entirely different end system
− May increase complexity
Advantages:
− Makes the development process faster and easier
− Used for both small and large applications
− Provides potential for change.

Approaches to System Development
1. Traditional Approach:
   • System development activities are performed in sequence.
   • System Development phases are: [List Waterfall Model Phases]
   • Advantages:
     − User needs are addressed
     − High morale
   • Disadvantages:
     − Rigid
     − Lack of user involvement
2. Prototyping: [As above]
3. End User Development Approach:
   • End users are responsible for system development instead of computer professionals.
   • Advantages:
     − User needs are addressed
     − High morale
   • Disadvantages:
     − Inadequate system testing
     − Chances of failure
4. Top-Down Approach:
   • Assumes a high degree of top management involvement in system planning and development.
   • Systems are developed in line with organization goals, objectives and strategies.
   • Advantages:
     − System consistent with organization goals
   • Disadvantages:
     − Lack of morale
     − Dissatisfaction of employees
5. Bottom-Up Approach:
   • System development is started from the basic system required for day-to-day business operations, and only then are the other parts of the system required by top management developed.
   • Advantages:
     − User satisfaction
     − Involvement of operational staff
   • Disadvantages:
     − It may not be in line with organization goals.
6. Systematic Approach:
   • User requirements are identified and then a search for suitable software is done.
   • Focuses on goals and obj
ectives.
7. Application Software Package:
   • Advantages:
     − Eliminates the need to write program code
     − Cuts down system analysis, design, development and testing.
   • Disadvantages:
     − Software may not meet precise user needs
8. Outsourcing:
   • Advantages:
     − Saves development cost
     − No need for internal technical staff
   • Disadvantages:
     − Less control over IS
     − High dependency on external vendors.

System Testing
• The developed system is thoroughly checked before it is used by end users.
• System testing is also an excellent time to train employees in the operation of the new system.
• One of the effective ways of system testing is to perform parallel operations with the existing system.
Steps:
1. Preparation of realistic test data.
2. Processing the test data via the new system
3. Checking the results thereof.

Types of Testing:
1. Unit Test: Testing of individual programs of the new system for:
   − Correct functioning
   − Proper performance
   − Coding inspections.
2. Integration Test: Testing of programs that are interlinked with one another for their correct working and proper linking.
3. System Testing: Testing of the overall system from the views of:
   − Performance test
   − Backup and recovery test
   − Stress test
   − Security test
4. User Acceptance Testing: Test by users to ensure that the system is working as required by them.

Importance of Good Knowledge of Business to develop Effective IT System
• A system becomes effective for a business organization if it is designed and developed with the specific requirements of the organization in mind.
• A custom-built system is always better than a general-purpose off-the-shelf system. However, to make such custom-built systems effective, the design and development process should be based on a good understanding of the nature of the business and the activities, processes and transactions involved in the business activities.
Chapter 5: System Analysis and Design

System Analysis
The act, process or profession of studying an activity by mathematical means in order to define its goal or purpose and to discover the operations and procedures for accomplishing it most efficiently.

Techniques for Performing System Analysis/System Design
1. Modern Structured Analysis: Process-oriented technique of breaking a large program into a hierarchy of modules, which results in a computer program that is easier to design and implement.
2. Information Engineering: Data-centred technique which involves conducting a business area requirements analysis from which IS applications are carved out and prioritized.
3. Prototyping: A usable system or system component that is built quickly and at low cost, with the intention of modifying, replicating, expanding or even replacing it by a full-scale, fully operational system.
4. Joint Application Development (JAD): Technique that complements other system analysis and design techniques by emphasizing participative development among system owners, users, designers and builders.
5. Rapid Application Development (RAD): Merger of various structured techniques with prototyping and JAD techniques to accelerate system development.
6. Object Oriented Design (OOD): An extension of the object-oriented analysis strategy. It is used to refine the object requirement definitions identified earlier during analysis.

Concept of Data and Process Modeling
Data Flow Diagram:
• It is a graphical presentation of the flow of data through an IS.
• It uses a few simple symbols to illustrate the flow of data among external entities, processing activities and data storage elements.
• It is composed of four basic elements:
− Data Source and Destination: The people and organizations that send data to and receive data from the system.
− Data Flow: The flow of data into or out of a process.
− Transformation Process: A process that transforms data from input to output.
− Data Store: The storage of data.
• Because it shows every point where data enters, leaves or is stored, a DFD is also the usual starting point for threat modeling: each flow from an external entity into the system is a place where input must be validated and access controlled.
• Advantages of Data Flow Diagram:
− Straightforward graphical technique
− Used as part of the system documentation file
− Supports the logic behind the data flow
− Provides a detailed representation of system components
• Disadvantages of Data Flow Diagram:
− A little confusing to developers
− Physical considerations are left out
− Takes a long time to create

E-R Diagram:
• It is a graphical illustration used to display objects or events within a system and their relationships to one another.
• It is a data modeling technique that creates an illustration of an IS's entities and the relationships between those entities.
• It has three ingredients:
− Entities: Represent people, places, items, events or concepts.
− Attributes: Represent properties or descriptive qualities of an entity. Also known as data elements.
− Relationships: Represent links between different entities.
• The three basic types of relationship are one-to-one, one-to-many and many-to-many.
• Steps in Building an E-R Diagram:
1. Determine the data entities
2. Generate a list of potential entity relationships or pairings
3. Determine the relationship between each entity pairing
4. Analyze the significant entity relationships
5. Develop an integrated E-R Diagram
6. Define and group the attributes for each data entity.

Factors Affecting Output Design
1. Content:
− It refers to the actual information to be given to the user of the system.
− It should be very precise and free of unessential information.
2. Timeliness:
− It is related to the time/interval at which the required information is provided to the user.
− Information received after the required time is of no use.
3. Format:
− It is the arrangement of information on a report, such as tabular or graphical.
4. Media:
− It refers to the actual physical accessories on which the output information is presented, such as a monitor or printed documents.
5. Form:
− It is related to the way information is presented, such as audio, video or text.

Chapter 8: Information Security, Protection and Control

Vulnerability
• It is the intersection of 3 elements:
− System susceptibility or fault
− Attacker access to the fault
− Attacker ability to exploit the fault
• Removing any one of the three (fixing the fault, cutting off the attacker's access to it, or making it unexploitable) removes the vulnerability; this is why a fault that is unreachable from outside is a lower risk than the same fault on an exposed interface.

Threats
• A threat is an entity or event with the potential to cause harm to a computer system.
• Threats should be identified and analyzed to determine the likelihood of their occurrence and their potential to harm.
• They arise from:
− Technical condition: program bugs, disk crash
− Natural disaster: fires, floods
− Environmental condition: electric surges
− Human factors: lack of training, error
− Unauthorized access: hacking or virus

Internal Threats:
• Those threats that originate from inside the organization, mostly from employees, and which may be intentional or unintentional.
• Common techniques used are:
− Data entry error
− Alteration of data during input
− Equipment or software failure
− Alteration of software instructions or functions
− Data destruction

External Threats:
• Those threats that originate from outside the organization's system when it is connected through the internet to external networks.
• Some examples:
− Removal of information during transmission through the internet
− Transmission of viruses and worms
− Interception of email
− Hacking
− Interception of electronic payments during transmission.
Preventive Measures:
− Adequate segregation of duties
− Protect the system from viruses
− Fire- and earthquake-proof building
− Develop a strong system of internal controls
− Restrict access to computer equipment and data files
− Encrypt data and programs in storage and during transmission
− Train employees.

Internet Vulnerabilities
• The internet is more vulnerable because it is a large public network open to everyone.
• When the internet becomes part of the computer network, the Information System becomes vulnerable to outsiders.
• Computers with constant access to the internet are more open to penetration by outsiders because they have fixed internet addresses and can be easily identified (and scanned) from anywhere.

Wireless Security Challenge
• Wireless networks using radio-based technologies are vulnerable because radio signals can be received by anyone within range, without any physical connection to the network.
• Hackers target unprotected networks because they are easy to enter.

Internet Security
• Internet security involves the protection of a computer's internet accounts and files from intrusion by an unknown user.
• Basic security measures involve protection by well-selected passwords, correctly set file permissions and backup of the computer's data.

Major Aspects in which Internet Security Professionals Should Be Fluent

Penetration Testing:
• Penetration testing is a planned, authorized, step-by-step procedure that tests the system for vulnerabilities by attempting to exploit them.
• For this, the security professional should have good knowledge and experience of conducting such testing.
• The professional should also have a good idea about the system being tested and its potential weaknesses.

Intrusion Detection:
• Intrusion detection is the process of identifying unlawful entry into the system, or an attempt at such entry.
• For timely detection of such unwanted entry, the security professional should have a good idea of the symptoms and signs of such an intrusion.
• It is also necessary to know the remedial action to be performed when such an incident is identified.

Incident Response:
• Whenever a security incident such as a system breach, network breach, data loss or identity theft happens and is reported or identified, the security personnel should be able to respond appropriately.

Legal/Audit Compliance:
• Security incidents are related to legal provisions and actions. Hence, the security personnel should also be aware of the existing legal provisions relating to security incidents involving information systems and related assets.

Information Security
• It is the protection of data or information against harm from threats that would lead to loss, inaccessibility, alteration or wrongful disclosure.
• It can be achieved through a layered series of technological and non-technological safeguards.

Need for Protection of Information Security:
• Organizations depend on timely, accurate, complete, valid, consistent, relevant and reliable information.
• Management has the responsibility to ensure that the organization provides all users with a secure information processing environment.
• Information security failures may result in financial losses and/or intangible losses.

Computer Virus
• It is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without the user's knowledge or permission.

Measures to protect from Virus:
− Use of the latest updated antivirus
− Use of portable memory devices only after scanning them for viruses
− Do not visit untrusted websites.
− Use an appropriate firewall.

Worms
• A worm is an independent computer program that copies itself from one computer to another over a network.
• It can destroy data and programs as well as disrupt or even halt the operation of computer networks.

Trojan Horse
• It is a software program that appears to be benign but then does something other than expected.
• It is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code to be introduced into a system.

Computer Fraud
• It is an unauthorized and/or illegal activity such as:
− Modification of data
− Modification of software
− Destruction of hardware
− Unauthorized access, etc.
• It is performed with knowledge of computer technology.
• It includes the following:
− Unauthorized use, access, modification or copying of software or data
− Theft or destruction of software and data
− Theft or destruction of computer hardware
− Use, or conspiracy to use, computer resources to commit an offense
− Intent to illegally obtain information or tangible property through use of a computer system.

Impact of Computer/Cyber Fraud:
− Financial loss
− Loss of credibility
− Legal repercussions
− Disclosure of confidential information.

Techniques to Commit Computer/Cyber Fraud:
− Hacking: Refers to unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunication network. In this usage, hackers do not normally intend to cause any damage.
− Cracking: A hacker with malicious intentions, i.e. unauthorized entry. Unethical hacking is cracking.
− Data Diddling: Changing data before, during or after it is entered into the system in order to delete, alter or add key system data.
− Data Leakage: Refers to unauthorized copying of company data such as computer files.
− Denial of Service (DoS) Attack: An action or series of actions that prevents access to a software system by its intended/authorized users, causes delay of its time-critical operations, or prevents any part of the system from functioning.
− Internet Terrorism: Refers to using the internet to disrupt e-commerce and to destroy company and individual communications.
− Logic/Time Bomb: A program that lies idle until some specified circumstance or particular time triggers it. Once triggered, the bomb sabotages the system by destroying programs, data or both.
− Masquerading or Impersonation: The perpetrator gains access to the system by pretending to be an authorized user.
− Password Cracking: The intruder penetrates the system's defences, steals the file containing the stored passwords, recovers the passwords from it and then uses them to gain access to system resources such as programs, files and data. (Stored passwords are normally hashed rather than encrypted, so "recovering" them means guessing candidates offline until one hashes to the stored value; the defences are a per-user salt and a deliberately slow hash function.)
− Piggybacking: Refers to tapping into a telecommunication line and latching on to a legitimate user before he logs into the system.
− Round Down: The computer rounds down all interest calculations to 2 decimal places. The remaining fraction is placed in an account controlled by the perpetrator.
− Scavenging or Dumpster Diving: Refers to gaining access to confidential information by searching through discarded corporate records.
− Super Zapping: Refers to unauthorized use of special system utility programs to bypass regular system controls and perform illegal acts.
− Trap Door: The perpetrator enters the system using a back door that bypasses normal system controls and perpetrates fraud.

Software Vulnerability
• Errors in software pose a severe threat to an Information System.
• There is always a chance of hidden bugs or program code defects.
• Software designers may have written or documented some code incorrectly, as software has thousands of lines of code.
• Intruders look to attack such software flaws, for example through viruses and worms.
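The "Password Cracking" entry above says the attacker steals the password file and "decrypts" it. In practice the file holds hashes, and the attack is an offline guessing attack. The following is an added example (not from the original notes) that runs the same dictionary attack against two constructed, invented password files: one storing unsalted SHA-1, the other storing salted PBKDF2. The user names, wordlist and passwords are made up; the point is the difference in work the attacker must do.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a real password dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2023"]


def sha1_hex(password: str) -> str:
    """Unsalted, fast hash: the weak storage scheme being attacked."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "stolen" password file. Two users chose dictionary words, one did not.
STOLEN_UNSALTED = {
    "alice": sha1_hex("letmein"),
    "bob": sha1_hex("qwerty"),
    "carol": sha1_hex("7vP!q2#Lm9zR"),
}


def crack_unsalted(stolen: dict, wordlist: list) -> tuple:
    """Dictionary attack against unsalted hashes.

    One hash per candidate word covers *every* user, because identical
    passwords hash to identical values: build the lookup table once and
    read every match off it.  Returns (cracked, hashes_computed).
    """
    table = {sha1_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stolen.items() if h in table}
    return cracked, len(wordlist)


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Salted, deliberately slow storage (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def build_salted_store(passwords: dict, iterations: int = 100_000) -> dict:
    return {u: make_salted_record(p, iterations) for u, p in passwords.items()}


def crack_salted(stolen: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted records.

    The per-user salt makes a shared lookup table useless: every candidate
    must be re-hashed for every user, and each hash costs `iterations`
    rounds.  Returns (cracked, hashes_computed).
    """
    cracked, work = {}, 0
    for user, record in stolen.items():
        for word in wordlist:
            work += 1
            if verify_salted(record, word):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print(crack_unsalted(STOLEN_UNSALTED, WORDLIST))
    store = build_salted_store(
        {"alice": "letmein", "bob": "qwerty", "carol": "7vP!q2#Lm9zR"}, 1_000
    )
    print(crack_salted(store, WORDLIST))
```

The weak passwords fall in both cases; what changes is the cost per guess (one fast hash shared by all users versus one slow derivation per user per candidate). That cost, not secrecy of the file, is what a password storage control buys.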
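The "Round Down" technique in the table above is easy to state and easy to miss in an audit. The following is an added example (not part of the original notes) on a constructed ledger of 200 invented savings accounts: it posts interest the approved way, posts it the fraudulent way, and then runs the detective control that catches the fraud. The rate, account numbers and the perpetrator's account "S-9999" are all assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0375") / 12          # constructed: 3.75 % p.a., credited monthly


def sample_ledger(n: int = 200) -> dict:
    """Constructed ledger: n savings accounts with varied balances (to the cent)."""
    return {f"S-{1000 + i}": (Decimal(100000 + 13717 * i) / 7).quantize(CENT)
            for i in range(n)}


def post_interest(ledger: dict, rounding: str = ROUND_HALF_EVEN) -> dict:
    """Approved procedure: each credit rounded with the bank's rule."""
    return {acct: (bal * MONTHLY_RATE).quantize(CENT, rounding=rounding)
            for acct, bal in ledger.items()}


def salami_posting(ledger: dict, perpetrator: str = "S-9999") -> dict:
    """Round-down fraud: truncate every credit and sweep the shaved fractions
    of a cent into an account the perpetrator controls (not in the ledger)."""
    postings, skim = {}, Decimal(0)
    for acct, bal in ledger.items():
        exact = bal * MONTHLY_RATE
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = truncated
        skim += exact - truncated
    postings[perpetrator] = skim.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def audit_postings(ledger: dict, postings: dict) -> dict:
    """Detective control, run by someone other than the programmer.

    A totals-only reconciliation passes: the skim account absorbs exactly
    the difference, so total credits still match total interest to the cent.
    What catches the fraud is (1) recomputing every credit independently
    with the approved rounding rule and (2) flagging any credit to an
    account that does not exist in the ledger.
    """
    expected = post_interest(ledger)
    mismatched = [a for a in expected if postings.get(a) != expected[a]]
    unknown = sorted(a for a in postings if a not in ledger)
    total_exact = sum((bal * MONTHLY_RATE for bal in ledger.values()), Decimal(0))
    total_posted = sum(postings.values(), Decimal(0))
    return {
        "mismatched_accounts": len(mismatched),
        "unknown_accounts": unknown,
        "totals_gap": total_exact - total_posted,   # under one cent for the fraudulent run
    }


if __name__ == "__main__":
    ledger = sample_ledger()
    print("honest:", audit_postings(ledger, post_interest(ledger)))
    fraud = salami_posting(ledger)
    print("fraud :", audit_postings(ledger, fraud), "skimmed:", fraud["S-9999"])
```

The lesson for the "Preventive Measures" list: segregation of duties (the person who writes the interest program must not also approve the postings) and an independent recomputation are what surface this, because the totals balance by construction.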
Firewall
• A system, or combination of systems, that enforces a boundary between two or more networks, typically forming a barrier between a secure environment and an open environment such as the internet.
• It protects the system from invasive attacks and unauthorized access.
• It protects private networks from public networks.

Types of Firewall:
1. Packet Filtering:
− The firewall has a list of rules on packet header fields (source and destination address, port and protocol).
− It allows only those data packets that match an allow rule, judging each packet on its own.
2. Proxy Firewall:
− It does not pass packets through directly; it terminates the connection and opens a new one on the client's behalf.
− It checks the data for viruses and non-standard codes.
3. Application Level:
− It understands specific application protocols (such as HTTP or FTP) and enforces rules written for that application, which are fed into it by the administrator.
4. Stateful Inspection:
− It keeps a table of the connections it has seen and lets through packets that belong to an established connection, instead of judging every packet in isolation.

Role of Firewall in System Security:
− Designed to control access to and from a system or network
− Used to protect a particular system, a set of systems or networks
− Protects against unwanted and illegitimate access
− Alerts/informs system administrators about any unwanted events or activity related to the system.

Principles of Information Security
1. Accountability:
− Responsibility and accountability must be explicit.
− Security of information requires an express and timely apportionment of responsibility and accountability among data owners, technology providers and users.
2. Awareness:
− Data owners, process owners, technology providers, users and other parties must be able to gain knowledge of the existence and general extent of the risks facing the organization and its systems.
3. Multi-disciplinary:
− Security must be addressed taking into consideration both technological and non-technological issues such as administrative, organizational, operational and legal issues.
4. Cost Effectiveness:
− Security must be cost effective.
− Security levels and the associated costs must be compatible with the value of the information.
5. Integration:
− Security measures, practices, procedures and policies must be integrated with one another as well as with organizational procedures and practices to be effective.
6. Re-assessment:
− Security must be reassessed periodically, as Information Systems and the requirements for their security vary over time.
7. Timeliness:
− Security procedures must provide for monitoring of, and timely response to, attempted security breaches.
8. Social Factors:
− Information security should be provided while ensuring that the rights and interests of others are respected.

Risks to Business from Computer Fraud
− Alteration of data
− Removal of information
− Destruction of system integrity
− Interception and alteration of electronic payments
− Tampering with or copying of software in an unauthorized manner
− Alteration of input.

Security Mechanisms Used for E-Commerce (Components)
1. User authentication mechanisms, from simple means to more complex means
2. Use of secure transaction channels over encrypted virtual private networks
3. Use of secure mechanisms such as secure HTTP, public key infrastructure or digital signatures
4. Use of professional and dedicated third-party certification, monitoring and control mechanisms
5. Use of robust systems to counter threats.
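The difference between packet filtering and stateful inspection in the "Types of Firewall" list is easiest to see on concrete traffic. The following is an added example (not from the original notes) that simulates both on constructed packets: a private network 10.0.0.0/24 with one public HTTPS server, a client's outbound request, its genuine reply, and an attacker's probe of an internal RDP port dressed up with source port 443. Addresses, ports and rules are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving the private network
    src: str
    sport: int
    dst: str
    dport: int


# Constructed rule sets. A rule is
# (direction, src_prefix, sport, dst_prefix, dport, action); None means "any".
STATEFUL_RULES = [
    ("out", "10.0.0.", None, None, None, "allow"),    # hosts may open connections outward
    ("in", None, None, "10.0.0.5", 443, "allow"),     # anyone may reach the web server
]
# A stateless filter cannot tell a reply from a fresh packet, so for outbound
# browsing to work it must also admit every inbound packet with source port 443.
STATELESS_RULES = STATEFUL_RULES + [("in", None, 443, "10.0.0.", None, "allow")]
DEFAULT_ACTION = "deny"


def matches(rule: tuple, p: Packet) -> bool:
    direction, src, sport, dst, dport, _ = rule
    return (direction == p.direction
            and (src is None or p.src.startswith(src))
            and (sport is None or p.sport == sport)
            and (dst is None or p.dst.startswith(dst))
            and (dport is None or p.dport == dport))


def packet_filter(p: Packet, rules: list = STATELESS_RULES) -> str:
    """Packet filtering: each packet is judged on its own header fields."""
    for rule in rules:
        if matches(rule, p):
            return rule[-1]
    return DEFAULT_ACTION


class StatefulFirewall:
    """Stateful inspection: remember connections opened from inside and admit
    an inbound packet only if it answers one of them (or hits an explicit
    inbound-service rule)."""

    def __init__(self, rules: list = STATEFUL_RULES):
        self.rules = rules
        self.connections = set()          # (src, sport, dst, dport) of outbound flows

    def inspect(self, p: Packet) -> str:
        if p.direction == "out":
            action = packet_filter(p, self.rules)
            if action == "allow":
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return action
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow"                # reply to a connection we opened
        return packet_filter(p, self.rules)


# Constructed traffic.
REQUEST = Packet("out", "10.0.0.23", 51515, "203.0.113.10", 443)
REPLY = Packet("in", "203.0.113.10", 443, "10.0.0.23", 51515)
SPOOFED = Packet("in", "198.51.100.7", 443, "10.0.0.23", 3389)   # RDP probe, sport 443


def compare(packets=(REQUEST, REPLY, SPOOFED)) -> list:
    """(src, dport, stateless decision, stateful decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(p.src, p.dport, packet_filter(p), fw.inspect(p)) for p in packets]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The stateless filter passes the spoofed probe because its header satisfies the blanket "source port 443" rule; the stateful firewall denies it because no inside host ever opened a connection to 198.51.100.7, while the genuine reply is still admitted.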
Major Steps in Developing an E-Commerce Security Plan
1. Risk Assessment: Assessment of the risks and points of vulnerability.
2. Develop Security Policy: A set of statements prioritizing the information risks, identifying acceptable risk targets and identifying the mechanisms for achieving these targets.
3. Create Implementation Plan: Create a plan on how to implement the security policy and which measures to use.
4. Create Security Team: The individuals who will be responsible for ongoing maintenance, audits and improvements.
5. Perform Periodic Security Audits: Perform periodic Information System security audits to ensure that security is in order and as per the security plan.

Public Key Encryption
• It is also known as asymmetric encryption.
• It is based on a public/private key pair.
• These keys are mathematically linked so that data encrypted with the public key can only be decrypted with the corresponding private key.
• With public key encryption, the sender converts the plain text message into cipher text by encrypting it with the recipient's public key. The message recipient converts the cipher text back into the plain text message by decrypting it with the corresponding private key.
• The public key can be published freely; only the private key must be kept secret. Because public key operations are slow, in practice they are used to exchange a symmetric session key (or to sign a message digest), and the bulk data is encrypted with the symmetric key.

Intrusion Detection System
• It is a type of security software designed to automatically alert administrators when someone or something is trying to compromise the Information System through malicious activities or through security policy violations.
• It continuously monitors network traffic or host activity (logs, file changes, system calls) and matches it against signatures of known attacks and against baselines of normal behaviour; it reports, but does not block.

Intrusion Prevention System
• It is a pre-emptive approach to network security used to identify potential threats and respond to them swiftly.
• It monitors network traffic, sitting in-line so that traffic passes through it.
• Intrusion prevention systems also have the ability to take immediate action (dropping packets, resetting the connection or blocking the source), based on a set of rules established by the network administrator.

Major Areas to Consider as a Security Auditor
− Installation quality of the system
− Make sure access to the system servers and the system room is restricted to designated persons only
− Check whether proper data and system backup procedures are followed.
− Check for a proper firewall
− Well-defined guidelines are present
− Make sure the system is regularly monitored for errors and alerts.
− Ensure the system hardware is well maintained.
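The "Intrusion Detection" aspect earlier (knowing the symptoms and signs of an intrusion) and the IDS/IPS definitions above are demonstrated together in the following added example, which is not from the original notes. It runs two common detection rules, a content signature and a failed-login threshold, over a constructed, invented authentication/web log, first as an IDS that only alerts and then as an IPS that also drops traffic from the offending source. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like shape: "<time> <source> <event> key=value".
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.9 LOGIN_FAIL user=admin
2024-03-01T09:00:02 203.0.113.9 LOGIN_FAIL user=root
2024-03-01T09:00:02 10.0.0.23 LOGIN_OK user=alice
2024-03-01T09:00:03 203.0.113.9 LOGIN_FAIL user=administrator
2024-03-01T09:00:04 203.0.113.9 LOGIN_FAIL user=admin
2024-03-01T09:00:05 203.0.113.9 LOGIN_FAIL user=admin
2024-03-01T09:00:06 203.0.113.9 LOGIN_OK user=admin
2024-03-01T09:00:40 198.51.100.7 HTTP_GET path=/cgi-bin/../../etc/passwd
2024-03-01T09:05:00 10.0.0.23 LOGIN_FAIL user=alice
"""

SIGNATURES = ["../", "/etc/passwd"]                  # known-bad content (signature rule)
FAIL_THRESHOLD, WINDOW = 5, timedelta(seconds=60)    # threshold rule for brute force


def parse(line: str) -> dict:
    ts, src, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "src": src, "event": event, **fields}


class IntrusionDetector:
    """IDS: watches the event stream and raises alerts; never blocks anything."""

    def __init__(self):
        self.failures = defaultdict(deque)   # src -> timestamps of recent LOGIN_FAIL
        self.alerts = []
        self.alerted = set()

    def observe(self, rec: dict) -> None:
        # Signature rule: request content contains a known attack string.
        payload = rec.get("path", "")
        if any(sig in payload for sig in SIGNATURES):
            self.alerts.append(("signature", rec["src"], payload))
        # Threshold rule: too many failed logins from one source inside the window.
        if rec["event"] == "LOGIN_FAIL":
            q = self.failures[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and rec["src"] not in self.alerted:
                self.alerted.add(rec["src"])
                self.alerts.append(("brute_force", rec["src"],
                                    f"{len(q)} failures in {WINDOW.seconds}s"))


class IntrusionPreventer(IntrusionDetector):
    """IPS: the same detection, but in-line and acting on its own alerts."""

    def __init__(self):
        super().__init__()
        self.blocked = set()

    def filter(self, rec: dict) -> str:
        if rec["src"] in self.blocked:
            return "drop"
        before = len(self.alerts)
        self.observe(rec)
        if len(self.alerts) > before:            # this event raised a new alert
            self.blocked.add(rec["src"])
            return "drop"
        return "pass"


def run_ids(log: str) -> list:
    ids = IntrusionDetector()
    for line in log.splitlines():
        ids.observe(parse(line))
    return ids.alerts


def run_ips(log: str) -> tuple:
    ips = IntrusionPreventer()
    decisions = []
    for line in log.splitlines():
        rec = parse(line)
        decisions.append((rec["src"], ips.filter(rec)))
    return decisions, sorted(ips.blocked)


if __name__ == "__main__":
    print(run_ids(SAMPLE_LOG))
    print(run_ips(SAMPLE_LOG))
```

Note the line at 09:00:06: the IDS raises the brute-force alert one second earlier but the attacker's eventual successful login still goes through, which is the "remedial action" gap the notes mention; the IPS, being in-line, drops that login because the source was blocked when the threshold was crossed.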
Chapter 3: Information Technology Strategy and Trends

Business Strategy
• It is the set of activities and decisions firms make that determine the following:
− Products and services the firm produces
− Industries in which the firm competes
− Competitors, suppliers and customers of the firm
− Long-term goals of the firm
• Conscious strategic planning processes result in strategies.
• Strategic plans are useful interim tools for defining what the firm will do until the business environment changes.

Levels of Strategy:
1. Business: a single firm producing a set of related products and services.
2. Firm: a collection of businesses that make up a single, multidivisional firm.
3. Industry: a collection of firms that make up an industrial environment.
• IS and IT play a crucial role in corporate strategy and strategic planning at each of these three levels.
• IT, and the ability to use IT effectively, will shape what the firm makes or provides to customers, how it makes its product/service, how it competes in the industry, etc.

IT Strategy Plan
• An IT strategy is a comprehensive plan that IT management professionals use to guide their organization.
• It should cover all facets of technology management, including:
− Cost management
− Vendor management
− Human capital management
− Risk management
− Hardware and software management
• Executing an IT strategy requires strong IT leadership.
• The primary objective of an IT strategy is to provide a holistic view of the current IT environment, the future direction, and the initiatives required to migrate to the desired future environment.

Points to be considered while aligning IT Strategy with Business Strategy:
− Business environment
− Business processes
− Organizational culture
− Internal policies
− Organizational structure
− Management decision-making process.

Dimensions of Planning:

Factors Influencing Information Technology
1. Flexibility of changes in business and technology:
− There should be sufficient room in any business and its involved technology for improvement.
− If the business and the involved technology are confined within a small boundary, new ideas and concepts cannot be groomed.
2. Budget:
− Budget is a major influencing factor of any process or system.
− The size of the budget determines the level of integration, reliability and efficiency of the technology for the business.
3. Speed to the market:
− How fast the system is brought to the market determines the life of the technology.
− If the technology is brought to market after its time value has expired, its success will not be as expected.
4. Legal and Regulatory Body:
− The regulatory and legal authorities are the major entities deciding on the deployment of any technology.
− If any technology is banned by the legal authority, its fate will sink.
5. Other Factors:
− International norms and practices about the technology
− Personnel self-interest and motivation towards the use of the technology
− The functional business units of the organization
− Knowledge and qualifications of the personnel
Other Random Topics

Conditions to be analyzed while recommending a change of the System
• Technology saturation or the need for new technology
• The operational outcome of the system, i.e. sometimes, due to the changing organizational environment and the growth of the organization, the output of the system becomes insufficient and ineffective.
• The technical support from the vendor, i.e. the vendor may no longer be able to provide technical support for the old system (an unsupported system also stops receiving security patches)
• The existing capacity of the database may become insufficient to hold the growing volume of data
• To eradicate the errors, bugs and vulnerabilities in the existing system.

Batch Processing
• Transactions are accumulated and submitted to the computer as a single "batch."
• Inherent in batch processing is a time delay between the batching of the transactions and the updating of the records.
• Errors in a batch processing system caused by incorrect programs or data may not be detected immediately.

Online Processing
• The computer processes each transaction individually as the user enters it.
• The user is in direct communication with the computer and gets immediate processing/feedback on whether the transaction was accepted or not.
• The user can make immediate decisions.

Intranet
• Permits the sharing of information throughout an organization by applying internet connectivity standards and web software (e.g., browsers) to the organization's internal network.
• Its use is restricted to those within the organization.

Extranet
• Consists of the linked intranets of two or more organizations.
• Uses the public internet as the transmission medium but requires authentication (e.g. a password) for access; since the traffic crosses a public network, it is in practice also carried over an encrypted channel such as a VPN.