Embed Size (px)
Citation preview
Twitter- @tweetopians
CHAPTER-5: BUSINESS PROCESS AUTOMATION THROUGH APPLICATION SOFTWARE
❖ IT has made the concept of “Geography is history” as true
❖ However, the level of automation needs to be controlled considering the inherent risks of technology
which makes it imperative to implement adequate level of appropriate controls during all stages of
computer processing right from the data capture to the data storage phase.
CLASSIFICATION OF BUSINESS APPLICATIONS-
❖ Business define (Refer SM)
❖ Application is defined as a computer program to fulfill a particular purpose
❖ Business application is a computer program used to fulfill the person’s need for regular occupation of
commercial activity
❖ Applications based on nature of processing- batch, online, real-time processing (refer audit)
❖ APPLICATIONS BASED ON SOURCE OF APPLICATION-
Custom-built application-
whether they are for one function or integrate processes across the company like an ERP- these
are the easiest ones to customize, to configure to meet a particular company’s requirements &
involves additional coding while configuration is based on settings which are inputted by the
user. Eg- inventory, attendance
Packaged software-
these are the standard applications which are not free, but licensed
customization to suit business requirements may or may not be allowed
eg- tally
Leased application-
user pays fixed rent for using the application for agreed terms
specialized vendors provide users with option to get their job done by paying monthly rent,
which is referred to as outsourcing.
❖ APPLICATIONS BASED ON SIZE & COMPLEXITY OF BUSINESS-
Small & medium enterprise business-
The best software is designed to help them run their operations better, cut costs, & replace
paper processes
Eg- accounts, office productivity, e-mail & communications, desktop or web-based applications
Large business-
the business tools that tend to be favored by large businesses include CRM, for recording
customer information and finding out trends in buying habits; and sales force automation,
which is helpful for organizing and managing sales team and leads
business may choose to HR software; business intelligence & dashboard tools; DBMS; ERP; &
SCM tools
however, these may not be for everyone & can add cost & complexity to the IT systems of small
businesses.
Twitter- @tweetopians
❖ APPLICATIONS BASED ON NATURE OF APPLICATION-
Accounting applications-
These are used by business entities for the purpose of day-to-day transactions of accounting &
generating financial information such as B/S, P/L & CFS
Eg- Tally, SAP and Oracle Financials
Office management software-
it helps entities to manage their office requirement like, word processors (MS Word), electronic
spreadsheets, (MS Excel), presentation software (PowerPoint), file sharing systems, etc
Its purpose is to automate the day-to-day office work and administration
Compliance application-
software which can help any entity to achieve compliances
a separate class of business application is available that facilitate meeting the compliance
requirements
CRM Software-
These are specialized applications catering to the need of orgs. largely in FMCG categories, as
they need to interact with their customers & respond to them, in the form of service support or
maybe lead to product innovation
These are sought by entities which deal directly with consumers
Management support software-
These are applications catering to the decision-making needs of the management, which may
be further classified based on the level of management using them
Eg- MIS (mid-level) & DSS (top-level)
ERP Software-
These are used by entities to manage resources optimally and to maximize the 3Es, i.e.,
economy, efficiency, and effectiveness of business operations
Product lifecycle management software-
These are used by enterprises that launch new products & are involved in development of new
products
the recent trend in auto-sector in India reflects the growing importance and need of this type of
software
these companies often say that “life cycle of auto products have significantly reduced”
Logistics management software
large logistics managing companies need to keep track of products and people across the globe
to check whether there are any discrepancies that need action
Legal management software-
a lot of effort is being put to digitize the legal system
government of India is keen to reduce the pendency in courts
as this process goes on, legal profession in India shall need such systems
there are big legal firms in India, which are already using such business applications
Twitter- @tweetopians
Industry specific applications-
These are industry specific applications focused on a specific industry sector
Eg- banking application, insurance application, billing system for mall, cinema ticketing software
BUSINESS PROCESS AUTOMATION-
❖ Business process automation is a strategy that is used to optimize & streamline the essential business
processes, using latest technology to automate the functions involved in carrying them out, to allow
the org to extract maximum benefit by using the available resources to their best advantage, while
keeping the operational cost as low as possible
❖ OBJECTIVES OF BPA-
Confidentiality- to ensure that data is only available to persons who have right to see the same
Integrity- to ensure that no unauthorized amendments can be made in the data
Availability- to ensure that data is available when asked for
Timeliness- to ensure that data is made available in at the right time
❖ BPA needs to have appropriate internal controls put in place.
❖ WHY BPA? - BENEFITS OF BPA
❖ by improving the performance, accuracy, and efficiency, of key business processes, the enterprise is
made more efficient & responsive to customer & employee needs
reduces the impact of human error by removing human participation in the process, which is
the source of many errors
transforming data into information by collecting, storing & analyzing data and making it
available in a form that is useful for decision-making
improving performance & process effectiveness- when manual tasks are the bottleneck in the
process automating them speeds up the effective throughput of the application
making users more efficient & effective- people can focus their energy on the task they do
best, allowing the computers to handle those that machines are best suited for
making business more responsive- enterprise can easily automate new applications &
processes, as they are introduced that provide greater control over business and IT processes
improving collaboration & information sharing- business processes designed through a
collaborative interface mean IT can integrate its processes with the business-side logic that
drives day-to-day operations
cost saving- it leads to saving in time and labor costs through higher efficiency & better
management of the people involved
to remain competitive- to provide the level of products & services as offered by competition
fast service to customers- it shortens cycle times in execution of processes through improved &
refined business workflows & help enterprises to serve their customers faster & better
❖ RISKS OF BPA-
It creates risk to job that were earlier performed manually as post-automation they would be
mechanized.
Twitter- @tweetopians
It creates false sense of security as automation of poor processes will not gain better business
practices
❖ HOW TO GO ABOUT BPA?
❖ Not all processes can be automated at a time. The best way to go about automation is to first
understand the criticality of the business process to the enterprise. Steps to implement BPA are-
❖ Step 1: Define why we plan to implement a BPA?
❖ It will provide justification for implementing BPA.
❖ Reasons for going for BPA may include-
errors in manual processes leading to higher costs
poor debtor management leading to high invoice aging & poor cash flow
not being able to find documents quickly during an audit or lawsuit or not being able to find all
documents
lack of management understanding of business processes
poor customer service
❖ Step 2: Understand the rules and regulations under which it needs to comply with?
the governance is established by a combination of internal corporate policies, external industry
regulations and local, state & central laws
it is important to understand that laws may require documents to be retained for specified
number of years and in a specified format
Entity needs to ensure that any BPA adheres to the requirement of law
❖ Step 3: Document the process, we wish to automate
The current processes which are planned to be automated need to be correctly and completely
documented at this step
the following aspects need to be kept in mind while documenting the present process-
▪ what documents need to be captured?
▪ where do they come from?
▪ who is involved in processing of documents?
▪ what is the impact of regulations on processing of these documents?
▪ can there be a better way to do the same job?
Benefit of the above process for user & entity-
▪ it provides clarity on the process
▪ it helps to determine the sources of inefficiency, bottlenecks, and problems
▪ it allows to design the process to focus on the desired result with workflow automation
No automation shall benefit the entity, if the process being automated is error-prone &
investment in hardware, workflow software and professional services would get wasted
❖ Step 4: Define the objectives to be achieved by implementing BPA
this enables the developer and user to understand the reasons for going for BPA
the goals need to be precise and clear
remember that goals need to be SMART: Specific, Measurable, Attainable, Relevant & Timely
Twitter- @tweetopians
❖ Step 5: Engage the business process consultant
Once the entity has been able to define the above, the entity needs to appoint an expert, who
can implement it for the entity
To decide as to which company/consultant to partner with, depends upon following-
▪ Objectivity of consultant in understanding/evaluating entity situation
▪ Does the consultant have experience with entity business process?
▪ Is the consultant experienced in resolving critical business issues?
▪ Whether the consultant is capable of recommending & implementing a combination of
hardware, software & services as appropriate to meeting enterprise BPA requirements?
▪ Does the consultant have the required expertise to clearly articulate the business value
of every aspect of the proposed solution?
❖ Step 6: Calculate the ROI for project
It can be used for convincing top management to say ‘yes’ to BPA exercise
Best way to convince would be to generate a proposition that communicates to stakeholders
that BPA shall lead to cost savings & improved efficiency & effectiveness of service offerings
Methods to justify BPA proposal-
▪ clearly computed & demonstrated cost savings
▪ How BPA could lead to reduction in required manpower leading to no new recruits need
to be hired & how existing employees can be re-deployed or used for further expansion
▪ Savings in employee salary by not having to replace those due to attrition
▪ eliminating fines to be paid by entity due to delays being avoided
▪ reducing the cost of audits and lawsuits
▪ taking advantage of early payment discounts and eliminating duplicate payments
▪ collecting accounts receivable faster and improving cash flow
▪ building business by providing superior levels of customer service
❖ Step 7: Developing the BPA
once the top management grant their approval, the right business solution has to be procured
& implemented or developed & implemented covering the necessary BPM
❖ Step 8: Testing the BPM
before making the process live, the BPA solutions should be fully tested
to determine how well it works and identify where additional “exception processing” steps
need to be included
the objective is to remove all problems during this phase
it allows room for improvements prior to the official launch of the new process, increases user
adoption and decreases resistance to change.
❖ APPLICATIONS THAT HELP ENTITY TO ACHIEVE BPA-
TALLY-
Accounting application that helps entity to automate processes relating to accounting of
transactions
it also helps to achieve automation of few processes in inventory management
Twitter- @tweetopians
helps user to achieve tax compliances also
has features, eg, tax audit & statutory compliance, payroll, excise for manufacturers, TDS, VAT
SAP R/3-
ERP software, which allows an entity to integrate its business processes
it aims at better utilization of resources & helps entity to achieve better business performance
it has the features, eg, time management, sales management, team management, leave
management, travel management & recruitment management
MS OFFICE APPLICATIONS-
This software helps to achieve automation of various tasks in the office
it has features, eg, customized ribbon, enhanced security, pivot for excel, paste
It includes MS Word, MS Excel, MS PowerPoint, MS Access, etc
ATTENDANCE SYSTEMS-
It helps entity to automate the process of attendance tracking and report generation
it has features, eg, holiday pay settings, labor distribution, employee scheduling and rounding,
overtime settings, optional door/gate access control
VEHICLE TRACKING SYSTEM-
It allows entity to track their goods while in translate
few applications are high-end, allowing owner of goods to check the temperature of cold stored
goods while in transit
it has features, such as, GPS based location, route accuracy on the fly while device is moving,
real-time vehicle tracking, SMS & e-mail notifications
AUTOMATED TOLL COLLECTION SYSTEMS-
Many toll booths allow users to buy pre-paid cards, where user need not stop in lane to pay toll
charges, but just swipe/wave the card in front of a scanner
It keeps the track of card and the number of time same has been swiped or waved
it has features, eg, real-time toll plaza surveillance system, automatic vehicle identification
system, transaction processing, &, violation enforcement
DEPARTMENT STORE SYSTEMS-
Two critical elements for managing departmental stores have been automated in India
These critical elements are- the billing processes and inventory management
it has features, eg, point of sale, multi-channel operation, supplier database, product database,
loyalty schemes and inventory management
TRAVEL MANAGEMENT SYSTEM-
Many business processes specific to this industry have been automated, including ticket
booking for bus, train, hotel, etc.
it has features, eg, streamlined foreign travel approval process, build-in and manage travel
policy compliance, ‘safe return’ process for people tracking, online retrieval of e-tickets,
reservations, and management of entry visas & medical requirements
EDUCATIONAL INSTITUTE MANAGEMENT SYSTEMS-
A lot of automation has been achieved, including student tracking and record keeping
Twitter- @tweetopians
Eg- a student based on his/her registration number can file many documents online including
exam forms in ICAI
It has features, eg, student’s registration, student’s admission, fee collection, student’s
attendance, result management, assets management and MIS
FILE MANAGEMENT SYSTEM-
these allow office records to be kept in soft copy and easy tracking of the same
it has features, eg, web access, search, Microsoft Office integration, records management
software, electronic forms (e-forms), calendar, document scanning and imaging
❖ OVERVIEW OF BPA-
to achieve BPA, we would need IT infrastructure, hardware, &, software to manage the same
further, all the systems have to be networked so that information can flow seamlessly
In addition, the need would be for database, so that the data & information can be stored &
retrieved in a desired and appropriate manner
Deploying a BPA solution can be the first step in a corporate BPM deployment
BPA solutions features three critical pillars, whose tight coupling enables org to streamline &
automate business processes, regardless of scope, scale & complexity.
These critical pillars are-
▪ Orchestration- it allows to read data, pass data and modify the data
▪ Integration- it brings task that exist across multiple computers under one umbrella
▪ Automation- it unites the above two
INFORMATION PROCESSING-
❖ About data & information- done already
❖ The effort to create information from raw data, is known as ‘Information Processing’.
❖ Classification of information based on level of human/computer intervention, is stated below-
Manual information processing cycle-
systems where the level of manual intervention is very high
Eg- valuation of exam papers, teaching, operations in operation theatres, ticket checking by
railway staff in trains.
its components- input, process and output
the quality of information generated from these systems is prone to flaws, eg, delayed
information, inaccurate information, incomplete information and low levels of detail
Computerized information processing cycle-
systems where computers are used at every stage of transaction processing
the components- input, processing, storage & output
the quality of information generated from these systems is timely, accurate, fast & reliable
DELIVERY CHANNELS-
❖ It refers to the mode through which information or product are delivered to users.
Twitter- @tweetopians
❖ Delivery channels for information include-
Intranet, e-mail, staff briefing, notice boards, manuals, guides, social networking sites.
❖ Delivery channels for products include-
buying from a shop, home delivery of products, buying from a departmental store, & buying online-
getting home delivery-making cash payment on delivery.
❖ Importance-
❖ Orgs need to be aware of ‘what information is required for effective delivery of products or services’
❖ It is important to have proper & accurate delivery channels for information or product distribution & to
consider of each of these channels while planning an overall information management &
communication strategy
❖ In practice, more than one of these delivery channels will be needed, with different channels used to
reach specific user groups.
❖ How to choose an information delivery channel?
More than just intranet-
Staff will use whichever methods are easiest & most efficient to obtain information
Any attempt to move staff usage to the Intranet away from existing information sources will
almost certainly fail, unless the Intranet is easier than the current methods
Eg- easier to put notice on notice board in canteen, rather than putting on Intranet
Understand staff needs & environment-
Job roles & work environment will have a major impact upon the suitability of delivery channel
It includes which systems do staff use, their level of PC access, their amount of computer
knowledge and their geographic location
Eg- in presence of one PC in org, makes it difficult for workers to access Intranet
Traditional channel need to be formalized-
instead of attempting to eliminate existing information sources in favor of the Intranet, it may
be more beneficial to formalize the current practice
❖ How to choose an product delivery channel?
Customers while going for online shopping find wide range of products
a customer in a small town/village can have a shopping experience of a large store
Change is so drastic that physical brick-&-mortar sellers have to bring themselves on Internet
Many online travel sites have opened brick & mortar offices in cities & towns to meet their
customers
the keywords are ‘convincing’ & ‘capturing’ the customer
So, any delivery channels shall work till it convinces customer
CONTROLS IN BPA-
❖ Control is defined as policies, procedures, practices & org structure that are designed to provide
reasonable assurance that business objectives are achieved & undesired events are prevented,
detected & corrected
Twitter- @tweetopians
❖ Objectives of control-
Authorization-
ensures that all transactions are approved by responsible personnel as per their authority.
Completeness, accuracy & validity (done in audit)
Physical safeguards & security-
ensures that access to physical assets & information systems are controlled & properly
restricted to authorized personnel
Error handling-
ensures that errors detected at any stage of processing receive prompt corrective action & are
reported to the appropriate level of management
Segregation of duties-
ensures that duties are assigned to individuals in a manner that ensures that no one individual
can control both recording function & procedures related to processing a transaction
❖ Controls are used to prevent, detect or correct unlawful events-
Preventive controls are those which prevent occurrence of an error
Detective controls are those which capture an error
Corrective controls are those which correct an error or reduce the loss due to error/risk
❖ INFORMATION SYSTEMS’ CONTROLS-
Auditors must evaluate the reliability of controls
controls reduce expected losses from unlawful events by -
▪ decreasing the probability of the event occurring in the first place, or,
▪ limiting the losses that arise of the event occurs
❖ Two parts of Information Systems’ controls-
MANAGERIAL CONTROLS-
It examines controls over the managerial functions that must be performed to ensure
development, implementation, operation, & maintenance of information systems in a planned
& controlled manner in an org
it provides a stable infrastructure in which information systems can be built, operated, &
maintained on daily basis, as shown below-
Types of Management Subsystems-
Top Management-
it is responsible primarily for long-run policy decisions on how Information Systems will be used
in the org
Information Systems Management-
it provides advice to top management in relation to long-run policy decision making &
translates long-run policies into short-run goals and objective
Systems development management-
it is responsible for the design, implementation, & maintenance of application systems
Twitter- @tweetopians
Programming management-
it is responsible for programming new system, maintaining old system and providing general
systems support software
Data administration-
it is responsible for addressing planning & control issues in relation to use of an org’s data
Quality assurance management-
it is responsible for ensuring information systems development, implementation, operation, &
maintenance conform to established quality standards
Security administration-
it is responsible for access controls and physical security over the information systems function
Operations management-
it is responsible for planning & control of daily operations of information systems.
APPLICATION CONTROLS-
It examines application functions that need to be in place to accomplish reliable information
processing
Types of Application Subsystems-
Boundary-
It comprises the components that establish the interface between the user and the system
Input-
It comprises components that capture, prepare & enter commands and data into the system
Communication-
It comprises the components that transmit data among sub-systems and systems
Processing-
It comprises the components that perform decision-making, computation, classification,
ordering and summarization of data in the system
Output-
It comprises the components that retrieve and present data to users of the system
Database-
It comprises the components that define, add, access, modify, &, delete data in the system
❖ MANAGERIAL FUNCTIONS BASED CONTROLS-
❖ Top management & information systems management controls-
❖ Major functions performed by senior manager-
Planning- Determining goals of information systems function & means of achieving these goals
Organizing- Gathering, allocating, &, coordinating resources needed to accomplish the goals
leading- motivating, guiding, and communicating with personnel
controlling- comparing actual performance with planned performance as a basis for taking any
corrective actions that are needed.
Twitter- @tweetopians
❖ Two types of Information systems plans made for information system function by top management
are-
Strategic plan is the long run plan, covering, say, the next 3 to 5 years of operations.
operational plan is the short plan, covering the next 1 to 3 years of operations.
Both the plans need to be reviewed regularly and updated as the need arises
the planning depends upon factors, such as, importance of- existing systems, proposed
information system, and the extent to which it has been integrated into the daily operations
❖ Systems Development Management Controls-
❖ Types of audit that may be conducted during system development process-
Concurrent audit
auditors are members of the system development team, who assist the team in improving the
quality of systems development for the specific system they are building and implementing.
Post-implementation audit-
Auditor seek to help an org, learn from its experiences in the development of a specific
application system, and, might be evaluating whether the system needs to be scrapped,
continued, or, modified in some way
General audit-
Auditors evaluate systems development controls overall
Determine whether they can reduce the extent of substantive testing needed to form an audit
opinion about management’s assertions relating to the financial statements for systems
effectiveness & efficiency
❖ Programming Management Controls-
❖ Aim- to produce or acquire & to implement high-quality programs
❖ It comprises six major phase with control phase running in parallel for all other phases.
❖ Purpose of control phase during software development/acquisition is to monitor progress against plan
& to ensure software released for production use is authentic, accurate and complete
❖ Phases of program development life cycle-
Planning-
Techniques like Gantt Charts, can be used to monitor progress against plan
Design-
A systematic approach to program design, such as, any of the structured design approaches or
object-oriented design is adopted
Coding-
Programmers must choose a module implementation & integration strategy, coding strategy &
a documentation strategy
Testing-
Three types of testing can be undertaken, to ensure that a developed/acquired program
achieves its specified requirement
▪ Unit testing focuses on individual program modules
▪ Integration testing focuses on groups of program modules
Twitter- @tweetopians
▪ Whole-of-program testing focuses on whole program
Operation & Maintenance-
Management establishes formal mechanisms to monitor status of operational programs to
identify maintenance needs on a timely basis.
Types of maintenance that can be used are-
▪ Repair maintenance, where program errors are corrected
▪ Adaptive maintenance, where program is modified to meet changing user requirements
▪ Perfective maintenance, where program is tuned to decrease the resource consumption
❖ Data Resource Management Controls-
❖ For data to be managed better-
users must be able to share data,
data must be available to users when it is needed,
in the location where it is needed,
in the form in which it is needed.
❖ Further, it must be possible to modify data fairly easily & integrity of the data be preserved
❖ Careful control should be exercised over roles, by appointing senior, trustworthy persons, separating
duties to possible extent and maintaining & monitoring logs of the data administrator’s & database
administrator’s activities
❖ Quality Assurance Management Control-
❖ Orgs. are increasingly producing safety-critical systems
❖ Orgs are undertaking more ambitious information systems projects, that require more stringent quality
requirements & are becoming more concerned about liabilities if they produce/sell defective software
❖ Security Management Controls-
❖ Information security administrators are responsible for ensuring that information systems assets are
secure
❖ assets are secure, when the expected losses that will occur over sometime are at an acceptable level
❖ Operations Management Controls-
❖ Operations management is responsible for the daily running of hardware & software facilities
❖ it typically performs controls over the functions like computer operations, data preparation & entry,
file library
❖ It must continuously monitor the performance of hardware/software platform to ensure that systems
are executing efficiently, an acceptable response time or turnaround time is being achieved, & an
acceptable level of uptime is occurring
❖ APPLICATION FUNCTIONS BASED CONTROLS (refer types of management subsystem & description)-
❖ Boundary controls-
❖ Its purposes are-
to establish the identity & authenticity of would-be-users of a computer system
to establish identity & authenticity of computer-system resources that users which to employ
to restrict actions undertaken by users who obtain computer resources to a set of authorized
actions
Twitter- @tweetopians
❖ Major types of controls exercised in boundary subsystem are-
Cryptographic controls-
Designed to protect privacy of data & to prevent unauthorized modifications of data
It achieves this goal by scrambling data into codes (cryptograms), so that it is meaningless to
anyone who does not possess authentication to access the respective system resource or file
Access controls-
it restricts use of computer system resources to authorized users, limit the actions authorized
users can take with these resources, & ensures that users obtain only authentic computer
system resources
In a shared resource environment, auditors should have 2 concerns-
▪ to determine how well any access control mechanism uses safeguards assets and
preserves data integrity, &,
▪ given the capabilities of access control mechanism that are available for any particular
application system, determine whether access controls chosen for that system suffice
it processes users’ requests for resources in 3 steps-
▪ Identification- users identify themselves to the mechanism, thereby indicating their
intent to request system resources
▪ Authentication is a two way process, wherein, mechanism must be sure it has a valid
user, users must also be sure that they have a valid mechanism
▪ Authorization-users must request specific resources & specify actions they intend to
take with the resources
How to identify the user?
▪ User identification by an authentication mechanism with personal characteristics can be
used as a password boundary access control, eg, scanned iris, employee code, Etc
Personal Identification Number (PIN)-
it is similar to a password assigned to a user by an institution based on the user characteristics
and encrypted using a cryptographic algorithm
the application generates a random number stored in its database, independent of user
identification details or a customer selected number
Digital Signatures-
it establishes the authenticity of persons and prevent the denial of messages or contracts when
data is exchanged electronically
Plastic Cards-
it is used to store information required in an authentication process
these cards that are used to identify a user need to go through procedural controls like
application for a card, preparation of the card, issue of card, use of card and return of card
❖ Input Controls-
❖ Responsible for ensuring accuracy & completeness of data that are input into an application system
❖ it is important since substantial time is spent on inputting data which involves human intervention &
are therefore, prone to errors & fraud
Twitter- @tweetopians
❖ the type of data input method used in an information system affects assets safeguarding, data
integrity, systems effectiveness, and system efficiency objectives
Source Document Control-
it is a well-designed source document reduces the likelihood of data recording errors, increases
the speed with which data can be recorded and controls the workflow
it facilitates the data entry and subsequent reference checking
Data Coding Controls-
these are put in place to reduce user error during data feeding
Batch Controls-
It is put in place when batch processing is being used
(Define what is batch processing- as done in audit)
Validation Controls-
It validates the accuracy/correctness of input data
It is intended to detect errors in transaction data before data is processed
❖ Communication Controls-
❖ It is responsible for transporting data among all the other subsystems within a system and for
transporting data to or receiving data from another system
❖ Three types of exposures arising in communication subsystems-
as data is transported across a communication subsystem, it can be impaired through
attenuation, delay distortion and noise
the hardware and software components in a communication subsystems can fail
the communication subsystem can be subjected to passive or active subversive attacks
Physical Component Controls-
One way to reduce expected losses in the communication subsystem is to choose physical
component that have characteristics that make them reliable & make them mitigate possible
effects of exposure
Involves transmission media (bounded/unbounded), communication lines (private/public), etc.
Line Error Controls-
whenever data is transmitted over a communication line, it can be received in error because of
attenuation, distortion, or noise that occurs on the line
error detection and error correction are the two major approaches under it.
Flow Controls-
these are needed because two nodes in a network can differ in terms of the rate at which they
can send, receive and process data
the simplest form of flow control is “stop-and-wait flow control” in which the sender transmits
frame of data only when the receiver is ready to accept the frame
Link Controls-
involves 2 common protocols-Higher Level Data Control (HDLC); Synchronous Data Link Control
(SDLC)
Twitter- @tweetopians
Topological Controls-
a communication network topology specifies location of nodes within a network, ways in which
these nodes will be linked, & data transmission capabilities of the link between the nodes
Channel Access Controls-
two different nodes in a network can compete to use a communication channel
whenever the possibility of contention for the channel exists, some type of channel access
control technique must be used
these techniques fall in 2 classes- polling methods and contention methods
Polling techniques establish an order in which a node can gain access to channel capacity
in contention method, nodes in a network must compete with each other to gain access to a
channel
Internetworking Controls-
Internetworking is the process of connecting two or more communication networks together to
allow the users of one network to communicate with the users of other networks
3 types of devices are used to connect sub-networks in an Internet- Bridge, Router & Gateway
❖ Processing Controls-
❖ It performs validation checks to identify errors during processing of data to ensure both the
completeness and accuracy of the data being processed
❖ Adequate controls should be enforced through the front-end application system also, to have
consistency in the control process
❖ Some of these are-
Run-to-Run Totals-
▪ It helps in verifying data that is subject to process through different stages
▪ A specific record can be used to maintain the control label
Reasonableness Verification-
▪ To ensure correctness, compare & cross-verify two or more fields
Edit Checks-
▪ Being similar to data validation controls, these can be used at processing stage to verify
accuracy & completeness of data
Field Initialization-
▪ Data overflow can occur, if records are constantly added to table/fields are added to
record without setting all values to zero before inserting field or record
Exception Reports-
▪ Generated to identify errors in data processed
Existence/Recovery Controls-
▪ The check-point/restart logs, facility is short-term backup & recovery control
▪ It enables system to be recovered, if failure is temporary & localized
❖ Output Controls-
❖ It ensures that data delivered to users will be presented/formatted/delivered, consistently & securely
❖ Ensure that confidentiality & integrity of output is maintained & output is consistent
Twitter- @tweetopians
Storage & logging of sensitive & critical forms-
▪ Securely store pre-printed stationery to prevent unauthorized destruction, removal, use
▪ Only authorized persons should be allowed access to security forms, negotiable
instruments, etc.
Logging of Output Program execution-
▪ When program, used for output of data, is executed, it should be logged & monitored
Controls over printing-
▪ Ensure prevention of unauthorized disclosure of information printed
Report distribution & collection controls-
▪ It should be made in secure way to avoid unauthorized disclosures of data
▪ Maintain a log as to what reports were generated & to whom it was distributed
Retention controls-
▪ It considers duration for which outputs should be retained before being destroyed
▪ Consider the type of medium on which output is stored
Existence/Recovery controls-
▪ It is needed to recover output if it is lost/destroyed
❖ Database Controls-
❖ It is responsible for defining, creating, modifying, deleting & reading data in an information system
❖ It protects the integrity of database when application software acts as an interface to interact between
database & user
Sequence check transaction & master files-
▪ Synchronization & correct sequence of processing between master file & transaction
file, is critical to maintain integrity of updation, insertion or deletion of records in master
file w.r.t transaction records
Ensure all records on files are processed-
▪ while processing transaction files records, mapped to respective master file, ensure the
end-of-file of transaction file w.r.t. end-of-file of master file
Process multiple transactions for a single record in a correct order-
▪ Multiple transactions can occur based on single master record
▪ The order in which transactions are processed against product master record, must be
done based on sorted transaction codes.
EMERGING TECHNOLOGIES-
❖ Virtualization-
❖ In computing, virtualization means to create a virtual version of a device or resources, such as a server,
storage device, network or even an operating system
❖ Its core concept lies in partitioning, which divides a single physical server into multiple logical servers
❖ Once the physical server is divided, each logical server came run an operating system and applications
independently
Twitter- @tweetopians
❖ Eg.- partitioning of a hard drive is considered virtualization, because one drive is partitioned in a way to
create separate hard drives. Devices, applications and human users are able to interact with the virtual
resources as if it were a real single logical resource
❖ Its major applications are-
Server consolidation-
It consolidates many physical servers into fewer servers, which in turn host virtual machines
Each physical server is reflected as a virtual machine “guest”, residing on a virtual machine host
system
This is also known as “physical-to-virtual” or “P2V” transformations
Disaster Recovery-
Virtual machines can be used as “hot-standby” envt. for physical production servers
This change classical “backup-&-restore” philosophy, by providing backup images that can boot
into live virtual machines, capable of taking workload for production server experiencing outage
Testing & Training-
Virtualization can give root access to virtual machines
This can be very useful, such as, in kernel development and operating system courses
Portable applications-
Portable applications are needed when running an application from a removable drive, without
installing it on the system’s main disk drive
It can be used to encapsulate the application with a redirection layer that stores temporary
files, windows registry entries and other state information in the application’s installation
directory and not within the system’s permanent file system
Portable workspace-
Recent technologies have used virtualization to create portable workspaces on device like
iPods, and USB memory sticks.
❖ Types of Virtualization-
Hardware virtualization refers to creation of a virtual machine that acts like a real computer
with an operating system.
Software executed on these virtual machines is separated from the underlying hardware
resources
Its basic idea is to consolidate many small physical servers so that processor can be used more
effectively
Software that creates a virtual machine on host hardware is called hypervisor/Virtual Machine
Manager, which controls processor, memory & other components by allowing several different
operating systems to run on the same machine without the need for a source code
operating system running on machine will appear to have its own processor, memory and other
components
Network Virtualization is a method of combining available resources in a network by splitting
up available bandwidth into channels, each of which is independent from others & each of
which can be assigned to particular server or device in real time
Twitter- @tweetopians
It allows large physical network to be provisioned into multiple smaller logical networks &
conversely allows multiple physical LANs to be combined into a larger logical network
It allows to improve network traffic control, enterprise & security
It involves platform virtualization, often combined with resource virtualization
It is intended to optimize network speed, reliability, flexibility, scalability and security
Storage Virtualization is the apparent pooling of data from multiple storage devices, even of
different types, into what appears to be a single device that is managed from central console
It helps perform the tasks of backup, archiving, & recovery more easily, & in less time, by
disguising the actual complexity of a Storage Area Network (SAN)
NOTE- These notes do not contain notes on topic of “GRID COMPUTING”- Do it Yourself.
