Certificate Examination in
Information System Banker
(For Dec 2019 – IIBF & Other Exams)
(Updated up to 21.07.2019)
QUICK REVISION
Compiled by
Page | 1
Facebook Group https://www.facebook.com/groups/iibfcertifications/
Email: aravindsss1988@gmail.com https://iibfadda.blogspot.com/ THANKS TO SRINIVAS SIR, VENKAT
About Certificate Examination in Information System Banker
OBJECTIVE
The evolution of Information Technology (IT) affects the banking environment in many significant
ways. It has changed the banking practices and altered the ways in which systems should be controlled
and it has also increased the need for well educated banking professionals in the fields of Information
Systems (IS), governance, assurance, security and control.
In the information based banking environment, banking professionals who are technically competent in
IS, or IS specialists who understand security, control and banking operations, are in great demand for
IS audit careers. The IS specialist and the IS auditor must continuously receive training to upgrade their
knowledge, skills and abilities.
The Certified Information System Banker course has been specially designed to meet the needs of IS
professionals.
This comprehensive course aims :
(i) To develop functional expertise in the areas of system identification, development, implementation
and designing.
(ii) To develop expertise in computer security, implementation of threat prevention and detection systems, designing and testing risk mitigation strategies.
(iii) To develop skills for objective assessment of information system control, information privacy and
integrity.
(iv) To study the tools that provide assurance in the system by measuring against four essential principles: availability, security, integrity and maintainability.
(v) To aid the bank management in developing sound information system audit, control and security
functions by providing criteria for personal selection and development.
FOR WHOM
(i) Banking professionals who are technically competent in IS, or
DIPLOMA IN INFORMATION SYSTEM AUDIT (DISA)
Candidates who clear all the following three Certificate examinations under the revised syllabus will be
given a "DIPLOMA IN INFORMATION SYSTEM AUDIT (DISA)" from May 2017 :
SUBJECT OF EXAMINATION
(1) Information System for Banks
PASSING CRITERIA:
Minimum marks for pass in the subject is 60 out of 100.
EXAMINATION FEES* :
Particulars               For Members     For Non-Members
First attempt             Rs.1,000/- *    Rs.1,500/- *
Subsequent each attempt   Rs.1,000/- *    Rs.1,500/- *
PROCEDURE FOR APPLYING FOR EXAMINATION
Application for examination should be registered online from the Institute's website www.iibf.org.in.
The schedule of examination and dates for registration will be published on IIBF website.
PROOF OF IDENTITY
Non-members applying for the Institute's examinations / courses are required to attach / submit a copy of any one of the following documents containing Name, Photo and Signature at the time of registration of the Examination Application. Applications without the same shall be liable to be rejected.
1) Photo I/Card issued by Employer or 2) PAN Card or 3) Driving Licence or 4) Election Voter's I/Card or 5) Passport or 6) Aadhaar Card
(ii) In respect of the examinations to be conducted by the Institute for the period August to January of a calendar year, instructions / guidelines issued by the regulator(s) and important developments in banking and finance up to 30th June will only be considered for the purpose of inclusion in the question papers.
SYLLABUS
a) Technology in Banks
I) Hardware Architecture.
iv) Networking.
Tools.
iii) Standards - ISO, CMM, CoBIT, RBI guidelines.
d) Continuity of Business
i) Difference between CoB, BCP and DRP.
ii) Review of Human Resources Management Function, Technology Management Function, Data
Management Function, Application Management Function,
Use of CAATs - use of general audit software
INDEX
S.No  Contents                 Page No
01    MODULE A                 008
02    MODULE B                 029
03    MODULE C                 066
04    MODULE D                 085
05    MODULE E                 090
08    Additional Information   064
09    Recollected Questions    170
10    Glossary                 174
MODULE A-TECHNOLOGY IN BANKS
2.The second revolution was the Industrial Revolution in the 18th century which enabled man to
use machines for bulk production and faster economic growth.
3.Towards the middle of 20th Century, computers were developed as a means of expediting almost all
the functions which man was doing himself.
4.Computer and communication technology enabled the third revolution which is the Information
Revolution.
5.The Information Revolution has enabled the transformation of the world into a global village.
19.The terms like “Anytime” and “Anywhere” banking have become a reality by networking the
branches through CBS and WAN.
21.The liberalisation era, which dawned on the recommendations of the Narasimham Committee, ushered in a new generation of banks, which led to a high level of service enabled by technology.
23.'Core Banking' means that the entire data & information of the customers, along with the transactions, is centralized at a "Core Server", with all branches networked to the central server through a mesh of leased data communication lines.
24.AAA : Anywhere, Anytime and Anyhow(through multiple delivery channel) Banking offered by
CBS
27.As the entire data of a bank resides at one place, viz the Data Centre (DC), there is concentration risk.
28.To avoid concentration risk, another similar DC, called the Disaster Recovery site (DR site), is set up in a different seismic zone.
30.The branches are linked to both DC & DR through a web of communication lines. Redundancy is provided at every stage, in the form of dial-up ISDN lines as a backup for leased lines, with the city NAP connected to both DC & DR.
34.With the implementation of CBS, the bank should be in a position to have a 360 degree view of its
business as well as the customers.
37.Requirement study and gap analysis : A proper study is to be done at this stage to identify the
requirements of bank vis-a-vis the functionality and features of software.
38.Training the users and Parameterization : The advantage would be that for any small additional
requirement or modification, there is no need to write or modify the code. User involvement is
necessary at the parameterization stage also. Therefore, with the parameterization, the system could be
expected to perform in accordance with the requirements of users.
39.UAT : User Acceptance Test. Testing is one of the most important phases before rolling the solution out to production. After setting the parameters in the system, the functionalities should be tested against test cases. The test cases are based on functional requirements.
40.Once the UAT is carried out successfully, the software is ready for installation. From a governance and security point of view, it has to be ensured that there are three distinct environment set-ups :
i)Development/Customization
ii)Testing
iii)Live environment (also called production)
41.Migration to a centralized system has improved efficiency, availability and convenience of banking.
42.Before the advent of CBS, for any electronic-based service or product, banks had to identify/develop a software or system which could support that particular product or service. This resulted in banks having a number of disparate and dispersed systems.
44.A proper disaster recovery mechanism gives many benefits to banks, such as:-
i)The load between the Data Centre (DC) and Disaster Recovery (DR) servers is always shared
ii)The DR servers constantly get tested for their availability
iii)The network connecting bank branches to the DR centre also gets tested for its availability.
2.An IT Policy needs to be framed for secure management of IT systems and processes, with detailed documentation in terms of procedures and guidelines. The policy is reviewed annually.
3.A working group constituted by RBI on Information Security, Electronic Banking, Technology Risk
Management and Cyber frauds submitted its report in January 2011.
4.The report of working group of RBI on Information Security, Electronic Banking, Technology Risk
Management and Cyber frauds has been published in April 2011.
5.As a recent development, RBI started the process of setting up an IT Subsidiary in 2016.
6.The IT Subsidiary mainly deals with IT and Cyber Security, and IT Audit in all the RBI regulated
Financial Institutions in the Country.
7.IT strategy, as a framework, provides feedback to IT Operations on the services to be supported and
their underlying business processes and prioritisation of these services etc.
8.A well defined IT Strategy framework will assist IT Operations in supporting IT services as required
by the business and defined in OLA/SLAs.
9.IT Strategy processes provide guidelines that can be used by banks to design, develop, and implement
IT Operations not only as an organisational capability but as a strategic asset.
13.Service Valuation :-It is the mechanism that can be considered by banks to quantify, in financial terms, the services which are available to customers (internal or external) and supported by IT operations.
14.Financial Management uses Service Valuation to quantify, in financial terms, the value of IT services supported by IT operations.
15.Combined with Service Level Management, Service Valuation is the means to a mutual agreement
with business, regarding what a service is, what its components are, and its cost and worth.
17.Provisioning Value : The actual underlying cost of IT related to provisioning a service, including all fulfilment elements, tangible and intangible. This cost element includes items such as :-
a)Hardware and software license cost
b)Annual maintenance fees for hardware and software
c)Personnel resources used in the support or maintenance of the services
d)Upgrades/service patches/enhancement patches
e)Utilities, data centre or other facilities charge
f)Taxes, capital or interest charges
g)Compliance costs.
18.Service Value Potential : SVP is the value-added component based on a customer's perception of
value from the service or expected marginal utility and warranty from using the services in comparison
with what is possible using the customer's own assets.
19.Portfolio Management : It provides guidelines that can be considered by banks for governing investments in service management across an enterprise and managing them for value. Portfolio management contains information on all existing services, as well as every proposed service, including those still in the conceptual phase.
20.Demand Management : The DM process provides guidelines which can be used by banks to understand the business processes that IT operations support, and to identify, analyse and codify patterns of business activity to provide a sufficient basis for capacity requirements.
22.One of the very early and widely used Payment Processing System is the clearing of cheques.
24.STP : With the advent of technology, many new methods and products for payment and settlement have evolved. It is now possible for the transactions between the entities shown above to be carried out in a totally automated manner, without any manual intervention. Such transactions, where there is no manual intervention, are called Straight Through Processing.
25.Based on the payment system vision document, policies are framed and strategies devised to
implement them.
26.Safety, security, soundness and efficiency assume critical importance in RBI's policy.
28.Previous payment system vision document of RBI is for the period 2012-15.
29.Under the Payment and Settlement Systems Act, 2007, any existing or proposed payment system has to obtain authorisation from RBI.
30.This requirement is effective from 12th August 2008, the date the Act came into force.
31.Implementing grid based clearing, standardizing security features on cheque leaves to enable
Straight Through Processing(STP).
35.India Pay, POS Switch and Mobile Payments Settlement Network were started by NPCI
36.ECS is an electronic mode of funds transfer from one bank account to another bank account.
37.ECS system involves exchange of files and data among banks in electronic form.
38.ECS system is used for transactions that are repetitive in nature, e.g. EMI, SIP etc.
39.ECS is used by institutions for making bulk payment of amounts towards distribution of dividend,
interest, salary, pension etc or for bulk collection of amounts towards telephone/electricity/water dues,
tax collections, loan instalment repayments, periodic investments in mutual funds etc.
40.ECS can be either ECS Credit or ECS Debit. In ECS Credit, the originating bank sends credit entries for a large number of beneficiaries having accounts with various bank branches.
41.In ECS Debit, the customer mandates the bank to pay towards utilities, EMI, SIP etc from the customer's account, and one consolidated credit entry is passed to the beneficiary.
43.If an ECS debit fails or bounces, it attracts the same fines/penalties as a bounced cheque.
46.NECS has been launched in October 2008
47.On an average around 20 million ECS transactions are processed each month.
49.Cheque truncation is the process in which the physical movement of a cheque within a bank, between banks, or between banks and the clearing house is curtailed or eliminated, being replaced in whole or in part by electronic records of its content (with or without the image) for further processing and transmission.
50.The term truncate means to remove an original paper cheque from the cheque collection or return
process and send to a recipient, in lieu of such original paper cheque, a substitution cheque or, by
agreement, information relating to the original cheque(including data taken from the MICR line of the
original cheque or an electronic image of the original cheque), whether with or without subsequent
delivery of the original paper cheque.
51.In cheque truncation with the image, data on the MICR band, date of presentation, presenting bank,
etc is also sent.
52.Truncation brings efficiency, cost reduction and speed, and also minimizes the frauds, losses etc associated with physical cheques.
53.In India, CTS has been implemented in National Capital Region(NCR) since 1st July, 2009.
54.The Negotiable Instruments (Amendments & Miscellaneous Provisions) Act 2002 gives legal status to truncated cheques: a "Cheque" is a bill of exchange drawn on a specified banker and not expressed to be payable otherwise than on demand, and it includes the electronic image of a truncated cheque and a cheque in the electronic form (Section 6 of the Act); subsequent sections are relevant to payment of such cheques.
57.RTGS/NEFT are electronic payment systems which were started in the year 2004.
60.NEFT is an electronic fund transfer system that operates on a Deferred Net Settlement (DNS) basis, which settles transactions in batches. In DNS, the settlement takes place for all transactions received till the particular cut-off time; in NEFT these transactions are netted (payables against receivables).
61.NEFT operates in hourly batches. There are 12 settlements from 8 am to 7 pm on weekdays and 6 settlements from 8 am to 1 pm on Saturdays.
61.In RTGS the transactions are settled individually. RTGS transactions are processed continuously throughout the RTGS business hours.
62.RTGS is meant for inter-bank transfer of funds as also for large-value transfers (> Rs.2 lakh per remittance) effective from April 2010.
64.NEFT is mainly meant for B2B, B2C, C2C remittances. The remittances and relative messages are
pooled, transmitted in batch mode and settled periodically on a 'Net basis'.
65.There is no restriction on the minimum or maximum amount that can be remitted through NEFT.
66.Payment and settlement systems(including RTGS & NEFT) in India are regulated by the Payment
and Settlement Systems Act, 2007(PSS Act), legislated in December 2007.
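The deferred net settlement described in items 60 to 66, worked through as an added example (this is not from the original guide, and not RBI's or NPCI's own code): a constructed batch of four remittances between three hypothetical banks is netted into one position per bank, the same batch is priced as if each transfer settled on its own (RTGS style), and the net positions are turned into the payments booked at the cut-off. The bank names, the amounts and the zero-sum check in settlement_obligations are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transfer:
    """One remittance in a settlement batch. Amounts are integer paise so that
    netting is exact; bank names are constructed for this example."""
    ref: str
    sender_bank: str
    receiver_bank: str
    amount: int


def net_positions(batch: List[Transfer]) -> Dict[str, int]:
    """Deferred net settlement (NEFT style): for every bank, add what it is to
    receive and subtract what it must pay. Negative = net debtor, positive =
    net creditor. An invalid row aborts the whole batch instead of being skipped."""
    pos: Dict[str, int] = defaultdict(int)
    for t in batch:
        if t.amount <= 0 or t.sender_bank == t.receiver_bank:
            raise ValueError(f"invalid transfer {t.ref}")
        pos[t.sender_bank] -= t.amount
        pos[t.receiver_bank] += t.amount
    return dict(pos)


def gross_liquidity(batch: List[Transfer]) -> Dict[str, int]:
    """Gross settlement (RTGS style): each transfer settles on its own, so the
    sending bank must fund the full amount of every transfer it sends."""
    need: Dict[str, int] = defaultdict(int)
    for t in batch:
        need[t.sender_bank] += t.amount
    return dict(need)


def settlement_obligations(positions: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Turn net positions into the payments booked at the cut-off: net debtors
    pay net creditors. Positions may arrive from another system, so the zero-sum
    control (assumed here) is enforced at this boundary: netting only moves
    money between banks, it never creates or destroys any."""
    if sum(positions.values()) != 0:
        raise ValueError("net positions do not balance; refuse to settle")
    debtors = sorted((bank, -v) for bank, v in positions.items() if v < 0)
    creditors = sorted((bank, v) for bank, v in positions.items() if v > 0)
    payments: List[Tuple[str, str, int]] = []
    i = j = 0
    while i < len(debtors) and j < len(creditors):
        debtor, owes = debtors[i]
        creditor, due = creditors[j]
        amt = min(owes, due)
        payments.append((debtor, creditor, amt))
        debtors[i] = (debtor, owes - amt)
        creditors[j] = (creditor, due - amt)
        if debtors[i][1] == 0:
            i += 1
        if creditors[j][1] == 0:
            j += 1
    return payments


# Constructed batch: four remittances between three hypothetical banks (paise).
SAMPLE_BATCH = [
    Transfer("N001", "BANK_A", "BANK_B", 50_000),
    Transfer("N002", "BANK_B", "BANK_A", 30_000),
    Transfer("N003", "BANK_A", "BANK_C", 20_000),
    Transfer("N004", "BANK_C", "BANK_B", 10_000),
]

if __name__ == "__main__":
    net = net_positions(SAMPLE_BATCH)
    print("net positions :", net)
    print("gross funding :", gross_liquidity(SAMPLE_BATCH))
    print("settlement    :", settlement_obligations(net))
```

Running the block shows why NEFT is described as netting payables against receivables: BANK_A sends Rs.700 gross but owes only Rs.400 net, and the three positions always sum to zero. The balance check sits where the positions enter the settlement step, because that is the point at which a corrupted or tampered position file from an upstream system would otherwise be acted on.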
70.NPCI conducted successfully a pilot study on the mobile payment system with the banks like SBI,
BOI, UBI and ICICI in August 2010.
72.IMPS offers an instant, 24x7, interbank electronic fund transfer service through mobile phones.
73.IMPS is an effective tool to transfer money instantly between banks across India through mobile, internet and ATM, which is not only safe but also economical.
75.Introduced by NPCI in April 2016, the Unified Payment Interface (UPI) is intended to enable peer-to-peer immediate payment via a single-click, two-factor authentication process.
77.UPI will use existing systems such as IMPS and AEPS to ensure seamless settlement across
accounts.
78.It would facilitate push(pay) and pull(receive) transactions and even work for over-the-counter or
barcode payments as well as for multiple recurring payments such as utility bills, school fees, other
subscriptions.
80.BBPS, run by NPCI at the behest of RBI, is an integrated bill payment system in India offering interoperable and accessible bill payment service to customers through a network of agents, enabling multiple payment modes and providing instant confirmation of payment.
81.Based on the RBI's Payment system vision document, GOI enacted the Payment and Settlement Act,
2007(Act 51 of 2007). The Act received the assent of the President on 20th December 2007 and it came
into force w.e.f. 12th August 2008.
83.The Board for Regulation and Supervision of payment and settlement systems(BPSS) is the apex
body for regulation and supervision of payment systems in the country.
84.The RBI is authorized under the Act to constitute a Committee of its Central Board known as the
Board for Regulation and Supervision of payment and settlement systems(BPSS), to exercise its
powers and perform its functions and discharge its duties under this statute.
85.The Act also provides the legal basis for 'netting' and 'settlement finality'.
86.In India, other than the Real Time Gross Settlement(RTGS) system all other payment systems
function on a net settlement basis.
87.As banks move towards implementing CBS, a three Back Office structure can be implemented. This
comprises of :-
a)Branch Back Office(BBO)
b)City Back Office(CBO)
c)National Back Office(NBO)
88.The BBO is located within the branch premises, but preferably located in an area not visible to
customers.
89.The CBO is nothing but an expanded form of the Service Branch or Main Branch in each city,
which already handles certain activities such as clearing and payment of demand drafts.
91.The NBO will handle those back office activities that are optimally handled centrally at one location
for the Bank as a whole with a view to obtaining economies of scale.
92.The NBO need not be located in the Head Office of the Bank-ideally, the NBO should be in a low
cost location with good data communications and logistics facilities.
a)Inward clearing
b)Outward clearing instruments
c)Processing of upcountry cheques for collection
d)Account opening & scanning of signatures for new accounts.
e)Payment of demand drafts drawn on the city
f)Retail loan application processing
g)Document and PDC storage
h)ATM operations
i)Establishment
j)TDS(back office activities)
k)Printing
99.The BBO has to be within the branch premises, preferably in a location not visible to customers.
100.The logistics of paper cheque movement from the branches and physical proximity to the clearing
house would dictate the location of the CBO.
101.The NBO is typically located close to the Data Centre. However this is not mandatory-all the NBO
needs is a high speed link to the Data Centre.
CHAPTER-3-ACCOUNTING INFORMATION SYSTEM
103.An AIS is a system of collection, storage and processing of financial and accounting data that is
used by the decision makers and in banking it is being used by the different members of Senior
Management for taking appropriate decisions.
104.An AIS is generally a computer based method for tracking accounting activity in conjunction with
information technology resources.
105.In the computerized environment accounting records are kept in computer files, which are of three
types, namely (i)master file, (ii)parameter file and (iii)transaction file.
108.Every transaction processing system has three components-input, processing and output.
110.There are two types of TPS (transaction processing system): batch processing and online processing.
102.Today accounting information systems are more commonly sold as prebuilt software packages from vendors such as Microsoft, Sage Group, SAP and Oracle, and are configured and customized to match the organization's business processes.
104.In an ERP system, such an accounting information system is built as a module integrated into a suite of applications that can include manufacturing, supply chain and human resources.
105.With the ubiquity of ERP for business, the term “accounting information system” has become
much less about pure accounting (financial or managerial) and more about tracking processes across all
domains of business.
107.The Presentation Layer manages how the information is displayed and viewed by functional
users of the system(through mobile devices, web browsers or client application).
108.The application Layer retrieves the raw data held in the database layer, processes it based on the
configured business logic and passes it onto the presentation layer to display to the users.
109.Reporting is a major tool for organizations to accurately see summarized, timely information used for decision making and financial reporting.
110.Consolidation is one of the greatest hallmarks of reporting, as people do not have to look through an enormous number of transactions.
111.The steps necessary to implement a successful accounting information system are as follows :-
i)Detailed Requirement Analysis
ii)Systems Design
iii)Documentation
iv)Testing
v)Training
vi)Data Conversion
vii)Launch
viii)Support
CHAPTER-4-INFORMATION ORGANIZATION AND MANAGEMENT
112.The term "MIS" arose to describe applications that provide information about performance, and other data that help in managing it, enabling senior management to plan appropriately for the growth of the bank.
117.Third era (Client/Server) : Computers on a common network were able to access shared
information on a server.
118.Fourth era(Enterprise) : Enabled by high speed networks, tied all aspects of the business enterprise
together offering rich information access encompassing the complete management structure.
119.Fifth and latest era (Cloud computing) : Information systems employ networking technology to deliver applications as well as data storage independent of the configuration, location or nature of the hardware.
120.MIS : involve three primary resources – people, technology, and information or decision making.
121.The development and use of MIS has certain fundamental concepts which are the information
concept, the information management concept, the information system concept and the management
information concept.
123.Best in 1988 defines Information Management as the economic, efficient and effective co-ordination of the production, control, storage and retrieval and dissemination of information from external and internal sources, in order to improve the performance of the organization.
124.An Information System is a system for accepting data/information as raw material and, through one or more transformation processes, generating information as a product.
125.Information System comprises the functional elements which relate to an organization and its
environments :- perception, recording, processing, transmission, storage, retrieval, presentation and
decision making.
133.Decision making : A controversial inclusion, except to the extent that the information system
engages in decision making that concerns itself.
134.Planning, directing, and controlling are the essential ingredients for “management”.
135.The processing of data into information and communicating the resulting information to the user is
the key function of MIS.
136.Users in banks constantly require various reports for (i) monitoring purposes, (ii) analytical purposes and (iii) action-oriented purposes.
138.Data Warehouse is a relational database that is designed for query and analysis rather than for
transaction processing. It is the main repository of an organization's historical data, its corporate
memory.
139.A data warehouse contains the raw material for management's decision support system.
140.A data warehouse can be defined as a single, complete and consistent store of data from various
sources, which facilitates providing information to the end-users in the form required by them to be
used in the context of business.
141.Operational systems are optimized for simplicity and speed of modification through heavy use of database normalization and an entity-relationship model: Online Transaction Processing (OLTP).
142.The data warehouse is optimized for reporting and analysis: Online Analytical Processing (OLAP).
143.In setting up the Data Warehouse, three distinct steps are involved. They are called
ETL(Extraction, Transformation & Loading)
144.Data Transformation involves converting data from the source systems in a consistent, managed
and well understood manner. This involves integration, conversion and summarization.
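The three ETL steps of items 143 and 144 as an added example (not code from the original guide or from any bank's warehouse): two hypothetical OLTP sources, a core banking system and a card switch, record the same customers with different customer keys, date formats and money units. transform() does the integration and conversion the item describes, load() does the summarization into monthly totals, and rows that fail validation are kept as rejects with the reason instead of being loaded. All source rows, field names and formats are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal, InvalidOperation
from typing import Dict, Iterator, List, Tuple

# Constructed source rows from two hypothetical operational (OLTP) systems that
# record the same customers under different conventions.
CBS_ROWS = [  # core banking: dd-mm-yyyy dates, amounts in paise, customer key "cif"
    {"cif": "000123", "txn_date": "03-01-2019", "amount_paise": "250000", "channel": "BR"},
    {"cif": "000123", "txn_date": "17-01-2019", "amount_paise": "100000", "channel": "ATM"},
    {"cif": "000456", "txn_date": "31-01-2019", "amount_paise": "-5000", "channel": "BR"},
]
CARD_ROWS = [  # card switch: ISO dates, amounts in rupees as decimal strings, key "cust_no"
    {"cust_no": "123", "date": "2019-01-20", "amount_inr": "1500.50", "channel": "POS"},
    {"cust_no": "789", "date": "2019-13-01", "amount_inr": "20.00", "channel": "POS"},
]

Fact = Tuple[str, str, str, int]  # (customer, year-month, channel, amount in paise)


def extract() -> Iterator[Tuple[str, dict]]:
    """Extraction: pull raw rows from each source, tagged with their origin."""
    for row in CBS_ROWS:
        yield "CBS", row
    for row in CARD_ROWS:
        yield "CARD", row


def transform(source: str, row: dict) -> Fact:
    """Transformation: integrate (one customer key for both systems), convert
    (one date format, one money unit) and validate. A bad row raises rather
    than loading a wrong figure into the warehouse."""
    if source == "CBS":
        customer = f"CUST-{int(row['cif'])}"
        when = datetime.strptime(row["txn_date"], "%d-%m-%Y")
        paise = int(row["amount_paise"])
    elif source == "CARD":
        customer = f"CUST-{int(row['cust_no'])}"
        when = datetime.strptime(row["date"], "%Y-%m-%d")
        paise = int(Decimal(row["amount_inr"]) * 100)  # exact, no float rounding
    else:
        raise ValueError(f"unknown source {source}")
    if paise <= 0:
        raise ValueError(f"non-positive amount {paise}")
    return customer, when.strftime("%Y-%m"), row["channel"], paise


def load(facts: List[Fact]) -> Dict[Tuple[str, str, str], Tuple[int, int]]:
    """Loading with summarization: the warehouse keeps monthly totals and counts
    per customer and channel, not the individual OLTP rows."""
    totals: Dict[Tuple[str, str, str], List[int]] = defaultdict(lambda: [0, 0])
    for customer, month, channel, paise in facts:
        cell = totals[(customer, month, channel)]
        cell[0] += paise
        cell[1] += 1
    return {key: (val[0], val[1]) for key, val in totals.items()}


def run_etl():
    """Run the three steps. Rejected rows are kept with the reason so the load
    can be audited and reconciled back to the source systems."""
    facts: List[Fact] = []
    rejects: List[Tuple[str, dict, str]] = []
    for source, row in extract():
        try:
            facts.append(transform(source, row))
        except (ValueError, KeyError, InvalidOperation) as exc:
            rejects.append((source, row, str(exc)))
    return load(facts), rejects


if __name__ == "__main__":
    warehouse, rejected = run_etl()
    for key, (paise, count) in sorted(warehouse.items()):
        print(key, paise, count)
    print("rejected rows:", len(rejected))
```

The reject list is the audit point: a warehouse total that silently dropped or mis-parsed rows cannot be reconciled to the source systems, so every row that does not survive transformation is recorded with its reason.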
147.A DW provides the historical and factual position, and analytics for marketing, customer acquisition, business growth etc. It enables data mining.
148.There are many advantages of using a data warehouse, some of them are :-
(i)Enhances end-user access to a wide variety of data.
(ii)Business decision makers can obtain various kinds of trend reports e.g. the item with the most sales
in a particular area/country for the last two years.
149.Online Analytical Processing answers many of the questions relating to the trends, growth,
customer segmentation etc in a bank.
150.Transaction Processing is primarily enabled for facilitating transactions through the various
delivery channels.
151.Transaction processing vis-a-vis analytical processing :-
152.The functions of management can be grouped into five areas :- planning, decision making,
organization and coordinating, leadership and motivation and control.
155.Common end state : the state of complete automation for submission of returns without any manual
intervention.
CHAPTER-5-RISK ASSOCIATED WITH TECHNOLOGY IN BANKING
158.Given the increasing reliance of customers on electronic delivery channels to conduct transactions,
any security related issues have the potential to undermine public confidence in the use of e-banking
channels and lead to reputation risks to Banks.
158.Inadequate technology implementation can also induce strategic risks in terms of strategic
decision making based on inaccurate data/information.
159.Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal
requirements arising out of the use of I.T. These issues ultimately have the potential to impact the
safety and soundness of a bank and in extreme cases may lead to systemic crisis.
160.The Risk Management Principles fall into three broad and often overlapping, categories of issues
that are grouped to provide clarity : Board and Management Oversight, Security Controls; and Legal
and Reputational Risk Management.
161.The Board of Directors and Senior Management are responsible for developing the institution's
business strategy.
162.The activities of fraud prevention, monitoring, investigation reporting and awareness creation
should be owned and carried out by an independent fraud risk management group in the bank. The
group should be adequately staffed and headed by senior official of the bank, not below the rank of
General Manager/DGM.
163.Fraud review councils should meet at least every quarter to review fraud trends and preventive
steps taken that are specific to that business function group.
164.No new products or process should be introduced or modified in a bank without the approval of
control groups like compliance, audit and fraud risk management groups.
165.Banks should put in place automated systems for detection of frauds based on advanced statistical
algorithms and fraud detection techniques.
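An added example of what the automated detection in item 165 can look like (illustration only, not code from the guide or from any bank's system): transactions are replayed in time order and each one is scored against that card's own earlier history with two rules, an amount z-score against the card's previous spend and a same-card use in a different city within a short window. The card references, cities, amounts, the 3-sigma threshold and the 10-minute window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class CardTxn:
    txn_id: str
    card: str        # tokenised card reference, never the PAN itself
    ts: datetime
    amount: int      # paise
    city: str        # location of the acquiring terminal


def detect(txns: List[CardTxn], z_threshold: float = 3.0, min_history: int = 5,
           window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Replay transactions in time order and score each against the card's own
    earlier history. Returns {txn_id: [rule names]} for every flagged transaction.
    Rule "amount_outlier": amount is more than z_threshold standard deviations
    above the card's mean, once min_history earlier transactions exist.
    Rule "velocity_geo": the same card was used in a different city within window."""
    alerts: Dict[str, List[str]] = {}
    history: Dict[str, List[CardTxn]] = {}
    for t in sorted(txns, key=lambda x: x.ts):
        seen = history.setdefault(t.card, [])
        reasons: List[str] = []
        if len(seen) >= min_history:
            amounts = [h.amount for h in seen]
            mu, sigma = mean(amounts), pstdev(amounts)
            if sigma > 0 and (t.amount - mu) / sigma > z_threshold:
                reasons.append("amount_outlier")
        if any(t.ts - h.ts <= window and h.city != t.city for h in seen):
            reasons.append("velocity_geo")
        if reasons:
            alerts[t.txn_id] = reasons
        seen.append(t)  # appended after scoring: a transaction never scores itself
    return alerts


def _at(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2019, 1, day, hour, minute)


# Constructed sample: card C1 has a week of ordinary spend and then one huge
# purchase; card C2 is used in two cities five minutes apart.
SAMPLE_TXNS = [
    CardTxn("T1", "C1", _at(1, 10), 50_000, "Mumbai"),
    CardTxn("T2", "C1", _at(2, 10), 60_000, "Mumbai"),
    CardTxn("T3", "C1", _at(3, 10), 55_000, "Mumbai"),
    CardTxn("T4", "C1", _at(4, 10), 65_000, "Mumbai"),
    CardTxn("T5", "C1", _at(5, 10), 52_000, "Mumbai"),
    CardTxn("T6", "C1", _at(6, 10), 58_000, "Mumbai"),
    CardTxn("T7", "C1", _at(7, 10), 5_000_000, "Mumbai"),
    CardTxn("T8", "C2", _at(3, 10, 0), 20_000, "Mumbai"),
    CardTxn("T9", "C2", _at(3, 10, 5), 30_000, "Delhi"),
]

if __name__ == "__main__":
    for txn_id, why in sorted(detect(SAMPLE_TXNS).items()):
        print(txn_id, why)
```

Each transaction is scored only against transactions that precede it, so the large purchase on C1 cannot inflate the baseline it is compared with; a detector that recomputed the statistics over the full history, including the transaction under review, would be far easier to blind.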
166.In case of credit card frauds, some banks follow the practice of reporting the frauds net of chargeback credit received, while others report the amount of the original transactions.
167.In a shared ATM network scenario, when the cards of one bank are used to perpetrate a fraud
through another bank's ATM, it is the acquiring bank that should report the fraud. The acquiring bank
should solicit the help of the issuing bank in recovering the money.
170.An Audit Charter/Audit Policy is a document which guides and directs the activities of the
internal audit function; the IS Audit function should also be governed by the same Audit Policy.
171.The audit policy should be documented to contain a clear description of its mandate, purpose,
authority and accountability (of relevant members/officials in respect of IS Audit, i.e. IS Auditors, audit
management and the audit committee) and the relevant operating principles.
174.The IS Auditor should consider establishing a quality assurance process e.g. interviews, customer
satisfaction surveys, assignment performance surveys etc.
175.Banks need to carry out IS Audit planning using the Risk Based Audit Approach(RBAA).
176.The RBAA approach involves aspects like the IT operational risk assessment methodology, defining
the IS Audit Universe, scoping and planning the audit, execution and follow-up activities.
177.The IS Audit Universe can be built around the four types of IT resources and various IT processes:
application systems; information or data; infrastructure (technology and facilities like hardware,
operating systems, database management systems, networking, multimedia etc. and the environment
that houses and supports them, enabling the processing of the applications); and people (internal or
outsourced personnel required to plan, organize, acquire, implement, support, monitor and evaluate
the information systems and services).
178.The IS Auditor must define, adopt and follow a suitable risk assessment methodology.
179.The IS Audit Head is responsible for the annual IS Audit Plan which is required to be prepared
based on the scope document and risk assessment.
180.IT governance, information security governance related aspects, critical IT General Controls like
data centre controls and processes, critical business applications/systems having financial/compliance
implications including MIS and regulatory reporting systems, and customer access points (like delivery
channels) need to be audited at least once a year (or more frequently, if warranted by risk assessment).
182.CAATs may be used effectively in areas such as detection of revenue leakage, assessing the impact of
control weaknesses, monitoring customer transactions under AML requirements and generally in areas
where a large volume and value of transactions are reported.
183.Suitable “read only” access rights should be provided to the auditors for enabling use of CAATs.
184.In order to provide assurance to management and regulators, banks are required to conduct a
quality assurance at least once in every three years on the Bank's Internal Audit, including the IS Audit
function, to validate the approach and practices adopted by them in discharging their responsibilities
as laid out in the Audit Policy.
186.A far advanced IS Audit is also regularly conducted for various critical IT units including Bank's
Data Centre and Disaster Recovery Site(DC & DRS).
MODULE-B -TECHNOLOGY-SYSTEM, DEVELOPMENT,
PROCESS, IMPLEMENTATION
CHAPTER-7-HARDWARE ARCHITECTURE
187.Computers can be generally divided into two categories, i.e. Small Computers and Large Computers.
189.Large Computers – Workstation, Servers, Main Frame Computer and Super Computer
191.Today single user computers are basically categorized as Apple Macintoshes and PCs.
192.The principal characteristics of personal computers are that they are single-user systems and are
based on microprocessors.
193.High-end models of Macintosh and PC offer the same computing power and graphics capability as
low-end workstations by Sun Microsystems, Hewlett-Packard and DEC.
194.Because of the shape of the desktop model, these computers are generally limited to three internal
mass storage devices.
195. Desktop Models designed to be very small are sometimes referred to as slim line models or thin
clients.
197. Notebook Computers use a variety of techniques, known as flat-panel technologies to produce a
lightweight and non-bulky display screen.
198.Hand-held computers are designed to cater to applications which require mobility, smart card
interface and modem connectivity. These devices, in addition to normal features, also have fingerprint
reading devices, so that even illiterate persons can be served.
199.The field of PDA was pioneered by Apple Computer, which introduced the Newton Message Pad
in 1993.
200.The Indian Govt. has come out with a very cost-effective tablet PC called Akash. It is targeted at
the student community. It is priced at about Rs.2500/- per piece, which is less than one-tenth of the
price of a commercial tablet PC.
203.The most common operating systems for workstations are UNIX and Windows NT.
206.The trend towards minicomputers was started by HP and DEC in the early 1970s.
207.In general a minicomputer is a multiprocessing system capable of supporting up to 200 users
simultaneously.
208.Mainframe – a mainframe computer is a large and fast computer with superior data processing
capabilities.
209.IBM led the development of mainframe computers during the late 1950s.
210.Mainframe computers are usually installed in very large organizations such as military service and
weather bureaus.
211.The term mainframe originally referred to a cabinet containing the central processor unit or
“mainframe” of a room-filling Stone Age batch machine.
212.The main difference between a super computer and a mainframe is that a supercomputer channels
all its power into executing a few programs as fast as possible, whereas a mainframe uses its power to
execute many programs concurrently.
213.Supercomputer – They are usually used to deal with complicated computations e.g. weather
forecasting and scientific research requiring massive calculations within a short period of time. Other
uses are scientific simulations, animated graphics, fluid dynamic calculations, nuclear energy research,
electronic design and analysis of geological data e.g. in petrochemical prospecting.
214.Input output devices – The I/O devices form the bridge between the user and the central processing
unit.
217.Smart card – A smart card is a small electronic device about the size of a credit card that contains
electronic memory and possibly an embedded Integrated Circuit(IC).
219.Smart cards are used for a variety of purposes including storing a patient's medical records, storing
digital cash and generating network ID.
210.Pen – A Pen computer is a computer that utilizes an electronic pen(called a stylus) rather than a
keyboard for input.
211.Stylus – It is a pointer, a drawing device shaped like a pen. It can be used with a digitizing tablet or
touch screen.
215.Most desktop monitors use a CRT, while portable computing devices such as laptops incorporate
LCD, LED, gas plasma or other image projection technology.
216.If the CRT monitor has a refresh rate of 72 Hertz(Hz), then it cycles through all the pixels from top
to bottom 72 times a second.
218.Lower refresh rates can lead to flicker and thereby headaches and eyestrain.
219.Televisions have a lower refresh rate than most computer monitors. To help adjust the flicker rate,
a technique called interlacing is used.
220.Interlacing : This means the electron gun in the television's CRT will scan through the odd rows
from top to bottom and then start again with the even rows. The phosphors hold the light long enough
so that the human eyes are tricked into thinking that all the lines are being drawn together.
221.A tape is a magnetically coated strip of plastic on which the data can be encoded. Tapes are
sequential-access media.
222.Disks are random-access media because a disk drive can access any point at random without
passing through intervening points.
224.Floppy drive – A floppy disk is made from a thin piece of plastic coated with a magnetic material
on both sides. The tracks are arranged in concentric rings.
226.There are two standard sizes for floppy disks : 3.5 inches and 5.25 inches in diameter with
capacities of 1.44 MB and 1.2 MB respectively.
227.Floppy disks, still find their applications for accessing data of one computer on a second computer
when the two computers are not networked, bootable diskettes to update the BIOS on a personal
computer and software recovery after a system crash or a virus attack.
229.A hard disk is an airtight sealed unit, consisting of a number of metallic disks mounted on a spindle,
which rotates at a speed of about 3600-7200 RPM.
230.Data can be written to or read from a hard disk twenty times faster than from a floppy.
233.CD-ROMs can store up to 650 MB to 700 MB and are used for distribution of massive quantities of
data (e.g. encyclopedias, document archiving, manuals, statistics, software packages) at relatively low
cost.
234.Spin rate : The spin rate is the rotation speed of the disk and it influences the information retrieval
speed(access time).
237.Much like a regular CD, DVD uses a laser to read microscopic pits on a disc to gather information
and translate it into music, video or information.
238.The microscopic pits are made smaller and placed much closer together to achieve a stunning 4.7
gigabytes on a single layer of the new DVD disc.
241.Double layer, double sided DVD disc can store an amazing amount of 17 gigabytes of information
which is more than the storage of 11,800 floppy discs.
243.Flatbed scanners, sheet-fed scanners, hand-held scanners, drum scanners are some of the popular
types of scanners.
246.The disadvantage of Dot Matrix Printers is their low printing speed, about 300 characters/second.
247.Inkjet Printer : A typical Inkjet Printer or Bubble Jet Printer head has 64 or 128 tiny nozzles, and
all of them can simultaneously fire a droplet.
248.The advantages of Inkjet Printers are that the print quality is high and the print speed is faster:
500 characters/second.
249.The advantages of laser printers: extremely high print quality (resolution from 300 dpi up to 2000
dpi for commercial printers), a wide selection of type fonts, and quiet printing because they are
non-impact. They are very fast (400 to 500 pages/minute produced by commercial laser printers),
although the low-end lasers used with PCs can only print about 8-10 pages/minute.
250.In a Microcomputer, the entire CPU is contained on a tiny chip called a microprocessor.
251.Every CPU has at least two basic parts, the control unit and the arithmetic logic unit(ALU).
252.Upward compatibility : Usually when a new CPU is developed, the instruction set has all the same
commands as its predecessor plus some new ones. This allows software written for a particular CPU to
work on computers with newer processors of the same family, a design strategy known as upward
compatibility.
253.Downward or backward compatibility : When a new hardware device or piece of software can
interact with all the same equipment and software its predecessor could, it is said to have downward or
backward compatibility.
254.The latest Intel processor, named Intel Core i7-3960X Extreme Edition, consists of 6 cores, has a
processor speed of 3.90 GHz, with 15 MB of cache memory.
255.Clock Speed – The clock speed is the speed at which the processor executes instructions. Clock
speed is measured in megahertz (MHz), which is a million cycles per second.
256.Superscalar – Some microprocessors are superscalar, which means that they can execute more
than one instruction per clock cycle.
257.Cache : Processors incorporate their own internal cache memory. The cache acts as temporary
memory and boosts processing power significantly.
258.The cache that comes with the processor is called Level One (L1) cache.
259.The L1 cache is divided into 2 sections – one for data, the other for instructions.
260.Secondary cache – Level Two (L2) cache.
261.To overcome the slow performance of L2 cache, newer chips (Pentium II and Pentium III) house
the L2 cache in a cartridge along with the CPU.
262.System Memory – Just like the human brain, which helps to determine what to do and when,
computers need blocks of space that they can address from time to time to help in processing arithmetical
and logical operations and also to hold the programs and data being manipulated. This area is called memory.
263.Moore's Law – It is a rule of thumb in the history of computer hardware. According to this law, the
number of transistors that can be placed inexpensively in an integrated circuit doubles once in two
years.
266.The distance between two transistors has now shrunk to almost 30 nanometres.
267.RAM – The memory system constructed with metal oxide semiconductor storage elements whose
contents can be changed is called RAM.
270.FPM DRAM was used in most computers until EDORAM came along.
273.One variation called burst EDO (BEDO) DRAM assumes that the next data address to be requested
by the CPU follows the current one so it sends that also.
275.SDRAM can synchronize itself with the clock that controls the CPU.
276.RDRAM – Rambus Dynamic Random-Access-Memory
277.RDRAM sends data down a high-bandwidth “channel” 10 times faster than standard DRAM.
280.Some dynamic RAM memory circuits include built-in “refresh circuits” to relieve the computer.
284.ROM may be used as a code converter, function generator and character generator.
285.In IBM personal computer, a PC with 2 MB of RAM is capable of running Microsoft Windows
operating system, even though the program actually occupies 10 MB of disk storage space.
286.The moment the user launches a program or double-clicks an application icon, the microprocessor
of the computer loads the program file from the hard disk into RAM.
CHAPTER-8-SOFTWARE PLATFORMS
287.A computer system can be divided into four components :
i)Hardware
ii)Operating System
iii)Application Programs
iv)Users
289.The application programs include compilers, database systems, video games, and business
programs.
291.In a computer there are four main resources: the processor, the main memory (RAM),
all I/O devices and the information that is stored in the computer.
292.Operating systems provide four management schemes: Job Management, Memory
Management, Device Management and Information Management.
293.Present day OS are – Mainframe OS, Multi-user OS, Single-user(PC-based) OS, Network OS,
Distributed OS and Real time OS.
294.Programs that are frequently required by the system during normal processing operations are
termed as Utility Programs.
iv)Scalability
v)Reliability
298.First generation languages : The machine code represents the first generation language. These are
machine dependent and are written in strings of 1s and 0s.
299.The second generation languages were developed in the late 1950s and early 1960s.
303.The assembly language code is converted to machine code by a program called an assembler.
304.The third generation languages are called modern or structured programming languages.
305.The third generation languages are characterized by strong procedural and data structuring
capabilities.
306.Typical examples of 3rd generation languages are BASIC, COBOL, FORTRAN, PASCAL and C.
307.In order to convert a 3rd generation language statement into machine executable code, one uses a
programming language compiler/interpreter.
308.Fourth generation languages, like all artificial languages, contain a distinct syntax for control and
data structure representation.
310. The fourth-generation languages include query languages, program generators and application
generators.
311.Programming languages based on artificial intelligence are termed as fifth generation languages.
312.Object oriented languages – With technical development in the field of object technologies,
specialized programming languages to handle the features of objects were developed. Such
programming languages were termed OOL. Typical examples are Smalltalk, C++ and Java.
313.Codd's rules-Codd's 12 rules are a set of rules proposed by Edgar F. Codd, a pioneer of the
relational model for databases, designed to define what is required from a database management system
in order for it to be considered relational i.e. a relational database management system.
314.A Database Management System(DBMS) is essentially a collection of interrelated data and a set of
programs to access this data. This collection is called a Database.
315.The primary objective of a DBMS is to provide a convenient environment to retrieve and store
database information.
316.A database system consists of two parts. Database Management System and Database Application.
317.DBMS is the program that organizes and maintains the information, whereas the Database
Application is the program that lets us view, retrieve and update information stored in the DBMS.
320.Data maintenance-It checks whether each record has fields containing all information about one
particular item.
321.Data manipulation-Allows data in the database to be inserted, updated, deleted and stored.
iv)Program and datafield
v)User and transaction
vi)User and datafield
325.Advantages of DBMS :-
i)Data independence for application system.
ii)Ease of support and flexibility in meeting changed data requirements.
iii)Transaction processing efficiency.
iv)Reduces data redundancy.
v)Maximises data consistency.
vi)Minimises maintenance cost through data sharing.
vii)Offers an opportunity to enforce data/programming standards.
viii)Offers an opportunity to enforce data security.
ix)Provides for stored data integrity checks.
x)Facilitates terminal users' ad hoc access to data through specially designed query languages/application
generators.
327.File manager-Manages the allocation of space on disk storage and the data structures used to
represent information stored.
328.Database manager-Provides the interface between the low-level data stored in the database and
the application programs and queries submitted to the system.
331.DDL compiler-Converts DDL statements to a set of tables containing metadata or “data about data”.
337.Queries of sophisticated users are submitted to a query processor, whose function is to take a DML
statement and break it down into instructions that the database manager understands.
339.Naive users-Unsophisticated users interact with the system by invoking a permanent application
programme written previously.
341.File Management System(FMS): The FMS was the first method used to store data in a
computerized database. In this system, the data item is stored sequentially in one large file.
342.A File Management System or a File Manager is a software used for creating, retrieving and
manipulating files.
343.An index file contains a subset of the data file based on one or more key fields.
344.The necessity for establishing a relationship among records and the need for an easier and quicker
way to access records led to the development of another model called the Hierarchical Database Model.
ii)Lack of data integrity
iii)Lack of programme independence
346.Data redundancy : Data redundancy means that the same data fields appear in many different files
and often in different formats. Thus separate files tend to repeat some of the data.
347.Hierarchical model : This model was introduced in the Information Management System (IMS)
developed by IBM in 1968.
351.A network is a graph and can be used to represent a data scheme. It consists of nodes connected
together by edges.
353.When applied to database technology, nodes of a network represent record types and edges
connecting the nodes represent the relationship between them. In their most general form edges can
represent 1:1, 1:N and N:M relationship.
356.The relational model has acquired wide prominence and in fact most Database Management
Systems (DBMS) today adopt the relational model.
357.Characteristics of a table :-
i)No two rows can be identical.
ii)All entries in a column belong to the same category.
iii)Ordering of rows and columns is insignificant.
iv)A row can have n columns; such a row is termed an n-tuple.
359.The information rule : All information is explicitly and logically represented in tables as data
values.
360.The rule of Guaranteed Access : Every item of data must be logically found with the help of a
table name, primary key value and column name. Primary key condition prevents the entry of
duplicate and null values.
361.The systematic treatment of null values : The RDBMS must be able to support null values(these
values are different from zeroes and spaces) to represent missing or inapplicable information. Null
values for all data types must be the same.
362.The database description rule : The same logical structure must be used for both description of
database and definition of data. These are accessible to users with appropriate authority and are stored
in the data dictionary.
363.Comprehensive data sub-language : The RDBMS must support the following criteria according
to this rule: Data definition, View definition, Data manipulation, Integrity constraints, Authorisation and
Transaction management operations.
364.The view updating rule : All views that are theoretically updateable must also be updateable by
the system.
365.The insert and update rule : A single operand must hold good for all retrieval, update, delete and
insert activities. This rule implies that all the data manipulation commands must be operational on sets
of rows in a relation rather than on a single row.
366.The physical independence rule : Application programs must remain unimpaired when any
changes are made in storage representation or access methods.
367.The logical data independence rule : The changes that are made should not affect the user's
ability to work with the data. The change can lead to splitting the table into many more tables.
368.The integrity independence rule : The integrity constraints should be stored in the system
catalogue or in the database as a table.
369.The distribution rule : The system must be able to access or manipulate data that is distributed in
other systems.
370.The non-subversion rule : This rule states that different levels of the language cannot subvert or
bypass the integrity rules and constraints. To state it simply, if an RDBMS supports a lower level
language, then that language should not bypass any integrity constraints defined in the higher level.
371.Normalization : The purpose of normalization is to decompose large tables into smaller ones so
that they can be easily managed. The problems of addition, modification and deletion anomalies are
also taken care of.
372.The main types of normal forms are First, Second, Third, Boyce-Codd, Fourth and Fifth.
374.First Normal Form : Unnormalised tables are converted into a tabular form and keys are identified.
375.Second Normal Form : Identification of data items, which are fully dependent and partially
dependent on the key. Tables are then decomposed into smaller ones.
376.Third Normal Form : Identification of transitive dependencies between non-key attributes and their
removal.
377.Boyce-Codd Normal Form : Problems that arise from overlapping composite keys are removed.
378.Fourth Normal Form : Takes care of problems arising from multi valued dependencies.
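The 1NF, 2NF and 3NF steps above, carried through on one constructed loan ledger as an added example. This is not part of the original notes and goes slightly beyond them by showing all three decompositions on a single table; the table, column and constraint names are assumptions.

```sql
-- Added example (not from the original notes): one constructed loan ledger carried
-- from unnormalised form to third normal form. Names and columns are assumptions.

-- Unnormalised: one row per customer, with loans packed into a repeating group.
-- A customer with a third loan cannot be recorded without altering the table.
CREATE TABLE customer_loans_unf (
    cust_id       INTEGER PRIMARY KEY,
    cust_name     VARCHAR(40),
    branch_id     INTEGER,
    branch_name   VARCHAR(40),
    loan1_id      INTEGER, loan1_amount INTEGER, loan1_product VARCHAR(10),
    loan2_id      INTEGER, loan2_amount INTEGER, loan2_product VARCHAR(10)
);

-- 1NF: the repeating group is flattened to one row per (customer, loan) and the
-- composite key is identified.
CREATE TABLE customer_loan_1nf (
    cust_id      INTEGER,
    loan_id      INTEGER,
    cust_name    VARCHAR(40),
    branch_id    INTEGER,
    branch_name  VARCHAR(40),
    loan_amount  INTEGER,
    product_code VARCHAR(10),
    product_name VARCHAR(40),
    PRIMARY KEY (cust_id, loan_id)
);
-- Anomalies remaining: changing a customer's name must touch every loan row
-- (modification anomaly); deleting the last loan loses the customer (deletion anomaly).

-- 2NF: attributes that depend on only part of the composite key move out.
-- cust_name and branch_* depend on cust_id alone; loan_amount and product_*
-- depend on loan_id alone; only the association itself stays keyed on both.
CREATE TABLE customer_2nf (
    cust_id     INTEGER PRIMARY KEY,
    cust_name   VARCHAR(40),
    branch_id   INTEGER,
    branch_name VARCHAR(40)
);
CREATE TABLE loan_2nf (
    loan_id      INTEGER PRIMARY KEY,
    loan_amount  INTEGER,
    product_code VARCHAR(10),
    product_name VARCHAR(40)
);
CREATE TABLE customer_loan_2nf (
    cust_id INTEGER REFERENCES customer_2nf(cust_id),
    loan_id INTEGER REFERENCES loan_2nf(loan_id),
    PRIMARY KEY (cust_id, loan_id)
);

-- 3NF: transitive dependencies between non-key attributes are removed.
-- branch_name depends on branch_id, not on cust_id; product_name on product_code.
CREATE TABLE branch (
    branch_id   INTEGER PRIMARY KEY,
    branch_name VARCHAR(40) NOT NULL
);
CREATE TABLE product (
    product_code VARCHAR(10) PRIMARY KEY,
    product_name VARCHAR(40) NOT NULL
);
CREATE TABLE customer (
    cust_id   INTEGER PRIMARY KEY,
    cust_name VARCHAR(40) NOT NULL,
    branch_id INTEGER NOT NULL REFERENCES branch(branch_id)
);
CREATE TABLE loan (
    loan_id      INTEGER PRIMARY KEY,
    loan_amount  INTEGER NOT NULL,
    product_code VARCHAR(10) NOT NULL REFERENCES product(product_code)
);
CREATE TABLE customer_loan (
    cust_id INTEGER NOT NULL REFERENCES customer(cust_id),
    loan_id INTEGER NOT NULL REFERENCES loan(loan_id),
    PRIMARY KEY (cust_id, loan_id)
);
-- Each fact is now stored once: renaming a branch is a single UPDATE on branch,
-- and the integrity constraints live in the catalogue as REFERENCES clauses.
```

The three `_1nf`/`_2nf` intermediate tables are kept only to make each step visible; in a real schema only the final set of tables would be created.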
380.The major task of developing, designing and maintaining the database is entrusted to a Database
Administrator.
384.Conceptual schema – This provides the overall logical view of the entire database.
385.Internal schema – It describes the physical representation of the data in the database.
388.DDL – It permits one to declare records, links, fields and keys. It also provides description
facilities of the various entities and their connections to DBMS.
389.DML – It helps in operating i.e. inserting, deleting, modifying and the like on the data in the
database.
390.Two widely used DMLs are Structured Query Language (SQL) and Query
Language (QUEL).
391.Data dictionary : The data dictionary holds the information about the data stored in the
database.
392.Data Item or Entity : The indivisible part of a database is generally referred to as a Data Item or
Entity.
393.Database relationships are :-
i)One-to-one : Here each entity has only one association. Eg. Employee and Employee ID.
ii)One-to-many : Here, one entity has many associations. Eg. Designation-Employee relationship.
iii)Many-to-many : Here, each entity has many associations. Eg. Vendor-Inventory Items.
394.Database : A database is a program that stores, manipulates, and expresses data. It is a collection
of data that is related to each other.
396.Database security : It ensures that only an authorised person has the right to access the right data.
There are two issues in ensuring this
i)'Right people' (or the authorised user) is one who has the privilege of accessing the database.
ii)'Right access to the right data' : Though certain users are allowed to interact with the database, certain
rights have to be restricted.
397.Authentication – The process of determining the right person to interact with the data in the
database is called Authentication.
398.Authorisation and Access Control – The process of determining the privileges to be given to the
user is known as Authorisation and Access Control.
404.Specialised users-These users write specialized database applications that do not fit into the
traditional data processing framework.
405.Naive users-They invoke permanent application programs written previously. This group includes
people accessing database over the web, bank tellers, clerical staff and the like.
vii)Monitoring performance and responding to changes in requirements.
407.Authentication :-It is the process of checking whether a user operating upon the database has the
right to do so.
408.In order to allow only authenticated users to interact with a database, password protection is
necessary. This can be done by associating a password with the sub-schema of a schema.
410.Magnetic film badges:-These check the stored pattern against the one entered by the user. The
user is allowed to access the data only if both match.
411.The basic model for accessing control usually involves three things – Subjects, Objects and Access
rights.
413.Object-An item for which rights have to be granted is known as the Object.
414.Access Rights-The access permissions to read or write are called as Access Rights.
416.Under the flat-scheme, access rights are independent and stand alone.
417.In a hierarchical scheme, the possession of a certain access right may imply the possession of the
rights subordinate to it (i.e. possession of rights is governed by an order of hierarchy).
418.A user may have several forms of authorization on parts of database. Among these are :-
i)Read authorization
ii)Insert authorization
iii)Update authorization
iv)Delete authorization
v)Index authorization
vi)Resource authorization
vii)Alteration authorization
viii)Drop authorization
419.Read authorization-It allows reading, but not modification of data.
420.Insert authorization-It allows insertion of new data, but not modification of existing data.
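The authorization forms listed in items 418-420, expressed as MySQL 8 GRANT statements on a constructed schema, as an added example that is not part of the original notes. It also shows the "read only" auditor access of item 183 and the flat versus hierarchical idea of items 416-417 (a role standing above the individual rights it carries). Database, table, user and role names are assumptions, and the password is a placeholder.

```sql
-- Added example (not from the original notes): the authorization forms listed
-- above as MySQL 8 GRANT statements. Schema, account and role names are assumptions;
-- 'REPLACE_WITH_STRONG_PASSWORD' is a placeholder, not a real credential.
CREATE DATABASE IF NOT EXISTS bankdb;
CREATE TABLE IF NOT EXISTS bankdb.account (
    acct_no   CHAR(12)       PRIMARY KEY,
    cust_name VARCHAR(60)    NOT NULL,
    balance   DECIMAL(14, 2) NOT NULL DEFAULT 0
);

-- Weak setting: every authorization form at once, reachable from any host. A leaked
-- application credential would then carry alteration and drop authorization too.
-- CREATE USER 'teller_app'@'%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
-- GRANT ALL PRIVILEGES ON bankdb.* TO 'teller_app'@'%';

-- Corrected: the naive-user application (item 405) receives only the forms it needs.
CREATE USER IF NOT EXISTS 'teller_app'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT, INSERT ON bankdb.account TO 'teller_app'@'localhost';   -- read + insert authorization
GRANT UPDATE (balance) ON bankdb.account TO 'teller_app'@'localhost'; -- update authorization, one column
-- Delete authorization is withheld: tellers reverse an entry with a new row, never by deleting.

-- IS auditors running CAATs (item 183) get "read only" access through a role,
-- so the right is granted once and inherited by each auditor account (hierarchical scheme).
CREATE ROLE IF NOT EXISTS 'is_audit_ro';
GRANT SELECT ON bankdb.* TO 'is_audit_ro';                            -- read authorization only
CREATE USER IF NOT EXISTS 'is_auditor1'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT 'is_audit_ro' TO 'is_auditor1'@'localhost';
SET DEFAULT ROLE 'is_audit_ro' TO 'is_auditor1'@'localhost';

-- Structural forms (resource/create, index, alteration, drop) stay with the DBA account.
CREATE USER IF NOT EXISTS 'bank_dba'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT CREATE, INDEX, ALTER, DROP ON bankdb.* TO 'bank_dba'@'localhost';

-- Withdrawing a form again (drop authorization outside a change window) and
-- reviewing what each account actually holds.
REVOKE DROP ON bankdb.* FROM 'bank_dba'@'localhost';
SHOW GRANTS FOR 'teller_app'@'localhost';
SHOW GRANTS FOR 'is_auditor1'@'localhost' USING 'is_audit_ro';
```

The `SHOW GRANTS` output is what an IS auditor would compare against the approved access matrix during a periodic review.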
428.SQL is the de facto language used to communicate with databases. ANSI defines it as the standard
language for relational database management systems.
430.Commercial DBMS software of Oracle, Sybase, Microsoft SQL Server, Access, Ingres etc use
SQL.
431.SQL statements are broadly classified into three categories:
i)Data Definition Language(DDL)
ii)Data Manipulation Language(DML)
iii)Transaction Control Language(TCL)
433.Comparison operators(CO): COs are used in conditions to compare one expression with another.
The comparison operators are =, <> (not equal to), >, <, >=, <= etc.
435.Join Operator(JO) :A JO is used to combine the data from multiple tables. It is actually
performed by the where clause, which combines the specified rows of the tables.
436.There are three different types of join, namely Simple join, Self join and Outer join.
437.Simple join : It retrieves rows from two tables having a common column and is further classified
into equi-join and non-equi-join.
440.Self join : Joining a table to itself is known as a self-join, i.e. it joins one row in a table to
another row of the same table.
441.Outer join : The outer join extends the result of a simple join. It returns all the rows returned by
the simple join as well as those rows from one table that do not match any row from the other table.
The symbol (+) represents outer join.
443.Entropy : Entropy refers to the inherent tendency of systems to fail with the passage of time or use.
The systems approach must necessarily deal with entropy and manage it effectively.
445.Natural or man made : While a natural system is one that is found in nature, a man-made system
is artificial.
446.Closed or open : A closed system is one which does not interact with the outside environment,
whereas an open system is one which has an interface with the external environment.
447.Conceptual or physical : A conceptual system is abstract in nature. One may not be able to
directly experience the system. A physical system is one whose components exist in the real world.
449.System Analyst : whose main responsibility is to interview the users to understand their
requirements.
450.Programmers : who are the builders of the system. They are responsible for converting designs
into program code.
451.Database Administrator(DBA) : The DBA has primary responsibility of designing the data sets
required for the project.
452.The Domain or functional specialist : is a person who is an expert on the business area for which
the system is developed.
453.Quality Assurance(QA) : lays down the standards for the development project. QA is responsible
for measurement and comparison of deliverables and results against the standards set.
454.Delineation of Scope : Here the boundaries of the system are defined so as to develop the software
solution.
455.A DFD(Data Flow Diagram) consists of four elements :-
i)Data flow
ii)Process
iii)Data stores
iv)External entity
463.Architectural Design- Deals with the hierarchy of modules and sub-modules. All major modules,
their functions and scope, interface of modules and data received and released by each module are
identified at this step.
464.Physical Design- Type of hardware and operating systems to be used, network architecture,
processing method(whether batch, online or real time), frequency of inputs and outputs and period end
cycles are addressed during physical design.
466.Software Testing is a process under controlled environment in order to verify that the software
meets its design specifications. Two broad categories of testing are :-
i)Unit Testing and
ii)System Testing
467.Unit Testing-refers to the testing of individual modules or units in the software.
469.System testing is a testing process where a collection of programs is integrated into the final
system and tested.
471.Bottom up integration testing – follows the traditional method of testing where individual units
are tested first, then sub-systems and finally the system as a whole.
472.Top down integration testing-The testing of the main routine is attempted first. Once the program
coding of all modules is complete, the incomplete program code with logical end points, called Stubs,
is replaced by real modules and tested again.
473.Stubs-incomplete program code with logical end points, used in place of modules that are not yet coded.
474.Acceptance testing-is the final stage of testing where the user is required to work on the system and
be satisfied as to the functional and operational completeness of the system.
477.Parallel Implementation-where the new system is started with the old system running in a
parallel manner. The results of the new system are compared with those of the old system on a
continuous basis. Once the new system is found to be better, then the old system is discarded.
478.Phased Implementation-where the entire business process is divided into manageable units and
the new system is implemented in these units one by one.
479.Pilot implementation-where a small non-critical unit of the business process is selected and the
new system implemented.
487.Coding:-One of the prime goals of software engineering is to automate the process of coding.
There are two ways of doing the same.
i)By Algebraic specification
ii)Usage of Computer Aided Software Engineering(CASE) tools.
CHAPTER-10-COMPUTER NETWORKS
491.A WAN covers a large geographic area with various communication facilities such as long distance
telephone service, satellite transmission, and under-sea cables.
492.Examples of WANs are interstate banking networks and airline reservation systems.
494.In a WAN, channels are of relatively low capacity (measuring throughput in kilobits per second,
kbit/s).
495.In a WAN, channels are relatively error-prone (eg, a bit error rate of 1 in 10^5 bits transmitted).
497.A typical LAN connects as many as hundred or so micro computers that are located in a relatively
small area, such as a building or several adjacent buildings.
498.LANs use high-speed media 1 Mbps to 1 Gbps or more and are mostly privately owned and
operated.
499.In a LAN, channels are of relatively high capacity (measuring throughput in megabits per second,
Mbit/s).
500.Channels are relatively error free (eg, a bit error rate of 1 in 10^9 bits transmitted).
502.The term MAN is sometimes used to refer to networks which connect systems or local area
networks within a metropolitan area (roughly 40 kms in length from one point to another).
503.MANs are based on fiber optic transmission technology and provide high speed (10 Mbps or so)
interconnection between sites.
504.A MAN can support both data and voice; cable television networks are examples of MANs that
distribute television signals.
505.Signal- A signal is generally defined as a function, which conveys information about a physical
system, usually about its state or behaviour.
507.Amplitude : It refers to value of the signal at any point on the wave. It also refers to the vertical
distance of a given point in the graph from the horizontal axis.
508.Frequency : This indicates the number of cycles a signal completes in one second.
511.Phase : Phase is the position on the wave at a given point of time. This is in terms of the angle it
makes on the wave form cycle.
513.Phase difference : The difference between the angles of two waves at a particular instant of
time is known as phase difference.
514.There are two types of signals – Analog signals and Digital signals.
515.Analog signal-An analog signal is one in which the amplitude varies continuously with time. If the
speech of a human being is pictured as a signal, it is an analog signal.
516.Digital signal-If the information is represented only in discrete states, then the signal is termed as
digital signal. If the number of discrete states is only two, then it is called as a binary signal.
517.Multiplexing-It is the technique of sending multiple signals on a single carrier at the same time.
519.TDM-Time Division Multiplexing
522.TDM-In TDM time is the basis for multiplexing. This is a technique where a short time slot is
allotted to each of the users(equipment) who wish to use the common channel. Each user uses time slot
in turn on the basis of time, and then the sequence is repeated. One example for TDM is the traffic
signal.
523.FDM-It is a scheme where numerous signals are assigned different sub-channels within the main
channel. A guard-band is used to separate the channels and ensure that they do not interfere with one
another. A typical example of FDM is cable television.
524.WDM-It is a form of frequency division multiplexing specifically for packing many optical carrier
signals into a single optical fibre.
525.Switching Technologies- ST refer to the establishment of communication path between the sender
and the receiver. The various STs available today are :-
i)Circuit switching
ii)Message switching
iii)Packet switching
a)Datagram
b)Virtual circuit
528.Packet Switching-PS is similar to message switching. Here the entire message is split into small
units called packets. Each packet has three important portions-Header, Body and Footer.
529.Header-The header holds information about the data contained in the packet. The contents are
Length of the packet, Packet number, Destination address and Originating address.
530.Body-This is the actual data that is contained in the packet that is delivered to the destination.
531.Footer-The portion of packet that holds control information for error checking.
532.There are two basic approaches to packet switching-Virtual circuit and Datagram.
534.The most common forms of virtual circuit networks are X.25 and frame relay, which are
commonly used for public data networks(PDN).
535.Datagram-In this approach, each packet is treated as an independent entity and its header contains
full information about the destination of the packet. The intermediate nodes examine the header of the
packet and decide on the node for the packet to be sent so that it reaches its destination.
536.The main implementation of datagram is in the internet, which uses the IP network protocol.
537.Data is transmitted over a channel in three different modes-simplex, half-duplex and full-duplex.
539.Half-duplex: In half-duplex communication, facilities exist to send and receive, but only one
activity, either send or receive is possible at a time. Examples- walkie-talkies, internet surfing etc.
541.There are two methods of communications, viz, asynchronous transmission and synchronous
transmission.
544.Synchronous communication-In SC, the clock of the receiver is synchronized with the clock of the
transmitter. On account of this, higher data transmission rates are possible.
548.Mesh topology – Here every node is physically connected to every other node.
549.The primary advantage of Mesh topology is that it is highly fault tolerant; when one node fails,
traffic can easily be diverted to other nodes.
553.In a star topology, there exists a central hub to which each and every node is connected. This
necessitates drawing a separate cable from each and every node to the central hub. All inter-node data
transmission has to pass through the hub.
a)Easy to troubleshoot
b)Cabling types can be mixed
c)Easy to install and wire
d)No disruptions to the network when some nodes are down.
e)No disruptions to the network when connecting or removing devices.
556.Tree Topology :-A tree topology is also called as expandable star topology.
557.Tree topology consists of groups of star-configured machines connected to one another by the use
of devices called hubs.
558.There are two types of hubs viz active hubs and passive hubs.
559.Active hubs need electric power and have the ability to drive other hubs and nodes.
560.However passive hubs can not drive hubs and are used to connect machines.
561.The connection between active hub and active hub and between active hub and passive hub is
permitted.
562.The connection between passive hub and active hub and between passive hub and passive hub is
not permitted.
565.Bus Topology:-In a bus topology, a single cable also called the backbone runs through the entire
network connecting all the workstation, servers, printers and other devices on the network. The cable
runs from device to device by using “tee” connectors that plug into the network adapter cards. A device
wanting to communicate with another device on the network sends a broadcast message onto the wire
that all other devices see, but only the intended recipient actually accepts and processes the message.
569.Ring Topology – In a ring network, every device has exactly two neighbours for communication
purposes. All messages travel through a ring in the same direction (effectively either 'clockwise' or
'anti-clockwise'). A token, or a small data packet, is continuously passed around the network. Whenever
a device needs to transmit, it holds the token. Whoever holds the token has the right to communicate.
570.Token networks have the physical cabling of a star topology and the logical function of a ring
through use of a MAU.
574.Irregular topology-A topology that does not fit in any of the Mesh, Star, Tree, Bus or Ring methods
mentioned above is called an irregular topology.
575.The main considerations to be borne in mind when choosing a topology are – Money, Length of
cable, Future growth, Cable type.
579.Attenuation-As signals travel through the network, they become weak and distorted. This process
is called attenuation.
581.The main function of a repeater is to receive incoming signals (a packet of data), regenerate the
signals to their original strength, and retransmit them.
582.For a repeater to be used, both the network segments must be identical. E.g. Ethernet-to-Ethernet
or Token Ring-to-Token Ring.
583.Bridges-A Bridge is an intra-networking device that is used either to extend or to segment the
networks.
584.Since bridges are concerned with the addresses of individual machines, they operate at the Datalink
layer and Physical layer.
585.Bridges are also used to join dissimilar media such as UTP cabling and fibre optic cabling, and to
join different network architectures such as Token Ring and Ethernet.
587.Bridges are of two major types viz. Local bridges and remote bridges.
588.Primarily, three types of bridging methodologies are employed viz transparent, spanning tree and
source routing.
590.The purpose of router is to connect nodes across an inter-network regardless of the Physical layer
and Datalink layer protocol that is used.
592.Routers are not aware of the type of medium or frame that is being used(Ethernet, Token Ring,
FDDI, X.25 and the like).
594.Brouter-It is a network device that has the capabilities of both a bridge and a router.
595.Usually, a brouter will act as a router for one protocol (eg TCP/IP) and a bridge for all other
protocols (eg IPX/SPX).
IPX-Inter-network Packet Exchange
SPX-Sequenced Packet Exchange
597.A gateway might translate protocols to allow transparent communications between IPX based
systems and systems based on TCP/IP, SNA, or Apple Talk.
600.Every protocol has three important components viz syntax, semantics and timing.
604.For software developers to build software products based on protocols it is essential that standards
be developed. To this end, various regulatory bodies are involved in development of standards. They
are ISO, ITU, ANSI, IEEE, EIA.
605.ISO-International Standards Organisation
610.The ISO developed a seven layer model for computer networks. The model is known as the ISO
OSI reference model.
613.The Application, Presentation and Session layers mainly focus on applications and are more user-
oriented.
614.The Network, Datalink and Physical layer focus more on hardware(network support) and how to
move data from source to destination.
615.The Transport layer acts as a bridge between the lower layers, which are more concerned with
hardware and upper layers, which are more user-oriented.
i)Data format conversion.
ii)Encryption
iii)Data Compression
iv)Validating user log-on ids and passwords
623.IP-Internet Protocol
624.OSI is a seven layered standard, but TCP/IP is a four layered protocol stack.
MODULE-C-COMMUNITY OF BUSINESS
CHAPTER-11-BUSINESS CONTINUITY & DISASTER RECOVERY
PLANNING
628.BCP-Business Continuity Plan is a plan containing set of procedures to ensure the continuity of the
critical banking operations in spite of disruptions caused by natural/man-made disasters/catastrophe.
629.DRP-Disaster Recovery Plan is a plan containing a set of procedures to restore the information
processing facility for applications/data that are critical from the customer's point of view.
630.The difference between BCP and DRP :- BCP refers to set of procedures to provide continuity of
various business activities such as production facilities, critical operations, marketing facilities,
purchase facilities, stores activities and information processing facilities. DRP is only pertaining to
Information Processing Facility(IPF).
631.BCPs generally cover most or all of an organisation's critical business processes and operations.
632.As part of the business continuity process an organisation will normally develop a series of DRPs.
634.Banking applications shall have to be ranked based on the recovery window time available for
recovery(service breach tolerance time) from the customer point of view and degree of automation.
636.Critical Systems : CS are the systems which cannot be substituted by manual systems and whose
tolerance time for disruptions to business operations is near zero. Eg. online transactions, m-
commerce/e-commerce transactions, internet banking & ATM operations, Treasury/Forex operations
etc.
637.Vital Systems : VS are the systems which can be substituted by manual systems only for a brief
period and whose tolerance time is more than that of critical systems and less than that of non-critical systems. Eg.
Opening/closing of SB A/c, Current A/c, Deposit A/c etc., changes to KYC fields etc.
638.Non-critical Systems : NCS are the systems which can be substituted by manual systems for a
very long period and do not impact the operations. Even if these systems are not available for some
reasonable period, it may not have adverse impact/serious consequences. Eg. Disbursement of non-priority
loans, operations in suit-filed accounts, MIS information for business etc.
640.Batch processing-BP systems are the systems wherein transactions are manually recorded over a
period of time and then updated to the computer file in one stroke, batch by batch. Eg. Payroll.
641.Online Processing- OP systems are the systems wherein transactions are effected through the computer
but updates to the various computer files are made at random intervals of time. Eg. ATM transaction
updates from one city to another city, as done at present in the Indian environment.
642.Real time Processing-RP systems are the systems wherein a transaction is initiated through the
computer and the various updates are also carried out instantly. Eg. Payments & receipts and remittances
in the nature of SWIFT, NEFT, RTGS, IMPS etc.
645.Minor threat-Disk crash, network failure, corruption of application software, virus attack on some
data/application files.
647.Catastrophe-Destruction of all IPF facilities due to threat like prolonged fire and high intensive
earthquake etc.
649.Preparatory procedures-indicate preparation activities before the occurrence of the disaster. These
activities help to reduce the impact of the disaster in case it occurs.
650.Emergency response-refers to activities that are carried out during or immediately after disaster.
These activities include evacuation of human beings, shut down of network computers, cut off of
power, removal of files etc.
654.The Emergency plan, Backup plan, Recovery plan and Test plans are all part of the preparatory
procedure phase of the disaster life cycle.
657.In batch processing data files in CD/Floppy/DATs can be sent to off site on daily basis.
658.In online processing data can be sent by on-line file transfer at periodical intervals.
659.In real time processing data are to be transferred online instantly from on site to off site on
transaction-to-transaction basis.
661.The concept of RAID is used to keep a backup of the contents of an entire hard disk on alternative disks.
662.Recovery Plan-This plan deals with choosing the best recovery strategy out of the following
alternatives :-
a)Mirror site(duplicate processing facility)
b)Hot site
c)Warm site
d)Cold site
e)Mobile site
f)Reciprocal agreement
663.Mirror Site- MS is a site wherein a backup of all the processing facilities is maintained. Restoration
is readily possible. This site contains the backup of the following :-
a)Master and transaction files
b)Application program files
c)System software files
d)System/operation manuals
e)Telephone contact list
f)Pre-printed stationery and numbered documents
g)Supplies
h)A copy of BCP
i)All hardware items
j)Networking facilities
a)Some system software files
b)Some hardware items
c)Some networking facilities
d)Building with electrical connections
670.Mobile site is a heavy vehicle installed with minimum computer operation facilities wherein the
following facilities are provided :-
a)Some system software files
b)Some hardware items
c)Some networking facilities
671.Restoration time in the case of mobile site is less than warm site.
672.Reciprocal Agreement : RA is an arrangement wherein two different companies in the same
industry mutually agree to provide their respective information processing facilities to the other
company when it is affected by a disaster.
675.Contracts with various service providers :-The following points have to be considered in executing
the agreement with service provider providing facilities of hot site/cold site/warm site:-
a)Number of subscribers
b)Priority amongst subscribers
c)Usage period limitation
d)Insurance of resources of the organisation when using the recovery site.
e)Permission for conducting simulation test.
This plan involves the following teams :-
a)Off site team
b)Transportation team
c)Hardware engineers team
d)System programmers team
e)Application programmers team
f)Data team
g)Emergency operation team
h)Security team
i)Network recovery team
j)Administrative support team
677.Relocation-After the interim processing period the information processing facilities will have to be
finally shifted back to the original location where the disaster occurred, or to a location near it. The
following teams handle these jobs :-
a)Salvage team
b)Relocation team
678.Salvage team- is responsible to handle the insurance matters and also to decide the place of
relocation.
679.Relocation team-is responsible to shift the processing facilities from interim recovery sites to final
place of relocation.
683.Types of testing are as under :-
a)Paper testing
b)Action test(dynamic test)
685.Checklist test- is a paper test carried out by team leaders and team members to find out the
completeness of action items to be carried out by each team member. Here detailed procedures are not
considered for review.
686.Structured walkthrough- is a paper test carried out by team leaders and team members to find out
the completeness of the detailed procedures of action items to be carried out by each team member. Here
the various stages of every item of the checklist are considered for testing.
687.Action test-includes preparedness test(phased simulation test), parallel test and full interruption
test.
688.Under the preparedness test, a disaster scenario is simulated in a phased manner. For instance, a total
disk crash scenario can be simulated and the actions of the relevant teams can be observed and tested. A
second example is a connectivity failure scenario, which can be simulated and the actions of the relevant
team observed.
689.Parallel test – is a test carried out at the recovery site without disturbing the data processing systems
on site, i.e. testing at the recovery site is carried out without simulating any type of disaster scenario on
site.
690.Full interruption test-is carried out to find out the operational capability of recovery procedures by
simulating a total disaster scenario. The organisation should take adequate care to prevent the simulation
from turning into a real disaster.
692.The backups should be consistent and current. Various types of backups include :-
i)On-line backups at alternative recovery site branches/locations say hot sites.
ii)Daily day end backups on tapes/floppies/DATs/CDs say cold backups.
iii)Incremental backups, say warm backups.
iv)Weekly backups, monthly backups, year end backups and milestone backups.
v)Purge backups, trouble shooting backups.
693.DRP for every category of branch has to be maintained i.e. separate DRP should be in place in
respect of each and every category of following branches :-
a)Centrally computerised fully networked banks
b)Fully networked banks with distributed computing
c)Banks offering Internet Banking, POS connectivity etc.
d)ATMs including SWADHAN
e)Local area networked and wide area networked administrative offices.
f)Fully computerised branches.
g)Partially computerised branches.
h)ALPM branches
i)PC based branches
j)Banks at different stages of SDLC
k)Corporate e-mail systems.
694.DRP :-
i)Regional Office – nearby Regional Offices.
ii)Zonal Office – nearby Zonal Offices.
iii)Head Office-nearby Zonal Offices or separate locations.
695.Where the place has only one branch of the bank, offsite backups are to be stored in the nearest
bank by hiring a locker.
697.BCP is the process whereby financial institutions ensure the maintenance or recovery of
operations, including services to customers, when confronted with adverse events such as natural
disasters, technological failures, human error, or terrorism.
699.The following points guide a process-oriented approach to business continuity planning:-
i)Business Impact Analysis(BIA)
ii)Risk assessment
iii)Risk management
iv)Risk monitoring
700.Disaster Planning- basically is a planning and implementation process which ensures that business
and data will survive an unforeseen calamity, and that systems and business can work efficiently
even when incidents beyond normal control adversely affect the business.
702.Cold Site Replication-This is basically an entry level solution where the recovery time may be as
much as 10 days, but for a medium sized bank it is typically between 5-7 days.
704.Warm Site Replication-This is a good initial level solution for a medium sized branch where the
recovery time is generally between one hour and 8 hours, extending sometimes to 24 hours.
706.Hot Site Replication is a high end solution for business which can not even stop for seconds.
Recovery times can be as low as a minute extending to 10 minutes.
709.For our Software Development Cycle version management we use Microsoft Visual Source Safe
among other freeware utilities.
710.Technical staff-Programmers, administrators and operators
716.Senior management and the board of directors are responsible for identifying, assessing,
prioritizing, managing and controlling risks.
717.A financial institution's board of directors and senior management are responsible for :-
a)i)Allocating sufficient resources and knowledgeable personnel to develop the BCP.
ii)Setting policy by determining how the institution will manage and control identified risks.
iii)Reviewing BCP test results.
iv)Approving the BCP on an annual basis.
v)Ensuring the BCP is kept up-to-date and employees are trained and aware of their role in its
implementation.
b)Facilities
c)Logistics
d)Testing
e)Assessments
718.Taking a comprehensive view, we recognize that people, process and technology play prominent
roles in all business continuity programs. In this regard, we assess and define acceptable levels of risk
covering policies, technology architectures, facilities, access controls, processes, organization and
personnel.
710.Building Business Continuity Programmes:-Typical deliverables may include :-
i)Business continuity and disaster recovery policies.
ii)High-availability architectures covering applications architectures, database architectures, network
architectures, server configurations, storage architectures, management systems architectures.
iii)Facility plans covering N+X designs
iv)Business continuity processes covering change management, production acceptance, intrusion
detection, intrusion response, user access management, backup and recovery, and disaster recovery and
v)Organization structures, functional descriptions and training plans.
712.Firms that play significant roles in critical financial markets are those that participate in sufficient
volume or value such that their failure to perform critical activities by the end of the business day could
present systemic risk.
713.A financial institution's business continuity planning process should reflect the following
objectives:-
i)Business continuity planning is about maintaining, resuming, and recovering the business, not just the
recovery of the technology.
ii)The planning process should be conducted on an enterprise-wide basis.
iii)A thorough business impact analysis and risk assessment is the foundation of an effective BCP.
iv)The effectiveness of a BCP can only be validated through testing or practical application.
v)The BCP and test results should be subjected to an independent audit and reviewed by the board of
directors.
vi)A BCP should be periodically updated to reflect and respond to changes in the financial institution or
its service providers.
717.A BIA is the identification of business impacts over the period of disruption(measured from the time of disruption).
718.A BIA is the first step in developing a BCP. It should include :-
i)Identification of the potential impact of uncontrolled, non-specific events on the institution's business
processes and its customers;
ii)Consideration of all departments and business functions, not just data processing; and
iii)Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial
losses.
719.Gap Analysis:-A GA is a methodical comparison of what types of plans the institution(or business
line) needs to maintain, resume, or recover normal business operations in the event of a disruption,
versus what the existing BCP provides. The difference between the two highlights additional risk
exposure that management and the board need to address in BCP development.
721.The risk assessment is the second step in developing a BCP. It should include:-
i)A prioritization of potential business disruptions based upon severity and likelihood of occurrence.
ii)A gap analysis comparing the institution's existing BCP, if any, to what is necessary to achieve
recovery time and point objectives and
iii)An analysis of threats based upon the impact on the institution, its customers, and the financial
markets, not just the nature of the threat.
722.In addition to documenting BCPs, other policies, standards and practices should address continuity
and availability considerations. These include Systems Development Life Cycle(“SDLC”), change
control, and data synchronization.
723.As part of the SDLC process, management should incorporate business continuity considerations
into project plans.
724.During the development and acquisition of new systems, SDLC standards and project plans should
address, at a minimum, issues such as :
i)Business unit requirements for resumption and recovery alternatives.
ii)Information on back up and storage
iii)Hardware and software requirements at recovery locations
iv)BCP and documentation maintenance
v)Disaster recovery testing and
vi)Staffing and facilities
725.Insurance is by no means a substitute for an effective BCP, since its primary objective is not the
recovery of the business; e.g., insurance cannot reimburse an institution for damage to its reputation.
726.Especially since September 11th, the need for a comprehensive disaster recovery plan has become a
priority for many organizations.
727.Management should ensure recovery testing is conducted at least annually, or more frequently,
depending on the operating environment and criticality of the applications and business functions.
728.The validation requires the participation of appropriate business, operations, and technology staff.
Plan assumptions requiring validation include :-
i)Criticality of services
ii)Volume of transactions
iii)Inter-relationships among business functions.
iv)Selecting the business continuity planning strategy related to the use of facilities and other outages, and
v)Availability and adequacy of resources required to provide the planned service level, such as the time
required to establish facilities, obtain backup files, or reconstruct documents.
730.Full Scale Testing-Full-scale testing is the most comprehensive type of test. In a full-scale test, the
institution implements all or portions of its BCP by processing data and transactions using backup
media at the recovery site. It involves :-
i)Validation of crisis response functions
ii)Demonstration of knowledge and skills, as well as management response and decision-making
capability.
iii)On-the-scene execution of coordination and decision-making roles.
iv)Actual, as opposed to simulated, notifications, mobilization of resources, and communication of
decisions.
v)Activities conducted at actual response locations or facilities.
vi)Enterprise-wide participation and interaction of internal and external management response teams
with full involvement of external organizations.
vii)Actual processing of data utilizing backup media and
viii)Exercises generally extending over a longer period of time to allow issues to fully evolve as they
would in a crisis, and allow realistic role-play of all the involved groups.
732.A BCP changes in concert with changes in the business activities it supports. Senior management, the
planning team or coordinator, team members, internal audit, and the board of directors should review
the plan at least annually.
738.When testing with the critical service providers, determine whether management considered
testing :-
i)From the institution's primary location to the TSPs' alternative location.
ii)From the institution's alternative location to the TSPs' primary location and
iii)From the institution's alternative location to the TSPs' alternative location.
739.Determine if institution management has assessed the adequacy of the TSP's business continuity
program through their vendor management program e.g. contract requirements, SAS 70 reviews.
740.Crisis Management is a systematic response to unexpected events that threaten the people, property
and operating continuity of the organization. It is a formal response to any event that threatens the
financial and operational stability of an organization.
741.Backup Generation-A methodology for creating and storing backup files whereby the youngest(or
most recent file) is referred to as the “son”, the prior file is called the “father” and the file two
generations older is the “grandfather”. This backup methodology is frequently used to refer to master
files for financial applications.
742.BCP-A comprehensive written plan to maintain or resume business in the event of a disruption.
744.Critical financial markets:-Financial markets whose operations are critical to the U.S. economy,
including markets for fed funds, foreign exchange, commercial paper, and Government, corporate and
mortgage-backed securities.
745.Data synchronization:-The comparison and reconciliation of interdependent data files at the same
time so that they contain the same information.
746.Disaster recovery plan:-A plan that describes the process to recover from major processing
interruptions.
747.Emergency plan:-The steps to be followed during and immediately after an emergency such as a
fire, tornado, bomb threat etc.
750.Gap analysis-A comparison that identifies the difference between actual and desired outcomes.
751.GETS-Government Emergency Telecommunications Service card program. GETS cards provide emergency access
and priority processing for voice communications services in emergency situations.
753.Media-Physical objects that store data, such as paper, hard disk drives, tapes, and compact
disks(CDs).
754.Mirroring-A process that duplicates data to another location over a computer network in real time
or close to real time.
755.Object program-A program that has been translated into machine-language and is ready to be
run(i.e. executed) by the computer.
757.Reciprocal agreement-An agreement whereby two organizations with similar computer systems
agree to provide computer processing time for the other in the event one of the systems is rendered
inoperable. Processing time may be provided on a “best effort” or “as time available” basis.
758.Recovery point objectives :-The amount of data that can be lost without severely impacting the
recovery of operations.
759.Recovery site-An alternate location for processing information(and possibly conducting business)
in an emergency. Usually distinguished as “hot” sites that are fully configured centres with compatible
computer equipment and “cold” sites that are operational computer centres without the computer
equipment.
751.Recovery vendors-Organizations that provide recovery sites and support services for a fee.
753.Server-A computer or other device that manages a network service. Eg. print server, a device that
manages network printing.
756.SDLC-A written strategy or plan for the development and modification of computer systems,
including initial approvals, development documentation, testing plans and results, and approval and
documentation of subsequent modifications.
757.T-1 line-A special type of telephone line for digital communication only.
758.UPS-Uninterruptible power supply. A collection of batteries that provide electrical power for a
limited period of time.
759.Utility programs-A program used to configure or maintain systems, or to make changes to stored or
transmitted data.
760.Vaulting-It is a process that periodically writes backup information over a computer network
directly to the recovery site.
761.Given Government regulations to control ozone depletion, halon fire suppression systems are being
replaced with alternative fire suppressant systems.
762. Alternative fire suppressant systems utilize clean agents and include Inergen, FM-200, FE-13, and
carbon dioxide. Dry-pipe sprinkler systems should be used; these activate upon detection of a fire and
fill the pipes with water only when required, thereby minimizing the risk of water damage from burst
pipes.
763.When a third party performs services on behalf of the institution, increased levels of credit,
liquidity, transaction, and reputation risk can result.
764.When contracting with third-party providers for recovery services, institutions should consider :-
i)Staffing
ii)Processing Time Availability
iii)Access Rights
iv)Hardware and Software
v)Security Controls
vi)Testing
vii)Confidentiality of Data
viii)Telecommunications
ix)Reciprocal Agreements
x)Space
xi)Paper Files and Forms
xii)Printing Capacity/Capability
xiii)Contacts
767.Large institutions that operate critical real-time processing operations or critical high-volume
processing activities should consider mirroring or vaulting.
768.Smaller, less complex institutions may contract for a “mobile hot site” i.e. a trailer outfitted with
the necessary computer hardware that is towed to a predetermined location in the event of a disruption
and connected to a power source.
769.Duplicate Facilities/Split Operations(“active/active” model)-under this scenario, two or more
separate, active sites provide inherent backup to one another.
770.Cold Site-Cold sites are locations that are part of a longer-term recovery strategy. A cold site
provides a backup location without equipment, but with power, air conditioning, heat, electrical,
network and telephone wiring, and raised flooring.
771.Tertiary Location-Some financial institutions have identified the need to have a third location or a
“backup to the backup”.
773.The frequency of file back-up also depends on the criticality of the application and data.
774.Critical data should be backed up using the multiple generation i.e. 'grandfather-father-son' etc.
method and rotated to an off-site location at least daily.
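The grandfather-father-son rotation described in point 741 and point 774 above, as an added worked example that is not part of these notes: given the dates of the daily backup sets, it decides which sets a GFS policy retains (son: the last daily sets; father: the last set of each recent week; grandfather: the last set of each recent month) and which may be expired and their media re-used. The retention counts of 7 daily, 4 weekly and 12 monthly sets and the sample run of daily backups are assumptions for the illustration.

```python
from datetime import date, timedelta


def _latest_per_bucket(dates, key):
    """Map each bucket (ISO week or calendar month) to the newest backup date in it."""
    latest = {}
    for d in sorted(dates):          # ascending, so the last date in a bucket wins
        latest[key(d)] = d
    return latest


def gfs_retain(backup_dates, today, n_daily=7, n_weekly=4, n_monthly=12):
    """Return {backup_date: {tiers}} for every backup set the GFS policy keeps.

    son         : every daily backup from the last n_daily days
    father      : the last backup of each of the last n_weekly ISO weeks
    grandfather : the last backup of each of the last n_monthly calendar months
    A date can satisfy several tiers at once (e.g. a month-end Sunday).
    The default counts are hypothetical; retention periods are a policy decision.
    """
    dates = sorted(d for d in backup_dates if d <= today)
    keep = {}

    def tag(d, tier):
        keep.setdefault(d, set()).add(tier)

    for d in dates:
        if d > today - timedelta(days=n_daily):
            tag(d, "son")

    weeks = _latest_per_bucket(dates, lambda d: d.isocalendar()[:2])
    for wk in sorted(weeks)[-n_weekly:]:
        tag(weeks[wk], "father")

    months = _latest_per_bucket(dates, lambda d: (d.year, d.month))
    for mo in sorted(months)[-n_monthly:]:
        tag(months[mo], "grandfather")

    return keep


def gfs_expire(backup_dates, today, **policy):
    """Backup sets the policy no longer needs; their media may be rotated back in."""
    keep = gfs_retain(backup_dates, today, **policy)
    return sorted(d for d in backup_dates if d <= today and d not in keep)


# Constructed input: one backup set per day from 1 Jan 2019 to 21 Jul 2019.
SAMPLE_SETS = [date(2019, 1, 1) + timedelta(days=i) for i in range(202)]
SAMPLE_TODAY = date(2019, 7, 21)

if __name__ == "__main__":
    for d, tiers in sorted(gfs_retain(SAMPLE_SETS, SAMPLE_TODAY).items()):
        print(d, ", ".join(sorted(tiers)))
    print(len(gfs_expire(SAMPLE_SETS, SAMPLE_TODAY)), "sets can be expired")
```

With the sample run, 15 of the 202 sets are retained: the seven most recent dailies, the week-end sets of the last four weeks and the month-end sets of each month; 21 July counts as son, father and grandfather at once, which is why the oldest generation is still intact when a daily set turns out to be bad.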
775.Online/real-time or high-volume systems may necessitate more aggressive backup methods such as
mirroring or electronic vaulting at a separate processing facility to ensure appropriate backup of
operations, as an alternative to backup tape storage.
776.Remote journaling is the process of recording transaction logs or journals at a remote location.
These logs and journals are used to recover transaction and database changes since the most recent
back up.
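An added example (not from these notes) of recovery by remote journaling, as in point 776: a tiny account ledger is protected by a periodic full snapshot plus a remote journal that receives every committed transaction, and recovery replays the journal entries whose sequence number is later than the snapshot's. The data-loss window it reports is the recovery point actually achieved, compared against the recovery point objective defined earlier in this chapter. The HMAC on each journal entry is an addition to show why a journal replayed after a disaster must be checked for gaps and tampering rather than trusted; the HMAC key, account numbers, amounts and timestamps are constructed for the illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed key for the example; a real journal-signing key would live in an
# HSM or secrets manager, never in source.
JOURNAL_KEY = b"example-journal-mac-key"


def _mac(entry):
    """HMAC-SHA256 over every field except the MAC itself, in canonical JSON."""
    body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                      sort_keys=True).encode()
    return hmac.new(JOURNAL_KEY, body, hashlib.sha256).hexdigest()


class Ledger:
    """Account balances plus the log sequence number (LSN) last applied."""

    def __init__(self, balances=None, lsn=0):
        self.balances = dict(balances or {})
        self.lsn = lsn

    def _apply(self, account, delta):
        self.balances[account] = self.balances.get(account, 0) + delta

    def post(self, journal, account, delta, ts):
        """Commit a transaction: ship it to the remote journal, then apply it."""
        entry = {"lsn": self.lsn + 1, "ts": ts.isoformat(),
                 "account": account, "delta": delta}
        entry["mac"] = _mac(entry)
        journal.append(entry)       # remote write-ahead: journaled before applied
        self._apply(account, delta)
        self.lsn = entry["lsn"]
        return entry

    def snapshot(self, ts):
        """Full backup of the current state, tagged with its LSN and time."""
        return {"lsn": self.lsn, "ts": ts.isoformat(),
                "balances": dict(self.balances)}


def recover(snapshot, journal, disaster_ts, rpo_minutes):
    """Rebuild a ledger from the last snapshot plus the journal entries after it.

    Returns (ledger, data_loss_minutes, rpo_met). Raises ValueError on a gap in
    the LSN sequence or a failed integrity check: a silent partial replay would
    leave balances wrong without anyone knowing.
    """
    ledger = Ledger(snapshot["balances"], snapshot["lsn"])
    last_ts = datetime.fromisoformat(snapshot["ts"])
    for entry in sorted(journal, key=lambda e: e["lsn"]):
        if entry["lsn"] <= ledger.lsn:
            continue                # already contained in the snapshot
        if entry["lsn"] != ledger.lsn + 1:
            raise ValueError(f"journal gap: expected lsn {ledger.lsn + 1}, "
                             f"got {entry['lsn']}")
        if not hmac.compare_digest(entry["mac"], _mac(entry)):
            raise ValueError(f"journal entry {entry['lsn']} failed integrity check")
        ledger._apply(entry["account"], entry["delta"])
        ledger.lsn = entry["lsn"]
        last_ts = datetime.fromisoformat(entry["ts"])
    data_loss = (disaster_ts - last_ts).total_seconds() / 60
    return ledger, data_loss, data_loss <= rpo_minutes


def demo():
    """Constructed scenario: snapshot after two postings, three more journaled."""
    t0 = datetime(2019, 7, 21, 9, 0)
    journal, live = [], Ledger()
    live.post(journal, "A001", 1000, t0)
    live.post(journal, "A002", 500, t0 + timedelta(minutes=1))
    snap = live.snapshot(t0 + timedelta(minutes=1))
    live.post(journal, "A001", -200, t0 + timedelta(minutes=2))
    live.post(journal, "A002", 200, t0 + timedelta(minutes=3))
    live.post(journal, "A003", 50, t0 + timedelta(minutes=4))
    disaster = t0 + timedelta(minutes=10)    # primary site lost at 09:10
    return live, snap, journal, disaster


if __name__ == "__main__":
    live, snap, journal, disaster = demo()
    rebuilt, loss, ok = recover(snap, journal, disaster, rpo_minutes=5)
    print(rebuilt.balances == live.balances, loss, ok)
```

In the scenario the rebuilt balances match the live ledger, but the last journaled transaction is six minutes before the disaster, so a five-minute RPO is missed even though no data was lost; if the journal's tail never reached the remote site the window grows to eight minutes, and a tampered or missing entry aborts the recovery instead of producing a plausible-looking wrong ledger.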
777.Software back up for all hardware platforms consists of three basic areas :-operating system
software, application software, and utility software.
778.The operating system software should be backed up with at least two copies of the current version.
779.When determining an alternate processing site, management should consider scalability, in the
event a long-term disaster becomes a reality.
780.Risk monitoring ensures a BCP is viable through testing, independent review, and periodic
updating.
781.Management should ensure recovery testing is conducted at least annually, or more frequently,
depending on the operating environment and criticality of the applications and business functions.
782.The Business Impact Analysis(BIA) determines the recovery point objectives and recovery time
objectives, which then help determine the appropriate recovery strategy.
784.A tabletop/mini-drill is somewhat more involved than an orientation/walk through because the
participants choose a specific event scenario and apply the BCP to it.
785.Functional Testing : FT is the first type that involves the actual mobilization of personnel at other
sites in an attempt to establish communications and coordination as set forth in the BCP.
786.Full Scale Testing : FST is the most comprehensive type of test. In a full-scale test, the institution
implements all or portions of its BCP by processing data and transactions using backup media at the
recovery site.
787.The participation of maximum number of personnel in a BCP test increases awareness, buy-in, and
ownership in achieving successful BCP implementation.
788.A BCP is a “living” document, changing in concert with changes in the business activities it
supports.
MODULE-D-OVERVIEW OF LEGAL FRAMEWORK
CHAPTER-12-ONLINE TRANSACTIONS-CONCEPTS, EMERGING TRENDS
AND LEGAL IMPLICATIONS
789.Traditional Money or Central Bank Money : Money or currencies of sovereign countries, issued by
the banks of issue in their respective countries, have been widely accepted as a medium of exchange/
settlement, a store of value and a unit of account.
790.Electronic Money or E-Money : An electronic store of monetary value on a technical device used
for making payments to undertakings other than the issuer without necessarily involving bank accounts
in the transaction, but acting as a prepaid bearer instrument.
791.RBI has to be geared up to meet the challenges posed by E-Money to the economy. These effects
include :-
i)Effect on exchange rate
ii)Effect on money supply
iii)Financial stability
792.Characteristics of E-Money :-
i)Value
ii)Exchange
iii)Storage
iv)Robustness
793.In 1995, the RBI had set up the Committee for Proposing Legislation on Electronic Funds Transfer
and other Electronic Payments under the Chair of Smt. K. S. Shere.
794.The Shere Committee had recommended a set of EFT Regulations by the Reserve Bank under the
RBI Act, 1934.
795.The Shere Committee recommended amendment of the Bankers' Books Evidence Act, 1881 as a short-term measure.
796.The Shere Committee had recommended the enactment of a few new Acts, such as an Electronic Funds
Transfer Act and a Computer Misuse and Data Protection Act, as long-term measures.
797.As per Shere Committee recommendations, the following legal corrective actions are taken :-
i)Enactment of the Information Technology Act, 2000 along with the consequential amendments to the
Bankers Book Evidence Act and the Reserve Bank of India Act.
ii)Amendment to the Negotiable Instruments Act.
797.Amendments in Bankers Book Evidence Act, the Reserve Bank of India Act and the Negotiable
Instruments Act brought legal standing to the following issues affecting funds transfer and payments in
electronic means :-
i)Encryption of messages transmitted over PSTN lines.
ii)Admission of electronic files as evidence and preservation of records.
iii)Cheque Truncation
iv)Need for Regulation/Legislation on Netting.
798.Liabilities accepted under multi-purpose pre-paid cards are in the nature of demand liabilities and
hence, banks may be preferred as issuers of e-money.
802.PSBs, under the aegis of the IBA, have established a Shared Payment Network System(SPNS) of ATMs,
termed SWADHAN, in Mumbai.
803.Smart Cards or Stored Value Cards represent a relatively new payment technology. These are
prepaid cards and represent the new electronic Money(E-Money) or Purse.
804.Smart Card : A smart card is a credit card sized plastic card which has an integrated circuit with a
micro-processor chip embedded in it. This technology enables storage of electronic information on a
card that can be used to make purchases.
805.Contact Smart Card : A contact smart card requires insertion into a smart card reader or a terminal
called a Card Acceptance Device. These cards have a contact plate(typically gold plated) on the face,
which makes the electrical connection with the reader.
806.Contactless card : A contactless card has an antenna coil and chip embedded within the card and
hence requires only close proximity to a reader equipped with an antenna, not physical contact.
807.Smart card based payment systems developed for the banks by IDRBT in association with the
Reserve Bank, IIT, banks and a few vendors have established inter-operability between different
technologies and standard of cards, card readers and clearing and settlement system.
808.Technical standards for cards and card readers have been formulated by IDRBT incorporating best
international practices.
810.INFINET : The Indian Financial Network. The INFINET is the communication backbone for the
Indian Banking and Financial Sector.
811.The INFINET is a Closed User Group(CUG) Network for the exclusive use of Member Banks and
Financial Institutions.
812.The INFINET uses a blend of communication technologies such as VSATs and Terrestrial Leased
Lines.
813.The INFINET consists of over 2000 VSATs located in 300 cities of the country and utilizes one
full transponder of 36 MHz on INSAT 3B.
815.The following systems which will be based on the INFINET would enable banks to optimize their
deployment of funds as well as effect electronic payments and settlements :
a)Real Time Gross Settlement System(RTGS)
b)Negotiated Dealing System(NDS) and Securities Services System(SSS) (for the settlement of Govt
Securities in a Delivery versus Payment mode)
c)Centralized Funds Management System(CFMS)
d)The Structured Financial Messaging Solution(SFMS)
816.Gross settlement reduces the risk significantly, as transactions are settled one by one on a bilateral
basis in a real time mode.
817.PVP : Payment Versus Payment
820.The INFINET is a wide-area, satellite-based Closed User Group network providing the communication
backbone to the proposed Integrated National Payments System.
821.Gross settlement in a real time mode eliminates credit and liquidity risks.
822.Various levels of security – access security, 128-bit cryptography, firewalls, certification etc.
824.The RTGSS provides for continuous(i.e in real time) processing and settlement of funds transfers.
The entire system is based on the concept of the 'Y' topology, which ensures that payment messages
emanate from a sending bank and are received by the RBI through an intermediate processor-the Inter-
Bank Funds Transfer Processor(IFTP)-with the beneficiary bank receiving the intimation of credit from
the settlement account processor combined with the IFTP.
825.First in First Out(FIFO) would be the base for the queuing mechanism for the Indian RTGS
system.
829.SFMS allows integration of the bank's corporate intranet into its own interfaces.
831.The SITPRO of the UK has formulated a series of questions to be addressed before rules on the
subject of paperless credit can be formulated. These include :-
i)The functions of documentary credit.
ii)Data requirements necessary for a successful documentary credit transaction.
iii)Information flow requirements to assess responsibilities of all contracting parties.
iv)The extent to which electronic messages can replace paper documents.
v)Security measures required to ensure the authenticity and uniqueness of messages which would
trigger payment.
832.The SITPRO model maps the process of paperless credit into various stages in the creation of a
documentary credit line. These stages are :-
i)Issuance of credit
ii)Amendment of credit
iii)Submission of documents, and
iv)Payment
833.The SITPRO model uses the standard UN/EDIFACT messages governing EDI.
834.UN/EDIFACT : United Nations Electronic Data Interchange for Administration, Commerce and
Transport.
MODULE-E-SECURITY & CONTROL STANDARDS IN BANKING
CHAPTER-13-SECURITY
835.Somewhere during the early 1970s, as part of defence strategies to protect vast information
resources from damage due to war, the ARPA project was launched, and this led accidentally to the birth
of the Internet.
837.Vulnerabilities may exist in any component of technology, such as hardware, operating systems,
applications, communications and networking.
839.IS Risk Management is a continuous process involving a structured approach to mitigating risks
arising from the use of information technology, comprising a Risk Assessment Process followed by a
Controls Assessment and the initiation of corrective steps to mitigate the risks.
841.The security of information can be understood from three broad perspectives, viz. Confidentiality,
Integrity and Availability.
842.Confidentiality : Information should be disclosed only to authorized persons and for authorized
purposes. Any unauthorized disclosure can be detrimental to the interests of the enterprise.
843.Integrity : The accuracy and completeness of information is usually assumed or taken for granted.
Any violation of integrity of information value can be detrimental to the decision making and reliance
on the information.
844.Availability : Information should be available when required for purposes of business. With
Information Technology, the vulnerability of availability of information systems that deliver
information is very high due to technical and other reasons.
845.Besides confidentiality, integrity and availability, COBIT recognizes certain other factors like
effectiveness, efficiency, compliance and reliability of information.
849.While responsibility is generally used to indicate a relationship between the expected results and
persons, accountability refers to the ability to bind people for their actions.
851.Computer Security should be appropriate and proportionate to the business of the organisation, the
degree of dependence on such systems and the cost of not having security.
852.Computer security responsibilities should be integrated into the internal control framework of the
organization.
853.The internal control model recommended by the Committee of Sponsoring organizations of the
Treadway Commission provides guidance on the key components of internal control and how they
contribute towards effective control in an organization.
856.There should also be a mechanism to record at least all failed login attempts, as a good detective
control.
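An added example (not from these notes) of the detective control in point 856: a small detector that parses authentication log lines, keeps every failed login per source address and raises alerts for a burst of failures from one source, for an accepted login that follows such a burst, and for one source cycling through several user names (password spraying). The log format, the sample lines, the addresses and the thresholds are constructed for the illustration and are not taken from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format; not from any real system.
SAMPLE_LOG = """\
2019-07-21T09:00:01 auth: Failed login for user alice from 10.0.0.5
2019-07-21T09:00:03 auth: Failed login for user alice from 10.0.0.5
2019-07-21T09:00:04 auth: Failed login for user alice from 10.0.0.5
2019-07-21T09:00:06 auth: Failed login for user alice from 10.0.0.5
2019-07-21T09:00:08 auth: Failed login for user alice from 10.0.0.5
2019-07-21T09:00:09 auth: Accepted login for user alice from 10.0.0.5
2019-07-21T09:05:00 auth: Failed login for user bob from 10.0.0.9
2019-07-21T09:30:00 auth: Failed login for user bob from 10.0.0.9
2019-07-21T09:30:10 auth: Failed login for user admin from 192.168.1.7
2019-07-21T09:30:11 auth: Failed login for user root from 192.168.1.7
2019-07-21T09:30:12 auth: Failed login for user teller1 from 192.168.1.7
2019-07-21T09:30:13 auth: Failed login for user teller2 from 192.168.1.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) login for user "
    r"(?P<user>\S+) from (?P<ip>\S+)$")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue   # in practice, count unparsed lines as a logging-health metric
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "failed": m["result"] == "Failed",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, window_s=60, fail_threshold=5, spray_users=3):
    """Sliding-window rules over failed logins, keyed by source address.

    brute_force         : fail_threshold failures from one source within window_s
    success_after_burst : an accepted login from a source that just produced
                          such a burst (a guessed password, not a blocked one)
    password_spray      : one source trying spray_users distinct user names
    The thresholds are assumptions for the illustration.
    """
    alerts = []
    failures = defaultdict(list)        # ip -> failed events seen so far
    window = timedelta(seconds=window_s)
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = [f for f in failures[e["ip"]] if e["ts"] - f["ts"] <= window]
        if not e["failed"]:
            if len(recent) >= fail_threshold:
                alerts.append(("success_after_burst", e["ip"], e["user"], len(recent)))
            continue
        failures[e["ip"]].append(e)
        recent.append(e)
        if len(recent) == fail_threshold:   # fire once, when the count is reached
            alerts.append(("brute_force", e["ip"], e["user"], len(recent)))
        users = {f["user"] for f in recent}
        if len(users) == spray_users:
            alerts.append(("password_spray", e["ip"], sorted(users), len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample lines the two isolated failures for bob raise nothing, the five failures for alice raise a brute-force alert and the accepted login that follows raises the alert an analyst most wants to see, and the fourth source is flagged for spraying after only four attempts, which a simple per-account lockout would never catch.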
857.Even when anti-virus software is installed on all terminals of the organization, an improper setting at the
firewall or server with respect to e-mail can still result in a compromise.
859.Effective computer security is the result of appropriate tuning of the various controls, which comprise
management controls, application controls, operational controls and administrative controls.
860.Policy refers to a set of specific security rules for specific category of systems e.g. firewall policy,
e-mail policy etc.
863.Policies, standards, guidelines and procedures provide an overall approach to computer security
from a broader perspective to finer details.
864.A good computer security policy should address the following aspects :-
i)Objective and purpose
ii)Scope of the policy
iii)Accountability
iv)Compliance
865.COBIT is a product of Information Systems Audit and Control Foundation and the IT Governance
Institute.
868.Data : means a representation of facts, concepts or instructions in a formalised manner suitable for
communication, interpretation or processing by human beings or by automatic means.
869.Information : is the meaning assigned to data by means of conventions applied to that data.
871.Availability : means the characteristic of data, information and information systems being
accessible and usable on a timely basis in the required manner.
872.Confidentiality : means the characteristic of data and information being disclosed only to
authorised persons, entities and processes at authorised times and in the authorised manner.
873.Integrity : means the characteristic of data and information being accurate and complete and the
preservation of accuracy and completeness.
The nine principles of the OECD Guidelines for the Security of Information Systems are :-
1.Accountability
2.Awareness
3.Ethics
4.Multidisciplinary
5.Proportionality
6.Integration
7.Timeliness
8.Reassessment
9.Democracy
875.In October 1988, the Committee for information, computer and communications policy(ICCP) of
the OECD approved the preparation by the OECD Secretariat of a study on the subject of security of
information systems.
876.The report on security of information systems entitled Information Network Security was
submitted to the ICCP Committee in October 1989.
877.Based upon the advice of the experts, the ICCP Committee, in March 1990 approved the creation
of a Group of Experts to draft guidelines for the security of information systems.
878.The Group of Experts was chaired by the Hon. Michael Kirby, President of the Court of Appeal,
Supreme Court of New South Wales, Australia.
879.The Secretariat of the Information, Computer Technology and Industry drafted the
recommendation, the guidelines and explanatory memorandum, based upon the deliberations of the
Expert Group at its meetings.
880.OECD membership encompasses North America, the Pacific region and Europe.
881.A computer, a computer program and data constitute basic elements of an information system.
883.The software may be installed in the computer or stored on magnetic, optical or other media.
884.Experience in other sectors involving new technologies with the potential for serious harm reveals
a three-part challenge :-
i)developing and implementing the technology;
ii)providing for avoiding and dealing with failures of the technology; and
iii)gaining public support and approval for use of the technology.
885.The air transport industry has been successful in implementing safety techniques and requirements.
887.Viruses, often introduced into the system via infected software, parasites, trap doors, trojan horses,
worms, and logic bombs are some of the technical means used to disrupt, distort or destroy normal
system functions.
888.Trap door : A trap door (now usually called a backdoor) is a secret entry point into a program that
allows someone who is aware of it to gain access without going through the usual security access
procedures.
889.Trojan horses : One of the most insidious types of Trojan horse is a program that claims to rid your
computer of viruses but instead introduces viruses onto your computer. The term comes from the Greek
story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans,
ostensibly as a peace offering.
890.Worms : A computer worm is a standalone malware computer program that replicates itself in
order to spread to other computers. Often, it uses a computer network to spread itself, relying on
security failures on the target computer to access it.
891.Logic bombs : A logic bomb is a piece of code inserted into an operating system or software
application that implements a malicious function after a certain amount of time, or specific conditions
are met. Logic bombs are often used with viruses, worms, and trojan horses to time them to do
maximum damage before being noticed.
892.Physical threats to information systems fall into two broad categories – extreme environmental
events and adverse physical plant conditions.
893.Extreme environmental events include earthquake, fire, flood, electrical storms and excessive heat
and humidity.
894.Adverse physical plant conditions may arise from breach of physical security measures, power
failures or surges, air conditioning malfunction, water leaks, static electricity and dust.
895.A program containing a virus that is introduced into an information system may affect the
availability, confidentiality and integrity of that system by overloading the system, changing the list of
authorised users of certain parts of the system or altering data or information in the system.
897.Protection of personal data and privacy and of intellectual property may serve to enhance the
security of information systems.
898.The principles of the guidelines (e.g. the Proportionality Principle and the Ethics Principle) and those of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data give guidance in achieving compatible realisation of the goals of security of information systems and protection of personal data and privacy.
899.Intellectual property in information systems is intangible, may cross borders virtually
imperceptibly, and may be vulnerable to theft by the effort of one finger in a matter of seconds without
taking the original and without leaving a trace.
901.Harmonization of technical security standards will help to prevent data and information islands and
other barriers to data and information flows.
902.Lack of an informed and balanced understanding of users' needs may create a significant risk of
“off-target” technology standardization.
903.In countries where the doctrine of ubiquity (a crime is committed where one of its elements takes place) is not acknowledged, difficulties arise as to the application of national computer crime laws.
904.Mutual assistance agreements, extradition laws, recognition and reciprocity provisions, transfer of
proceedings and other international co-operation in matters relating to the security of information
systems may facilitate assistance to other countries in their investigations.
905.Computer records, like any other documents, may present two issues. The first is authentication.
The second issue that common law systems must address with respect to any document is whether it
contains hearsay. This pertains not to the form of the document (whether electronic data or
handwritten) but to its content.
907.A preventive measure is a risk control that avoids or deters the occurrence of an undesirable
event. Passwords, key cards, badges, contingency plans, policies, firewalls and encryption are
examples of preventive measures.
908.A detective measure is a risk control that identifies the occurrence of an undesirable event.
Visitor logs, audit trails, motion sensors, closed-circuit TV and security reviews are examples of
detective controls.
909.A recovery measure is a risk control that restores the integrity, availability and confidentiality of information assets to their expected state. Examples: fault tolerance, backup and disaster recovery plans.
910.In 1990, the USA National Research Council published Computers at Risk (CAR) (1), a landmark book that emphasized the urgent need for the nation to focus attention on information security.
917.The CAR report cites the Building Code and the Underwriter's Laboratory as examples of GASSP
in other fields. It also recommends building on the experience captured by using the TCSEC, the TNI
and the ITSEC documents to create a broader set of criteria that will drive a more flexible process for
evaluating single-vendor and conglomerate systems.
919.Information System : The term “information system” describes the organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual.
920.Information Security Principles : The term “Information Security Principles” includes principles,
standards, conventions and mechanisms. Three categories (pervasive, broad functional, and detailed)
are used to collect, discuss, and organize security principles. The broad functional and detailed security
principles are divided into principles for information security practitioners and information processing
products.
921.System : The term “system” is used as an umbrella term for the hardware, software, physical,
administrative, and organizational issues that need to be considered when addressing the security of an
organization's information resources. It implies that the GASSP address the broadest definition of
information security.
922.AIS : Automated Information System
924.The term system is intended to be equivalent in scope to the terms IT, AIS, ADPE etc.
927.Broad Functional Principles : subordinate to one or more of the Pervasive Principles; they are more numerous and specific, guide the development of the more Detailed Principles, and change only to reflect major developments in technology or other affecting issues.
928.Detailed Principles : subordinate to one or more of the Broad Functional Principles; they are numerous, specific and emergent, and change frequently as technology and other affecting issues evolve.
929.The Pervasive Principles address the following properties of information :- i) Confidentiality, ii) Integrity and iii) Availability
930.The Pervasive Principles provide general guidance to establish and maintain the security of
information. These principles form the basis of Broad Functional Principles and Detailed Principles.
932.The Pervasive Principles are founded on the Guidelines for Security of Information Systems, developed by the Information, Computer and Communications Policy (ICCP) Committee and endorsed and published by the Organization for Economic Co-operation and Development (OECD).
933.Each Pervasive Principle is presented in the following format : i) GASSP Statement, ii) Rationale and iii) Example.
934.Pervasive Principles :-
i)Accountability Principle
ii)Awareness Principle
iii)Ethics Principle
iv)Multi-disciplinary Principle
v)Proportionality Principle
vi)Integration Principle
vii)Timeliness Principle
viii)Assessment Principle
ix)Equity Principle
937.The Broad Functional Principles (BFP) are derived from the Pervasive Principles (PP), which represent the conceptual goals of information security.
940.The concept of “accountability” refers to the accepting of responsibility by all relevant parties or
entities.
944.Unintentional or intentional physical threats : power outage, equipment failure, fire, proximity of
potentially toxic or explosive industrial facilities and transportation infrastructures, local crime, and a
wide array of accidents that could “exploit” unrecognized or inadequately addressed vulnerabilities of
the physical environment.
945.Owner's conservative rule : Owners should assume that others would treat their assets as belonging to the public domain. Therefore, they should explicitly declare (in reasonably visible ways) the
products of their efforts and their property to be either private or public.
946.User's conservative rule : Assume that any tangible or intangible item belongs to somebody else
unless an explicit declaration or convention identifies it as being in the public domain or authorized for
your use.
947.The Detailed Security Principles specifically address methods of achieving compliance with Broad
Functional Principles with respect to existing environments and available technology.
CHAPTER-14-CONTROL
949. CAAT : Computer Assisted Audit Techniques.
950.'Threats' are agents that occur independently of the systems and cause risk.
951.Common threats :-
i)Power loss
ii)Communication loss
iii)Data integrity loss
iv)Accidental errors
v)Computer virus
vi)Unauthorised action by employees.
vii)Attempted unauthorised system access by outsiders.
viii)Natural disasters
ix)Theft or destruction of computing resource.
x)Destruction of data
xi)Abuse of access privilege by authorised user.
xii)Successful unauthorized system access by outsider.
xiii)Non-disaster downtime
xiv)Fire
xv)Earthquakes
951.The only effective way to counter IT-related risks and threats is to have a system of controls.
952.A control is in place to protect equipment from physical or technical unauthorized entry or
compromise.
953.Control : A control is defined as preventive, detective or compensatory depending upon its design
and purpose of implementation.
954.Classification of controls :-
Controls can be classified into :-
a)Preventive controls – instructions placed on a source document to prevent the clerk from filling it up
incorrectly.
b)Detective controls – an input program that identifies incorrect data entered into the system via a
terminal.
c)Corrective controls – a program that uses special codes that enable it to correct data corrupted
because of noise on a communications line.
958.Boundary controls :-
a)Access controls
b)Cryptography
c)PIN, digital signatures, & plastic cards
d)Audit trail controls
e)Existence controls
959.Input controls :-
a)Data input methods
b)Batch controls
c)Validation of data/instructions input
d)Audit trail controls
e)Existence controls
960.Communication controls :-
a)Exposures in communication systems
b)Controls over physical components
c)Communication line error controls
d)Flow controls
e)Topological controls
f)Controls over subversive threats.
g)Internetworking controls
h)Communication architecture controls
i)Audit trail controls
j)Existence controls
961.Processing controls :-
a)Processor controls
b)Real memory controls
c)Virtual memory controls
d)Audit controls
e)Existence controls
962.Database controls :-
a)Access controls
b)Integrity controls
c)Concurrency controls
d)Data-base cryptographic controls
e)File handling controls
f)Audit trail controls
g)Existence controls
963.Output controls :-
a)Inference controls
b)Batch output production and distribution controls
c)Batch report design controls
d)On line output production and distribution controls
e)Audit trails/Activity logs
f)Existence controls
964.The boundary sub-system establishes the interface between the user of a computer system and the computer system itself.
965.Boundary controls are performed in the initial handshaking procedures with the operating system when a terminal is switched on, or when an ATM user inserts a card and keys in a
PIN.
967.Access control : Access control (AC) in simple terms means excluding from the system anyone who is not authorized to use it.
968.A simulated computer is a virtual machine. In such circumstances the IS auditor has two concerns :-
a)Preventing unauthorized access to and use of computer systems.
b)Whether the access controls chosen are adequate to safeguard assets and maintain the integrity of data.
970.An access control mechanism processes users' requests for resources in three steps viz :-
i)Identification
ii)Authentication
iii)Authorisation
972.During the authentication process, users must be sure they are interacting with the authentic access control mechanism because of the threat of masquerading, better known as a Trojan Horse.
973.Public key cryptography is a way of mitigating the problem of the Trojan Horse.
974.The access control mechanism must couple users with the resources they are permitted to use. Resources, over which action privileges are granted, are classified into 4 types :-
i)Hardware (terminals/printers/hard disk)
ii)Software
iii)Commodity (process time, storage space)
iv)Data (files, groups, data items)
977.Discretionary access control policy :- Users are permitted access to the control mechanism and can choose whether to share their files with other users or restrict access to themselves. Two threats arise here – Trojan horses and problems from authorization dynamics.
978.Mandatory access control :- Both users and resources are assigned fixed security attributes. Only the system administrator can change the security attributes.
979.A closed environment means more effective control, so the audit approach can be suitably adjusted.
980.Cryptology is the science of codes and incorporates the study of cryptography and cryptanalysis.
981.Auditor first encounters cryptographic controls in the boundary sub-system. They are then
encountered in communication controls and then in database controls.
982.Cryptographic controls protect the privacy of data and prevent unauthorized modification of data.
987.Longer PINs are more difficult to break but add to the overheads. Hence a compromise is to use a short PIN and restrict the number of log-in attempts, which makes it difficult to break.
989.Local PIN validation : It can be either offline or online. In the online method the terminal transmits the PIN to the host computer of the institution for verification. In the offline method the terminal itself validates the entered PIN. The disadvantage here is that the terminal must have a master key under which PINs are encrypted, which increases the risk of exposure. To minimise this, smart cards are used.
990.Smart cards have an embedded microprocessor which contains encrypted PIN and encryption key.
991.Interchange PIN validation : Here PIN validation is done by an institution other than the PIN issuer, which is a participant in the EFTS.
992.The PIN must be encrypted before transmission. The cipher generated must be unique for each transmission; alternatively, a different cryptographic key can be used for each transmission.
993.PIN processing : The only processing is encryption/decryption of PIN and comparison of entered
PIN with reference PIN.
995.Digital signatures : A digital signature is a string of 0s and 1s used to authenticate the user.
997.Audit Trail Controls :- ATC attempt to ensure that a chronological record of all events that have occurred in a system is maintained.
998.ATC is needed to :-
i)answer queries
ii)fulfil statutory requirements
iii)deter irregularities
iv)detect the consequence of error
v)allow system monitoring and tuning.
999.The audit trail is the primary source for building a profile of past behaviour. Such a profile is required to monitor users and determine whether their current behaviour conforms to past behaviour.
1000.There are two types of audit trails.
1003.In boundary sub-systems, audit trails are analysed either manually or by automated analyses to
detect control weakness.
1004.Accounting audit trail in boundary sub-systems will include the following data :-
i)Identity of the would-be user
ii)Authentication information supplied
iii)Resources requested
iv)Action privileges requested
v)Terminal identifier
vi)Start and finish times
vii)Number of sign-on attempts
viii)Resources provided/denied
ix)Action privileges allowed/denied
1005.Public audit trails are an important control in systems that use digital signatures for authentication purposes. Three events should be recorded in the public audit trail, which is maintained by the key server :-
i)Registration of public key
ii)Registration of signatures
iii)Notification of key compromises.
1006.The accounting audit trail in boundary sub-systems will in most cases serve as an operations audit trail also.
1007.Existence controls – These controls attempt to ensure the ongoing availability of all the system resources. In boundary sub-systems the existence controls are limited to repeating the sign-on process, i.e. the user is asked to try once again.
1008.Input controls : The input sub-system is the next stage in the flow of data after the boundary control sub-system. The components of an input sub-system are responsible for bringing i) data and ii) instructions into an application system.
1009.From an IS Auditor's point of view input controls are critical for 3 reasons :-
i)Largest number of controls exists in the input sub-system and hence more time is spent in assessing
its reliability.
ii)Input sub-system involves substantial routine human intervention and hence is more error prone.
iii)Input sub-system is often the target of frauds.
1010.Data input methods :- Data input can be done through direct entry or through a recording medium. Examples of direct entry devices are the keyboard, touch screen, mouse, video, sound etc.
1011.Data input through a recording medium involves direct reading through devices like OCR, MICR, ATM etc. or through key-boarding from a source document.
1012.Batch controls – a method of control over data capture and data entry activities.
1013.Batching is the process of grouping together transactions that bear the same type of relationships
to each other.
1014.There are two types of batches :- i)Physical batch and ii)Logical batch.
1015.Physical batches are groups of transactions that constitute a physical unit eg source documents
obtained via post are grouped together to form a physical batch.
1016.Logical batches are groups of transactions bound together on logical basis eg where different
clerks use the same terminal for data entry, the input program logically groups transactions entered on
the basis of the clerks' identification number.
1017.To exercise batch control, two documents are required – i)batch cover sheet and ii)batch control
register.
1020.Controls to check the validity of input data are exercised at four levels :-
i)Field checks
ii)Record checks
iii)Batch checks
iv)File checks
1025.Audit Trail – The AT in an input sub-system maintains the chronology of events from the time data is captured and entered into the application system until the time it is deemed valid and passed on to other sub-systems.
1026.The accounting AT in an input sub-system must record the origin, contents and timing of the transactions which result in data input.
1029.There are three types of transmission impairment – Attenuation, Delay distortion and Noise.
1030.Attenuation is the weakening of a signal that occurs as it traverses a medium. In the case of
analog signals, amplifiers are used to boost the amplitude, and for digital signals repeaters are used to boost the signal strength periodically as the signal traverses the medium.
1031.Delay distortion occurs when a signal is transmitted through bounded media such as twisted pair wire, co-axial cable and optical fibre.
1032.Noise consists of random electrical signals that degrade performance in the transmission medium.
1036.Cross talk occurs on account of coupling of signal paths. This happens when bounded media are
placed too close to each other.
1037.Impulse noise arises on account of lightning, faulty switching gear and poor contacts.
1038.The primary components in a communication sub-system are – transmission media, hardware and
software.
1039.Transmission media – twisted pair wire, co-axial cables, optical fibre, microwave etc.
1041.Software- packet switching software, data compression software, polling software etc.
1042.In a subversive attack on the communication sub-system an intruder attempts to violate the
integrity of some component in the sub-system e.g. invasive or inductive taps could be installed on
telephone lines.
1045.Passive attacks can involve reading the message contents and thereby violating privacy of the
data. Alternatively it may involve doing a traffic analysis (examining the length and frequency of
traffic) to gain insight into the types of message being sent.
1046.Active attacks can be categorized into seven types of attacks – insert, delete, modify, alter,
duplicate, deny and establish spurious association.
1047.Among the commonly used communication media, optical fibre is the best medium for transmission.
1048.The advantages of a private line are that it can absorb the overheads better while implementing
the controls over data transmission and secondly it can be better conditioned to limit the effects of
attenuation, distortion and noise.
1051.All calls to the dial-up access system are connected to the port protection device, where they undergo various authentication procedures before the call is connected to the host system (dial-up access system).
1059.Concentrators are devices that use switching technologies.
1061.In circuit switching, temporary connections are established between input/output channels to
transmit messages.
1062.In packet switching, messages are broken into packets which are individually sent along different
paths.
1063.In message switching, messages are sent in totality to a concentration point and stored there until
such time the connection is established to transmit the message in full.
1064.Multiplexor and concentration techniques affect the reliability of the system in the following
ways :-
i)Making more channel capacity available for control purposes.
ii)Providing alternative paths for messages if one path fails.
iii)Making it more difficult for wire tappers to disentangle the myriad of messages passing over
communication lines.
1066.Line errors are detected by loop (echo) check, parity check and cyclic redundancy check.
1067.Loop (echo) check : returning a copy of the message to the sender to determine whether it is the same as the message sent.
1068.Parity check : adding redundant bits to a message that are a function of the other bits in the message.
1069.Cyclic redundancy check : attaching the remainder obtained by treating the message block as a binary number and dividing it by a predetermined (generator) binary number.
1070.Forward error correcting codes : correction is done at the receiving end; this is the more commonly used method, being the less costly one.
1071.Retransmission of data in error : correction is done by the sender retransmitting the data; this is more costly and under certain circumstances impractical.
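As an added illustration (not part of the study guide), the following Python runs the three line-error detection methods of 1066-1069 over a constructed EFT-style message and shows which constructed line faults each one catches. The CRC divisor (the 16-bit generator 0x8005, i.e. x^16 + x^15 + x^2 + 1) is an assumption for the example; any generator agreed between sender and receiver is used the same way.

```python
"""Loop (echo) check, parity check and cyclic redundancy check over a
constructed message. Added example: the CRC generator is an assumption."""

CRC16_GENERATOR = 0x8005   # x^16 + x^15 + x^2 + 1 (the x^16 term is implicit)


def even_parity_bit(byte: int) -> int:
    """Redundant bit that makes the number of 1 bits in the byte even."""
    return bin(byte).count("1") & 1


def parity_ok(byte: int, parity: int) -> bool:
    """Receiver recomputes the parity bit and compares it with the one sent."""
    return even_parity_bit(byte) == parity


def crc16(data: bytes) -> int:
    """Treat the message as one long binary number and divide it modulo 2
    (subtraction is XOR) by the generator; the 16-bit remainder is the CRC
    the sender appends and the receiver recomputes."""
    remainder = 0
    for byte in data:
        remainder ^= byte << 8
        for _ in range(8):
            if remainder & 0x8000:
                remainder = ((remainder << 1) ^ CRC16_GENERATOR) & 0xFFFF
            else:
                remainder = (remainder << 1) & 0xFFFF
    return remainder


def echo_ok(sent: bytes, echoed: bytes) -> bool:
    """Loop (echo) check: the receiver returns its copy; the sender compares."""
    return sent == echoed


def flip_bits(data: bytes, positions) -> bytes:
    """Constructed line fault: invert the given bit positions, counting from
    the most significant bit of the first byte."""
    damaged = bytearray(data)
    for pos in positions:
        damaged[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(damaged)


def detection_results() -> dict:
    """Which check catches which constructed fault on a sample message."""
    message = b"PAY 00012345 100.00"           # constructed message
    parity_bits = [even_parity_bit(b) for b in message]
    crc = crc16(message)

    one_bit = flip_bits(message, [3])                  # single bit in byte 0
    two_bits = flip_bits(message, [3, 5])              # two bits in byte 0
    burst = flip_bits(message, [40, 41, 42, 43, 44])   # 5-bit burst in byte 5

    return {
        "parity_catches_one_bit": not parity_ok(one_bit[0], parity_bits[0]),
        "parity_catches_two_bits": not parity_ok(two_bits[0], parity_bits[0]),
        "crc_catches_one_bit": crc16(one_bit) != crc,
        "crc_catches_two_bits": crc16(two_bits) != crc,
        "crc_catches_burst": crc16(burst) != crc,
        "echo_catches_burst": not echo_ok(message, burst),
    }


if __name__ == "__main__":
    for check, caught in detection_results().items():
        print(check, caught)
```

The two-bit case is the point of the comparison: a single parity bit per byte misses an even number of inverted bits in that byte, whereas the CRC remainder changes for any single error, any two errors, and any burst shorter than the generator, and the echo check catches everything at the price of sending the whole message twice.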
1072.Flow controls : FC is essentially matching the flow of data between two nodes of different capacity, e.g. the flow of data from a mainframe to minicomputers.
1073.Stop & wait method : send data frame by frame and wait for the receiver's readiness response before sending the next data frame. This method is inefficient because the communication channel is unused while data frames are being processed by the receiver.
1074.Sliding window method : enables simultaneous transmission and processing of data; it is called sliding window on account of the shrinking and expanding of the frame windows of receiver and sender while data is being transmitted.
1075.Topological controls – the control on flow of data between several nodes varies according to the
different topologies. They are bus, tree, ring, star and mesh.
1076.Bus topology : As they are fairly robust, encryption controls to protect the privacy of data are enough.
1080.Mesh topology : Used in WANs; therefore third parties are involved and hence the need for encryption controls.
1081.Encryption : link encryption, end to end encryption, stream cipher, error propagation code,
message authentication code, message sequence number and request response mechanism.
1083.End to end encryption : data traverses from sender to receiver independently of the nodes through which it passes, i.e. the data is not decrypted until it reaches the receiver. In other words the intermediate nodes are not in possession of the cryptographic key for decrypting the data.
1084.Stream cipher – clear text is transformed on a bit-by-bit basis under control of a stream of key bits. The key bit stream is generated as a function of an initialization value, an encryption key and the cipher text generated so far.
1085.Block cipher – fixed length blocks of clear text are transformed under a constant fixed length key.
1086.Error propagation code – Such a code is sensitive to the order of bits in a message, so any change in the order of blocks is very likely to be detected.
1087.Message Authentication Code (MAC) : used in EFTS. A MAC is an encrypted checksum appended to the message. It is recalculated by the receiver to check that the message has not been altered.
1088.Message Sequence Number : used to detect attacks on the order of the messages transmitted.
1089.Request Response Mechanism : identifies an attack involving denial of a message, through deletion or delay of the message. Essentially this mechanism involves obtaining acknowledgements from the receiver periodically through a timer system.
1095.Router – performs all the functions of a bridge and in addition connects heterogeneous networks and directs traffic.
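As an added illustration (not part of the study guide), the following Python puts the three controls of 1087-1089 on the receiving side of a constructed message stream: a MAC over sequence number plus body, a strictly increasing message sequence number, and a request-response timer. Together they report the active attacks listed in 1046 (modify, insert spurious, duplicate, reorder, delete and delay). The key, the use of HMAC-SHA256 as the MAC algorithm and the 16-byte truncation are assumptions for the example, not the EFTS scheme the guide refers to.

```python
"""Receiver-side MAC, sequence-number and request-response checks over a
constructed message stream. Added example; key and MAC algorithm assumed."""
import hashlib
import hmac
import struct

# Constructed shared secret; in an EFTS it lives in the terminal and host
# security modules, never in source code.
SHARED_KEY = b"constructed-demo-key"
MAC_LEN = 16   # truncated HMAC-SHA256 tag


def make_message(seq: int, body: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender: 4-byte sequence number, body, then the MAC computed over both
    (so the sequence number itself is protected from alteration)."""
    frame = struct.pack(">I", seq) + body
    tag = hmac.new(key, frame, hashlib.sha256).digest()[:MAC_LEN]
    return frame + tag


class Receiver:
    """Verifies the MAC first, then enforces the expected sequence number, and
    writes every decision to an audit trail."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.expected_seq = 1
        self.audit_trail = []   # chronological record of decisions

    def accept(self, wire: bytes) -> str:
        frame, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()[:MAC_LEN]
        if len(frame) < 4 or not hmac.compare_digest(tag, expected):
            verdict = "rejected: MAC mismatch (modified or spurious message)"
        else:
            seq = struct.unpack(">I", frame[:4])[0]
            if seq < self.expected_seq:
                verdict = "rejected: duplicate or replayed seq %d" % seq
            elif seq > self.expected_seq:
                verdict = ("rejected: seq %d out of order, seq %d missing"
                           % (seq, self.expected_seq))
            else:
                verdict = "accepted seq %d" % seq
                self.expected_seq += 1
        self.audit_trail.append(verdict)
        return verdict


def response_overdue(sent_at: float, ack_at, now: float, timeout: float) -> bool:
    """Request-response mechanism on the sender: an acknowledgement that has
    not arrived within `timeout` (or arrived late) signals that the message
    was deleted or delayed."""
    if ack_at is None:
        return now - sent_at > timeout
    return ack_at - sent_at > timeout


def demo() -> list:
    """Feed a receiver a constructed stream containing each attack type."""
    rx = Receiver()
    m1 = make_message(1, b"DEBIT 100.00 ACCT 123")
    m2 = make_message(2, b"CREDIT 100.00 ACCT 456")
    m3 = make_message(3, b"END OF BATCH")
    tampered = bytearray(m2)
    tampered[4 + 7] ^= 0x01            # alter one byte of the payload
    return [
        rx.accept(m1),                 # genuine
        rx.accept(bytes(tampered)),    # modified in transit
        rx.accept(m1),                 # duplicated / replayed
        rx.accept(m3),                 # arrives before m2: reorder, m2 missing
        rx.accept(m2),                 # the delayed m2 finally arrives
        rx.accept(m3),                 # m3 resent after the gap closes
    ]
```

The MAC is checked before the sequence number is even read, so an attacker who cannot forge the MAC cannot use a spoofed sequence number to push the receiver's window forward; the timer check is separate because a deleted message leaves nothing for the receiver to verify, only silence for the sender to notice.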
1096.Gateway- its primary function is to perform protocol conversion to allow different types of
communication architecture to communicate with one another.
1097.EFTS fund transfer messages are sent through high security high cost sub-network.
1098.Administrative messages are sent through a low cost low security sub-network.
1099.The International Standard Organization (ISO) has proposed the OSI architecture for standardization.
1100.The architecture has seven layers of functions each of which has associated controls. They are
physical, data link, network, transport, session, presentation, application.
1101.Physical-A hardware layer specifying both the mechanical features (transmission media and
connectors) and the electromagnetic features (voltage, signal strength, signalling method, amplification, modulation) of the connection between devices and the transmission medium.
1104.Channel access control method – a method specifying the protocol for accessing the communication channel between competing nodes in a network.
1105.Link encryption is the method of control employed in this layer (the data link layer) after the message has been subjected to error control and flow control.
1106.Network-Routing of message packet from source to destination decided in this layer. Ensures
correct routing of message through the network.
1107.Transport – Ensures reliable end to end message delivery. Multiplexing and end to end encryption
control measures employed here.
1109.The checkpoint mechanism in this layer (the session layer) provides for recovery of data by retransmitting from the last checkpoint.
1111.Application – Provides service like file sharing, file transfer, mail services, directory services.
Database concurrency and deadlock controls employed here.
1112.From an audit point of view, a layered approach helps in organizing the examination and evaluation of controls in a communication sub-system.
1113.The audit trail in the communication sub-system is a chronology of events from the time of dispatch of a message to the time of its receipt.
1115.EBCDIC – Extended Binary Coded Decimal Interchange Code.
1117.The processing sub-system is responsible for computing, sorting, classifying and summarizing
data.
1118.Controls to reduce expected losses from errors and irregularities associated with the CPU can be
categorized into four types :-
i)Error detection and corrections.
ii)Multiple execution states
iii)Timing control
iv)Component replication
1122.There are two types of program state – supervisor state and problem state.
1123.Supervisor state – which is for the privileged user, such as the operating system that allows any
instruction to be executed.
1124.Problem state – which applies to user programs in which only a restricted set of instructions can
be used.
1125.Real memory comprises the fixed amount of primary storage in which programs or data must
reside for them to be executed or referenced by the CPU.
1126.Two types of controls are used to control expected losses from errors and irregularities associated
with real memory :-
i)Error detection and correction.
ii)Access controls
1128.Hamming code is also a parity-based check and is so called after its developer, Richard Hamming.
1129.A parity check detects only errors in an odd number of bits.
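As an added illustration (not part of the study guide), the following Python places a plain parity bit beside the Hamming (7,4) code, showing the two facts of 1128-1129 concretely: parity detects only an odd number of inverted bits, while the Hamming code's extra parity bits also locate, and so correct, a single inverted bit (and, as the last function shows, miscorrect when two bits are inverted). The (7,4) layout with parity bits at positions 1, 2 and 4 is the standard one; the function names are this example's own.

```python
"""Hamming (7,4) code beside a plain parity bit. Added example."""


def parity_detects(data: list, flipped: list) -> bool:
    """Even-parity bit over the data bits; True when the receiver's
    recalculated parity disagrees with the stored parity bit."""
    parity = sum(data) % 2
    received = data[:]
    for i in flipped:
        received[i] ^= 1
    return sum(received) % 2 != parity


def hamming74_encode(data: list) -> list:
    """Encode data bits d1..d4 as the codeword p1 p2 d1 p3 d2 d3 d4
    (positions 1..7). Each parity bit covers the positions whose number,
    written in binary, has that parity bit's place set."""
    d1, d2, d3, d4 = data
    p1 = d1 ^ d2 ^ d4   # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4   # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4   # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(code: list) -> tuple:
    """Return (data bits, corrected position). The three parity
    recalculations form a syndrome whose value is the position of a single
    inverted bit (0 means no error found)."""
    c = code[:]
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    position = s1 + 2 * s2 + 4 * s3
    if position:
        c[position - 1] ^= 1   # forward error correction at the receiver
    return [c[2], c[4], c[5], c[6]], position


def corrects_all_single_errors() -> bool:
    """Exhaustive check: every single-bit error in every one of the 16
    codewords is located and corrected."""
    for value in range(16):
        data = [(value >> k) & 1 for k in (3, 2, 1, 0)]
        code = hamming74_encode(data)
        if hamming74_decode(code) != (data, 0):
            return False
        for pos in range(7):
            damaged = code[:]
            damaged[pos] ^= 1
            if hamming74_decode(damaged) != (data, pos + 1):
                return False
    return True


def double_error_result(data: list) -> list:
    """Two inverted bits exceed the code's capability: the syndrome points at
    a third position, so the decoded data comes back wrong."""
    code = hamming74_encode(data)
    code[0] ^= 1
    code[1] ^= 1
    return hamming74_decode(code)[0]


if __name__ == "__main__":
    word = [1, 0, 1, 1]
    sent = hamming74_encode(word)
    damaged = sent[:]
    damaged[4] ^= 1
    print("sent", sent, "received", damaged, "decoded", hamming74_decode(damaged))
    print("all single errors corrected:", corrects_all_single_errors())
    print("double error decodes to:", double_error_result(word))
```

This is why the processing sub-system's error detection and correction (1118, 1126) uses Hamming-style codes in memory, where a single flipped bit must be corrected on the spot, while a bare parity bit is enough only where detection followed by retransmission is acceptable.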
1131.Access controls-The other method to control errors in real memory is to place access controls in
the form of boundary registers (a hardware protection mechanism).
1132.Virtual memory exists when the addressable storage space(required memory) is larger than the
real memory.
1134.The database sub-system is responsible for defining, creating, modifying, deleting and reading
data in an information system.
1140.Two types of data are maintained in database systems: declarative data and procedural data.
1141.Declarative data – describes the static aspects of real world objects and the associations between these objects. A payroll file or a personnel file showing the name of the employee, pay rate, designation, job duties etc. best illustrates the declarative type of data.
1142.Procedural data – Such data describes the dynamic aspect of the real world objects and the
association between these objects.
1143.Knowledge base – The combination of declarative data and procedural data is known as
knowledge base.
1144.Data is the plural of datum (a unit of information); data are stored in the form of bits and bytes in the electronic memory of computers.
1145.Data files – are files that contain binary data and store database information.
1148.Metadata – describes how, when and by whom a particular set of data was collected, and how
the data is formatted. Metadata is administrative information and is essential for understanding
information stored in a database.
1149.Data warehouses are huge databases containing collection of data designed to support
management decision making. The term data warehousing generally refers to combining many different
databases across an entire enterprise.
1150.Data Mart is a database, or collection of databases, designed to help managers make strategic
decisions about their business. Data marts are usually smaller and focus on a particular subject or
department.
1151.Database controls:-
i)Access controls
ii)Integrity controls
iii)Concurrency controls
iv)Audit trail controls
v)Existence controls
1152.Database controls focus on access controls, maintaining integrity of data and preventing integrity
violation.
1153.Access controls in the database sub-system like in boundary controls are either discretionary or
mandatory.
1154.Discretionary access controls are exercised by system administrators or data owners to restrict the
access to the data base and the action privileges associated with the database. Restrictions may be
i)name dependent, ii) content dependent, iii)context dependent and iv)history dependent.
1155.Mandatory access controls are exercised by system administrators by assigning security attributes
to data, which cannot be changed by database users.
1156.In a DBMS, integrity constraints are used to maintain accuracy, completeness and uniqueness of
instances of constructs used within the data modelling approach.
1157.When application software uses the database, update and report protocols are used to protect
the integrity of the database.
1158.Update protocol includes sequence checking the order of transaction files/master files, ensuring
processing of all records by using correct end of file processing protocols, processing multiple
transactions in a single record in the correct order and posting monetary transactions which are not
matched with a master record into a suspense account.
1159.Report protocol includes printing control data in an internal table (these are standing data
which are used to perform various functions, eg in a billing program there may be an internal table of
price or in a payroll program, the internal table of pay rates) periodically, printing run to run control
totals and printing suspense entries.
1160.When two processes are allowed concurrent access to a data item there could be a violation of
data integrity.
1161.Concurrency controls are used to overcome the problem of deadlock in a shared data resource or
in a distributed database.
1162.Deadlock-A situation where two processes are waiting for each other to release the data that the
other needs.
1163.Two phase locking is the most widely used solution to resolve the problem of deadlock.
1164.Database cryptographic controls are used to protect the integrity of data stored in a database.
1166.To protect the integrity of data from unauthorized access, a cryptographic key is to be used.
1167.Existence controls include backup and recovery strategy. Some methods of such strategy are
grandfather, father, son strategy, dual recording and mirroring, dumping, logging, residual dumping etc.
iii)The ways in which data will be prepared and routed to users.
1170.The output controls can be examined from four different angles-inference controls, controls
over the production and distribution of batch output, batch report design controls and controls
over the production and distribution of online reports.
1171.Inference controls are used in the output system to prevent compromise of statistical database.
1173.Positive compromise :- whereby users determine that a person has a particular attribute eg Eric
is an alcoholic.
1174.Negative compromise : whereby users determine that a person does not have a particular attribute
eg Eric is not an alcoholic.
1175.Exact compromise : whereby users determine the precise value of an attribute possessed by a
person e.g. Eric draws a salary of Rs.20,000/- p.m.
1176.Approximate compromise :- whereby users determine, within some range, the value of an attribute
possessed by a person eg Eric draws a salary in the range of Rs.15,000/- to Rs.20,000/-
1178.Restriction controls – which limit the set of responses provided to users' queries, thereby
protecting the confidentiality of data about persons in the database.
1179.Perturbation controls – which introduce some type of noise into the statistical calculations based
on records retrieved from the database. This results in information loss, causing bias (the difference
between the average value of the perturbed statistics and the average value of the true statistics) or
inconsistency in the results obtained.
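The following Python, added here and not taken from the guide, applies both control types to a constructed employee table: a restriction control that refuses queries whose result set (or its complement) is too small, and a perturbation control that adds bounded noise. The names, departments and salaries are made up.

```python
import random

# Added example, not from the IIBF guide. Constructed records (not real data):
# a statistical database that should answer aggregates, not reveal one salary.
EMPLOYEES = [
    {"name": "Eric", "dept": "Audit", "grade": 3, "salary": 20000},
    {"name": "Asha", "dept": "Audit", "grade": 2, "salary": 17000},
    {"name": "Ravi", "dept": "Loans", "grade": 3, "salary": 19000},
    {"name": "Meera", "dept": "Loans", "grade": 2, "salary": 16000},
    {"name": "John", "dept": "Loans", "grade": 1, "salary": 14000},
    {"name": "Priya", "dept": "Ops", "grade": 3, "salary": 21000},
]


def unrestricted_sum(records, predicate, field):
    """No inference control: a query whose set holds one person returns that
    person's exact value (the exact compromise described in the text)."""
    return sum(r[field] for r in records if predicate(r))


def restricted_sum(records, predicate, field, k=2):
    """Restriction control: refuse (None) when fewer than k records match, or
    more than n - k match, because the complement set would then isolate k or
    fewer people and two allowed answers could be subtracted."""
    matched = [r for r in records if predicate(r)]
    n = len(records)
    if len(matched) < k or len(matched) > n - k:
        return None
    return sum(r[field] for r in matched)


def perturbed_sum(records, predicate, field, seed, noise=500):
    """Perturbation control: add bounded random noise, so the same query gives
    inconsistent answers and the precise value cannot be read off."""
    true_value = sum(r[field] for r in records if predicate(r))
    rng = random.Random(seed)  # seeded only so the example is reproducible
    return true_value + rng.randint(-noise, noise)


if __name__ == "__main__":
    isolates_eric = lambda r: r["dept"] == "Audit" and r["grade"] == 3
    print("no control:", unrestricted_sum(EMPLOYEES, isolates_eric, "salary"))
    print("restriction:", restricted_sum(EMPLOYEES, isolates_eric, "salary"))
    loans = lambda r: r["dept"] == "Loans"
    print("restriction, loans dept:", restricted_sum(EMPLOYEES, loans, "salary"))
    print("perturbed:", [perturbed_sum(EMPLOYEES, loans, "salary", s) for s in (1, 2, 3)])
```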
1180.Batch output production and distribution controls – Controls to be exercised at each phase depend
upon the cost/benefit ratio.
1182.With the advancement of technology, enterprises have been experiencing increasing complexity
of technology employing cost effective solutions like internet, cloud computing for their operations.
This has led to a significant increase in the threats to enterprise information.
1183.Effective computer security is the result of appropriate tuning of various controls, which comprise
management controls, application controls, operational controls and administrative controls.
1184.Policy refers to a set of specific security rules for specific category of systems eg firewall policy,
e-mail policy etc.
1185.Hence the IS Security Policy acts as the documentation of the management's strategy, directives
and decisions relating to the computer security.
1186.COBIT lays down detailed statements for a structured approach to the process of IT planning and
organization.
1187.The Planning and Organization Domain of COBIT has been explained in detail in (i) Security
Policies, procedures and controls and (ii) Management and control framework.
1189.In Information Technology, an incident is an occurrence where a service or component fails to
provide a feature or service that it was designed to deliver.
1190.All security incidents or violations of security policies should be brought to the notice of the
CISO of a bank.
1191.CERT-In : Computer Emergency Response Team-India
1193.To determine the risk, a bank can evaluate the likelihood associated with the threat agent, attack
vector, and security weakness and combine it with an estimate of the technical and business impact to
an organization. Together, these factors determine the overall risk.
1194.VaR : is a statistic that measures and quantifies the level of financial risk within a firm's portfolio or
position over a specific time frame.
1195.Access to the database prompt must be restricted only to the database administrator.
1196.MTM – Mark to market is a measure of the fair value of accounts that change over time, such as
assets and liabilities. MTM aims to provide a realistic appraisal of an institution's or company's current
financial situation.
1197.Multi-tier application architecture needs to be considered for relevant critical systems like internet
banking systems which differentiate session control, presentation logic, server side input validation,
business logic and database access.
NETWORK SECURITY
1198.Protection against growing cyber threats requires multiple layers of defences, known as defence
in depth.
1199.Defence in depth for most organizations should at least consider two areas namely (a)Protecting
the enclave boundaries or Perimeter (b)Protecting the computing environment.
1200.The enclave boundary is the point at which an organization's network interacts with the Internet.
1213.An effective approach to secure a large network involves dividing the network into logical
security domains.
1215.Typical perimeter controls include firewalls that operate at different network layers, malicious
code prevention, outbound filtering, intrusion detection and prevention devices, and controls over
infrastructure services such as DNS.
1216.The main purpose of a firewall is access control. By limiting inbound (from the Internet to
the internal network) and outbound communications (from the internal network to the Internet), various
attack vectors can be reduced.
1217.Firewalls may provide additional services like Network Address Translation(NAT) and Virtual
Private Network Gateway(VPNG).
1218.Financial institutions have four primary firewall types from which to choose – packet filtering,
stateful inspection, proxy servers and application-level firewalls.
1219.A firewall policy states management's expectation for how a firewall should function and is a
component of the overall security management framework.
1220.Firewalls are potentially vulnerable to attacks including spoofing trusted IP addresses, denial of
service by overloading the firewall with excessive requests or malformed packets, sniffing of data that
is being transmitted outside the network, hostile code embedded in legitimate HTTP, SMTP, or other
traffic that meet all firewall rules etc.
1222.To use a Network IDS(NIDS) effectively, an institution should have a sound understanding of the
detection capability and the effect of placement, tuning, and other network defences on the detection
capability.
1223.A weakness in the signature-based detection method is that a signature must exist for an alert to
be generated. Signatures are written to either capture known exploits, or to alert to suspected
vulnerabilities.
1224.The anomaly-based detection method generally detects deviation from a baseline. The baseline
can be either protocol-based, or behaviour-based.
1225.The protocol-based baseline detects differences between the detected packets for a given protocol
and the Internet's RFC (Request for Comment) pertaining to that protocol. For example, a header field
could exceed the RFC established expected size.
1226.Tuning refers to the creation of signatures and alert filters that can distinguish between normal
network traffic and potentially malicious traffic, apart from involving the creation and implementation of
different alerting and logging actions based on the severity of the perceived attack.
1228.Decryption is a device-specific feature that may not be incorporated into all NIDS units.
1229.All NIDS detection methods result in false positives (alerts where no attack exists) and false
negatives (no alert when an attack does take place)
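As an added example (not from the guide), this Python runs a placeholder signature rule and an RFC 1035 protocol-baseline rule over constructed packet summaries, then scores the alerts against known labels, producing one false positive and one false negative. The signature bytes, packets and labels are all made up for the example.

```python
# Added example, not from the IIBF guide: a toy NIDS with one signature rule
# and one protocol-baseline rule, scored against constructed, labelled packets.

# Signature rule. The pattern is a made-up placeholder, not a real exploit string.
SIGNATURES = {"SIG-EXAMPLE-001": b"EXAMPLE-KNOWN-BAD-PATTERN"}

# Protocol baseline from RFC 1035: a DNS label is at most 63 octets and a full
# domain name at most 255 octets. Exceeding either deviates from the RFC.
DNS_MAX_LABEL = 63
DNS_MAX_NAME = 255


def signature_alerts(packet):
    """Signature-based detection: an alert only fires if a signature exists."""
    return [sig for sig, pattern in SIGNATURES.items() if pattern in packet["payload"]]


def dns_protocol_alerts(packet):
    """Protocol-based anomaly detection: compare the query name with RFC limits."""
    if packet["proto"] != "dns":
        return []
    name = packet["qname"]
    alerts = []
    if len(name) > DNS_MAX_NAME:
        alerts.append("DNS-NAME-TOO-LONG")
    if any(len(label) > DNS_MAX_LABEL for label in name.split(".")):
        alerts.append("DNS-LABEL-TOO-LONG")
    return alerts


def inspect_packet(packet):
    return signature_alerts(packet) + dns_protocol_alerts(packet)


def score(packets):
    """Compare alerts with ground truth: true positives, false positives
    (alert, no attack) and false negatives (attack, no alert)."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for p in packets:
        alerted = bool(inspect_packet(p))
        if alerted and p["is_attack"]:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1
        elif p["is_attack"]:
            counts["fn"] += 1
    return counts


def pkt(proto, payload=b"", qname="", is_attack=False):
    return {"proto": proto, "payload": payload, "qname": qname, "is_attack": is_attack}


# Constructed traffic with labels (ground truth the sensor does not see).
SAMPLE_PACKETS = [
    pkt("http", b"GET /index.html HTTP/1.1"),                           # benign
    pkt("http", b"POST /x EXAMPLE-KNOWN-BAD-PATTERN", is_attack=True),  # known signature
    pkt("dns", qname="www.example.com"),                                # benign
    pkt("dns", qname="a" * 70 + ".example.com", is_attack=True),        # label > 63 octets
    pkt("http", b"GET /novel HTTP/1.1", is_attack=True),                # no signature, in spec: missed
    pkt("http", b"GET /docs/sigs.txt EXAMPLE-KNOWN-BAD-PATTERN"),       # benign copy of the bytes
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["proto"], inspect_packet(p))
    print(score(SAMPLE_PACKETS))
```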
1233.NIPS are an access control mechanism that allow or disallow access based on an analysis of
packet headers and packet payloads.
1234.Firewalls typically allow only the traffic necessary for business purposes, or only “known good”
traffic.
1235.IPS units contain a “white list” of IP addresses that should never be blocked. The list helps ensure
that an attacker cannot achieve a denial of service by spoofing the IP of a critical host.
1236.Quarantining a device protects the network from potentially malicious code or actions. Typically,
a device connecting to a security domain is queried for conformance to the domain's security policy. If
the device does not conform, it is placed in a restricted part of the network until it does conform.
1237.Split DNS is an arrangement in which one firewalled DNS server serves public domain information
to the outside and does not perform recursive queries.
1239.Configuration management begins with well-tested and documented security baselines for various
systems. There need to be documented security baselines for all types of information systems.
1240.If backdoors or vendor connections do exist in critical systems, strong authentication must be
implemented to ensure secure communications.
1241.Establishing critical “Red Teams” to identify and evaluate possible attack scenarios. There is a
need to feed information resulting from the “Red Team” evaluation into risk management processes to
assess the information and establish appropriate protection strategies.
1242.The organizations should at least consider two areas namely (a)protecting the enclave boundaries
or perimeter and (b)protecting the computing environment.
1243.Banks manage risks through prudent business practices, contractual arrangements with third
parties, obtaining insurance coverage and use of appropriate security mechanisms.
1244.Policies are management instructions indicating a course of action, a guiding principle, or an
appropriate procedure, which is expedient, prudent, or advantageous.
1245.A policy statement describes only the general means for addressing a specific problem.
1246.Procedures are specific operational steps or manual methods that workers must employ to achieve
a certain goal.
1247.Policies are higher-level requirement statements than “standards”, although both types of
management instructions require compliance.
1248.Standards would for example define the number of secret key bits required in an encryption
algorithm such as SSL a widespread internet encryption protocol.
1249.Policies on the other hand would simply define the need to use an approved encryption process
when sensitive information is sent over public networks such as the Internet.
1250.The latest twin-sister of SSL is TLS, and they are often referred to together as the SSL/TLS protocol.
SSL is fast being replaced by TLS. In fact, TLS v 1.0 is often considered SSL v 3.1.
1251.SSL = Secure Socket Layer
1252.TLS = Transport Layer Security
1253.At the corporate level, the CISO would be responsible for Information System Security.
1254.CISO -Chief Information Systems Security Officer
1255.The Information Systems Security Managers/Officers should be adequately trained on
Information System Security standards like ISO/IEC 27001 and should be encouraged to pursue
courses in Information security/Audit such as CISSP/CISM/CISA/CFE and other internationally
acclaimed certifications.
1256.ISO/IEC 27001 is the best-known standard in the family providing requirements for an ISMS,
whereas ISO 27002 is the code of practice of information security management.
1257.ISMS – Information Security Management System.
1258.Each information access control system should have one or more Information Systems Security
Administrator(s), appointed to ensure that the access control procedures are being monitored and
enforced continuously.
1259.The activities of the ISSA have to be reviewed by an independent party such as Audit department,
for the purpose, on a routine basis.
1260.ISSA-Information Systems Security Administrator
1261.The custodian of information is generally responsible for the processing and storage of the
information.
1262.Authentication devices – Passwords, Secure cards, PINs etc.
1263.The Information Security Officer is responsible for working with user management, owners,
custodians, and users to develop and implement prudent security policies, procedures, and controls,
subject to the approval of Counsel.
1264.Large departments with significant Confidential Information may have a departmental
Information Security Liaison.
1265.Security policies are high-level laws of the land regarding a security infrastructure. They are not
procedures. Procedures tell how to implement security policies.
1266.The person being held responsible for security policies could be the Director of Information
Security, the Chief Security Officer, the Director of Information Technology, the Chief Information
Officer, or a knowledgeable employee appointed to be the information security officer.
1267.Security is typically distributed, and security mechanisms should be built into all layers of the
enterprise infrastructure. Security policies should describe the rules of the road for the following types
of technology systems :-
i)Encryption mechanisms
ii)Access control devices
iii)Authentication systems
iv)Virtual Private Networks(VPN)
v)Firewalls
vi)Messaging systems
vii)Anti-virus systems
viii)Websites
ix)Gateways
x) Mission critical applications
xi)End-user desktops
xii)DNS servers
xiii)Routers and switches.
1268.Security controls are mechanisms put into place to enforce security policies.
1269.Security Definition-All security policies should include a well-defined security vision for an
organization. The security vision should be clear and concise and convey to the readers the intent of the
policy.
1270.Enforcement-This section should clearly identify how the policy will be enforced and how
security breaches and/or misconduct will be handled.
1271.The Chief Information Officer(CIO) and the Information Systems Security Officer(ISSO)
typically have the primary responsibility for implementing the policy and ensuring compliance.
1272.A good security policy should also include information that identifies how security profiles will
be applied uniformly across common devices eg servers, workstations, routers, switches, firewalls,
proxy servers etc.
1273.If your agency does not have a need to host Internet or Intranet based applications then do not
install Microsoft IIS.
1274.If you have a need to host HTML services, but do not have a requirement for allowing FTP, then
disable it.
1275.Random and scheduled audits should be conducted and may include :-
i)Password auditing using password cracking utilities such as LC3(Windows) and PW Dump(Unix and
Windows).
ii)Auditing user accounts database for active old accounts(persons who left the agency).
iii)Penetration testing to check for vulnerabilities using technical assessment tools such as ISS and
Nessus.
iv)Social Engineering techniques to determine if you can get a username or password from a staff
member.
v)Simulate (off hours) network failure and evaluate your incident response team's performance and
readiness.
vi)Test your back-up recovery procedures.
vii)Use Tripwire or similar product to monitor your critical binary files.
viii)Configure your Server OS to audit all events and monitor several times a day for suspicious
activity.
ix)Use a port scanner(Nmap, Nessus etc) within your network to determine if your system
administrators catch the traffic and take appropriate action.
1281.Emergency Access – Procedures must be documented to address – Authorization, Implementation
and Revocation.
1283.Confidential information must never be stored on mobile computing devices (laptops, Personal
Digital Assistants(PDA), smart phones, tablet PCs etc) unless they have the following minimum
security requirements implemented :
i)Power-on passwords
ii)Auto logoff or screen saver with passwords, and
iii)Encryption of stored data or other acceptable safeguards approved by Information Security Officer.
1286.Any system includes a basic set of system programs called an operating system. The most
important program in the set is called the kernel. It is loaded into memory when the system boots
and contains many critical procedures that are needed for the system to operate.
1288.Real-time operating system : This OS is most often found in robotic machinery and scientific
devices.
1289.Single-user, single task system : This type of OS is used by devices such as a PDA or other
miniature computers.
1290.Single-user, multitasking system. This type of OS is most familiar because it includes most
Microsoft Windows Systems. In this OS, a user can open multiple programs and jump back and forth
between applications as required.
1291.Multi-user system – A true multi-user operating system allows many users to access the
computer's resources simultaneously. A common example of this type of OS is Linux.
1297.Examples of public information may include organization's events calendars, class schedules,
minutes of meetings, and material posted to the organization's web pages.
1298.Incident Handling refers to those practices, technologies and/or services used to respond to
suspected or known breaches to security safeguards.
1299.Industry best practices suggest that organizations who adopt both proactive and reactive means to
address incident handling are better able to limit the negative implications of incidents. Examples of
proactive activities include establishing communication mechanisms to report incidents and to
disseminate incident alerts and identifying technical experts who can provide emergency assistance if
needed. Examples of reactive activity include blocking or aborting computer processes, temporarily
denying user access and deploying inoculation software.
1300.Intrusion Detection System(IDS) have emerged to help detect perimeter breaches and intrusions.
1301.According to Gartner Research “Intrusion detection sounds like a good idea but alerts you only
that something is going on. It is not always so effective to just see the alarms going off” and not have
the tools to address the problem.
1302.Too often, however, the IDS bells ring, but with no effective means to respond and sort out all the
false positives, the IDS becomes white noise, and, ultimately, shelf-ware.
1303.White Noise – WN is a specific kind of noise that involves randomized sound. It is the most
familiar of the various different kinds of “spectral light” that involve their own different power
distributions across a sound frequency spectrum. White noise is also known as Additive White
Gaussian Noise (AWGN).
1304.Shelfware : It is a slang term used to describe owning or licensing software that you don't
actually need or use (eg it sits on a shelf).
1306.Hackers and malevolent insiders often cover their tracks by deleting event log and system files,
hiding their installed malware by renaming it with innocuous file extensions, cloaking created
backdoors and other similar techniques.
1307.Network-enabled computer forensics tools can quickly undelete files, locate hidden malware(even
if renamed) through file signature and hash analysis, find backdoors and other evidence, and make
complete bit-stream image backups of drives housing compromised data.
1308.As the target systems are not taken off-line, the key live data of the compromised system(open
ports, live registry, RAM dumps) can be easily captured and preserved.
1309.In June 2003, Gartner created a major stir in the information security industry when it issued a
research report calling into question the effectiveness of intrusion detection systems.
1310.The insider threat takes many forms, whether it is unauthorized access to customer privacy
information, theft of intellectual property and trade secrets, financial fraud, improper deletion of
computer files (as in the case of Arthur Andersen) or various employee policy violations such as email
harassment and internet pornography.
1311.In terms of defined industry best practices, ISO 17799 provides very detailed requirements for
incident response, internal investigations, and preservation and analysis of computer evidence
consistent with best practices and computer forensics protocols.
1312.An enterprise's overall security framework must, under ISO 17799, include an effective incident
response approach “to ensure a quick, effective and orderly response to security incidents”. An ISO
17799 compliant enterprise should employ the best methods and tools available to respond to breaches
or suspected breaches of its information security, and must collect and preserve the resulting evidence
in a forensically sound manner for investigation and reporting purposes.
1313.The “patch and proceed” methodology is not compliant with these regulations and standards for
two reasons. First, with the growing standardization of network-enabled computer forensics tools,
“patch and proceed” is simply no longer consistent with the best practice. Secondly, without the proper
response, collection and preservation of evidence, the internal and regulatory incident reporting
requirements under these regulations and standards can not be met.
1314.A Covert Channel can expose information by some indirect and obscure means. It may be
activated by changing a parameter accessible by both secure and insecure elements of a computing
system, or by embedding information into a data stream.
1315.Trojan Code is designed to affect a system in a way that is not authorized and not readily noticed
and not required by the recipient or user of the program.
1316.Where Covert or Trojan code are a concern, the following should be considered :-
i)Buying programs only from a reputed source.
ii)Buying programs with source code so the code may be verified.
iii)Using evaluated procedure
iv)Inspecting all source code before operational use.
v)Controlling access to and modification of code once installed.
vi)Use staff who have proven trust to work on key systems.
1318.Anti-virus software should run as an NLM (NetWare Loadable Module) on a file server. If this is not
possible, the workstations and file server should be scanned at the end of the business day, or at least once a week.
1319.If a virus is suspected of being present and the virus can not be identified or is identified as a
transmittable or “travelling” virus, the following procedure should be followed :-
i)The personal computer should be physically disconnected from a LAN.
ii)LAN should be physically isolated from other LANs and NET.
iii)All access and mail servers on a LAN should be shutdown.
iv)Users should be informed not to use their PC or any floppy disks in their possession.
vi)The Information Services Department Help Desk must be notified of the “possibility” of the
presence of a “travelling” virus on a LAN connected to NET. The Help Desk will electronically isolate
the LAN from NET. The Help Desk should then notify all NET LAN Administrators of the potential
problem and act as a coordinating office for information regarding the problem.
vii)All resources on the LAN should be scanned using Anti-virus software. Don't forget to scan
diskettes and standalone PCs that have shared resources or any contact with an infected LAN.
viii)All file servers should be scanned on an hourly basis until all scanning procedures are complete and
a clean bill of health is issued by the LAN Administrator.
1320.FUD : Fear, Uncertainty and Doubt.
1321.Black Hat Hacker : A BHH is a person who attempts to find computer security vulnerabilities and
exploit them for personal financial gain and other malicious reasons.
1323.Vendor Bugs : VB are buffer overflows and other programming errors that result in users
executing the commands they are allowed to execute. Downloading and applying patches usually fix
vendor bugs.
1324.Poor Architecture : PA is the result of not properly factoring security into the design of how an
application works. These vulnerabilities are typically the hardest to fix because they require major
rework by the vendor. An example of poor architecture would be when a vendor utilizes a weak
form of encryption.
1326.Incorrect Usage : IU refers to building applications utilizing developer tools in ways that can be
used to break into a system. SQL INJECTION is an example of incorrect usage.
1327.Security in database has generally been ignored and the threat management of these applications
has been non-existent. The damage caused by a worm is dependent on several factors :-
i)The number of targets for a worm.
ii)The success rate of infection.
iii)The resilience of a worm.
1328.Databases are a critical piece of an organization's infrastructure and cannot always be hidden
behind a firewall. The success rate of infection is critical to whether or not the worm is able to spread
through to other systems. For example, the Spida worm was effective because a large number of
Microsoft SQL Server databases had blank “sa” passwords. Those databases with non-blank
passwords were not infected.
1329.Databases are extremely complex beasts, and generic auditing, vulnerability assessment, and IDS
solutions just don't cut it.
1332.The ISO OSI Reference Model defines seven layers of communications types, and the interfaces
among them.
1335.DoS (Denial of Service) attacks are probably the nastiest, and most difficult to address. They are
the nastiest because they are very easy to launch, difficult (sometimes impossible) to track, and it isn't
easy to refuse the requests of an attacker without also refusing legitimate requests for a service.
1336.The premise of a DoS attack is simple: send more requests to a machine than it can handle.
1338.There are two major categories among the destructive sorts of break-ins and attacks :-
i)Data diddling
ii)Data destruction
1339.Data diddling :- It is a method adopted by computer criminals. DD is the changing of data before
or during entry into the computer system, or altering the raw data just before it is processed by a
computer and then changing it back after the processing is completed. Using this technique the criminal
can manipulate the output, and it is not easy to identify. But using cyber forensic tools we can trace
when the data was changed and change it back to the original form.
1340.Firewall-A firewall is simply a group of components that collectively form a barrier between two
networks.
1341.In order to provide some level of separation between an organization's intranet and the internet,
firewalls have been employed.
1342.Bastion host – A general purpose computer used to control access between the internal (private)
network (intranet) and the Internet (or any other untrusted network). Typically, these are hosts running
a flavour of the Unix operating system that has been customized in order to reduce its functionality to
only what is necessary to support its functions. Many of the general purpose features have been
turned off, and in many cases completely removed, in order to improve the security of the machine.
1343.Router :- A special purpose computer for connecting networks together. Routers also handle
certain functions, such as routing, or managing the traffic on the networks they connect.
1344.Demilitarized Zone(DMZ) : The DMZ is a critical part of a firewall. It is a network that is neither
part of the untrusted network, nor part of the trusted network. But this is a network that connects the
untrusted to the trusted. The importance of DMZ is tremendous; someone who breaks into your
network from the Internet should have to get through several layers in order to successfully do so.
Those layers are provided by various components within a DMZ.
1345.Proxy-This is the process of having one host act on behalf of another. A host that has the ability to
fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might
be configured to be proxy clients. In this situation, when a host on the intranet wishes to fetch a web
page, for example, the browser will make a connection to the proxy server and request the given URL.
The proxy server will fetch the document and return the result to the client. In this way, all hosts on the
intranet are able to access resources on the Internet without having the ability to directly talk to the
Internet.
1346.Firewalls:-
i)Application Gateways
ii)Packet Filtering
iii)Hybrid Systems
1347.Application Gateways :-The first type of firewall is the application gateway, sometimes known as the
proxy gateway. These are made up of bastion hosts that run special software to act as a proxy server.
This software runs at the application Layer of the ISO/OSI Reference Model, hence the name.
1348.Packet Filtering :- PF is a technique whereby routers have ACLs (Access Control Lists) turned on.
By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions.
Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you
allow the outside world to have to your internal network, and vice versa.
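An added example (not from the original notes) of how an ordered ACL enforces the policy described above on the Internet-facing interface of a router. The addresses 192.0.2.10 (DMZ web server) and 10.0.0.0/8 (internal network) are constructed for the example, and the list ends in an explicit default deny rather than the pass-everything behaviour of a router with no ACL.

```go
package main

import (
	"fmt"
	"net"
)

// Action is what an ACL entry does with a packet it matches.
type Action int

const (
	Deny Action = iota
	Permit
)

func (a Action) String() string {
	if a == Permit {
		return "permit"
	}
	return "deny"
}

// Packet holds the header fields a packet filter inspects; values used
// below are constructed for this example.
type Packet struct {
	Src, Dst net.IP
	Proto    string // "tcp" or "udp"
	DstPort  int
}

// NewPacket builds a Packet from dotted-quad addresses.
func NewPacket(src, dst, proto string, dstPort int) Packet {
	return Packet{Src: net.ParseIP(src), Dst: net.ParseIP(dst), Proto: proto, DstPort: dstPort}
}

// Rule is one ACL entry. A nil network, empty protocol or zero port means "any".
type Rule struct {
	Src, Dst *net.IPNet
	Proto    string
	DstPort  int
	Action   Action
	Note     string
}

func (r Rule) matches(p Packet) bool {
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(p.Dst) {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return true
}

// ACL is an ordered rule list: entries are checked top to bottom, the first
// match decides, and a packet matching no entry gets the Default action.
type ACL struct {
	Rules   []Rule
	Default Action
}

// Evaluate returns the action for p and the note of the entry that decided it.
func (a ACL) Evaluate(p Packet) (Action, string) {
	for _, r := range a.Rules {
		if r.matches(p) {
			return r.Action, r.Note
		}
	}
	return a.Default, "implicit default"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// InboundACL is a hypothetical policy for the interface facing the Internet:
// packets claiming an internal 10.0.0.0/8 source are dropped as spoofed, only
// web traffic to the DMZ web server 192.0.2.10 is allowed in, and everything
// else falls through to the default deny.
func InboundACL() ACL {
	return ACL{
		Rules: []Rule{
			{Src: cidr("10.0.0.0/8"), Action: Deny, Note: "spoofed internal source"},
			{Dst: cidr("192.0.2.10/32"), Proto: "tcp", DstPort: 80, Action: Permit, Note: "http to dmz web"},
			{Dst: cidr("192.0.2.10/32"), Proto: "tcp", DstPort: 443, Action: Permit, Note: "https to dmz web"},
		},
		Default: Deny,
	}
}

func main() {
	acl := InboundACL()
	for _, p := range []Packet{
		NewPacket("198.51.100.7", "192.0.2.10", "tcp", 443),
		NewPacket("198.51.100.7", "192.0.2.10", "tcp", 22),
		NewPacket("10.0.0.5", "192.0.2.10", "tcp", 80),
	} {
		act, why := acl.Evaluate(p)
		fmt.Printf("%s -> %s/%s:%d  %s (%s)\n", p.Src, p.Dst, p.Proto, p.DstPort, act, why)
	}
}
```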
1349.Hybrid Systems :
1350.Firewall certifications : The certification of a firewall means nothing more than the fact that it can
be configured in such a way that it can pass a series of tests. Similarly, claims about meeting or
exceeding U.S. Department of Defence “Orange Book” standards, C-2, B-1 and such all simply mean
that an organization was able to configure a machine to pass a series of tests.
1351.Firewall : The term firewall refers to a number of components that collectively provide the
security of a system.
1352.Crypto Capable Routers :-A feature that is being built into some routers is the ability to perform session
encryption between specified routers. Because traffic travelling across the Internet can be seen by
people in the middle who have the resources (and time) to snoop around, these are advantageous for
providing connectivity between two sites, such that the path between the two routers is secured.
1353.Virtual Private Networks :- Given the ubiquity of the Internet, and the considerable cost involved
in private leased lines, many organizations have been building VPNs(Virtual Private Networks).
1354.Disaster recovery is that part of a business resumption plan which ensures that the
information and the information processing facilities are restored to their normal operating conditions
as soon as possible after a disruption.
1355.Emergency procedures, manual fall-back plans and resumption plans should be within the
responsibility of the owners of the appropriate business resources or processes involved.
1356.Fall back arrangements for alternative technical services, such as information processing and
communication facilities, should usually be the responsibility of the service providers.
1357.A variety of techniques should be used in order to provide assurance that the plan(s) will operate
in real life. They should include :-
i)Table top testing of various scenarios.
ii)Simulations particularly for training people in their post incident crisis management roles.
iii)Technical recovery testing i.e. ensuring information systems can be restored effectively.
iv)Testing recovery at an alternate site running business processes in parallel with recovery operations
away from the main site.
v)Tests of supplier facilities and services ensuring externally provided services and products will meet
the contracted commitment.
vi)Complete rehearsals i.e. testing that the organization, personnel, equipment, facilities and processes
can cope with interruptions.
1358.Several viruses, Trojans, and malware use email as the vehicle to propagate themselves
throughout the Internet.
1359.A few of the more recent worms were Code Red, Nimda, and Goner.
1360.The black-hat community typically launches their 'zero day' and old exploits on the Internet via
IRC chat rooms, through Instant Messengers, and free Internet email providers(gmail, hotmail, yahoo
etc.).
1367.TCP/IP :This is functionality that occurs at the Network (IP) and Transport (TCP) layers in the
ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2,
MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that use the
network.
1368.Engineers and scientists from all over the world participate in the IETF (Internet Engineering
Task Force) working groups that design the protocols that make the Internet work. Their time is
typically donated by their companies, and the result is work that benefits everyone.
1369.IP : IP is a “network layer” protocol. This is the layer that allows the hosts to actually “talk” to
each other. It handles such things as carrying datagrams, mapping the Internet address (such as 10.2.3.4) to a
physical network address (such as 08:00:69:0a:ca:8f), and routing, which takes care of making sure that
all of the devices that have Internet connectivity can find the way to each other.
1370.IP Spoofing : In computer networking, IP address spoofing or IP spoofing is the creation of
Internet Protocol packets with a false source IP address, for the purpose of impersonating another
computing system.
1371.IP Session Hijacking is a relatively sophisticated attack, first described by Steve Bellovin.
1372.IP Session Hijacking is an attack whereby a user's session is taken over and placed under the control of the
attacker. If the user was in the middle of reading email, the attacker is looking at the email, and can then execute
any commands he wishes as the attacked user. The attacked user simply sees his session dropped, and
may simply log in again, perhaps not even noticing that the attacker is still logged in and doing things.
1373.TCP is a transport-layer protocol. It needs to sit on top of a network-layer protocol, and was
designed to ride atop IP, just as IP was designed to carry, among other things, TCP packets. Because
TCP and IP were designed together, and wherever you have one you typically have the other, the entire
suite of Internet protocols is known collectively as “TCP/IP”.
IS AUDIT
1377.'The Working Group on Information Systems Security for the Banking and Financial Sector'
constituted by RBI enumerated that every Bank in the country should conduct “Information Systems
Audit as per the IS Security Policy” of the Bank.
1378.Information Systems Audit and IS Security Dept(Cell) prepare Information Systems Audit policy.
1379.The fundamental principle is that risk and controls are continuously evaluated by the
information/business owners, where necessary, with the support from IS Audit function.
1380.Information System Auditing is the process of collecting and evaluating evidence to determine
whether a computer system safeguards assets, maintains data integrity, allows organization goals to be
achieved effectively and uses resources efficiently.
1382.The objective of the IS audit is to assess the identified risks that an organization is exposed to in the
computerized environment.
1383.The IT facilities must be protected against all hazards (physical and environmental). The hazards
can be accidental hazards or intentional hazards or natural hazards.
1384.Data integrity includes the safeguarding of the information against intentional, unintentional
or unauthorized changes viz., addition, deletion, modification or alteration. The desired features of the
data are described hereunder :-
a)Accuracy
b)Confidentiality
c)Completeness
d)Reliability
e)Relevance
1385.Technology risks are controlled by General IS controls and business risks are controlled using
Application controls.
1386.The auditor must learn new skills to work effectively in a computerized environment. These new
skills are categorized in three broad areas :-
i)Understanding of computer concepts and system design.
ii)Understanding the functioning of Accounting Information System(AIS), an ability to identify new
risks and understand how the internal controls are mapped on to the computers to manage technology
and business risks.
iii)Knowledge of use of computers in audit.
1387.In the computerized accounting environment, records are kept in computer files, which are
categorized into three types, namely master file, parameter file and transaction file.
1388.There are two types of Transaction Processing Systems(TPS)-Batch processing and On-line
processing.
for the information systems.
1397.Physical controls include locks and keys, biometric controls and environmental controls.
1398.Logical controls like access controls implemented by the operating systems, database management
systems and utility software are implemented through sign-on procedures, audit trail etc.
1399.Administrative controls include separation of duties, security policy, procedures and standards,
disaster recovery and business continuity plans, information systems audit etc.
1400.Information systems audit :- is a process to collect and evaluate evidence to determine whether
the information systems safeguard assets, maintain data integrity, achieve organizational goals
effectively and consume resources efficiently.
1411.The common element between any manual audit and IS audit is data integrity.
1413.According to COBIT, there are five resources that an IT environment needs to consider, viz. people,
application systems, technology, data and facilities.
1414.The IS management function can be divided into four phases, like any other management function :-
i)Management (which is equivalent to planning and organization)
ii)Implementation and deployment
iii)Directing and controls
iv)Audit and monitoring
1419.A business continuity plan begins with business impact analysis(BIA) and involves risk
evaluation and loss estimates for the outage.
1420.The operating system controls access at the directory and file level, while the database application
controls access at the record and field level.
1421.All users must get just the minimum access which they need to do their work, which has two aspects to it :-
First, only authorized users should have access to IT resources, based on their roles and responsibilities.
Second, even authorized users should not have full access; the access should be need based. For this,
all operating systems have two types of facilities, namely authentication and authorization.
Authentication allows only the authorized users to access the system. Authorization allows just-
minimum-access to files and directories. To manage both these facilities, every operating system
has a facility called systems administration.
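An added example (not part of the original notes) showing the two facilities side by side: a sign-on check (authentication) followed by a need-based, directory-level authorization check of the kind the notes attribute to the operating system. The user names, passwords, roles and paths are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Perm is a bit set of file operations.
type Perm uint8

const (
	Read Perm = 1 << iota
	Write
	Execute
)

// User is one sign-on account: a salted password hash plus the role that
// drives its need-based access. Accounts here are constructed for the example.
type User struct {
	Name string
	Salt []byte
	Hash [32]byte
	Role string
}

// rolePerms maps a role to the directories it needs and the operations it
// needs on them; anything not listed is implicitly not permitted.
var rolePerms = map[string]map[string]Perm{
	"teller":  {"/data/accounts": Read | Write, "/data/ledger": Read},
	"auditor": {"/data/accounts": Read, "/data/ledger": Read, "/var/log/audit": Read},
}

// hashPassword derives the stored verifier. A salted SHA-256 keeps the example
// dependency-free; a real sign-on procedure should use a deliberately slow
// password hash such as bcrypt or Argon2.
func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

// NewUser creates an account with a fresh random salt.
func NewUser(name, password, role string) User {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return User{Name: name, Salt: salt, Hash: hashPassword(salt, password), Role: role}
}

// Authenticate is the sign-on check: it identifies the account and verifies
// the password in constant time, so a wrong name and a wrong password look
// the same to the caller.
func Authenticate(users map[string]User, name, password string) (User, bool) {
	u, ok := users[name]
	if !ok {
		hashPassword(make([]byte, 16), password) // same work whether or not the name exists
		return User{}, false
	}
	got := hashPassword(u.Salt, password)
	if subtle.ConstantTimeCompare(got[:], u.Hash[:]) != 1 {
		return User{}, false
	}
	return u, true
}

// Authorize decides whether an already-authenticated user may perform all of
// the operations in want on path. Permissions granted on a directory apply to
// the files beneath it; everything else is denied (just-minimum-access).
func Authorize(u User, path string, want Perm) bool {
	var have Perm
	for dir, p := range rolePerms[u.Role] {
		if path == dir || strings.HasPrefix(path, dir+"/") {
			have |= p
		}
	}
	return want != 0 && have&want == want
}

func main() {
	users := map[string]User{
		"rkumar": NewUser("rkumar", "correct horse battery", "teller"),
		"asingh": NewUser("asingh", "staple", "auditor"),
	}
	if u, ok := Authenticate(users, "rkumar", "correct horse battery"); ok {
		fmt.Println("rkumar write /data/accounts/ac-1001:", Authorize(u, "/data/accounts/ac-1001", Write))
		fmt.Println("rkumar write /data/ledger:", Authorize(u, "/data/ledger", Write))
	}
	_, ok := Authenticate(users, "rkumar", "wrong")
	fmt.Println("rkumar with wrong password signed on:", ok)
}
```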
1423.Every database provides facilities to implement sign-on procedures (user identification and
authentication) and authorization mechanisms.
1423.Oracle is the most-commonly used RDBMS in India and world over, providing facilities to
implement access controls through sign-on procedures and authorization.
1425.Application control primarily deals with the audit objects.
1428.ACL is the market leader in the arena of general audit software. The software provides the
facilities needed by an auditor to evaluate all the seven types of assertions made in any financial
statement.
1429.ACL Software offers tools to understand the quantitative features of the data as well as the
qualitative features of the data. Moreover, it provides facilities to conduct substantive testing.
1431.The audit organization or group has learned that to be successful it must generate an appropriate
internal audit infrastructure, tailor-made audit approaches to each business unit within the company,
and create “over-the-top” results by focusing on four basic elements : people, processes, electronic
platforms, and focused collaboration with senior management.
1432.A diverse group of auditors brings several skill sets to audit areas that include project
management, manufacturing, supply management, and product marketing and sales.
1433.A team of two or three auditors will cover two or more major business processes during field
work that lasts up to three weeks.
1434.The overall goal within a group is to retain a small core of experienced auditors and to rotate the
balance to operating units after they have been in the audit group for approximately three years.
1435.Electronic audit platforms such as Lotus Notes are introduced to gain significant efficiencies.
1436.Metrics play a key role in successfully upgrading the audit group processes by measuring key
processes for improvement.
information in advance from audit customers.
ii)Fieldwork is more focused and is accomplished in two to three weeks.
iii)A draft audit report will be completed at the end of fieldwork.
iv)Final audit reports, completed with management action plans, are issued less than 30 days after
fieldwork ends.
v)Primary audit work papers are electronic, streamlined, and completed within two weeks after field
work ends; secondary hard-copy work papers are strictly limited and for accessory purposes only.
1438.The auditors develop brief project descriptions and report on project status at quarterly quality
meetings.
1439.For the auditors who will be rotating to other parts of the company, an Internal Auditor Quality
Recognition Program, with achievement levels and corresponding substantial cash awards, has been
developed.
1440.In the mid 1990s, Lotus Notes was used as a worldwide standard for groupware.
1441.Located within a group, the Internal Control Documents database includes past audit reports,
audit follow-up analysis, audit report distribution lists, key document templates, presentations, minutes
of information sharing staff meetings, and other reference information.
1442.In addition, the auditors developed a kit of templates for key audit documents. The kit includes
Word and Excel framework documents, such as audit engagement letters, audit reports, management
action plans replying to audit reports, auditor job performance evaluations, and the audit quality
questionnaire sent to customers following an audit.
1443.In conducting an audit there are five major phases- planning the audit, test of controls, tests of
transactions, tests of balances or overall results, and completion of an audit.
1445.HLSC for Review of Supervisory Processes for Commercial Banks was set up by RBI.
1446.SRM : Supervisory Relationship Manager
1447.In August 2011, RBI set up a High Level Steering Committee(HLSC) for Review of Supervisory
Processes for Commercial Banks. Major recommendations of the Committee :-
i)Objectives of supervision
ii)Approach to supervision-RBS
iii)Supervisory rating under RBS
iv)Thematic reviews
v)Consolidated supervision
vi)Jurisdiction of supervision
vii)Single point of supervisory contact
viii)Building of supervisory skills
1516.Planning execution of an audit :-This describes the steps of a planning process before IS Audit
starts execution of the plan :-
i)Documenting an audit plan
ii)Nature and extent of test of control
iii)Sampling techniques
iv)Standards and frameworks
v)Resource management
1517.RBI issued the “Guidance Note on Risk-based Internal Audit” in 2002 to all scheduled
commercial banks, introducing the system of “risk-based internal audit”.
1518.Under CAMELS inspection, a bank could attain a high rating based on earnings even if it was taking
undue risks to achieve higher profitability, which could expose the bank to operational risks.
1519.RBS has brought uniformity in reporting that enables RBI to assess and manage individual banks
based on their risk profile and capital levels.
1520.It should also be ensured that all systems, domains and processes, irrespective of their risk-levels,
are covered within a period of three years.
1522.RBS, which focuses on evaluating both present and future risks, identifying incipient problems
and facilitating prompt intervention/early corrective action, should replace the present compliance-based
and transaction-testing approach (CAMELS), which is more in the nature of a point-in-time assessment.
1448.The periodicity/intensity of on-site inspection of a bank would depend upon its position on the
Risk-Impact Index Matrix rather than its volume of business.
1523.Under the proposed RBS, the supervisory rating would be a reflection on the risk elements
(inherent business risks and effectiveness of control) and would not be an exercise in performance
evaluation as under the CAMELS rating Framework.
1524.The supervisory intervention including placing a bank under the Prompt Corrective Action(PCA)
framework, if required, would be based on the supervisory rating and the risk-impact score of a bank.
1525.The supervisor would increasingly use thematic reviews as a tool of supervision whereby review
of a particular product, market or practice using a specialized team would be made to assess risks
brewing within a sector at system level for enabling prompt actions/measures.
1527.The ITGI has also provided guidance on execution of assurance initiative in its “IT Assurance
Guide Using COBIT”.
1529.Testing Control Design :-This section lists the different techniques that will be used in detailed
audit steps. Testing of controls is performed covering the main test objectives :-
i)Evaluation of control design.
ii)Confirmation that controls are in place within the operation.
iii)Assess the operational effectiveness of controls.
iv)Additionally, control efficiency could be tested.
1530.Five generic testing methods include enquire and confirm, inspect, compare actual with expected
findings, re-perform or re-calculate and review automated evidence collection through analyzing data
using computer assisted audit techniques and extracting exceptions or key transactions.
1531.CAAT – Computer Aided Automated Tools- IS Audit function needs to enhance the use of
CAATs, particularly for critical functions or processes carrying financial or regulatory or legal
implications.
1532.The extent to which CAATs can be used will depend on factors such as efficiency and
effectiveness of CAATs over manual techniques, time constraints, integrity of the Information System
and IT environment and level of audit risk.
1533.CAATs may be used in critical areas (like detection of revenue leakage, treasury functions,
assessing impact of control weaknesses, monitoring customer transactions under AML requirements)
and generally in areas where a large volume of transactions are reported.
1534.CAATs may be used to perform the following audit procedures among others :-
i)Test of transactions and balances, such as recalculating interest.
ii)Analytical review procedures, such as identifying inconsistencies or significant fluctuations.
iii)Compliance test of general controls : testing set-up or configuration of the operating system, or
access procedures to the programme libraries.
iv)Sampling programmes to extract data for audit testing.
v)Compliance tests of application controls such as testing functioning of a programmed control.
vi)Re-calculating entries performed by the entity's accounting systems.
vii)Penetration testing.
1535.When IS Auditors believe that an organisation has accepted a level of residual risk that is
inappropriate for the organisation, they should discuss the matter with Internal Audit and Senior
Management.
1536.If the IS Auditors are not in agreement with the decision, regarding residual risk, IS Auditors and
Senior Management should report the matter to the Board, or Audit Committee, for resolution.
1537.An audit summary memorandum should be prepared and address the conclusion regarding the
appropriateness of the going concern assumption and the effect, if any, on financial statements.
1542.The RBAF is a management document that explains how risk concepts are integrated into the
strategies and approaches used for managing programs that are funded through transfer payments.
1544.The departmental IRMF would be a primary source of reference or at least a starting point for risk
identification, assessment and management.
1550.ASD – Alternative Service Delivery
1551.ASD arrangements - where another party delivers the funds to the end recipient on behalf of the
program manager, as this arrangement is inherently higher risk than direct delivery to the recipient.
1552.Audit risk factors – risk factors having to do with the possibility of the auditor drawing the wrong
conclusion – concluding that all is well when it is not or that all is not well when it in fact is.
1553.Recipient auditing should describe the process used for deciding on and planning recipient audits,
considering the following steps :-
i)Audit objectives
ii)Risk identification and assessment criteria.
iii)Risk factors rating
iv)Audit planning decisions
1555.Risk factors rating – Consider each audit risk factor and assign a rating. Calculate the overall risk
rating as LOW, MEDIUM or HIGH risk.
1556.The process for planning internal audits is risk-based and the responsibility of IA.
1557.Transfer payment program management should consult with IA as soon as the need for an RBAF
is identified in order to make arrangements for IA input to the relevant RBAF components.
1558.The PTP also required that management develop a Results-Based Management and
Accountability Framework(RMAF) to provide measurement and evaluation strategies for assessing the
performance of a transfer payment program.
1559.The RBAF and RMAF are complementary documents that provide managers with the means and
measures for enhancing program monitoring and reporting.
1560.The links between performance and risk, including data collection elements(baseline data) and
control frameworks, should be considered at the beginning of the program lifecycle. This integrated
approach will assist in clearly identifying all objectives, the program context as well as potential
internal and external risks to the achievement of objectives.
1561.The RBAF must be “risk sensitive” and the RMAF must be “performance sensitive”, i.e.
linking risk to the program outcomes and performance measurement strategies.
1562.The Information Systems Audit and Control Association, Inc.(ISACA) sets forth this Code of
Professional Ethics to guide the professional and personal conduct of members of the Association
and/or its certification holders.
1563.Failure to comply with this Code of Professional Ethics can result in an investigation into a
member's or certification holder's conduct and, ultimately, in disciplinary measures.
1564.The specialized nature of information system(IS) auditing and the skills necessary to perform
such audits require standards that apply specifically to IS auditing. One of the goals of the Information
Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its
vision.
1565.The framework for the IS Auditing Standards provides multiple levels of guidance. Standards
define mandatory requirements for IS auditing and reporting. They inform :-
i)IS auditors of the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics for IS auditors.
ii)Management and other interested parties of the profession's expectations concerning the work of
practitioners.
iii)Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to
comply with these standards may result in an investigation into the CISA holder's conduct by the
ISACA Board of Directors or appropriate ISACA committee and ultimately in disciplinary action.
1566.COBIT provides a detailed set of controls and control techniques for the information systems
management environment.
1567.COBIT includes :-
i)Control objectives
ii)Control practices
iii)Audit guidelines
iv)Management guidelines
1569.Control practices-Practical rationales and “how to implement” guidance for the control
objectives.
1570.Audit guidelines-Guidelines for each control area on how to obtain an understanding, evaluate
each control, assess compliance and substantiate the risk of controls not being met.
continuous and proactive control self-assessment specifically focused on performance measurement, IT
control profiling, awareness and benchmarking.
1573.Maturity models such as CMM and maturity attributes provide for capability assessments and
benchmarking, helping management to measure control capability and to identify control gaps and
strategies for improvement. The CMM is a methodology used to develop and refine an organization's
software development process. The model describes a five-level evolutionary path of increasingly
organized and systematically more mature processes.
1574.COBIT guidance for the following processes should be considered relevant when performing the
audit :-
PO1-Define a strategic IT plan.
PO3-Determine technological direction.
PO8-Ensure compliance with external requirements.
PO9-Assess risk
AI2-Acquire and maintain application software.
AI3-Acquire and maintain technological infrastructure.
AI4-Develop and maintain procedures.
AI5-Install and accredit systems
AI6-Manage changes
DS1-Define and manage service levels
DS2-Manage third-party services
DS3-Manage performance and capacity
DS4-Ensure continuous service
DS5-Ensure systems security
DS8-Assist and advise customers
DS10-Manage problems and incidents
DS11-Manage data
M1-Monitoring the process
M2-Assess internal control adequacy
1576.COBIT Standard 060 – Performance of audit work – states “During the course of the audit, the IS
auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The
audit findings and conclusions are to be supported by appropriate analysis and interpretation of this
evidence.”
1577.COBIT Standard 050 – Planning – states “The IS auditor should plan the information systems
audit coverage to address the audit objectives and to comply with applicable laws and professional
auditing standards”.
1578.COBIT Standard 030 – Professional ethics and standards – states “The IS auditor should exercise
due professional care, including observance of applicable professional auditing standards.”
1581.CAATs include many types of tools and techniques, such as generalised audit software, utility
software, test data, application software tracing and mapping, and audit expert systems.
1583.The Information Technology Act, 2000 came into force on 17th October 2000.
1585.In the background, the United Nations commissioned the UN Commission on International Trade
Law (UNCITRAL) to draft a standardized and homogeneous model law which could support the use of
information technology in trade and commerce, i.e. electronic commerce in a broad sense. The draft that
was submitted in 1996 is known as the UNCITRAL Model Law on Electronic Commerce, 1996.
1586.The IT Act, 2000, also made such consequential changes in the Indian Penal Code, the Indian
Evidence Act, 1872, The Banker's Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934.
The effect of all these was to officially recognize e-transactions.
iv)Facilitation of government transactions in an electronic form.
1588.The IT Act, 2000 deals with certain issues as Attribution of electronic messages – to link an
electronic message or transaction to its originator in a way that the originator is prevented from
repudiating it.
1589.The IT Act, 2000 deals with certain issues such as legal status of Digital Signatures and Asymmetric
Cryptosystems, i.e. legal recognition of signing in a digital form and usage of an asymmetric cryptosystem,
and the authorities entrusted with the task of administering the Public Key Infrastructure (PKI).
1590.The Model Law recommends a functional equivalent approach to the issues involved in
achieving the objectives. The Model Law recognizes that traditional paper based documentation
constitutes the main hurdle to the development and growth of electronic means of communication and
commerce.
1591.There are some basic differences between a paper based document say a printed purchase invoice
and an invoice generated by an Electronic Data Interchange(EDI) system. While the printed invoice is
readable by humans, the EDI invoice is in a machine-readable form till such time it is displayed on a
screen or printed out.
1592.The IT Act, 2000 extends to the whole of India. It also applies to any offence or contravention under the Act committed outside India by any person.
1593.The IT Act, 2000 does not list the subject matters to which it applies, but specifies those to which it does not apply (Section 1(4)), which are :-
i)Negotiable instruments
ii)Powers of attorney
iii)Trusts
iv)Any will including any kind of testamentary document or disposition.
v)Any contract for sale or conveyance of immovable property or any interest in such property.
1594.Section 81 of the IT Act, 2000 has an overriding effect. It is provided that any provisions in any
other Act, law or regulation, which are inconsistent with the provisions of the act, would be overridden.
1596.Asymmetric Cryptosystem means a system of a secure key pair consisting of a private key to
create a digital signature and a public key to verify the digital signature.
1597.Private Key means the key out of a key pair used to create a digital signature.
1598.Public Key means the key out of a key pair used to verify a digital signature.
1599.Key Pair means a private key and its mathematically related public key which are related to each
other in such a way that the public key can be used to verify the digital signature created by the private
key.
1600.Chapter II of the IT Act, 2000 consists of only one section, section 3, which deals with Digital Signatures and gives legal sanction to the concept of the DS. The section also defines a hash function: an algorithm that maps or translates one sequence of bits into another, generally smaller, sequence known as the "hash result", such that the same electronic record always yields the same hash result, and it is computationally infeasible to reconstruct the record from its hash result or to find two records that produce the same hash result.
1602.Chapter V of the IT Act, 2000, consisting of sections 14 to 16, deals with secure electronic records and secure digital signatures.
1604.Section 15 of the IT Act, 2000 also merely provides the legal sanction for the popular method of creating and affixing digital signatures, i.e. the Public Key Infrastructure coupled with hashing algorithms such as MD5. (MD5 has since been shown to be collision-prone and is no longer acceptable for digital signatures; current practice uses the SHA-2 family.)
1605.An electronic record is said to be secure from the point of time at which a security procedure is applied to it till the time it is verified (Section 14).
1606.It may be recalled that the security procedure would be one which is prescribed by the
government under section 16 of the Act.
1607.Chapter III of the Act, consisting of sections 4 to 10, deals with the important substantive provisions necessary for legal recognition of electronic records (Section 4).
1609.Use of electronic records and digital signatures in government and its agencies(Section 6).
1612.Certain exceptions(Section 9)
1613.Certain powers granted to Central Government with regard to Digital Signatures(Section 10).
1614.Where any law requires that information or a document be in writing, typewritten or printed form, the requirement is satisfied if the information or document meets the following two conditions :-
i)It is rendered or made available in an electronic form, and
ii)It is accessible so as to be usable for subsequent reference.
1615.Central and State Governments are authorized by sub-section 2 of section 6 to make rules to
prescribe the manner and format of electronic filing and the methods of payment of fee etc.
1618.Section 7 gives legal credence to electronic storage of records if such storage does not alter the
records.
1619.Section 8 empowers the Central and State Governments to publish all their documents issued under delegated powers under various legislation in electronic form. Rules, regulations, orders, bye-laws, notifications and other matters which are required to be published in the Official Gazette may now also be published in electronic form. Such a publication is called an "Electronic Gazette".
1620.Section 9 addresses the apprehension that electronic filing might become compulsory: it provides that nothing in sections 6, 7 and 8 confers a right on any person to insist that any Ministry or Department of the Government, or any authority or body controlled by the Government, should accept, issue, create, retain or preserve any document in electronic form, or accept payment electronically.
1623.Just like the Indian Contract Act, the IT Act allows the sender and addressee to agree upon their own rules on the time and place of despatch and receipt of electronic records. The rules laid down in section 13 apply when such an agreement is absent.
1624.A key player in the Public Key Infrastructure is the Certifying Authority(CA).
1625.A CA is the person who has license to issue Digital Signature Certificate.
1626.As the act recognizes only an asymmetric key cryptosystem for securing electronic records, it is
imperative that the PKI must also be strengthened by adequate legislative support.
1627.Chapter VI of the IT Act deals with the regulation of CAs through the appointment of the Controller of Certifying Authorities (CCA), and sets out the powers, duties and responsibilities of the CCA and of the CAs.
1629.The CCA is appointed by the Central Government by an appropriate notification in the Official
Gazette.The Central Government may also appoint Deputy Controllers and Assistant Controllers as
required.
1630.The CCA shall be subject to the general control and directions of the Central Government and
shall discharge all the functions under the Act.
1631.The Deputy and Assistant Controllers shall be under the general supervision and control of the
CCA.
1632.Functions of the CCA – The CCA is charged with the following functions under the Act :-
i)Supervision of Certifying Authorities
ii)Supervision of PKI and Digital Signatures
iii)Other general functions.
1633.Licence to issue Digital Signature Certificates-A licence granted shall be valid only for the period specified by the Central Government. It shall not be transferable or inheritable.
1634.An application for a licence shall be made in the prescribed form and with the following
enclosures :-
i)Certification Practice Statement
ii)Procedure statement for identification of applicant.
iii)Fees prescribed, however not exceeding Rs.25,000/-
iv)Any other document prescribed by the Central Government from time to time.
1636.The Certification Practice Statement (CPS) is a very important document which sets out the practices followed by the CA in issuing, maintaining and revoking Digital Signature Certificates.
1637.The licence will be renewed by the Central Government on an application made in prescribed
form at least 45 days before expiry of the existing licence and on payment of fees not exceeding
Rs.5,000/-
1638.The CCA may suspend the licence for enquiry for a period not exceeding 10 days.
1639.The CCA may delegate any of his functions or powers to Deputy Controllers, Assistant
Controllers or other officers, such delegation to be in writing.
1640.Income-tax authorities have quasi-judicial powers: under the Income-tax Act their proceedings are deemed to be judicial proceedings and every income-tax authority is deemed to be a civil court. Section 28 confers the same powers on the CCA and his officers when investigating contraventions of the Act.
2.Duty to ensure compliance of the Act.
3.Duty to display licence.
4.Duty to surrender licence.
5.Duty to disclose information.
6.Duty to disclose revocation etc.
7.Duty to disclose certain material facts.
8.Duty to notify affected persons.
1642.Chapter VII of the IT Act 2000, consisting of sections 35 to 39, deals with Digital Signature Certificates (DSCs).
1645.The prescribed fee for DSC not exceeding Rs.25,000/- shall be paid to CA.
1647.A CA may issue a DSC after considering the particulars submitted and making any additional enquiries it considers necessary. However, before issuing a DSC the CA must ensure the following :-
i)That the applicant holds the private key corresponding to the public key to be listed in the DSC.
ii)That the applicant's private key is capable of creating a digital signature.
iii)That the public key to be listed in the DSC can be used to verify a digital signature affixed using the applicant's private key.
1648.A subscriber shall be deemed to have accepted a DSC if he authorizes its publication to one or
more persons or in any repository or acts in manner so as to suggest that he has accepted the DSC. E.g.
signs using the private key corresponding to the public key.
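The three CA checks in 1647 and the key-pair and hash-result definitions in 1596 to 1600 are easiest to see in running code. The following is an added illustration written for this revision, not text of the Act and not any CA's software. It assumes textbook RSA over a SHA-256 hash result with no padding and no certificate format, and builds the key pair from two fixed Mersenne primes so that it runs offline with only the Python standard library; such a key is trivially factorable and is only a stand-in for a properly generated key. The sample record and the CA challenge are constructed for the example.

```python
"""Hash-then-sign with an asymmetric key pair, plus the proof-of-possession
check a CA makes before listing a public key in a DSC.

Educational illustration only: textbook RSA without padding, and a key pair
built from fixed Mersenne primes (constructed choice, NOT a usable key).
Real systems use a vetted library with RSA-PSS or ECDSA/EdDSA."""
import hashlib
from dataclasses import dataclass
from typing import Callable

P = (1 << 521) - 1   # Mersenne prime M521 (constructed, insecure as an RSA factor)
Q = (1 << 607) - 1   # Mersenne prime M607
E = 65537            # public exponent; coprime to (P-1)(Q-1), checked in make_key_pair


@dataclass(frozen=True)
class KeyPair:
    """1596-1599: the private key (n, d) creates the signature, the
    mathematically related public key (n, e) verifies it."""
    n: int
    e: int
    d: int


def make_key_pair(p: int = P, q: int = Q, e: int = E) -> KeyPair:
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # raises ValueError if e is not invertible mod phi
    return KeyPair(n=p * q, e=e, d=d)


def hash_result(record: bytes) -> int:
    """1600: the 'hash function' maps a long bit sequence to a fixed, shorter
    'hash result' (256 bits here) from which the input cannot be recovered."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, kp: KeyPair) -> int:
    """Affix a digital signature with the private key: sig = H(record)^d mod n.
    H(record) < 2^256 < n, so no reduction of the hash is needed."""
    return pow(hash_result(record), kp.d, kp.n)


def verify(record: bytes, signature: int, n: int, e: int) -> bool:
    """Verify with the public key only: sig^e mod n must equal H(record).
    Any change to the record changes H(record) and the check fails, which is
    what underlies the Section 85B presumption that a secure record is unaltered."""
    return pow(signature, e, n) == hash_result(record)


def ca_proof_of_possession(public_n: int, public_e: int,
                           applicant_sign: Callable[[bytes], int],
                           challenge: bytes) -> bool:
    """1647: before issuing a DSC the CA must be satisfied that the applicant
    holds the private key matching the public key to be listed, that the key
    can create a signature, and that the listed public key verifies it.
    One challenge-response covers all three: the applicant signs a CA-chosen
    nonce and the CA verifies it with the public key, never seeing the private key."""
    return verify(challenge, applicant_sign(challenge), public_n, public_e)


if __name__ == "__main__":
    subscriber = make_key_pair()
    record = b"Pay INR 10,000 to account 1234 on 2019-07-21"   # constructed sample
    sig = sign(record, subscriber)
    print("original verifies:", verify(record, sig, subscriber.n, subscriber.e))
    tampered = record.replace(b"10,000", b"90,000")
    print("tampered verifies:", verify(tampered, sig, subscriber.n, subscriber.e))
    print("CA proof of possession:",
          ca_proof_of_possession(subscriber.n, subscriber.e,
                                 lambda c: sign(c, subscriber), b"ca-nonce-0001"))
```

The challenge must be chosen by the CA and used once; if the applicant could pick it, a signature copied from some earlier document would pass the check without proving possession of the private key.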
1650.Tampering with computer source documents, i.e. computer programs, commands, designs, layouts and program analyses (Section 65) - Imprisonment of up to 3 years and/or fine of up to Rs.2 lakhs.
1651.Hacking computer systems (Section 66, as originally enacted), i.e. a wilful act that destroys, deletes or alters any information in a computer resource or diminishes its value or utility - Imprisonment of up to 3 years and/or fine of up to Rs.2 lakhs.
1655.Unauthorized access, or attempt to secure access, to a protected system (Section 70). The appropriate Government may declare a computer resource to be a protected system by notification - imprisonment of up to 10 years and fine (amount not specified).
1657.Breach of confidentiality and privacy by officers and authorities who obtained access to records or information under the Act (Section 72) - imprisonment of up to 2 years and/or fine of up to Rs.1 lakh.
1658.Publishing a DSC that is false in material particulars, or publishing a DSC for a fraudulent or unlawful purpose (Sections 73 and 74) - imprisonment of up to 2 years and/or fine of up to Rs.1 lakh.
1660.Failure to file any return or furnish any information specified in the regulations within the time limit specified (Section 44) - Penalty of up to Rs.5,000/- per day of failure.
1661.Failure to maintain books of account or records specified (Section 44) - Penalty of up to Rs.10,000/- per day of failure.
1663.Section 43 of the IT Act 2000 (as originally enacted) provides that a person affected by the unauthorized acts of another person listed in that section (accessing a computer system or network without permission, downloading, copying or extracting data, introducing a virus or other contaminant, damaging the system or its data, disrupting it, denying access to an authorized person, assisting another to do any of these, or charging services to another person's account) shall be entitled to compensation not exceeding Rs.1 crore.
1664.Contraventions for which no penalty is separately provided attract a residuary penalty of up to Rs.25,000/- under Section 45.
1665.Section 46 empowers the Central Government to appoint an adjudicating officer to determine whether any person has committed a contravention under Chapter IX of the Act. Such an officer shall not be below the rank of Director in the Central Government or an equivalent rank in a State Government.
1666.The Adjudication Officer(AO) shall have the powers of a civil court and all proceedings shall be
deemed to be judicial proceedings under the Indian Penal Code 1860. The AO shall also be deemed to
be a civil court under the Code of Criminal Procedure, 1973.
1667.The AO shall consider the following factors before passing an order of compensation or penalty :-
i)The amount of unfair gain or advantage made as a result of the default,
ii)The amount of loss caused to any person as a result of the default, and
iii)The repetitive nature of the default.
1669.The Cyber Regulations Appellate Tribunal (CyAT) shall consist of only one member, who shall be called the Presiding Officer.
1670.The Presiding Officer shall be, or have been, a judge of a High Court, or shall be or have been a member of the Indian Legal Service who held a Grade I post for at least 3 years.
1671.All orders of the CCA and the AO shall be appealable before the CyAT.
1672.An appeal in prescribed form shall be filed within 45 days from the date of service of the order
against which the appeal is preferred.
1673.An appeal before the CyAT is not governed by the procedure laid down in the Code of Civil Procedure, 1908; the CyAT is guided by the principles of natural justice.
1674.The CyAT shall have the powers of a Civil Court vested under the Code of Civil Procedure, 1908.
1675.All proceedings before the CyAT shall be deemed to be judicial proceedings under the Indian
Penal Code, 1860.
1676.Section 61 of the Act bars jurisdiction of civil courts over the matters, which fall under the
jurisdiction of an AO or the CyAT appointed.
1677.Any person aggrieved by an order of the CyAT may appeal to the High Court within 60 days from the date of communication of the order under appeal.
1678.The Information Technology (Amendment) Bill, 2006, enacted as the Information Technology (Amendment) Act, 2008, amends the IT Act, 2000.
1679.The Bill made a body corporate handling sensitive personal data liable to pay compensation of up to Rs.5 crore if it is negligent in implementing reasonable security practices and procedures with respect to such data. (This became Section 43A; as enacted in 2008 the section sets no upper limit on the compensation.)
1680.Offensive messages-The 2008 amendment introduced Section 66A, which penalised the sending of "offensive messages". (Section 66A was struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India, 2015.)
1681.It also introduced Section 69, which gives the authorities the power of "interception or monitoring or decryption of any information through any computer resource". It also introduced penalties for child pornography, cyber terrorism and voyeurism.
1682.Asymmetric cryptosystem (AC)-An AC is one in which different keys are employed for the operations in the cryptosystem (e.g. encryption and decryption, or signing and verification) and one of the keys can be made public without compromising the secrecy of the other key.
1683.Section 92 of the IT Act, 2000 makes amendments to the Indian Evidence Act, 1872 through the
Second Schedule of the Act.
1684.The following are the amendments made in the Indian Evidence Act by the IT Act, 2000 :-
i)New sections 65A & 65B regarding admissibility of electronic records.
ii)New sections 67A & 73A regarding proof of Digital Signatures.
iii)New sections 81A, 85A, 85B, 85C, 88A, 90A regarding certain additional presumptions regarding
electronic documents and related matters.
iv)New sections 22A & 47A regarding the relevance of oral evidence when electronic records are produced and of opinions regarding digital signatures.
v)Amendments to definitions of “record” to include electronic records.
1687.Section 73A provides that, in order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed, the court may direct that person, the Controller or the Certifying Authority to produce the Digital Signature Certificate, and may direct any other person to apply the public key listed in the DSC to verify the signature.
1688.New sections 81A, 85B, 85C, 88A, 90A regarding certain additional presumptions.
1691.Section 85B :-
Secure Electronic Records – Presumption that the secure record has not been altered since the time it
entered the secure status.
Secure digital signatures-Presumption that secured digital signature was affixed by its owner.
Records other than secure electronic records and digital signatures other than secure digital signatures-
No presumption as to authenticity and integrity.
1693.Section 88A:-
Electronic messages-Presumption that an electronic message forwarded by the originator through an electronic mail server to the addressee corresponds with the message as fed into the originator's computer for transmission.
Sender of electronic messages-No presumption as to the person by whom such a message was sent.
1694.Section 90A-Electronic records five years old produced from proper custody-Presumption that the digital signature purporting to be that of a particular person was affixed by him or by a person authorized by him.
1695.New Sections 22A and 47A regarding relevance of oral evidence when electronic records are produced and when digital signatures are used.
1696.Section 22A provides that oral admissions as to the contents of an electronic record are relevant only if the genuineness of the electronic record produced is in question. Simply stated, the electronic record itself stands as evidence of its contents unless a party challenges its genuineness and makes out that challenge.
1697.Section 47A provides that when the court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which issued the DSC is a relevant fact. In other words, if the digital signature and its veracity are not challenged, the opinion of the Certifying Authority need not be called for.
1698.The word “record” appearing in section 35 shall be construed to be record or electronic record.
1699.The term “documents” used in relation to definition of evidence in section 3 shall include
electronic documents.
1700.The phrase “entries in books of account” in section 34 shall include those maintained in an
electronic form.
1702.The fourth schedule to the Information Technology Act, 2000, inserts a new clause in section 58
of the Reserve Bank of India Act, 1934. Section 58 deals with the regulatory powers of our central
bank.
1704.The convention which established the WIPO, at Stockholm in 1967, agreed that Intellectual
Property shall include all rights relating to the following :-
i)Literary, artistic and scientific works
ii)Performances of performing artists, phonograms and broadcasts.
iii)Inventions in all fields of human endeavours.
iv)Scientific discoveries
v)Industrial designs
vi)Trade marks, service marks and commercial names and designations.
vii)Protection against unfair competition and all other rights resulting from intellectual activity in the industrial, scientific, literary or artistic field.
1705.Intellectual property as a layman would understand it, necessarily would include products or
creations of the mind. The intellectual property laws would thus aim at protecting or safeguarding the
creators by granting them certain time-limited rights to control the use of such creations. Such laws
collectively are called the Intellectual Property Laws.
1706.IPR is a collection of Patent, Copyright and Trade Mark Laws of each country, in addition to
various civil and criminal codes, which are termed as IPR laws.
1707.In India, most of the Intellectual Property Rights relevant to software are covered by the Copyright Act, 1957.
1709.There are some recognized active organizations in India which are working in the anti-piracy
field. These organizations are – SCRIPT, IPRS, PPL
1710.SCRIPT – Society for Copyright Regulations of Indian Producers of Films & Television.
1713.The Copyright Act, 1957 extends to the whole of India as per Section 1(2).
1714.Under certain circumstances the GOI is empowered to grant rights under the Act to the works of
certain international organizations as per Section 41.
1715.Section 42-certain powers to restrict the rights in works of foreign authors first published in India.
1716.Section 42A-Power to restrict rights of foreign broadcasting organizations and performers.
1717.Copyright is an exclusive right, provided under the legislation of a particular country, to the author or composer of an original work expressed and registered, to print, publish and sell copies of his work. The Act defines "copyright" as the exclusive right, subject to the provisions of the Act, to do or authorize the doing of any of the acts mentioned in the sub-sections of section 14, in respect of a work or any substantial part thereof.
1719.The Act has defined “Literary work” to include computer programmes, tables and compilations
including computer databases.
1720.“Computer” has been defined to include any electronic or similar device having information
processing facilities.
1721.“Computer programme” has been defined as a set of instructions expressed in words, codes,
schemes or in any other form, including a machine readable medium, capable of causing a computer to
perform a particular task or achieve a particular result.
1722.The act defines “broadcast” as communication to the public by any means like wireless diffusion,
whether in one or more of the forms of signs, sounds or visual images or by wire and includes a
rebroadcast.
1723.Section 51 specifies under what circumstances shall the copyright be deemed to be infringed.
1724.Section 9 to 12 specify the basic administrative machinery for the purpose of the Act.
1725.There will be a copyright board to be constituted by the Government, which will have a chairman
and not more than fourteen other members.
1726.The chairman shall be a person who is or has been a Judge of a High Court, or is qualified for
appointment as a judge of a High Court.
1727.The Registrar of copyrights in a certain circumstances and the copyrights board will have the
status of a civil court (Section 74).
1729.Commission of an offence has been described as "Any person who knowingly infringes or abets the infringement of the copyright in a work or any other right conferred by this Act, except the right conferred by section 53A" (Section 63).
1731.DRM is short for digital rights management, a system for protecting the copyright in data circulated via the Internet or other digital media by enabling secure distribution and/or disabling illegal distribution of the data.
1732.A DRM system protects intellectual property either by encrypting the data so that it can only be accessed by authorized users, or by marking the content with a digital watermark or a similar method so that the content cannot be freely distributed.
1734.Restrictive Licensing Agreements-Access to digital materials, whether copyrighted or in the public domain, is controlled. Some restrictive licences are imposed on consumers as a condition of entering a website or of downloading software.
Encryption, scrambling of expressive material and embedding of a tag-This technology is designed to control access to and reproduction of information, including backup copies for personal use.
1735.One of the oldest and least complicated DRM protection methods for the computer games is a
product key, a typically alphanumerical serial number used to represent a license to a particular piece
of software.
1737.E-DRM or ERM-is the application of DRM technology to the control of access to corporate
documents such as Microsoft Word, PDF, and AutoCAD files, emails, and intranet web pages rather
than to the control of consumer media.
1739.An early example of a DRM system is the Content Scramble System (CSS) employed by the DVD Forum on film DVDs circa 1996.
1741.Metadata is used in media purchased from Apple's iTunes Store for DRM-free as well as DRM-restricted versions of their music or videos. This information is included as MPEG standard metadata.
1742.Digital watermarks are features that are added during production or distribution. Digital
watermarks involve data that is arguably steganographically embedded within the audio or video data.
1743.Since the late-2000s the trend in media consumption has been towards renting content using
online streaming services.
1745.COBIT is designed to help three distinct audiences :-management, users and auditors.
1748.The CMM describes the principles and practices underlying software process maturity. It is intended to help software organizations improve the maturity of their software processes along an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes.
1750.Common features include practices that implement and institutionalize a key process area. These
five types of common features include:-
i)Commitment to perform
ii)Ability to perform
iii)Activities performed
iv)Measurement and analysis
v)Verifying implementation
1751.The balanced scorecard is a management system(not only measurement system) that enables
organizations to clarify their vision and strategy, and translate them into action.
1752.The balanced scorecard uses four perspectives, develops metrics, collects data and analyzes the
data relative to each of these perspectives. These are :-
i)Learning and growth
ii)Business process
iii)Customer
iv)Financial
1758.The key to success in the SABSA methodology is to be business driven and business focused. The business strategy, objectives, relationships, risks, constraints and enablers all tell us what sort of security architecture the organization needs. This analysis and description of the business itself is called the "contextual security architecture".
1759.SABSA uses a matrix of business drivers and attributes to describe the objectives of security from
an architectural perspective.
1760.BS 7799 (ISO 17799)/ISO 27002 : BS 7799 is the most widely recognized security standard in the world. It evolved into BS EN ISO 17799 in December 2000 and was later renumbered as ISO/IEC 27002. Its control clauses are :-
iii)Asset management
iv)Human resources security
v)Physical and environmental security
vi)Communications and operations management
vii)Access control
viii)Information systems acquisition, development and maintenance.
ix)Information security incident management.
x)Business continuity management
xi)Compliance
1762.Other approaches and methods may also be useful, such as other ISO standards on quality (ISO 9001:2000), Six Sigma, publications from NIST and the ISF (Information Security Forum), and the US FISMA.
1767.It may be useful to employ a combination of methods to describe the “desired state” to assist in
communications with others and as a way to crosscheck the objectives to make certain all relevant
elements are considered. For example, a combination of COBIT control objectives, CMM, balanced
scorecard and SABSA would make a powerful combination.
1768.Data migration is a set of activities that moves data from one or more legacy systems(or “source
systems”) to a new application. The purpose of data migration is to preserve core business knowledge
and make it accessible from a new application.
ii)Configuring the new application system.
iii)Importing to the database
iv)Cleansing
v)Test migrating the data.
vi)Fully migrating and deploying
1770.RBI latest key guidelines for debit & credit cards, online money transfers :-
i)International use of debit and credit cards.
ii)Second factor authentication for international transactions.
iii)NEFT, RTGS & IMPS payments.
a)Include customer induced caps on usage.
b)Monitoring and alerts.
c)Consider a dynamic factor of authentication for NEFT, RTGS & IMPS.
iv)International cards will have to be EMV Chip and PIN enabled.
v)Block card via SMS.
vi)Convert existing cards to EMV Chip.
vii)Transaction limit for magstripe international cards.
viii)Compliance norms for internet protocol based solutions.
1771.Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants.
GLOSSARY
1772.In information technology, a backup, or the process of backing up, refers to the copying and archiving of computer data so that it may be used to restore the original after a data loss event. In the grandfather-father-son scheme the youngest (most recent) file is referred to as the "son", the prior file is called the "father" and the file two generations older is the "grandfather". This backup methodology is frequently used for the master files of financial applications. It is a backup rotation scheme in which three sets of backup media are defined, viz. daily, weekly and monthly.
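The rotation just described decides, for every calendar day, which media set is written and therefore how long any given backup stays restorable before its set is overwritten. The code below is an added worked example for this revision, not from the original guide, and the policy it encodes is a constructed one: the last day of a month goes to one of 12 monthly "grandfather" sets (one per calendar month), any other Sunday to one of four rotating weekly "father" sets, and every other day to a daily "son" set keyed by weekday. The number of weekly sets is an assumption; change `WEEKLY_SETS` to match a real policy.

```python
"""Grandfather-father-son media rotation: which set a day's backup lands on,
and when that set is next overwritten (i.e. how long the backup is restorable).

Added illustration; the policy and the set counts are assumptions."""
from datetime import date, timedelta
from typing import List, Optional, Tuple

WEEKLY_SETS = 4   # assumption: four father sets, so a weekly backup survives four weeks
GRANDFATHER, FATHER, SON = "grandfather", "father", "son"


def is_month_end(day: date) -> bool:
    return (day + timedelta(days=1)).month != day.month


def gfs_slot(day: date, weekly_sets: int = WEEKLY_SETS) -> Tuple[str, int]:
    """Return (tier, media slot) for the backup taken on `day`.
    Month-end takes precedence over Sunday, so a month that ends on a Sunday
    produces a grandfather set that day, and the father set is skipped."""
    if is_month_end(day):
        return GRANDFATHER, day.month                      # 12 slots, reused next year
    if day.isoweekday() == 7:
        # consecutive Sundays are 7 days apart, so ordinal // 7 advances by one
        return FATHER, (day.toordinal() // 7) % weekly_sets + 1
    return SON, day.isoweekday()                           # Mon=1 .. Sat=6


def next_overwrite(day: date, horizon_days: int = 400) -> Optional[date]:
    """First later day whose backup lands on the same media set as `day`'s.
    Up to that date `day`'s backup is still restorable. A month-end falling on
    a weekday pushes that weekday's son slot out by a week, which this search
    accounts for because it compares actual slots rather than adding 7 days."""
    target = gfs_slot(day)
    for k in range(1, horizon_days + 1):
        later = day + timedelta(days=k)
        if gfs_slot(later) == target:
            return later
    return None


def restorable_days(day: date) -> int:
    """Number of days a backup taken on `day` remains restorable, or -1 if
    no overwrite occurs within the search horizon."""
    nxt = next_overwrite(day)
    return (nxt - day).days if nxt else -1


def schedule(start: date, n_days: int) -> List[Tuple[date, str, int]]:
    """Media plan for n_days starting at `start`: (date, tier, slot)."""
    return [(start + timedelta(days=k), *gfs_slot(start + timedelta(days=k)))
            for k in range(n_days)]


if __name__ == "__main__":
    # constructed sample window: the fortnight from Sunday 21 July 2019
    for d, tier, slot in schedule(date(2019, 7, 21), 14):
        print(d, d.strftime("%a"), tier, slot, "restorable for",
              restorable_days(d), "days")
```

Reading the plan against the RPO and retention requirements of the application is the check that matters: a daily set that is overwritten after seven days cannot satisfy a request to restore data as it stood ten days ago, and the example shows that a Monday month-end means the previous Monday's son set survives fourteen days rather than seven.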
1774.Data synchronization-DS is the process of establishing consistency among data from a source to
target data storage and vice versa and the continuous harmonization of the data over time. It is
fundamental to a wide variety of applications, including file synchronization and mobile device
synchronization.
1776.Gap analysis-A GA is a method of assessing the difference between the current performance of a business information system or software application and the business requirements, to determine whether those requirements are being met and, if not, what steps should be taken to meet them.
1777.GETS-Acronym for the Government Emergency Telecommunications Service card program (US). GETS cards provide emergency access and priority processing for voice communications services in emergency situations. GETS is a White House-directed emergency telephone service provided by a division of the Department of Homeland Security and uses enhancements based on existing commercial technology.
1778.HVAC-Acronym for heating, ventilation, and air conditioning is the technology of indoor and
vehicular environmental comfort. Its goal is to provide thermal comfort and acceptable indoor air
quality.HVAC system design is a sub-discipline of mechanical engineering.
1779.Mirroring-A process that duplicates data to another location over a computer network in real time
or close to real time. In data storage, disk mirroring is the replication of logical disk volumes onto
separate physical hard disks in real time to ensure continuous availability. It is most commonly used in
RAID-1. A mirrored volume is a complete logical representation of separate volume copies.
1780.Reciprocal agreement-An agreement whereby two organizations with similar computer systems
agree to provide computer processing time for the other in the event one of the systems is rendered
inoperable. Processing time may be provided on a “best effort” or “as time available” basis.
1781.RPO-Recovery Point Objective. In Business Impact Analysis (BIA), the RPO is the maximum acceptable amount of data loss, expressed as a period of time: the interval between the last usable copy of the data and the point of failure. Data created or updated within that interval must be re-entered or rebuilt after recovery, so the RPO dictates how frequently backups or replication must run.
1782.Hot site-A HS is a "proactive" strategy that keeps servers and a live backup site up and running in the event of a disaster. This allows an immediate cutover if disaster strikes the primary site. A hot site is a must for mission-critical systems.
1783.Warm site-A WS is another strategy, preventive in nature. A WS allows hardware to be pre-installed and bandwidth needs to be pre-configured. If disaster strikes, software and data are loaded to restore the business systems.
1784.Cold site-A CS is essentially just data centre space, power and network connectivity that is ready and waiting for whenever it is needed. If disaster strikes, engineering and logistics teams move the required hardware into the data centre and get the systems back up and running.
1785.Routing-The process of moving information from its source to a destination. It is the process of
selecting best paths in a network. In the past, the term routing also meant forwarding network traffic
among networks. However, that latter function is better described as forwarding.
1787.T-1 Line – A special type of telephone line for digital communication only. Transmission System
1 (T-1) was introduced in 1962 in the Bell system, and could transmit up to 24 telephone calls
simultaneously over a single transmission line of copper wire. The original transmission rate (1.544
Mbps) of the T1 line is in common use today in Internet service provider (ISP) connections to the
Internet.
1788.Vaulting-It is a process that periodically writes back-up information over a computer network
directly to the recovery site. It is one of the strategies of recovery planning.
INFORMATION SYSTEM FOR BANKER 14/07/19
RECOLLECTED QUESTIONS:
Caat
various controls
Seismic zone
Audit trail
Is audit policy
Stress testing
Sdlc
Tcp/ip
Poor architecture
Punishment for hacking
Oop language
Sniffing
Spoofing
System testing
2 questions from gassp
Iso 27001
Digital signature
Attenuation
Osi related questions,
Moore law
Modem/bridge which layer in osi.
Bcp
Upi
ATM, which type of txn - online
RTGS, which type of txn - real time
Non-impact printer (jet, line, dot matrix, laser)
Rdbms - null value
Fastest ram,which type
Tcl command
Sql command
Cca
Various testing
Many to many relationship, and vendor to inventory.
Repeater , where is it placed
Emergency response team
Pervasive principle in gassp.
Tuning
Switching,types of switches ,which is unidirectional.
Wdm/fdm/tdm related questions
Which DB model used in CBS
Characteristics of a table
Many to Many relationship in DB
Simple ,self,outer join
Adaptive maintenance
Multiplexing
Packet switching
Full Duplex method
Bridge,router,switch,gateway
Diff between router and switch
Function of osi model layers 5 questions
Which protocol used in banking http,smtp,tcp/ip
Real time processing
Emergency response
Mirror site and reciprocal agreement
Trojan horse
E money
INFINET
CFMS
SFMS
Spoofing, piggybacking
Pervasive principle in GASSP
Classification of control
Boundary sub system
Audit trail
Attenuation
Types of noise (cross talk)
False positive and negative
Firewall
Intrusion detection systems and tuning
In what circumstances user ID and password will be given to user(emergency access)
Remote Access
OS tasks
Travelling virus procedure
Public and private key encryption
GLOSSARY:
COMPUTER TERMINOLOGY
Firewall: Software programme that restricts unauthorized access to data and acts as security for a private network
Hard Disk: A device for storage of data fitted in the processor itself
Modem: Modulator & Demodulator: A device used for converting digital signals to analog signals & vice-versa
Virus: Vital Information Resources Under Seize: Software programme that slows down the working of a
computer or damages the data. The main source of viruses is the internet (other sources are floppies or CDs)
Vaccine: Anti Virus Software programme used for preventing entry of virus or repairing the same
Digital Sign: Authentication of electronic records by a subscriber by means of an electronic method or procedure
Key used: For digital signatures, there is a pair of keys, private key & public key
Hacking: Knowingly concealing, destroying, altering any computer code used for computer network
Address: The location of a file. You can use addresses to find files on the Internet and your computer. Internet
IMPORTANT ABBREVIATIONS
• AI – Artificial Intelligence
• Bin – Binary
• CC – Carbon Copy
• CAD – Computer Aided Design
Processing
• EXE – Executable
• FAX – Far Away Xerox / facsimile
• FDC – Floppy Disk Controller
• FDD – Floppy Disk Drive
• FORTRAN – Formula Translation
• FS – File System
• Gb – Gigabit
• GB – Gigabyte
• GIF – Graphics Interchange Format
• GSM – Global System for Mobile Communication
Disclaimer
While every effort has been made by me to avoid errors or omissions in this publication,
any error or discrepancy noted may be brought to my notice through e-mail to
aravindss1988@gmail.com which shall be taken care of in the subsequent editions. It is also
suggested that to clarify any doubt colleagues should cross-check the facts, laws and
contents of this publication with original Govt. / RBI / Manuals/Circulars/Notifications/Memo/Spl Comm. of our bank.
Blog for updates: https://iibfadda.blogspot.com/