
IIBF Certifications

Certificate Examination in
Information System Banker
(For Dec 2019 – IIBF & Other Exams)
(Updated up to 21.07.2019)

QUICK REVISION

24 HOURS SHORT NOTES BEFORE EXAM

Compiled by

Aravind S MBA, CAIIB

Page | 1
Facebook Group https://www.facebook.com/groups/iibfcertifications/
Email: aravindsss1988@gmail.com https://iibfadda.blogspot.com/ THANKS TO SRINIVAS SIR, VENKAT
About Certificate Examination in Information System Banker

IIBF Certificate Examination

OBJECTIVE
The evolution of Information Technology (IT) affects the banking environment in many significant
ways. It has changed the banking practices and altered the ways in which systems should be controlled
and it has also increased the need for well educated banking professionals in the fields of Information
Systems (IS), governance, assurance, security and control.
In the information based banking environment, banking professionals who are technically competent in
IS, or IS specialists who understand security, control and banking operations, are in great demand for
IS audit careers. The IS specialist and the IS auditor must continuously receive training to upgrade their
knowledge, skills and abilities.
The Certified Information System Banker course has been specially designed to meet the needs of IS
professionals.
This comprehensive course aims :
(i) To develop functional expertise in the areas of system identification, development, implementation
and designing.

(ii) To develop expertise in computer security, implementation of threat prevention and detection systems, and designing and testing risk mitigation strategies.
(iii) To develop skills for objective assessment of information system control, information privacy and
integrity.

(iv) To study the tools that provide assurance in the system by measuring it against four essential principles: availability, security, integrity and maintainability.
(v) To aid the bank management in developing sound information system audit, control and security functions by providing criteria for personnel selection and development.

FOR WHOM
(i) Banking professionals who are technically competent in IS, or

(ii) IS specialists who understand security, control and banking operations, or

(iii) Any banker desiring to join the IS stream.

DIPLOMA IN INFORMATION SYSTEM AUDIT (DISA)
Candidates who clear all the following three Certificate examinations under the revised syllabus will be
given a "DIPLOMA IN INFORMATION SYSTEM AUDIT (DISA)" from May 2017 :

a) Certificate Examination in IT Security (Revised Syllabus)


b) Certificate Examination in Prevention of Cyber Crimes and Fraud Management (Revised Syllabus)
c) Certificate Examination in Information System Banker (Revised Syllabus)
Candidates who clear all the above three Certificates under the revised syllabus will however have to apply for the DISA certificate by paying Rs.500/- plus taxes as applicable.
Candidates who have already cleared any or all of the above three examinations under the old syllabus, i.e. prior to May 2017, need to apply for and clear the examination under the revised syllabus to become eligible for the DISA Certificate.
ELIGIBILITY
1. Members and Non-Members of the Institute
2. Candidates must have passed the 12th standard examination in any discipline or its equivalent.

SUBJECT OF EXAMINATION
(1) Information System for Banks
PASSING CRITERIA:
Minimum marks for a pass in the subject are 60 out of 100.
EXAMINATION FEES* :
Particulars               For Members     For Non-Members
First attempt             Rs.1,000/- *    Rs.1,500/- *
Subsequent each attempt   Rs.1,000/- *    Rs.1,500/- *
PROCEDURE FOR APPLYING FOR EXAMINATION
Application for examination should be registered online from the Institute's website www.iibf.org.in.
The schedule of examination and dates for registration will be published on IIBF website.
PROOF OF IDENTITY
Non-members applying for the Institute's examinations / courses are required to attach / submit a copy of any one of the following documents containing Name, Photo and Signature at the time of registration of the Examination Application. Applications without the same shall be liable to be rejected.
1) Photo I-Card issued by Employer or 2) PAN Card or 3) Driving Licence or 4) Election Voter's I-Card or 5) Passport or 6) Aadhaar Card

STUDY MATERIAL / COURSEWARE


The Institute has developed a courseware to cover the syllabus. The courseware (book) for the subject/s
will be available at outlets of publisher/s. Please visit IIBF website www.iibf.org.in under the menu
“Exam Related” for details of book/s and address of publisher/s outlets. Candidates are advised to make full use of the courseware. However, as the banking and finance fields are dynamic, rules and regulations witness rapid changes. Therefore, the courseware should not be considered as the only source of information while preparing for the examinations. Candidates are advised to go through the updates put on the IIBF website from time to time and go through Master Circulars / Master Directions issued by RBI and publications of IIBF like IIBF Vision, Bank Quest, etc. All these sources are important from the examination point of view. Candidates are also to visit the websites of organizations like RBI, SEBI, BIS, IRDAI, FEDAI etc., besides going through other books & publications covering the subject / exam concerned. Questions based on current developments relating to the subject / exam may also be asked.
Cut-off Date of Guidelines / Important Developments for Examinations
The Institute has a practice of asking questions in each exam about the recent developments / guidelines issued by the regulator(s) in order to test whether the candidates keep themselves abreast of current developments. However, there could be changes in the developments / guidelines between the date the question papers are prepared and the dates of the actual examinations.
In order to address these issues effectively, it has been decided that:
(i) In respect of the examinations to be conducted by the Institute for the period February to July of a calendar year, only instructions / guidelines issued by the regulator(s) and important developments in banking and finance up to 31st December will be considered for the purpose of inclusion in the question papers.

(ii) In respect of the examinations to be conducted by the Institute for the period August to January of a calendar year, only instructions / guidelines issued by the regulator(s) and important developments in banking and finance up to 30th June will be considered for the purpose of inclusion in the question papers.

SYLLABUS

a) Technology in Banks

i) Banking Environment and Technology.

ii) Overview of Processing Infrastructure.

iii) Accounting Information System.

iv) Information Organisation and Management.

v) Risk associated with Technology Banking.

vi) Audit Function and Technology.

b) Technology - System, Development, Process, Implementation

i) Hardware Architecture.

ii) Software platforms - System design, development and maintenance.

iii) SDLC (Software Development lifecycle)

iv) Networking.

c) Security and Controls, Standards in Banking

i) Security - Overview of security, Architecture, Policy, Procedure, Implementation, Monitoring.

ii) Controls - Physical Controls, IT controls, Application controls, Resources and Tools.

iii) Standards - ISO, CMM, CoBIT, RBI guidelines.
d) Continuity of Business
i) Difference between CoB, BCP and DRP.

ii) CoB Plan, policy and procedures.


iii) Risk Management and Impact Analysis.

iv) Testing and implementation of CoB, BCP and DRP.

e) Overview of legal framework

i) IT Act, Intellectual Property Right, Copyright.

f) Security policies, procedures and controls

i) Management Control Framework.

ii) Development and review of security policies and controls standards.

iii) Compliance and incident handling.

iv) Network security.

v) Security implemented by operating system and databases, Hardware and Software.

vi) Network components.

g) IS Review - Methodology and Approach

i) IS Audit as review of IS management function.

ii) Review of Human Resources Management Function, Technology Management Function, Data Management Function, Application Management Function, Facilities Management Function.


iii) Audit Standards.

iv) Audit Organisation and Management.

v) Audit in computerised environment.

vi) Risk based audit.

vii) Substantive and compliance review.

Use of CAATs - use of general audit software

INDEX
S.No Contents Page No
01 MODULE A 008
02 MODULE B 029
03 MODULE C 066
04 MODULE D 085
05 MODULE E 090
08 Additional Information 064
09 Recollected Questions 170
10 Glossary 174

MODULE A-TECHNOLOGY IN BANKS

CHAPTER-1-BANKING ENVIRONMENT AND TECHNOLOGY


1.The first revolution was the Agrarian Revolution more than 7000 years ago when man started
farming as an activity for sustenance.

2.The second revolution was the Industrial Revolution in the 18th century which enabled man to
use machines for bulk production and faster economic growth.

3.Towards the middle of 20th Century, computers were developed as a means of expediting almost all
the functions which man was doing himself.

4.Computer and communication technology enabled the third revolution which is the Information
Revolution.

5.The Information Revolution has enabled the transformation of the world into a global village.

6.Book written by Thomas Friedman – The World is Flat.

7.The Information Technology can be described as : Input-->Process-->Output

8.AELPM : Advanced Electronic Ledger Posting Machines

9.TBA : Total Branch Automation

10.LAN : Local Area Network

11.TBA is based on LAN.

12.WAN : Wide Area Network

13.CBS : Core Banking Solution

14.ATM : Automated Teller Machine

15.CBS and ATM networks are based on WAN.


16.The Central Vigilance Commission directed banks to achieve cent per cent computerisation before 31st December 2004.

17.DC : Data Centre

18.DR :Disaster Recovery

19.The terms like “Anytime” and “Anywhere” banking have become a reality by networking the
branches through CBS and WAN.

20.Alternative delivery channels – Internet Banking, Tele-Mobile-Banking and ATM network.

21.The Liberalisation era, which dawned on the recommendations of the Narasimham Committee, ushered in the new generation, which led to a high level of service enabled by technology.

22.Innovation in technology and the worldwide revolution in Information and Communication Technology(ICT) emerged as dynamic sources of productivity growth.

23.'Core Banking' means the entire data & information of the customers along with the transactions get centralized at a “Core Server”, with all branches networked to the central server through a mesh of leased data communication lines.

24.AAA : Anywhere, Anytime and Anyhow(through multiple delivery channel) Banking offered by
CBS

25. Benefits for the bank in CBS :-


i)Flexible, scalable and innovative technology infrastructure that will provide the business agility to
respond to the changing market dynamics.
ii)A customer centric infrastructure that enables bank to substantially increase existing customer service
levels with increased ability to attract new customers.
iii)Technology enables the bank to take care of the day-to-day operations allowing the employees to do
their core business, i.e. banking business as well as marketing their banking products.
iv)The bank can centralize many of its non-financial operations like generating statement of accounts,
cheque book requests, stop cheque instructions, back office operations like inward & outward clearing
etc.

26.VDI : Virtual Display Infrastructure

27.As the entire data of a bank resides at one place, viz the Data Centre(DC), there is concentration risk.

28.To avoid concentration risk, another similar DC called the Disaster Recovery site(DR Site) is set up
in different seismic zone.

29.NAP : Network Aggregation Point

30.The branches are linked to both DC & DR through a web of communication lines. Redundancy is provided at every stage in the form of dial-up ISDN lines as a backup for leased lines, with the city NAP being connected to both DC & DR.

31.MIS : Management Information System

32.BI : Business Intelligence

33.ERP : Enterprise Resource Planning

34.With the implementation of CBS, the bank should be in a position to have a 360 degree view of its
business as well as the customers.

35.UAT : User Acceptance Test

36.The steps involved in CBS implementation are as follows :-


i)Requirement study and gap analysis.
ii)Training the users and parameterization.
iii)User Acceptance Tests(UAT)
iv)Implementation & maintenance.

37.Requirement study and gap analysis : A proper study is to be done at this stage to identify the
requirements of bank vis-a-vis the functionality and features of software.

38.Training the users and Parameterization : The advantage would be that for any small additional
requirement or modification, there is no need to write or modify the code. User involvement is
necessary at the parameterization stage also. Therefore, with the parameterization, the system could be
expected to perform in accordance with the requirements of users.

39.UAT : User Acceptance Test. Testing is one of the most important phases before rolling the solution out to production. After setting the parameters in the system, the functionalities should be tested against test cases. The test cases are based on functional requirements.

40.Once the UAT is carried out successfully, the software is ready for installation. From a Governance and Security point of view, it has to be ensured that there are three distinct environment set-ups :
i)Development/Customization
ii)Testing
iii)Live environment(also called production)

41.Migration to a centralized system has improved efficiency, availability and convenience of banking.

42.Before the advent of CBS, for any electronic based service or product, banks had to identify/develop a software or system which could support that particular product or service. This resulted in banks having a number of disparate and dispersed systems.

43.In CBS, the database is updated on-line in real time basis.

44.A proper disaster recovery mechanism gives many benefits to banks such as:-
i)The load between the Data Centre(DC) and Disaster Recovery(DR) servers is always shared
ii)The DR servers constantly get tested for their availability
iii)The network connecting bank branches to the DR centre also gets tested for its availability.

CHAPTER-2-OVERVIEW OF PROCESSING INFRASTRUCTURE


1.The dependency on technology has led to various challenges and issues like frequent changes or
obsolescence, multiplicity and complexity of Systems and Processes.

2.An IT Policy needs to be framed for secure management of IT Systems and processes, detailed
documentation in terms of procedure and guidelines. The policy is reviewed annually.

3.A working group constituted by RBI on Information Security, Electronic Banking, Technology Risk
Management and Cyber frauds submitted its report in January 2011.

4.The report of working group of RBI on Information Security, Electronic Banking, Technology Risk
Management and Cyber frauds has been published in April 2011.

5.As a latest development, RBI has started the process of setting up an IT Subsidiary in 2016.

6.The IT Subsidiary mainly deals with IT and Cyber Security, and IT Audit in all the RBI regulated
Financial Institutions in the Country.

7.IT strategy, as a framework, provides feedback to IT Operations on the services to be supported and
their underlying business processes and prioritisation of these services etc.

8.A well defined IT Strategy framework will assist IT Operations in supporting IT services as required
by the business and defined in OLA/SLAs.

9.IT Strategy processes provide guidelines that can be used by banks to design, develop, and implement
IT Operations not only as an organisational capability but as a strategic asset.

10.IT Operation Processes under IT Strategy :
a)Financial Management
b)Service Valuation
i)Provisioning value
ii)Service value potential
c)Portfolio Management
d)Demand Management

11.Financial Management :-It provides mechanisms and techniques to IT operations to quantify, in financial terms, the value of IT services it supports, the value of assets underlying the provisioning of these services, and the qualification of operational forecasting.

12.Advantages in implementing Financial Management process are :-


i)Assists in decision-making
ii)Speed of changes
iii)Service Portfolio Management
iv)Financial compliance and control
v)Operational control
vi)Value capture and creation

13.Service Valuation :-It is the mechanism that can be considered by banks to quantify services, which
are available to customers(internal or external) and supported by IT operations in financial terms.

14.Financial Management uses Service Valuation to quantify financial terms, value of IT services
supported by IT operations.

15.Combined with Service Level Management, Service Valuation is the means to a mutual agreement
with business, regarding what a service is, what its components are, and its cost and worth.

16.Service Valuation will have two components, these being :


i)Provisioning Value
ii)Service Value Potential

17.Provisioning Value : The actual underlying cost of IT, related to provisioning a service, including all fulfilment elements, tangible and intangible. This cost element includes items such as :-
a)Hardware and software license cost
b)Annual maintenance fees for hardware and software
c)Personnel resources used in the support or maintenance of the services
d)Upgrades/service patches/enhancement patches
e)Utilities, data centre or other facilities charge
f)Taxes, capital or interest charges
g)Compliance costs.

18.Service Value Potential : SVP is the value-added component based on a customer's perception of
value from the service or expected marginal utility and warranty from using the services in comparison
with what is possible using the customer's own assets.

19.Portfolio Management : It provides guidelines that can be considered by banks for governing investments in service management across an enterprise and managing them for value. Portfolio management contains information for all existing services, as well as every proposed service, including those in the conceptual phase.

20.Demand Management : The DM process provides guidelines which can be used by banks to understand the business processes IT operations supports, and to identify, analyse and codify patterns of business activities to provide a sufficient basis for capacity requirements.

21.PBA : Patterns of Business Activities

22.One of the very early and widely used Payment Processing System is the clearing of cheques.

23.STP : Straight Through Processing

24.STP : With the advent of technology, many other new methods and products for payment and settlement have evolved. It is now possible to carry out the transactions between the entities involved in a totally automated manner, without any manual intervention. These kinds of transactions, where there is no manual intervention, are called Straight Through Processing.

25.Based on the payment system vision document, policies are framed and strategies devised to
implement them.
26.Safety, security, soundness and efficiency assume critical importance in RBI's policy.

27.Payment and Settlement Systems in India : Vision-2018 dated 23/06/2016

28.Previous payment system vision document of RBI is for the period 2012-15.

29.Under the Payments and Settlement System Act, 2007, any existing or proposed payment system
will have to obtain authorization from RBI.

30.Under the Payments and Settlement System Act, 2007, any existing or proposed payment system
will have to obtain authorization from RBI with effect from 12th August 2008.

31.Implementing grid based clearing, standardizing security features on cheque leaves to enable
Straight Through Processing(STP).

32.NECS – National Electronic Clearing Service

33.RECS – Regional Electronic Clearing Service

34.MICR – Magnetic Ink Character Recognition

35.India Pay, POS Switch and Mobile Payments Settlement Network were started by NPCI

36.ECS is an electronic mode of funds transfer from one bank account to another bank account.

37.ECS system involves exchange of files and data among banks in electronic form.

38.ECS system is used for transactions that are repetitive in nature, e.g. EMI, SIP etc.

39.ECS is used by institutions for making bulk payment of amounts towards distribution of dividend,
interest, salary, pension etc or for bulk collection of amounts towards telephone/electricity/water dues,
tax collections, loan instalment repayments, periodic investments in mutual funds etc.

40.ECS can be either ECS credit, where the originating bank sends credit entry for credit to large
number of beneficiaries having accounts with various bank branches.

41.ECS Debit, where the customer mandates the bank to pay towards utilities, EMI, SIP etc from
customer's account and one consolidated credit entry is passed to the beneficiary.

42.Re-run of ECS for failed ECS debits depends on bank's policy.

43.If an ECS fails or bounces, it will have the same fines/penalties that would have for a bounced
cheque.

44.ECS – Electronic Clearing Service

45.NECS – National Electronic Clearing Scheme

46.NECS has been launched in October 2008

47.On an average around 20 million ECS transactions are processed each month.

48.CTS – Cheque Truncation System

49.Cheque truncation is the process in which the physical movement of a cheque within a bank, between banks or between banks and the clearing house is curtailed or eliminated, being replaced in whole or in part by electronic records of its content(with or without the images) for further processing and transmission.

50.The term truncate means to remove an original paper cheque from the cheque collection or return
process and send to a recipient, in lieu of such original paper cheque, a substitution cheque or, by
agreement, information relating to the original cheque(including data taken from the MICR line of the
original cheque or an electronic image of the original cheque), whether with or without subsequent
delivery of the original paper cheque.

51.In cheque truncation with the image, data on the MICR band, date of presentation, presenting bank,
etc is also sent.

52.Truncation brings along efficiency, cost reduction and speed, and also minimizes the frauds, losses etc. that are associated with physical cheques.

53.In India, CTS has been implemented in National Capital Region(NCR) since 1st July, 2009.

54.Amendments to the N.I.(amendments & misc provisions) Act 2002 provide legal status as follows :- A “Cheque” is a bill of exchange drawn on a specified banker and not expressed to be payable otherwise than on demand, and it includes the electronic image of a truncated cheque and a cheque in the electronic form(section 6 of the act), with subsequent sections relevant to payment of such cheques.

55.RTGS : Real Time Gross Settlement

56.NEFT : National Electronic Fund Transfer

57.RTGS/NEFT are electronic payment systems which were started in the year 2004.

58.RTGS/NEFT enable transfer/remittance of funds electronically across banks through a Straight Through Process(STP) without any manual intervention.

59.DNS : Deferred Network System

60.NEFT is an electronic fund transfer system that operates on a Deferred Network System(DNS) basis, which settles transactions in batches. In DNS, the settlement takes place with all transactions received till the particular cut-off time. In NEFT these transactions are netted (payables against receivables).

61.NEFT operates in hourly batches. There are 12 settlements from 8 am to 7 pm on week days and 6
settlements from 8 am to 1 pm on Saturdays.

61.In RTGS the transactions are settled individually. In the RTGS transactions are processed
continuously throughout the RTGS business hours.

62.RTGS is meant for inter bank transfer of funds and also for larger amounts, above Rs.2 lakh per remittance, effective from April 2010.

63.RTGS settlement is managed by RBI through CCIL(Clearing Corporation of India Ltd.).

64.NEFT is mainly meant for B2B, B2C, C2C remittances. The remittances and relative messages are
pooled, transmitted in batch mode and settled periodically on a 'Net basis'.
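The netting described in items 60 to 64, as an added Python illustration that is not part of these notes: a constructed batch of interbank remittances is settled once on a net basis (the DNS/NEFT model) and once transfer by transfer (the RTGS model), with a zero-sum check on the net positions as the integrity control a settlement system must enforce. Bank names and amounts are placeholders.

```python
"""Net (DNS/NEFT) versus gross (RTGS) settlement of one constructed batch.

Added illustration, not from the IIBF notes. NEFT accumulates remittances
until the cut-off and settles the netted positions; RTGS moves funds for
every remittance individually. The batch and bank names are constructed.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed batch: (sender bank, receiver bank, amount in rupees)
BATCH = [
    ("BANK_A", "BANK_B", Decimal("150000")),
    ("BANK_B", "BANK_A", Decimal("90000")),
    ("BANK_A", "BANK_C", Decimal("40000")),
    ("BANK_C", "BANK_B", Decimal("250000")),
    ("BANK_B", "BANK_C", Decimal("30000")),
]


def gross_settlement(batch):
    """RTGS model: each transfer settles on its own, so the liquidity a
    bank must hold is the sum of everything it sends in the period."""
    outflow = defaultdict(Decimal)
    for sender, _receiver, amount in batch:
        outflow[sender] += amount
    return dict(outflow)


def net_settlement(batch):
    """DNS model: payables and receivables are netted per bank across the
    batch. Negative = net payer, positive = net receiver at the cut-off."""
    position = defaultdict(Decimal)
    for sender, receiver, amount in batch:
        position[sender] -= amount
        position[receiver] += amount
    return dict(position)


def positions_balance(position):
    """Netting must be zero-sum: the settlement run neither creates nor
    destroys money. A non-zero total means a corrupted or tampered batch."""
    return sum(position.values(), Decimal(0)) == 0


def liquidity_required(batch):
    """Rupees that must actually be funded: all outflows under gross
    settlement versus only the net payers' shortfalls under netting."""
    gross_total = sum(gross_settlement(batch).values(), Decimal(0))
    net_total = sum(-v for v in net_settlement(batch).values() if v < 0)
    return gross_total, net_total


if __name__ == "__main__":
    print("gross outflows:", gross_settlement(BATCH))
    print("net positions:", net_settlement(BATCH))
    print("zero-sum check:", positions_balance(net_settlement(BATCH)))
    print("liquidity (gross, net):", liquidity_required(BATCH))
```

Under netting only Rs.2,80,000 has to be funded by the net payers for this batch, against Rs.5,60,000 of gross outflows, which is why a DNS batch trades settlement immediacy for liquidity saving.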

65.There is no restriction on the minimum or maximum amount that can be remitted through NEFT.

66.Payment and settlement systems(including RTGS & NEFT) in India are regulated by the Payment
and Settlement Systems Act, 2007(PSS Act), legislated in December 2007.

67.NPCI has launched IMPS

68.NPCI : National Payment Corporation of India

69.IMPS: Immediate Payment Service

70.NPCI conducted successfully a pilot study on the mobile payment system with the banks like SBI,
BOI, UBI and ICICI in August 2010.

71.IMPS public launch happened on 22nd November 2010.

72.IMPS offers an instant, 24x7, interbank electronic fund transfer service through mobile phones.

73.IMPS is an emphatic tool to transfer money instantly within banks across India through mobile,
internet and ATM which is not only safe but also economical.

74.UPI : Unified Payment Interface

75.Introduced by NPCI in April 2016, the Unified Payment Interface is intended to enable peer-to-peer
immediate payment via a single click two factor authentication process.

76.AEPS : Aadhaar Enabled Payment System

77.UPI will use existing systems such as IMPS and AEPS to ensure seamless settlement across
accounts.

78.It would facilitate push(pay) and pull(receive) transactions and even work for over-the-counter or
barcode payments as well as for multiple recurring payments such as utility bills, school fees, other
subscriptions.

79.BBPS : Bharat Bill Payment System

80.BBPS, run by NPCI at the behest of RBI, is an integrated bill payment system in India offering interoperable and accessible bill payment service to customers through a network of agents, enabling multiple payment modes and providing instant confirmation of payment.

81.Based on the RBI's Payment system vision document, GOI enacted the Payment and Settlement Act,
2007(Act 51 of 2007). The Act received the assent of the President on 20th December 2007 and it came
into force w.e.f. 12th August 2008.

82.RBI is authorized to oversee payment and settlement system.

83.The Board for Regulation and Supervision of payment and settlement systems(BPSS) is the apex
body for regulation and supervision of payment systems in the country.

84.The general principles of BPSS of RBI are :


a)Transparency
b)International standards
c)Effective powers and capacity
d)Consistency and
e)Co-operation with other authorities

84.The RBI is authorized under the Act to constitute a Committee of its Central Board known as the
Board for Regulation and Supervision of payment and settlement systems(BPSS), to exercise its
powers and perform its functions and discharge its duties under this statute.

85.The Act also provides the legal basis for 'netting' and 'settlement finality'.

86.In India, other than the Real Time Gross Settlement(RTGS) system all other payment systems
function on a net settlement basis.

87.As banks move towards implementing CBS, a structure of three Back Offices can be implemented. This comprises :-
a)Branch Back Office(BBO)
b)City Back Office(CBO)
c)National Back Office(NBO)

88.The BBO is located within the branch premises, but preferably located in an area not visible to
customers.

89.The CBO is nothing but an expanded form of the Service Branch or Main Branch in each city,
which already handles certain activities such as clearing and payment of demand drafts.

90.The CBO would normally handle :-


Processing of outstation cheques for collection
a)Inward clearing
b)Outward clearing
c)Activities such as printing and mailing customer intimations
d)TDS deductions and remittances etc.
e)Validations of Account Opening formalities eg. KYC norms
f)Attending to non-financial instructions eg. Issuance of Cheque books, ATM cards and
Internet/Telebanking passwords.
g)Statement printing and mailing
h)Cash management responsibilities

91.The NBO will handle those back office activities that are optimally handled centrally at one location
for the Bank as a whole with a view to obtaining economies of scale.

92.The NBO need not be located in the Head Office of the Bank-ideally, the NBO should be in a low
cost location with good data communications and logistics facilities.

93.Ideally, the NBO should be in a low cost location with good data communications and logistics
facilities.

94.Ideally the Trade Finance Division should be at NBO.

95.The local clearing has to be handled only at CBO.

96.Activities proposed at the City Back Office(CBO):-

a)Inward clearing
b)Outward clearing instruments
c)Processing of upcountry cheques for collection
d)Account opening & scanning of signatures for new accounts.
e)Payment of demand drafts drawn on the city
f)Retail loan application processing
g)Document and PDC storage
h)ATM operations
i)Establishment
j)TDS(back office activities)
k)Printing

97.RLPC : Retail Loan Processing Cell

98.Activities proposed for the National Back Office(NBO):-

a)ATM/Debit/Credit card personalization and issuance
b)Interest rates, charges and forex rates updation
c)RTGS
d)Execution/monitoring of interest and charges
e)Quarter end batch jobs on the system
f)Periodic archival and purge of data

99.The BBO has to be within the branch premises, preferably in a location not visible to customers.

100.The logistics of paper cheque movement from the branches and physical proximity to the clearing
house would dictate the location of the CBO.

101.The NBO is typically located close to the Data Centre. However, this is not mandatory; all the NBO
needs is a high speed link to the Data Centre.

CHAPTER-3-ACCOUNTING INFORMATION SYSTEM

102.AIS : Accounting Information System

103.An AIS is a system for the collection, storage and processing of financial and accounting data that is
used by decision makers; in banking it is used by the different members of Senior Management for
taking appropriate decisions.

104.An AIS is generally a computer based method for tracking accounting activity in conjunction with
information technology resources.

105.In the computerized environment accounting records are kept in computer files, which are of three
types, namely (i)master file, (ii)parameter file and (iii)transaction file.

106.TPS : Transaction Processing Systems

107.TPS is actually an AIS.

108.Every transaction processing system has three components-input, processing and output.

109.GIGO : Garbage in Garbage out

110.There are two types of TPS – Batch processing and Online processing.

101.Accounting information systems are composed of six main components :-

i)People
ii)Procedures and instructions
iii)Data
iv)Software application
v)Information technology infrastructure
vi)Internal controls and security measures

102.Today accounting information systems are more commonly sold as prebuilt software packages
from vendors such as Microsoft, Sage Group, SAP and Oracle, which are configured and
customized to match the organization's business processes.

103.ERP=Enterprise Resource Planning

104.In an ERP system, the accounting information system is built as a module integrated into a suite
of applications that can include manufacturing, supply chain and human resources.

105.With the ubiquity of ERP for business, the term “accounting information system” has become
much less about pure accounting (financial or managerial) and more about tracking processes across all
domains of business.

106.Modern AIS typically follows a multi tier architecture separating the

i)Presentation to the user,
ii)Application processing and
iii)Data management in distinct layers

107.The Presentation Layer manages how the information is displayed and viewed by functional
users of the system(through mobile devices, web browsers or client application).

108.The Application Layer retrieves the raw data held in the database layer, processes it based on the
configured business logic and passes it on to the presentation layer for display to the users.

109.Reporting is a major tool for organizations to accurately see summarized, timely information used
for decision making and financial reporting.

110.Consolidation is one of the greatest hallmarks of reporting, as people do not have to look through
an enormous number of transactions.

111.The steps necessary to implement a successful accounting information system are as follows :-
i)Detailed Requirement Analysis
ii)Systems Design
iii)Documentation
iv)Testing
v)Training
vi)Data Conversion
vii)Launch
viii)Support

CHAPTER-4-INFORMATION ORGANIZATION AND MANAGEMENT

112.The term “MIS” arose to describe applications that provide managers with information and other
data that help in managing performance and enable Senior Management to plan appropriately for the
growth of the banks.

113.ERP : Enterprise Resource Planning

114.EPM : Enterprise Performance Management

115.SCM : Supply Chain Management

116.CRM : Customer Relationship Management

117.Third era (Client/Server) : Computers on a common network were able to access shared
information on a server.

118.Fourth era(Enterprise) : Enabled by high speed networks, tied all aspects of the business enterprise
together offering rich information access encompassing the complete management structure.

119.Fifth and latest era (Cloud computing) : Information systems employ networking technology to
deliver applications as well as data storage independent of the configuration, location or nature of the
hardware.

120.MIS : involve three primary resources – people, technology, and information or decision making.

121.The development and use of MIS has certain fundamental concepts which are the information
concept, the information management concept, the information system concept and the management
information concept.

122.Langemo in 1980 defines Information Management as the organization-wide capability of creating,
maintaining, retrieving and making immediately available the right information, in the right place, at
the right time, in the hands of the right people, at the lowest cost, in the best media, for use in decision
making.

123.Best in 1988 defines Information Management as the economic, efficient and effective
co-ordination of the production, control, storage and retrieval and dissemination of information from
external and internal sources, in order to improve the performance of the organization.

124.Information System is a system for accepting data/information as a raw material and through one
or more transmutation processes, generating information as a product.

125.Information System comprises the functional elements which relate to an organization and its
environments :- perception, recording, processing, transmission, storage, retrieval, presentation and
decision making.

126.Perception : Initial entry of data whether captured or generated, into an organization.

127.Recording : Physical capture of data.

128.Processing : Transformation according to the “specific” needs of an organization.

129.Transmission : the flows which occur in an information system.

130.Storage : Presupposes some expected future use.

131.Retrieval : Access for recorded data.

132.Presentation : Reporting, communication

133.Decision making : A controversial inclusion, except to the extent that the information system
engages in decision making that concerns itself.

134.Planning, directing, and controlling are the essential ingredients for “management”.

135.The processing of data into information and communicating the resulting information to the user is
the key function of MIS.

136.Users in banks constantly require various reports for (i) monitoring, (ii) analytical and
(iii) action-oriented purposes.

137.SQL : Structured Query Language

138.Data Warehouse is a relational database that is designed for query and analysis rather than for
transaction processing. It is the main repository of an organization's historical data, its corporate
memory.

139.A data warehouse contains the raw material for management's decision support system.

140.A data warehouse can be defined as a single, complete and consistent store of data from various
sources, which facilitates providing information to the end-users in the form required by them to be
used in the context of business.

141.Operational systems are optimized for simplicity and speed of modification through heavy
use of database normalization and an entity-relationship model – Online Transaction
Processing(OLTP).

142.The data warehouse is optimized for reporting and analysis – Online Analytical
Processing(OLAP).

143.In setting up the Data Warehouse, three distinct steps are involved. They are called
ETL (Extraction, Transformation & Loading).

144.Data Transformation involves converting data from the source systems in a consistent, managed
and well understood manner. This involves integration, conversion and summarization.

145.In Data Warehouse, the following three strategies are considered :-

(i)Loading data already archived
(ii)Loading data from the existing applications
(iii)Incrementing data from the on-line processing systems.

146.DW is static in nature.

147.DW provides the historical and factual position and analytics for marketing, customer acquisition,
business growth etc. It enables Data Mining capabilities.

148.There are many advantages of using a data warehouse, some of them are :-
(i)Enhances end-user access to a wide variety of data.
(ii)Business decision makers can obtain various kinds of trend reports e.g. the item with the most sales
in a particular area/country for the last two years.

149.Online Analytical Processing answers many of the questions relating to the trends, growth,
customer segmentation etc. in a bank.

150.Transaction Processing is primarily enabled for facilitating transactions through the various
delivery channels.

151.Transaction processing vis-a-vis analytical processing :-

Characteristic      | OLTP                                  | OLAP
Objective           | Record transactions, update           | Analyse
Time period         | Current, data is dynamic              | Current, historic, static data
System requirements | Fast response, enterprise-wide access | Response need not be fast; access to only a few
Type of data        | Detailed                              | Summarized form

152.The functions of management can be grouped into five areas :- planning; decision making;
organizing and coordinating; leadership and motivation; and control.

153.The characteristics of MIS in practice include :-

i)An information focus, designed for managers in an organization;
ii)Structured information flow;
iii)An integration of data processing jobs by business function, such as production MIS, personnel
MIS and so on; and
iv)Inquiry and report generation, usually with a database.

154.ADF : Automated Data Flow

155.Common end state : the state of complete automation for submission of returns without any manual
intervention.

156.There are four key processes for 'common end state' :-

i)data acquisition
ii)data integration and storage
iii)data conversion and
iv)data submission

157.CDR : Central Depository Resource

CHAPTER-5-RISK ASSOCIATED WITH TECHNOLOGY IN BANKING
158.Given the increasing reliance of customers on electronic delivery channels to conduct transactions,
any security related issues have the potential to undermine public confidence in the use of e-banking
channels and lead to reputation risks to Banks.

158.Inadequate technology implementation can also induce strategic risks in terms of strategic
decision making based on inaccurate data/information.

159.Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal
requirements arising out of the use of I.T. These issues ultimately have the potential to impact the
safety and soundness of a bank and in extreme cases may lead to systemic crisis.

160.The Risk Management Principles fall into three broad and often overlapping categories of issues
that are grouped to provide clarity : Board and Management Oversight; Security Controls; and Legal
and Reputational Risk Management.

161.The Board of Directors and Senior Management are responsible for developing the institution's
business strategy.

162.The activities of fraud prevention, monitoring, investigation, reporting and awareness creation
should be owned and carried out by an independent fraud risk management group in the bank. The
group should be adequately staffed and headed by a senior official of the bank, not below the rank of
General Manager/DGM.

163.Fraud review councils should meet at least every quarter to review fraud trends and preventive
steps taken that are specific to that business function group.

164.No new products or processes should be introduced or modified in a bank without the approval of
control groups like compliance, audit and fraud risk management groups.

165.Banks should put in place automated systems for detection of frauds based on advanced statistical
algorithms and fraud detection techniques.

166.In case of credit card frauds, some banks follow the practice of reporting the frauds net of
chargeback credit received, while others report the amount of the original transactions.

167.In a shared ATM network scenario, when the cards of one bank are used to perpetrate a fraud
through another bank's ATM, it is the acquiring bank that should report the fraud. The acquiring bank
should solicit the help of the issuing bank in recovery of the money.

CHAPTER-6-AUDIT FUNCTION AND TECHNOLOGY


168.Auditing is a systematic and independent examination of information systems environments to
ascertain whether the objectives set out to be achieved have been met or not.

169.Auditing is also described as a continuous search for compliance.

170.An Audit Charter/Audit Policy is a document which guides and directs the activities of the
internal audit function; the IS Audit function should also be governed by the same Audit Policy.

171.The audit policy should be documented to contain a clear description of its mandate, purpose,
authority and accountability (of relevant members/officials in respect of IS Audit, i.e. IS Auditors, audit
management and the audit committee) and the relevant operating principles.

172.An audit charter/audit policy should be approved by the Board of Directors.

173.IS Audit Policy/Charter should be subjected to an annual review.

174.The IS Auditor should consider establishing a quality assurance process e.g. interviews, customer
satisfaction surveys, assignment performance surveys etc.

175.Banks need to carry out IS Audit planning using the Risk Based Audit Approach(RBAA).

176.The RBAA approach involves aspects like IT operational risk assessment methodology, defining
the IS Audit Universe, scoping and planning the audit, execution and follow-up activities.

177.The IS Audit Universe : can be built around the four types of IT resources and various IT processes:
application systems; information or data; infrastructure (technology and facilities like
hardware, operating systems, database management systems, networking, multimedia etc. and the
environment that houses and supports them, which enable the processing of the applications); and people
(internal or outsourced personnel required to plan, organize, acquire, implement, support, monitor and
evaluate the information systems and services).

178.The IS Auditor must define, adopt and follow a suitable risk assessment methodology.

179.The IS Audit Head is responsible for the annual IS Audit Plan which is required to be prepared
based on the scope document and risk assessment.

180.IT governance, information security governance related aspects, critical IT general controls like
data centre controls and processes, and critical business applications/systems having financial/compliance
implications, including MIS and regulatory reporting systems and customer access points (like delivery
channels), need to be audited at least once a year (or more frequently, if warranted by risk assessment).

181.CAAT : Computer Aided Audit Tools

182.CAAT : may be used effectively in areas such as detection of revenue leakage, assessing impact of
control weaknesses, monitoring customer transactions under AML requirements and generally in areas
where a large volume and value of transactions are reported.

183.Suitable “read only” access rights should be provided to the auditors for enabling use of CAATs.

184.In order to provide assurance to management and regulators, banks are required to conduct a
quality assurance at least once in every three years on the Bank's Internal Audit, including the IS Audit
function, to validate the approach and practices adopted by them in discharging their responsibilities
as laid out in the Audit Policy.

185.Accreditation and empanelment of IS Audit qualifications/certifications and IS Audit vendors/firms
can be considered by the Govt. of India.

186.A far advanced IS Audit is also regularly conducted for various critical IT units including Bank's
Data Centre and Disaster Recovery Site(DC & DRS).

MODULE-B -TECHNOLOGY-SYSTEM, DEVELOPMENT,
PROCESS, IMPLEMENTATION

CHAPTER-7-HARDWARE ARCHITECTURE
187.Computers can be generally divided into two categories, i.e. Small Computers and Large Computers.

188.Small Computer – Micro computer or Personal Computer(PC)

189.Large Computers – Workstation, Servers, Main Frame Computer and Super Computer

190.Personal Computer(PC) – A PC refers to any independent(stand-alone) computer that is fully
equipped with a central processing unit, memory, storage, software and other utilities.

191.Today single user computers are basically categorized as Apple Macintoshes and PCs.

192.The principal characteristics of personal computers are that they are single-user systems and are
based on microprocessors.

193.High-end models of Macintosh and PC offer the same computing power and graphics capability as
low-end workstations by Sun Microsystems, Hewlett-Packard and DEC.

194.Because of the shape of the Desktop Model, these computers are generally limited to three internal
mass storage devices.

195. Desktop Models designed to be very small are sometimes referred to as slim line models or thin
clients.

196.A Notebook Computer is also known as a laptop computer.

197. Notebook Computers use a variety of techniques, known as flat-panel technologies to produce a
lightweight and non-bulky display screen.

198.Hand-held computers are designed to cater to applications, which require mobility, smart card
interface and modem connectivity. These devices, in addition to normal features also have finger print
reading devices, so that even illiterate persons can also be served.

199.The field of PDA was pioneered by Apple Computer, which introduced the Newton Message Pad
in 1993.

200.The Indian Govt. has come out with a very cost-effective tablet PC called Akash. It is targeted at
the student community. It is priced at about Rs.2500/- per piece, which is less than one-tenth of the
price of a commercial tablet PC.

201.Workstation – It is a type of computer used for engineering applications(CAD/CAM), desktop
publishing, software development and other types of applications that require a moderate amount of
computing power and relatively high quality graphic capabilities.

202.Workstations come in both versions : with a disk drive and diskless.

203.The most common operating systems for workstations are UNIX and Windows NT.

204.Minicomputer- is a medium or moderate sized computer.

205.In terms of power, minicomputers are in between mainframes and microcomputers.

206.The trend towards minicomputers was started by HP and DEC in the early 1970s.

207.In general a minicomputer is a multiprocessing system capable of supporting up to 200 users
simultaneously.

208.Mainframe – a mainframe computer is a large and fast computer with superior data processing
capabilities.

209.IBM led the development of mainframe computers during the late 1950s

210.Mainframe computers are usually installed in very large organizations such as military service and
weather bureaus.

211.The term mainframe originally referred to a cabinet containing the central processor unit or
“mainframe” of a room-filling Stone Age batch machine.

212.The main difference between a super computer and a mainframe is that a supercomputer channels
all its power into executing a few programs as fast as possible, whereas a mainframe uses its power to
execute many programs concurrently.

213.Supercomputer – They are usually used to deal with complicated computations e.g. weather
forecasting and scientific research requiring massive calculations within a short period of time. Other
uses are scientific simulations, animated graphics, fluid dynamic calculations, nuclear energy research,
electronic design and analysis of geological data e.g. in petrochemical prospecting.

214.Input output devices – The I/O devices form the bridge between the user and the central processing
unit.

215.The most common keyboards are :-

i)101 key enhanced keyboard
ii)104 key windows keyboard
iii)82 key apple standard keyboard
iv)108 key apple extended keyboard

216.A typical keyboard has four basic types of keys :-

i)Typing keys
ii)Numeric keypad
iii)Function keys
iv)Control keys

217.Smart card – A smart card is a small electronic device about the size of a credit card that contains
electronic memory and possibly an embedded Integrated Circuit(IC).

218.Smart cards containing an IC are sometimes called Integrated Circuit Cards(ICCs).

219.Smart cards are used for a variety of purposes including storing a patient's medical records, storing
digital cash and generating network IDs.

210.Pen – A Pen computer is a computer that utilizes an electronic pen(called a stylus) rather than a
keyboard for input.

211.Stylus – It is a pointer, a drawing device shaped like a pen. It can be used with a digitizing tablet or
touch screen.

212.CRT : Cathode Ray Tube

213.LCD : Liquid Crystal Display

214.LED : Light Emitting Diode

215.Most desktop monitors use a CRT, while portable computing devices such as laptops incorporate
LCD, LED, gas plasma or other image projection technology.

216.If the CRT monitor has a refresh rate of 72 Hertz(Hz), then it cycles through all the pixels from top
to bottom 72 times a second.

217.Refresh rates are very important because they control flicker.

218.Lower refresh rates can lead to flicker and thereby headaches and eyestrain.

219.Televisions have a lower refresh rate than most computer monitors. To help adjust the flicker rate,
a technique called interlacing is used.

220.Interlacing : This means the electron gun in the television's CRT will scan through the odd rows
from top to bottom and then start again with the even rows. The phosphors hold the light long enough
so that the human eyes are tricked into thinking that all the lines are being drawn together.

221.A tape is a magnetically coated strip of plastic on which the data can be encoded. Tapes are
sequential-access media.

222.Disks are random-access media because a disk drive can access any point at random without
passing through intervening points.

223.Tapes are sometimes called Streamers or Streaming Tapes.

224.Floppy drive – A floppy disk is made from a thin piece of plastic coated with a magnetic material
on both sides. The tracks are arranged in concentric rings.

225.The floppy disk rotates at a speed of 300 revolutions per minute.

226.There are two standard sizes for floppy disks : 3.5 inches and 5.25 inches in diameter with
capacities of 1.44 MB and 1.2 MB respectively.

227.Floppy disks still find their applications for accessing data of one computer on a second computer
when the two computers are not networked, bootable diskettes to update the BIOS on a personal
computer and software recovery after a system crash or a virus attack.

228.Hard disks were invented in the 1950s.

229.A hard disk is an airtight sealed unit, consisting of a number of metallic disks mounted on a spindle,
which rotates at a speed of about 3600-7200 RPM.

230.Data can be written to or read from a hard disk twenty times faster than from a floppy.

231.Storage capacities of these devices range from 10 MB to 40 GB and even beyond.

232.CD-ROM : Compact Disk Read-Only Memory

233.CD-ROMs can store up to 650 MB to 700 MB and are used for distribution of massive quantities of
data (e.g. encyclopedias, document archiving, manuals, statistics, software packages) at relatively low
cost.

234.Spin rate : The spin rate is the rotation speed of the disk and it influences the information retrieval
speed(access time).

235.CD-ROMs nowadays come with rotation speed compatibility up to 16x.

236.DVD : Digital Versatile Disks.

237.Much like a regular CD, DVD uses a laser to read microscopic pits on a disc to gather information
and translate it into music, video or information.

238.The microscopic pits are made smaller and placed much closer together to achieve 4.7
gigabytes on a single layer of the new DVD disc.

239.CD-ROM retrieves data at 900 KB per second.

240.DVD data is retrieved at 1385 KB per second.

241.A double-layer, double-sided DVD disc can store 17 gigabytes of information,
which is more than the storage of 11,800 floppy discs.

242.OCR : Optical Character Recognition.

243.Flatbed scanners, sheet-fed scanners, hand-held scanners, drum scanners are some of the popular
types of scanners.

244.DQP : Draft Quality Printer. Size-9 pin

245.NLQ : Near Letter Quality. Size – 24 pin

246.The disadvantage of Dot Matrix Printers is their low printing speed, about 300 characters/second.

247.Inkjet Printer : A typical Inkjet Printer or Bubble Jet Printer head has 64 or 128 tiny nozzles, and
all of them can simultaneously fire a droplet.

248.The advantages of Inkjet Printers are that the print quality is high and the print speed is faster –
500 characters/second.

249.The advantages of laser printers : Extremely high print quality(resolution from 300 dpi upto 2000
dpi for commercial printers), a wide selection of type fonts, quiet printing because they are non-
impact. Very fast (400 to 500 pages/minute produced by commercial laser printers) although the low-
end lasers used with PCs can only print about 8-10 pages/minute.

250.In a Microcomputer, the entire CPU is contained on a tiny chip called a microprocessor.

251.Every CPU has at least two basic parts, the control unit and the arithmetic logic unit(ALU).

252.Upward compatibility : Usually when a new CPU is developed, the instruction set has all the same
commands as its predecessor plus some new ones. This allows software written for a particular CPU to
work on computers with newer processors of the same family – a design strategy known as upward
compatibility.

253.Downward or backward compatibility : When a new hardware device or piece of software can
interact with all the same equipment and software its predecessor could, it is said to have downward or
backward compatibility.

254.The latest Intel processor, named Intel Core i7-3960X Extreme Edition, consists of 6 cores, has a
processor speed of 3.90 GHz, with 15 MB of cache memory.

255.Clock Speed – The clock speed is the speed at which the processor executes instructions. Clock
speed is measured in megahertz(MHz), i.e. a million cycles per second.

256.Super scalar – Some micro processors are super scalar, which means that they can execute more
than one instruction per clock cycle.

257.Cache : Processors incorporate their own internal cache memory. The cache acts as temporary
memory and boosts processing power significantly.

258.The cache that comes with the processor is called Level One(L1) cache.

259.The L1 cache is divided into 2 sections – one for data, the other for instructions.

260.Secondary cache – Level Two(L2) cache.

261.To overcome the slow performance of L2 cache, newer chips (Pentium II and Pentium III) house
the L2 cache in a cartridge along with the CPU.

262.System Memory – Just like the human brain, which helps to determine what to do and when,
computers need blocks of space that they can address from time to time to help in processing arithmetical
and logical operations and also hold programs and data being manipulated. This area is called memory.

263.Moore's Law – It is a rule of thumb in the history of computer hardware. According to this law, the
number of transistors that can be placed inexpensively in an integrated circuit doubles once in two
years.

264.Mr. Gordon Moore – Co-founder of Intel.

265.Intel – The largest chip maker in the world.

266.The distance between two transistors has now shrunk to almost 30 nanometres.

267.RAM – The memory system constructed with metal oxide semiconductor storage elements that
can be changed is called a RAM.

268.DRAM – Dynamic Random-Access-Memory

269.FPM – Fast Page Mode

270.FPM DRAM was used in most computers until EDO RAM came along.

271.EDO – Extended Data Out

271.EDODRAM - Extended Data Out Dynamic Random-Access-Memory

272.EDODRAM is slightly faster than FPM.

273.One variation called burst EDO (BEDO) DRAM assumes that the next data address to be requested
by the CPU follows the current one so it sends that also.

274.SDRAM – Synchronous Dynamic Random-Access-Memory

275.SDRAM can synchronize itself with the clock that controls the CPU.

276.RDRAM – Rambus Dynamic Random-Access-Memory

277.RDRAM sends data down a high-bandwidth “channel” 10 times faster than standard DRAM.

278.SRAM – Static Random-Access-Memory

279.SRAM is used mainly in a special area of memory called a cache.

280.Some dynamic RAM memory circuits include built-in “refresh circuits” to relieve the computer.

281.ROM : Read Only Memory

282.One set of instructions found in ROM is called the ROM-BIOS.

283.ROM-BIOS :Read Only Memory Basic Input Output Services.

284.ROM may be used for code converter, function generator and character generators.

285.On an IBM personal computer, a PC with 2 MB of RAM is capable of running the Microsoft Windows
operating system, even though the program actually occupies 10 MB of disk storage space.

286.The moment the user launches a program or double-clicks an application icon, the microprocessor
of the computer loads the program file from the hard disk into the memory of RAM.

CHAPTER-8-SOFTWARE PLATFORMS
287.A computer system can be divided into four components :
i)Hardware
ii)Operating System
iii)Application Programs
iv)Users

288.The hardware includes the CPU, memory, and input/output devices.

289.The application programs include compilers, database systems, video games, and business
programs.

291.In a computer there are four main resources. They being, the processor, the main memory(RAM),
all I/O devices and the information that is stored in the computer.

292.Operating systems provide four management schemes. They being Job Management, Memory
Management, Device Management and Information Management.

293.Present day OS are – Mainframe OS, Multi-user OS, Single-user(PC-based) OS, Network OS,
Distributed OS and Real time OS.

294.Programs that are frequently required by the system during normal processing operations are
termed as Utility Programs.

295.Distributed system is a programming infrastructure, which allows the use of a collection of
workstations as a single integrated system. It is composed of a number of autonomous processors,
storage devices, and databases, which interactively co-operate in order to achieve a common goal.

296.Advantages of distributed systems :-

i)Improved availability and reliability through replication, performance through parallelism, and
flexibility in expanding and scaling resources.
ii)Higher performance
iii)Resource sharing
iv)Scalability
v)Reliability

296.Scalability-Modular structure makes it easier to add or replace processors and resources.

297.Reliability – Replication of processors and resources yields fault tolerance.

298.First generation languages : The machine code represents the first generation language. These are
machine dependent and are written in strings of 1s and 0s.

299.The second generation languages were developed in the late 1950s and early 1960s.

300.Assembly level languages belong to the second generation languages.

301.In second generation languages instruction codes are written in mnemonics.

302.The mnemonics are MOV, ADD, SUB, NOP, JMP.

303.The assembly language code is converted to machine code by a program called an assembler.

304.The third generation languages are called modern or structured programming languages.

305. The third generation languages are characterized by strong procedural and data structuring
capabilities.

306.Typical examples of 3rd generation languages are BASIC, COBOL, FORTRAN, PASCAL and C.

307.In order to convert a 3rd generation language statement into machine executable code, one uses a
programming language compiler/interpreter.

308.Fourth generation languages, like all artificial languages, contain a distinct syntax for control and
data structure representation.

309.The fourth-generation languages combine procedural and non-procedural characteristics.

310. The fourth-generation languages include query languages, program generators and application
generators.

311.Programming languages based on artificial intelligence are termed as fifth generation languages.

312.Object oriented languages – With technical development in the field of object technologies,
specialized programming languages to handle the features of objects were developed. Such
programming languages were termed as OOL. Typical examples are Smalltalk, C++ and Java.

313.Codd's rules-Codd's 12 rules are a set of rules proposed by Edgar F. Codd, a pioneer of the
relational model for databases, designed to define what is required from a database management system
in order for it to be considered relational i.e. a relational database management system.

314.A database system consists of a collection of interrelated data, called the Database, and a set of
programs to access this data, the Database Management System(DBMS).

315.The primary objective of a DBMS is to provide a convenient environment to retrieve and store
database information.

316.A database system consists of two parts. Database Management System and Database Application.

317.DBMS is the program that organizes and maintains the information, whereas the Database
Application is the program that lets us view, retrieve and update information stored in the DBMS.

318.DBMS offers the following services :-


i)Data definition
ii)Data maintenance
iii)Data manipulation
iv)Data display
v)Data integrity

319.Data definition-Specifies the structure of the data (tables, fields, data types, keys and constraints)
and how it is to be stored.

320.Data maintenance-It checks whether each record has fields containing all information about one
particular item.

321.Data manipulation-Allows data in the database to be inserted, updated, deleted and retrieved.

322.Data display-This service helps to view the data.

323.Data integrity-This ensures the accuracy of the data.

324.DBMS can control user access at the following levels :-

i)User and database
ii)Program and database
iii)Transaction and database
iv)Program and datafield
v)User and transaction
vi)User and datafield

325.Advantages of DBMS :-
i)Data independence for application system.
ii)Ease of support and flexibility in meeting changed data requirements.
iii)Transaction processing efficiency.
iv)Reduces data redundancy.
v)Maximises data consistency.
vi)Minimises maintenance cost through data sharing.
vii)Offers an opportunity to enforce data/programming standards.
viii)Offers an opportunity to enforce data security.
ix)Provides for stored data integrity checks.
x)Facilitates terminal users ad hoc access to data, especially designed query language/application
generators.

326.The functional concepts of a database system include :-


i)File manager
ii)Database manager
iii)Query processor
iv)DML pre-compiler
v)DDL compiler
vi)Data files
vii)Data dictionary
viii)Indices

327.File manager-Manages the allocation of space on disk storage and the data structures used to
represent information stored.

328.Database manager-Provides the interface between the low-level data stored in the database and
the application programs and queries submitted to the system.

329.Query processor-Translates statements in a query language to low-level instructions that the
database manager understands. In addition, the query processor attempts to transform a user's request
into an equivalent but more efficient form, thus finding a good strategy for executing the query.

330.DML pre-compiler-Converts DML statements, embedded in an application program, to normal
procedure calls in the host language. The pre-compiler must interact with the query processor to
generate the appropriate code.

331.DDL compiler-Converts DDL statements to a set of tables containing metadata or "data about data".

332.Data files – which store the database itself

333.Data dictionary-which stores metadata concerning the structure of the database.

334.Indices-which provides fast access to data items holding particular values.

335.Sophisticated users interact with the system without writing programmes.

336.Sophisticated users form their requests in a database query language.

337.Query of sophisticated users is submitted to a query processor whose function is to take a DML
statement and break it down into instructions that the database manager understands.

338.Specialised users-Specialised database applications are computer-aided design systems, knowledge
base and expert systems, systems that store data with complex data types(e.g. graphics data and audio
data), and environment-modelling systems.

339.Naive users-Unsophisticated users interact with the system by invoking a permanent application
programme written previously.

340.There are four common database models :-


i)File management system
ii)Hierarchical database system
iii)Network database system
iv)Relational database system

341.File Management System(FMS): The FMS was the first method used to store data in a
computerized database. In this system, the data item is stored sequentially in one large file.

342.A File Management System or a File Manager is a software used for creating, retrieving and
manipulating files.

343.An index file contains a subset of the data files based on one or more key fields.

344.The necessity for establishing a relationship among records and the need for an easier and quicker
way to access record led to the development of another model called the Hierarchical Database Model.

345.Drawbacks of File Management System(FMS):-

i)Data redundancy
ii)Lack of data integrity
iii)Lack of programme independence

346.Data redundancy : Data redundancy means that the same data fields appear in many different files
and often in different formats. Thus separate files tend to repeat some of the data.

347.Hierarchical model : This model was introduced in the Information Management System(IMS)
developed by IBM in 1968.

348.A hierarchical tree structure has the following characteristics :-


i)The top most stratum of the tree has only one node, called the Root.
ii)Relationships between the nodes are called Branches.
iii)Every node of the tree has only one parent, with the exception of the root, which has no parent.
iv)A node can have any number of child nodes.
v)No loops or cycles are permitted.

349.Drawbacks of hierarchical model :-


i)The hierarchical structure is not flexible enough to represent all the relationships which occur in the
real world.
ii)It cannot settle the overall data model for an enterprise, because the actual data is not available at
the time the data model is designed.
iii)It cannot represent 'many-to-many' relationships.

350.Network model:- Network model is an improvement over the hierarchical model.

351.A network is a graph and can be used to represent a data scheme. It consists of nodes connected
together by edges.

352.Hierarchical model vs Network model :-


i)There can be more than one edge between a given pair of nodes.
ii)There is no concept of root node.
iii)A node can have more than one parent node.

353.When applied to database technology, nodes of a network represent record types and edges
connecting the nodes represent the relationships between them. In their most general form edges can
represent 1:1, 1:N and N:M relationships.

354.Plex Structures permit one to represent many-to-many associations.

355.Dr. E.F. Codd proposed the Relational Model.

356.Relational model has acquired wide prominence; in fact, most Database Management
Systems(DBMS) in use today adopt the relational model.

357.Characteristics of a table :-
i)No two rows can be identical.
ii)All entries in a column belong to the same category.
iii)Ordering of rows and columns is insignificant.
iv)A row can have n columns. In that case, the row is termed an n-tuple.

358.Codd's rules for a Relational Data Model :-


Dr. E.F. Codd proposed twelve rules for a Relational data model which are explained below :-
i)The information rule
ii)The rule of Guaranteed Access
iii)The Systematic Treatment of Null Values
iv)The Database Description rule
v)Comprehensive Data Sub Language
vi)The View Updating rule
vii)The Insert and Update rule
viii)The Physical Independence rule
ix)The Logical Data Independence rule
x)The Integrity Independence rule
xi)The Distribution rule
xii)The Non-Subversion rule

359.The information rule : All information is explicitly and logically represented in tables as data
values.

360.The rule of Guaranteed Access : Every item of data must be logically found with the help of a
table name, primary key value and column name. Primary key condition prevents the entry of
duplicate and null values.

361.The systematic treatment of null values : The RDBMS must be able to support null values(these
values are different from zeroes and spaces) to represent missing or inapplicable information. Null
values for all data types must be the same.

362.The database description rule : The same logical structure must be used for both description of
database and definition of data. These are accessible to users with appropriate authority and are stored
in the data dictionary.

363.Comprehensive data sub language : The RDBMS must support the following criteria according
to this rule-Data definition, View definition, Data manipulation, Integrity constraints, Authorisation and
Transaction management operations.

364.The view updating rule : All views that are theoretically updateable must also be updateable by
the system.

365.The insert and update rule : A single operation must serve for all retrieval, update, delete and
insert activities. This rule implies that all the data manipulation commands must be operational on sets
of rows in a relation rather than on a single row at a time.

366.The physical independence rule : Application programs must remain unimpaired when any
changes are made in storage representation or access methods.

367.The logical data independence rule : The changes that are made should not affect the user's
ability to work with the data. The change can lead to splitting the table into many more tables.

368.The integrity independence rule : The integrity constraints should be stored in the system
catalogue or in the database as a table.

369.The distribution rule : The data may be distributed over several systems, but that distribution
must be transparent: users and application programs access and manipulate it exactly as if it were held
in one place.

370.The non-subversion rule : This rule states that different levels of the language can not subvert or
bypass the integrity rules and constraints. To state it simply, if a RDBMS supports a lower level
language then it should not bypass any integrity constraints defined in the higher level.

371.Normalization : The purpose of normalization is to decompose large tables into smaller ones so
that they can be easily managed. The problems of addition, modification and deletion anomalies are
also taken care of.

372.The main types of normal forms are First, Second, Third, Boyce-Codd, Fourth and Fifth.

373.In practice, normalization usually stops at the third normal form.

374.First Normal Form : Unnormalised tables are converted into tabular form with repeating groups
removed, every field holding a single atomic value, and keys identified.

375.Second Normal Form : Identification of data items, which are fully dependent and partially
dependent on the key. Tables are then decomposed into smaller ones.

376.Third Normal Form : Identification of transitive dependencies between non-key attributes and their
removal.

377.Boyce-Codd Normal Form : Problems that arise from overlapping composite keys are removed.

378.Fourth Normal Form : Takes care of problems arising from multi valued dependencies.
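
The normal forms above, worked through in Python as an added example (this is not code from the notes): a constructed transactions table carries a transitive dependency txn_id -> account_no -> branch_code -> branch_name, so renaming a branch touches several rows (the update anomaly). The functions check a functional dependency against the data, decompose the table on the non-key dependencies into 3NF, and confirm the decomposition is lossless by joining the pieces back. The table, column names and the asserted dependencies are assumptions made for illustration.

```python
"""Functional dependencies, anomalies and a 3NF decomposition on a constructed table.

Added example; not part of the IIBF notes. The table, column names and the
functional dependencies (FDs) below are made up to illustrate the method.
"""

# Constructed unnormalised table: one row per transaction. branch_name depends on
# branch_code, which depends on account_no, so branch_name depends transitively on
# the key txn_id. That repetition is the update anomaly 3NF removes.
ROWS = [
    {"txn_id": 1, "account_no": "A1", "branch_code": "B10", "branch_name": "Central", "amount": 500},
    {"txn_id": 2, "account_no": "A1", "branch_code": "B10", "branch_name": "Central", "amount": 250},
    {"txn_id": 3, "account_no": "A2", "branch_code": "B20", "branch_name": "North", "amount": 100},
    {"txn_id": 4, "account_no": "A3", "branch_code": "B20", "branch_name": "North", "amount": 75},
]
KEY = ("txn_id",)
# Non-key FDs asserted by the designer (assumed for this example).
FDS = [(("account_no",), ("branch_code",)), (("branch_code",), ("branch_name",))]


def fd_holds(rows, lhs, rhs):
    """True if the FD lhs -> rhs holds: equal lhs values never map to different rhs values."""
    seen = {}
    for r in rows:
        key = tuple(r[c] for c in lhs)
        val = tuple(r[c] for c in rhs)
        if seen.setdefault(key, val) != val:
            return False
    return True


def project(rows, cols):
    """Projection with duplicate removal: a relation is a set of tuples, so repeats vanish."""
    out, seen = [], set()
    for r in rows:
        t = tuple(r[c] for c in cols)
        if t not in seen:
            seen.add(t)
            out.append(dict(zip(cols, t)))
    return out


def decompose(rows, key, fds):
    """Split one table into 3NF tables: each non-key FD X -> Y becomes its own table (X, Y)
    and Y is removed from the base table, leaving X behind as the foreign key."""
    remaining = list(rows[0])
    tables = {}
    for lhs, rhs in fds:
        if set(lhs) == set(key):
            continue  # dependencies on the whole key stay in the base table
        if not fd_holds(rows, lhs, rhs):
            raise ValueError(f"{lhs} -> {rhs} does not hold in the data")
        tables["_".join(lhs)] = project(rows, list(lhs) + list(rhs))
        remaining = [c for c in remaining if c not in rhs]
    tables["base"] = project(rows, remaining)
    return tables


def natural_join(left, right):
    """Join two tables on all the columns they share."""
    common = [c for c in left[0] if c in right[0]]
    return [{**a, **b} for a in left for b in right if all(a[c] == b[c] for c in common)]


def rejoin(tables):
    """Recombine the decomposed tables; equals the original rows if the decomposition is lossless."""
    result = tables["base"]
    for name, t in tables.items():
        if name != "base":
            result = natural_join(result, t)
    return result


def rows_to_change(rows, col, value):
    """How many rows must be touched to rename one value: the size of the update anomaly."""
    return sum(1 for r in rows if r[col] == value)


def same_relation(a, b):
    """Set comparison of two tables, ignoring row order."""
    return {frozenset(r.items()) for r in a} == {frozenset(r.items()) for r in b}


if __name__ == "__main__":
    tables = decompose(ROWS, KEY, FDS)
    for name, t in tables.items():
        print(name, t)
    print("lossless:", same_relation(rejoin(tables), ROWS))
    print("rows to rename B20 before/after:", rows_to_change(ROWS, "branch_code", "B20"),
          rows_to_change(tables["branch_code"], "branch_code", "B20"))
```

The decomposition leaves base(txn_id, account_no, amount), account_no(account_no, branch_code) and branch_code(branch_code, branch_name); renaming branch B20 now changes one row instead of two, and the natural join of the three pieces reproduces the original rows exactly.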

379.Administrative tasks : Formulating database schemas, designing database, backing up data,
granting privileges and defining user roles.

380.The major task of developing, designing and maintaining the database is entrusted to a Database
Administrator.

381.A Database Administrator(DBA) has to perform the following activities :-


i)Interact with the top management and acquire the necessary hardware and software.
ii)Interact with people in various divisions of the organization to identify the data elements.
iii)Identify the type of relationship that exists between the data elements.
iv)Choose proper data model.
v)Design the data dictionary by discussing with the users and application programmers.
vi)Decide the user access privileges.
vii)Determine the way in which the data is physically represented in the database.
viii)Determine the methods for updating data and backups.
ix)Implement methods to enforce data integrity and security.
x)Choose methods to keep abreast with the emerging technologies in databases.

382.The architecture of a Database Management System includes the following :-


i)External schema
ii)Conceptual schema
iii)Internal schema

383.External schema – This is the outermost layer of the database.

384.Conceptual schema – This provides the overall logical view of the entire database.

385.Internal schema – It describes the physical representation of the data in the database.

386.DDL – Data Definition Language.

387.DML – Data Manipulation Language.

388.DDL – It permits one to declare records, links, fields and keys. It also provides description
facilities of the various entities and their connections to DBMS.

389.DML – It helps in operating i.e. inserting, deleting, modifying and the like on the data in the
database.

390.Two important DMLs in wide use are Structured Query Language(SQL) and Query
Language(QUEL).

391.Data dictionary : The data dictionary holds information about the data stored in the
database.

392.Data dictionary specifies :-


i)The way the data is defined
ii)Types of data present
iii)Relationship among various entities
iv)The representation formats
v)Keys for the database
vi)Access rules for every user
vii)People accessing the data

392.Data Item or Entity : The indivisible part of a database is generally referred to as a Data Item or
Entity.

393.Database relationships are :-
i)One-to-one : Here each entity has only one association. Eg. Employee and Employee ID.
ii)One-to-many : Here, one entity has many associations. Eg. Designation-Employee relationship.
iii)Many-to-many : Here, each entity has many associations. Eg. Vendor-Inventory Items.

394.Database : A database is an organised collection of data that is related to each other, which a
DBMS stores, manipulates and presents.

395.We can use a database when :-


i)The information is large and unmanageable
ii)We want to maintain records for ongoing use
iii)The information is subject to many changes
iv)We want to generate reports based on the information.

396.Database security : It ensures that only an authorised person has the right to access the right data.
There are two issues in ensuring this
i)'Right people' (or the authorised user) is one who has the privilege of accessing the database.
ii)'Right access to the right data' : Though certain users are allowed to interact with the database, certain
rights have to be restricted.

397.Authentication – The process of determining the right person to interact with the data in the
database is called Authentication.

398.Authorisation and Access Control – The process of determining the privileges to be given to the
user is known as Authorisation and Access Control.

399.Accidental loss of data consistency may result from :-


i)Crashes during transaction processing
ii)Anomalies caused by concurrent access to the database
iii)Anomalies caused by the distribution of data over several computers.
iv)A logical error that violates the assumption that transactions preserve the database consistency
constraints.

400.Malicious access of database could result from :-


i)Unauthorized reading of data
ii)Unauthorized modification of data
iii)Unauthorized destruction of data

401.Various types of database users :-


i)Application programmers
ii)Sophisticated users
iii)Specialised users
iv)Naive users

402.Application programmers-They interact with the system through DML calls.

403.Sophisticated users-They form requests in a database query language

404.Specialised users-These users write specialized database applications that do not fit into the
traditional data processing framework.

405.Naive users-They invoke permanent application programs written previously. This group includes
people accessing database over the web, bank tellers, clerical staff and the like.

406.Functions of a database administrator include:-

i)Schema definition
ii)Storage structure and access method definition
iii)Schema and physical organization modification
iv)Granting user authority to access the database
v)Specifying integrity constraints
vi)Acting as a link with users
vii)Monitoring performance and responding to changes in requirements.

407.Authentication :-It is the process of checking whether a user operating upon the database has the
right to do so.

408.In order to allow only authenticated users to interact with a database, password protection is
necessary. This can be done by associating passwords with the sub-schemas of a schema.

409.Authenticity of the users can be verified by :-


i)Magnetic film badges
ii)Fingerprints

410.Magnetic film badges:-These check the stored pattern against the one entered by the user. The
user is allowed to access the data only if both match.

411.The basic model for access control usually involves three things – Subjects, Objects and Access
rights.

412.Subject-The user of the database is called a Subject.

413.Object-An item for which rights have to be granted is known as the Object.

414.Access Rights-The access permissions to read or write are called Access Rights.

415.Access rights could be structured by treating them as – Flat and Hierarchical

416.Under the flat-scheme, access rights are independent and stand alone.

417.In a hierarchical scheme, the possession of certain access right may imply the possession of the
rights subordinates to it(i.e possession of rights are governed by an order of hierarchy).

418.A user may have several forms of authorization on parts of database. Among these are :-
i)Read authorization
ii)Insert authorization
iii)Update authorization
iv)Delete authorization
v)Index authorization
vi)Resource authorization
vii)Alteration authorization
viii)Drop authorization

419.Read authorization-It allows reading, but not modification of data.

420.Insert authorization-It allows insertion of new data, but not modification of existing data.

421.Update authorization-It allows modification, but not deletion of data.

422.Delete authorization-It allows deletion of data.

423.Index authorization-Allows the creation and deletion of indices.

424.Resource authorization-Allows the creation of new relations.

425.Alteration authorization-Allows the addition or deletion of attributes in a relation.

426.Drop authorization-Allows the deletion of relations.
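
The access-control model of items 411 to 426 (subjects, objects, access rights; flat versus hierarchical rights), the table/field granularity of item 324 and the authentication-before-authorisation split of items 396 to 398, as an added Python example that is not code from the notes or from any particular DBMS. The subjects, the object names, the rule that a table-level grant covers its fields, and the specific implication hierarchy (drop implies alter and delete, update implies read, and so on) are assumptions chosen for illustration.

```python
"""Subjects, objects and access rights under a flat and a hierarchical rights scheme,
with authentication checked before authorisation.

Added example; not from the IIBF notes. The subjects, objects, the table/field
granularity rule and the implication hierarchy are assumptions for illustration,
not the behaviour of any specific DBMS.
"""

# Hierarchical scheme (assumed): holding the right on the left implies the rights on the right.
IMPLIES = {
    "drop": {"alter", "delete"},
    "alter": {"index", "read"},
    "delete": {"update"},
    "update": {"read"},
    "resource": set(),
    "insert": set(),
    "index": set(),
    "read": set(),
}


def closure(rights, implies=IMPLIES):
    """All rights reachable from `rights` by following the implication hierarchy."""
    out, stack = set(), list(rights)
    while stack:
        r = stack.pop()
        if r not in out:
            out.add(r)
            stack.extend(implies.get(r, ()))
    return out


class AccessMatrix:
    """(subject, object) -> set of directly granted rights. Objects are 'table' or 'table.field'."""

    def __init__(self, hierarchical=False):
        self.hierarchical = hierarchical
        self.grants = {}

    def grant(self, subject, obj, *rights):
        self.grants.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, *rights):
        self.grants.get((subject, obj), set()).difference_update(rights)

    def effective(self, subject, obj):
        """Rights the subject holds on obj: direct grants, plus table-level grants when obj is a
        field of that table (assumed rule), expanded through the hierarchy if enabled."""
        rights = set(self.grants.get((subject, obj), set()))
        table = obj.split(".", 1)[0]
        if table != obj:
            rights |= self.grants.get((subject, table), set())
        return closure(rights) if self.hierarchical else rights

    def allowed(self, subject, obj, right):
        return right in self.effective(subject, obj)


def request(matrix, authenticated, subject, obj, right):
    """Two separate questions: is this the claimed person (authentication), and may that
    person do this (authorisation)? The denial message says which check failed."""
    if subject not in authenticated:
        return "denied: not authenticated"
    if not matrix.allowed(subject, obj, right):
        return "denied: not authorised"
    return "granted"


def demo():
    """Constructed scenario: a bank's accounts table under both schemes."""
    authenticated = {"teller", "auditor", "dba"}  # stands in for verified credentials

    flat = AccessMatrix(hierarchical=False)
    flat.grant("teller", "accounts", "read")
    flat.grant("teller", "accounts.balance", "update")  # field-level update only
    flat.grant("auditor", "accounts", "read")

    hier = AccessMatrix(hierarchical=True)
    hier.grant("dba", "accounts", "drop")
    hier.grant("auditor", "accounts", "read")

    return {
        "flat_field_read": request(flat, authenticated, "teller", "accounts.balance", "read"),
        "flat_field_update": request(flat, authenticated, "teller", "accounts.balance", "update"),
        "flat_table_update": request(flat, authenticated, "teller", "accounts", "update"),
        "flat_delete": request(flat, authenticated, "teller", "accounts.balance", "delete"),
        "hier_read_via_drop": request(hier, authenticated, "dba", "accounts", "read"),
        "hier_insert_not_implied": request(hier, authenticated, "dba", "accounts", "insert"),
        "hier_auditor_update": request(hier, authenticated, "auditor", "accounts", "update"),
        "unknown_subject": request(flat, authenticated, "intruder", "accounts", "read"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

Under the flat scheme every right stands alone, so the teller's field-level update does not let them update the whole table and does not give them delete; under the hierarchical scheme the DBA's drop right carries alter, delete, update, index and read with it, but still not insert, which shows that a hierarchy only covers what it explicitly orders. An unknown subject is refused before any rights are consulted.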

427.SQL – Structured Query Language

428.SQL is the de facto language used to communicate with databases. ANSI defines it as the standard
language for relational database management systems.

429.ANSI-American National Standards Institute

430.Commercial DBMS products such as Oracle, Sybase, Microsoft SQL Server, Access and Ingres use
SQL.

431.SQL statements are broadly classified into three categories. They being -
i)Data Definition Language(DDL)
ii)Data Manipulation Language(DML)
iii)Transaction Control Language(TCL)

432.The following are operators supported by SQL :


i)Arithmetic operators
ii)Comparison operators
iii)Logical operators

433.Comparison operators(CO): COs are used in conditions to compare one expression with another.
The comparison operators are =, <> (not equal to), >, <, >=, <= etc. A comparison with NULL is
neither true nor false, so NULL must be tested with IS NULL or IS NOT NULL, never with = or <>.

434.Logical operators(LO) : An LO is used to combine the results of two conditions to produce a single
result. The LOs are AND, NOT and OR.

435.Join Operator(JO) :A JO is used to combine the data from multiple tables. It is performed by a
join condition, written in the WHERE clause or in an explicit JOIN ... ON clause, which combines the
specified rows of the tables.

436.There are three different types of join. They being Simple join, Self join, Outer join.

437.Simple join : It retrieves rows from two tables having a common column and is further classified
into equi-join and non-equi-join.

438.Equi-join : A join which is based on equalities is called an equi-join.

439.Non-equi-join : A non-equi-join specifies the relationship between columns belonging to different
tables by making use of relational operators other than =.

440.Self join : Joining of a table to itself is known as a self-join i.e. it joins one row in a table to
another.

441.Outer join : The outer join extends the result of a simple join. It returns all the rows returned by
the simple join as well as those rows from one table that do not match any row from the other table.
In Oracle's older syntax the symbol (+) marks the outer-joined side; standard SQL writes LEFT, RIGHT
or FULL OUTER JOIN.
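
The four join types of items 436 to 441, together with the NULL handling behind Codd's third rule and the comparison operators of item 433, run against an in-memory SQLite database from Python as an added example (not code from the notes). The dept, emp and grade tables, their rows and the names in them are constructed for illustration; standard LEFT OUTER JOIN syntax is used rather than the Oracle-specific (+) notation.

```python
"""Equi-, non-equi-, self- and outer joins, plus NULL comparison, on an in-memory SQLite database.

Added example; not from the IIBF notes. Tables, rows and names are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE dept (dept_id INTEGER PRIMARY KEY, dept_name TEXT NOT NULL);
CREATE TABLE emp (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER REFERENCES dept(dept_id),  -- NULL = not yet assigned to a department
    mgr_id  INTEGER REFERENCES emp(emp_id),    -- NULL = has no manager
    salary  INTEGER NOT NULL
);
CREATE TABLE grade (grade TEXT PRIMARY KEY, lo INTEGER NOT NULL, hi INTEGER NOT NULL);
"""
# Constructed sample data. Treasury has no staff; Devi has no department; Asha has no manager.
DEPTS = [(10, "Audit"), (20, "IT"), (30, "Treasury")]
EMPS = [(1, "Asha", 10, None, 90), (2, "Bala", 10, 1, 60), (3, "Chen", 20, 1, 70), (4, "Devi", None, 3, 40)]
GRADES = [("A", 80, 100), ("B", 50, 79), ("C", 0, 49)]


def open_db():
    """Build the constructed database in memory and return the connection."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO dept VALUES (?,?)", DEPTS)
    con.executemany("INSERT INTO emp VALUES (?,?,?,?,?)", EMPS)
    con.executemany("INSERT INTO grade VALUES (?,?,?)", GRADES)
    return con


def equi_join(con):
    """Simple equi-join on =: only employees whose dept_id matches a dept row (Devi is dropped)."""
    return con.execute("SELECT e.name, d.dept_name FROM emp e JOIN dept d "
                       "ON e.dept_id = d.dept_id ORDER BY e.name").fetchall()


def non_equi_join(con):
    """Non-equi-join: salary banded into grades with BETWEEN (>= and <=), not equality."""
    return con.execute("SELECT e.name, g.grade FROM emp e JOIN grade g "
                       "ON e.salary BETWEEN g.lo AND g.hi ORDER BY e.name").fetchall()


def self_join(con):
    """Self-join: emp joined to itself to pair each employee with their manager's name."""
    return con.execute("SELECT e.name, m.name FROM emp e JOIN emp m "
                       "ON e.mgr_id = m.emp_id ORDER BY e.name").fetchall()


def outer_join(con):
    """Left outer join: every employee is kept; an unmatched department comes back as NULL (None)."""
    return con.execute("SELECT e.name, d.dept_name FROM emp e LEFT OUTER JOIN dept d "
                       "ON e.dept_id = d.dept_id ORDER BY e.name").fetchall()


def unassigned(con):
    """Anti-join idiom: outer join, then keep only the rows where the other side is NULL."""
    return con.execute("SELECT e.name FROM emp e LEFT OUTER JOIN dept d "
                       "ON e.dept_id = d.dept_id WHERE d.dept_id IS NULL").fetchall()


def null_comparison(con):
    """Codd's rule 3 in practice: 'dept_id = NULL' is never true, so it finds nothing;
    'dept_id IS NULL' is the correct test and finds the unassigned employee."""
    wrong = con.execute("SELECT COUNT(*) FROM emp WHERE dept_id = NULL").fetchone()[0]
    right = con.execute("SELECT COUNT(*) FROM emp WHERE dept_id IS NULL").fetchone()[0]
    return wrong, right


if __name__ == "__main__":
    db = open_db()
    for fn in (equi_join, non_equi_join, self_join, outer_join, unassigned, null_comparison):
        print(fn.__name__, fn(db))
```

The equi-join and the self-join silently lose rows whose join column is NULL (Devi has no department, Asha has no manager), which is exactly why a report built on a simple join can under-count; the outer join keeps them and returns None in the unmatched columns, and the `= NULL` count of zero against the `IS NULL` count of one shows why NULL needs its own test.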

CHAPTER-9-SYSTEM DEVELOPMENT LIFE CYCLE

442.The characteristics of systems are :-


i)Any system is self sustaining and complete in all respects.
ii)Components of a system interact with one another.
iii)All of them are goal seeking
iv)They transform inputs to generate the predetermined outputs.
v)Systems suffer entropy.
vi)No system is 100% efficient.

443.Entropy : Entropy refers to the inherent tendencies in systems to fail over passage of time or use.
The systems approach must necessarily deal with the entropy and manage it effectively.

444.System may be classified as :-


i)Natural or man made
ii)Closed or open
iii)Conceptual or physical

445.Natural or man made : While a natural system is one that is found in nature, a man-made system
is artificial.

446.Closed or open : A closed system is one which does not interact with the outside environment,
whereas an open system is one which has an interface with the external environment.

447.Conceptual or physical : A conceptual system is abstract in nature. One may not be able to
directly experience the system. A physical system is one whose components exist in the real world.

448.People and personnel involved in the system development effort :-


i)Top management
ii)User
iii)Project steering committee
iv)Project sponsor
v)Systems development management
vi)Project Manager
vii)Project team
viii)System Analyst
ix)Programmers
x)Module leader or Team leader.
xi)Database administrator
xii)Domain, technology and documentation specialists.
xiii)Quality assurance
xiv)Security officer or security team.

449.System Analyst : whose main responsibility is to interview the users in understanding their
requirements.

450.Programmers : who are the builders of the system. They are responsible for converting designs
into program code.

451.Database Administrator(DBA) : The DBA has primary responsibility of designing the data sets
required for the project.

452.The Domain or functional specialist : is a person who is an expert on the business area for which
the system is developed.

453.Quality Assurance(QA) : lays down the standards for the development project. QA is responsible
for measurement and comparison of deliverables and results against the standards set.

454.Delineation of Scope : Here the boundaries of the system are defined so as to develop the software
solution.

455.A DFD(Data Flow Diagram) consists of four elements :-
i)Data flow
ii)Process
iii)Data stores
iv)External entity

456.Data flow – represented by arrow

457.Process – represented by bubble or circle

458.Data stores-represented by parallel lines or open rectangles.

459.External entity- represented by a square.

460.A DFD is always read from top to bottom or left to right.

461.SRS-System Requirements Specification

462.An SRS is prepared by the System Analyst.

463.Architectural Design- Deals with the hierarchy of modules and sub-modules. All major modules,
their functions and scope, interface of modules and data received and released by each module are
identified at this step.

464.Physical Design- Type of hardware and operating systems to be used, network architecture,
processing method(whether batch, online or real time), frequency of inputs and outputs and period end
cycles are addressed during physical design.

465.A good program must have the following characteristics :-


i)Accuracy
ii)Reliability
iii)Robustness
iv)Efficiency
v)Usability
vi)Maintainability

466.Software Testing is a process under controlled environment in order to verify that the software
meets its design specifications. Two broad categories of testing are :-
i)Unit Testing and
ii)System Testing

467.Unit Testing-refers to the testing of individual modules or units in the software.

468.The tests that are conducted in unit testing are :-


i)Functional test
ii)Performance test
iii)Stress or volume test
iv)Structural or logic test

469.System testing is a testing process where a collection of programs is integrated into the final
system and tested.

470.System test involves two types of testing :-


i)Integration testing and
ii)Acceptance testing

471.Bottom up integration testing – follows the traditional method of testing where individual units
are tested first, then sub-systems and finally the system as a whole.

472.Top down integration testing-The main routine is tested first, with the modules it calls
represented by stubs. As the coding of each lower-level module is completed, its stub is replaced by
the real module and the system is tested again.

473.Stubs-incomplete program code with logical end points that stands in for a module not yet written.

474.Acceptance testing-is the final stage of testing where the user is required to work on the system and
be satisfied as to the functional and operational completeness of the system.

475.Four kinds of software implementation are available :-


i)Direct Implementation
ii)Parallel Implementation
iii)Phased Implementation
iv)Pilot Implementation

476.Direct Implementation-also called Abrupt Change-over or ad hoc implementation. A specific
date is determined on which the old system would be suspended and the new system takes over.

477.Parallel Implementation-where the new system is started with the old system running in a
parallel manner. The results of the new system are compared with those of the old system on a
continuous basis. Once the new system is found to be better, then the old system is discarded.

478.Phased Implementation-where the entire business process is divided into manageable units and
the new system is implemented in these units one by one.

479.Pilot implementation-where a small non-critical unit of the business process is selected and the
new system implemented.

480.The first stage in maintenance would be a Post Implementation Review.

481.The major models of the software engineering process are :-


i)The waterfall model(conventional SDLC model)
ii)Prototyping
iii)Incremental model
iv)The spiral model

482.Reliable software has a long Mean Time Between Failures(MTBF).

483.The approaches on the design phase are :-


i)The object model
ii)The dynamic model
iii)The functional model

484.On project planning, software engineering presents methods for :-


i)Software size estimation
ii)Software complexity analysis

485.Software size estimation :-Methods of Lines of Code(LOC), Function Point Analysis(FP),
Constructive Cost Model(COCOMO).

486.Software complexity analysis:-On complexity analysis, various metrics such as Halstead's
method, McCabe's method are available.

487.Coding:-One of the prime goals of software engineering is to automate the process of coding.
There are two ways of doing the same.
i)By Algebraic specification
ii)Usage of Computer Aided Software Engineering(CASE) tools.

488.The following are the methods for formal specifications:-


i)Finite State Machines
ii)Petri Nets

CHAPTER-10-COMPUTER NETWORKS

489.Computer network means the interconnection of one or more computers through :-


i)the use of satellite, microwave, terrestrial line or other communication media and
ii)terminals or a complex consisting of two or more interconnected computers whether or not the
interconnection is continuously maintained.

490.WAN : Wide Area Networks

491.A WAN covers a large geographic area with various communication facilities such as long distance
telephone service, satellite transmission, and under-sea cables.

492.Examples of WANs are interstate banking networks and airline reservation systems.

493.WANs typically operate at lower link speeds(about 2 Mbps).

494.In WAN channels are of relatively low capacity(measuring throughput in kilobits per second,
kbit/s).

495.In WAN channels are relatively error-prone(eg, a bit error rate of 1 in 10^5 bits transmitted).

496.LAN : Local Area Networks

497.A typical LAN connects as many as a hundred or so microcomputers that are located in a relatively
small area, such as a building or several adjacent buildings.

498.LANs use high-speed media 1 Mbps to 1 Gbps or more and are mostly privately owned and
operated.

499.In LAN, channels are relatively high capacity(measuring throughput in mega bits per second,
Mbits/s).

500.Channels are relatively error free (eg, a bit error rate of 1 in 10^9 bits transmitted).

501.MAN : Metropolitan Area Network

502.The term MAN is sometimes used to refer to networks which connect systems or local area
networks within a metropolitan area (roughly 40 kms in length from one point to another).
503.MANs are based on fiber optic transmission technology and provide high speed (10 Mbps or so),
interconnection between sites.

504.A MAN can support both data and voice; cable television networks are examples of MANs that
distribute television signals.

505.Signal- A signal is generally defined as a function, which conveys information about a physical
system, usually about its state or behaviour.

506.Signals have the attributes :- Amplitude and Frequency

507.Amplitude : It refers to value of the signal at any point on the wave. It also refers to the vertical
distance of a given point in the graph from the horizontal axis.

508.Frequency : This indicates the number of cycles a signal completes in one second.

509.A unit of measurement is Hertz(Hz).

510.Frequency is always inversely proportional to the time period of one cycle.

511.Phase : Phase is the position on the wave at a given point of time. This is in terms of the angle it
makes on the wave form cycle.

512.The phase angle of a complete waveform is taken to be 360 degrees.

513.Phase difference : The difference between the phase angles of two waves at a particular instant of
time is known as phase difference.

514.There are two types of signals – Analog signals and Digital signals.

515.Analog signal-An analog signal is one in which the amplitude varies continuously with time. If the
speech of a human being is picturised as a signal, it is an analog signal.

516.Digital signal-If the information is represented only in discrete states, then the signal is termed as
digital signal. If the number of discrete states is only two, then it is called as a binary signal.

517.Multiplexing-It is the technique of sending multiple signals on a single carrier at the same time.

518.There are three basic multiplexing techniques-TDM, FDM and WDM.

519.TDM-Time Division Multiplexing

520.FDM-Frequency Division Multiplexing

521.WDM-Wave Division Multiplexing

522.TDM-In TDM time is the basis for multiplexing. This is a technique where a short time slot is
allotted to each of the users(equipment) who wish to use the common channel. Each user uses time slot
in turn on the basis of time, and then the sequence is repeated. One example for TDM is the traffic
signal.

523.FDM-It is a scheme where numerous signals are assigned different sub-channels within the main
channel. A guard band is used to separate the channels and ensure that they do not interfere with one
another. A typical example of FDM is the cable television.

524.WDM-It is a form of frequency division multiplexing specifically for packing many optical carrier
signals into a single optical fibre.

525.Switching Technologies- STs refer to the establishment of a communication path between the sender
and the receiver. The various STs available today are :-
i)Circuit switching
ii)Message switching
iii)Packet switching
a)Datagram
b)Virtual circuit

526.Circuit Switching-CS is a type of communication in which a permanent circuit is established for
the entire duration of the transmission. Eg-telephone system. CS networks are ideal for real-time data
transmissions and are sometimes called connection-oriented networks.

527.Message Switching-MS is also called store-and-forward communication. Here no physical path is
established in advance between the sender and the receiver.

528.Packet Switching-PS is similar to message switching. Here the entire message is split into small
units called packets. Each packet has three important portions-Header, Body and Footer.

529.Header-The header holds information about the data contained in the packet. The contents are
Length of the packet, Packet number, Destination address and Originating address.

530.Body-This is the actual data that is contained in the packet that is delivered to the destination.

531.Footer-The portion of packet that holds control information for error checking.
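
As an added illustration that is not part of these notes, the following Python code builds a packet from the three portions described above (a header with length, packet number, destination and originating address; a body; a footer carrying a 16-bit checksum) and shows the receiver rejecting a packet damaged in transit, plus datagram-style splitting and reassembly by packet number. The field widths, the one's-complement checksum and the sample message are assumptions made for the example.

```python
import struct

# Constructed example (not from the notes): a minimal packet layout with the three
# portions described above.
#   Header : total length, packet number, destination address, originating address
#   Body   : the data being carried
#   Footer : a 16-bit checksum the receiver uses for error checking
HEADER_FMT = ">HHII"                       # big-endian: length, number, dest, origin
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
FOOTER_FMT = ">H"
FOOTER_LEN = struct.calcsize(FOOTER_FMT)   # 2 bytes


def checksum16(data: bytes) -> int:
    """One's-complement sum of 16-bit words (same idea as the IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"                    # pad odd-length input
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(number: int, dest: int, origin: int, body: bytes) -> bytes:
    """Header + body + footer; the footer protects both header and body."""
    length = HEADER_LEN + len(body) + FOOTER_LEN
    header = struct.pack(HEADER_FMT, length, number, dest, origin)
    footer = struct.pack(FOOTER_FMT, checksum16(header + body))
    return header + body + footer


def parse_packet(raw: bytes) -> dict:
    """Validate and unpack one packet; raise ValueError if it is malformed or corrupt."""
    if len(raw) < HEADER_LEN + FOOTER_LEN:
        raise ValueError("packet shorter than header plus footer")
    length, number, dest, origin = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if length != len(raw):
        raise ValueError("length field does not match the bytes received")
    body = raw[HEADER_LEN:length - FOOTER_LEN]
    (stored,) = struct.unpack(FOOTER_FMT, raw[length - FOOTER_LEN:])
    if checksum16(raw[:length - FOOTER_LEN]) != stored:
        raise ValueError("footer checksum mismatch: packet damaged in transit")
    return {"number": number, "dest": dest, "origin": origin, "body": body}


def split_message(message: bytes, max_body: int, dest: int, origin: int) -> list:
    """Datagram style: every packet carries full addressing, so each can be routed alone."""
    chunks = [message[i:i + max_body] for i in range(0, len(message), max_body)]
    return [build_packet(n, dest, origin, c) for n, c in enumerate(chunks)]


def reassemble(packets: list) -> bytes:
    """Packets may arrive out of order; the packet number in the header restores it."""
    parsed = sorted((parse_packet(p) for p in packets), key=lambda d: d["number"])
    return b"".join(d["body"] for d in parsed)


if __name__ == "__main__":
    # Constructed sample message and addresses (IPv4-style 32-bit integers)
    msg = b"TRANSFER 5000 TO ACCT 42"
    pkts = split_message(msg, 10, 0x0A000001, 0x0A000002)
    print(len(pkts), "packets;", "reassembled ok" if reassemble(pkts) == msg else "mismatch")
    damaged = bytearray(pkts[0])
    damaged[HEADER_LEN] ^= 0x01            # flip one bit in the body
    try:
        parse_packet(bytes(damaged))
    except ValueError as exc:
        print("receiver rejected packet:", exc)
```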

532.There are two basic approaches to packet switching-Virtual circuit and Datagram.

533.VCI-Virtual Circuit Identifier.

534.The most common forms of virtual circuit networks are X.25 and frame relay, which are
commonly used for public data networks(PDN).

535.Datagram-In this approach, each packet is treated as an independent entity and its header contains
full information about the destination of the packet. The intermediate nodes examine the header of the
packet and decide on the node for the packet to be sent so that it reaches its destination.

536.The main implementation of datagram is in the internet, which uses the IP network protocol.

537.Data is transmitted over a channel in three different modes-simplex, half-duplex and full-duplex.

538.Simplex-In simplex communication, data transmission is always unidirectional. Letters, radio,
television and pagers are typical examples of simplex communications.

539.Half-duplex: In half-duplex communication, facilities exist to send and receive, but only one
activity, either send or receive is possible at a time. Examples- walkie-talkies, internet surfing etc.

540.Full-duplex-In full-duplex communication, data can travel in both directions simultaneously.
Example-Telephone system where one can hear and speak simultaneously.

541.There are two methods of communications, viz, asynchronous transmission and synchronous
transmission.

542.Asynchronous transmission-Also termed as start-stop communication; any communication
between devices of dissimilar speeds will be an asynchronous one.

543.The basic characteristics of an asynchronous communication system are :-


i)Sender and the receiver have independent transmit and receive clocks.
ii)Simple interface and inexpensive to implement.
iii)Limited data rate, typically less than 64 kbps.
iv)Requires start and stop bits which provide byte timing.
v)Increased overhead.
vi)Parity often used to validate correct reception.
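
Added example, not taken from these notes: Python code that frames one byte in start-stop fashion with an even-parity bit, computes the framing overhead the list above mentions, and shows that parity catches a single flipped bit in a frame but not two flipped bits in the same frame. The 8-data-bit, 11-bit frame layout and the sample payload are assumptions made for the example.

```python
# Constructed example (not from the notes): asynchronous (start-stop) framing of a
# byte with an even-parity bit, and a receiver that validates each frame on its own.
START_BIT = 0
STOP_BIT = 1
FRAME_BITS = 11          # 1 start + 8 data + 1 parity + 1 stop


def even_parity(bits):
    """Parity bit that makes the total count of 1s (data + parity) even."""
    return sum(bits) % 2


def frame_byte(value):
    """8 data bits, least significant first, wrapped in start, parity and stop bits."""
    data = [(value >> i) & 1 for i in range(8)]
    return [START_BIT] + data + [even_parity(data), STOP_BIT]


def unframe(frame):
    """Return the byte carried by a frame, or None if framing or parity fails."""
    if len(frame) != FRAME_BITS or frame[0] != START_BIT or frame[-1] != STOP_BIT:
        return None                       # framing error: start/stop bit missing
    data, parity = frame[1:9], frame[9]
    if even_parity(data) != parity:
        return None                       # parity error: odd number of bit flips
    return sum(bit << i for i, bit in enumerate(data))


def framing_overhead(data_bits=8, frame_bits=FRAME_BITS):
    """Fraction of line bits that are start, parity and stop rather than data."""
    return (frame_bits - data_bits) / frame_bits


def transmit(payload, flip_positions=()):
    """Serialise bytes to a bit stream; flip_positions simulates line noise."""
    stream = [bit for value in payload for bit in frame_byte(value)]
    for pos in flip_positions:
        stream[pos] ^= 1
    return stream


def receive(stream):
    """Return (bytes accepted, number of frames rejected). Each frame is self-timed."""
    accepted, rejected = [], 0
    for start in range(0, len(stream), FRAME_BITS):
        value = unframe(stream[start:start + FRAME_BITS])
        if value is None:
            rejected += 1
        else:
            accepted.append(value)
    return bytes(accepted), rejected


if __name__ == "__main__":
    print("overhead per frame: %.1f%%" % (100 * framing_overhead()))
    print("clean line      :", receive(transmit(b"OK")))
    print("one bit flipped :", receive(transmit(b"OK", flip_positions=[3])))
    print("two bits flipped:", receive(transmit(b"OK", flip_positions=[3, 4])))
```

The last line of the demo shows the limit of parity checking: an even number of errors in one frame passes the check and a wrong byte is delivered.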

544.Synchronous communication-In SC, the clock of the receiver is synchronized with the clock of the
transmitter. On account of this, higher data transmission rates are possible.

545.The characteristics of SC are-


i)Synchronization between the clocks of the transmitter and receiver.
ii)More complex interface.
iii)Supported by high data rates.
iv)Used in communication between computer and telephony networks.

546.Topology – refers to the way computers are connected physically.

547.We have the following basic topologies :-


1.Mesh (completely interconnected)
2.Star
3.Tree
4.Bus
5.Ring
6.Irregular

548.Mesh topology – Here every node is physically connected to every other node.

549.The primary advantage of Mesh topology is that it is highly fault tolerant; when one node fails,
traffic can easily be diverted to other nodes.

550.The main disadvantages of Mesh topology are :-


a)Requires more cabling
b)Complex topologies. Difficult to set up and maintain. To illustrate, if there are 'n' nodes in the system,
total number of connections emanating from every node is(n-1) and the total number of connection in
the system is (n*(n-1)/2).
c)Difficult to introduce or remove nodes from the system as it necessitates rewiring.
d)Expensive maintenance.

551.Star Topology-Earlier referred to as ARCNET.

552.ARCNET-Attached Resource Computer Network.

553.In a star topology, there exists a central hub to which each and every node is connected. This
necessitates drawing a separate cable from each and every node to the central hub. All inter-node data
transmission has to pass through the hub.

554.Advantages of Star Topology :-

a)Easy to troubleshoot
b)Cabling types can be mixed
c)Easy to install and wire
d)No disruptions to the network when some nodes are down.
e)No disruptions to the network when connecting or removing devices.

555. Disadvantages of Star Topology :-


a)Hubs become a single point of failure.
b)Cabling more expensive on account of individual cables being drawn from nodes to the hubs.
c)More expensive than bus topology on account of the cost of the hubs.
d)The capacity of the hub determines the number of nodes that can be connected.

556.Tree Topology :-A tree topology is also called an expandable star topology.

557.Tree topology consists of groups of star-configured machines connected to one another by the use
of devices called hubs.

558.There are two types of hubs viz active hubs and passive hubs.

559.Active hubs need electric power and have the ability to drive other hubs and nodes.

560.However passive hubs can not drive hubs and are used to connect machines.

561.The connection between active hub and active hub and between active hub and passive hub is
permitted.

562.The connection between passive hub and active hub and between passive hub and passive hub is
not permitted.

563.Advantages of a tree topology :-


a)Point-to-point wiring for individual segments.
b)Supported by several hardware and software vendors.

564.Disadvantages of a tree topology :-


a)The type of cabling used limits the overall length of each segment.
b)If the backbone line breaks, the entire segment goes down.
c)More difficult to configure and wire than other topologies.

565.Bus Topology:-In a bus topology, a single cable also called the backbone runs through the entire
network connecting all the workstations, servers, printers and other devices on the network. The cable
runs from device to device by using “tee” connectors that plug into the network adapter cards. A device
wanting to communicate with another device on the network sends a broadcast message onto the wire
that all other devices see, but only the intended recipient actually accepts and processes the message.

566.The network speed in Bus Topology is 10 megabits per second.

567.Advantages of Bus Topology :-


a)Less expensive compared to star topology due to less cabling and no network hubs.
b)Good for smaller networks not requiring higher speeds.
c)Networks can be extended by usage of repeaters.
d)Easy to install

568.Disadvantages of Bus Topology :-


a)Limited in size and speed
b)One bad connector or failure of the backbone cable shuts down the entire network.
c)Difficult to troubleshoot
d)Addition of nodes negatively affects the performance of the whole network, and if there is a lot of
traffic throughput decreases rapidly.

569.Ring Topology – In a ring network, every device has exactly two neighbours for communication
purposes. All messages travel through a ring in the same direction (effectively either 'clockwise' or
'anti-clockwise'). A token, or a small data packet, is continuously passed around the network. Whenever
a device needs to transmit, it holds the token. Whoever holds the token has the right to communicate.

570.Token networks have the physical cabling of a star topology and the logical function of a ring
through use of a MAU.

571.MAU-Multi Access Units.

572.Advantages of Ring Topology :-


a)Every device gets an opportunity to transmit.
b)Performs better than a star topology under heavy network load.
c)Can create much larger network using Token Ring.

573.Disadvantages of Ring Topology :-


a)One malfunctioning workstation or bad port in the MAU can create problems for the entire network.
b)Movement, additions and changes of devices can affect the network.
c)Network adapter cards and MAUs are much more expensive than Ethernet cards and hubs.

574.Irregular topology-A topology that does not fit in any of the Mesh, Star, Tree, Bus or Ring methods
mentioned above is called an irregular topology.

575.The main considerations to be borne in mind when choosing a topology are – Money, Length of
cable, Future growth, Cable type.

576.There are two categories of networking devices-Intra-networking devices and inter-networking
devices.

577.Intra-networking devices-Repeaters and Bridges

578.Inter-networking devices-Routers and Gateways.

579.Attenuation-As signals travel through the network, they become weak and distorted. This process
is called attenuation.

580.To solve the problem of attenuation, repeaters are used.

581.The main function of a repeater is to receive incoming signals (a packet of data), regenerate the
signals to their original strength, and retransmit them.

582.For a repeater to be used, both the network segments must be identical. E.g. Ethernet-to-Ethernet
or Token Ring-to-Token Ring.

583.Bridges-A Bridge is an intra-networking device that is used either to extend or to segment the
networks.

584.Since bridges are concerned with the addresses of individual machines, they operate at the Datalink
layer and Physical layer.

585.Bridges are also used to join dissimilar media such as UTP cabling and fibre optic cabling, and to
join different network architectures such as Token Ring and Ethernet.

586.UTP-Unshielded Twisted Pair.

587.Bridges are of two major types viz. Local bridges and remote bridges.

588.Primarily, three types of bridging methodologies are employed viz transparent, spanning tree and
source routing.

589.Router-A router is an inter-networking device that is used to extend or segment networks by
forwarding packets from one logical network to another.

590.The purpose of router is to connect nodes across an inter-network regardless of the Physical layer
and Datalink layer protocol that is used.

591.Routers are hardware and topology independent.

592.Routers are not aware of the type of medium or frame that is being used(Ethernet, Token Ring,
FDDI, X.25 and the like).

593.Routing protocols are RIP, IGRP and OSPF.


RIP-Routing Information Protocol
IGRP-Interior Gateway Routing Protocol
OSPF-Open Shortest Path First.

594.Brouter-It is a network device that has the capabilities of both a bridge and a router.

595.Usually, a brouter will act as a router for one protocol(eg TCP/IP) and a bridge for all other
protocols(eg IPX/SPX).
IPX-Inter-network Packet Exchange
SPX-Sequenced Packet Exchange

596.Gateway-Gateways are a broad category of network components that allow communication
between different networking architectures and different protocols.

597.A gateway might translate protocols to allow transparent communications between IPX based
systems and systems based on TCP/IP, SNA, or Apple Talk.

598.IPX-Inter-network Packet Exchange

599.SNA-Systems Network Architecture.

600.Every protocol has three important components viz syntax, semantics and timing.

601.Syntax-which deals with the format of data.

602.Semantics-which refers to the meaning of various portions of the data.

603.Timing-which focus on when data should be sent and how fast.

604.For software developers to build software products based on protocols it is essential that standards
be developed. To this end, various regulatory bodies are involved in development of standards. They
are ISO, ITU, ANSI, IEEE, EIA.

605.ISO-International Standards Organisation

606.ITU-International Telecommunications Union

607.ANSI-American National Standards Institute

608.IEEE-Institute of Electrical and Electronic Engineers

609.EIA-Electronic Industries Association.

610.The ISO developed a seven layer model for computer networks. The model is known as the ISO/OSI
reference model.

611.OSI-Open Systems Interconnection.

612.The seven layers of the OSI reference model are as follows :-


i)Layer 7 : The Application layer
ii)Layer 6 : The Presentation layer
iii)Layer 5 : The Session layer
iv)Layer 4 : The Transport layer
v)Layer 3 : The Network layer
vi)Layer 2 : The Datalink layer
vii)Layer 1 : The Physical layer

613.The Application, Presentation and Session layers mainly focus on applications and are more user-
oriented.

614.The Network, Datalink and Physical layer focus more on hardware(network support) and how to
move data from source to destination.

615.The Transport layer acts as a bridge between the lower layers, which are more concerned with
hardware and upper layers, which are more user-oriented.

616.The main functions of the application layer are :-


i)Provide facilities/interfaces to run application programs.
ii)Create a network virtual terminal
iii)Perform file transfer operations
iv)Provide facility for e-mail
v)Directory lookup facility

617.The main functions of the presentation layer are :-

i)Data format conversion.
ii)Encryption
iii)Data Compression
iv)Validating user log-on ids and passwords

618.The main tasks of a session layer are :-


i)Management of dialogue control
ii)Token management
iii)Insertion of checkpoints
iv)Synchronisation

619.The main functions of the transport layer are :-


i)Segmentation and reassembly
ii)End-to-end message delivery
iii)Connection control
iv)Flow control

620.The main tasks of a network layer are :-


i)Routing
ii)Congestion control
iii)Logical addressing
iv)Address transformation

621.The main tasks of a datalink layer are :-


i)Error control
ii)Flow control
iii)Creation of frames

622.TCP-Transmission Control Protocol

623.IP-Internet Protocol

624.OSI is a seven layered standard, but TCP/IP is a four layered protocol stack.

625.TCP/IP-Application, Transport, Internet and Link

626.OSI Model-Application, Presentation, Session, Transport, Network, Data Link, Physical

627.TCP/IP Protocol is nicknamed as 'the language of internet'.

MODULE-C-CONTINUITY OF BUSINESS
CHAPTER-11-BUSINESS CONTINUITY & DISASTER RECOVERY
PLANNING
628.BCP-Business Continuity Plan is a plan containing set of procedures to ensure the continuity of the
critical banking operations in spite of disruptions caused by natural/man-made disasters/catastrophe.

629.DRP-Disaster Recovery Plan is a plan containing a set of procedures to restore the information
processing facility for applications/data that are critical from the customer's point of view.

630.The difference between BCP and DRP :- BCP refers to set of procedures to provide continuity of
various business activities such as production facilities, critical operations, marketing facilities,
purchase facilities, stores activities and information processing facilities. DRP is only pertaining to
Information Processing Facility(IPF).

631.BCPs generally cover most or all of an organisation's critical business processes and operations.

632.As part of the business continuity process an organisation will normally develop a series of DRPs.

633.The most well-known example of a DRP is the Information Technology(IT) DRP.

634.Banking applications shall have to be ranked based on the recovery window time available for
recovery(service breach tolerance time) from the customer point of view and degree of automation.

635.Ranking of banking applications are :-


i)Critical systems
ii)Vital systems
iii)Non-critical systems

636.Critical Systems : CS are the systems which can not be substituted by manual systems, and the
tolerance time for them is near zero for disruptions to business operations. Eg. online transactions,
m-commerce/e-commerce transactions, internet banking & ATM operations, Treasury/Forex operations
etc.

637.Vital Systems : VS are the systems which can be substituted by manual systems only for a brief
period, and the tolerance time is relatively more than for critical systems and less than for non-critical
systems. Eg. Opening/closing of SB A/c, Current A/c, Deposit A/c etc., changes to KYC fields etc.

638.Non-critical Systems : NCS are the systems which can be substituted by manual systems for a
very long period and do not impact the operations. Even if these systems are not available for some
reasonable period, it may not have adverse impact/serious consequences. Eg. Disbursement in
non-priority loans, suit filed accounts operations, MIS information for business etc.

639.Processing systems categories are :-


i)Batch processing
ii)On-line processing
iii)Real time processing

640.Batch processing-BP systems are the systems wherein transactions are manually recorded over a
period of time and then updated in computer file in one stroke batch by batch. Eg. Payroll.

641.Online Processing- OP systems are the systems wherein transactions are effected through computer
but updations to various computer files are made at random intervals of time. Eg.ATM transaction
updations from one city to another city as done in the present days in Indian environment.

642.Real time Processing-RP systems are the systems wherein transaction is initiated through
computer and also various updations are instantly carried out. Eg. Payments & receipts and remittances
in the nature of SWIFT, NEFT, RTGS, IMPS etc.

643.Major threats include disaster events and catastrophe events.

644.Hybrid threat – Fire and power failure.

645.Minor threat-Disk crash, network failure, corruption of application software, virus attack on some
data/application files.

646.Major threat-Destruction of substantial IPF(Information Processing Facility) facilities due to
threats like fire, earthquake etc.

647.Catastrophe-Destruction of all IPF facilities due to threats like prolonged fire, high-intensity
earthquake etc.

648.Disaster Life Cycle has got four stages :-


i)Preparatory procedures
ii)Emergency response
iii)Interim processing
iv)Relocation

649.Preparatory procedures-indicate preparation activities before the occurrence of the disaster. These
activities help to reduce the impact of the disaster in case it occurs.

650.Emergency response-refers to activities that are carried out during or immediately after disaster.
These activities include evacuation of human beings, shut down of network computers, cut off of
power, removal of files etc.

651.Interim processing-refers to activities that are to be undertaken to continue the business
immediately after disaster until normal processing capability is restored. These activities include
packing of backup files at the off-site, transportation of the same to an alternative site like hot site/warm
site/cold site, installation of systems software, application software, uploading of data etc.

652.Relocation-refers to activities needed to restore processing capabilities to its normal condition.

653.Components of DRP are :-


i)Emergency plan
ii)Backup plan
iii)Recovery plan
iv)Test plan

654.The Emergency plan, Backup plan, Recovery plan and Test plan are all part of the preparatory
procedures phase of the disaster life cycle.

655.Emergency plan deals with :-


a)Communication team
b)Emergency action team
c)Damage assessment team
d)Emergency management team

656.Backup Plan-The following resources are to be backed up at the off site :-


a)Master and transaction files
b)Application program files
c)System software files
d)System/operation manuals
e)Telephone contact list
f)Pre-printed stationery and numbered documents
g)Supplies
h)A copy of BCP
i)List of names of hardware vendors

657.In batch processing data files in CD/Floppy/DATs can be sent to off site on daily basis.

658.In online processing data can be sent by on-line file transfer at periodical intervals.

659.In real time processing data are to be transferred online instantly from on site to off site on
transaction-to-transaction basis.

660.RAID-Redundant Array of Inexpensive Disks

661.Concept of RAID is used to have backup of contents of entire hard disk in alternative disks.

662.Recovery Plan-This plan deals with choosing the best recovery strategy out of the following
alternatives :-
a)Mirror site(duplicate processing facility)
b)Hot site
c)Warm site
d)Cold site
e)Mobile site
f)Reciprocal agreement

663.Mirror Site- MS is a site wherein a backup of all the processing facilities is maintained. Restoration
is readily possible. This site contains the backup of the following :-
a)Master and transaction files
b)Application program files
c)System software files
d)System/operation manuals
e)Telephone contact list
f)Pre-printed stationery and numbered documents
g)Supplies
h)A copy of BCP
i)All hardware items
j)Networking facilities

664.Hot site is a site wherein the following facilities are provided :-


a)System software files
b)All hardware items
c)Networking facilities
d)Building with electrical connections
e)IS personnel

665.Restoration time is less in the case of hot site.

666.Warm site is a site wherein the following facilities are provided :-

a)Some system software files
b)Some hardware items
c)Some networking facilities
d)Building with electrical connections

667.Restoration time in the case of warm site is relatively high.

668.Cold site is a site wherein the following facilities are provided :-


a)Building with electrical connections, air conditioner etc.

669.Restoration time in the case of cold site is relatively very high.

670.Mobile site is a heavy vehicle installed with minimum computer operation facilities wherein the
following facilities are provided :-
a)Some system software files
b)Some hardware items
c)Some networking facilities

671.Restoration time in the case of mobile site is less than warm site.

672.Reciprocal Agreement : RA is an arrangement wherein two different companies under the same
industry mutually agree for providing the respective information processing facilities to the other
company affected by disaster.

673.Reciprocal Agreement is the least costly method.

674.There are some disadvantages in Reciprocal Agreement. They are as under :-


a)Confidentiality of data especially in the hands of competitor company.
b)Hardware and operation facilities would become incompatible over a period of time.
c)IS personnel changes are likely to take place over a period of time and hence operations may not be
easily restorable.

675.Contracts with various service providers :-The following points have to be considered in executing
the agreement with service provider providing facilities of hot site/cold site/warm site:-
a)Number of subscribers
b)Priority amongst subscribers
c)Usage period limitation
d)Insurance of resources of the organisation when using the recovery site.
e)Permission for conducting simulation test.

The disaster recovery plan involves the following teams :-
a)Off site team
b)Transportation team
c)Hardware engineers team
d)System programmers team
e)Application programmers team
f)Data team
g)Emergency operation team
h)Security team
i)Network recovery team
j)Administrative support team

676.Selection of recovery alternatives-Ideal selections can be as under :-

Critical systems : Mirror site or off site plus hot site.
Vital systems : Off site + hot site
Sensitive systems : Off site + Warm site + Hardware acquisition
Non-critical systems : Off site + Cold site + Hardware acquisition

677.Relocation-After the interim processing period the information processing facilities have to be shifted back to the original location (or a site near it) where the disaster occurred. The following teams handle these jobs :-
a)Salvage team
b)Relocation team

678.Salvage team- is responsible to handle the insurance matters and also to decide the place of
relocation.

679.Relocation team-is responsible to shift the processing facilities from interim recovery sites to final
place of relocation.

682.Test plan involves three stages as under :-


a)Pre-testing stage
b)Testing stage
c)Post-testing stage

683.Types of testing are as under :-
a)Paper testing
b)Action test(dynamic test)

684.Paper test includes checklist test and structured walkthrough.

685.Checklist test- is a paper test carried out by team leaders and team members to check that the action items to be carried out by each team member are complete. Detailed procedures are not reviewed here.

686.Structured walkthrough- is a paper test carried out by team leaders and team members to check the completeness of the detailed procedures behind the action items assigned to each team member. Here every stage of each item on the checklist is considered for testing.

687.Action test-includes preparedness test(phased simulation test), parallel test and full interruption
test.

688.Under a preparedness test the disaster scenario is simulated in phases. For instance, a total disk crash scenario can be simulated and the actions of the relevant teams observed and tested; a second example is a connectivity failure scenario, in which the actions of the relevant team are observed.

689.Parallel test – is a test carried out at the recovery site without disturbing the data processing systems at the primary (on-site) location, i.e. testing at the recovery site is carried out without simulating any kind of disaster scenario at the primary site.

690.Full interruption test-is carried out to find out the operational capability of recovery procedures by simulating a total disaster scenario. The organisation should take adequate care to prevent the simulation from turning into a real disaster.

691.The following resources/areas can be insured :-


a)Hardware
b)Storage media
c)Valuable papers and records
d)Media under transportation
e)Extra expense insurance
f)Business interruption insurance
g)Covers against malpractices, errors and omissions(fidelity)

692.The backups should be consistent and current. Various types of backups include :-
i)On-line backups at alternative recovery sites/branches (e.g. hot sites).
ii)Daily day-end backups on tapes/floppies/DATs/CDs (cold backups).
iii)Incremental backups (warm backups).
iv)Weekly backups, monthly backups, year end backups and milestone backups.
v)Purge backups, troubleshooting backups.

693.A separate DRP has to be maintained for each of the following categories of branches/systems :-
a)Centrally computerised fully networked banks
b)Fully networked banks with distributed computing
c)Banks offering Internet Banking, POS connectivity etc.
d)ATMs including SWADHAN
e)Local area networked and wide area networked administrative offices.
f)Fully computerised branches.
g)Partially computerised branches.
h)ALPM branches
i)PC based branches
j)Banks at different stages of SDLC
k)Corporate e-mail systems.

694.DRP :-
i)Regional Office – nearby Regional Offices.
ii)Zonal Office – nearby Zonal Offices.
iii)Head Office-nearby Zonal Offices or separate locations.

695.Where the place has only one branch of the bank, offsite backups are to be stored in the nearest
bank by hiring a locker.

696.BCP-Business Continuity Planning

697.BCP is the process whereby financial institutions ensure the maintenance or recovery of
operations, including services to customers, when confronted with adverse events such as natural
disasters, technological failures, human error, or terrorism.

698.The objectives of a BCP are :-


i)Minimize financial loss to the institution.
ii)Continue to serve customers and financial market participants.
iii)Mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality and market position.
iv)Remain in compliance with applicable laws and regulations.

699.The following points guide a process-oriented approach to business continuity planning:-
i)Business Impact Analysis(BIA)
ii)Risk assessment
iii)Risk management
iv)Risk monitoring

700.Disaster Planning- basically is a planning and implementation process which ensures that the business and its data will survive an unforeseen calamity, and that systems and the business can keep working even when incidents beyond normal control adversely affect the business.

701.There are basically three levels of Disaster Recovery Strategies-


i)Cold Site Replication
ii)Warm Site Replication
iii)Hot Site Replication

702.Cold Site Replication-This is basically an entry level solution where the recovery time may be as much as 10 days; for a medium sized bank it is typically between 5 and 7 days.

703.Cold Site Replication is lowest cost solution.

704.Warm Site Replication-This is a good initial level solution for a medium sized branch where the recovery time is generally between one hour and 8 hours, extending sometimes to 24 hours.

705.Warm Site Replication is medium cost solution.

706.Hot Site Replication is a high end solution for businesses which cannot afford to stop even for seconds. Recovery times can be as low as a minute, extending to 10 minutes.

707.Hot Site Replication is higher cost solution.

708.Business Impact Analysis-Business continuity planning depends on a clear understanding of business processes and data, and associated risks. The business continuity process formalizes procedures to :-
i)Identify important business processes, data and technology infrastructure.
ii)Identify associated risks and impact.
iii)Develop scenarios and business continuity strategies.

709.For our Software Development Cycle version management we use Microsoft Visual Source Safe
among other freeware utilities.

710.Technical staff-Programmers, administrators and operators

711.Executive managers-Emergency decision makers

712.Facilities managers-Power, cooling, cabling

713.Human resources-staff issues and needs

714.Business units-Business processes

715.External organizations-Outsourcers, telcos and suppliers.

716.Senior management and the board of directors are responsible for identifying, assessing,
prioritizing, managing and controlling risks.

717.A financial institution's board of directors and senior management are responsible for :-
i)Allocating sufficient resources and knowledgeable personnel to develop the BCP.
ii)Setting policy by determining how the institution will manage and control identified risks.
iii)Reviewing BCP test results.
iv)Approving the BCP on an annual basis.
v)Ensuring the BCP is kept up-to-date and employees are trained and aware of their role in its
implementation.
b)Facilities
c)Logistics
d)Testing
e)Assessments

718.Taking a comprehensive view, we recognize that people, process and technology play prominent
roles in all business continuity programs. In this regard, we assess and define acceptable levels of risk
covering policies, technology architectures, facilities, access controls, processes, organization and
personnel.

719.Key deliverables for BC Assessments include :-


i)Critical asset profiles covering business processes, information and other business continuity policy
assessments.
ii)Risk analysis with identifiable threats and vulnerabilities.
iii)Business impact analysis
iv)Disaster recovery assessments
v)Descriptions of enhancement and alternatives with cost/benefit analysis
vi)High-level work breakdown structures to implement enhancements.

710.Building Business Continuity Programmes:-Typical deliverables may include :-
i)Business continuity and disaster recovery policies.
ii)High-availability architectures covering applications architectures, database architectures, network
architectures, server configurations, storage architectures, management systems architectures.
iii)Facility plans covering N+X designs
iv)Business continuity processes covering change management, production acceptance, intrusion
detection, intrusion response, user access management, backup and recovery, and disaster recovery and
v)Organization structures, functional descriptions and training plans.

711.Managing Business Continuity Programs-Key deliverables may include, among others:-


i)Disaster preparation
ii)Disaster response and recovery
iii)Ongoing business continuity assessments and audits
iv)Business continuity and disaster awareness education and
v)Disaster recovery testing

712.Firms that play significant roles in critical financial markets are those that participate in sufficient
volume or value such that their failure to perform critical activities by the end of the business day could
present systemic risk.

713.A financial institution's business continuity planning process should reflect the following
objectives:-
i)Business continuity planning is about maintaining, resuming, and recovering the business, not just the
recovery of the technology.
ii)The planning process should be conducted on an enterprise-wide basis.
iii)A thorough business impact analysis and risk assessment is the foundation of an effective BCP.
iv)The effectiveness of a BCP can only be validated through testing or practical application.
v)The BCP and test results should be subjected to an independent audit and reviewed by the board of
directors.
vi)A BCP should be periodically updated to reflect and respond to changes in the financial institution or
its service providers.

714.BIA-Business Impact Analysis

715.The institution's first step in developing a BCP is to perform a BIA.

716.BIA is the foundation over which the entire BCP is developed.

717.BIA is identification of business impacts over period of disruption(from the time of disruption).

718.A BIA is the first step in developing a BCP. It should include :-
i)Identification of the potential impact of uncontrolled, non-specific events on the institution's business
processes and its customers;
ii)Consideration of all departments and business functions, not just data processing; and
iii)Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial
losses.

719.Gap Analysis:-A GA is a methodical comparison of what types of plans the institution(or business
line) needs to maintain, resume, or recover normal business operations in the event of a disruption,
versus what the existing BCP provides. The difference between the two highlights additional risk
exposure that management and the board need to address in BCP development.

720.The risk assessment considers:-


i)The impact of various business disruption scenarios on both the institution and its customers.
ii)The probability of occurrence based, eg. on a rating system of high, medium, and low
iii)The loss impact on information services, technology, personnel, facilities, and service providers
from both internal and external sources.
iv)The safety of critical processing documents and vital records and
v)A broad range of possible business disruptions, including natural, technical, and human threats.

721.The risk assessment is the second step in developing a BCP. It should include:-
i)A prioritization of potential business disruptions based upon severity and likelihood of occurrence.
ii)A gap analysis comparing the institution's existing BCP, if any, to what is necessary to achieve
recovery time and point objectives and
iii)An analysis of threats based upon the impact on the institution, its customers, and the financial
markets, not just the nature of the threat.

722.In addition to documenting BCPs, other policies, standards and practices should address continuity
and availability considerations. These include Systems Development Life Cycle(“SDLC”), change
control, and data synchronization.

723.As part of the SDLC process, management should incorporate business continuity considerations
into project plans.

724.During the development and acquisition of new systems, SDLC standards and project plans should
address, at a minimum, issues such as :
i)Business unit requirements for resumption and recovery alternatives.
ii)Information on back up and storage
iii)Hardware and software requirements at recovery locations
iv)BCP and documentation maintenance
v)Disaster recovery testing and
vi)Staffing and facilities

725.Insurance is by no means a substitute for an effective BCP, since its primary objective is not the recovery of the business. E.g., insurance cannot reimburse an institution for damage to its reputation.

726.Especially since September 11th, the need for a comprehensive disaster recovery plan has become a
priority for many organizations.

727.Management should ensure recovery testing is conducted at least annually, or more frequently,
depending on the operating environment and criticality of the applications and business functions.

728.The validation requires the participation of appropriate business, operations, and technology staff.
Plan assumptions requiring validation include :-
i)Criticality of services
ii)Volume of transactions
iii)Interrelationships among business functions.
iv)Selecting the business continuity planning strategy related to use of facilities and other outages and
v)Availability and adequacy of resources required to provide the planned service level, such as the time
required to establish facilities, obtain backup files, or reconstruct documents.

729.Tabletop/Mini-drill : A tabletop/mini-drill is somewhat more involved than an orientation/walk-through because the participants choose a specific event scenario and apply the BCP to it. It includes :-
i)Practice and validation of specific functional response capability.
ii)Focus on demonstration of knowledge and skills, as well as team interaction and decision-making
capability.
iii)Role playing with simulated response at alternate locations/facilities to act out critical steps,
recognize difficulties, and resolve problems in a non-threatening environment.
iv)Mobilization of all or some of the crisis management/response team to practice proper coordination
and
v)Varying degrees of actual, as opposed to simulated, notification and resource mobilization to
reinforce the content and logic of the plan.

730.Full Scale Testing-Full-scale testing is the most comprehensive type of test. In a full-scale test, the
institution implements all or portions of its BCP by processing data and transactions using backup
media at the recovery site. It involves :-
i)Validation of crisis response functions
ii)Demonstration of knowledge and skills, as well as management response and decision -making
capability.
iii)On-the-scene execution of coordination and decision-making roles.
iv)Actual, as opposed to simulated, notifications, mobilization of resources, and communication of
decisions.
v)Activities conducted at actual response locations or facilities.
vi)Enterprise-wide participation and interaction of internal and external management response teams
with full involvement of external organizations.
vii)Actual processing of data utilizing backup media and
viii)Exercises generally extending over a longer period of time to allow issues to fully evolve as they
would in a crisis, and allow realistic role-play of all the involved groups.

731.A BCP is a "living" document, changing in concert with changes in the business activities it supports.

732.Senior management, the planning team or coordinator, team members, internal audit, and the board of directors should review the plan at least annually.

733.Testing of Infrastructure-Testing the operating systems and utilities.

734.Testing of Application level-Testing of all critical applications.

735.Integrated testing-Data transfer between applications.

736.Stress testing-Testing the complete environment and workload.

737.TSP-Technical Service Provider

738.When testing with the critical service providers, determine whether management considered
testing :-
i)From the institution's primary location to the TSPs' alternative location.
ii)From the institution's alternative location to the TSPs' primary location and
iii)From the institution's alternative location to the TSPs' alternative location.

739.Determine if institution management has assessed the adequacy of the TSP's business continuity program through their vendor management program, e.g. contract requirements, SAS 70 reviews (SAS 70 has since been superseded by SSAE 16/18 SOC 1 reports).

740.Crisis Management is a systematic response to unexpected events that threaten the people, property
and operating continuity of the organization. It is a formal response to any event that threatens the
financial and operational stability of an organization.

741.Backup Generation-A methodology for creating and storing backup files whereby the youngest(or
most recent file) is referred to as the “son”, the prior file is called the “father” and the file two
generations older is the “grandfather”. This backup methodology is frequently used to refer to master
files for financial applications.

742.BCP-A comprehensive written plan to maintain or resume business in the event of a disruption.

743.BIA-The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.

744.Critical financial markets:-Financial markets whose operations are critical to the U.S. economy, including markets for fed funds, foreign exchange, commercial paper, and Government, corporate and mortgage-backed securities.

745.Data synchronization:-The comparison and reconciliation of interdependent data files at the same
time so that they contain the same information.

746.Disaster recovery plan:-A plan that describes the process to recover from major processing
interruptions.

747.Emergency plan:-The steps to be followed during and immediately after an emergency such as a
fire, tornado, bomb threat etc.

748.Encryption:-The conversion of information (plaintext) into a code or cipher (ciphertext) using a key, so that only a holder of the corresponding key can recover the original.

749.FEMA:-Federal Emergency Management Agency.

750.Gap analysis-A comparison that identifies the difference between actual and desired outcomes.

751.GETS-Govt. Emergency Telecom. Service card program. GETS cards provide emergency access
and priority processing for voice communications services in emergency situations.

752.HVAC-Heating, ventilation and air-conditioning.

753.Media-Physical objects that store data, such as paper, hard disk drives, tapes, and compact
disks(CDs).

754.Mirroring-A process that duplicates data to another location over a computer network in real time
or close to real time.

755.Object program-A program that has been translated into machine-language and is ready to be
run(i.e. executed) by the computer.

756.PBX-Private Branch Exchange.

757.Reciprocal agreement-An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or "as time available" basis.

758.Recovery point objective :-The amount of data, measured as the period of time since the last usable backup, that can be lost without severely impacting the recovery of operations.

759.Recovery site-An alternate location for processing information(and possibly conducting business)
in an emergency. Usually distinguished as “hot” sites that are fully configured centres with compatible
computer equipment and “cold” sites that are operational computer centres without the computer
equipment.

760.Recovery time objectives-The period of time that a process can be inoperable.

751.Recovery vendors-Organizations that provide recovery sites and support services for a fee.

752.Routing-The process of moving information from its source to a destination.

753.Server-A computer or other device that manages a network service. Eg. print server, a device that
manages network printing.

754.Source program-A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.

755.SDLC-System Development Life Cycle.

756.SDLC-A written strategy or plan for the development and modification of computer systems,
including initial approvals, development documentation, testing plans and results, and approval and
documentation of subsequent modifications.

757.T-1 line-A special type of telephone line for digital communication only.

758.UPS-Un-interruptible power supply. A collection of batteries that provide electrical power for a
limited period of time.

759.Utility programs-A program used to configure or maintain systems, or to make changes to stored or
transmitted data.

760.Vaulting-It is a process that periodically writes backup information over a computer network
directly to the recovery site.

761.Given Government regulations to control ozone depletion, halon fire suppression systems are being replaced with alternative fire suppressant systems.

762.Alternative fire suppressant systems utilize clean agents and include Inergen, FM-200, FE-13 and carbon dioxide. Dry pipe sprinkler systems should be used: they activate upon detection of a fire and fill the pipes with water only when required, thereby minimizing the risk of water damage from burst pipes.

763.When a third party performs services on behalf of the institution, increased levels of credit,
liquidity, transaction, and reputation risk can result.

764.When contracting with third-party providers for recovery services, institutions should consider :-
i)Staffing
ii)Processing Time Availability
iii)Access Rights
iv)Hardware and Software
v)Security Controls
vi)Testing
vii)Confidentiality of Data
viii)Telecommunications
ix)Reciprocal Agreements
x)Space
xi)Paper Files and Forms
xii)Printing Capacity/Capability
xiii)Contacts

765.IGESSCI-Inter agency Guidelines Establishing Standards for Safeguarding Customer Information.

766.The technology components that should be addressed in an effective BCP include :-


i)Hardware-mainframe, network, end-user;
ii)Software-applications, operating systems, utilities;
iii)Communications(network and telecommunications);
iv)Data files and vital records;
v)Office equipment

767.Large institutions that operate critical real-time processing operations or critical high-volume
processing activities should consider mirroring or vaulting.

768.Smaller, less complex institutions may contract for a “mobile hot site” i.e. a trailer outfitted with
the necessary computer hardware that is towed to a predetermined location in the event of a disruption
and connected to a power source.

769.Duplicate Facilities/Split Operations(“active/active” model)-under this scenario, two or more
separate, active sites provide inherent backup to one another.

770.Cold Site-Cold sites are locations that are part of a longer-term recovery strategy. A cold site
provides a backup location without equipment, but with power, air conditioning, heat, electrical,
network and telephone wiring, and raised flooring.

771.Tertiary Location-Some financial institutions have identified the need to have a third location or a
“backup to the backup”.

772.Some financial institutions enter into agreements, commonly referred to as "Reciprocal Agreements", with other institutions to provide equipment backup.

773.The frequency of file back-up also depends on the criticality of the application and data.

774.Critical data should be backed up using the multiple-generation ("grandfather-father-son") method and rotated to an off-site location at least daily.
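The grandfather-father-son rotation described in items 741 and 774, worked through as an added example (this is not code from the IIBF notes). It assumes a retention policy of 7 daily, 4 weekly and 12 monthly generations, takes the first backup of each month as the grandfather and the Sunday backup as the father, and adds a data-loss-window helper to show how the retained set relates to the recovery point objective; all of these choices are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Set

# Assumed retention policy (an assumption for this example, not a figure
# from the notes): keep 7 daily "sons", 4 weekly "fathers" and 12 monthly
# "grandfathers". Each generation is pruned independently of the others.
DAILY_KEEP, WEEKLY_KEEP, MONTHLY_KEEP = 7, 4, 12
KEEP = {"son": DAILY_KEEP, "father": WEEKLY_KEEP, "grandfather": MONTHLY_KEEP}


@dataclass(frozen=True)
class Backup:
    taken: date
    generation: str  # "son", "father" or "grandfather"


def classify(day: date) -> str:
    """Generation of the day-end backup taken on `day`.

    Assumed convention: the first backup of the month is the grandfather,
    the Sunday backup closes the week and is the father, anything else is a son.
    """
    if day.day == 1:
        return "grandfather"
    if day.weekday() == 6:  # Monday is 0, so Sunday is 6
        return "father"
    return "son"


def retain(backups: Iterable[Backup], today: date) -> Set[Backup]:
    """Backups still inside their retention window as of `today`.

    Each generation keeps only its KEEP[gen] most recent copies; older media
    in that generation are released for re-use, which is the rotation.
    """
    keep: Set[Backup] = set()
    for gen, count in KEEP.items():
        newest_first = sorted(
            (b for b in backups if b.generation == gen and b.taken <= today),
            key=lambda b: b.taken,
            reverse=True,
        )
        keep.update(newest_first[:count])
    return keep


def run_rotation(start: date, days: int) -> Set[Backup]:
    """Take one day-end backup per day for `days` days, pruning after each."""
    held: Set[Backup] = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        held.add(Backup(day, classify(day)))
        held = retain(held, day)
    return held


def restore_point(backups: Iterable[Backup], as_of: date) -> Optional[Backup]:
    """Most recent retained backup taken on or before `as_of` (None if none)."""
    candidates = [b for b in backups if b.taken <= as_of]
    return max(candidates, key=lambda b: b.taken) if candidates else None


def data_loss_window(backups: Iterable[Backup], incident: date) -> Optional[timedelta]:
    """Elapsed time between the last usable backup and the incident.

    This is the quantity a recovery point objective caps: with only day-end
    tapes, an incident on day D loses everything posted since the D-1 backup.
    """
    rp = restore_point(backups, incident)
    return incident - rp.taken if rp else None


if __name__ == "__main__":
    held = run_rotation(date(2019, 1, 1), 120)  # 2019-01-01 .. 2019-04-30
    for b in sorted(held, key=lambda b: b.taken):
        print(b.taken, b.generation)
    print("data lost if a disaster strikes on 2019-05-02:",
          data_loss_window(held, date(2019, 5, 2)))
```

Run for 120 days from 1 January 2019 the retained set is 7 sons, 4 fathers and 4 grandfathers (January to April); the oldest copy still held is the 1 January grandfather. The data-loss window is the figure to hold against the RPO: with day-end tapes alone, an incident on 2 May can lose everything since the 30 April backup, which is why item 775 sends high-volume systems to vaulting or mirroring instead.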

775.Online/real-time or high volume systems may necessitate more aggressive backup methods such as mirroring or electronic vaulting at a separate processing facility to ensure appropriate backup of operations, as an alternative to backup tape storage.

776.Remote journaling is the process of recording transaction logs or journals at a remote location.
These logs and journals are used to recover transaction and database changes since the most recent
back up.
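Remote journaling and recovery since the last backup (items 775 and 776), as an added example that is not taken from the notes: a tiny key/value "database" with a hash-chained transaction journal, a day-end snapshot, and a recover routine that replays only the shipped entries after the snapshot and stops at the first gap or tampered entry. The hash chain, the account keys and the postings are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first journal entry


@dataclass(frozen=True)
class JournalEntry:
    seq: int             # strictly increasing sequence number
    op: str              # "put" or "delete"
    key: str
    value: Optional[str]
    prev_hash: str       # digest of the preceding entry (hash chain)
    digest: str          # SHA-256 over this entry's fields and prev_hash


@dataclass
class Snapshot:
    seq: int             # last journal sequence number folded into this backup
    last_hash: str       # digest of that entry, so replay can resume the chain
    data: Dict[str, str]


def entry_digest(seq: int, op: str, key: str, value: Optional[str], prev_hash: str) -> str:
    payload = json.dumps([seq, op, key, value, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


class Journal:
    """Append-only transaction log; each append is what remote journaling ships off-site."""

    def __init__(self) -> None:
        self.entries: List[JournalEntry] = []
        self._last_hash = GENESIS

    def append(self, op: str, key: str, value: Optional[str] = None) -> JournalEntry:
        seq = len(self.entries) + 1
        digest = entry_digest(seq, op, key, value, self._last_hash)
        entry = JournalEntry(seq, op, key, value, self._last_hash, digest)
        self.entries.append(entry)
        self._last_hash = digest
        return entry


def _apply(data: Dict[str, str], entry: JournalEntry) -> None:
    if entry.op == "put":
        if entry.value is None:
            raise ValueError("put without a value")
        data[entry.key] = entry.value
    elif entry.op == "delete":
        data.pop(entry.key, None)
    else:
        raise ValueError("unknown op %r" % entry.op)


def recover(snapshot: Snapshot, entries: List[JournalEntry]) -> Tuple[Dict[str, str], int]:
    """Rebuild state as the last backup plus the journal shipped after it.

    Entries already inside the snapshot are skipped; the rest must continue
    the hash chain from snapshot.last_hash with consecutive sequence numbers.
    Replay stops at the first gap, reordering or digest mismatch, so a torn or
    tampered tail is never applied. Returns the recovered data and the
    sequence number the data is consistent with.
    """
    data = dict(snapshot.data)
    prev_hash, expected_seq = snapshot.last_hash, snapshot.seq + 1
    for e in sorted(entries, key=lambda e: e.seq):
        if e.seq <= snapshot.seq:
            continue
        intact = (e.seq == expected_seq and e.prev_hash == prev_hash
                  and e.digest == entry_digest(e.seq, e.op, e.key, e.value, e.prev_hash))
        if not intact:
            break
        _apply(data, e)
        prev_hash, expected_seq = e.digest, e.seq + 1
    return data, expected_seq - 1


def take_snapshot(entries: List[JournalEntry]) -> Snapshot:
    """Full backup: fold every verified entry into a snapshot."""
    data, seq = recover(Snapshot(0, GENESIS, {}), entries)
    last_hash = next((e.digest for e in entries if e.seq == seq), GENESIS)
    return Snapshot(seq, last_hash, data)


def build_scenario() -> Tuple[Snapshot, List[JournalEntry]]:
    """Constructed sample: two postings caught by the day-end backup, two more after it."""
    j = Journal()
    j.append("put", "acct:1001", "500")
    j.append("put", "acct:1002", "200")
    snapshot = take_snapshot(j.entries)   # backup taken after seq 2
    j.append("put", "acct:1001", "450")   # post-backup activity, journaled remotely
    j.append("delete", "acct:1002")
    return snapshot, list(j.entries)


if __name__ == "__main__":
    snap, shipped = build_scenario()
    print("recovered:", recover(snap, shipped[2:]))   # only the post-backup log is needed
```

Recovering from the snapshot plus the two shipped entries gives `{"acct:1001": "450"}` at sequence 4. If entry 3 never reaches the remote site, replay halts at sequence 2 and the recovered state is exactly the snapshot; if entry 4 is altered in transit, its digest no longer matches and replay halts at 3. The sequence number returned is what the recovery team reports as the point the restored system is consistent with.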

777.Software back up for all hardware platforms consists of three basic areas :-operating system
software, application software, and utility software.

778.The operating system software should be backed up with at least two copies of the current version.

779.When determining an alternate processing site, management should consider scalability, in the
event a long-term disaster becomes a reality.

780.Risk monitoring ensures a BCP is viable through testing, independent review, and periodic
updating.

782.The Business Impact Analysis(BIA) determines the recovery point objectives and recovery time objectives, which then help determine the appropriate recovery strategy.
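How a BIA's loss figures become an RTO and then a recovery strategy (items 676, 702-707, 719-721 and 782), as an added worked example rather than anything from the notes. The restoration times come from items 702-707 (cold site up to 10 days, warm site up to 24 hours, hot site up to 10 minutes); the loss tiers, the tolerable loss, the zero-hour figure for a mirror site and the 15-minute shipping interval for vaulting are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# (hours_until, loss_per_hour); hours_until=None marks the open-ended last tier.
Tier = Tuple[Optional[float], float]

# Constructed BIA figures for one business process (assumptions for the
# example): losses escalate the longer the outage lasts.
EXAMPLE_TIERS: List[Tier] = [(8, 10_000), (24, 50_000), (None, 200_000)]
EXAMPLE_TOLERABLE_LOSS = 500_000


def cumulative_loss(hours: float, tiers: Sequence[Tier]) -> float:
    """Financial loss accumulated over an outage lasting `hours`."""
    loss, prev = 0.0, 0.0
    for until, rate in tiers:
        end = hours if until is None else min(hours, until)
        if end > prev:
            loss += (end - prev) * rate
            prev = end
        if until is None or hours <= until:
            break
    return loss


def max_allowable_downtime(tiers: Sequence[Tier], tolerable_loss: float,
                           horizon_hours: int = 24 * 30) -> int:
    """Longest outage (whole hours) whose cumulative loss stays within tolerance.

    This is the recovery time objective that item 782 says the BIA produces.
    """
    rto = 0
    for h in range(1, horizon_hours + 1):
        if cumulative_loss(h, tiers) > tolerable_loss:
            break
        rto = h
    return rto


@dataclass(frozen=True)
class Option:
    name: str
    worst_case_hours: float  # upper bound of the range quoted for this option
    cost_rank: int           # 1 = cheapest


# Worst-case restoration times from items 702-707. The mirror/active-active
# site (item 769) is assumed to restore in ~0 h; that is an assumption.
SITES = [
    Option("cold site", 10 * 24, 1),
    Option("warm site", 24, 2),
    Option("hot site", 10 / 60, 3),
    Option("mirror site (active/active)", 0.0, 4),
]

# Worst-case data loss per backup method. Daily off-site tapes lose up to a
# day; the 15-minute figure for vaulting/remote journaling is an assumed
# shipping interval; mirroring (item 754) is real time.
BACKUP_METHODS = [
    Option("daily off-site tapes (grandfather-father-son)", 24, 1),
    Option("electronic vaulting / remote journaling", 0.25, 2),
    Option("real-time mirroring", 0.0, 3),
]


def cheapest_meeting(options: Sequence[Option], objective_hours: float) -> Option:
    """Cheapest option whose worst case does not exceed the objective."""
    ok = [o for o in options if o.worst_case_hours <= objective_hours]
    if not ok:
        raise ValueError("no option meets an objective of %g h" % objective_hours)
    return min(ok, key=lambda o: o.cost_rank)


def select_strategy(rto_hours: float, rpo_hours: float) -> Tuple[str, str]:
    """Recovery site and backup method implied by the RTO/RPO pair."""
    return (cheapest_meeting(SITES, rto_hours).name,
            cheapest_meeting(BACKUP_METHODS, rpo_hours).name)


def gap_analysis(current_site: str, current_method: str,
                 rto_hours: float, rpo_hours: float) -> List[str]:
    """Item 719/721: where the existing plan falls short of the objectives."""
    by_name = {o.name: o for o in SITES + BACKUP_METHODS}
    site, method = by_name[current_site], by_name[current_method]
    gaps = []
    if site.worst_case_hours > rto_hours:
        gaps.append("%s: worst-case restoration %g h exceeds RTO %g h"
                    % (site.name, site.worst_case_hours, rto_hours))
    if method.worst_case_hours > rpo_hours:
        gaps.append("%s: up to %g h of data loss exceeds RPO %g h"
                    % (method.name, method.worst_case_hours, rpo_hours))
    return gaps


if __name__ == "__main__":
    rto = max_allowable_downtime(EXAMPLE_TIERS, EXAMPLE_TOLERABLE_LOSS)
    print("RTO from BIA:", rto, "h")
    print("strategy for RTO %d h, RPO 1 h:" % rto, select_strategy(rto, 1))
    print("gaps in a cold-site/tape plan:", gap_analysis(
        "cold site", "daily off-site tapes (grandfather-father-son)", rto, 1))
```

With the constructed tiers the tolerable loss is exhausted after 16 hours, so the RTO is 16 hours. Selecting on the worst case of each quoted range is deliberate: the notes give a warm site as one to eight hours "extending sometimes to 24 hours", and a plan that only works on the optimistic figure has a gap, which is exactly what the gap analysis of item 719 is meant to surface before the board signs off.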

785.Functional Testing : FT is the first type that involves the actual mobilization of personnel at other
sites in an attempt to establish communications and coordination as set forth in the BCP.

786.Full Scale Testing : FST is the most comprehensive type of test. In a full-scale test, the institution
implements all or portions of its BCP by processing data and transactions using backup media at the
recovery site.

787.The participation of maximum number of personnel in a BCP test increases awareness, buy-in, and
ownership in achieving successful BCP implementation.

788.A BCP is a “living” document, changing in concert with changes in the business activities it
supports.

MODULE-D-OVERVIEW OF LEGAL FRAMEWORK
CHAPTER-12-ONLINE TRANSACTIONS-CONCEPTS, EMERGING TRENDS
AND LEGAL IMPLICATIONS
789.Traditional Money or Central Bank Money : Money or currencies of sovereign countries, issued by the banks of issue in their respective countries, have been accepted widely as a medium of exchange/settlement, a store of value and a unit of account.

790.Electronic Money or E-Money : An electronic store of monetary value on a technical device used
for making payments to undertakings other than the issuer without necessarily involving bank accounts
in the transaction, but acting as a prepaid bearer instrument.

791.RBI has to be geared up to meet the challenges posed by E-Money to the economy. These effects
include :-
i)Effect on exchange rate
ii)Effect on money supply
iii)Financial stability

792.Characteristics of E-Money :-
i)Value
ii)Exchange
iii)Storage
iv)Robustness

793.In 1995, the RBI had set up the Committee for Proposing Legislation on Electronic Funds Transfer
and other Electronic Payments under the Chair of Smt. K. S. Shere.

794.The Shere Committee had recommended a set of EFT Regulations by the Reserve Bank under the
RBI Act, 1934.

795.The Shere Committee recommended amendment of the Bankers' Books Evidence Act, 1881 as a short-term measure.

796.The Shere Committee had recommended promotion of a few acts like the Electronic Funds
Transfer Act, the Computer Misuse and Data Protection Act etc as long-term measures.

797.As per Shere Committee recommendations, the following legal corrective actions are taken :-
i)Enactment of the Information Technology Act, 2000 along with the consequential amendments to the
Bankers Book Evidence Act and the Reserve Bank of India Act.
ii)Amendment to the Negotiable Instruments Act.

797.Amendments in Bankers Book Evidence Act, the Reserve Bank of India Act and the Negotiable
Instruments Act brought legal standing to the following issues affecting funds transfer and payments in
electronic means :-
i)Encryption of messages transmitted over PSTN lines.
ii)Admission of electronic files as evidence and preservation of records.
iii)Cheque Truncation
iv)Need for Regulation/Legislation on Netting.

798.Liabilities accepted under multi-purpose pre-paid cards are in the nature of demand liabilities and
hence, banks may be preferred as issuers of e-money.

799.E-monetization : Conversion of real money into E-Money.

800.Minimum prudential requirements for operations of e-money scheme :-
i)Prudential supervision
ii)Solid and transparent legal arrangements
iii)Technical security
iv)Protection against criminal abuse
v)Monetary statistics reporting
vi)Redeem ability
vii)Reserve requirements

801.Secure websites – the strength of the encryption is expressed by the key length, e.g. 56-bit or 128-bit.

802.PSBs, under the aegis of IBA, have established a Shared Payment Network System (SPNS) of ATMs,
termed SWADHAN, in Mumbai.

803.Smart Cards or Stored Value Cards represent a relatively new payment technology. These are
prepaid cards and represent the new electronic money (E-Money) or electronic purse.

804.Smart Card : A smart card is a credit card sized plastic card which has an integrated circuit with a
micro-processor chip embedded in it. This technology enables storage of electronic information on a
card that can be used to make purchases.

805.Contact Smart Card : A contact smart card requires insertion into a smart card reader or a terminal
called a Card Acceptance Device. These cards have a contact plate (typically gold plated) on the face,
which makes the electrical connection with the reader.

806.Contactless Card : A contactless card has an antenna coil and chip embedded within the card and
hence requires only close proximity to a reader equipped with an antenna.

807.Smart card based payment systems developed for the banks by IDRBT in association with the
Reserve Bank, IIT, banks and a few vendors have established inter-operability between different
technologies and standard of cards, card readers and clearing and settlement system.

808.Technical standards for cards and card readers have been formulated by IDRBT incorporating best
international practices.

809.IDRBT : Institute for Development and Research in Banking Technology.

810.INFINET : The Indian Financial Network. The INFINET is the communication backbone for the
Indian Banking and Financial Sector.

811.The INFINET is a Closed User Group(CUG) Network for the exclusive use of Member Banks and
Financial Institutions.

812.The INFINET uses a blend of communication technologies such as VSATs and Terrestrial Leased
Lines.

813.The INFINET consists of over 2000 VSATs located in 300 cities of the country and utilizes one
full transponder of 36 MHz on INSAT 3B.

814.The INFINET is primarily a TCP/IP based network.

815.The following systems which will be based on the INFINET would enable banks to optimize their
deployment of funds as well as effect electronic payments and settlements :
a)Real Time Gross Settlement System(RTGS)
b)Negotiated Dealing System(NDS) and Securities Services System(SSS) (for the settlement of Govt
Securities in a Delivery versus Payment mode)
c)Centralized Funds Management System(CFMS)
d)The Structured Financial Messaging Solution(SFMS)

816.Gross settlement reduces the risk significantly, as transactions are settled one by one on a bilateral
basis in a real time mode.

817.PVP : Payment Versus Payment

818.Payment Versus Payment (PVP) is especially relevant in cross-currency transactions.

819.DNS : Deferred Net Settlement

820.The INFINET is a wide-area, satellite-based Closed User Group network, providing the communication
backbone to the proposed Integrated National Payments System.

821.Gross settlement in a real time mode eliminates credit and liquidity risks.

822.Various levels of security – Access security, 128 bit cryptography, firewall, certification etc.

823.The RTGS system (RTGSS) is based on the concept of the 'Y' topology.

824.The RTGSS provides for continuous (i.e. real-time) processing and settlement of funds transfers.
The entire system is based on the concept of the 'Y' topology, which ensures that payment messages
emanate from a sending bank and are received by the RBI through an intermediate processor, the Inter-
Bank Funds Transfer Processor (IFTP), with the beneficiary bank receiving the intimation of credit from
the settlement account processor combined with the IFTP.

825.First in First Out(FIFO) would be the base for the queuing mechanism for the Indian RTGS
system.

826.There would essentially be two sets of queues in RTGS system.

827.The SFMS was launched on December 14, 2001 at the IDRBT.

828.CFMS : Centralized Funds Management System

829.SFMS allows integration of the bank's corporate intranet into its own interfaces.

830.SITPRO : Simplification of International Trade Procedures Board of the United Kingdom.

831.The SITPRO of the UK has formulated a series of questions to be addressed before rules on the
subject of paperless credit can be formulated. These include :-
i)The functions of documentary credit.
ii)Data requirements necessary for a successful documentary credit transaction.
iii)Information flow requirements to assess responsibilities of all contracting parties.
iv)The extent to which electronic messages can replace paper documents.

v)Security measures required to ensure the authenticity and uniqueness of messages which would
trigger payment.

832.The SITPRO model maps the process of paperless credit into various stages in the creation of a
documentary credit line. These stages are :-
i)Issuance of credit
ii)Amendment of credit
iii)Submission of documents, and
iv)Payment

833.The SITPRO model uses the standard UN/EDIFACT messages governing EDI.

834.UN/EDIFACT : United Nations Electronic Data Interchange for Administration, Commerce and
Transport.

MODEL-E-SECURITY & CONTROL STANDARD IN BANKING
CHAPTER-13-SECURITY
835.Somewhere during the early 1970s, as part of defence strategies to protect vast information
resources from damage due to war, the ARPA project was launched; this led, almost by accident, to the
birth of the Internet.

836.An exposure results from the threat materialising due to a vulnerability.

837.Vulnerabilities may exist in any component of technology such as hardware, operating systems,
application, communications, networking.

838.Risk is an essential part of return.

839.IS Risk Management is a continuous process which involves a structured approach to mitigating
the risks arising from the use of information technology, comprising a Risk Assessment Process followed by a
Controls Assessment and the initiation of corrective steps to mitigate the risks.

840.Some of the components involved in IS Risk Management are given below :-
a)Identification of Enterprise IS Resources
b)Identification of Threats to IS Resources
c)Determination of the probability of occurrence of such threats.
d)Identification of the vulnerabilities in IS Resources and Environment.
e)Determination of the Exposure
f)Determination of the Risk Profile, comprising Acceptable Risks and Residual Risks.
g)Evaluation of controls to mitigate the Acceptable Risks.
h)Institution of controls for mitigation of risks.

841.Security of information can be understood from three broad perspectives, viz. Confidentiality,
Integrity and Availability.

842.Confidentiality : Information should be disclosed only to authorized persons and for authorized
purposes. Any unauthorized disclosure can be detrimental to the interests of the enterprise.

843.Integrity : The accuracy and completeness of information is usually assumed or taken for granted.
Any violation of integrity of information value can be detrimental to the decision making and reliance
on the information.

844.Availability : Information should be available when required for purposes of business. With
Information Technology, the vulnerability of availability of information systems that deliver
information is very high due to technical and other reasons.

845.Besides confidentiality, integrity and availability, COBIT recognizes certain other factors like
effectiveness, efficiency, compliance and reliability of information.

846.Generally Information Systems Security is appropriately understood as a technical issue as against
a techno-managerial issue.

847.Various factors of security – technical, organizational, managerial, operational and administrative.


848.The Organisation for Economic Co-operation and Development has formulated guidelines on
Computer Security. These principles have identified the following key controls :-
Information Systems Security :
1.should support the mission of the organization.
2.should form an integral element of sound management.
3.should be cost effective.
4.involves responsibilities in this regard being made explicit.
5.involves system owners having security responsibilities outside their own organizations.
6.requires a comprehensive and integrated approach.
7.should be periodically reassessed.
8.is constrained by societal factors.

849.While responsibility is generally used to indicate a relationship between the expected results and
persons, accountability refers to the ability to bind people for their actions.

850.The OECD guidelines :-
i)Accountability
ii)Awareness
iii)Ethics
iv)Multidisciplinary
v)Proportionality
vi)Integration
vii)Timeliness
viii)Reassessment
ix)Democracy

851.Computer Security should be appropriate and proportionate to the business of the organisation, the
degree of dependence on such systems and the cost of not having security.

852.Computer security responsibilities should be integrated into the internal control framework of the
organization.

853.The internal control model recommended by the Committee of Sponsoring organizations of the
Treadway Commission provides guidance on the key components of internal control and how they
contribute towards effective control in an organization.

854.COSO : Committee of Sponsoring Organizations of the Treadway Commission (Internal Control
Framework).

855.The COSO Framework of Internal Control :-
i)Control Environment
ii)Risk Assessment
iii)Control Activities
iv)Information
v)Communication
vi)Monitoring

856.There should also be a mechanism to record at least all failed login attempts, as a good detective
control.
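
As an added example of the detective control in item 856 (this code is not from the IIBF notes), the following Python records failed login attempts per user and flags a burst of failures inside a short window. The log line format, user names and addresses are constructed for this example; a real system would parse its own authentication log.

```python
"""Detective control for failed login attempts (item 856).

Added example, not part of the IIBF notes. The log line format and the
events below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an authentication log, one event per line:
# <ISO timestamp> LOGIN <OK|FAIL> user=<id> src=<address>
SAMPLE_LOG = """\
2019-07-21T10:00:01 LOGIN OK   user=alice src=10.0.0.5
2019-07-21T10:00:09 LOGIN FAIL user=bob   src=10.0.0.7
2019-07-21T10:00:15 LOGIN FAIL user=bob   src=10.0.0.7
2019-07-21T10:00:21 LOGIN FAIL user=bob   src=10.0.0.7
2019-07-21T10:00:30 LOGIN FAIL user=bob   src=10.0.0.7
2019-07-21T10:00:44 LOGIN FAIL user=bob   src=10.0.0.7
2019-07-21T10:00:52 LOGIN OK   user=bob   src=10.0.0.7
2019-07-21T10:05:00 LOGIN FAIL user=carol src=10.0.0.9
2019-07-21T10:20:00 LOGIN FAIL user=carol src=10.0.0.9
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[3:])
    return ts, parts[2], fields["user"], fields["src"]


def failed_counts(log_text):
    """Recording: total failed attempts per user (what item 856 asks to keep)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, result, user, _ = parse_line(line)
        if result == "FAIL":
            counts[user] += 1
    return dict(counts)


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Review: flag users with `threshold` or more failures inside `window`.

    Returns {user: ISO time of the failure that triggered the alert}.
    A sliding window per user is kept, so two isolated failures fifteen
    minutes apart (carol above) raise no alert, while a burst (bob) does.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        ts, result, user, _ = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    print(failed_counts(SAMPLE_LOG))          # {'bob': 5, 'carol': 2}
    print(failed_login_bursts(SAMPLE_LOG))    # {'bob': '2019-07-21T10:00:44'}
```

The raw count is the record the item asks for; the sliding-window check is what turns the record into a detective control, since a successful login after a burst of failures (bob) is exactly the pattern a reviewer wants surfaced.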

857.Even where anti-virus software is installed on all terminals of the organization, an improper setting at the
firewall or mail server with respect to e-mail can still result in a compromise.

858.Biometrics, which work on the principle of identifying characteristics exclusive to the
identity of a person, are used for controlling access to sensitive systems, e.g. fingerprint, retina
scanning, voice recognition etc.

859.Effective computer security is the result of appropriate tuning of various controls, which comprise
management controls, application controls, operational controls and administrative controls.

860.Policy refers to a set of specific security rules for specific category of systems e.g. firewall policy,
e-mail policy etc.

861.COBIT : Control Objectives for Information and related Technology.

862.ISACA : Information Systems Audit and Control Association.

863.Policies, standards, guidelines and procedures provide an overall approach to computer security
from a broader perspective to finer details.

864.A good computer security policy should address the following aspects :-
i)Objective and purpose
ii)Scope of the policy
iii)Accountability
iv)Compliance

865.COBIT is a product of Information Systems Audit and Control Foundation and the IT Governance
Institute.

APPENDIX-I-OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS

866.OECD : Organisation for Economic Co-operation and Development.

867.OECD Headquarters : Paris, France

868.Data : means a representation of facts, concepts or instructions in a formalised manner suitable for
communication, interpretation or processing by human beings or by automatic means.

869.Information : is the meaning assigned to data by means of conventions applied to that data.

870.Information systems : means computers, communication facilities, computer and communication
networks and data and information that may be stored, processed, retrieved or transmitted by them,
including programs, specifications and procedures for their operation, use and maintenance.

871.Availability : means the characteristic of data, information and information systems being
accessible and usable on a timely basis in the required manner.

872.Confidentiality : means the characteristic of data and information being disclosed only to
authorised persons, entities and processes at authorised times and in the authorised manner.

873.Integrity : means the characteristic of data and information being accurate and complete and the
preservation of accuracy and completeness.

874.OECD Security Principles :-
1.Accountability
2.Awareness
3.Ethics
4.Multidisciplinary
5.Proportionality
6.Integration
7.Timeliness

8.Reassessment
9.Democracy

875.In October 1988, the Committee for Information, Computer and Communications Policy (ICCP) of
the OECD approved the preparation by the OECD Secretariat of a study on the subject of security of
information systems.

876.The report on security of information systems entitled Information Network Security was
submitted to the ICCP Committee in October 1989.

877.Based upon the advice of the experts, the ICCP Committee, in March 1990 approved the creation
of a Group of Experts to draft guidelines for the security of information systems.

878.The Group of Experts was chaired by the Hon. Michael Kirby, President of the Court of Appeal,
Supreme Court of New South Wales, Australia.

879.The Secretariat of the Information, Computer Technology and Industry drafted the
recommendation, the guidelines and explanatory memorandum, based upon the deliberations of the
Expert Group at its meetings.

880.OECD membership encompasses North America, the Pacific region and Europe.

881.A computer, a computer program and data constitute basic elements of an information system.

882.Communication networks include data communication, telephone and facsimile.

883.The software may be installed in the computer or stored on magnetic, optical or other media.

884.Experience in other sectors involving new technologies with the potential for serious harm reveals
a three-part challenge :-
i)developing and implementing the technology.
ii)providing for avoiding and meeting the failures of the technology.
iii)and gaining public support and approval of use of the technology.

885.The air transport industry has been successful in implementing safety techniques and requirements.

886.Security of information systems is the protection of availability, confidentiality and integrity.

887.Viruses, often introduced into the system via infected software, parasites, trap doors, trojan horses,
worms, and logic bombs are some of the technical means used to disrupt, distort or destroy normal
system functions.

888.Trap door : Another term in the software field for a backdoor program or backdoor virus. A trap
door is a secret entry point into a program that allows someone who is aware of the trap door to gain
access without going through the usual security access procedures.

889.Trojan horses : One of the most insidious types of Trojan horse is a program that claims to rid your
computer of viruses but instead introduces viruses onto your computer. The term comes from the Greek
story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans,
ostensibly as a peace offering.

890.Worms : A computer worm is a standalone malware computer program that replicates itself in
order to spread to other computers. Often, it uses a computer network to spread itself, relying on
security failures on the target computer to access it.

891.Logic bombs : A logic bomb is a piece of code inserted into an operating system or software
application that implements a malicious function after a certain amount of time, or specific conditions
are met. Logic bombs are often used with viruses, worms, and trojan horses to time them to do
maximum damage before being noticed.

892.Physical threats to information systems fall into two broad categories – extreme environmental
events and adverse physical plant conditions.

893.Extreme environmental events include earthquake, fire, flood, electrical storms and excessive heat
and humidity.

894.Adverse physical plant conditions may arise from breach of physical security measures, power
failures or surges, air conditioning malfunction, water leaks, static electricity and dust.

895.A program containing a virus that is introduced into an information system may affect the
availability, confidentiality and integrity of that system by overloading the system, changing the list of
authorised users of certain parts of the system or altering data or information in the system.

896.Disclosure of proprietary information may damage an organisation's competitive position.

897.Protection of personal data and privacy and of intellectual property may serve to enhance the
security of information systems.

898.The principles of the guidelines(e.g. The Proportionality Principle and the Ethics Principle) and
those of the OECD Guidelines on the Protection of Privacy and Trans border Flows of Personal Data
give guidance in achieving compatible realisation of the goals of security of information systems and
protection of personal data and privacy.

899.Intellectual property in information systems is intangible, may cross borders virtually
imperceptibly, and may be vulnerable to theft by the effort of one finger in a matter of seconds without
taking the original and without leaving a trace.

900.The Reassessment Principle recognizes that information systems are dynamic.

901.Harmonization of technical security standards will help to prevent data and information islands and
other barriers to data and information flows.

902.Lack of an informed and balanced understanding of users' needs may create a significant risk of
“off-target” technology standardization.

903.In countries where the doctrine of ubiquity(a crime is committed where one of its elements takes
place) is not acknowledged, difficulties arise as to the application of national computer crime laws.

904.Mutual assistance agreements, extradition laws, recognition and reciprocity provisions, transfer of
proceedings and other international co-operation in matters relating to the security of information
systems may facilitate assistance to other countries in their investigations.

905.Computer records, like any other documents, may present two issues. The first is authentication.
The second issue that common law systems must address with respect to any document is whether it
contains hearsay. This pertains not to the form of the document (whether electronic data or
handwritten) but to its content.

APPENDIX-2-GENERALLY-ACCEPTED SYSTEM SECURITY PRINCIPLES (GASSP) VERSION 2.0

906.Information security is a combination of preventive, detective, and recovery measures.

907.A preventive measure is a risk control that avoids or deters the occurrence of an undesirable
event. Passwords, key cards, badges, contingency plans, policies, firewalls and encryption are
examples of preventive measures.

908.A detective measure is a risk control that identifies the occurrence of an undesirable event.
Visitor logs, audit trails, motion sensors, closed-circuit TV and security reviews are examples of
detective controls.

909.A recovery measure is a risk control that restores the integrity, availability and confidentiality of
information assets to their expected state. Examples-fault tolerance, backup and disaster recovery
plans.

910.In 1990, the USA National Research Council published Computers at Risk (CAR), a landmark
book that emphasized the urgent need for the nation to focus attention on information security.

911.Recommendation 1 – Promulgation of a comprehensive set of Generally Accepted System Security
Principles, referred to originally as GASSP, that would provide a clear articulation of essential features,
assurances, and practices.

912.GAAP : Generally Accepted Accounting Principles


913.TCSEC : Trusted Computer System Evaluation Criteria

914.TNI : Trusted Network Interpretation

915.ITSEC : Information Technology Security Evaluation Criteria

916.The CAR report proposes the GAAP as a model for GASSP.

917.The CAR report cites the Building Code and the Underwriter's Laboratory as examples of GASSP
in other fields. It also recommends building on the experience captured by using the TCSEC, the TNI
and the ITSEC documents to create a broader set of criteria that will drive a more flexible process for
evaluating single-vendor and conglomerate systems.

918.Information : The term "information" applies to any storage, communication, or receipt of
knowledge, such as fact, data, or opinions, including numerical, graphic, or narrative forms, whether
oral or maintained in any medium.

919.Information System : The term "information system" describes the organized collection,
processing, transmission, and dissemination of information in accordance with defined procedures,
whether automated or manual.

920.Information Security Principles : The term “Information Security Principles” includes principles,
standards, conventions and mechanisms. Three categories (pervasive, broad functional, and detailed)
are used to collect, discuss, and organize security principles. The broad functional and detailed security
principles are divided into principles for information security practitioners and information processing
products.

921.System : The term “system” is used as an umbrella term for the hardware, software, physical,
administrative, and organizational issues that need to be considered when addressing the security of an
organization's information resources. It implies that the GASSP address the broadest definition of
information security.

922.AIS : Automated Information System

923.ADPE : Automated Data Processing Element.

924.The term system is intended to be equivalent in scope of the terms IT, AIS, ADPE etc.

925.Candidate principles are organized in a three-level hierarchy. The hierarchy is comprised of
Pervasive Principles, Broad Functional Principles and Detailed Principles.

926.Pervasive Principles : few in number, fundamental in nature, and rarely changing

927.Broad functional Principles : subordinate to one or more of the Pervasive Principles, are more
numerous and specific, guide the development of more Detailed Principles, and change only when
reflecting major developments in technology or other affecting issues.

928.Detailed Principles : subordinate to one or more of the Broad Functional Principles, numerous,
specific, emergent and change frequently as technology and other affecting issues evolve.

929.The Pervasive Principles address the following properties of information :- i)Confidentiality,
ii)Integrity and iii)Availability

930.The Pervasive Principles provide general guidance to establish and maintain the security of
information. These principles form the basis of Broad Functional Principles and Detailed Principles.

931.Security of information is achieved through the preservation of appropriate confidentiality,
integrity and availability.

932.The Pervasive Principles are founded on the Guidelines for Security of Information Systems,
developed by the Information Computer and Communications Policy(ICCP) Committee and endorsed
and published by the Organization for Economic Co-operation and Development(OECD).

933.Each Pervasive Principle is presented in the following format : i)GASSP Statement, ii) Rationale
and iii)Example.

934.Pervasive Principles :-
i)Accountability Principle
ii)Awareness Principle
iii)Ethics Principle
iv)Multi-disciplinary Principle
v)Proportionality Principle
vi)Integration Principle
vii)Timeliness Principle

viii)Assessment Principle
ix)Equity Principle

935.BFP : Broad Functional Principles

936.PP : Pervasive Principles

937.The BFP are derived from the PP that represent the conceptual goals of information security.

938.Each BFP is presented in the following manner :-
i)BFP Title
ii)Statement of BFP
iii)Rationale
iv)Example

939.Trojan Horse-A logic bomb

940.The concept of “accountability” refers to the accepting of responsibility by all relevant parties or
entities.

941.The information asset attributes include :-
i)Identity
ii)Ownership
iii)Custody
iv)Content
v)Value (ideally expressed in monetary terms) of the confidentiality, availability, and integrity of the
information assets.
vi)Sensitivity (which relates directly to confidentiality), and
vii)Criticality (which relates directly to availability and integrity).

942.MRP : Materials Requirements Planning

943.Natural disaster threats : earthquake, flood, hurricane, tornado, landslides etc.

944.Unintentional or intentional physical threats : power outage, equipment failure, fire, proximity of
potentially toxic or explosive industrial facilities and transportation infrastructures, local crime, and a
wide array of accidents that could “exploit” unrecognized or inadequately addressed vulnerabilities of
the physical environment.

945.Owner's conservative rule : Owners should assume that others would treat their assets as belonging
to the public domain. Therefore, they should explicitly declare (in reasonably visible ways) the
products of their efforts and their property to be either private or public.

946.User's conservative rule : Assume that any tangible or intangible item belongs to somebody else
unless an explicit declaration or convention identifies it as being in the public domain or authorized for
your use.

947.The Detailed Security Principles specifically address methods of achieving compliance with Broad
Functional Principles with respect to existing environments and available technology.

948. DSP : Detailed Security Principles

CHAPTER-14-CONTROL

949.CAAT : Computer Assisted Audit Techniques.

950.'Threats' are agents that occur independently of the systems and cause risk.

951.Common threats :-
i)Power loss
ii)Communication loss
iii)Data integrity loss
iv)Accidental errors
v)Computer virus
vi)Unauthorised action by employees.
vii)Attempted unauthorised system access by outsiders.
viii)Natural disasters
ix)Theft or destruction of computing resource.
x)Destruction of data
xi)Abuse of access privilege by authorised user.
xii)Successful unauthorized system access by outsider.
xiii)Non-disaster downtime
xiv)Fire
xv)Earthquakes

951.The only effective way to counter IT-related risks and threats is to have a system of controls.

952.A control is in place to protect equipment from physical or technical unauthorized entry or
compromise.

953.Control : A control is defined as preventive, detective or compensatory depending upon its design
and purpose of implementation.

954.Classification of controls :-
Controls can be classified into :-
a)Preventive controls – instructions placed on a source document to prevent the clerk from filling it up
incorrectly.
b)Detective controls – an input program that identifies incorrect data entered into the system via a
terminal.
c)Corrective controls – a program that uses special codes that enable it to correct data corrupted
because of noise on a communications line.
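
The three classes in item 954, as an added example in code (not from the IIBF notes): a preventive control that rejects malformed input, a detective control (a parity bit) that can only report corruption, and a corrective control, the standard Hamming(7,4) code, which locates and repairs a single bit flipped by line noise, which is what the item's "special codes" refers to. The account-number rule and the sample values are constructed for this example.

```python
"""Preventive, detective and corrective controls in code (item 954).

Added example, not from the IIBF notes. The account-number rule, the
parity framing and the sample values are constructed for this example;
the Hamming(7,4) code is the standard single-error-correcting code.
"""
import re

# Preventive control: a malformed value never enters the system.
# Constructed rule: an account number is exactly 12 decimal digits.
ACCOUNT_RE = re.compile(r"^[0-9]{12}$")


def accept_account_number(value):
    return bool(ACCOUNT_RE.match(value))


# Detective control: an even-parity bit shows that a received word was
# corrupted, but not which bit, so the receiver can only ask for a resend.
def even_parity_ok(bits):
    """bits: data bits followed by one parity bit; True if no odd error."""
    return sum(bits) % 2 == 0


# Corrective control: a Hamming(7,4) code carries enough redundancy to
# locate and repair any single bit flipped by line noise.
# Codeword layout (1-based positions): p1 p2 d1 p3 d2 d3 d4
def hamming74_encode(data):
    d1, d2, d3, d4 = data
    p1 = d1 ^ d2 ^ d4          # parity over positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # parity over positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4          # parity over positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(code):
    """Return (data_bits, corrected_position); position 0 means no error."""
    code = list(code)
    p1, p2, d1, p3, d2, d3, d4 = code
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    position = s1 + 2 * s2 + 4 * s3   # the syndrome is the flipped bit's position
    if position:
        code[position - 1] ^= 1       # repair it in place
    return [code[2], code[4], code[5], code[6]], position


def transmit_with_noise(code, flip_position):
    """Simulate line noise flipping one bit (1-based position)."""
    noisy = list(code)
    noisy[flip_position - 1] ^= 1
    return noisy


def corrected_round_trip(data, flip_position):
    """Encode, corrupt one bit, decode; True if the original data is recovered."""
    sent = hamming74_encode(data)
    recovered, pos = hamming74_decode(transmit_with_noise(sent, flip_position))
    return recovered == list(data) and pos == flip_position


if __name__ == "__main__":
    print(accept_account_number("123456789012"), accept_account_number("12345678901"))
    print(even_parity_ok([1, 0, 1, 0]), even_parity_ok([1, 0, 1, 1]))
    print(all(corrected_round_trip([1, 0, 1, 1], p) for p in range(1, 8)))
```

The contrast between the parity check and the Hamming code is the point of the classification: both detect a single flipped bit, but only the Hamming code carries enough redundancy to correct it, and a two-bit error defeats both (the parity check misses it and the Hamming decoder repairs the wrong bit), so corrective controls do not remove the need for the preventive and detective ones.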

955.Objective of application system controls :-
i)Safeguard IS assets
ii)Maintain data integrity
iii)Achieve their objectives (of application systems)
iv)Process data as per the business logic.

956.The IS Auditor evaluates the application controls for two reasons :-
i)To rely on these controls for determining the extent of testing to be done.
ii)To test the hypothesis about strength/weakness of specific application controls.

957.Areas of Application Controls :-
i)Boundary controls
ii)Input controls
iii)Communication controls
iv)Processing controls
v)Database controls
vi)Output controls

958.Boundary controls :-
a)Access controls
b)Cryptography
c)PIN, digital signatures, & plastic cards
d)Audit trail controls
e)Existence controls

959.Input controls :-
a)Data input methods
b)Batch controls
c)Validation of data/instructions input
d)Audit trail controls
e)Existence controls

960.Communication controls :-
a)Exposures in communication systems
b)Controls over physical components
c)Communication line error controls
d)Flow controls
e)Topological controls
f)Controls over subversive threats.
g)Internetworking controls
h)Communication architecture controls
i)Audit trail controls
j)Existence controls

961.Processing controls :-
a)Processor controls
b)Real memory controls
c)Virtual memory controls
d)Audit trail controls
e)Existence controls

962.Database controls :-
a)Access controls
b)Integrity controls
c)Concurrency controls
d)Database cryptographic controls
e)File handling controls
f)Audit trail controls
g)Existence controls

963.Output controls :-
a)Inference controls
b)Batch output production and distribution controls
c)Batch report design controls
d)On line output production and distribution controls
e)Audit trails/Activity logs
f)Existence controls

964.The boundary sub-system establishes the interface between the user of a computer system and the
computer system itself.

965.Boundary controls are performed in the initial hand-shaking procedures with the operating system when the terminal is switched on, or when a user at an ATM inserts a card and keys in a PIN.

966.Boundary sub-system controls have 3 major purposes :-


a)Establish the identity and authority of user of system.
b)Establish the identity and authority of resources i.e. computer system.
c)Restrict the action taken by user to a set of authorized actions.

967.Access control : In simple terms, access control means excluding from the system anyone who is not authorised to use it.

968.A simulated computer is a virtual machine. In such circumstances the IS auditor has two concerns :-
a)Whether unauthorised access to and use of the computer system is prevented.
b)Whether the access controls chosen are adequate to safeguard assets and maintain the integrity of data.

969.Motivation for access controls :-


i)Resource sharing
ii)Virtual machine
iii)Need for isolation
iv)Need for access control

970.An access control mechanism processes users request for resources in three steps viz :-
i)Identification
ii)Authentication
iii)Authorisation

971.The user can provide 3 classes of authentication information :-


i)Remembered information (something the user knows) – name, account number, password, PIN
ii)Possessed objects (something the user has) – badge, plastic card, key
iii)Personal characteristics (something the user is) – fingerprint, voice print, signature

972.During the authentication process the user must be sure they are interacting with the genuine access control mechanism, because of the threat of masquerading: a Trojan horse program can imitate the sign-on prompt and capture the authentication information the user supplies.

973.Public key cryptography is one way of mitigating the Trojan horse problem, since it lets the user verify that the sign-on dialogue comes from the genuine system.

974.The access control mechanism must couple users with the resources they are permitted to use. Resources are classified into 4 types :-
i)Hardware (terminals, printers, hard disks)
ii)Software
iii)Commodities (processor time, storage space)
iv)Data (files, groups, data items)

975.Action privileges assigned to a user depends on


i)User's authority level and
ii)Type of resource requested for use.

976.Types of access control policy :-


i)Discretionary access control policy
ii)Mandatory access control

977.Discretionary access control policy :- Users can choose whether to share their files with other users or restrict access to themselves. Two threats arise here – Trojan horses (a program run by an authorised user can pass data to an unauthorised one) and problems of authorisation dynamics (what happens to access rights a user has passed on when the original grant is revoked).

978.Mandatory access control :-Both users & resources are assigned fixed security attributes. Only
system administrator can change the security attribute.

979.Closed environment means more effective control so the audit approach can be suitably adjusted.
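The following is an added example, not code from the page or from IIBF material: a minimal access control mechanism that processes a request in the three steps of 970 (identification, authentication, authorisation) and applies both a discretionary policy (977, owners share at will) and a mandatory policy (978, fixed labels only the administrator sets). The user names, passwords, resource names and clearance levels are constructed for illustration, and the accounting audit trail it keeps records the items listed in 1004.

```python
"""Added example (not from the page): a minimal access control mechanism that
processes a request in the three steps of 970 and applies both a discretionary
and a mandatory policy (977, 978).  Users, resources, labels and passwords are
constructed for illustration."""
import hashlib
import hmac
import os

# Mandatory policy: fixed security attributes, assigned only by the administrator.
# A user may read a resource only if their clearance dominates its classification.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccessControl:
    def __init__(self):
        self._users = {}    # name -> (salt, password hash, clearance)
        self._acl = {}      # resource -> {user: set of actions}   (discretionary)
        self._labels = {}   # resource -> classification          (mandatory)
        self._audit = []    # accounting audit trail (see 1004)

    # --- administration ----------------------------------------------------
    def add_user(self, name, password, clearance):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_password(password, salt), clearance)

    def add_resource(self, resource, owner, classification):
        self._labels[resource] = classification
        self._acl[resource] = {owner: {"read", "write", "grant"}}

    def grant(self, granter, resource, grantee, action):
        """Discretionary sharing: the owner may pass on access at will."""
        if "grant" not in self._acl[resource].get(granter, set()):
            raise PermissionError(f"{granter} may not grant on {resource}")
        self._acl[resource].setdefault(grantee, set()).add(action)

    # --- request processing: identification, authentication, authorisation ---
    def request(self, name, password, resource, action, terminal="T01"):
        entry = {"user": name, "resource": resource, "action": action,
                 "terminal": terminal, "result": None}
        self._audit.append(entry)
        # 1. identification: is the claimed identity known to the system?
        if name not in self._users:
            entry["result"] = "unknown user"
            return False
        salt, stored, clearance = self._users[name]
        # 2. authentication: remembered information, compared in constant time
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            entry["result"] = "authentication failed"
            return False
        # 3. authorisation: discretionary grant first, then the mandatory label
        if action not in self._acl[resource].get(name, set()):
            entry["result"] = "denied by discretionary policy"
            return False
        if action == "read" and LEVELS[clearance] < LEVELS[self._labels[resource]]:
            entry["result"] = "denied by mandatory policy"
            return False
        entry["result"] = "allowed"
        return True

    def audit_trail(self):
        return [dict(e) for e in self._audit]


def demo():
    ac = AccessControl()
    ac.add_user("alice", "correct horse", "secret")
    ac.add_user("bob", "battery staple", "internal")
    ac.add_resource("loan_book", "alice", "confidential")
    results = {
        "owner_read": ac.request("alice", "correct horse", "loan_book", "read"),
        "bad_password": ac.request("alice", "wrong", "loan_book", "read"),
        "not_granted": ac.request("bob", "battery staple", "loan_book", "read"),
    }
    # Alice shares the file at her discretion ...
    ac.grant("alice", "loan_book", "bob", "read")
    # ... but the mandatory label still blocks Bob: internal < confidential.
    results["granted_but_mac_denies"] = ac.request("bob", "battery staple", "loan_book", "read")
    results["trail"] = [e["result"] for e in ac.audit_trail()]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two requests is the one 977 and 978 make: a discretionary grant by the owner cannot override a mandatory label, and every attempt, successful or not, lands in the audit trail with the reason for the decision.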

980.Cryptology is a science of codes and incorporates the study of cryptography and cryptanalysis.

981.Auditor first encounters cryptographic controls in the boundary sub-system. They are then
encountered in communication controls and then in database controls.

982.Cryptographic controls protect the privacy of data and prevent unauthorized modification of data.

983.PINs and digital signatures are important means of authenticating people.

984.Plastic cards are means of identifying people.

985.EFTS : Electronic Funds Transfer System

986.Methods of PIN generation :-


i)Derived PIN – generated by the organisation from the customer's account number.
ii)Random PIN – a random number of fixed length generated by the organisation.
iii)Customer-selected PIN.

987.Longer PINs are harder to guess but add to the overheads. Hence the usual compromise is a short PIN combined with a limit on the number of sign-on attempts, which makes guessing impractical.

988.There are two types of PIN validation – local and interchange.

989.Local PIN validation : The PIN is validated by the issuing institution, either online or offline. In the online method the terminal transmits the (encrypted) PIN to the institution's host computer for verification. In the offline method the terminal itself validates the entered PIN; the disadvantage is that the terminal must hold the master key under which PINs are encrypted, which increases the exposure. Smart cards are used to reduce this exposure.

990.Smart cards have an embedded microprocessor that holds the encrypted PIN and the encryption key, so the terminal need not hold the master key.

991.Interchange PIN validation : Here PIN validation is done by an institution other than the PIN issuer
who is a participant in the EFTS.

992.The PIN must be encrypted before transmission, and the ciphertext must be different for each transmission so that a captured ciphertext cannot be replayed. This is achieved either by including a varying element in each encryption or by using a different cryptographic key for each transmission.

993.PIN processing : The only processing is encryption/decryption of PIN and comparison of entered
PIN with reference PIN.

994.PIN Storage : To be stored in encrypted form as part of audit trail.
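As an added example (not from the page, and not a PIN-block standard such as those used in real EFTS networks), the following brings 986 to 994 together: a derived PIN, the guessing probability behind 987, a per-transmission nonce so that the same PIN never produces the same ciphertext (992), online local validation at the host against a stored verification value rather than the clear PIN (989, 993, 994), an attempt limit, and an audit trail of outcomes. The issuer key, transport key, account number and attempt limit are constructed assumptions; in practice the keys live in a hardware security module.

```python
"""Added example (not from the page): PIN generation, transmission and host-side
validation for 986-994.  It is an illustration, not a PIN-block standard; the
keys, account number and attempt limit are constructed assumptions (in practice
the keys live in a hardware security module)."""
import hashlib
import hmac
import os

ISSUER_KEY = b"issuer-pin-key-demo"        # assumption: PIN generation key
TRANSPORT_KEY = b"terminal-host-key-demo"  # assumption: key shared by terminal and host
PIN_LENGTH = 4
MAX_ATTEMPTS = 3


def derived_pin(account_no):
    """Derived PIN (986 i): computed from the account number under the issuer key."""
    tag = hmac.new(ISSUER_KEY, account_no.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in tag[:PIN_LENGTH])


def guess_probability(pin_length=PIN_LENGTH, attempts=MAX_ATTEMPTS):
    """Chance of guessing a uniformly random PIN within the attempt limit (987)."""
    return attempts / 10 ** pin_length


def pin_verification_value(account_no, pin):
    """What the host stores instead of the clear PIN (994)."""
    return hmac.new(ISSUER_KEY, f"{account_no}:{pin}".encode(), hashlib.sha256).digest()


def xor_keystream(data, nonce):
    """Stream-cipher style transformation: keystream = f(transport key, nonce).
    A fresh nonce per transmission gives a different ciphertext for the same PIN (992)."""
    keystream = hmac.new(TRANSPORT_KEY, nonce, hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, keystream))


def terminal_transmit(pin):
    """Terminal side: encrypt the keyed-in PIN under a one-time nonce."""
    nonce = os.urandom(16)
    return nonce, xor_keystream(pin.encode(), nonce)


class Host:
    """Issuer host performing online local PIN validation (989, 993)."""

    def __init__(self):
        self._pvv = {}       # account -> PIN verification value
        self._attempts = {}  # account -> consecutive failed attempts
        self.trail = []      # audit trail of validation outcomes

    def enrol(self, account_no, pin):
        self._pvv[account_no] = pin_verification_value(account_no, pin)
        self._attempts[account_no] = 0

    def validate(self, account_no, nonce, cipher):
        if account_no not in self._pvv:
            self.trail.append((account_no, "unknown account"))
            return False
        if self._attempts[account_no] >= MAX_ATTEMPTS:
            self.trail.append((account_no, "locked"))
            return False
        entered = xor_keystream(cipher, nonce).decode(errors="replace")
        ok = hmac.compare_digest(pin_verification_value(account_no, entered),
                                 self._pvv[account_no])
        self._attempts[account_no] = 0 if ok else self._attempts[account_no] + 1
        self.trail.append((account_no, "ok" if ok else "bad pin"))
        return ok


def demo():
    account = "000123456789"                 # constructed account number
    pin = derived_pin(account)
    host = Host()
    host.enrol(account, pin)
    first, second = terminal_transmit(pin), terminal_transmit(pin)
    results = {
        "pin_length": len(pin),
        "ciphertext_differs_per_transmission": first[1] != second[1],
        "correct_pin_accepted": host.validate(account, *first),
    }
    wrong = "0000" if pin != "0000" else "1111"
    results["wrong_pin_attempts"] = [host.validate(account, *terminal_transmit(wrong))
                                     for _ in range(MAX_ATTEMPTS)]
    # The account is now locked: even the correct PIN is refused.
    results["locked_after_limit"] = host.validate(account, *second)
    results["trail"] = [outcome for _, outcome in host.trail]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a 4-digit PIN and three attempts the guessing probability is 3/10,000, which is why 987 accepts a short PIN once attempts are limited; the second ciphertext of the same PIN differs from the first only because the nonce differs, which is the uniqueness 992 requires.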

995.Digital signatures : A digital signature is a string of 0s and 1s computed from the message with the signer's private key; it authenticates the signer and shows that the message has not been altered.

996.Issue of cards : There are three control measures in this area :-


i)Pre-mailing (a letter sent before the card) to detect invalid addresses.
ii)Registered mail to be sent to high risk areas having history of pilferage of cards.
iii)Postal authorities to be notified in case of large number of cards.

997.Audit Trail Controls :- ATC attempt to ensure that a chronological record of all events that have occurred in a system is maintained.

998.ATC is needed to :-
i)answer queries
ii)fulfil statutory requirements
iii)deter irregularities
iv)detect the consequence of error
v)allow system monitoring and tuning.

999.The audit trail is the primary source for building a profile of past behaviour. Such a profile is needed to monitor users and determine whether their current behaviour conforms to past behaviour.

1000.There are two types of audit trails.

1001.Accounting audit trails – records of the events and transactions that have occurred (who did what, to which resource, and when).

1002.Operations audit trails – records of attempted or actual resource consumption.

1003.In boundary sub-systems, audit trails are analysed either manually or by automated analyses to
detect control weakness.

1004.Accounting audit trail in boundary sub-systems will include the following data :-
i)Identity of would be user
ii)Authentication information supplied
iii)Resources requested
iv)Action privileges requested
v)Terminal identifier
vi)Start & finish times.
vii)Number of sign-on attempts
viii)Resources provided/denied
ix)Action privileges allowed/denied

1005.Public audit trails are an important control in systems that use digital signatures for authentication
purposes. Three events should be recorded in the public audit trail and recorded by key server.
i)Registration of public key
ii)Registration of signatures
iii)Notification of key compromises.

1006.Accounting audit trail in boundary sub-systems will in most cases serve as an operation audit trail
also.

1007.Existence controls – These controls attempt to ensure the ongoing availability of all system resources. In boundary sub-systems the existence controls are limited to repeating the sign-on process, i.e. the user is asked to try once again.

1008.Input controls : The input sub-system is the next stage in the flow of data after the boundary sub-system. The components of an input sub-system are responsible for bringing i)data and ii)instructions into an application system.

1009.From an IS Auditor's point of view input controls are critical for 3 reasons :-
i)The largest number of controls exists in the input sub-system, and hence more time is spent in assessing its reliability.
ii)The input sub-system involves substantial routine human intervention and hence is more error prone.
iii)The input sub-system is often the target of frauds.

1010.Data input methods :- Data input can be done through direct entry or through a recording medium. Examples of direct entry devices are the keyboard, touch screen, mouse, video and sound input.

1011.Data input through a recording medium involves direct reading by devices such as OCR and MICR readers or ATMs, or keying in from a source document.

1012.Batch controls – is a method of control over data capture and data entry activities.

1013.Batching is the process of grouping together transactions that bear the same type of relationships
to each other.

1014.There are two types of batches :- i)Physical batch and ii)Logical batch.

1015.Physical batches are groups of transactions that constitute a physical unit eg source documents
obtained via post are grouped together to form a physical batch.
1016.Logical batches are groups of transactions bound together on logical basis eg where different
clerks use the same terminal for data entry, the input program logically groups transactions entered on
the basis of the clerks' identification number.

1017.To exercise batch control, two documents are required – i)batch cover sheet and ii)batch control
register.

1018.To identify errors, 3 types of control totals are used :–


i) Monetary totals (sum of monetary value is compared)
ii) Hash totals (sum of any code on a document in a batch is compared)
iii) Document/record counts(sum of number of document or records is compared)

1019.Four procedures to handle errors are :-


i)Reject only transactions with errors.
ii)Reject whole batch
iii)Accept batch in suspense pending correction.
iv)Accept batch but flag errors in transactions for identification enabling subsequent error correction.

1020.Controls to check the validity of input data are exercised at four levels :-
i)Field checks
ii)Record checks
iii)Batch checks
iv)File checks

1021.Field checks can be applied for :-


i)Missing data/blanks
ii)Alpha/numeric checks
iii)Range checks

1022.Record checks can be applied for :-


i)Reasonableness checks
ii)Valid sign checks (numeric fields)
iii)Sequence checks

1023.Batch checks can be performed by :-


i)Control total check
ii)Batch serial nos. check
iii)Sequence check

1024.File check can be applied for :-


i)Internal label checks
ii)Generation number checks
iii)Retention date checks
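The following is an added example, not code from the page: the field, record and batch checks of 1020 to 1023 and the three control totals of 1018 run over a constructed batch of deposit transactions, with each of the four error-handling procedures of 1019 applied to the result. The cover sheet, the records, the range and reasonableness limits and the account-number format are all constructed assumptions; amounts are in paise so that totals stay exact integers. The batch deliberately contains two keying errors, one of which only the hash total can see.

```python
"""Added example (not from the page): field, record and batch checks (1018-1024)
over a constructed batch of deposit transactions, applying each of the four
error-handling procedures of 1019.  Amounts are in paise; limits, cover sheet
and records are constructed assumptions."""
import re
from dataclasses import dataclass

MAX_AMOUNT = 10_000_000           # assumption: range limit per transaction
REASONABLE_CASH = 5_000_000       # assumption: reasonableness limit for cash credits


@dataclass
class CoverSheet:
    batch_no: str
    record_count: int
    monetary_total: int   # sum of amounts on the source documents
    hash_total: int       # sum of account numbers: meaningless, but detects mis-keying


def field_checks(rec):
    errors = []
    for key in ("account", "amount", "type"):                        # missing data / blanks
        if rec.get(key) in (None, ""):
            errors.append(f"missing {key}")
    if not re.fullmatch(r"\d{10}", str(rec.get("account", ""))):     # alpha/numeric check
        errors.append("account must be 10 digits")
    amount = rec.get("amount")
    if not isinstance(amount, int) or not 1 <= amount <= MAX_AMOUNT:  # range check
        errors.append("amount out of range")
    return errors


def record_checks(rec, previous_seq):
    errors = []
    amount = rec.get("amount", 0)
    if rec.get("type") == "CR" and isinstance(amount, int) and amount < 0:
        errors.append("credit with negative sign")                 # valid sign
    if rec.get("type") == "CR" and isinstance(amount, int) and amount > REASONABLE_CASH:
        errors.append("unreasonably large cash credit")            # reasonableness
    if rec.get("seq") != previous_seq + 1:
        errors.append("sequence break")                            # sequence check
    return errors


def batch_checks(cover, records):
    errors = []
    if len(records) != cover.record_count:                         # document count
        errors.append("record count mismatch")
    monetary = sum(r["amount"] for r in records if isinstance(r.get("amount"), int))
    if monetary != cover.monetary_total:                           # monetary total
        errors.append(f"monetary total {monetary} != cover {cover.monetary_total}")
    hashed = sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit())
    if hashed != cover.hash_total:                                 # hash total
        errors.append("hash total mismatch: an account number was mis-keyed")
    return errors


def process_batch(cover, records, policy):
    per_record, previous = [], 0
    for rec in records:
        per_record.append(field_checks(rec) + record_checks(rec, previous))
        previous = rec.get("seq", previous)
    batch_errors = batch_checks(cover, records)
    all_ids = list(range(len(records)))
    bad = [i for i in all_ids if per_record[i]]
    anything_wrong = bool(bad or batch_errors)
    result = {"batch_errors": batch_errors, "record_errors": per_record,
              "accepted": [], "rejected": [], "suspense": [], "flagged": []}
    if policy == "reject_errors":        # i) reject only the erroneous transactions
        result["accepted"] = [i for i in all_ids if i not in bad]
        result["rejected"] = bad
    elif policy == "reject_batch":       # ii) reject the whole batch
        result["rejected" if anything_wrong else "accepted"] = all_ids
    elif policy == "suspense":           # iii) hold the batch in suspense pending correction
        result["suspense" if anything_wrong else "accepted"] = all_ids
    elif policy == "accept_flag":        # iv) accept, flag errors for later correction
        result["accepted"], result["flagged"] = all_ids, bad
    else:
        raise ValueError(f"unknown policy {policy}")
    return result


# Constructed batch: record 3 has a transposed account number (only the hash
# total catches it) and record 4 was keyed as Rs 2,00,000.00 instead of
# Rs 2,000.00 (range, reasonableness and monetary-total checks all catch it).
COVER = CoverSheet("B0417", 4, 150_000 + 250_000 + 99_900 + 200_000,
                   1234567890 + 2345678901 + 3456789012 + 4567890123)
RECORDS = [
    {"seq": 1, "account": "1234567890", "amount": 150_000, "type": "CR"},
    {"seq": 2, "account": "2345678901", "amount": 250_000, "type": "CR"},
    {"seq": 3, "account": "3456789021", "amount": 99_900, "type": "CR"},
    {"seq": 4, "account": "4567890123", "amount": 20_000_000, "type": "CR"},
]

if __name__ == "__main__":
    for policy in ("reject_errors", "reject_batch", "suspense", "accept_flag"):
        r = process_batch(COVER, RECORDS, policy)
        print(policy, r["accepted"], r["rejected"], r["suspense"], r["flagged"], r["batch_errors"])
```

Note that record 3 passes every field and record check, because a transposed but well-formed account number is still a valid 10-digit number; it is the hash total on the cover sheet that exposes it, which is the reason a total of otherwise meaningless codes is kept at all.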

1025.Audit Trail – The AT in an input sub-system maintains the chronology of events from the time data is captured and entered into the application system until the time it is deemed valid and passed on to other sub-systems.

1026.The accounting AT in an input sub-system must record the origin, contents and timing of each transaction that results in data input.

1027.The operations AT in an input sub-system is an important means of improving the effectiveness and efficiency of the sub-system.

1028.Communication sub-system faces 3 major types of exposures :-


i)Transmission impairments can cause differences between the data sent and the data received.
ii)Data can be lost or destroyed through component failure.
iii)Hostile party could seek to subvert data that is transmitted through the sub-system.

1029.There are three types of transmission impairment – Attenuation, Delay distortion and Noise.

1030.Attenuation is the weakening of a signal as it traverses a medium. For analog signals, amplifiers are used to boost the amplitude; for digital signals, repeaters regenerate the signal periodically as it traverses the medium.

1031.Delay distortion occurs when a signal is transmitted through bounded media (twisted-pair wire, co-axial cable and optical fibre) because the different frequency components of the signal travel at different speeds.

1032.Noise is the random electric signals that degrade performance in the transmission medium.

1033.Noise are of 4 types :-


i)White noise
ii)Inter-modulation noise
iii)Cross talk
iv)Impulse noise

1034.White noise (thermal noise) is caused by the thermal agitation of electrons and increases with temperature.

1035.Intermodulation noise is on account of component malfunctioning.

1036.Cross talk occurs on account of coupling of signal paths. This happens when bounded media are
placed too close to each other.

1037.Impulse noise arises on account of lightning, faulty switching gear and poor contacts.

1038.The primary components in a communication sub-system are – transmission media, hardware and
software.

1039.Transmission media – twisted-pair wire, co-axial cable, optical fibre, microwave etc.

1040.Hardware – ports, modems, amplifiers, repeaters, multiplexers, switches etc.

1041.Software- packet switching software, data compression software, polling software etc.

1042.In a subversive attack on the communication sub-system an intruder attempts to violate the
integrity of some component in the sub-system e.g. invasive or inductive taps could be installed on
telephone lines.

1043.Invasive taps enable the intruder to read and modify data.

1044.Inductive taps enable the intruder to read only.

1045.Passive attacks can involve reading the message contents and thereby violating the privacy of the data. Alternatively they may involve traffic analysis (examining the length and frequency of traffic) to gain insight into the types of message being sent.

1046.Active attacks can be categorized into seven types of attacks – insert, delete, modify, alter,
duplicate, deny and establish spurious association.

1047.Among the commonly used communication media, optical fibre is the best medium for transmission: it is the hardest to tap and the least affected by noise.

1048.The advantages of a private line are that it can absorb the overheads better while implementing
the controls over data transmission and secondly it can be better conditioned to limit the effects of
attenuation, distortion and noise.

1049.Modem converts digital to analog signal and vice versa.

1050.Modems mitigate exposures associated with transmission in 3 ways :-
i)Increasing speed, thereby reducing the overheads associated with controls.
ii)Reducing line errors arising from distortion through a process called equalization.
iii)Reducing line errors through built-in error detection and correction (e.g. the V.42 protocol).

1051.All calls to a dial-up access system are first connected to the port protection device, where they undergo authentication procedures before being connected to the host system.

1052.The security functions performed by port protection devices are :-


i)Permit users to make connection to host computer system only through authorized telephone
numbers.
ii)Eliminate telltale modem tone that auto dialer routines can detect.
iii)Enforce password protection to the host system.
iv)Maintain audit trail of all successful and unsuccessful attempts.

1053.Multiplexers are devices to share resources.

1054.FDM : Frequency Division Multiplexing

1055.TDM : Time Division Multiplexing

1056.The two common multiplexing techniques are FDM and TDM.

1057.FDM divides the available bandwidth into smaller bands, each used as an independent frequency channel.

1058.TDM assigns fixed time slots to each user.

1059.Concentrators are devices that use switching technologies.

1060.The three methods of switching technologies are :-


i)Circuit switching
ii)Packet switching and
iii)Message switching

1061.In circuit switching, temporary connections are established between input/output channels to
transmit messages.

1062.In packet switching, messages are broken into packets which are sent individually and may travel along different paths.

1063.In message switching, messages are sent in totality to a concentration point and stored there until
such time the connection is established to transmit the message in full.

1064.Multiplexing and concentration techniques affect the reliability of the system in the following ways :-
i)Making more channel capacity available for control purposes.
ii)Providing alternative paths for messages if one path fails.
iii)Making it more difficult for wire tappers to disentangle the myriad of messages passing over
communication lines.

1065.Transmission impairment occurs due to attenuation, delay distortion and noise.

1066.Line errors are detected by the loop (echo) check, the parity check and the cyclic redundancy check (CRC).

1067.Loop(echo) check : returning a copy of message to a sender to determine whether it is the same
message sent.

1068.Parity check : adding redundant bits to a message that are a function of other bits in the message.

1069.Cyclic redundancy check : the message block is treated as a binary number, divided by a fixed generator (divisor) agreed between sender and receiver, and the remainder is attached to the message; the receiver repeats the division and compares the remainders.
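The three detection methods of 1066 to 1069 side by side, as an added example that is not code from the page: a constructed EFT frame is protected by a parity bit and by a CRC, line errors are simulated by flipping bits, and the receiver recomputes both. The CRC uses the common CRC-16/CCITT-FALSE parameters (generator polynomial 0x1021, initial value 0xFFFF); the frame contents are constructed.

```python
"""Added example (not from the page): the three line-error detection methods of
1066-1069 applied to a constructed frame.  The CRC uses the widely used
CRC-16/CCITT-FALSE parameters (polynomial 0x1021, initial value 0xFFFF)."""


def parity_bit(data):
    """Even parity over the frame: 1 if the number of 1 bits is odd, else 0."""
    return sum(bin(b).count("1") for b in data) & 1


def crc16(data, poly=0x1021, init=0xFFFF):
    """Bit-by-bit long division of the message by the generator polynomial;
    the 16-bit remainder is the check value attached to the frame."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def echo_check(sent, echoed):
    """Loop (echo) check: the receiver returns a copy and the sender compares."""
    return sent == echoed


def flip_bits(data, positions):
    """Simulate line errors by inverting the given bit positions (0 = MSB of byte 0)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(out)


def receiver_checks(frame, parity, crc):
    """What the receiver does with the parity bit and CRC that arrived with the frame."""
    return {"parity_ok": parity_bit(frame) == parity, "crc_ok": crc16(frame) == crc}


def demo():
    # Constructed EFT frame; in practice the check value follows the data field.
    frame = b"TRANSFER 000123456789 -> 000987654321 INR 50000.00"
    parity, crc = parity_bit(frame), crc16(frame)
    one_bit = flip_bits(frame, [13])
    two_bits = flip_bits(frame, [13, 14])         # an even number of errors
    return {
        "clean": receiver_checks(frame, parity, crc),
        "one_bit_error": receiver_checks(one_bit, parity, crc),
        "two_bit_error": receiver_checks(two_bits, parity, crc),
        "echo_of_corrupted_frame": echo_check(frame, two_bits),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two-bit case is the one to note: the parity bit is unchanged by an even number of flips and reports the frame as good, while the CRC, which detects every burst error shorter than its 16-bit generator, still catches it.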

1070.Forward error correcting codes : enough redundant bits are sent for the receiving end to correct errors itself, without retransmission. This costs more transmission capacity and is used where retransmission is impractical (e.g. one-way or long-delay links).

1071.Retransmission of data in error : the receiver detects the error and the sender retransmits the data. This is the more commonly used method, as it needs fewer redundant bits, but it requires a return channel and is impractical in some circumstances.

1072.Flow controls : FC is essentially matching the flow of data between two nodes having different
capacity e.g. flow of data from mainframe to minicomputers.

1073.Stop & wait method : send data frame by frame and wait for receiver's readiness response to send
the next data frame. This method is inefficient on account of the communication channel being unused,
when data frames are being processed by the receiver.

1074.Sliding window method : Allows several frames to be in transit before an acknowledgement is required, so that transmission and processing of data overlap. It is called a sliding window because the set of frames the sender may send (and the receiver may accept) shrinks and expands as acknowledgements arrive.

1075.Topological controls – the control on flow of data between several nodes varies according to the
different topologies. They are bus, tree, ring, star and mesh.

1076.Bus topology : As buses are fairly robust, encryption controls to protect the privacy of data are sufficient.

1077.Tree topology : Same as in bus topology.

1078.Ring topology : Repeaters to have bypass modes and encryption controls.

1079.Star topology : Reliability and security of Hub is critical here.

1080.Mesh topology : Used in WAN, therefore third parties are involved and hence the need for
encryption controls.

1081.Controls over subversive threats : link encryption, end-to-end encryption, stream ciphers, block ciphers, error propagation codes, message authentication codes, message sequence numbers and the request-response mechanism.

1082.Link encryption : data is encrypted on each link and decrypted at every node it traverses, so each intermediate node holds the key and sees the clear text.

1083.End to end encryption : data traverses from sender to receiver independently of the nodes through
which data traverses i.e. the data is not decrypted until it reaches the receiver. In other words the
intermediate nodes are not in possession of cryptographic key for decrypting the data.

1084.Stream cipher – clear text is transformed on a bit by bit basis under control of a stream of key
bits. Key bit stream is made from the function of an initialization value, an encryption key and a
generated cipher text.

1085.Block cipher – fixed length blocks of clear text are transformed under a constant fixed length key.

1086.Error propagation code – Such a code is sensitive to the order of bits in a message and any change
in the order of blocks is very likely to be detected.

1087.Message Authentication Code (MAC) : used in EFTS. A MAC is a keyed cryptographic checksum appended to the message. The receiver recalculates it with the same key to check that the message has not been altered.

1088.Message Sequence Number : used to detect attacks on the order of messages transmitted (deletion, duplication, replay or reordering).

1089.Request Response Mechanism : detects denial of message service, whether by deletion or by delay of messages. Essentially this mechanism involves obtaining an acknowledgement from the receiver periodically, driven by a timer; if none arrives within the time limit an attack is suspected.
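The following is an added example, not code from the page: the MAC, message sequence number and request-response timer of 1087 to 1089 on a constructed EFTS message flow between a terminal and a host, showing a modified message, a replayed one and a missing one each being refused, and the timer noticing silence. The shared key, the account numbers, amounts and clock values are constructed assumptions; in practice the key is distributed out of band and held in an HSM.

```python
"""Added example (not from the page): message authentication code, message
sequence number and request-response timer (1087-1089) on a constructed EFTS
message flow.  The shared key and all message contents are constructed."""
import hashlib
import hmac
import json

KEY = b"eft-mac-key-demo"   # assumption: shared between sender and receiver


def _canonical(seq, body):
    """Deterministic serialisation so both sides compute the MAC over the same bytes."""
    return json.dumps({"seq": seq, "body": body}, sort_keys=True,
                      separators=(",", ":")).encode()


def seal(seq, body):
    """Sender: append a keyed checksum covering the sequence number and the body."""
    mac = hmac.new(KEY, _canonical(seq, body), hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "mac": mac}


class Receiver:
    def __init__(self, timeout):
        self.expected = 1          # next sequence number that will be accepted
        self.last_seen = 0.0       # time of the last message received (any outcome)
        self.timeout = timeout     # request-response timer, in seconds
        self.log = []

    def accept(self, msg, now):
        self.last_seen = now
        seq = msg.get("seq")
        expected_mac = hmac.new(KEY, _canonical(seq, msg.get("body")), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, str(msg.get("mac", ""))):
            self.log.append((seq, "rejected: MAC mismatch (modified or spurious)"))
            return False
        if seq < self.expected:
            self.log.append((seq, "rejected: duplicate or replayed"))
            return False
        if seq > self.expected:
            self.log.append((seq, f"rejected: out of order, {self.expected} missing"))
            return False
        self.expected += 1
        self.log.append((seq, "accepted"))
        return True

    def link_alive(self, now):
        """Request-response check: silence longer than the timer suggests that
        messages are being deleted or delayed."""
        return now - self.last_seen <= self.timeout


def demo():
    rx = Receiver(timeout=5.0)
    t0 = 1_000.0                                     # constructed clock values
    m1 = seal(1, {"from": "000123", "to": "000987", "amount": 500})
    m2 = seal(2, {"from": "000123", "to": "000987", "amount": 700})
    m3 = seal(3, {"from": "000123", "to": "000555", "amount": 900})
    tampered = dict(m2, body=dict(m2["body"], amount=70_000))   # attacker edits the amount
    results = {
        "m1": rx.accept(m1, t0),
        "tampered_m2": rx.accept(tampered, t0 + 1),   # MAC no longer matches
        "replayed_m1": rx.accept(m1, t0 + 2),         # sequence number already used
        "m3_before_m2": rx.accept(m3, t0 + 3),        # gap: m2 deleted or reordered
        "m2": rx.accept(m2, t0 + 4),
        "m3": rx.accept(m3, t0 + 5),
        "alive_within_timer": rx.link_alive(t0 + 6),
        "alive_after_silence": rx.link_alive(t0 + 20),
    }
    return results, list(rx.log)


if __name__ == "__main__":
    results, log = demo()
    for key, value in results.items():
        print(f"{key}: {value}")
    for seq, outcome in log:
        print(seq, outcome)
```

The MAC covers the sequence number as well as the body, which is what stops an attacker from simply renumbering a captured message; the sequence check then handles replay and deletion, and the timer handles the case where nothing arrives at all.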

1090.Internetworking is the process of connecting two or more communication networks.

1091.The overall set of interconnected networks is called an internet.

1092.An individual network is called a sub-network.

1093.Three types of devices connect sub-networks- bridge, router and gateway.

1094.Bridge – it connects similar networks.

1095.Router – it performs all functions of a bridge in addition connects heterogeneous network and
directs traffic.

1096.Gateway- its primary function is to perform protocol conversion to allow different types of
communication architecture to communicate with one another.

1097.EFTS fund transfer messages are sent through high security high cost sub-network.

1098.Administrative messages are sent through a low cost low security sub-network.

1099.The International Organization for Standardization (ISO) has proposed the OSI architecture for standardisation.

1100.The architecture has seven layers of functions each of which has associated controls. They are
physical, data link, network, transport, session, presentation, application.

1101.Physical – A hardware layer specifying both the mechanical features (transmission media and connectors) and the electromagnetic features (voltage, signal strength, signalling method, amplification, modulation) of the connection between devices and the transmission medium.

1102.The network topology is an example of the physical layer.

1103.Data link – Primarily a hardware layer.

1104.Channel access control method – the protocol specifying how competing nodes in a network gain access to the shared communication channel.

1105.Link encryption is the method of control employed in this layer after the message is subjected to
error control and flow control.

1106.Network-Routing of message packet from source to destination decided in this layer. Ensures
correct routing of message through the network.

1107.Transport – Ensures reliable end to end message delivery. Multiplexing and end to end encryption
control measures employed here.

1108.Session – Establishes, maintains and terminates sessions; identification and authentication are done here.

1109.Checkpoint mechanism here provides for recovery of data by retransmitting from the last
checkpoint.

1110.Presentation – Controls how data appears by transforming it to a standardised application format (e.g. converting between ASCII and EBCDIC); encryption and data compression are employed here.

1111.Application – Provides service like file sharing, file transfer, mail services, directory services.
Database concurrency and deadlock controls employed here.

1112.From an audit point of view, a layered approach helps the auditor organise the examination and evaluation of controls in a communication sub-system.

1113.The audit trail in the communication sub-system is a chronology of events from the time a message is dispatched to the time it is received.

1114.Audit trail is particularly important in a paperless EDI system to resolve disputes.

1115.EBCDIC – Extended Binary Coded Decimal Interchange Code.

1116.ASCII – American Standard Code for Information Interchange.

1117.The processing sub-system is responsible for computing, sorting, classifying and summarizing
data.

1118.Controls to reduce expected losses from errors and irregularities associated with the CPU can be
categorized into four types :-
i)Error detection and correction.
ii)Multiple execution states
iii)Timing control
iv)Component replication

1119.The failure may be transient, intermittent or permanent.

1120.Transient-Errors which disappear after some time.

1121.Intermittent – Errors which recur periodically

1122.There are two types of state of the program – supervisor state and problem state.

1123.Supervisor state – for privileged code such as the operating system; any instruction may be executed.

1124.Problem state – which applies to user programs in which only a restricted set of instructions can
be used.

1125.Real memory comprises the fixed amount of primary storage in which programs or data must
reside for them to be executed or referenced by the CPU.

1126.Two types of controls are used to control expected losses from errors and irregularities associated
with real memory :-
i)Error detection and correction.
ii)Access controls

1127.Error detection is done by parity checks and Hamming codes.

1128.The Hamming code is also a parity-based check and is named after its developer, Richard Hamming.

1129.A parity check detects only errors affecting an odd number of bits; an even number of flipped bits leaves the parity unchanged.

1130.Hamming code can detect and correct errors in real memory.
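Why 1129 and 1130 hold, as an added example that is not code from the page: a single parity bit over a stored word, and a Hamming(7,4) code that locates and corrects any one flipped bit in a 7-bit memory word. The data words are constructed; the code uses the standard layout in which parity bits sit at positions 1, 2 and 4 so that the syndrome read back is the position of the faulty bit.

```python
"""Added example (not from the page): parity versus Hamming code (1127-1130).
A single parity bit only detects an odd number of bit errors; a Hamming(7,4)
code locates and corrects any single-bit error.  Data words are constructed."""


def even_parity(bits):
    return sum(bits) & 1


def parity_detects(word_with_parity):
    """Parity check on a stored word: True when the stored parity still matches."""
    return even_parity(word_with_parity) == 0


def hamming74_encode(d):
    """d = [d1, d2, d3, d4]; codeword positions 1..7 are p1 p2 d1 p3 d2 d3 d4."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4        # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4        # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4        # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(code):
    """Returns (data bits, syndrome).  A non-zero syndrome is the 1-based position
    of the flipped bit, which is corrected before the data bits are extracted."""
    c = list(code)
    p1, p2, d1, p3, d2, d3, d4 = c
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    syndrome = s1 + 2 * s2 + 4 * s3
    if syndrome:
        c[syndrome - 1] ^= 1
    return [c[2], c[4], c[5], c[6]], syndrome


def flip(bits, position):
    """Simulate a memory fault by inverting one bit (0-based index)."""
    out = list(bits)
    out[position] ^= 1
    return out


def demo():
    data = [1, 0, 1, 1]
    word = data + [even_parity(data)]          # parity-protected word
    code = hamming74_encode(data)              # Hamming-protected word
    corrupted_once = flip(code, 4)             # position 5 (d2) flipped
    corrupted_twice = flip(flip(word, 0), 1)   # two faults in the parity word
    recovered, syndrome = hamming74_decode(corrupted_once)
    return {
        "parity_sees_one_error": not parity_detects(flip(word, 0)),
        "parity_sees_two_errors": not parity_detects(corrupted_twice),
        "hamming_syndrome": syndrome,
        "hamming_recovered": recovered == data,
        "hamming_clean_syndrome": hamming74_decode(code)[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The syndrome of 5 is not just a flag: it is the position of the bad bit, which is what lets the decoder repair the word rather than only report it, and it is the difference between 1129 and 1130.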

1131.Access controls-The other method to control errors in real memory is to place access controls in
the form of boundary registers (a hardware protection mechanism).

1132.Virtual memory exists when the addressable storage space(required memory) is larger than the
real memory.

1133.Two types of controls are exercised over virtual memory :-


i)The addressing mechanism checks that each memory reference is within the bounds of the block (the virtual memory allocated to the process).
ii)The access control mechanism checks that the action the process wants to undertake is within its allowed set of privileges.

1134.The database sub-system is responsible for defining, creating, modifying, deleting and reading
data in an information system.

1135.Traditional databases are organized by fields, records and files.

1136.A field is a single piece of information.

1137.A record is one complete set of fields.

1138.A file is a collection of records.

1139.An alternative concept in database design is known as Hypertext.

1140.Two types of data are maintained in database systems. Declarative data and procedural data.

1141.Declarative data – describes the static aspect of the real world objects and the association between
these objects. The example of payroll file and a personnel file showing therein name of employee, pay
rate, designation, job duties etc best illustrates the declarative type of data.

1142.Procedural data – Such data describes the dynamic aspect of the real world objects and the
association between these objects.

1143.Knowledge base – The combination of declarative data and procedural data is known as a knowledge base.

1144.Data is the plural of datum; data are stored in the form of bits and bytes in the electronic memory of computers.

1145.Data files – are files that contain binary data and store database information.

1146.Data index files are files that identify unique records.

1147.The data dictionary is a file (or set of files) that defines the basic organisation of a database.

1148.Metadata – describes how and when and by whom a particular set of data was collected and how
the data is formatted. Metadata is administrative information and is essential for understanding
information stored in database.

1149.Data warehouses are huge databases containing collection of data designed to support
management decision making. The term data warehousing generally refers to combining many different
databases across an entire enterprise.

1150.Data Mart is a database, or collection of databases, designed to help managers make strategic
decisions about their business. Data marts are usually smaller and focus on a particular subject or
department.

1151.Database controls:-
i)Access controls
ii)Integrity controls
iii)Concurrency controls
iv)Audit trail controls
v)Existence controls

1152.Database controls focus on access controls, maintaining integrity of data and preventing integrity
violation.

1153.Access controls in the database sub-system like in boundary controls are either discretionary or
mandatory.

1154.Discretionary access controls are exercised by system administrators or data owners to restrict the
access to the data base and the action privileges associated with the database. Restrictions may be
i)name dependent, ii) content dependent, iii)context dependent and iv)history dependent.

1155.Mandatory access controls are exercised by system administrators by assigning security attributes to data, which cannot be changed by database users.

1156.In a DBMS, integrity constraints are used to maintain accuracy, completeness and uniqueness of
instances of constructs used within the data modelling approach.

1157.When application software uses the database, update and report protocols are used to protect
the integrity of the database.

1158.Update protocol includes sequence checking the order of transaction files/master files, ensuring
processing of all records by using correct end of file processing protocols, processing multiple
transactions in a single record in the correct order and posting monetary transactions which are not
matched with a master record into a suspense account.

1159.Report protocol includes printing control data in an internal table (these are standing data
which are used to perform various functions, eg in a billing program there may be an internal table of
price or in a payroll program, the internal table of pay rates) periodically, printing run to run control
totals and printing suspense entries.

1160.When two processes are allowed concurrent access to a data item there could be a violation of
data integrity.

1161.Concurrency controls are used to prevent such integrity violations when a data item is shared, whether in a single system or in a distributed database. The usual mechanism is locking, which in turn introduces the risk of deadlock.

1162.Deadlock – A situation where two processes are each waiting for the other to release the data it needs, so neither can proceed.

1163.Two-phase locking (a transaction acquires all the locks it needs before releasing any) is the most widely used locking protocol. Deadlocks that still arise are resolved by detecting them (e.g. through a wait-for graph) or by time-outs, and aborting and restarting one of the transactions.
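What 1160 to 1163 describe, in code, as an added example that is not from the page: two transactions update the same balance without any control and one update is lost; the same pair under two-phase locking, where the second waits for the first's shrinking phase; and a lock order that deadlocks, detected by walking the wait-for graph and broken by aborting one transaction. The lock manager, balances and transaction names are constructed; exclusive locks only, for brevity.

```python
"""Added example (not from the page): lost update, two-phase locking and
deadlock detection for 1160-1163.  Balances, items and transaction names are
constructed; only exclusive locks are modelled."""


class Transaction:
    def __init__(self, name):
        self.name = name
        self.held = set()
        self.growing = True   # 2PL: no new lock may be taken once any is released


class LockManager:
    def __init__(self):
        self.owner = {}       # item -> name of transaction holding the exclusive lock
        self.waits_for = {}   # blocked transaction -> transaction it is waiting on

    def acquire(self, txn, item):
        """Returns True if the lock is granted, False if txn must wait."""
        if not txn.growing:
            raise RuntimeError(f"{txn.name} violates 2PL: lock after release")
        holder = self.owner.get(item)
        if holder is None or holder == txn.name:
            self.owner[item] = txn.name
            txn.held.add(item)
            self.waits_for.pop(txn.name, None)
            return True
        self.waits_for[txn.name] = holder
        return False

    def release_all(self, txn):
        """Shrinking phase: release every lock; the transaction may not lock again."""
        txn.growing = False
        for item in txn.held:
            self.owner.pop(item, None)
        txn.held.clear()
        self.waits_for.pop(txn.name, None)

    def deadlock_cycle(self):
        """Walk the wait-for graph; a cycle back to the start means deadlock."""
        for start in self.waits_for:
            path, cur = [start], start
            while cur in self.waits_for:
                cur = self.waits_for[cur]
                if cur == start:
                    return path
                if cur in path:
                    break
                path.append(cur)
        return None


def lost_update(balance):
    """No concurrency control: both transactions read the same value, both add 50,
    and the second write overwrites the first."""
    read_by_t1 = balance
    read_by_t2 = balance
    balance = read_by_t1 + 50
    balance = read_by_t2 + 50
    return balance


def locked_update(balance):
    """Two-phase locking: T2 cannot read until T1 has written and released."""
    lm, t1, t2 = LockManager(), Transaction("T1"), Transaction("T2")
    if not lm.acquire(t1, "A"):
        raise RuntimeError("T1 could not lock A")
    t2_blocked = not lm.acquire(t2, "A")   # T2 must wait for T1's shrinking phase
    balance += 50
    lm.release_all(t1)
    if not lm.acquire(t2, "A"):
        raise RuntimeError("T2 could not lock A after T1 released it")
    balance += 50
    lm.release_all(t2)
    return balance, t2_blocked


def deadlock_demo():
    """T1 holds A and wants B; T2 holds B and wants A."""
    lm, t1, t2 = LockManager(), Transaction("T1"), Transaction("T2")
    lm.acquire(t1, "A")
    lm.acquire(t2, "B")
    lm.acquire(t1, "B")   # T1 now waits on T2
    lm.acquire(t2, "A")   # T2 now waits on T1: a cycle
    cycle = lm.deadlock_cycle()
    resumed = False
    if cycle:
        lm.release_all(t2)              # abort the victim, freeing its locks
        resumed = lm.acquire(t1, "B")   # the survivor can now proceed
    return cycle, resumed, lm.deadlock_cycle()


if __name__ == "__main__":
    print("without locks:", lost_update(100))
    print("with 2PL:", locked_update(100))
    print("deadlock:", deadlock_demo())
```

The second case is the point of 1163: two-phase locking makes the updates serial and so correct, but it is also what creates the cycle in the third case, so a locking protocol always needs a detection or time-out mechanism beside it.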

1164.Database cryptographic controls are used to protect the integrity and privacy of data stored in a database.

1165.The primary method of encryption used is the block encryption method.

1166.To protect data from unauthorised access a cryptographic key is used; the protection is only as strong as the protection of that key.

1167.Existence controls include the backup and recovery strategy. Some such methods are the grandfather-father-son strategy, dual recording and mirroring, dumping, logging, residual dumping etc.

1168.The main functions of the output sub-system are to determine :-
i)The content of data that will be provided to users.
ii)The ways in which the data will be formatted and presented to users and
iii)The ways in which data will be prepared and routed to users.

1169.The major components in the output sub-system are :-

i)Software and personnel that determine the content, format and timeliness of data to be provided to
users.
ii)The various hardware devices used to present the formatted data to users (printers, terminals, voice
synthesizers etc.)

1170.The output controls can be examined from four different angles-inference controls, controls
over the production and distribution of batch output, batch report design controls and controls
over the production and distribution of online reports.

1171.Inference controls are used in the output sub-system to prevent compromise of a statistical
database, i.e. the disclosure of an individual's data through the answers to aggregate queries.

1172.Compromise can be of four types :-


i)Positive compromise
ii)Negative compromise
iii)Exact compromise
iv)Approximate compromise

1173.Positive compromise :- whereby users determine that a person has a particular attribute, e.g. Eric
is an alcoholic.

1174.Negative compromise :- whereby users determine that a person does not have a particular attribute,
e.g. Eric is not an alcoholic.

1175.Exact compromise :- whereby users determine the precise value of an attribute possessed by a
person, e.g. Eric draws a salary of Rs.20,000/- p.m.

1176.Approximate compromise :- whereby users determine, within some range, the value of an attribute
possessed by a person, e.g. Eric draws a salary in the range of Rs.15,000/- to Rs.20,000/- p.m.

1177.Inference controls, which are used to prevent such compromises, are of two types -

i)restriction controls
ii)perturbation controls

1178.Restriction controls limit the set of responses provided to a user's query (for example by refusing
to answer when the query set is very small), thereby protecting the confidentiality of the data of
persons in the database.

1179.Perturbation controls introduce some type of noise into the statistical calculations performed on
the records retrieved from the database. The price is some loss of information, in the form of bias (the
difference between the average value of the perturbed statistics and the average value of the true
statistics) or inconsistency in the results obtained.
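Worked example (added; not from the IIBF notes): a toy statistical database in Python showing an exact compromise through two SUM queries, a query-set-size restriction control that refuses the second query, and an output-perturbation control that returns only an approximate answer. The employees, departments and salaries are constructed, and the noise parameter and seeding scheme are this example's own illustrative choices.

```python
"""Added example (not from the IIBF notes): a toy statistical database showing
an exact compromise through two SUM queries, and the two inference-control
families described above (restriction and perturbation). The employee records
and salaries are constructed; names such as Eric are illustrative only.
"""
import random

EMPLOYEES = [
    {"name": "Eric", "dept": "audit", "salary": 20000},
    {"name": "Asha", "dept": "audit", "salary": 18000},
    {"name": "Raj",  "dept": "audit", "salary": 22000},
    {"name": "Mei",  "dept": "ops",   "salary": 15000},
    {"name": "Tom",  "dept": "ops",   "salary": 16000},
    {"name": "Lena", "dept": "ops",   "salary": 17000},
]


def query_set(predicate):
    return [r for r in EMPLOYEES if predicate(r)]


def unrestricted_sum(predicate):
    """A statistical query with no inference control at all."""
    return sum(r["salary"] for r in query_set(predicate))


def exact_compromise(stat_sum):
    """Two aggregate answers whose difference is exactly one person's salary."""
    audit = lambda r: r["dept"] == "audit"
    audit_without_eric = lambda r: r["dept"] == "audit" and r["name"] != "Eric"
    return stat_sum(audit) - stat_sum(audit_without_eric)


class RestrictionControl:
    """Query-set-size restriction: refuse answers whose query set has fewer
    than k records, or more than n-k (because the complement would then be
    smaller than k and could be obtained by subtraction from the total)."""

    def __init__(self, k):
        self.k = k

    def sum(self, predicate):
        rows = query_set(predicate)
        n = len(EMPLOYEES)
        if len(rows) < self.k or len(rows) > n - self.k:
            raise PermissionError(f"query set of size {len(rows)} is restricted")
        return sum(r["salary"] for r in rows)


class PerturbationControl:
    """Output perturbation: add zero-mean Gaussian noise to each answer. The
    noise is derived from the query set and a server secret, so repeating the
    same query returns the same perturbed value and cannot be averaged away."""

    def __init__(self, sigma, secret):
        self.sigma = sigma
        self.secret = secret

    def sum(self, predicate):
        rows = query_set(predicate)
        seed = self.secret + "|" + ",".join(sorted(r["name"] for r in rows))
        noise = random.Random(seed).gauss(0, self.sigma)
        return round(sum(r["salary"] for r in rows) + noise)


if __name__ == "__main__":
    print("no control, Eric's salary:", exact_compromise(unrestricted_sum))
    try:
        exact_compromise(RestrictionControl(3).sum)
    except PermissionError as exc:
        print("restriction control:", exc)
    print("perturbation control, estimate:",
          exact_compromise(PerturbationControl(500, "server-secret").sum))
```

With no control the subtraction yields Eric's exact salary (an exact compromise); the restriction control answers the department total but refuses the two-record query; the perturbation control answers both but the difference is only an approximate compromise, and the seeded noise means re-asking does not sharpen it.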

1180.Batch output production and distribution controls – Controls to be exercised at each phase depend
upon the cost/benefit ratio.

SECURITY POLICIES, PROCEDURES AND CONTROLS

1181.The overall objective of Information Security is to protect the Confidentiality, Integrity and
Availability of the information that is the organization's property.

1182.With the advancement of technology, enterprises have been adopting cost-effective but increasingly
complex technologies such as the Internet and cloud computing for their operations. This has led to a
significant increase in the threats to enterprise information.

1183.Effective computer security is the result of appropriately tuning the various controls, which
comprise management controls, application controls, operational controls and administrative controls.

1184.Policy refers to a set of specific security rules for specific category of systems eg firewall policy,
e-mail policy etc.

1185.The IS Security Policy thus acts as the documentation of the management's strategy, directives
and decisions relating to computer security.

1186.COBIT lays down detailed statements for a structured approach to the process of IT planning and
organization.

1187.The Planning and Organization Domain of COBIT has been explained in detail in (i)Security
Policies, procedures and controls and (ii)Management and control framework.

COMPLIANCE AND INCIDENT HANDLING

1188.An incident is an unplanned interruption to an IT service, or a reduction in the quality of an IT
service.

1189.In Information Technology, the Incident is an occurrence where a service or component fails to
provide a feature or service that it was designed to deliver.

1190.All security incidents or violations of security policies should be brought to the notice of the
CISO of a bank.

1191.CERT-In : Indian Computer Emergency Response Team.

1192.ERM : Enterprise resource management.

1193.To determine the risk, a bank can evaluate the likelihood associated with the threat agent, attack
vector, and security weakness and combine it with an estimate of the technical and business impact to
an organization. Together, these factors determine the overall risk.

1194.VaR : Value at Risk is a statistic that measures and quantifies the level of financial risk within a
firm's portfolio or position over a specific time frame.

1195.Access to the database prompt (direct console or command-line access to the DBMS) must be
restricted to the database administrator.

1196.MTM – Mark to market is a measure of the fair value of accounts that change over time, such as
assets and liabilities. MTM aims to provide a realistic appraisal of an institution's or company's current
financial situation.

1197.A multi-tier application architecture needs to be considered for relevant critical systems such as
internet banking systems; it separates session control, presentation logic, server-side input validation,
business logic and database access into distinct tiers.

NETWORK SECURITY

1198.Protection against growing cyber threats requires multiple layers of defences, known as defence
in depth.

1199.Defence in depth for most organizations should at least consider two areas namely (a)Protecting
the enclave boundaries or Perimeter (b)Protecting the computing environment.

1200.The enclave boundary is the point at which an organization's network interacts with the Internet.

1211.IDS – Intrusion Detection Systems.

1212.NIPS – Network Intrusion Prevention Systems.

1213.An effective approach to secure a large network involves dividing the network into logical
security domains.

1214.Security domains are bounded by perimeters.

1215.Typical perimeter controls include firewalls that operate at different network layers, malicious
code prevention, outbound filtering, intrusion detection and prevention devices, and controls over
infrastructure services such as DNS.

1216.The main purpose of a firewall is access control. By limiting inbound (from the Internet to the
internal network) and outbound (from the internal network to the Internet) communications, various
attack vectors can be reduced.

1217.Firewalls may provide additional services such as Network Address Translation (NAT) and acting
as a Virtual Private Network (VPN) gateway.

1218.Financial institutions have four primary firewall types from which to choose – packet filtering,
stateful inspection, proxy servers and application-level firewalls.

1219.A firewall policy states management's expectation for how a firewall should function and is a
component of the overall security management framework.

1220.Firewalls are potentially vulnerable to attacks including spoofing trusted IP addresses, denial of
service by overloading the firewall with excessive requests or malformed packets, sniffing of data that
is being transmitted outside the network, hostile code embedded in legitimate HTTP, SMTP, or other
traffic that meet all firewall rules etc.

1221.The goal of an IDS is to identify potentially malicious network traffic in near real time and raise
an alert on it.

1222.To use a Network IDS(NIDS) effectively, an institution should have a sound understanding of the
detection capability and the effect of placement, tuning, and other network defences on the detection
capability.

1223.A weakness in the signature-based detection method is that a signature must exist for an alert to
be generated. Signatures are written to either capture known exploits, or to alert to suspected
vulnerabilities.

1224.The anomaly-based detection method generally detects deviation from a baseline. The baseline
can be either protocol-based, or behaviour-based.

1225.The protocol-based baseline detects differences between the observed packets for a given protocol
and the Internet RFC (Request for Comments) that defines that protocol. For example, a header field
could exceed the size the RFC allows.

1226.Tuning refers to the creation of signatures and alert filters that can distinguish between normal
network traffic and potentially malicious traffic, apart from involving the creation and implementation of
different alerting and logging actions based on the severity of the perceived attack.

1227.Encryption poses a potential limitation for a NIDS, since it cannot inspect the payload of
encrypted traffic (for example TLS) unless that traffic is decrypted for it.

1228.Decryption is a device-specific feature that may not be incorporated into all NIDS units.

1229.All NIDS detection methods result in false positives (alerts where no attack exists) and false
negatives (no alert when an attack does take place)

1230.False positives - alerts where no attack exists.

1231.False negatives - no alert when an attack does take place.
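Worked example (added; not from the IIBF notes or any IDS vendor): a toy NIDS in Python running the signature and protocol-anomaly methods of 1223-1225 over constructed packets, producing the false positive and false negative of 1229-1231 and showing the tuning step of 1226 (decoding URL-encoded payloads before matching) that removes the false negative. The signature patterns and payloads are constructed for the example; the DNS limits come from RFC 1035.

```python
"""Added example (not from the IIBF notes or any IDS product): a toy network
IDS over constructed packets. It runs signature matching and a protocol-based
anomaly check (DNS label length limit from RFC 1035), and shows a false
positive, a false negative, and how tuning (decoding before matching) removes
the false negative. Signatures and payloads below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Signature rules: (name, protocol, pattern). Constructed for the example.
SIGNATURES = [
    ("sqli-tautology", "http", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("path-traversal", "http", re.compile(r"\.\./\.\./")),
]

# Constructed traffic sample (one dict per packet).
PACKETS = [
    {"id": 1, "proto": "http", "payload": "GET /login?user=admin' OR 1=1-- HTTP/1.1"},
    {"id": 2, "proto": "http", "payload": "GET /login?user=admin%27+OR+1%3D1-- HTTP/1.1"},
    {"id": 3, "proto": "http", "payload": "GET /docs/../../README.md HTTP/1.1"},  # benign
    {"id": 4, "proto": "dns",  "qname": "www.example.com"},
    {"id": 5, "proto": "dns",  "qname": "a" * 70 + ".example.com"},  # label > 63 octets
]


def signature_alerts(packet, decode=False):
    """Signature-based detection: an alert needs a pattern written for the attack."""
    payload = packet.get("payload", "")
    if decode:
        payload = unquote_plus(payload)   # tuning step: normalise URL encoding first
    return [name for name, proto, pat in SIGNATURES
            if proto == packet["proto"] and pat.search(payload)]


def protocol_anomalies(packet):
    """Anomaly detection against the protocol RFC: DNS name limits (RFC 1035)."""
    alerts = []
    if packet["proto"] == "dns":
        labels = packet["qname"].split(".")
        if any(len(label) > 63 for label in labels):
            alerts.append("dns-label-too-long")
        if len(packet["qname"]) > 253:
            alerts.append("dns-name-too-long")
    return alerts


def inspect(packets, decode=False):
    """Return {packet id: [alert names]} for every packet that raised an alert."""
    result = {}
    for pkt in packets:
        alerts = signature_alerts(pkt, decode) + protocol_anomalies(pkt)
        if alerts:
            result[pkt["id"]] = alerts
    return result


if __name__ == "__main__":
    print("untuned:", inspect(PACKETS))
    print("tuned:  ", inspect(PACKETS, decode=True))
```

Untuned, packet 2 (the same injection, URL-encoded) raises no alert, a false negative, while packet 3 (a harmless relative path) trips the traversal signature, a false positive; decoding before matching catches packet 2, and the false positive on packet 3 is the kind of case an alert filter in the tuning step is written to suppress. Packet 5 is caught by the protocol baseline alone, with no signature at all.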

1232.NIPS – Network Intrusion Prevention Systems.

1233.NIPS are an access control mechanism that allow or disallow access based on an analysis of
packet headers and packet payloads.

1234.Firewalls typically allow only the traffic necessary for business purposes, or only “known good”
traffic.

1235.IPS units contain a “white list” of IP addresses that should never be blocked. The list helps ensure
that an attacker can not achieve a denial of service by spoofing the IP of a critical host.

1236.Quarantining a device protects the network from potentially malicious code or actions. Typically,
a device connecting to a security domain is queried for conformance to the domain's security policy. If
the device does not conform, it is placed in a restricted part of the network until it does conform.

1237.Split DNS : one firewalled DNS server serves public domain information to the outside and does
not perform recursive queries, while a separate internal server answers queries from internal hosts, so
that internal host names are never exposed to the Internet.

1238.DMZ – Demilitarized Zone.

1239.Configuration management begins with well-tested and documented security baselines for various
systems. There need to be documented security baselines for all types of information systems.

1240.If backdoors or vendor connections do exist in critical systems, strong authentication must be
implemented to ensure secure communications.

1241.Establish "Red Teams" to identify and evaluate possible attack scenarios. The information
resulting from the Red Team evaluation needs to be fed into the risk management process to assess the
findings and establish appropriate protection strategies.

1242.The organizations should at least consider two areas namely (a)protecting the enclave boundaries
or perimeter and (b)protecting the computing environment.

INFORMATION SECURITY AND IS AUDIT


INFORMATION SECURITY

1243.Banks manage risks through prudent business practices, contractual arrangements with third
parties, obtaining insurance coverage and use of appropriate security mechanisms.
1244.Policies are management instructions indicating a course of action, a guiding principle, or an
appropriate procedure, which is expedient, prudent, or advantageous.
1245.A policy statement describes only the general means for addressing a specific problem.
1246.Procedures are specific operational steps or manual methods that workers must employ to achieve
a certain goal.
1247.Policies are higher-level requirement statements than “standards”, although both types of
management instructions require compliance.
1248.Standards would, for example, define the number of secret key bits required of the encryption
algorithms (cipher suites) permitted in SSL/TLS, a widespread Internet encryption protocol.
1249.Policies on the other hand would simply define the need to use an approved encryption process
when sensitive information is sent over public networks such as the Internet.
1250.TLS is the successor to SSL and the two are often referred to together as the SSL/TLS protocol.
SSL has been superseded by TLS; TLS 1.0 was in effect SSL 3.1.
1251.SSL = Secure Socket Layer
1252.TLS = Transport Layer Security
1253.At the corporate level, the CISO would be responsible for Information System Security.
1254.CISO - Chief Information Security Officer
1255.The Information Systems Security Managers/Officers should be adequately trained on
Information System Security standards like ISO/IEC 27001 and should be encouraged to pursue
courses in Information security/Audit such as CISSP/CISM/CISA/CFE and other internationally
acclaimed certifications.

1256.ISO/IEC 27001 is the best-known standard in the family, providing the requirements for an ISMS,
whereas ISO/IEC 27002 is the code of practice for information security controls.
1257.ISMS – Information Security Management System.
1258.Each information access control system should have one or more Information Systems Security
Administrator(s), appointed to ensure that the access control procedures are being monitored and
enforced continuously.
1259.The activities of the ISSA have to be reviewed by an independent party such as Audit department,
for the purpose, on a routine basis.
1260.ISSA-Information Systems Security Administrator
1261.The custodian of information is generally responsible for the processing and storage of the
information.
1262.Authentication devices – Passwords, Secure cards, PINs etc.
1263.The Information Security Officer is responsible for working with user management, owners,
custodians, and users to develop and implement prudent security policies, procedures, and controls,
subject to the approval of Counsel.
1264.Large departments with significant Confidential Information may have a departmental
Information Security Liaison.
1265.Security policies are high-level laws of the land regarding a security infrastructure. They are not
procedures. Procedures tell how to implement security policies.
1266.The person being held responsible for security policies could be the Director of Information
Security, the Chief Security Officer, the Director of Information Technology, the Chief Information
Officer, or a knowledgeable employee appointed to be the information security officer.
1267.Security is typically distributed, and security mechanisms should be built into all layers of the
enterprise infrastructure. Security policies should describe the rules of the road for the following types
of technology systems :-
i)Encryption mechanisms
ii)Access control devices
iii)Authentication systems
iv)Virtual Private Networks(VPN)
v)Firewalls
vi)Messaging systems
vii)Anti-virus systems
viii)Websites

ix)Gateways
x) Mission critical applications
xi)End-user desktops
xii)DNS servers
xiii)Routers and switches.

1268.Security controls are mechanisms put into place to enforce security policies.
1269.Security Definition-All security policies should include a well-defined security vision for an
organization. The security vision should be clear and concise and convey to the readers the intent of the
policy.
1270.Enforcement-This section should clearly identify how the policy will be enforced and how
security breaches and/or misconduct will be handled.
1271.The Chief Information Officer(CIO) and the Information Systems Security Officer(ISSO)
typically have the primary responsibility for implementing the policy and ensuring compliance.
1272.A good security policy should also include information that identifies how security profiles will
be applied uniformly across common devices eg servers, workstations, routers, switches, firewalls,
proxy servers etc.
1273.If your agency does not have a need to host Internet or Intranet based applications then do not
install Microsoft IIS.
1274.If you have a need to host web (HTTP) services, but do not have a requirement for allowing FTP,
then disable it.
1275.Random and scheduled audits should be conducted and may include :-
i)Password auditing using password cracking utilities such as LC3 (Windows) and pwdump (Windows,
to extract the password hashes for cracking).
ii)Auditing the user account database for active old accounts (persons who have left the agency).
iii)Penetration testing to check for vulnerabilities using technical assessment tools such as ISS and
Nessus.
iv)Social engineering techniques to determine whether you can obtain a username or password from a
staff member.
v)Simulating an (off-hours) network failure and evaluating your incident response team's performance
and readiness.
vi)Testing your back-up recovery procedures.
vii)Using Tripwire or a similar product to monitor your critical binary files.
viii)Configuring your server OS to audit all events and monitoring several times a day for suspicious
activity.
ix)Using a port scanner (Nmap, Nessus etc) within your network to determine whether your system
administrators catch the traffic and take appropriate action.

1276.Administrative Security Policy :-


i)Users must change their passwords on regular basis.
ii)A designated employee should securely maintain a master list of passwords.
iii)End-users will update their virus signatures at least once a week.
iv)Users will not e-mail passwords across the corporate infrastructure.
v)Users must use a card-key to enter data centre.
vi)Employees shall not use dial-out modems from their desktops.
vii)All users must read, sign and abide by end-user security policies.
viii)Users will report suspicious network activity to security officer.
ix)The security officer will manage and respond to all security incidents.
x)Company information marked Proprietary must be used only for legitimate business purposes.

1277.Technical Security Policy :-


i)Servers will be configured to expire passwords once every quarter.
ii)Anti-virus software will be installed and properly configured on all user desktops.
iii)A card-key system will be installed at every data centre entrance.
iv)All data and information must be assigned a custodial owner.
v)All access control systems must be monitored for compliance.
vi)Online penetration tests should be conducted twice a year.
vii)Accounts must initiate a lock out after four unsuccessful attempts to login.
viii)Encryption is used to prevent access to sensitive and proprietary information.
ix)Incoming attachments must be scanned for viruses on the boundary server.
x)Passwords must be at least 8 characters long and include upper and lower case characters and
at least one numeric character and one special character. The point is the size of the search space:
with about 95 printable characters, an 8-character password has roughly 95^4 (about 80 million)
times as many possibilities as a 4-character one, which is the ratio behind the often-quoted figures (a
brute-force tool cracking a 4-character password in about 4 seconds and needing about 10 years for 8
characters). The absolute times assume a particular hash function and the hardware of the day; fast
unsalted hashes on modern GPUs are attacked far faster, so length, slow hashing and lockout matter
more than any such absolute number.

1278.Virus protection - Wherever possible a multi-layered approach should be used (desktops, servers,
gateways etc) that ensures all electronic files are appropriately scanned for viruses. Users are not
authorized to turn off or disable virus-checking systems.

1279.Authorization - Access will be granted on a "need to know" or "minimum necessary" basis and
must be authorized by the immediate information owner or user management with the assistance of the
Information Security Officer.

1280.Identification/Authentication : An automatic timeout requiring re-authentication must be enforced
after a certain period of inactivity. The maximum period is 15 minutes, unless the department user(s)
have a business reason for a longer period, as approved by the Information Security Officer. The user
must log off or secure the system when leaving it.

1281.Emergency Access – Procedures must be documented to address – Authorization, Implementation
and Revocation.

1282.Information Disposal - Information disposal must be consistent with established departmental
records retention schedules. The disposal of information must ensure the continued protection of
confidential information. Hard copy (paper and microfilm/fiche) must be shredded before being
discarded or confidentially recycled. Magnetic media (floppy disks, hard drives, zip disks, etc.) must be
erased with a degaussing device or disk "wiping" software before being discarded or reused. CD ROM
disks must be defaced or broken in half before being discarded.

1283.Confidential information must never be stored on mobile computing devices (laptops, Personal
Digital Assistants(PDA), smart phones, tablet PCs etc) unless they have the following minimum
security requirements implemented :
i)Power-on passwords
ii)Auto logoff or screen saver with passwords, and
iii)Encryption of stored data or other acceptable safeguards approved by Information Security Officer.

1284.Passwords - Automated password policy techniques should require a minimum of eight characters,
use of a combination of symbols, alpha characters and numerals, and a mixture of uppercase and
lowercase. Users should be required to change their passwords at least quarterly.

1285.BIOS – Basic Input Output System

1286.Any computer system includes a basic set of system programs called an operating system. The most
important program in the set is called the kernel. It is loaded into memory when the system boots
and contains many critical procedures that are needed for the system to operate.

1287.OS Functions : In short the OS must provide two main functions :-

i)It must manage the resources available to the computer system.
ii)It must provide a reliable, stable, secure, and consistent interface for applications to access a
computer's resources.

1288.Real-time operating system : This OS is most often found in robotic machinery and scientific
devices.

1289.Single-user, single task system : This type of OS is used by devices such as a PDA or other
miniature computers.

1290.Single-user, multitasking system. This type of OS is most familiar because it includes most
Microsoft Windows Systems. In this OS, a user can open multiple programs and jump back and forth
between applications as required.

1291.Multi-user system - A true multi-user operating system allows many users to access the
computer's resources simultaneously. A common example of this type of OS is Linux.

1292.OS Tasks - Processor management, memory management, device management, storage
management, application management, user interface.

1293.API – Application Programming Interface.

1294.GUI – Graphical User Interface.

1295.Classification is used to promote proper controls for safeguarding the confidentiality of
information.

1296.Confidential information is information that is protected by State or Federal Statute.

1297.Examples of public information may include the organization's events calendars, class schedules,
minutes of meetings, and material posted to the organization's web pages.

1298.Incident Handling refers to those practices, technologies and/or services used to respond to
suspected or known breaches to security safeguards.

1299.Industry best practices suggest that organizations who adopt both proactive and reactive means to
address incident handling are better able to limit the negative implications of incidents. Examples of
proactive activities include establishing communication mechanisms to report incidents and to
disseminate incident alerts and identifying technical experts who can provide emergency assistance if
needed. Examples of reactive activity include blocking or aborting computer processes, temporarily
denying user access and deploying inoculation software.

1300.Intrusion Detection System(IDS) have emerged to help detect perimeter breaches and intrusions.

1301.According to Gartner Research “Intrusion detection sounds like a good idea but alerts you only
that something is going on. It is not always so effective to just see the alarms going off” and not have
the tools to address the problem.

1302.Too often, however, the IDS bells ring, but with no effective means to respond and sort out all the
false positives, the IDS becomes white noise, and, ultimately, shelf-ware.

1303.White Noise - WN is a random signal with equal power at every frequency. It is the most familiar
of the various "colours" of noise, each of which has its own power distribution across the frequency
spectrum. In communications it is modelled as Additive White Gaussian Noise (AWGN). In the IDS
sense above, white noise means a constant background of alerts that nobody acts on.

1304.Shelfware : It is a slang term used to describe owning or licensing software that you don't
actually need or use (i.e. it sits on a shelf).

1305.CIRT - Computer Incident Response Team

1306.Hackers and malevolent insiders often cover their tracks by deleting event log and system files,
hiding their installed malware by renaming it with innocuous file extensions, cloaking created
backdoors and other similar techniques.

1307.Network-enabled computer forensics tools can quickly undelete files, locate hidden malware(even
if renamed) through file signature and hash analysis, find backdoors and other evidence, and make
complete bit-stream image backups of drives housing compromised data.

1308.As the target systems are not taken off-line, the key live data of the compromised system(open
ports, live registry, RAM dumps) can be easily captured and preserved.
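Worked example (added; not from the IIBF notes or any forensic tool): Python code for the two techniques in 1307, file-signature (magic byte) analysis and hash matching, run over a constructed set of in-memory files. The file contents, extensions and the "known bad" hash set are constructed for the example; nothing here is real malware or a real threat-intelligence feed.

```python
"""Added example (not from the IIBF notes or any forensic product): file
signature ("magic byte") checks and hash matching over constructed in-memory
files, the two techniques used to find malware that was renamed with an
innocuous extension. The file contents and the 'known bad' hash are constructed
here; they are not real malware samples.
"""
import hashlib

# Leading bytes that identify common file types (well-known magic numbers).
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Content type expected for a given extension.
EXPECTED_TYPE = {".exe": "pe-executable", ".dll": "pe-executable", ".pdf": "pdf",
                 ".png": "png", ".txt": "text", ".log": "text"}

# Constructed sample of a seized volume: name -> bytes.
FILES = {
    "notes.txt":  b"MZ\x90\x00" + b"\x00" * 60,             # executable renamed to .txt
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "readme.txt": b"Quarterly figures attached.\n",
    "cache.log":  b"\x7fELF\x02\x01\x01" + b"\x00" * 40,    # ELF renamed to .log
}

# Constructed "known bad" hash set; in practice this comes from threat intel or
# an earlier investigation. Here it is simply the hash of the renamed ELF above.
KNOWN_BAD_SHA256 = {hashlib.sha256(FILES["cache.log"]).hexdigest()}


def detect_type(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data)
    return "text" if printable else "unknown"


def extension_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def examine(files):
    """Return {name: [findings]} for files whose content contradicts their name
    or whose hash is on the known-bad list."""
    findings = {}
    for name, data in files.items():
        notes = []
        actual = detect_type(data)
        expected = EXPECTED_TYPE.get(extension_of(name))
        if expected and actual != expected:
            notes.append(f"extension says {expected}, content is {actual}")
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            notes.append(f"sha256 {digest[:12]}... matches known-bad list")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in examine(FILES).items():
        print(name, "->", "; ".join(notes))
```

The signature check catches renaming regardless of whether the sample has been seen before, while the hash check ties a file to a known sample even when its name and extension look legitimate; a real tool also hashes with more than one algorithm and compares against large known-good sets to exclude standard OS files from review.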

1309.In June 2003, Gartner created a major stir in the information security industry when it issued a
research report calling into question the effectiveness of intrusion detection systems.

1310.The insider threat takes many forms, whether it is unauthorized access to customer privacy
information, theft of intellectual property and trade secrets, financial fraud, improper deletion of
computer files (as in the case of Arthur Andersen) or various employee policy violations such as email
harassment and internet pornography.

1311.In terms of defined industry best practices, ISO 17799 (since renumbered as ISO/IEC 27002)
provides very detailed requirements for incident response, internal investigations, and the preservation
and analysis of computer evidence consistent with best practices and computer forensics protocols.

1312.An enterprise's overall security framework must, under ISO 17799, include an effective incident
response approach "to ensure a quick, effective and orderly response to security incidents". An ISO
17799 compliant enterprise should employ the best methods and tools available to respond to breaches
or suspected breaches of its information security, and must collect and preserve the resulting evidence
in a forensically sound manner for investigation and reporting purposes.

1313.The “patch and proceed” methodology is not compliant with these regulations and standards for
two reasons. First, with the growing standardization of network-enabled computer forensics tools,
“patch and proceed” is simply no longer consistent with the best practice. Secondly, without the proper
response, collection and preservation of evidence, the internal and regulatory incident reporting
requirements under these regulations and standards can not be met.

1314.A Covert Channel can expose information by some indirect and obscure means. It may be
activated by changing a parameter accessible by both secure and insecure elements of a computing
system, or by embedding information into a data stream.

1315.Trojan Code is designed to affect a system in a way that is not authorized and not readily noticed
and not required by the recipient or user of the program.

1316.Where covert channels or Trojan code are a concern, the following should be considered :-
i)Buying programs only from a reputable source.
ii)Buying programs with source code so that the code may be verified.
iii)Using evaluated products.
iv)Inspecting all source code before operational use.
v)Controlling access to, and modification of, code once installed.
vi)Using staff of proven trustworthiness to work on key systems.

1317.When software development is outsourced, the following points should be considered :-


i)Licensing arrangements, code ownership and intellectual property rights.
ii)Certification of the quality and accuracy of the work carried out.
iii)Escrow arrangements in the event of failure of the third party.
iv)Rights to access for audit purpose about the quality and accuracy of work done.
v)Contractual requirements for quality of code.
vi)Testing before installation to detect Trojan code.

1318.Anti-virus software should run as an NLM (NetWare Loadable Module) on the file server. If this is
not possible, the workstations and file server should be scanned at the end of the business day or at
least once a week.

1319.If a virus is suspected of being present and the virus cannot be identified, or is identified as a
transmittable or "travelling" virus, the following procedure should be followed :-
i)The personal computer should be physically disconnected from the LAN.
ii)The LAN should be physically isolated from other LANs and from NET.
iii)All access and mail servers on the LAN should be shut down.
iv)Users should be informed not to use their PCs or any floppy disks in their possession.
v)The Information Services Department Help Desk must be notified of the "possibility" of the
presence of a "travelling" virus on a LAN connected to NET. The Help Desk will electronically isolate
the LAN from NET. The Help Desk should then notify all NET LAN Administrators of the potential
problem and act as a coordinating office for information regarding the problem.
vi)All resources on the LAN should be scanned using anti-virus software. Don't forget to scan
diskettes and standalone PCs that have shared resources or any contact with an infected LAN.
vii)All file servers should be scanned on an hourly basis until all scanning procedures are complete and
a clean bill of health is issued by the LAN Administrator.

1320.FUD : Fear, Uncertainty and Doubt.

1321.Black Hat Hacker : A BHH is a person who attempts to find computer security vulnerabilities and
exploit them for personal financial gain and other malicious reasons.

1322.In order to understand vulnerabilities, we should start by describing the various classes of
vulnerabilities :-
i)Vendor bugs
ii)Poor architecture
iii)Misconfigurations
iv)Incorrect usage

1323.Vendor Bugs : These are buffer overflows and other programming errors that let users execute
commands they are not allowed to execute. Downloading and applying patches usually fixes vendor
bugs.

1324.Poor Architecture : This is the result of not properly factoring security into the design of how an
application works. These vulnerabilities are typically the hardest to fix because they require major
rework of the product by the vendor. An example of poor architecture would be a vendor using a weak
form of encryption.

1325.Misconfigurations : These are caused by not properly locking down databases. Many of the
configuration options of databases can be set in a way that compromises security. Some of these
parameters are set insecurely by default. Most are not a problem unless you unsuspectingly change the
configuration. An example of this in Oracle is the REMOTE_OS_AUTHENT parameter. By setting
REMOTE_OS_AUTHENT to true, you are allowing unauthenticated users to connect to your database.
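As an added example (not from these notes), a small Python check that parses a constructed init.ora-style parameter file and reports REMOTE_OS_AUTHENT whenever it is not explicitly FALSE; the file contents and the check table are assumptions, and an unset parameter is reported too, since the notes warn that defaults can be insecure.

```python
"""Flag insecure Oracle init parameters in an init.ora-style file.

Added example (not from the notes): SAMPLE_INIT_ORA is constructed.
Only REMOTE_OS_AUTHENT, the parameter the notes name, is checked; the
CHECKS table can be extended with other parameters the auditor wants verified.
"""

# Constructed sample of an init.ora-style parameter file (not a real system).
SAMPLE_INIT_ORA = """
# database parameters
db_name = ORCL
REMOTE_OS_AUTHENT = TRUE   # lets OS-trusted remote clients connect unauthenticated
audit_trail = db
"""

# Parameter name -> value the auditor expects to see explicitly set.
CHECKS = {
    "REMOTE_OS_AUTHENT": "FALSE",
}


def parse_parameters(text):
    """Return {NAME: VALUE} from init.ora-style 'name = value' lines.

    Strips '#' comments, ignores blank or malformed lines, upper-cases names
    and values and removes surrounding quotes so comparisons are case-insensitive.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip().strip('"\'').upper()
    return params


def find_insecure(params):
    """Return [(name, actual, expected)] for parameters not set to the expected value.

    An absent parameter is reported as 'UNSET': the effective value then comes
    from the vendor default rather than an explicit, reviewed choice.
    """
    findings = []
    for name, expected in CHECKS.items():
        actual = params.get(name, "UNSET")
        if actual != expected:
            findings.append((name, actual, expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in find_insecure(parse_parameters(SAMPLE_INIT_ORA)):
        print(f"{name}: set to {actual}, expected {expected}")
```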

1326.Incorrect Usage : IU refers to building applications utilizing developer tools in ways that can be
used to break into a system. SQL INJECTION is an example of incorrect usage.

1327.Database security has generally been ignored and threat management for these applications
has been non-existent. The damage caused by a worm is dependent on several factors :-
i)The number of targets for a worm.
ii)The success rate of infection.
iii)The resilience of a worm.

1328.Databases are a critical piece of an organization's infrastructure and cannot always be hidden
behind a firewall. The success rate of infection is critical to whether or not the worm is able to spread
through to other systems. For example, the Spida worm was effective because a large number of
Microsoft SQL Server databases had blank “sa” passwords. Those databases with non-blank
passwords were not infected.

1329.Databases are extremely complex beasts, and generic auditing, vulnerability assessment, and IDS
solutions just don't cut it.

1330.ISO – International Standards Organization

1331.OSI – Open Systems Interconnect

1332.The ISO OSI Reference Model defines seven layers of communications types, and the interfaces
among them.

1333.The 7 layers of ISO/OSI Reference Model – Application, Presentation, Session, Transport,
Network, Data Link and Physical

1334.Types and sources of network threats :-
i)Denial of Service
ii)Unauthorized access
iii)Executing commands illicitly
iv)Confidentiality breaches
v)Destructive behaviour

1335.DoS (Denial of Service) attacks are probably the nastiest, and most difficult to address, because
they are very easy to launch, difficult (sometimes impossible) to track, and it isn't easy to refuse the
requests of an attacker without also refusing legitimate requests for a service.

1336.The premise of a DoS attack is simple: send more requests to a machine than it can handle.

1337.The risk of being stung by a Denial of Service attack may be reduced by :-
i)Not running your visible-to-the-world servers at a level too close to capacity.
ii)Using packet filtering to prevent obviously forged packets from entering into your network address
space.
iii)Obviously forged packets would include those that claim to come from your own hosts, addresses
reserved for private networks as defined in RFC 1918, and the loopback network (127.0.0.0).
iv)Keeping up-to-date on security-related patches for your hosts' operating systems.
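An added example, not part of the original notes, of the ingress rule in points (ii) and (iii): a Python filter that drops packets whose source address claims to be one of our own hosts, lies in RFC 1918 space, or lies in the loopback network, and records the reason so the administrator can see spoofing attempts. The site prefix 203.0.113.0/24 and the packet records are constructed for the example.

```python
"""Ingress filter for "obviously forged" source addresses.

Added example (not from the notes). The site prefix and the packet
records below are constructed; 203.0.113.0/24 is the RFC 5737
documentation range, standing in for the organization's own address space.
"""
import ipaddress

# Source addresses that must never arrive from the outside world.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed site prefix
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8")]


def forged_reason(src):
    """Return why an external packet's source address is obviously forged, or None."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in OWN_PREFIXES):
        return "claims to be one of our own hosts"
    if any(addr in net for net in RFC1918):
        return "RFC 1918 private address"
    if any(addr in net for net in LOOPBACK):
        return "loopback network"
    return None


def filter_ingress(packets):
    """Split packets arriving on the Internet-facing interface.

    Returns (accepted, dropped); each dropped entry pairs the packet with the
    reason, which is what a router ACL log would record for later review.
    """
    accepted, dropped = [], []
    for pkt in packets:
        reason = forged_reason(pkt["src"])
        if reason is None:
            accepted.append(pkt)
        else:
            dropped.append((pkt, reason))
    return accepted, dropped


# Constructed packets as seen on the external interface (src, dst, proto/port).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp/443"},
    {"src": "203.0.113.5", "dst": "203.0.113.10", "proto": "tcp/22"},  # spoofs our host
    {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "udp/53"},     # RFC 1918 source
    {"src": "127.0.0.1", "dst": "203.0.113.10", "proto": "tcp/80"},    # loopback source
    {"src": "192.0.2.44", "dst": "203.0.113.25", "proto": "tcp/25"},
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for pkt, why in bad:
        print(f"drop {pkt['src']} -> {pkt['dst']} ({pkt['proto']}): {why}")
```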

1338.There are two major categories among the destructive sorts of break-ins and attacks :-
i)Data diddling
ii)Data destruction

1339.Data diddling :- It is a method adopted by computer criminals. DD is the changing of data before
or during entry into the computer system, or altering the raw data just before it is processed by a
computer and then changing it back after the processing is completed. Using this technique the criminal
can manipulate the output, and it is not so easy to identify. But using cyber forensic tools we can trace
out when the data was changed and change it back to the original form.

1340.Firewall-A firewall is simply a group of components that collectively form a barrier between two
networks.

1341.In order to provide some level of separation between an organization‟s intranet and the internet,
firewalls have been employed.

1342.Bastion host – A general purpose computer used to control access between the internal (private)
network (intranet) and the Internet (or any other untrusted network). Typically, these are hosts running
a flavour of the Unix operating system that has been customized in order to reduce its functionality to
only what is necessary to support its functions. Many of the general purpose features have been
turned off, and in many cases completely removed, in order to improve the security of the machine.

1343.Router :- A special purpose computer for connecting networks together. Routers also handle
certain functions, such as routing, or managing the traffic on the networks they connect.

1344.Demilitarized Zone(DMZ) : The DMZ is a critical part of a firewall. It is a network that is neither
part of the untrusted network, nor part of the trusted network. But this is a network that connects the
untrusted to the trusted. The importance of DMZ is tremendous; someone who breaks into your
network from the Internet should have to get through several layers in order to successfully do so.
Those layers are provided by various components within a DMZ.

1345.Proxy-This is the process of having one host act on behalf of another. A host that has the ability to
fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might
be configured to be proxy clients. In this situation, when a host on the intranet wishes to fetch a web
page, for example, the browser will make a connection to the proxy server and request the given URL.
The proxy server will fetch the document and return the result to the client. In this way, all hosts on the
intranet are able to access resources on the Internet without having the ability to directly talk to the
Internet.

1346.Firewalls:-
i)Application Gateways
ii)Packet Filtering
iii)Hybrid Systems

1347.Application Gateways :-The first type of firewall is the application gateway, sometimes known as a
proxy gateway. These are made up of bastion hosts that run special software to act as a proxy server.
This software runs at the Application Layer of the ISO/OSI Reference Model, hence the name.

1348.Packet Filtering :- PF is a technique whereby routers have ACLs(Access Control Lists) turned on.
By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions.
Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you
allow the outside world to have to your internal network, and vice versa.

1349.Hybrid Systems :

1350.Firewall certifications : The certification of a firewall means nothing more than the fact that it can
be configured in such a way that it can pass a series of tests. Similarly, claims about meeting or
exceeding U.S. Department of Defence “Orange Book” standards, C-2, B-1 and such all simply mean
that an organization was able to configure a machine to pass a series of tests.

1351.Firewall : The term firewall refers to a number of components that collectively provide the
security of a system.

1352.Crypto Capable Routers :-A feature that is being built into some routers is the ability to do session
encryption between specified routers. Because traffic travelling across the Internet can be seen by
people in the middle who have the resources (and time) to snoop around, these are advantageous for
providing connectivity between two sites, such that there can be secure routes.

1353.Virtual Private Networks :- Given the ubiquity of the Internet, and the considerable cost involved
in private leased lines, many organizations have been building VPNs(Virtual Private Networks).

1354.Disaster recovery is that part of a business resumption plan which ensures that the
information and the information processing facilities are restored to their normal operating conditions
as soon as possible after disruption.

1355.Emergency procedures, manual fall-back plans and resumption plans should be within the
responsibility of the owners of the appropriate business resources or processes involved.

1356.Fall back arrangements for alternative technical services, such as information processing and
communication facilities, should usually be the responsibility of the service providers.

1357.A variety of techniques should be used in order to provide assurance that the plan(s) will operate
in real life. They should include :-
i)Table top testing of various scenarios.
ii)Simulations, particularly for training people in their post-incident crisis management roles.
iii)Technical recovery testing, i.e. ensuring information systems can be restored effectively.
iv)Testing recovery at an alternate site, running business processes in parallel with recovery operations
away from the main site.
v)Tests of supplier facilities and services, ensuring externally provided services and products will meet
the contracted commitment.
vi)Complete rehearsals, i.e. testing that the organization, personnel, equipment, facilities and processes
can cope with interruptions.

1358.Several viruses, Trojans, and malware use email as the vehicle to propagate themselves
throughout the Internet.

1359.A few of the more recent worms were Code Red, Nimda, and Goner.

1360.The black-hat community typically launches their 'zero day' and old exploits on the Internet via
IRC chat rooms, through Instant Messengers, and free Internet email providers(gmail, hotmail, yahoo
etc.).

1361.The Internet is the world's largest network of networks.

1362.The Internet is network of networks-not a network of hosts.

1363.ISP : Internet Service Provider

1364.Packets = Small datagrams.

1365.TCP/IP – The language of the Internet.

1366.TCP/IP – Transport Control Protocol/Internet Protocol

1367.TCP/IP :This is functionality that occurs at the Network(IP) and Transport(TCP) layers in the
ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2,
MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that use the
network.

1368.Engineers and scientists from all over the world participate in the IETF (Internet Engineering
Task Force) working groups that design the protocols that make the Internet work. Their time is
typically donated by their companies, and the result is work that benefits everyone.

1369.IP : IP is a “network layer” protocol. This is the layer that allows the hosts to actually “talk” to
each other. It handles such things as carrying datagrams, mapping the Internet address (such as 10.2.3.4)
to a physical network address (such as 08:00:69:0a:ca:8f), and routing, which takes care of making sure
that all of the devices that have Internet connectivity can find the way to each other.

1370.IP Spoofing : In computer networking, IP address spoofing or IP spoofing is the creation of
Internet Protocol packets with a false source IP address, for the purpose of impersonating another
computing system.

1371.IP Session Hijacking is a relatively sophisticated attack, first described by Steve Bellovin.

1372.IP Session Hijacking is an attack whereby a user's session is taken over and placed under the control
of the attacker. If the user was in the middle of email, the attacker is looking at the email, and can then
execute any commands he wishes as the attacked user. The attacked user simply sees his session dropped,
and may simply login again, perhaps not even noticing that the attacker is still logged in and doing things.

1373.TCP is a transport-layer protocol. It needs to sit on top of a network-layer protocol, and was
designed to ride atop IP, just as IP was designed to carry, among other things, TCP packets. Because
TCP and IP were designed together, and wherever you have one you typically have the other, the entire
suite of Internet protocols is known collectively as “TCP/IP”.

1374.UDP : User Datagram Protocol.

1375.CERT : Computer Emergency Response Team

1376.CIAC : Confederation of International Accreditation Commission.

IS AUDIT

1377.'The Working Group on Information Systems Security for the Banking and Financial Sector'
constituted by RBI enumerated that every Bank in the country should conduct “Information Systems
Audit as per the IS Security Policy” of the Bank.

1378.Information Systems Audit and IS Security Dept(Cell) prepare Information Systems Audit policy.

1379.The fundamental principle is that risk and controls are continuously evaluated by the
information/business owners, where necessary, with the support from IS Audit function.

1380.Information System Auditing is the process of collecting and evaluating evidence to determine
whether a computer system safeguards assets, maintains data integrity, allows organization goals to be
achieved effectively and uses resources efficiently.

1381.Auditing is also described as a continuous evaluation for compliance.

1382.The objective of the IS audit is to assess the identified risks that an organization is exposed to in the
computerized environment.

1383.The IT facilities must be protected against all hazards (physical and environmental). The hazards
can be accidental hazards or intentional hazards or natural hazards.

1384.Data integrity includes the safeguarding of the information against intentional and unintentional
or unauthorized changes viz., addition, deletion, modification or alteration. The desired features of the
data are described hereunder :-
a)Accuracy
b)Confidentiality
c)Completeness
d)Reliability
e)Relevant

1385.Technology risks are controlled by General IS controls and business risks are controlled using
Application controls.

1386.The auditor must learn new skills to work effectively in a computerized environment. These new
skills are categorized in three broad areas :-
i)Understanding of computer concepts and system design.
ii)Understanding the functioning of Accounting Information System(AIS), an ability to identify new
risks and understand how the internal controls are mapped on to the computers to manage technology
and business risks.
iii)Knowledge of use of computers in audit.

1387.In the computerized environment, accounting records are kept in computer files which are
categorized into three types, namely master file, parameter file and transaction file.

1388.There are two types of Transaction Processing Systems(TPS)-Batch processing and On-line
processing.

1389.COBIT(Control Objectives for Information Technology) is an internal control framework
established by ISACA for an information system. COBIT can be applied to the Accounting Information
System. To apply the COBIT framework an organization should :-
i)Define the information system architecture
ii)Frame security policies
iii)Conduct technology risk assessment
iv)Take steps to manage technology risk like designing appropriate audit trails, providing systems
software security, having a business continuity plan, managing IS resources like data, applications and
facilities, periodically assessing the adequacy of internal controls and obtaining independent assurance
for the information systems.

1390.IFAC – International Federation of Accountants.

1391.AICPA -American Institute of Certified Public Accountants.

1392.ISACA -Information Systems Audit and Control Association.

1393.Security is a control structure established to maintain confidentiality, integrity and availability of
data, application systems and other resources.

1394.Accountability- means clear apportionment of duties, responsibilities and accountability in an
organization, creation of security awareness in the organization, cost-effective implementation of
information security, integrated efforts to implement security, periodic assessment of security needs and
timely implementation of security controls.

1395.Information security is implemented using a combination of General IS controls and application
controls.

1396.General IS controls include implementation of security policy, procedures and standards,
implementation of security using systems software, business continuity plan and information system
audit.

1397.Physical controls include locks and keys, biometric controls and environmental controls.

1398.Logical controls, such as access controls implemented by the operating systems, database
management systems and utility software, are implemented through sign-on procedures, audit trails etc.

1399.Administrative controls include separation of duties, security policy, procedures and standards,
disaster recovery and business continuity plans, information systems audit etc.

1400.Information systems audit :- is a process to collect and evaluate evidence to determine whether
the information systems safeguard assets, maintain data integrity, achieve organizational goals
effectively and consume resources efficiently.

1411.The common element between any manual audit and IS audit is data integrity.

1412.IS audit evaluates the IS management function.

1413.According to COBIT, there are five resources that an IT environment needs to consider viz, people,
application systems, technology, data and facilities.

1414.The IS management function can be divided into four phases, like any other management function :-
i)Management(which is equivalent to planning and organization)
ii)Implementation and deployment
iii)Directing and controls
iv)Audit and monitoring

1415.The heart of IS audit is the system audit.

1416.System audit is a subject of skills acquisition and not knowledge acquisition.

1417.Security serves three purposes – confidentiality, integrity and availability.

1418.Availability risk is one of the major technology risks.

1419.A business continuity plan begins with business impact analysis(BIA) and involves risk
evaluation and loss estimates for the outage.

1420.The operating system controls access at the directory and file level, while the database application
controls access at the record and field level.

1421.All users must get just the minimum access which they need to do their work. This has two aspects to it :-
First, only authorized users should have access to IT resources, based on their roles & responsibilities.
Second, even authorized users should not have full access; the access should be need based. For this,
all operating systems have two types of facilities, namely authentication and authorization.
Authentication allows only the authorized users to access the systems. Authorization allows just the
minimum access to files and directories. To manage both these facilities, all operating systems
have a facility called systems administration.

1422.Database provides two important features-data sharing and data independence.

1423.Every database provides facilities to implement sign-on procedures (user identification and
authentication) and authorization mechanisms.

1423.Oracle is the most-commonly used RDBMS in India and world over, providing facilities to
implement access controls through sign-on procedures and authorization.

1424.Authorization is implemented through object ownership, granting of privileges, and creation of
roles and assignment of roles to the users.

1425.Application control primarily deals with the audit objects.

1426.Application controls can be divided into :-
i)Validation of input
ii)Authorization of input
iii)Completeness of input
iv)Accuracy of input

1427.ACL : Access Control List

1428.ACL is the market leader in the arena of general audit software. The software provides the
facilities needed by an auditor to evaluate all the seven types of assertions made in any financial
statement.

1429.ACL Software offers tools to understand the quantitative features of the data as well as the
qualitative features of the data. Moreover, it provides facilities to conduct substantive testing.

1430.ACL has an excellent feature to create a command log.

1431.The audit organization or group has learned that to be successful it must generate an appropriate
internal audit infrastructure, tailor made audit approaches to each business unit within the company,
and create “over-the-top” results by focusing on four basic elements : people, processes, electronic
platforms, and focused collaboration with senior management.

1432.A diverse group of auditors brings several skill sets to audit areas that include project
management, manufacturing, supply management, and product marketing and sales.

1433.A team of two or three auditors will cover two or more major business processes during field
work that lasts up to three weeks.

1434.The overall goal within a group is to retain a small core of experienced auditors and to rotate the
balance to operating units after they have been in the audit group for approximately three years.

1435.Electronic audit platforms such as Lotus Notes were introduced to gain significant efficiencies.

1436.Metrics play a key role in successfully upgrading the audit group processes by measuring key
processes for improvement.

1437.Other results of introducing metrics include :-
i)Audit planning has become more current and focused since auditors began requiring specific
information in advance from audit customers.
ii)Fieldwork is more focused and is accomplished in two to three weeks.
iii)A draft audit report will be completed at the end of fieldwork.
iv)Final audit reports, completed with management action plans, are issued less than 30 days after
fieldwork ends.
v)Primary audit work papers are electronic, streamlined, and completed within two weeks after field
work ends; secondary hard-copy work papers are strictly limited and for accessory purposes only.

1438.The auditors develop brief project descriptions and report on project status at quarterly quality
meetings.

1439.For the auditors who will be rotating to other parts of the company, an Internal Auditor Quality
Recognition Program, with achievement levels and corresponding substantial cash awards, has been
developed.

1440.In the mid 1990s, Lotus Notes was used as a worldwide standard for groupware.

1441.Located within a group, the Internal Control Documents database includes past audit reports,
audit follow-up analysis, audit report distribution lists, key document templates, presentations, minutes
of information sharing staff meetings, and other reference information.

1442.In addition, the auditors developed a kit of templates for key audit documents. The kit includes
Word and Excel framework documents, such as audit engagement letters, audit reports, management
action plans replying to audit reports, auditor job performance evaluations, and the audit quality
questionnaire sent to customers following an audit.

1443.In conducting an audit there are five major phases- planning the audit, test of controls, tests of
transactions, tests of balances or overall results, and completion of an audit.

1444.HLSC : High Level Steering Committee

1445.HLSC for Review of Supervisory Processes for Commercial Banks was set up by RBI.

1446.SRM : Supervisory Relationship Manager

1447.In August 2011, RBI set up a High Level Steering Committee(HLSC) for Review of Supervisory
Processes for Commercial Banks. Major recommendations of the Committee :-
i)Objectives of supervision
ii)Approach to supervision-RBS
iii)Supervisory rating under RBS
iv)Thematic reviews
v)Consolidated supervision
vi)Jurisdiction of supervision
vii)Single point of supervisory contact
viii)Building of supervisory skills

1448.RBIA – Risk Based Internal Audit

1449.RBIA approach helps in planning the IS Audit.

1500.RBIA includes the following components :-
Adopting a suitable IT Risk Assessment Methodology - used to examine auditable units in the IS audit
universe and select areas for review to include in the IS Annual Plan that have the greatest risk
exposure.

1511.Steps in suitable IT Risk Assessment Methodology :-
i)System characterisation
ii)Threat identification
iii)Vulnerability identification
iv)Control analysis
v)Likelihood determination
vi)Impact analysis
vii)Risk determination

1512.As a part of RBIA, planning the IS Audit involves the following :-
i)Defining the IS audit universe
ii)Scoping for IS audit
iii)Planning execution of an audit.

1513.Scoping for IS Audit:-This addresses the scoping requirements and includes :-
i)Defining control objectives and activities
ii)Considering materiality
iii)Building a fraud risk perspective

1516.Planning execution of an audit :-This describes the steps of a planning process before IS Audit
starts execution of the plan :-
i)Documenting an audit plan
ii)Nature and extent of test of control
iii)Sampling techniques
iv)Standards and frameworks
v)Resource management

1517.RBI issued the “Guidance Note on Risk-based Internal Audit” in 2002 to all scheduled
commercial banks, introducing the system of “risk-based internal audit”.

1518.Under CAMELS inspection, a bank could attain a high rating based on earnings even while it was
taking undue risks to achieve higher profitability, which could expose the bank to operational risks.

1519.RBS has brought uniformity in reporting that enables RBI to assess and manage individual banks
based on their risk profile and capital levels.

1520.It should also be ensured that all systems, domains and processes, irrespective of their risk-levels,
are covered within a period of three years.

1521.RBS – Risk Based Supervision.

1522.RBS, which focuses on evaluating both present and future risks, identifying incipient problems
and facilitating prompt intervention/early corrective action, should replace the present compliance-based
and transaction-testing approach (CAMELS), which is more in the nature of a point-in-time assessment.

1448.The periodicity/intensity of on-site inspection of a bank would depend upon its position on the
Risk-Impact Index Matrix rather than its volume of business.

1523.Under the proposed RBS, the supervisory rating would be a reflection on the risk elements
(inherent business risks and effectiveness of control) and would not be an exercise in performance
evaluation as under the CAMELS rating Framework.

1524.The supervisory intervention including placing a bank under the Prompt Corrective Action(PCA)
framework, if required, would be based on the supervisory rating and the risk-impact score of a bank.

1525.The supervisor would increasingly use thematic reviews as a tool of supervision whereby review
of a particular product, market or practice using a specialized team would be made to assess risks
brewing within a sector at system level for enabling prompt actions/measures.

1526.Report of the committee on computer audit dated 02/04/2002 :-
i)Defining control objectives and activities; IT control objectives, based on well-known frameworks,
can be included in the scope.
ii)Materiality

1527.The ITGI has also provided guidance on execution of assurance initiative in its “IT Assurance
Guide Using COBIT”.

1528.RACI – Responsible, Accountable, Consulted and Informed.

1529.Testing Control Design :-This section lists the different techniques that will be used in detailed
audit steps. Testing of controls is performed covering the main test objectives :-
i)Evaluation of control design.
ii)Confirmation that controls are in place within the operation.
iii)Assess the operational effectiveness of controls.
iv)Additionally, control efficiency could be tested.

1530.Five generic testing methods include enquire and confirm, inspect, compare actual with expected
findings, re-perform or re-calculate and review automated evidence collection through analyzing data
using computer assisted audit techniques and extracting exceptions or key transactions.

1531.CAAT – Computer Aided Automated Tools- IS Audit function needs to enhance the use of
CAATs, particularly for critical functions or processes carrying financial or regulatory or legal
implications.

1532.The extent to which CAATs can be used will depend on factors such as efficiency and
effectiveness of CAATs over manual techniques, time constraints, integrity of the Information System
and IT environment and level of audit risk.

1533.CAATs may be used in critical areas (like detection of revenue leakage, treasury functions,
assessing impact of control weaknesses, monitoring customer transactions under AML requirements)
and generally in areas where a large volume of transactions is reported.

1534.CAATs may be used to perform the following audit procedures among others :-
i)Test of transactions and balances, such as recalculating interest.
ii)Analytical review procedures, such as identifying inconsistencies or significant fluctuations.
iii)Compliance test of general controls : testing set-up or configuration of the operating system, or
access procedures to the programme libraries.
iv)Sampling programmes to extract data for audit testing.
v)Compliance tests of application controls such as testing functioning of a programmed control.
vi)Re-calculating entries performed by the entity's accounting systems.
vii)Penetration testing.
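An added example (not from the notes) of the CAAT procedures in (i), (ii) and (iv): a Python routine that recalculates simple interest over a constructed ledger, reports postings that differ from the recalculation beyond a tolerance, and draws a reproducible sample of the exceptions for follow-up. The account records, the simple-interest formula on a 365-day basis and the one-paisa tolerance are assumptions of the example.

```python
"""CAAT-style substantive test: recalculate interest and flag exceptions.

Added example (not from the notes). LEDGER is constructed; the interest
formula (simple interest, 365-day year) and TOLERANCE are assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP
import random

TOLERANCE = Decimal("0.01")  # largest posted-vs-recalculated gap accepted


def expected_interest(principal, annual_rate_pct, days, year_basis=365):
    """Simple interest P * r * t, rounded half-up to two decimals."""
    p = Decimal(str(principal))
    r = Decimal(str(annual_rate_pct)) / Decimal(100)
    t = Decimal(days) / Decimal(year_basis)
    return (p * r * t).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def recalculate(ledger):
    """Return the records whose posted interest differs from the recalculation.

    Each exception carries the original fields plus 'expected' (recalculated
    amount) and 'difference' (posted minus expected), so over- and
    under-postings are both visible to the auditor.
    """
    exceptions = []
    for rec in ledger:
        should_be = expected_interest(rec["principal"], rec["rate_pct"], rec["days"])
        diff = Decimal(str(rec["interest_posted"])) - should_be
        if abs(diff) > TOLERANCE:
            exceptions.append({**rec, "expected": should_be, "difference": diff})
    return exceptions


def sample_for_followup(exceptions, n, seed=1):
    """Seeded random sample so the selection can be reproduced in the work papers."""
    rng = random.Random(seed)
    return rng.sample(exceptions, min(n, len(exceptions)))


# Constructed ledger extract: principal, annual rate (%), days accrued, interest posted.
LEDGER = [
    {"acct": "A001", "principal": 10000, "rate_pct": 6.0, "days": 30, "interest_posted": 49.32},
    {"acct": "A002", "principal": 250000, "rate_pct": 7.5, "days": 90, "interest_posted": 4623.29},
    {"acct": "A003", "principal": 50000, "rate_pct": 6.0, "days": 30, "interest_posted": 296.58},  # over-posted
    {"acct": "A004", "principal": 1000, "rate_pct": 4.0, "days": 365, "interest_posted": 40.00},
    {"acct": "A005", "principal": 75000, "rate_pct": 8.0, "days": 60, "interest_posted": 900.00},  # under-posted
]

if __name__ == "__main__":
    found = recalculate(LEDGER)
    for e in found:
        print(f"{e['acct']}: posted {e['interest_posted']}, expected {e['expected']}, "
              f"difference {e['difference']}")
    print("selected for follow-up:", [e["acct"] for e in sample_for_followup(found, 1)])
```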

1535.When IS Auditors believe that an organisation has accepted a level of residual risk that is
inappropriate for the organisation, they should discuss the matter with Internal Audit and Senior
Management.

1536.If the IS Auditors are not in agreement with the decision, regarding residual risk, IS Auditors and
Senior Management should report the matter to the Board, or Audit Committee, for resolution.

1537.An audit summary memorandum should be prepared and should address the conclusion regarding the
appropriateness of the going concern assumption and the effect, if any, on the financial statements.

1538.Treasury Board of Canada Secretariat(TBS) acknowledged the importance and benefits of
systematic risk management as a strategic investment in the attainment of overall business objectives
and demonstration of good governance.

1539.RBIA – Risk Based Internal Auditing

1540.According to Institute of Internal Auditors(IIA), risk based internal auditing(RBIA) is a
methodology that links internal auditing to an organisation's overall risk management framework.
RBIA allows internal audit to provide assurance to the board that risk management processes are
managing risks effectively, in relation to the risk appetite.

1541.RBAF – Risk Based Audit Focus

1542.The RBAF is a management document that explains how risk concepts are integrated into the
strategies and approaches used for managing programs that are funded through transfer payments.

1543.IRMF – Integrated Risk Management Framework

1544.The departmental IRMF would be a primary source of reference or at least a starting point for risk
identification, assessment and management.

1545.The Risk Assessment and Management Summary should include :-
i)A methodology section which explains the risk definition and model.
ii)A brief description of the process steps followed.
iii)The identification of parties involved in the process.
iv)A risk matrix to explain the criteria and define the levels of impact and likelihood.

1546.Transfer payment life cycle- selection, administration, delivery and reporting.

1547.RMAF – Results-based Management and Accountability Framework.

1548.Recipient Auditing – RA is often the only effective way to establish :-
i)That funds were used for intended purposes
ii)Compliance with terms and conditions and
iii)Reliability of results data.

1549.RA is applicable to contribution agreements due to their conditional nature.

1550.ASD – Alternative Service Delivery

1551.ASD arrangements - where another party delivers the funds to the end recipient on behalf of the
program manager, as this arrangement is inherently higher risk than direct delivery to the recipient.

1552.Audit risk factors – risk factors having to do with the possibility of the auditor drawing the wrong
conclusion – concluding that all is well when it is not or that all is not well when it in fact is.

1553.Recipient auditing should describe the process used for deciding on and planning recipient audits,
considering the following steps :-
i)Audit objectives
ii)Risk identification and assessment criteria.
iii)Risk factors rating
iv)Audit planning decisions

1554.Risk identification and assessment criteria-Development of a risk-based matrix and criteria to
analyse the level of risk associated with recipients of contributions.

1555.Risk factors rating – Consider each audit risk factor and assign a rating. Calculate the overall risk
rating as LOW, MEDIUM or HIGH risk.

1556.The process for planning internal audits is risk-based and the responsibility of IA.

1557.Transfer payment program management should consult with IA as soon as the need for an RBAF
is identified in order to make arrangements for IA input to the relevant RBAF components.

1558.The PTP also required that management develop a Results-Based Management and
Accountability Framework(RMAF) to provide measurement and evaluation strategies for assessing the
performance of a transfer payment program.

1559.The RBAF and RMAF are complementary documents that provide managers with the means and
measures for enhancing program monitoring and reporting.

1560.The links between performance and risk, including data collection elements(baseline data) and
control frameworks, should be considered at the beginning of the program lifecycle. This integrated
approach will assist in clearly identifying all objectives, the program context as well as potential
internal and external risks to the achievement of objectives.

1561.The RBAF must be “risk sensitive” and the RMAF must be “performance sensitive”, i.e.
linking risk to the program outcomes and performance measurement strategies.

1562.The Information Systems Audit and Control Association, Inc.(ISACA) sets forth this Code of
Professional Ethics to guide the professional and personal conduct of members of the Association
and/or its certification holders.

1563.Failure to comply with this Code of Professional Ethics can result in an investigation into a
member's or certification holder's conduct and, ultimately, in disciplinary measures.

1564.The specialized nature of information system(IS) auditing and the skills necessary to perform
such audits require standards that apply specifically to IS auditing. One of the goals of the Information
Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its
vision.

1565.The framework for the IS Auditing Standards provides multiple levels of guidance. Standards
define mandatory requirements for IS auditing and reporting. They inform :-
i)IS auditors of the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics for IS auditors.
ii)Management and other interested parties of the profession's expectations concerning the work of
practitioners.
iii)Holders of the Certified Information Systems Auditor(CISA) designation of requirements. Failure to
comply with these standards may result in an investigation into the CISA holder's conduct by the
ISACA Board of Directors or appropriate ISACA committee and ultimately in disciplinary action.

1566.COBIT provides a detailed set of controls and control techniques for the information systems
management environment.

1567.COBIT includes :-
i)Control objectives
ii)Control practices
iii)Audit guidelines
iv)Management guidelines

1568.Control objectives-High-level and detailed generic statements of minimum good control.

1569.Control practices-Practical rationales and “how to implement” guidance for the control
objectives.

1570.Audit guidelines-Guidelines for each control area on how to obtain an understanding, evaluate
each control, assess compliance and substantiate the risk of controls not being met.

1571.Management guidelines-Guidance on how to assess and improve IT process performance, using
maturity models, metrics and critical success factors. It provides a management-oriented framework for
continuous and proactive control self-assessment specifically focused on performance measurement, IT
control profiling, awareness and benchmarking.

1572.CMM : Capability Maturity Model.

1573.Maturity models such as CMM and maturity attributes provide for capability assessments and
benchmarking, helping management to measure control capability and to identify control gaps and
strategies for improvement. The CMM is a methodology used to develop and refine an organization's
software development process. The model describes a five-level evolutionary path of increasingly
organized and systematically more mature processes.

1574.COBIT guidance for the following processes should be considered relevant when performing the
audit :-
PO1-Define a strategic IT plan.
PO3-Determine technological direction.
PO8-Ensure compliance with external requirements.
PO9-Assess risk
AI2-Acquire and maintain application software.
AI3-Acquire and maintain technological infrastructure.
AI4-Develop and maintain procedures.
AI5-Install and accredit systems
AI6-Manage changes
DS1-Define and manage service levels
DS2-Manage third-party services
DS3-Manage performance and capacity
DS4-Ensure continuous service
DS5-Ensure systems security
DS8-Assist and advise customers
DS10-Manage problems and incidents
DS11-Manage data
M1-Monitoring the process
M2-Assess internal control adequacy

1575.The information criteria most relevant to an Internet Banking audit are :-
Primary :- confidentiality, integrity, availability, compliance and reliability
Secondary :- effectiveness and efficiency

1576.COBIT Standard 060 – Performance of audit work – states “During the course of the audit, the IS
auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The
audit findings and conclusions are to be supported by appropriate analysis and interpretation of this
evidence”.

1577.COBIT Standard 050 – Planning – states “The IS auditor should plan the information systems
audit coverage to address the audit objectives and to comply with applicable laws and professional
auditing standards”.

1578.COBIT Standard 030 – Professional ethics and standards – states “The IS auditor should exercise
due professional care, including observance of applicable professional auditing standards”.

1579.CAAT – Computer Assisted Audit Techniques

1580.CAATs are important tools for the IS auditor in performing audits.

1581.CAATs include many types of tools and techniques, such as generalised audit software, utility
software, test data, application software tracing and mapping, and audit expert systems.

1582.CAATs may be used in performing various audit procedures including :-
i)Test of details of transactions and balances
ii)Analytical review procedures
iii)Compliance test of IS general controls
iv)Compliance tests of IS application controls
v)Penetration testing

INFORMATION TECHNOLOGY ACTS, STANDARDS & GUIDELINES

1583.The Information Technology Act, 2000 came into force on 17th October 2000.

1584.UNCITRAL – UN Commission on International Trade Law.

1585.By way of background, the United Nations commissioned the UN Commission on International Trade
Law(UNCITRAL) to draft a standardized and homogenous model law which could support the use of
information technology in trade and commerce, i.e. electronic commerce in a broad sense. The draft that
was submitted in 1996 is known as the UNCITRAL Model Law on Electronic Commerce, 1996.

1586.The IT Act, 2000, also made such consequential changes in the Indian Penal Code, the Indian
Evidence Act, 1872, The Banker's Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934.
The effect of all these was to officially recognize e-transactions.

1587.The objectives of the IT Act, 2000 may be classified into four :-
i)Facilitation to electronic commerce transactions.
ii)Facilitation of electronic filing of documents with administrative wings of the government.
iii)Maintenance of records in an electronic form.
iv)Facilitation of government transactions in an electronic form.

1588.The IT Act, 2000 deals with certain issues such as attribution of electronic messages, i.e. linking an
electronic message or transaction to its originator in a way that prevents the originator from
repudiating it.

1589.The IT Act, 2000 also deals with the legal status of Digital Signatures and the Asymmetric
Cryptosystem, i.e. legal recognition of signing in a digital form and of the use of an asymmetric
cryptosystem, and the authorities entrusted with the task of administering the Public Key Infrastructure(PKI).

1590.The Model Law recommends a functional-equivalent approach to the issues involved in
achieving the objectives. The Model Law recognizes that traditional paper-based documentation
constitutes the main hurdle to the development and growth of electronic means of communication and
commerce.

1591.There are some basic differences between a paper based document say a printed purchase invoice
and an invoice generated by an Electronic Data Interchange(EDI) system. While the printed invoice is
readable by humans, the EDI invoice is in a machine-readable form till such time it is displayed on a
screen or printed out.

1592.The IT Act, 2000 is applicable to the entire geographic extent of the Union of India. As regards
any offence or contravention committed by any person, it also extends outside India.

1593.The IT Act, 2000 does not specify the subject matters over which it has jurisdiction, but specifies
the subjects over which it has no jurisdiction, which are :-
i)Negotiable instruments
ii)Powers of attorney
iii)Trusts
iv)Any will including any kind of testamentary document or disposition.
v)Any contract for sale or conveyance of immovable property or any interest in such property.

1594.Section 81 of the IT Act, 2000 has an overriding effect. It is provided that any provisions in any
other Act, law or regulation, which are inconsistent with the provisions of the act, would be overridden.

1595.A computer resource means :-
i)A computer
ii)A computer system
iii)A computer network
iv)A computer database or software.

1596.Asymmetric Cryptosystem means a system of a secure key pair consisting of a private key to
create a digital signature and a public key to verify the digital signature.

1597.Private Key means the key out of a key pair used to create a digital signature.

1598.Public Key means the key out of a key pair used to verify a digital signature.

1599.Key Pair means a private key and its mathematically related public key which are related to each
other in such a way that the public key can be used to verify the digital signature created by the private
key.

1600.Chapter 2 of the IT Act, 2000 consists of only one section, section 3, which deals with Digital
Signatures. Section 3 gives legal sanction to the concept of DS. The section also defines a hash
function as an algorithm or translation of one sequence of bits into another sequence. The transformed
sequence is called the “hash result” and is generally smaller than the original sequence.

1601.The algorithm must satisfy two conditions to be an acceptable one :-
i)It must be computationally infeasible to reconstruct or derive the original record from the hash result
and
ii)Two electronic records must not produce the same hash result.

1602.Chapter V of the IT Act, 2000 consisting of sections 14 and 15 deals with secure digital
signatures and records.

1603.A digital signature is said to be secure when :-
i)A security procedure agreed among the parties is applied on it to verify whether at the time of affixing
the digital signature
ii)The same was unique to the subscriber
iii)Identification of the subscriber was possible
iv)It was created under or using methods under the exclusive control of the subscriber and
v)The signature could be linked to the electronic record to which it relates in such a manner that
altering the record would invalidate the signature.
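The model described in items 1596 to 1603 (a key pair, a hash result, a signature created with the private key and verified with the public key, invalidated by any alteration of the record), as an added Go example that is not part of these notes or of the Act: RSA with SHA-256 is assumed as the asymmetric cryptosystem and hash function, and the electronic record signed is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Subscriber holds a key pair: the private key is used to create digital
// signatures and the public key (the one listed in the DSC) to verify them.
type Subscriber struct {
	priv *rsa.PrivateKey
}

// NewSubscriber generates the key pair the subscriber must keep under
// exclusive control. A 2048-bit RSA key is an assumption for this demo; the
// Act does not fix the algorithm.
func NewSubscriber() (*Subscriber, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Subscriber{priv: k}, nil
}

// PublicKey is the verification key a CA would list in the subscriber's DSC.
func (s *Subscriber) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// HashResult maps an electronic record of any length to its "hash result":
// a fixed 32-byte SHA-256 digest. Recovering the record from the digest is
// computationally infeasible, and two records are not expected to share one.
func HashResult(record []byte) [32]byte {
	return sha256.Sum256(record)
}

// Sign affixes a digital signature: the hash result, not the whole record,
// is signed with the private key (PKCS#1 v1.5 padding).
func (s *Subscriber) Sign(record []byte) ([]byte, error) {
	h := HashResult(record)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, h[:])
}

// Verify is what any relying party does with the public key: recompute the
// hash result of the record actually received and check the signature
// against it. Any alteration of the record changes the hash result, so the
// signature no longer verifies.
func Verify(pub *rsa.PublicKey, record, sig []byte) bool {
	h := HashResult(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Demo signs a constructed record and reports (verified, alteredVerified):
// the unaltered record verifies and the altered copy does not.
func Demo() (bool, bool, error) {
	sub, err := NewSubscriber()
	if err != nil {
		return false, false, err
	}
	// Constructed electronic record; only the amount differs in the tampered copy.
	record := []byte("Pay Rs.10,000 to account A001 on 21.07.2019")
	altered := []byte("Pay Rs.90,000 to account A001 on 21.07.2019")

	sig, err := sub.Sign(record)
	if err != nil {
		return false, false, err
	}
	pub := sub.PublicKey()
	return Verify(pub, record, sig), Verify(pub, altered, sig), nil
}

func main() {
	ok, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original record verifies: %v\n", ok)       // true
	fmt.Printf("altered record verifies:  %v\n", tampered) // false
	h := HashResult([]byte("abc"))
	fmt.Printf("hash result of \"abc\": %x\n", h[:])
}
```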

1604.Section 15 of the IT Act, 2000 also merely provides the legal sanction for the popular methods of
creating and affixing digital signatures, i.e. the Public Key Infrastructure coupled with the Hashing
algorithms like MD-3 or MD-5.

1605.An electronic record is said to be secure from the time when a security procedure is applied on it
till such time as the record is verified by any other person.

1606.It may be recalled that the security procedure would be one which is prescribed by the
government under section 16 of the Act.

1607.Chapter II of the Act consisting of sections 4 to 10 deals with the important substantive provisions
necessary for legal recognition of electronic documents(Section 4).

1608.Legal recognition to use of digital signatures(Section 5).

1609.Use of electronic records and digital signatures in government and its agencies(Section 6).

1610.Storage and retention of electronic documents(Section 7)

1611.Publication of electronic gazettes(Section 8)

1612.Certain exceptions(Section 9)

1613.Certain powers granted to Central Government with regard to Digital Signatures(Section 10).

1614.Where any law requires that a document be written, typewritten or in printed form, it shall be
enough if the document satisfies the following two conditions :-
i)It is made available or rendered in an electronic form and
ii)It is accessible so as to be available for future reference.

1615.Central and State Governments are authorized by sub-section 2 of section 6 to make rules to
prescribe the manner and format of electronic filing and the methods of payment of fee etc.

1616.Section 7 allows retention to be in an electronic form if it satisfies the following conditions :-
i)It is accessible so as to be available for future reference.
ii)The record is retained in the same format in which it was originally.
iii)It can be demonstrated that the record represents the information contained in the original record.
iv)Details which help in identification of origin of the record, the time and date of its dispatch or
receipt are available within the record.

1617.There are two exceptions to the requirements of Section 7 :-
i)They do not apply to any information which is generated automatically for the purpose of receiving or
sending the record.
ii)The entire section does not apply to provision of any law which requires the retention of documents,
records and information in an electronic format.

1618.Section 7 gives legal credence to electronic storage of records if such storage does not alter the
records.

1619.Section 8 empowers the Central and State Governments to publish all its documents under the
delegated powers under various legislation, in an electronic manner. Rules, regulations, orders, bye-laws,
notifications or other matters which are required to be published in the Official Gazette, may
now be published in an electronic manner also. Such publication is called an “Electronic Gazette”.

1620.Section 9 covers this apprehension by providing that no person shall insist that any Government
arm or agency(Ministries, Departments, Authorities or any body controlled by the Government) should
accept documents, records or money electronically.

1621.Acknowledgement of records – Section 12 covers three possible situations :-
i)Where no particular method of acknowledgement has been specified or agreed with the addressee, by
the originator.
ii)Where the originator has specified that the record he sent will be binding on him only if
acknowledgement is made and
iii)Where originator has not specified the requirement of acknowledgement.

1622.Time is the essence of contract.

1623.Just like the Indian Contract Act, the IT Act also allows the sender and addressee to agree upon
their own rules. The rules laid down in section 13 apply when such an agreement is absent.

1624.A key player in the Public Key Infrastructure is the Certifying Authority(CA).

1625.A CA is a person who holds a licence to issue Digital Signature Certificates.

1626.As the act recognizes only an asymmetric key cryptosystem for securing electronic records, it is
imperative that the PKI must also be strengthened by adequate legislative support.

1627.Chapter 6 of the IT Act deals with the regulation of CAs through the appointment of the
Controller of CAs, and the powers, duties and responsibilities of the Controller of CAs and the CAs.

1628.CCA : Controller of Certifying Authorities.

1629.The CCA is appointed by the Central Government by an appropriate notification in the Official
Gazette. The Central Government may also appoint Deputy Controllers and Assistant Controllers as
required.

1630.The CCA shall be subject to the general control and directions of the Central Government and
shall discharge all the functions under the Act.

1631.The Deputy and Assistant Controllers shall be under the general supervision and control of the
CCA.

1632.Functions of the CCA – The CCA is charged with the following functions under the Act :-
i)Supervision of Certifying Authorities
ii)Supervision of PKI and Digital Signatures
iii)Other general functions.

1633.Licence to issue Digital Signatures-A licence granted shall be valid only for the period specified
by the Central Government. It shall not be transferable or inheritable.

1634.An application for a licence shall be made in the prescribed form and with the following
enclosures :-
i)Certification Practice Statement
ii)Procedure statement for identification of applicant.
iii)Fees prescribed, however not exceeding Rs.25,000/-
iv)Any other document prescribed by the Central Government from time to time.

1635.CPS – Certification Practice Statement

1636.The CPS is a very important document which contains the practices followed by the CA for the
issue, maintenance and revocation of Digital Signatures.

1637.The licence will be renewed by the Central Government on an application made in prescribed
form at least 45 days before expiry of the existing licence and on payment of fees not exceeding
Rs.5,000/-

1638.The CCA may suspend the licence for enquiry for a period not exceeding 10 days.

1639.The CCA may delegate any of his functions or powers to Deputy Controllers, Assistant
Controllers or other officers, such delegation to be in writing.

1640.Income tax authorities have quasi-judicial powers and under the Income Tax Act, the proceedings
of officers are deemed to be judicial proceedings and every income-tax authority shall be deemed to be
a Civil Court. Section 28 gives the same status to the CCA and his officers.

1641.Duties of Certifying Authorities(CA) :-
1.Duty to follow certain procedures; every CA shall
a)Use hardware, software and procedures which will render the system secure from intrusion and
misuse.
b)Provide reliable services which are suited for the intended use of such services.
c)Adhere to security procedures to ensure privacy and confidentiality of Digital Signatures.
d)Adhere to standards that are set by the CCA or under any regulation under the Act.
2.Duty to ensure compliance of the Act.
3.Duty to display licence.
4.Duty to surrender licence.
5.Duty to disclose information.
6.Duty to disclose revocation etc.
7.Duty to disclose certain material facts.
8.Duty to notify affected persons.

1642.Chapter VII of the IT Act 2000 consisting of sections 34-39 deals with Digital Signature
Certificates(DSC).

1643.A certifying authority is authorized to issue DSC.

1644.Any person may make an application to a CA for issue of a DSC.

1645.The prescribed fee for DSC not exceeding Rs.25,000/- shall be paid to CA.

1646.Applications for DSC must be accompanied by a CPS or a statement containing prescribed
particulars.

1647.A CA may issue a DSC after considering the particulars submitted and also making any additional
enquiries if necessary. However, the following must be ensured by a CA before issuing a DSC :-
i)That the applicant holds a valid private key corresponding to the public key to be listed in the DSC.
ii)The applicant holds a private key which is capable of creating a Digital Signature.
iii)The public key listed in the DSC can be used to verify a digital signature affixed using the private
key of the applicant.

1648.A subscriber shall be deemed to have accepted a DSC if he authorizes its publication to one or
more persons or in any repository, or acts in a manner so as to suggest that he has accepted the DSC,
e.g. signs using the private key corresponding to the public key.

1649.Every subscriber is charged with two primary duties :-
a)As soon as the DSC has been accepted by the subscriber, he shall generate the key pair by applying
the security procedure.
b)He shall exercise reasonable control over the private key and take all steps to prevent its disclosure to
unauthorized persons.
c)He shall communicate forthwith to the CA, the compromise of his private key.

1650.Tampering with computer source code i.e. computer programs, commands, designs, layout and
program analysis – Imprisonment of up to 3 years and/or fine of up to Rs.2 lakhs.

1651.Hacking computer systems – i.e. doing wilful act which will destroy or delete or alter any
information in a computer system - Imprisonment of up to 3 years and/or fine of up to Rs.2 lakhs.

1652.Publishing obscene information in electronic form:-
– First conviction- imprisonment of up to 5 years and/or fine of up to Rs.1 lakh.
– Second conviction-imprisonment of up to 10 years and/or fine of up to Rs.2 lakh.

1653.Contravention of any directions given by CCA - imprisonment of up to 3 years and/or fine of up
to Rs.2 lakh.

1654.Contravention of any directions given by CCA for decryption of information in public or
sovereign interest or for any assistance in connection with such decryption - imprisonment of up to 7
years.

1655.Attempted or actual access to protected systems. Protected systems may be declared so by the
appropriate Governments - imprisonment of up to 10 years and/or fine(amount not specified).

1656.Misrepresentation of material facts – for acquiring license or DSC - imprisonment of up to 2
years and/or fine of up to Rs.1 lakh.

1657.Breach of confidentiality by officers and authorities under the Act - imprisonment of up to 2 years
and/or fine of up to Rs.1 lakh.

1658.Publishing false DSC or for fraudulent purposes - imprisonment of up to 2 years and/or fine of up
to Rs.1 lakh.

1659.Failure to furnish document, return or report to CCA or CA – Penalty of up to Rs.1.5 lakhs.

1660.Failure to file any return or furnish any information specified in regulations within time limit
specified-Penalty of up to Rs.5,000/- per day of failure.

1661.Failure to maintain books of account or records specified - Penalty of up to Rs.10,000/- per day
of failure.

1662.Residuary penalty – offences and contraventions not specifically mentioned – Penalty of up to
Rs.25,000/-

1663.Section 43 of the IT Act 2000 provides that a person affected by the following actions of another
unauthorized person shall be entitled to a compensation not exceeding Rs.1 crore.

1664.Acts which are not covered under Section 43 will attract a residuary compensation of Rs.25,000/-
under Section 45.

1665.The Central Government has been empowered by Section 46 of the Act to appoint an
adjudication officer for the purposes of determining whether any person has committed an offence or
contravention under the Act. Such an officer shall be of the rank of Director or above in the Central
Government or equivalent rank in the state governments.

1666.The Adjudication Officer(AO) shall have the powers of a civil court and all proceedings shall be
deemed to be judicial proceedings under the Indian Penal Code 1860. The AO shall also be deemed to
be a civil court under the Code of Criminal Procedure, 1973.

1667.The AO shall consider the following factors before passing an order of compensation :-
i)The amount of unfair gain made by the offender as a result of the offence or Act,
ii)The amount of loss caused to any person as a result of the default or Act and
iii)The repetitive nature of the default or Act.

1668.CyAT – Cyber Appellate Tribunal

1669.The CyAT shall consist of only one member who shall be called the Presiding Officer.

1670.The Presiding Officer shall either have been a judge of a High Court or a grade I member of the
Indian Legal Service for at least 3 years.

1671.All orders of the CCA and the AO shall be appealable before the CyAT.

1672.An appeal in prescribed form shall be filed within 45 days from the date of service of the order
against which the appeal is preferred.

1673.An appeal before the CyAT is not governed by the procedure laid down in the Code of Civil
Procedure, 1908.

1674.The CyAT shall have the powers of a Civil Court vested under the Code of Civil Procedure, 1908.

1675.All proceedings before the CyAT shall be deemed to be judicial proceedings under the Indian
Penal Code, 1860.

1676.Section 61 of the Act bars jurisdiction of civil courts over the matters, which fall under the
jurisdiction of an AO or the CyAT appointed.

1677.Any person aggrieved by an order of the CyAT may appeal to the High Court within 60 days from
the date of communication of the order under appeal.

1678.The Information Technology(Amendment) Bill, 2006 amends the IT Act, 2000.

1679.The bill makes a company handling sensitive personal data liable to pay compensation up to Rs.5
crore, if it is negligent in implementing reasonable security measures with respect to such data.

1680.Offensive messages-Amendment made in 2008-It introduced the Section 66A which penalised
sending of “offensive messages”.

1681.It also introduced the Section 69, which gave authorities the power of “interception or monitoring
or decryption of any information through any computer resource”. It also introduced penalties for child
porn, cyber terrorism and voyeurism.

1682.Asymmetric cryptosystem(AC)-An AC is one where different keys are employed for the operations
in the cryptosystem (e.g. encryption and decryption) and where one of the keys can be made public
without compromising the secrecy of the other key.

1683.Section 92 of the IT Act, 2000 makes amendments to the Indian Evidence Act, 1872 through the
Second Schedule of the Act.

1684.The following are the amendments made in the Indian Evidence Act by the IT Act, 2000 :-
i)New sections 65A & 65B regarding admissibility of electronic records.
ii)New sections 67A & 73A regarding proof of Digital Signatures.
iii)New sections 81A, 85A, 85B, 85C, 88A, 90A regarding certain additional presumptions regarding
electronic documents and related matters.
iv)New sections 22A & 47A regarding the relevance of oral evidence when electronic records are
produced and digital signatures are used.
v)Amendments to definitions of “record” to include electronic records.

1685.New sections 65A and 65B regarding admissibility of electronic records :-
Section 65A provides for proof of electronic records to be made in the manner provided in section 65B,
Section 65B provides for information contained in electronic records to be deemed as documents.

1686.New sections 67A & 73A regarding proof of Digital Signatures :-
Section 67A provides that the onus of proof of digital signatures is on the person who alleges that a
person has affixed his digital signature, i.e. it is for the person claiming that the other party has affixed
his digital signature to prove so.

1687.Section 73A provides that the admissible proof of digital signatures is the production of DSCs by
any person, the Controller or a Certifying Authority.

1688.New sections 81A, 85A, 85B, 85C, 88A, 90A regarding certain additional presumptions.

1689.Section 81A-Electronic Gazettes-Genuineness of an electronic gazette if maintained in the form
required by law and produced from proper custody.

1690.Section 85A-Electronic Agreements-Agreements purporting to contain digital signatures were in
fact concluded by affixing the same.

1691.Section 85B :-
Secure Electronic Records – Presumption that the secure record has not been altered since the time it
entered the secure status.
Secure digital signatures-Presumption that a secure digital signature was affixed by its owner.
Records other than secure electronic records and digital signatures other than secure digital signatures-
No presumption as to authenticity and integrity.

1692.Section 85C-DSCs-Presumption as to correctness of information listed in the certificate if the
certificate has been accepted by the subscriber.

1693.Section 88A:-
Electronic messages- Presumption that the information contained in an electronic message sent by
originator to the addressee through an e-mail server is the same as information fed into the originator's
computer.
Sender of electronic messages-No presumption as to sender of such messages.

1694.Section 90A-Electronic messages five years old produced from proper custody-Presumption that
the digital signature was affixed by its owner or an authorized person.

1695.New Sections 22A and 47A regarding relevance of oral evidence when electronic records are
produced and when digital signatures are used.

1696.Section 22A provides that oral evidence shall be relevant and admissible in relation to an electronic
record only if the genuineness of such record has been questioned by either party. Simply stated,
electronic records will be conclusive evidence unless either party challenges their genuineness and
proves the challenge.

1697.Section 47A provides that only when the court has to form an opinion about a digital signature,
the opinion of the Certifying Authority who has issued a DSC is relevant. In other words, if the digital
signature and its veracity are not challenged, the opinion of the certifying authority has no relevance.

1698.The word “record” appearing in section 35 shall be construed to be record or electronic record.

1699.The term “documents” used in relation to definition of evidence in section 3 shall include
electronic documents.

1700.The phrase “entries in books of account” in section 34 shall include those maintained in an
electronic form.

1701.The phrase “Oral or Documentary” in Section 17 shall be substituted as “Oral or Documentary or
contained in Electronic form”.

1702.The fourth schedule to the Information Technology Act, 2000, inserts a new clause in section 58
of the Reserve Bank of India Act, 1934. Section 58 deals with the regulatory powers of our central
bank.

1703.WIPO-World Intellectual Property Organisation

1704.The convention which established the WIPO, at Stockholm in 1967, agreed that Intellectual
Property shall include all rights relating to the following :-
i)Literary, artistic and scientific works
ii)Performances of performing artists, phonograms and broadcasts.
iii)Inventions in all fields of human endeavours.
iv)Scientific discoveries
v)Industrial designs
vi)Trade marks, service marks and commercial names and designations.
vii)Protection against unfair competition and all other rights resulting from intellectual activity in the
industrial, scientific, literary or artistic field.

1705.Intellectual property, as a layman would understand it, comprises products or creations of the
mind. Intellectual property laws thus aim at protecting the creators by granting them certain
time-limited rights to control the use of such creations. Such laws collectively are called the
Intellectual Property Laws.

1706.IPR is a collection of Patent, Copyright and Trade Mark Laws of each country, in addition to
various civil and criminal codes, which are termed as IPR laws.

1707.In India, most of the Intellectual Property Rights are covered by the Copyrights Act, 1957.

1708.BPO- Business Process Outsourcing

1709.There are some recognized active organizations in India which are working in the anti-piracy
field. These organizations are – SCRIPT, IPRS, PPL

1710.SCRIPT – Society for Copyright Regulations of Indian Producers of Films & Television.

1711.IPRS-Indian Performing Rights Society Limited.

1712.PPL-Phonographic Performance Limited.

1713.The Copyrights Act, 1957 extends to the whole of India as per Section 1(2).

1714.Under certain circumstances the GOI is empowered to grant rights under the Act to the works of
certain international organizations as per Section 41.

1715.Section 42-certain powers to restrict the rights in works of foreign authors first published in India.

1716.Section 42A-Power to restrict rights of foreign broadcasting organizations and performers.

1717.Copyright is an exclusive right, provided under the legislation of a particular country, to an author
or composer of an original work expressed and registered, to print, publish and sell copies of his work.
The Act defines the word “Copyright” to be an exclusive right, subject to the provisions of this Act, to
do or authorize the doing of any of the various acts mentioned in the sub-sections of section 14, in
respect of a work or any substantial part thereof.

1718.The works considered in “Copyright” are :-
i)literary, dramatic or musical work
ii)computer programme
iii)artistic work
iv)cinematographic film
v)sound recording

1719.The Act has defined “Literary work” to include computer programmes, tables and compilations
including computer databases.

1720.“Computer” has been defined to include any electronic or similar device having information
processing facilities.

1721.“Computer programme” has been defined as a set of instructions expressed in words, codes,
schemes or in any other form, including a machine readable medium, capable of causing a computer to
perform a particular task or achieve a particular result.

1722.The act defines “broadcast” as communication to the public by any means like wireless diffusion,
whether in one or more of the forms of signs, sounds or visual images or by wire and includes a
rebroadcast.

1723.Section 51 specifies the circumstances under which copyright shall be deemed to be infringed.

1724.Sections 9 to 12 specify the basic administrative machinery for the purpose of the Act.

1725.There will be a copyright board to be constituted by the Government, which will have a chairman
and not more than fourteen other members.

1726.The chairman shall be a person who is or has been a Judge of a High Court, or is qualified for
appointment as a judge of a High Court.

1727.The Registrar of Copyrights, in certain circumstances, and the Copyright Board have the
status of a civil court (Section 74).

1728.Chapter X consisting of sections 44 to 49 relates to the formalities as regards the registration of
copyrights.

1729.Commission of an offence has been described as “Any person who knowingly infringes or abets
the infringement of the copyright in a work or any other right conferred by this Act, except the right
conferred by section 53A” (Section 63).

1730.DRM – Digital Rights Management

1731.Short for digital rights management, a system for protecting the copyrights of data circulated via
the Internet or other digital media by enabling secure distribution and/or disabling illegal distribution of
the data.

1732.A DRM system protects intellectual property by either encrypting the data so that it can only be
accessed by authorized users, or marking the content with a digital watermark or similar method so that
the content cannot be freely distributed.

1733.Common DRM techniques :-
i)Restrictive Licensing Agreements
ii)Encryption, Scrambling of expressive material and embedding of a tag.

1734.Restrictive Licensing Agreements-Access to digital materials, whether copyrighted or in the public
domain, is controlled. Some restrictive licenses are imposed on consumers as a condition of entering a
website or when downloading software.
Encryption, Scrambling of expressive material and embedding of a tag-This technology is designed to
control access to and reproduction of information. This includes backup copies for personal use.

1735.One of the oldest and least complicated DRM protection methods for computer games is a
product key, typically an alphanumeric serial number used to represent a license to a particular piece
of software.

1736.E-DRM or ERM-Enterprise digital rights management

1737.E-DRM or ERM-is the application of DRM technology to the control of access to corporate
documents such as Microsoft Word, PDF, and AutoCAD files, emails, and intranet web pages rather
than to the control of consumer media.

1738.CSS-Content Scrambling System.

1739.An early example of a DRM system is the CSS employed by the DVD Forum on film DVDs circa
1996.

1740.CSS uses an encryption algorithm to encrypt content on the DVD disc.

1741.Metadata is used in media purchased from Apple's iTunes Store for DRM-free as well as DRM-
restricted versions of their music or videos. This information is included as MPEG standard metadata.

1742.Digital watermarks are features that are added during production or distribution. Digital
watermarks involve data that is arguably steganographically embedded within the audio or video data.

1743.Since the late-2000s the trend in media consumption has been towards renting content using
online streaming services.

1744.Online streaming services:-
Spotify – for music
Netflix- for video content.

1745.COBIT is designed to help three distinct audiences :-management, users and auditors.

1746.COBIT starts by grouping IT processes into four broad groups :-
i)Plan and organize
ii)Acquire and implement
iii)Deliver and support
iv)Monitor and evaluate

1747.CMM-Capability Maturity Model

1748.The CMM describes the principles and practices underlying software process maturity. It is
intended to help software organizations improve the maturity of their software processes in terms of an
evolution from chaotic processes to mature, disciplined software processes.

1749.KPA-Key Process Areas
A KPA identifies a cluster of related activities that, when performed collectively, achieve a set of goals
considered important.

1750.Common features include practices that implement and institutionalize a key process area. These
five types of common features include:-
i)Commitment to perform
ii)Ability to perform
iii)Activities performed
iv)Measurement and analysis
v)Verifying implementation

1751.The balanced scorecard is a management system(not only measurement system) that enables
organizations to clarify their vision and strategy, and translate them into action.

1752.The balanced scorecard uses four perspectives, develops metrics, collects data and analyzes the
data relative to each of these perspectives. These are :-
i)Learning and growth
ii)Business process
iii)Customer
iv)Financial

1753.SABSA-Sherwood Applied Business Security Architecture

1758.The key to success in the SABSA methodology is to be business driven and business focused. The
business strategy, objectives, relationships, risks, constraints and enablers all tell what sort of
security architecture the organization needs. This analysis and description of the business itself is called
the “contextual security architecture”.

1759.SABSA uses a matrix of business drivers and attributes to describe the objectives of security from
an architectural perspective.

1760.BS7799(ISO 17799)/ISO 27002 : BS 7799 is the most widely recognized security standard in the
world. It evolved into BS EN ISO 17799 in December 2000.

1761.The 11 major headings of ISO/IEC 27002 are :-
i)Security policy
ii)Organizing information security
iii)Asset management
iv)Human resources security
v)Physical and environmental security
vi)Communications and operations management
vii)Access control
viii)Information security acquisition, development and maintenance.
ix)Information security incident management.
x)Business continuity management
xi)Compliance

1762.Other approaches and methods exist that may be useful such as other ISO standards on
quality(ISO 9001:2000), Six Sigma, publications from NIST and ISF and the US FISMA.

1763.FISMA – Federal Information Security Management Act.

1764.GASSP-Generally Accepted Security System Principles

1765.GAISP-Generally Accepted Information Security Principles.

1766.The nine pervasive principles are :-
i)Accountability
ii)Awareness
iii)Ethics
iv)Multidisciplinary
v)Proportionality
vi)Integration
vii)Timeliness
viii)Assessment
ix)Equity

1767.It may be useful to employ a combination of methods to describe the “desired state” to assist in
communications with others and as a way to crosscheck the objectives to make certain all relevant
elements are considered. For example, a combination of COBIT control objectives, CMM, balanced
scorecard and SABSA would make a powerful combination.

1768.Data migration is a set of activities that moves data from one or more legacy systems(or “source
systems”) to a new application. The purpose of data migration is to preserve core business knowledge
and make it accessible from a new application.

1769.Data migration phases :-
i)Planning
ii)Configuring the new application system.
iii)Importing to the database
iv)Cleansing
v)Test migrating the data.
vi)Fully migrating and deploying

1770.RBI latest key guidelines for debit & credit cards, online money transfers :-
i)International use of debit and credit cards.
ii)Second factor authentication for international transactions.
iii)NEFT, RTGS & IMPS payments.
a)Include customer induced caps on usage.
b)Monitoring and alerts.
c)Consider a dynamic factor of authentication for NEFT, RTGS & IMPS.
iv)International cards will have to be EMV Chip and PIN enabled.
v)Block card via SMS.
vi)Convert existing cards to EMV Chip.
vii)Transaction limit for magstripe international cards.
viii)Compliance norms for internet protocol based solutions.

1771.Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet
Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification.
This should include acquirers, processors/aggregators and large merchants.

GLOSSARY
1772.In information technology, a backup, or the process of backing up, refers to the copying and
archiving of computer data so that it may be used to restore the original after a data loss event. The
youngest (or most recent) file is referred to as the “son”, the prior file is called the “father” and the file
two generations older is the “grandfather”. This back-up methodology is frequently used to refer to
master files for financial applications. Also called grandfather, father and son. It is a backup
rotation scheme in which three sets of backup media are defined viz. daily, weekly and monthly.
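The grandfather-father-son rotation described above, worked through in code so the three media sets and what rotation discards can be seen. This is an added example, not part of the original notes; the policy it encodes (1st of the month = monthly set, Fridays = weekly set, a fixed number of media per set) and the 2019 dates are constructed for illustration.

```python
"""Grandfather-father-son (GFS) backup rotation.

Constructed policy (an illustration, not one the notes prescribe):
  * "grandfather" = monthly set, the backup taken on the 1st of each month
  * "father"      = weekly set, the backup taken on a Friday
  * "son"         = daily set, every other day
Each set holds a fixed number of media; once a set is full, the oldest medium
in that set is the one overwritten (retired) by the next backup of that kind.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

GENERATIONS = ("grandfather", "father", "son")

# Constructed retention depths: how many media each set holds.
DEFAULT_SLOTS = {"son": 6, "father": 4, "grandfather": 12}


@dataclass(frozen=True, order=True)
class Backup:
    taken: date
    generation: str


def classify(d: date, weekly_day: int = 4, monthly_day: int = 1) -> str:
    """Place the backup taken on day ``d`` into one media set.

    The monthly rule is checked first, so a first-of-month Friday becomes a
    grandfather rather than being counted in two sets."""
    if d.day == monthly_day:
        return "grandfather"
    if d.weekday() == weekly_day:  # Monday=0 ... Friday=4
        return "father"
    return "son"


def schedule(start: date, end: date) -> List[Backup]:
    """One backup per day from ``start`` to ``end`` inclusive, each classified."""
    out, d = [], start
    while d <= end:
        out.append(Backup(d, classify(d)))
        d += timedelta(days=1)
    return out


def retain(backups: Iterable[Backup],
           slots: Dict[str, int] = DEFAULT_SLOTS) -> List[Backup]:
    """Apply the rotation: keep only the newest ``slots[g]`` media per set.

    Everything older within a set is exactly what would have been overwritten."""
    by_gen: Dict[str, List[Backup]] = {g: [] for g in GENERATIONS}
    for b in backups:
        by_gen[b.generation].append(b)
    kept: List[Backup] = []
    for g, items in by_gen.items():
        items.sort()
        n = slots.get(g, 0)
        kept.extend(items[-n:] if n > 0 else [])
    return sorted(kept)


def restore_point(kept: Iterable[Backup], target: date) -> Optional[Backup]:
    """Newest retained backup taken on or before ``target``.

    The distance from it to ``target`` is data the rotation has already
    discarded: that is what a restore to that day would lose."""
    candidates = [b for b in kept if b.taken <= target]
    return max(candidates) if candidates else None


def rotation_report(start: str, end: str, target: str,
                    slots: Dict[str, int] = DEFAULT_SLOTS) -> Dict[str, object]:
    """Summarise one rotation run, using ISO date strings for easy checking."""
    kept = retain(schedule(date.fromisoformat(start), date.fromisoformat(end)), slots)
    rp = restore_point(kept, date.fromisoformat(target))
    return {
        "kept": len(kept),
        "per_generation": {g: sum(1 for b in kept if b.generation == g)
                           for g in GENERATIONS},
        "oldest_kept": kept[0].taken.isoformat() if kept else None,
        "restore_point": rp.taken.isoformat() if rp else None,
        "restore_generation": rp.generation if rp else None,
    }


if __name__ == "__main__":
    # Daily backups from 1 Jan to 15 Mar 2019, then ask what survives and what a
    # restore to 5 Feb would have to fall back on (the 1 Feb monthly medium).
    for b in retain(schedule(date(2019, 1, 1), date(2019, 3, 15))):
        print(b.taken, b.generation)
    print(rotation_report("2019-01-01", "2019-03-15", "2019-02-05"))
```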

1773.BCP – Business Continuity Plan. Also called Business Resumption Plan.

1774.Data synchronization-DS is the process of establishing consistency among data from a source to
target data storage and vice versa and the continuous harmonization of the data over time. It is
fundamental to a wide variety of applications, including file synchronization and mobile device
synchronization.

1775.Encryption-The process of transforming plaintext into cipher text (unreadable by others without
the relevant key).

1776.Gap analysis-A GA is a method of assessing the differences in performance between business
information systems or software applications to determine whether business requirements are being met
and, if not, what steps should be taken to ensure they are met successfully.

1777.GETS-Acronym for the Govt. Emergency Telecom. Service card program. GETS cards provide
emergency access and priority processing for voice communications services in emergency situations.
GETS is a White House-directed emergency telephone service provided by a division of the
Department of Homeland Security. GETS uses enhancements based on existing commercial
technology.

1778.HVAC-Acronym for heating, ventilation, and air conditioning is the technology of indoor and
vehicular environmental comfort. Its goal is to provide thermal comfort and acceptable indoor air
quality. HVAC system design is a sub-discipline of mechanical engineering.

1779.Mirroring-A process that duplicates data to another location over a computer network in real time
or close to real time. In data storage, disk mirroring is the replication of logical disk volumes onto
separate physical hard disks in real time to ensure continuous availability. It is most commonly used in
RAID-1. A mirrored volume is a complete logical representation of separate volume copies.

1780.Reciprocal agreement-An agreement whereby two organizations with similar computer systems
agree to provide computer processing time for the other in the event one of the systems is rendered
inoperable. Processing time may be provided on a “best effort” or “as time available” basis.

1781.RPO-Recovery Point Objective. In Business Impact Analysis(BIA), RPO is one of the time-factor
elements: the acceptable latency of data. It expresses how much time's worth of data, lost or not
updated, has to be re-built at the time of recovery of operations. RPO is measured in terms of time.

1782.Hot site – A HS is a “proactive” strategy that keeps servers and a live backup site up and running in
the event of a disaster. This allows for an immediate cutover in case of a disaster at the primary site. A
hot site is a must for mission-critical systems.

1783.Warm site- A WS is another strategy, preventive in nature. A WS allows hardware to be pre-installed
and bandwidth needs to be pre-configured. If disaster strikes, software and data are loaded to restore
business systems.

1784.Cold site- A CS is another strategy, where the CS is essentially just data centre space, power and
network connectivity that is ready and waiting for whenever it is needed. If disaster strikes, engineering
and logistical support teams can readily help move the required hardware into the data centre and get it
back up and running.

1785.Routing-The process of moving information from its source to a destination. It is the process of
selecting best paths in a network. In the past, the term routing also meant forwarding network traffic
among networks. However, that latter function is better described as forwarding.

1786.SDLC-System Development Life Cycle-An organized process of planning, developing, testing,
deploying and maintaining systems and applications, and the various methodologies used to do so,
including initial approval and documentation. This is also known as the “Application Development Life
Cycle (ADLC)”.

1787.T-1 Line – A special type of telephone line for digital communication only. Transmission System
1 (T-1) was introduced in 1962 in the Bell system, and could transmit up to 24 telephone calls
simultaneously over a single transmission line of copper wire. The original transmission rate (1.544
Mbps) of the T1 line is in common use today in Internet service provider (ISP) connections to the
Internet.

1788.Vaulting-It is a process that periodically writes back-up information over a computer network
directly to the recovery site. It is one of the strategies in recovery planning.

INFORMATION SYSTEM FOR BANKER 14/07/19
RECOLLECTED QUESTIONS:
Caat
various controls
Seismic zone
Audit trail
Is audit policy
Stress testing
Sdlc
Tcp/ip
Poor architecture
Punishment for hacking
Oop language
Sniffing
Spoofing
System testing
2 questions from gassp
Iso 27001
Digital signature
Attenuation
Osi related questions,
Moore law
Modem/bridge which layer in osi.
Bcp
Upi
ATM ,which type of txn- online
Rtgs which type of txn- real time
Non impact printer (jet,line ,dot matrix,laser )
Rdbms - null value
Fastest ram,which type

Tcl command
Sql command
Cca
Various testing
Many to many relationship, and vendor to inventory.

Repeater , where is it placed
Emergency response team
Pervasive principle in gassp.
Tuning
Switching,types of switches ,which is unidirectional.
Wdm/fdm/tdm related questions

Topology related 2 questions
Mirror site, hot site, etc. related one question.

INFORMATION SYSTEM FOR BANKERS RECOLLECTED
13.01.2019
Each question carries 1 mark ( 100 questions )
Passing Mark 60
Moderate Difficulty
CyAT
CAA
Digital Signature
BCP
Digital forensics
Normalisation
Internal audit
DBA responsibility
Telecommunications system audit
Power off switches
Cyber tribunal judge or magistrate
DS reissuance
Central depository of DS
Audit trail significance
Bottom up methodology
Audit plan
BCP
IDS
Virtual keyboard
IFMS full form
EFT
RBIA
Inherent risk
Insider threat
IS Audit policy
Information security officer role
DBA responsibility
Stress testing
BCNF
Critical applications
Poor architecture system
SDLC
Prototyping model
RTO application
IT Act 2000
Punishment for copyright as per IT Act
Controller of Certifying Authorities operates the National Repository of Digital Signatures (NRDC)
Function of modem; which is not an OOP language: C, C++, Java, C#; questions about DRP, Trojan horse,
sniffing, spoofing, availability, integrity, DBMS, preventive, corrective, detective controls, BCP
DDL DML DCL TCL commands, CA CCA-Digital certificates
Digital signature complete
Cyber appellate tribunal presiding officer
System testing
Compliance testing
Substantive testing
Telecom control
Db forms
Db commands
Risk based audit
It audit
Dba roles n resp
Prototyping model
Sdlc full
Interface testing
ReBIT Ltd regarding IT subsidiary of RBI
Non repudiation
Bot/worm
Recollected questions
DR centre location
Data warehouse
Audit charter/policy
Is audit 5 -10 questions
RAM and cache memory
Static RAM
Metadata

Which DB model used in CBS
Characteristics of a table
Many to Many relationship in DB
Simple ,self,outer join
Adaptive maintenance
Multiplexing
Packet switching
Full Duplex method
Bridge,router,switch,gateway
Diff between router and switch
Function of osi model layers 5 questions
Which protocol used in banking http,smtp,tcp/ip
Real time processing
Emergency response
Mirror site and reciprocal agreement
Trojan horse
E money
INFINET
CFMS
SFMS
Spoofing, piggybacking
Pervasive principle in GASSP
Classification of control
Boundary sub system
Audit trail
Attenuation
Types of noise (cross talk)
False positive and negative
Firewall
Intrusion detection systems and tuning
In what circumstances user ID and password will be given to user(emergency access)
Remote Access
OS tasks
Travelling virus procedure
Public and private key encryption

GLOSSARY:

COMPUTER TERMINOLOGY

ATM: Automated Teller Machine

SWIFT: Society for worldwide Interbank Financial Telecommunication

SFMS: Structured Financial Messaging System

OLTAS: Online Tax Accounting System

CBS: Centralized/ core Banking Solution

PIN: Personal Identification Number

LAN: Local Area Network (used in the same building)

MAN: Metropolitan Area Network (used in the same city)

WAN: Wide Area Network (used in different locations)

IDRBT: Institute for Development & Research in Banking Technology

Banknet: Payment System Network established by RBI

NICNET: National Informatics Centre Network (currency chest operation)

WWW: World Wide Web

HTTP: Hyper Text Transfer Protocol

URL: Uniform Resource Locator

VSAT: Very Small Aperture terminal

Firewall: Software programme that restricts unauthorized access to data and acts as a security to a private network

Booting: Starting of a computer

Hard Disk: A device for storage of data fitted in the processor itself

Modem: Modulator & Demodulator: A device used for converting digital signals to analog signals & vice-versa

Encryption: Changing the data into coded form


Decryption: Process of decoding the data

Virus: Vital Information Resources Under Seize: Software programme that slows down the working of a
computer or damages the data. Main source of virus is internet (other sources are floppy or CD)

Vaccine: Anti Virus Software programme used for preventing entry of virus or repairing the same

Digital Sign: Authentication of electronic records by a subscriber by means of electronic method or procedure

Key used: For digital signatures, there is a pair of keys, private key & public key

RTGS: Real time Gross Settlement

ECS: Credit: One account debited, number of accounts credited

ECS: Debit: One account credited, number of accounts debited

Hacking: Knowingly concealing, destroying, altering any computer code used for computer network

Address: The location of a file. You can use addresses to find files on the Internet and your computer. Internet
addresses are also known as URLs.

IMPORTANT ABBREVIATIONS

AI – Artificial Intelligence
ALGOL – Algorithmic Language
ARP – Address Resolution Protocol
ASCII – American Standard Code for Information Interchange
BINAC – Binary Automatic Computer
BCC – Blind Carbon Copy
Bin – Binary
BASIC – Beginner's All-purpose Symbolic Instruction Code
BIOS – Basic Input Output System
Bit – Binary Digit
BSNL – Bharat Sanchar Nigam Limited
CC – Carbon Copy
CAD – Computer Aided Design
COBOL – Common Business Oriented Language
CD – Compact Disc
CRT – Cathode Ray Tube
CDR – Compact Disc Recordable
CDROM – Compact Disc Read Only Memory
CDRW – Compact Disc Rewritable
CDR/W – Compact Disc Read/Write
DBA – Data Base Administrator
DBMS – Data Base Management System
DNS – Domain Name System
DPI – Dots Per Inch
DRAM – Dynamic Random Access Memory
DVD – Digital Video Disc/Digital Versatile Disc
DVDR – DVD Recordable
DVDROM – DVD Read Only Memory
DVDRW – DVD Rewritable
DVR – Digital Video Recorder
DOS – Disk Operating System
EBCDIC – Extended Binary Coded Decimal Interchange Code
e-Commerce – Electronic Commerce
EDP – Electronic Data Processing
EEPROM – Electrically Erasable Programmable Read Only Memory
ELM/e-Mail – Electronic Mail
ENIAC – Electronic Numerical Integrator and Computer
EOF – End Of File
EPROM – Erasable Programmable Read Only Memory
EXE – Executable
FAX – Far Away Xerox/facsimile
FDC – Floppy Disk Controller
FDD – Floppy Disk Drive
FORTRAN – Formula Translation
FS – File System
FTP – File Transfer Protocol
Gb – Gigabit
GB – Gigabyte
GIF – Graphics Interchange Format
GSM – Global System for Mobile Communication

Disclaimer
While every effort has been made by me to avoid errors or omissions in this publication,
any error or discrepancy noted may be brought to my notice through e-mail to
aravindss1988@gmail.com, which shall be taken care of in the subsequent editions. It is also
suggested that, to clarify any doubt, colleagues should cross-check the facts, laws and
contents of this publication with original Govt. / RBI / Manuals/Circulars/Notifications/Memo/Spl Comm. of our bank.
Blog for updates: https://iibfadda.blogspot.com/
