
MICS

Suggested Answer
Roll No.

Maximum Marks - 100

Total No. of Questions - 6

Total No. of Printed Pages -11

Time Allowed - 3 Hours


Attempt all questions.
1. Assume that you are appointed as the system analyst for the development of a
generalized complete software package for a commercial bank.
a) Describe 5 functional areas of banks which should be addressed by the software
and why? (10)
b) Discuss how different levels of management will be benefitted by the use of
software. (10)

Answer of Q.N.1.a
One of the key jobs of a system analyst is to understand the requirements clearly. While
developing a generalized complete software package for commercial banks, the system
analyst should know the functional areas of commercial banks. Here are a few general
functional areas of commercial banks.
Deposit Collection
The most important function of commercial banks is to accept deposits from the public and
organizations. Various sections of society, according to their needs and economic condition,
deposit their savings with the banks. The software should be able to handle the information
related to the personal details of depositors, the amounts collected over different time frames,
and the interest given. Deposit collection is simultaneously connected to withdrawal, so the
information related to withdrawals should also be handled by the software.
Giving Loans
The second important function of commercial banks is to advance loans to their customers.
Banks charge interest from the borrowers and this is the main source of their income. So
information on borrowers, collateral, amount borrowed, interest rate, interest amount,
payment installments, penalties etc. on a time basis are the essential features that should be
available in the information system.
Investment of Funds
The banks invest their surplus funds in three types of securities: Government securities,
other approved securities and other securities. Government securities include both central
and state government securities, such as treasury bills, national savings certificates etc. The
information management of such things will be another crucial area that the software should be
able to address.

Human Resource Management
Human resource management is another important part of commercial
banks. Hiring the right person, placing him/her in an appropriate job, remuneration and capacity
building are the key areas of human resource management. Moreover, the information system is
mainly concerned with human resources from recruitment to retirement; this includes keeping
personal, academic and professional records of staff. The software should be able to track
the performance of human resources so that it can be utilized in incentives and career
growth.
Customer Relationship Management
This is a novel concept in the field of commercial banking: staying connected with the customer
regularly, even on the customer's personal occasions, so that they feel honored. CRM
generally segregates customers based on some criteria, e.g. high business customer, most
loyal customer, new customer etc. This helps in the long-term association of a bank with its
clients. By keeping personal dates, e.g. birthday or marriage anniversary, the bank can send
gifts to valuable customers to attract them. Simple wishes can also be sent by email or
phone to let them know that the bank is always with them.
(Notes: Other functional areas of commercial banks are also equally acceptable)
Answer of Q.N.1.b
Usually a commercial bank will have three levels of management hierarchy, named as:
1. Operational level
2. Middle Level and
3. Executive Level
These levels of the management hierarchy have different levels of duty and responsibility. To do their
job more effectively they need various types of information. Here is a description of how
the different levels of management will be benefitted by the use of the newly developed software
package.
Operational Level:
Operational level management does not set long-term goals; however, it has everyday goals
and objectives. It needs information like personal details of customers, customers' transactions,
daily amount of deposits, daily amount of withdrawals etc. Such information will be
available on a single click. The main beauty of the new software will be that such
information can be accessed simultaneously by a large number of users from all branches.
Middle Level Management:
Supervisory levels are the bridge between the executive level and the operational level. Supervising
managers get the work implemented by the operational level staff. With the help of the
computer-based information system, the supervisors can track the progress of operations; they
know who is responsible for which work, and what should be done to achieve the goals set by the
executive level management. In the case of a bank, they can get information regarding the
weekly/monthly transactions of money: deposits and lending, interest etc. They can track the
valuable customers. They can track in which areas there is lending. They can get information on
the areas in which loans are to be minimized or increased. Besides this,
with the implementation of the new software the middle level management can get information on
accounting and finance, payroll and human resources etc.
Executive level Management:
Executive level management is mainly responsible for making long-term, effective decisions; it
is responsible for setting the long-term goals of the organization and for making the policy-level decisions
to achieve such goals. For example, they set goals like the profit over 5 years, the position of the
bank in 10 years, expansion of the bank in various geographical areas and national and
international collaborations. To make such decisions they need information like: the last 5
years' performance of the bank, comparative performance of other banks, support of the
employees etc. These types of information will be provided by the software on a click.
2.
a) Explain IT strategy planning. (5)
b) Compare Decision Support System with Executive Information System. (5)
c) What do you mean by Computer aided software engineering (CASE). (5)
d) Discuss the steps involved in the Payment Process using credit cards. (5)


Answer of Q.N.2.a
A plan is a predetermined course of action to be taken in the future. It is a document containing
the details of how the action will be executed, and it is made against a time scale. The goals and
the objectives that a plan is supposed to achieve are the prerequisites of a plan. The setting of the
goals and the objectives is the primary task of the management, without which planning cannot
begin.
Planning involves a chain of decisions, one dependent on the other, since it deals with a long
term period. A successful implementation of a plan means the execution of these decisions in a
right manner one after another. Planning, in terms of future, can be long-range or short-range.
Long-range planning is for a period of five years or more, while short-range planning is for one
year at the most. The long-range planning is more concerned about the business as a whole, and
deals with subjects like the growth and the rate of growth, the direction of business, establishing
some position in the business world by way of a corporate image, a business share and so on. On
the other hand, short-range planning is more concerned with the attainment of the business
results of the year. It could also be in terms of action by certain business tasks, such as launching
of a new product, starting a manufacturing facility, completing the project, achieving
intermediate milestones on the way to the attainment of goals. The goals relate to long-term
planning and the objectives relate to the short-term planning. There is a hierarchy of objectives
which together take the company to the attainment of goals. The plans, therefore, relate to the
objectives when they are short-range and to goals when they are the long-range. Long-range
planning deals with resource selection, its acquisition and allocation. It deals with the technology
and not with the methods or the procedures. It talks about the strategy of achieving the goals.
The right strategy improves the chances of success tremendously. At the same time, a wrong
strategy means a failure in achieving the goals. Corporate business planning deals with the
corporate business goals and objectives. The business may be a manufacturing or a service; it
may deal with the industry or trade; may operate in a public or a private sector; may be national
or international business. Corporate business planning is a necessity in all cases. Though the
corporate business planning deals with a company, its universe is beyond the company. The
corporate business plan considers the world trends in the business, the industry, the technology,
the international markets, the national priorities, the competitors, the business plans, the
corporate strengths and the weaknesses for preparing a corporate plan. Planning, therefore, is a
complex exercise of steering the company through the complexities, the difficulties, the
inhibitions and the uncertainties towards the attainment of goals and objectives.

Answer of Q.N.2.b
Decision Support System (DSS)
1. A decision support system can be defined as an information system that provides tools to
managers to assist them in solving semi-structured and unstructured problems on their
own.
2. A DSS itself does not make any decision; rather, it provides analysis and all the possible results
so that managers can make the decision on their own.
3. Thus a DSS is a support to the human decision-making process instead of being a decision
maker.
4. Access to a DSS can be limited to certain persons in the organization. It is accessible only to those
persons who are in decision-making positions.

Executive Information System (EIS)
1. An executive information system is a tool provided to the executive body, which
provides direct and online access to timely, accurate and relevant information in
a useful and navigable format.
2. Executive information systems get their input from the reports of supervisory level
systems. An EIS can also have access to other decision support systems.
3. An EIS can be helpful for decision making, analysis, policy and strategy formulation.
4. An EIS is mainly accessible to the top level management of the organization.


Answer of Q.N.2.c
Computer-aided software engineering (CASE), sometimes called computer-aided systems
engineering, provides software tools to automate the methodologies we have just described to
reduce the amount of repetitive work the developer needs to do. CASE tools also facilitate the
creation of clear documentation and the coordination of team development efforts. Team
members can share their work easily by accessing each other's files to review or modify what has
been done. Modest productivity benefits can also be achieved if the tools are used properly. Many
CASE tools are PC-based, with powerful graphical capabilities.
CASE tools provide automated graphics facilities for producing charts and diagrams, screen and
report generators, data dictionaries, extensive reporting facilities, analysis and checking tools,
code generators, and documentation generators. In general, CASE tools try to increase
productivity and quality by doing the following:

- Enforce a standard development methodology and design discipline
- Improve communication between users and technical specialists
- Organize and correlate design components and provide rapid access to them using a
design repository
- Automate tedious and error-prone portions of analysis and design
- Automate code generation and testing and control rollout
CASE tools automatically tie data elements to the processes where they are used. If a data flow
diagram is changed from one process to another, the elements in the data dictionary would be
altered automatically to reflect the change in the diagram. CASE tools also contain features for
validating design diagrams and specifications. CASE tools thus support iterative design by
automating revisions and changes and providing prototyping facilities. A CASE information
repository stores all the information defined by the analysts during the project. The repository
includes data flow diagrams, structure charts, entity-relationship diagrams, UML diagrams, data
definitions, process specifications, screen and report formats, notes and comments and test results.
Answer of Q.N.2.d
The steps involved in the payment process using credit cards are listed below:
1. The consumer contacts a card-issuing bank and opens a credit card account. They are
issued a credit card with a unique account number and a credit line (which is how much
they are allowed to spend on the account).
2. The consumer provides the credit card information to pay for the transaction whenever
s/he wants to purchase any goods or services from a merchant.
3. The merchant takes the credit card information provided by the consumer,
attempts to validate it through tests and checks, and sends it to the acquiring bank to find
out if the consumer has money available on the credit card to make the purchase. There
should be some communication mechanism between the merchant's POS and the acquiring
bank.
4. The acquiring bank routes a request through the card association's physical network to
the issuing bank to see if funds are available on the consumer's credit card.
5. The issuing bank checks the consumer's credit line and, if funds are available, sets
aside the amount of money that the order requires for payment. This money is
reserved only; it has not changed hands, and is not the merchant's money yet. At this
point a reply is sent back through the card association network to the acquiring bank, then
back to the merchant to let them know the status of the request for funds.
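The five steps above can be traced in a small simulation; this is an added example, not part of the original answer. It assumes the merchant's "tests and checks" are a Luhn checksum, that the card network routes on the first six digits, and that amounts are in cents; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field


def luhn_ok(pan):
    """Merchant-side check (assumed): the account number passes the Luhn checksum."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Account:
    credit_line: int                          # in cents
    posted: int = 0                           # money that has actually changed hands
    holds: dict = field(default_factory=dict) # auth_id -> amount set aside

    def available(self):
        return self.credit_line - self.posted - sum(self.holds.values())


class IssuingBank:
    def __init__(self):
        self.accounts = {}
        self.next_id = 1

    def open_account(self, pan, credit_line):           # step 1
        self.accounts[pan] = Account(credit_line)

    def authorize(self, pan, amount):                   # step 5
        acct = self.accounts.get(pan)
        if acct is None:
            return {"approved": False, "reason": "unknown account"}
        if amount <= 0:
            return {"approved": False, "reason": "invalid amount"}
        if amount > acct.available():
            return {"approved": False, "reason": "insufficient funds"}
        auth_id = "A%04d" % self.next_id
        self.next_id += 1
        acct.holds[auth_id] = amount                    # reserved only, nothing posted
        return {"approved": True, "auth_id": auth_id}


class AcquiringBank:
    def __init__(self, network):
        self.network = network    # prefix -> issuer; stands in for the card association network

    def request_funds(self, pan, amount):               # step 4
        issuer = self.network.get(pan[:6])
        if issuer is None:
            return {"approved": False, "reason": "no route to issuer"}
        return issuer.authorize(pan, amount)


class Merchant:
    def __init__(self, acquirer):
        self.acquirer = acquirer

    def checkout(self, pan, amount):                    # steps 2 and 3
        if not luhn_ok(pan):
            return {"approved": False, "reason": "card number failed validation"}
        return self.acquirer.request_funds(pan, amount)


TEST_PAN = "4111111111111111"   # widely published test number, not a real account


def build_demo():
    """Constructed scenario: one issuer, one account with a 500.00 credit line."""
    issuer = IssuingBank()
    issuer.open_account(TEST_PAN, credit_line=50_000)
    merchant = Merchant(AcquiringBank({TEST_PAN[:6]: issuer}))
    return merchant, issuer


if __name__ == "__main__":
    merchant, issuer = build_demo()
    print(merchant.checkout(TEST_PAN, 30_000))            # approved, funds set aside
    print(merchant.checkout(TEST_PAN, 25_000))            # declined, hold reduces the line
    print(merchant.checkout("4111111111111112", 1_000))   # rejected before reaching the bank
    print(issuer.accounts[TEST_PAN].available())
```

After the first approval the hold lowers the available credit while `posted` stays at zero, which is the "reserved only" state described in step 5.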
3.
a) What is client/server? What are benefits of client/server computing?
(2.5+2.5=5)
b) Explain the steps involved in prototyping development and also discuss the
advantages of prototyping development.
(2.5+2.5=5)
c) What is the sole purpose of an Information System (IS) Audit? What is the role
of an IS Auditor?
(2.5+2.5=5)
Answer of Q.N.3.a
The term server refers to a running program on a networked computer that accepts requests from
programs running on other computers to perform a service and responds appropriately. The
requesting processes are referred to as clients.
Benefits of client/server computing
- Client/server computing provides easier access to corporate internal and
external data.
- It reduces costs of processing dramatically.
- The maintenance cost of programs is low.
- It provides an infrastructure that enables business processes to be
reengineered for strategic benefit.
- It gives control to users of their own applications at their own locations.
- It reduces the operating costs of the information system department.

Answer of Q.N.3.b
The steps involved in prototyping development are as follows:
Working in manageable modules
Building the initial prototype rapidly
Modifying the prototype in successive iterations
Stressing the user interface

Advantages of prototyping
- Prototyping makes the development process faster and easier for system
analysts, especially where end users' requirements are hard to define.
- It is used for both small and large applications.
- It provides the potential for changing the system early in its development.
- Prototype systems afford opportunity to observe and jointly examine
information use.
- Prototype systems may, by being experimental, create a culture of change,
adaptation and learning.
Answer of Q.N.3.c
The sole purpose of an Information system audit
The sole purpose of an Information system audit is to evaluate and review the adequacy of
automated information systems to meet processing needs, to evaluate the adequacy of internal
controls, and to ensure that assets controlled by those systems are adequately safeguarded.
Role of an IS Auditor
The Information System (IS) auditor is responsible for establishing control objectives that
reduce or eliminate potential exposure to control risks. After the objectives of the audit have
been established, the auditor must review the audit subject and evaluate the results of the
review to find out areas that need some improvement. IS auditor should submit a report to the
management, recommending actions that will provide a reasonable level of control over the
assets of the entity.
4.
a) Why is ERP popular in modern business? How can an organization benefit
from its use?

b) Explain the essential features of a good e-commerce website.

Answer of Q.N.4.a
Enterprise Resource Planning (ERP) is a cross-functional enterprise system driven by an integrated
suite of software modules that supports the basic internal business processes of a company. ERP
gives a company an integrated real-time view of its core business processes such as production,
order processing, inventory management, accounting and finance, marketing and sales, and
human resources. Thus, instead of using separate modules, ERP gives an integrated view of all
business activity in real time, which helps in enhancing the quality and efficiency of the organization,
decreases operating costs, helps in decision making and provides business agility. Thus ERP
is popular in modern business these days.
The benefit of the ERP can be summarized as:
- Provides a real-time view of all business activity of the organization and its
interconnections.
- Reduces paper documents by providing online formats.
- Improves timeliness of information by permitting posting daily instead of monthly.
- Provides greater accuracy of information.
- Improves cost control.
- Enables better monitoring and quicker resolution of queries.
- Enables quick response to changes in business operations and market conditions.
- Helps to achieve competitive advantage by improving business processes.
- Provides a unified customer database usable by all applications.
- Improves information access and management throughout the enterprise.

Answer of Q.N.4.b
Some features that should be available in an e-commerce website for its effective operation are:
Login and authorization
Searching of the Products
Product Details
Payment Mechanism
Profiling and Personalization
Event Notifications
Login and Authorization:
This feature allows users to log in to the system with validation of the user name and password.
People without a valid user name and password can see just the basic information about the
e-commerce website, but once they have a system user name and password they can initiate any process
in the system. The system also facilitates the creation of a new user name and password.
Searching of the Product:
As the virtual web front lists a large variety of products, people might be unable to find the
product of their choice, so an effective product search mechanism should be
available on the website. Conditions can be applied in the search.
Product Details and Catalogue:
Once the client finds a product, the website should give detailed information about the product,
with a possible 2D/3D or video view, along with all essential information and procedures.
Payment Mechanism:
The payment mechanism and procedures should be clear to every user. Whether it is an electronic
payment procedure or cash on delivery, it should be documented properly.
Profiling and Personalization:
The user's personal behavior in selling/buying products or accessing the product catalogue should be
tracked to personalize the experience in the future. This will be helpful for the promotion of new or related
products to that user in the future.
Event Notifications:
It is the procedure of informing the client about the completion of any event. This helps in
ensuring the completion of the process. It can be done by email or phone etc.

5.
a) What are the security features of information systems? Explain. (5)
b) What are the general steps to be followed while creating BCP (business
continuity planning)? (5)
c) What do you mean by Internal Threats and Software Vulnerability? (5)
Answer of Q.N.5.a
A secure system accomplishes its task with no unintended side effects. Using the analogy of a
house to represent the system, suppose you decide to carve out a piece of your front door to give your
pets easy access to the outdoors. However, the hole is too large, giving access to burglars. You
have created an unintended implication and therefore an insecure system.
While security features do not guarantee a secure system, they are necessary to build a secure
system. Security features have four categories:
- Authentication: Verifies that you are who you say you are. It enforces that you are the only
one allowed to log on to your Internet banking account.
- Authorization: Allows only you to manipulate your resources in specific ways.
This prevents you from increasing the balance of your account or deleting a bill.
- Encryption: Deals with information hiding. It ensures you cannot spy on others
during Internet banking transactions.
- Auditing: Keeps a record of operations. Merchants use auditing to prove that you
bought specific merchandise.
Answer of Q.N.5.b
1. Identify the scope and boundaries of the business continuity plan. The first step enables us to
define the scope of the BCP. It provides an idea of the limitations and boundaries of the plan. It also
includes audit and risk analysis reports for the institution's assets.
2. Conduct a business impact analysis (BIA). Business impact analysis is the study and
assessment of effects on the organization in the event of the loss or degradation of
business/mission functions resulting from a destructive event. Such loss may be
financial, or less tangible but nevertheless essential (e.g. human resources, shareholder
liaison).
3. Sell the concept of BCP to upper management and obtain organizational and financial
commitment. Convincing senior management to approve the BCP/DRP is a key task. It is
very important for security professionals to get approval for the plan from upper
management to bring it into effect.
4. Each department will need to understand its role in the plan and support its maintenance. In
case of disaster, each department has to be prepared for action. To recover and to
protect the critical functions, each department has to understand the plan and follow it
accordingly. It is also important for each department to help in the creation and
maintenance of its portion of the plan.
5. The BCP project team must implement the plan. After approval from upper management,
the plan should be maintained and implemented. The implementation team should follow the
guidelines and procedures in the plan.
The NIST tool set can be used for doing BCP. The National Institute of Standards and Technology has
published tools which can help in creating a BCP.
Answer of Q.N.5.c
Internal Threats: We tend to think the security threats to a business originate outside the
organization. In fact, the largest financial threats to business institutions come from insiders.
Some of the largest disruptions to service, destruction of e-commerce sites, and diversion of
customer credit data and personal information have come from insiders, once-trusted
employees. Employees have access to privileged information, and in the presence of sloppy
internal security procedures, they are often able to roam throughout an organization's systems
without leaving a trace.
Studies have found that users' lack of knowledge is the single greatest cause of network security
breaches. Many employees forget their passwords to access computer systems or allow
coworkers to use them, which compromises the system. Malicious intruders seeking system
access sometimes trick employees into revealing their passwords by pretending to be legitimate
members of the company in need of information. This practice is called social engineering.
Employees, both end users and information systems specialists, are also a major source of
errors introduced into an information system. Employees can introduce errors by entering
faulty data or by not following the proper instructions for processing data and using computer
equipment. Information systems specialists can also create software errors as they design and
develop new software or maintain existing programs.
Software Vulnerability: Software errors also pose a constant threat to information
systems, causing untold losses in productivity.
A major problem with software is the presence of hidden bugs, or program code defects. Studies
have shown that it is virtually impossible to eliminate all bugs from large programs. The main
source of bugs is the complexity of decision-making code. Important programs within most
corporations may contain tens of thousands or even millions of lines of code, each with many
alternative decision paths. Such complexity is difficult to document and design; designers may
document some reactions incorrectly or may fail to consider some possibilities. Even after
rigorous testing, developers do not know for sure that a piece of software is dependable until the
product proves itself after much operational use.
6. Write short notes on the following: (5×3=15)
a) Risk Assessment
b) Types of System Testing
c) Firewalls
d) CASE Tools
e) Hacking

Answer of Q.N.6.
(a) Risk Assessment: A risk assessment activity can provide an effective approach, which
acts as the foundation for avoiding disasters. Risk assessment is also termed a critical step
in disaster and business continuity planning. Risk assessment is necessary for developing a
well-tested contingency plan. In addition, risk assessment is the analysis of threats to resources
(assets) and the determination of the amount of protection necessary to adequately safeguard the
resources, so that vital systems, operations, and services can be resumed to normal status in the
minimum time in case of a disaster. Disasters may lead to vulnerable data and crucial
information suddenly becoming unavailable. The unavailability of data may be due to the
non-existence or inadequate testing of the existing plan.
Risk assessment is a useful technique to assess the risks involved in the event of unavailability
of information, to prioritize applications, identify exposures and develop recovery scenarios.
(b) Types of System Testing: System testing is a process in which software and other
system elements are tested as a whole. Major types of system testing that might be carried out,
are given as follows:
Recovery Testing: This is the activity of testing how well the application is able to recover
from crashes, hardware failures and other problems. Similarly, recovery testing is the forced
failure of the software in a variety of ways to verify that recovery is properly performed.
Security Testing: This is the process to determine whether an Information System protects data
and maintains functionality as intended. The six basic security concepts that need to be
covered by security testing are: confidentiality, integrity, availability, authentication,
authorization and non-repudiation. This testing technique also ensures the existence and proper
execution of access controls in the new system.
Stress or Volume Testing: Stress testing is a form of testing that is used to determine the
stability of a given system or entity. It involves testing beyond normal operational capacity,
often to a breaking point, in order to observe the results. Stress testing may be performed by
testing the application with a large quantity of data during peak hours to test its performance.
Performance Testing: Software performance testing is used to determine the speed or
effectiveness of a computer, network, software program or device. This testing technique
compares the new system's performance with that of similar systems using well defined
benchmarks.

(c) Firewall: A firewall is a collection of components (computers, routers, and software) that
mediate access between different security domains. All traffic between the security domains
must pass through the firewall, regardless of the direction of the flow. Since the firewall serves
as an access control point for traffic between security domains, it is ideally situated to
inspect and block traffic and coordinate activities with network intrusion detection systems
(IDSs).
There are four primary firewall types from which to choose: packet filtering, stateful inspection,
proxy servers, and application-level firewalls. Any product may have characteristics of one or
more firewall types. The selection of firewall type is dependent on many characteristics of the
security zone, such as the amount of traffic, the sensitivity of the systems and data, and
applications. Additionally, consideration should be given to the ease of firewall administration,
degree of firewall monitoring support through automated logging and log analysis, and the
capability to provide alerts for abnormal activity.
Typically, firewalls block or allow traffic based on rules configured by the administrator. Rule
sets can be static or dynamic. A static rule set is an unchanging statement to be applied to
packet headers, such as blocking all incoming traffic with certain source addresses. A dynamic
rule set often is the result of coordinating a firewall and an IDS.
For example, an IDS that alerts on malicious activity may send a message to the firewall to
block the incoming IP address. The firewall, after ensuring that the IP is not on a "white list",
creates a rule to block the IP. After a specified period of time the rule expires and traffic is once
again allowed from that IP.
Firewalls are subject to failure. When firewalls fail, they typically should fail closed, blocking
all traffic, rather than failing open and allowing all traffic to pass. Firewalls provide some
additional services such as network address translation, dynamic host configuration protocols
and virtual private network gateways.
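The static rule set, the IDS-driven dynamic rule with its "white list" check and expiry, and fail-closed behaviour described above can be modelled as follows. This is an added example, not part of the original answer; the class, its method names, the 300-second expiry and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress


class Firewall:
    def __init__(self, static_blocked, allowlist, block_ttl=300):
        # Static rule set: source networks that are always blocked.
        self.static_blocked = [ipaddress.ip_network(n) for n in static_blocked]
        # "White list": sources an IDS alert must never cause to be blocked.
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.block_ttl = block_ttl      # lifetime of a dynamic rule, in seconds
        self.dynamic = {}               # source address -> expiry time
        self.healthy = True             # set to False to simulate a failed firewall

    def _in(self, ip, networks):
        return any(ip in net for net in networks)

    def on_ids_alert(self, src, now):
        """Handle an IDS alert; return True if a dynamic block rule was created."""
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return False                # malformed alert: create no rule
        if self._in(ip, self.allowlist):
            return False                # allowlisted source is never blocked by an alert
        self.dynamic[ip] = now + self.block_ttl
        return True

    def expire(self, now):
        """Drop dynamic rules whose specified period has passed."""
        for ip in [ip for ip, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[ip]

    def decide(self, src, now):
        """Return 'allow' or 'block' for a packet with source address src."""
        if not self.healthy:
            return "block"              # fail closed: a failed firewall passes nothing
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return "block"              # unparseable header is not let through
        self.expire(now)
        if self._in(ip, self.static_blocked) or ip in self.dynamic:
            return "block"
        return "allow"


def replay():
    """Run constructed events through the firewall and return the packet decisions."""
    fw = Firewall(static_blocked=["203.0.113.0/24"], allowlist=["192.0.2.10/32"])
    out = [fw.decide("198.51.100.7", now=0)]           # no rule yet
    fw.on_ids_alert("198.51.100.7", now=10)            # IDS asks for a block
    out.append(fw.decide("198.51.100.7", now=20))      # dynamic rule in force
    fw.on_ids_alert("192.0.2.10", now=30)              # alert on an allowlisted source
    out.append(fw.decide("192.0.2.10", now=40))        # still allowed
    out.append(fw.decide("203.0.113.99", now=50))      # static rule
    out.append(fw.decide("198.51.100.7", now=310))     # dynamic rule has expired
    fw.healthy = False
    out.append(fw.decide("192.0.2.10", now=320))       # failure blocks everything
    return out


if __name__ == "__main__":
    print(replay())
```

Time is passed in explicitly so the expiry behaviour is reproducible; a real deployment would use the system clock.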
(d) CASE Tools: The data flow diagrams and system flow charts that users review are
commonly generated by systems developers using the on-screen drawing modules found in
CASE (Computer-Aided Software Engineering) software packages. CASE refers to the
automation of anything that humans do to develop systems. In the 1980s, these tools enabled
system analysts and programmers to create flow charts and data flow diagrams on a
minicomputer or a microcomputer workstation. Today, CASE products can support virtually all
phases of the traditional system development process. For example, these packages can be used to
create complete and internally consistent requirements specifications with graphic generators
and specification languages. CASE products are still relatively new and evolving. However,
numerous organizations have already reported great success with them.
(e) Hacking: It is an act of penetrating computer systems to gain knowledge about the
system and how it works. Technically, a hacker is someone who is enthusiastic about computer
programming and all things relating to the technical workings of a computer.
Crackers are people who try to gain unauthorized access to computers. This is normally done
through the use of a backdoor program installed on the machine. A lot of crackers also try to
gain access to resources through the use of password cracking software, which tries billions of
passwords to find the correct one for accessing a computer.
There are many ways in which a hacker can hack. These are:
NetBIOS
ICMP Ping
FTP
rpc.statd
HTTP