
CHAPTER 1 ORGANIZATIONAL MANAGEMENT AND INFORMATION SYSTEM

Computer based management information system (CBIS)
> It offers and consolidates information for management-related activities, functions and decisions.
> It is a complex system composed of computer hardware and software that work together.
> MIS enables the collection, transmission, processing and storing of information.
> It organizes huge volumes of seemingly unmanageable data and turns them into reports.
> It also must reaffirm and evaluate decisions made in the past.

Revision of organization and management level
WHY necessary:
1) To use different types of information to perform a set of distinct functions.
2) To delegate responsibility to a specialist in each area (production, marketing, finance, human resource) and make them accountable for efficient functioning.
Revision should be as follows:
CEO - Deals with strategic, long-range policies and acts as overall in-charge of the organization.
Middle level manager - Provides the typical function of each category (e.g. R&D, human resource, finance) etc. Reports to the CEO. Has many assistants known as line managers. Deals with tactical, short-range policies.
Line manager - Deals with operational, day-to-day policies.

CHARACTERISTICS OF COMPUTER BASED INFORMATION SYSTEM (Code: F.O.I.L.)
1. Fails: If one sub-system fails, whether the whole system keeps working depends on how the sub-systems are interrelated.
2. Objectives: All systems work for predetermined objectives & are designed & developed accordingly.
3. Interacts: All sub-systems in a system interact with each other and can't work in isolation.
4. Low priority to individual sub-systems: Work done by individual sub-systems is integrated to achieve the central goal of the system; the importance of any individual sub-system gets low priority.

Role of CBIS
> The size of organizations is becoming larger and it is complex to manage them.
> Availability of variety in the processing of data (a manager is able to look at data from different angles).
> Due to the large volume of data and the increase in the variety of organizations, CBIS is important.
> Organizations have many branches over a widespread geographical area.
> Markets are becoming competitive. To maintain a favourable balance of payments in the country, organizations have to be internationally competitive.
> Better environmental adaptation (human society changes faster, government regulation is complex, organizations interact with various stakeholders).

Security triad / Primary goals of information system
• Confidentiality: Prevention of the unauthorized disclosure of data is referred to as confidentiality. With the use of encryption and physical isolation, data can be kept secret.
• Integrity: Integrity refers to the prevention of unauthorized modification of data; it ensures that data is correct, consistent and of high quality.
• Availability: Availability refers to the prevention of unauthorized withholding of data; it is ensured through data backup, Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Temporary breakdowns, sustained and permanent outages, Denial of Service (DoS) attacks, equipment failure and natural calamities are all threats to availability.

How is the security of the average company set up?
Ans: The average company's security has a crude design that resembles an egg shell, i.e. hard from the outside, but once it is broken there is nothing internal to prevent or limit access.
Things that should be considered while setting up the security system:
- It should be hard to cause damage to security.
- Analysis should be done to know how often damage can happen.
- All possible damages should be compared with their monetary value.
- There should be provision of secondary security in the event of a breach of the primary security line.

How do most security breaches happen?
They mainly happen because of the following reasons:
1) Installation of a bad bit of software
2) Automated attack through worms, viruses & Trojans
3) Internal breach of security by its users
4) Hardware failure of the security system

Types of information
There are four main classes of information:
Public – Information that can be freely shared with any individual or group.
Internal – Potentially sensitive information that should not be shared outside our organization.
Confidential – Information (whether in oral, written, or electronic form) that may adversely affect employees, individuals, or our business if disclosed to unauthorized parties. For example, business strategies, marketing plans, manufacturing techniques, etc.
Restricted / Secret – Information which is hidden from all except some users. Loss of this data may cause critical damage to the company and could be the major reason for the downfall of the company. E.g. trade secrets, external secrets.
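The four classes above state handling rules in prose. The following added example (not part of these notes) encodes them as a small allow/deny check, so that a document reaches a recipient only if its label permits it, and shows the aggregation rule that a bundle of documents carries the highest label among its parts. The Recipient and Document records, the need_to_know field, and the rule that an unrecognised marking is treated as Restricted (fail closed) are assumptions of the example, not something the notes specify.

```python
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """The four classes from the notes, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Recipient:
    """Hypothetical recipient record (field names are assumptions)."""
    user_id: str
    is_employee: bool
    groups: frozenset = frozenset()


@dataclass
class Document:
    """Hypothetical document record. need_to_know is an assumption:
    group names for CONFIDENTIAL, explicit user ids for RESTRICTED."""
    title: str
    label: Label
    need_to_know: frozenset = frozenset()


def parse_label(marking):
    """Map a free-text marking to a Label. Fails closed: an unknown
    marking is treated as RESTRICTED, never as PUBLIC."""
    aliases = {
        "public": Label.PUBLIC,
        "internal": Label.INTERNAL,
        "confidential": Label.CONFIDENTIAL,
        "restricted": Label.RESTRICTED,
        "secret": Label.RESTRICTED,
    }
    return aliases.get(marking.strip().lower(), Label.RESTRICTED)


def highest_label(labels):
    """A bundle (zip file, report pack) takes the highest label of its parts.
    An empty bundle has nothing to justify a lower label, so it fails closed."""
    return max(labels, default=Label.RESTRICTED)


def may_disclose(doc, rcpt):
    """Return (allowed, reason) for handing doc to rcpt."""
    if doc.label == Label.PUBLIC:
        return True, "public information"
    if not rcpt.is_employee:
        return False, "non-public information never leaves the organization"
    if doc.label == Label.INTERNAL:
        return True, "internal information, recipient is an employee"
    if doc.label == Label.CONFIDENTIAL:
        if rcpt.groups & doc.need_to_know:
            return True, "confidential, recipient is in an authorised group"
        return False, "confidential, recipient has no need to know"
    # RESTRICTED: only explicitly named users; group membership is not enough
    if rcpt.user_id in doc.need_to_know:
        return True, "restricted, recipient is explicitly named"
    return False, "restricted, recipient is not explicitly named"


if __name__ == "__main__":
    # Constructed sample data for illustration
    plan = Document("Q3 marketing plan", Label.CONFIDENTIAL, frozenset({"marketing"}))
    staff = Recipient("u1", True, frozenset({"marketing"}))
    outsider = Recipient("ext1", False)
    print(may_disclose(plan, staff))
    print(may_disclose(plan, outsider))
```

The ordering on Label is what makes highest_label work: when documents of several classes are packaged together, the package must be handled at the strictest level present, which is the rule that prevents a Restricted attachment from travelling under an Internal cover note.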
IT Governance
IT governance is a formal framework that provides a structure for organizations to ensure that IT investments support business objectives. The need for formal corporate and IT governance practices across most organizations was fuelled by the enactment of laws and regulations in each country. Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organizations can produce measurable results toward achieving their strategies and goals. In simple terms, IT governance is the system by which IT activities in a company / enterprise are directed & controlled to achieve business objectives, with the ultimate objective of meeting stakeholder needs.

Major focus areas that make up IT governance
> Strategic alignment: It relates to how IT supports the enterprise strategy and how IT operations are aligned with the current business operations. Alignment involves understanding the needs of the organization, developing IT strategies and objectives, demand management, resource allocation, and of course communication.
> Value delivery: Making sure that the IT department is delivering the benefit which was promised at the beginning of the project or investment.
> Resource management: Managing resources effectively, e.g. skill enhancement training should be provided to human resources.
> Risk management: Instituting a formal risk framework that puts some rigor around how IT measures, accepts and manages risk, as well as reporting on what IT is managing in terms of risk.
> Performance measures: Putting structure around measuring business performance. It can be done through an IT balanced scorecard, which examines the contribution to the achievement of business goals and the development of resources. It uses both qualitative and quantitative measures to get those answers.

How do I choose which framework to use?
Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from its investments.
When reviewing frameworks, consider your corporate culture. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders? That framework is probably the best choice. But you don't have to choose only one framework. For example, COBIT and ITIL complement one another in that COBIT often explains why something is done or needed, where ITIL provides the "how". Some organizations have used COBIT and COSO, along with the ISO 27001 standard (for managing information security).

How do you actually implement everything involved in IT governance?
95% of companies use one of the following IT governance frameworks while only a few create their own: most companies use COBIT or ITIL, while 65% use a combined form of COBIT & ITIL.

ITIL: It offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management and application management. It is well suited to organizations concerned about operations. It helps organizations across industries offer their services in a quality-driven and cost-effective way. The framework was developed in the 1980s and the most recent update to version 3 was published in 2011. "Infrastructure" covers applications, cloud, web, personnel etc., and the ITIL v3 library consists of five core volumes: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.

COSO: This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO's focus is less IT-specific than the other frameworks, concentrating more on business aspects like enterprise risk management (ERM) and fraud deterrence. In a computerised environment, the goals of asset safeguarding, data integrity, system efficiency & system effectiveness can be achieved only if the organization's management sets up a system of internal control (IC). According to COSO, IC is comprised of five interrelated components:
• Control Environment: For each business process, an organization needs to develop & maintain a control environment, including categorizing the criticality & materiality of each business process and the owner of the business process.
• Risk Assessment: Each business process comes with various risks. A control environment must include an assessment of the risks associated with each business process.
• Control Activities: Control activities must be developed to manage, mitigate & reduce the risks associated with each business process. It is unrealistic to expect to eliminate risks completely.
• Information & Communication: Control activities are associated with the information & communication systems of the entity. These enable an organization to capture & exchange the information needed to conduct, manage & control its business processes.
• Monitoring: The IC process must be continuously monitored & modifications made as warranted by changing conditions.

FAIR (Factor Analysis of Information Risk): FAIR is a relatively new model that helps organizations quantify risk. The focus is on cyber security and operational risk, with the goal of making better-informed decisions. Risk is the probable frequency and probable magnitude of loss tied to an asset. FAIR defines six forms of loss: I) Productivity II) Response III) Replacement IV) Fines and Judgments (F/J) V) Competitive Advantage VI) Reputation.

CMMI (Capability Maturity Model Integration): CMMI, developed by the Software Engineering Institute, is an approach to performance improvement. CMMI uses a scale of 1 to 5 to gauge an organization's performance, quality and profitability maturity level. It contains 22 process areas. It is divided into appraisal, evaluation and structure (SEA). CMMI is particularly well suited to organizations that need help with application development, life-cycle issues and improving the delivery of products throughout the life cycle. CMMI is the successor of the Capability Maturity Model (CMM): version 1.1 in 2002, version 1.2 in August 2006, version 1.3 in November 2010.
Levels of CMMI: Level 1: Initial, Level 2: Managed, Level 3: Defined, Level 4: Quantitatively Managed, Level 5: Optimizing.

COBIT: COBIT is a set of best practices for IT management developed by the Information Systems Audit & Control Association (ISACA) and the IT Governance Institute in 1996. COBIT 5 is ISACA's business framework for the governance & management of enterprise IT. As per COBIT, information is a success driver, but it cannot be ignored that it also raises governance and management issues. Components of COBIT: Framework, Process Descriptions, Control Objectives, Management Guidelines, Maturity Models. Principles of COBIT 5:
> Meet stakeholder needs
> Cover the enterprise end to end
> Apply a single integrated framework (integrate multiple frameworks under one umbrella)
> Enable a holistic approach
> Separate governance from management
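The "things to consider" under security set-up on the previous page (how often damage can happen, compare damage with its monetary value, keep a secondary line of security) and FAIR's frequency-times-magnitude view of risk both describe quantifying loss without giving the arithmetic. The added example below (not part of these notes) carries it through: loss event frequency is the threat event frequency times the probability that each control layer fails, annualized loss is that frequency times the per-event loss summed over FAIR's six loss forms, and a proposed control is judged by the loss it removes against what it costs. The figures, the assumption that layers fail independently, and the function names are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class LossMagnitude:
    """Loss per event split into FAIR's six forms, in currency units.
    Every figure passed in is constructed for illustration."""
    productivity: float = 0.0
    response: float = 0.0
    replacement: float = 0.0
    fines_judgments: float = 0.0
    competitive_advantage: float = 0.0
    reputation: float = 0.0

    def total(self):
        return (self.productivity + self.response + self.replacement
                + self.fines_judgments + self.competitive_advantage
                + self.reputation)


def loss_event_frequency(threat_event_frequency, layer_failure_probs):
    """Loss events per year that get through every control layer.
    Layers are assumed to fail independently, so a secondary line of
    security multiplies the residual frequency down rather than adding
    to it; an egg-shell design has one layer, and a perfect layer is p=0."""
    lef = threat_event_frequency
    for p in layer_failure_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError("a failure probability must lie in [0, 1]")
        lef *= p
    return lef


def annualized_loss(threat_event_frequency, layer_failure_probs, magnitude):
    """Standard annualized loss expectancy: events per year x loss per event."""
    lef = loss_event_frequency(threat_event_frequency, layer_failure_probs)
    return lef * magnitude.total()


def control_net_benefit(ale_before, ale_after, annual_control_cost):
    """Positive means the control removes more expected loss than it costs."""
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    # Constructed scenario: 10 attempts a year against a single perimeter
    # control that fails one time in five; a proposed internal control
    # fails one time in four and costs 30,000 a year to run.
    per_event = LossMagnitude(productivity=10_000, response=5_000,
                              replacement=20_000, reputation=15_000)
    before = annualized_loss(10, [0.2], per_event)
    after = annualized_loss(10, [0.2, 0.25], per_event)
    print(f"ALE before {before:,.0f}, after {after:,.0f}, "
          f"net benefit {control_net_benefit(before, after, 30_000):,.0f}")
```

The quantity to watch is the product of layer failure probabilities: the notes' point that an egg-shell design has nothing behind the shell is exactly the case of a single factor, where one breach of the perimeter is one loss event.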
Chapter 2: Different Types of Information System

Major areas of computer based application
Finance & accounting: This subsystem ensures the financial viability of the org., enforces financial discipline, and plans & monitors the financial budget. It also helps in forecasting revenues and determining & managing financial resources in the best possible way. It includes sub-applications like – Financial accounting; General ledger; Accounts receivable/payable; Asset accounting; Investment management; Cash/Fund management; Balance sheet, etc.
Marketing & sales: This subsystem aims to maximize sales & ensure customer satisfaction. It facilitates order procurement by marketing / advertising products & creating new customers. The sales department uses an order processing system to track orders, generate bills & deliver products, analyze sales data in different regions, compute commission for dealers / salesmen, and render services during the warranty period & beyond.
Production or manufacturing management: This subsystem aims to optimally deploy man, machine & material to maximize production or service. It generates schedules of production and material requirements, monitors product quality, plans for replacement or overhauling of machinery & also helps in overhead cost control & waste control.
Inventory / stores management: This subsystem keeps track of materials in stores. It regulates the maximum / minimum level of stocks, raises an alarm at the danger level of stock, gives timely alerts for re-ordering of materials with the optimal re-order quantity & facilitates stock management by answering various queries about inventory.
Human resource management: Human resource is the most valuable asset of an org. This subsystem aims at adequate utilization of manpower in the most effective & efficient way through a dispute-free environment, to facilitate disruption-free & timely services in business. A skill database (details of qualifications, training, experience, interests etc.) helps management allocate manpower to the right activity at the time of need. It may include – Personnel administration; Recruitment management; Travel management; Benefit administration; Salary administration; Promotion management etc.

Types of Information System
Operational Level System (OLS): It supports operational managers in tracking elementary activities like customer orders, invoices etc. It produces a variety of information for internal & external use. Its role is to effectively process business transactions, control industrial processes, support enterprise communications & collaboration and update corporate databases. The main objective of an OLS is to improve the operational efficiency of the enterprise. System: TPS.
Knowledge Level System: It supports the discovery, processing & storage of knowledge & data. It supports the business in integrating new knowledge into the business, controlling paperwork & enabling group working. E.g. workstations. Systems: OAS, KMS.
Management Level System: It supports middle managers in monitoring, decision-making & administrative activities. It is helpful in answering questions like: are things working well & in order? It also ensures that business procedures are followed & provides periodic reports rather than instant information. Systems: MIS, DSS.
Strategic Level System (SLS): SLS are for strategic managers to track & deal with strategic issues, assisting long-range planning. They support senior level management in tackling & addressing strategic issues and long-term trends, both inside the organization & in the outside world. They answer questions like what products should be launched to increase profit & capture the market. System: EIS.

TPS (Transaction Processing System):
• Developed for the bottom / lowest level of management.
• It organizes & manipulates data or transactions to generate various information for internal / external use.
• It processes transactions like sales / purchase / delivery / payments etc. & demands data in detailed form.
E.g. Tally / ATM / Admission software.
Major activities of TPS:
• Capturing data to organize in files/databases
• Processing files/databases using application software
• Generating information in the form of reports
• Processing queries from various quarters of the organization
TPS Components:
• Input: Source documents (such as customer orders, slips & invoices, employee time cards) are physical inputs into TPS. They serve purposes like
- Capturing data
- Indicating the need to record data
- Providing a permanent file for future access & analysis if retained.
• Processing: After giving input, the transaction gets processed & only then does the user get an output. E.g. Journals, Registers.
• Storage: Ledgers & files which provide storage of data for future reference.
• Output: Any document generated in the system is output. E.g. a Financial Report summarizes the result of transaction processing & expresses it in accordance with the principles of financial reporting. Some documents are both input & output. E.g. Customer Invoice.
Basic features of TPS:
• Large volume of data: As TPS is transaction oriented, it consists of a large volume of data which requires greater storage capacity. It ensures that data regarding economic activities are captured quickly & correctly.
• Automation of basic operations: TPS aims at automating basic operations & the day-to-day functioning of the business enterprise. Any failure in TPS can be havoc for the enterprise.
• Benefits are easily measurable: It reduces the workload of people associated with operations by automating some operations & improves their efficiency. The benefits of TPS are tangible & easily measurable. Thus it is easy to conduct cost-benefit analysis & obtain user acceptance.
• Source of input for other systems: TPS is the basic source of input for other internal IS.
OAS (Office Automation System): The application of computers to handle office activities is termed office automation. It refers to the integration of office functions related to managing information.
Basic activities involved in OAS:
• Document Capture: Documents originating from outside sources like incoming mail, handouts etc. need to be preserved.
• Document Creation: Preparation of documents, dictation, editing etc. It takes a major part of a secretary's time.
• Distribution: Distribution of correspondence to designated recipients.
• Filing, Search, Retrieval, Follow up: Filing, indexing and searching of documents, which takes significant time.
• Calculations: Usual calculator functions like routine arithmetic, operations for bill passing, interest or percentage calculations.
• Recording utilization of resources: Record keeping of the utilization of specific resources by office personnel.
Benefits of Office Automation Systems –
• It improves communication within & between orgs.
• It reduces the cycle time between preparation & receipt of messages.
• It also reduces the cost of communication in terms of time & money.
• It ensures accuracy of information & smooth communication flow.

COMPUTER BASED OAS / TYPES OF OAS

I. Text Processing Systems: It is the most commonly used component of OAS, as a large proportion of office communication takes place in writing. It automates the process of developing documents such as letters, reports, memos etc., which reduces effort & minimizes the chance of errors. It helps in quick production of multiple copies of a document using printers, scanners etc.

II. Electronic Document Management System: It captures the information contained in documents, stores it for future reference & makes it available to users whenever required. This is very useful for remote access to documents, which is almost impossible with manual document management systems, & for internal communication. E.g. a loan application form filed in a branch can be accessed at head office or any office for scrutiny of loan proposals.

IV. Teleconferencing & Video-conferencing Systems: Teleconferencing is used in business meetings involving more than 2 persons located at 2 or more different places. It reduces the time & cost of meetings as participants do not have to travel to attend. It may be audio or video conferencing.

III. Electronic Message Communication Systems – Business enterprises use a variety of communication systems to send & receive messages, e.g. telephone, mail, fax, etc.
Computer based message communication systems reduce the time & cost of sending or receiving messages and also enhance the reliability of messages.
Components of Message Communication Systems
1. Electronic Mail – Features of electronic mail:
• Electronic Transmission – Transmission of email is electronic, hence very quick & almost instantaneous.
• Online Development & Editing – An email message can be developed & edited online before transmission, which eliminates the need for paper & provides a storage facility.
• Broadcasting & Rerouting – Email permits rerouting & sending a message to a large number of target recipients.
• Integration with other IS – E-mail has the advantage of being integrated with other IS, which allows files to be attached.
• Portability – Email can be accessed from any personal computer / tablet / smartphone.
• Economical – Advancements in communication technology & competition among communication service providers have made email the most economical mode for sending & receiving messages.
2. Facsimile (Fax) – It is the electronic communication of images of documents over telephone lines. It uses special software & fax servers to send & receive fax messages using common communication resources. Servers have the ability to receive fax messages & automatically reroute them to the intended recipient after viewing them at a central computer; similarly, a person can leave a fax message with the server, which will send it to the intended recipient automatically. Fax is gradually fading away with the increased use of email.
3. Voice Mail – It is a variation of email in which messages are transmitted as digitized voice. The recipient can access the mailbox & hear messages in the voice of the sender. For security purposes it may require an identification code before the voice mail can be accessed.

Knowledge Management System (KMS) – The world is moving swiftly in the direction of knowledge-based systems as enterprises adopt more & more cost-cutting measures. There is a shift from an economy principally concerned with the management of tangible resources (equipment, machinery, buildings, ...) to an economy in which innovation & growth are determined by intangible resources (knowledge, technology, competencies, ability to innovate, ...). Information & knowledge are key elements of this economy. A firm's competitiveness depends on its knowledge processing, i.e. what it knows, how it uses it & how fast it can learn something new. This is much more influential than the combination of land, labour & capital (the three classical factors of production).
Knowledge Management (KM) is the process of capturing, developing, sharing & effectively using organizational knowledge to achieve organizational objectives. KMS refers to any kind of IT system that stores & retrieves knowledge, improves collaboration, locates knowledge sources, mines repositories for hidden knowledge, captures & uses knowledge, & enhances the KM process.

Types of Knowledge:
Explicit knowledge: It is easily formalized & easily available across the org. in the form of spoken words, written material & compiled data. This type of knowledge can be codified and is easy to document, transfer & reproduce. E.g. online tutorials, policy & procedure manuals.
Tacit knowledge: It resides only in a few hands & is unarticulated, represented as intuition, perspective, beliefs & values that individuals form based on their experiences. It is difficult to document & communicate. E.g. hands-on skills, special know-how, employee experience.
Management Information Systems (MIS) – MIS enables management at different levels in decision making & problem solving by using the results produced by TPS & other information. MIS is "an integrated user-machine system designed for providing information to support operational control, management control & decision making functions in an org." MIS is "a computer based system that provides flexible & speedy access to accurate data". It supports managers at different levels in decision making to achieve organizational goals.
MIS at the top level is comprehensive but is condensed / summarized at the middle level of management. It generates reports which can be displayed on demand or under exceptional conditions.

Characteristics of an effective MIS:
• Management Oriented – Development of the IS should start from an appraisal of management needs & overall business objectives, to meet the requirements of the top, middle or operating levels of management.
• Management Directed – Since MIS is management oriented, management should direct the system's development by devoting sufficient time at the design, review & implementation stages of system development.
• Integrated – All sub-systems are tied together into one entity. An integrated IS is capable of generating more meaningful information for management as it takes a comprehensive & complete view of the org.
• Common Data Flows – It means the use of common input, processing & output procedures wherever required. Data is captured only once, which eliminates duplication in data collection, simplifies operations & makes the system more efficient.
• Heavy Planning Element – MIS development takes 1-3 years or even longer. Therefore, consider future information requirements & objectives as per the organizational structure.
• Sub System Concept – Though MIS is viewed as a single entity, it must be broken down into digestible sub-systems, which can be implemented in a phased plan.
• Common Database – MIS is a "super-file" which consolidates & integrates data stored in separate data files. Data can be accessed by several sub-systems, which eliminates duplication in data storage, updating, deletion & protection.
• Computerized – Use of computers increases the effectiveness & accuracy of the system & consistency in processing data & reduces clerical staff.

Pre-requisites of an effective MIS –
• Database – Data in the database should be easily accessible with minimum redundancy. It should be:
- User-oriented.
- Capable of being used as a common data source by various users.
- Available to authorized persons only.
- Controlled by a separate authority.
• Qualified System & Management Staff –
- Qualified system staff refers to computer experts who develop & maintain the system & are capable of understanding management concepts, to facilitate understanding of the problems faced by the org.
- Management staff refers to those who use & understand the operation of the MIS & give guidance on the types of information required.
• Support of Top Management – It is required for the effectiveness of MIS in the org.
- If top management does not support the MIS, then it will not be supported by subordinates either & will get lower priority & may be delayed or abandoned.
- To gain the support of top management, officers should place before top management all supporting facts & state clearly the benefits accruing from it to the org.
• Control & Maintenance of MIS – Sometimes users develop their own procedures or shortcut methods to use the system, which reduce its effectiveness. Control ensures everyone operates the system as it was designed to operate. It has to be improved with time, hence maintenance is required.
• Evaluation of MIS – MIS should continuously meet the information required by executives. This can be achieved by evaluating the MIS & taking appropriate action in time. It should consider:
- Existence of flexibility in the MIS to cope with expected or unexpected information requirements in future.
- Views of users & designers about the capabilities & deficiencies of the system.
- Guiding the appropriate authority on the steps to maintain the effectiveness of the MIS.

Constraints in operating a MIS –
• Non-availability of experts who can diagnose the objectives of the org. & provide direction to install a suitable system & operate it. This can be overcome by grooming internal staff through proper selection & training.
• Experts face the problem of selecting which sub-system of the MIS to install & operate first. This can be overcome by understanding the criteria which guide the need & importance of a function for which MIS can be installed first.
• Due to the varied objectives of orgs., the approach adopted by experts for designing & implementing MIS is a non-standardized one.
• Non-availability of cooperation from staff is a crucial problem, which should be handled tactfully by educating them (organizing lectures, showing films to explain the utility of the system) & involving them in the development & implementation of the system.

Limitations of MIS –
• The quality of the outputs of MIS depends on the quality of its inputs & processes.
• MIS is not a substitute for management. It cannot replace managerial judgment in making decisions. It is merely a tool for executives for decision making & problem solving.
• MIS may not quickly update itself with changes in needs over time.
• MIS is not a tailor-made information package suitable for every type of decision to be made by executives.
• MIS takes into account mainly quantitative factors & ignores non-quantitative factors like the morale & attitude of members of the org., which are important for decision making.
• MIS is less useful for making non-programmed decisions. Such decisions are not of a routine type & thus require information which may not be available in the existing MIS.
• The effectiveness of MIS is reduced in enterprises having a culture of hoarding (not sharing) information.
• The effectiveness of MIS decreases due to frequent changes in top management, organizational structure & the operational team.

Misconceptions about MIS –
o Any computer based IS is a MIS.
o Any reporting system is MIS.
o It is a management technique.
o It is a bunch of technologies.
o It is a file structure.
o MIS is about the use of computers.
o More data means more information to managers.
o Accuracy plays a vital role in reporting.
Decision Support System (DSS) – DSS is an interactive software-based system intended to help decision making by compiling useful information from raw data, documents, personal knowledge, and/or business models to identify and solve problems & make decisions. It is defined as a system that provides tools to managers to assist them in solving semi-structured & unstructured problems. It does not make decisions for managers, but rather generates the information required by them in making decisions. DSS supports the human decision-making process rather than replacing it.
Components of DSS –
• The user – Managers with unstructured / semi-structured problems to solve, without a computer background.
- Managers – They have basic computer knowledge & want the DSS to be very user friendly; they may be at any level, top or operating.
- Staff Specialists (Analysts) – They are more detail oriented & are willing to use complex systems in their day-to-day work.
• Databases – DSS includes routine & non-routine data from both internal (from TPS & MIS) & external (from EIS) sources.
The database is implemented at three levels:
- Physical level – It involves the implementation of the database on hard disk, i.e. the storage of data on disk.
- Logical level – It is designed by professional programmers who have complete knowledge of the DBMS. It deals with the nature of the data stored and the schema of the data. Storage is divided into various tables having rows & columns, with techniques for defining relationships and indexes.
- External level – The logical level defines the schema, which is divided into smaller units known as sub-schemas, each containing all the relevant data needed by a manager.
• Model base – It is the "brain" of the DSS because it performs data manipulations & computations with the data provided to it by the user & the database.
• Planning languages –
- General-purpose planning languages allow users to perform many routine tasks like retrieval of data and statistical analyses. E.g. the languages used in Excel spreadsheets.
- Special-purpose planning languages are more limited in what they do, but they do certain jobs better than GPPLs. E.g. programming languages for PC.
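The three database levels listed above, and the MIS pre-requisite that data be "available to authorized persons only", are easiest to see on a concrete schema. The added example below (not from these notes) builds the logical level as SQLite tables with a key and an index, the external level as views, one sub-schema per manager role, and then serves queries only through the views a role is allowed, so base tables (and the salary column) stay hidden from the sales manager. The role names, view names and sample rows are constructed for the example; SQLite is used because it ships with Python, although it has no GRANT statement, so the sub-schema check is done in the application layer here.

```python
import sqlite3

# Constructed sample rows (physical level: where SQLite actually puts them
# is invisible to the application, as the notes' "physical level" implies)
EMPLOYEES = [
    (1, "Asha", "sales", 52000),
    (2, "Ravi", "sales", 48000),
    (3, "Mira", "production", 61000),
]
ORDERS = [
    (101, 1, 1200.0),
    (102, 2, 800.0),
    (103, 1, 300.0),
]

# External level: the sub-schema (set of views) each manager role may read.
# Role and view names are assumptions for this example.
SUBSCHEMA = {
    "sales_manager": {"v_sales_by_rep"},
    "hr_manager": {"v_headcount_by_dept", "v_salary_by_dept"},
}


def build_database():
    """Logical level: tables, a foreign-key relationship and an index.
    Returns an in-memory connection holding the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT,
                              dept TEXT, salary REAL);
        CREATE TABLE sales_order(id INTEGER PRIMARY KEY,
                                 rep_id INTEGER REFERENCES employee(id),
                                 amount REAL);
        CREATE INDEX idx_order_rep ON sales_order(rep_id);
        -- External level: each view exposes only what one manager needs.
        -- The sales view joins to employee for the name but never
        -- selects salary, so that column is not in the sales sub-schema.
        CREATE VIEW v_sales_by_rep AS
            SELECT e.name AS rep, SUM(o.amount) AS total
            FROM sales_order o JOIN employee e ON e.id = o.rep_id
            GROUP BY e.name;
        CREATE VIEW v_headcount_by_dept AS
            SELECT dept, COUNT(*) AS headcount FROM employee GROUP BY dept;
        CREATE VIEW v_salary_by_dept AS
            SELECT dept, SUM(salary) AS payroll FROM employee GROUP BY dept;
    """)
    con.executemany("INSERT INTO employee VALUES (?,?,?,?)", EMPLOYEES)
    con.executemany("INSERT INTO sales_order VALUES (?,?,?)", ORDERS)
    return con


def query_as(con, role, view):
    """Serve a manager only through the views in their sub-schema.
    The view name goes into the SQL text, so it is checked against the
    allow-list first; a base-table name or an unknown role is refused."""
    allowed = SUBSCHEMA.get(role, set())
    if view not in allowed:
        raise PermissionError(f"{role!r} may not read {view!r}")
    return con.execute(f"SELECT * FROM {view} ORDER BY 1").fetchall()


if __name__ == "__main__":
    db = build_database()
    print(query_as(db, "sales_manager", "v_sales_by_rep"))
    print(query_as(db, "hr_manager", "v_salary_by_dept"))
    try:
        query_as(db, "sales_manager", "employee")
    except PermissionError as exc:
        print("refused:", exc)
```

With a server DBMS the same split is enforced by the engine: the views are granted to a role and the base tables are not, which is what "controlled by a separate authority" in the MIS pre-requisites amounts to in practice.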
Characteristics of DSS
o DSS supports decision making at all levels of management.
o It should also help groups in making decisions instead of helping individuals only.
o It should be flexible & adaptable to change as the environment changes.
o DSS focuses on decisions rather than on data & information.
o It should be easy to use, i.e. user friendly. Users without knowledge of computer programming should be able to generate reports with the help of the DSS.
o It can be used for semi-structured & unstructured problems.
o It should be extensible & evolve over time.
o DSS is used for making decisions rather than for communicating decisions.

Examples of DSS in Accounting –
• Cost Accounting System – The health care industry is well known for its cost complexity. Managing costs in such an industry requires controlling the costs of supplies, expensive machinery, technology, & a variety of personnel. Cost accounting applications help health care enterprises calculate product costs for individual procedures or services. A DSS can accumulate these product costs to calculate the total cost per patient.
• Capital Budgeting System – Decision makers need to supplement analytical techniques (like NPV or IRR) with decision support tools. A DSS allows decision makers to consider financial, non-financial, quantitative & qualitative factors in their decision-making processes. Using a DSS they can evaluate multiple investment alternatives at once.
• Budget Variance Analysis System – Financial institutions rely heavily on their budgeting systems for controlling costs & evaluating managerial performance. A DSS generates variance reports & allows them to analyze variances in tabular & graphical form to forecast the budget.
• General Decision Support System – DSS also solves general accounting problems like ratio analysis, working capital or debtor management etc.

Chapter 2: Different Type of Information System
Executive Information Systems (EIS) – Also referred to as Executive Support System (ESS). It serves the strategic level, i.e. top level managers. It creates a generalized computing & communications environment rather than providing any preset applications or specific competence.
Characteristics of EIS –
- EIS is a computer-based information system that serves the information needs of top executives.
- EIS enables users to extract summary data without the need to learn query languages, statistical formulas or high computing skills.
- EIS provides rapid access to timely information.
- EIS is capable of accessing both internal & external data.
- EIS provides extensive online analysis tools like trend analysis, market conditions analysis, etc.
- EIS can be given as DSS support for decision making.

The Executive Decision-Making Environment – Executives make decisions based on vision to make their enterprise successful. They rely mostly on their own intuition. The intuitive character of decision-making reflects the types of information useful to executives.
Characteristics of information used in EIS:
- Lack of structure – Decisions made by executives are relatively unstructured & not as clear-cut. It is not always known 'which data are required' or 'how to weigh available data in decision making.'
- High degree of uncertainty – Results of decisions are not scientifically predictable & are often characterized by lack of precedent.
- Future orientation – It is the executive's responsibility to make sure that the organization keeps pointed toward the future & to take strategic decisions to shape future events. They need to take care about future technologies, competition & future government policies.
- Informal source – Executives rely heavily on informal sources for key information. E.g. lunch with a colleague in another firm, or information from TV, might reveal some important competitor strategies.
- Low level of detail – Executive decisions are made by observing broad trends, which requires awareness of the large overview rather than tiny items; i.e. only sometimes are answers to questions found by going through details.

Contents of EIS – EIS includes "whatever is interesting to executives". A practical set of principles to guide the design of measures and indicators to be included in an EIS:
- EIS measures must be easy to understand & collect data for. Data should be collected naturally as part of the process of work.
- EIS measures should not add substantially to the workload of managers/staff.
- EIS measures must be based on a balanced view of the organization's objectives in the areas of productivity, resource management, and quality & customer service.
- Performance indicators in EIS must reflect everyone's contribution in a fair & consistent manner.
- EIS measures must encourage management & staff to share ownership of the organization's objectives.
- EIS information must be available to everyone in the organization to provide information about the organization's performance.
- Confidential information should not be part of the EIS of the organization.
- EIS measures must evolve to meet the changing needs of the organization.
DIFFERENCE BETWEEN DSS & TRADITIONAL MIS
Basis                 | DSS                                                              | Traditional MIS
Philosophy            | Provide integrated tools, data, models & languages to end users  | Provide structured info. to end users
Orientation           | External orientation                                             | Internal orientation
Flexibility           | Highly flexible                                                  | Relatively inflexible
Analytical capability | More analytical                                                  | Little analytical
System analysis       | Emphasis on tools to be used in decision process                 | Emphasis on info. requirement analysis
System design         | Interactive process                                              | System development based on static info. requirements

DIFFERENCE BETWEEN EIS & TRADITIONAL INFORMATION SYSTEMS
Basis                    | EIS                             | Traditional IS
Nature of information    | Specific issues/problems access | Status reporting & aggregate reporting
Level of management      | Top executives                  | Lower staff
Nature of info. provided | Online tools analysis           | Offline status reporting
Drill down facility      | Available                       | Not available
Information sources      | More external, less internal    | Internal
Information format       | Text with graphics              | Tabular
Nature of interface      | User-friendly                   | Computer-operator generated
Expert System – ES is a highly developed DSS that utilizes knowledge generally possessed by an expert to solve a problem. ES imitate the reasoning processes of human experts & provide decision makers with expert-type advice. ES have the ability to explain the reasoning process that was used to make decisions.
E.g. an ES for investment portfolio management might ask specific questions like – how much can be invested, preferences regarding any securities, etc.
Business applications of Expert Systems:
- Accounting & Finance – It provides tax advice & assistance, investment advice, and help with credit-authorization decisions.
- Marketing – It establishes sales quotas, responds to customer inquiries, and determines discount policies.
- Manufacturing – It determines whether a process is running correctly by analyzing quality & providing corrective measures, maintaining facilities, scheduling job-shop tasks, selecting transportation routes, assisting product design, etc.
- Personnel – It helps in assessing applicant qualifications & assists employees in filling forms.
- General Business – It helps to assess project proposals, recommend acquisition strategies, educate trainees & evaluate performance.
Properties of Expert System:
- Availability – Experts must be capable of communicating the problems to which ES will be applied.
- Complexity – ES should be able to solve complex tasks which require logical inference processing.
- Domain – The domain, or subject area, of the problem is relatively small & limited to a relatively well-defined problem area.
- Expertise – Solutions to the problem require the effort of experts. Only a few possess the knowledge, techniques, & intuition needed.
- Structure – The solution process must be able to cope with ill-structured, uncertain, missing, & conflicting data.
Benefits of Expert Systems –
- ES preserve knowledge that might be lost through retirement / resignation / death of an expert.
- ES put information into an active form so it can be used almost as a real-life expert.
- ES assist novices in thinking the way experienced professionals do.
- ES are not emotional.
- ES can be used as a strategic tool in the areas of marketing & improving products, cutting costs.
Need for Expert Systems –
- Expert labor is expensive & scarce. Hence, companies cannot easily find & keep experts.
- An expert can only handle a few factors at a time, but ES can handle all factors at a time.
- The practical limit on the quality of human decision making creates a need for ES.
Components of Expert System:
1. Knowledge Base: The knowledge base stores the rules, data and relationships that are used to solve problems and contains specific facts about the expert area. For instance, the example where an insurance agent needs both expert tax and financial advice is a good candidate for an Expert System with two knowledge bases.
2. Inference Engine (infer means to draw a conclusion): The inference engine is the main processing element, consisting of a system of programs that requests data from the user, manipulates the knowledge base and provides a decision to the user. It performs this task in order to deduce new facts, which are then used to draw further conclusions.
3. Knowledge Acquisition Subsystem (KAS): The Knowledge Acquisition Subsystem is the software component of an Expert System that enables one to build and refine an expert system's knowledge base.
4. UI: A user interface is the method by which an expert system interacts with a user. This can be through dialog boxes, command prompts, forms, or other input methods.
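The four components above, as an added example written for these notes (not code from the notes or any product): a knowledge base of IF-THEN rules, a forward-chaining inference engine that keeps deducing new facts until no rule fires, a user interface that takes the case facts, and an explanation trace showing the reasoning, which is the property the text says distinguishes ES. The credit-authorization rules and the applicant facts are constructed sample values, not an actual lending policy.

```python
"""Added example: a minimal rule-based expert system with a knowledge base,
a forward-chaining inference engine and an explanation of its reasoning.
The rules (R1..R5) and fact names are constructed for illustration only."""

from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: frozenset   # every fact that must already be known
    conclusion: str         # new fact deduced when the rule fires


@dataclass
class ExpertSystem:
    rules: list
    facts: set = field(default_factory=set)
    trace: list = field(default_factory=list)   # explanation of reasoning

    def tell(self, *facts):
        """User interface: the user asserts what is known about the case."""
        self.facts.update(facts)

    def infer(self):
        """Inference engine (forward chaining): fire every rule whose
        conditions are satisfied, repeating until no new fact appears."""
        changed = True
        while changed:
            changed = False
            for rule in self.rules:
                if rule.conclusion in self.facts:
                    continue                     # already deduced
                if rule.conditions <= self.facts:
                    self.facts.add(rule.conclusion)
                    self.trace.append(
                        f"{rule.name}: {sorted(rule.conditions)} -> {rule.conclusion}")
                    changed = True
        return self.facts

    def explain(self):
        """Return the chain of rule firings that produced the conclusions."""
        return list(self.trace)


# Knowledge base: constructed credit-authorization rules of thumb.
CREDIT_RULES = [
    Rule("R1", frozenset({"income_verified", "debt_ratio_low"}), "capacity_ok"),
    Rule("R2", frozenset({"no_defaults", "history_gt_2y"}), "history_ok"),
    Rule("R3", frozenset({"capacity_ok", "history_ok"}), "approve"),
    Rule("R4", frozenset({"capacity_ok", "history_gt_2y", "recent_default"}),
         "refer_to_officer"),
    Rule("R5", frozenset({"debt_ratio_high"}), "decline"),
]


def decide(*facts):
    """Load the knowledge base, assert the case facts, run inference and
    return (decision, explanation). Unknown cases are not guessed."""
    es = ExpertSystem(rules=CREDIT_RULES)
    es.tell(*facts)
    es.infer()
    for outcome in ("approve", "refer_to_officer", "decline"):
        if outcome in es.facts:
            return outcome, es.explain()
    return "insufficient_data", es.explain()


if __name__ == "__main__":
    decision, why = decide("income_verified", "debt_ratio_low",
                           "no_defaults", "history_gt_2y")
    print(decision)          # approve
    for step in why:         # the explanation an ES can give for its advice
        print("  ", step)
```

Each call to `decide` returns the conclusion together with the rule firings that led to it, so a loan officer can audit why the system advised as it did; when no rule chain reaches a decision the engine reports that the data is insufficient rather than inventing an answer.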
Application of Expert System
1) Accounting and Finance: It provides tax advice and assistance, helps with credit-authorization decisions, selects forecasting models, and provides investment advice.
2) Marketing: It helps in establishing sales quotas, responding to customer inquiries, referring problems to telemarketing centers, assisting with marketing timing decisions, and determining discount policies.
3) Manufacturing: It helps in determining whether a process is running correctly, analyzing quality and providing corrective measures, maintaining facilities, scheduling job-shop tasks, selecting transportation routes, and assisting with product design and facility layouts.
4) Personnel: It is useful in assessing applicant qualifications and assisting employees in filling out forms.
5) General Business: It helps in assessing project proposals, recommending acquisition strategies, educating trainees, and evaluating performance.
6) Cognitive Science: Cognitive science is an area of artificial intelligence based on research in biology, neurology, psychology, mathematics, and many allied disciplines. It focuses on researching how the human brain works and how humans think and learn. The results of such research in human information processing are the basis for the development of a variety of computer-based applications in artificial intelligence. It includes adaptive learning systems that can modify their behaviors based on information they acquire as they operate.
7) Robotics: Robotics is an interdisciplinary branch of engineering and science that includes mechanical engineering, computer science and others. It deals with the design, construction, operation and use of robots as well as the computer systems for their control, sensory feedback and information processing. AI, engineering and physiology are the basic disciplines of robotics. This technology is used to develop machines that can substitute for humans. This area, thus, includes applications designed to give robots the power of sight, visual perception, touch, locomotion, navigation, etc.
8) Natural Interfaces: A Natural Interface or Natural User Interface (NUI) is a user interface that is effectively invisible and remains invisible as the user continuously learns increasingly complex interactions. The development of natural interfaces is considered a major area of AI applications and is essential to the natural use of computers by humans. For e.g. the development of natural languages and speech recognition are major thrusts of this area of AI. Being able to talk to computers and robots in conversational human languages and have them "understand" us as we understand each other is a goal of AI research. This goal involves research and development in linguistics, psychology, computer science and other disciplines. Other natural interface research applications include the development of multisensory devices that use a variety of body movements to operate computers, which is related to the emerging application area of virtual reality. Virtual reality involves using multisensory human-computer interfaces that enable human users to experience computer-simulated objects, spaces, activities, etc.
9) Knowledge Engineering (KE): Knowledge Engineering refers to all technical, scientific and social aspects involved in building, maintaining and using knowledge-based systems. A knowledge engineer is a professional who works with experts to capture the knowledge they possess. The knowledge engineer then builds the knowledge base using an iterative, prototyping process until the expert system is acceptable. Thus, knowledge engineers perform a role similar to that of systems analysts in conventional information systems development. Once the decision is made to develop an expert system, a team of one or more domain experts and a knowledge engineer may be formed. Experts skilled in the use of expert system shells could also develop their own expert system. If a shell is used, facts and rules of thumb about the specific domain can be defined and entered into a knowledge base with the help of a rule editor or other knowledge acquisition tool. A limited working prototype of the knowledge base is then constructed, tested and evaluated using the inference engine and user interface programs of the shell. The knowledge engineer and domain experts can modify the knowledge base, then retest the system and evaluate the results. This process is repeated until the knowledge base and the shell result in an acceptable expert system.
Artificial intelligence (AI) is the intelligence exhibited by machines or software. It is also the name of the academic field of study which studies how to create computers and computer software that are capable of intelligent behavior. AI is the science and engineering of making intelligent machines, especially intelligent computer programs. It is related to the task of using computers to understand human intelligence. The goal of AI is to develop computers that can simulate the ability to think, as well as see, hear and feel.
The most important attributes of intelligent behavior are as follows:
1. Think and reason.
2. Use reason to solve problems.
3. Learn or understand from experience.
4. Acquire and apply knowledge.
5. Exhibit creativity and imagination.
6. Deal with complex or perplexing situations.
7. Respond quickly and successfully to new situations based on previous experiences and acquired knowledge.
8. Recognize the relative importance of elements in a situation.
Major Branches of AI
1. Neural Networks: Neural networks are made of artificial neurons, connected by weights, which are indicative of the strengths of the connections. The neurons are arranged in layers, and depending on the complexity of the application, there could be hundreds or thousands of neurons. Iterative propagation of input from one layer of neurons to the next (training) is what enables the neural network to learn from experience. Unlike humans, when a neural network is fully trained, it can classify and identify patterns in massive amounts of complex data, at high speeds that cannot be duplicated by humans.
2. Expert System: An expert system can solve real-world problems using human knowledge and following human reasoning skills. Knowledge and thinking processes of experts are collected and encoded into a knowledge base. From that point on, the expert system could replace or assist the human experts in making complex decisions by integrating all the knowledge it has in its knowledge base.
Genetic Algorithms: The genetic algorithm is a method for solving both constrained and unconstrained optimization problems that is based on natural selection, the process that drives biological evolution. It is a growing application of artificial intelligence. It uses Darwinian (survival of the fittest) randomizing and other mathematical functions to simulate an evolutionary process that can yield increasingly better solutions to a problem. Genetic algorithm software is being used to model a variety of scientific, technical and business processes. Genetic algorithms are especially useful for situations in which thousands of solutions are possible and must be evaluated to produce an optimal solution. Genetic algorithm software uses sets of mathematical process rules (algorithms) that specify how combinations of process components or steps are to be formed. This process may involve trying random process combinations, combining parts of several good processes, and selecting sets of processes and discarding poor ones to generate increasingly better solutions.
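The evolutionary process just described, as an added example written for these notes (not the notes' own code): a genetic algorithm applied to a small 0/1 knapsack problem, with a random starting population, survival-of-the-fittest selection, combining parts of good solutions (crossover), random changes (mutation) and discarding of poor solutions each generation. The item weights and values are constructed sample data; a brute-force check is included only because the instance is small enough to enumerate, which is exactly what a GA avoids on large problems.

```python
"""Added example: a genetic algorithm for a constructed 0/1 knapsack instance.
A chromosome is a list of bits, one per item (1 = item taken)."""

import random

# Constructed sample items: (weight, value). Knapsack capacity is 15.
ITEMS = [(2, 3), (3, 4), (4, 5), (5, 8), (9, 10), (4, 6), (1, 1), (7, 9)]
CAPACITY = 15


def fitness(chromosome, items=ITEMS, capacity=CAPACITY):
    """Total value of the chosen items; an overweight selection scores 0,
    so selection discards infeasible solutions."""
    weight = sum(w for bit, (w, _) in zip(chromosome, items) if bit)
    value = sum(v for bit, (_, v) in zip(chromosome, items) if bit)
    return value if weight <= capacity else 0


def tournament(population, fit, rng, k=3):
    """Survival of the fittest: the best of k randomly picked individuals."""
    return max(rng.sample(population, k), key=fit)


def crossover(parent_a, parent_b, rng):
    """Combine parts of two good solutions at a random cut point."""
    point = rng.randrange(1, len(parent_a))
    return parent_a[:point] + parent_b[point:]


def mutate(chromosome, rng, rate=0.05):
    """Randomly flip bits so new combinations keep being tried."""
    return [bit ^ 1 if rng.random() < rate else bit for bit in chromosome]


def genetic_algorithm(items=ITEMS, capacity=CAPACITY, pop_size=50,
                      generations=100, seed=1):
    """Evolve a population of chromosomes and return (best, value)."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    n = len(items)

    def fit(chromosome):
        return fitness(chromosome, items, capacity)

    population = [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size)]
    for _ in range(generations):
        elite = max(population, key=fit)      # keep the best so far unchanged
        children = [elite]
        while len(children) < pop_size:
            child = crossover(tournament(population, fit, rng),
                              tournament(population, fit, rng), rng)
            children.append(mutate(child, rng))
        population = children                 # the old, poorer set is discarded
    best = max(population, key=fit)
    return best, fit(best)


def brute_force(items=ITEMS, capacity=CAPACITY):
    """Exhaustive search over all 2**n selections to confirm the GA result on
    this small instance; infeasible when n is large."""
    n = len(items)
    return max(fitness([(mask >> i) & 1 for i in range(n)], items, capacity)
               for mask in range(1 << n))


if __name__ == "__main__":
    best, value = genetic_algorithm()
    print("GA best:", best, "value", value)       # value 22 on this instance
    print("exhaustive optimum:", brute_force())   # 22
```

With 8 items there are only 256 candidate selections, so the exhaustive search is cheap and confirms the GA's answer; with a few hundred items the same GA code still runs in seconds while enumeration becomes impossible, which is the situation the text describes.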

Neural Networks: Also called Artificial Neural Networks (ANN) or connectionist systems. They are computing systems inspired by the biological neural networks that constitute animal brains. Such systems learn to do tasks by considering examples, generally without task-specific programming. An ANN is based on a collection of connected units called artificial neurons. Each connection between neurons can transmit a signal to another neuron. The receiving neuron can process the signal and then signal downstream neurons connected to it. Neurons may have state, generally represented by real numbers, typically between 0 and 1. Typically, neurons are organized in layers. Different layers may perform different kinds of transformations on their inputs. Signals travel from the first (input) to the last (output) layer, possibly after traversing the layers multiple times. The original goal of the neural network approach was to solve problems in the same way that a human brain would. Neural networks have been used on a variety of tasks, including computer vision, speech recognition, machine translation, social network filtering, playing board and video games, medical diagnosis and in many other domains.
Chapter 3 Information Technology Strategy and Trend
Information Technology as Strategic Vision
The top level management can use the tools and services of information technology
i) for these external affairs of the business:
- To analyze the competitive activities related to rivalry and new competitors
- To analyze customer preferences, historical behaviors of customers, and the changes in business in different time frames
- To analyze economic trends, legal rulings and technological changes which impact the business and its profits
ii) for the following internal business activities:
- To analyze historical sales and costs of the products
- To analyze profit, cash flow, divisional income, expenses
- To analyze financial ratios, interests, credit outstanding
The information related to these activities is available with the use of information technology. This is how the top level management benefits from the use of IT to achieve its strategic vision.

Position and Business focus of the entity
i) Business Level Strategy: The Value Chain Model
This strategy helps us to compete effectively in a particular market. The most common generic strategies at this level are:
- To become the low-cost producer
- To differentiate the product or service
- To change the scope of competition by either enlarging the market or narrowing the market by focusing on small niches not well served by competitors.
Digital firms provide new capabilities for supporting business-level strategy by managing the supply chain, building efficient customer "sense and respond" systems, and participating in value webs to deliver new products and services to market.
ii) Leveraging Technology in the Value Chain
At the business level the most common analytical tool is value chain analysis. The value chain model highlights specific activities in the business where competitive strategies can best be applied and where information systems are most likely to have a strategic impact. The value chain model identifies specific, critical leverage points where a firm can use information technology most effectively to enhance its competitive position. This model views the firm as a series or chain of basic activities that add a margin of value to a firm's products or services. These activities can be categorized as either primary activities or support activities.

Planning of information system strategy with business strategy
A business firm has specific strategy plans for specific periods of time to achieve some specific goals. Development and deployment of information systems should be in line with the strategy of the firm. The information system manager should understand how the system can change the social and work life in the firm, so the information system manager should have a clear idea of what type of system needs to be built, what it will do and how it will be implemented. While planning the information system strategy, other things to be considered are the consequences that might follow the implementation, e.g. reduction of human resources, cutting of jobs, need of expert manpower and need of new equipment.
In short, points to be considered while planning information system strategy with the business strategy are thus:
a. Business Environment
b. Organizational Culture
c. Organizational Structure
d. Business Process
e. Internal Politics
f. Management Decision Making process

Factors Influencing IT
1. Flexibility of Changes in Technology and Business
2. Budget
3. Speed to the Market
4. Legal and Regulatory body
5. Business Units
The factors which influence information technology can be listed as:
1. The organization's internal flexibility and acceptance of the changes in business.
2. Budget available in the organization.
3. Speed and access to the market.
4. The governing rules and regulations of the regulatory organization of the country.
5. International norms and practices about the technology.
6. Personnel self-interest and motivation towards the use of technology.
7. The functional business units of the organization.
8. Knowledge and qualifications of the personnel.

How does the factor of changes in technology affect the IT strategy of a business organization?
IT strategy mainly involves planning the deployment of systems and services for the betterment of business processes. If the strategy is made without rigorous study of the technological and other changes, the system or service planned can be obsolete or of little use by the time it is deployed and ready for organizational use. For example, let's assume a financial audit system is planned to integrate with the existing old accounting platform. All the dimensioning, designing and testing is done with the old accounting system. However, suddenly the management decides to deploy a new accounting platform, and the audit system is not tested with the new system. It might not integrate, or it might create more delays in testing and customizing again. Hence, the overall strategy should consider all possible aspects of current and future changes in the whole organizational ecosystem in terms of technologies and trends.

Current Status of IT
1) Hardware: Computer hardware consists of a central processing unit, primary storage, secondary storage, input devices, output devices and communication devices.
2) Software: Software is the detailed instructions that control the operation of a computer system. The functions of software are to:
i) Manage the computer resources of the organization
ii) Provide tools for human beings to take advantage of these resources
iii) Act as an intermediary between organizations and stored information.
Types of Software:
A. System Software: System Software is a set of generalized programs that manage the resources of the computer, such as the central processor, communication links, and peripheral devices. E.g. of System software:
i) Operating System: schedules computer events, allocates computer resources & monitors events
ii) Language Translators: Interpreters & Compilers
iii) Utility Programs: Routine operations (e.g. sort, list, print) & managing data (e.g. create file, merge files)
B. Application Software: Application software describes the programs that are written for or by users to apply the computer to a specific task. Programmers who write application software are called application programmers. E.g. Programming Language, Assembly Language, COBOL, Basic, Pascal
3) People, Procedure and Data: Procedures are operating instructions for the people who will use an information system. Examples are instructions for filling out a paper form or using a software package.
Risk
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
Process of Risk Management
1. Risk Identification
The project manager needs to anticipate the risks in the project as early as possible so that the impact of the risks can be minimized by making effective risk management plans. So early risk identification is important.
Types of Risk:
i) Project risk: Project risks concern various forms of budgetary, schedule, personnel, resource and customer-related problems.
ii) Technical risk: Technical risks concern potential design, implementation, interfacing, testing, and maintenance problems. Technical risks also include ambiguous specification, incomplete specification, changing specification, technical uncertainty, and technical obsolescence. Most technical risks occur due to the development team's insufficient knowledge about the product.
iii) Business risk: Business risks include the risk of building an excellent product that no one wants, losing budgetary or personnel commitments, etc.
2. Risk Assessment
The objective of risk assessment is to rank the risks in terms of their damage-causing potential. For risk assessment, each risk should first be rated in two ways:
- The likelihood of the risk coming true (r)
- The consequence of the problems associated with that risk (s)
If all identified risks are prioritized, then the most likely and most damaging risks can be handled first and more comprehensive risk abatement procedures can be designed for these risks.
3. Risk Containment
After all the identified risks of a project are assessed, plans must be made to contain the most damaging and the most likely risks. Different risks require different containment procedures. There are three main strategies for risk containment:
- Avoid the risk
- Transfer the risk
- Reduce the risk (described next)
4. Risk Reduction
This involves planning ways to contain the damage due to a risk. For e.g. if there is a risk that some key personnel might leave, new recruitment may be planned. For this, the risk leverage must be computed for each risk. Risk leverage is the difference in risk exposure divided by the cost of reducing the risk.
Factors that increase the risk
1. The Nature of Complex Systems: Many individuals understand parts of a system, but few understand all of a complex system. Inability to anticipate how the system will operate under all circumstances leads to accidents and increases the chances of computer crime.
2. Pressure in the Business Environment: The business environment increases vulnerability by adding pressure to complete systems rapidly with limited staff. In the rush to meet deadlines with insufficient resources, features and testing that reduce vulnerability may be left out.

Factors Influencing development of IT
The factors which affect the efficient deployment of Information Technology can be summarized as:
1. Human behavior: The existing personnel are generally reluctant to change in the system and its operation.
2. Cost: The cost of deployment may be higher in the initial stage, so management may be unwilling.
3. Need of expert manpower: For the efficient deployment of Information Technology there will be a need for technical manpower which can handle and execute the system. Sometimes such manpower is not available.
4. Dependency on machine: The use of IT in an organization means depending on the technology for each and every operation of the organization. A power failure disrupts the overall operation of the organization.
5. Change management: During the stage of transition from the existing system to the new IT system there might be a problem deciding which system to operate and how to manage if it fails. Moreover, migrating the existing system and data to the new system is another big challenge.
6. Organizational strategic plan: This is the critical thing which affects efficient deployment. If the organization is not clear about its strategic vision, the deployment will not be as expected.
Moral dimension of IT
The following can be considered as the moral dimensions of IT:
1. Information rights and obligations: What information rights do individuals and organizations possess with respect to information about themselves? What can they protect? What obligations do individuals and organizations have concerning this information?
2. Property rights: How will traditional intellectual property rights be protected in a digital society in which tracing and accounting for ownership is difficult, and ignoring such property rights is so easy?
3. Accountability and Control: Who can and will be held accountable and liable for the harm done to individual and collective information and property rights?
4. System Quality: What standards of data and system quality should we demand to protect individual rights and the safety of society?
5. Quality of Life: What values should be preserved in an information and knowledge based society? What institutions should we protect from violation? What cultural values and practices are supported by the new information technology?
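The risk assessment and risk reduction steps above, worked through as an added example for these notes (not the notes' own material): each risk is rated by likelihood r and consequence s, risk exposure is taken as r × s, risks are ranked by exposure so the most likely and most damaging are handled first, and each candidate mitigation is scored by risk leverage, the reduction in exposure divided by the cost of the mitigation. The project risks, ratings, mitigation costs and the person-day unit are constructed sample values.

```python
"""Added example: risk assessment (rank by exposure = r * s) and risk
reduction (choose mitigations by risk leverage). All figures are constructed."""

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str        # project, technical or business (the three types above)
    likelihood: float    # r: probability the risk comes true, 0..1
    consequence: float   # s: loss if it does, in person-days (constructed unit)

    @property
    def exposure(self):
        """Risk exposure = likelihood * consequence."""
        return self.likelihood * self.consequence


@dataclass
class Mitigation:
    risk: Risk
    cost: float              # cost of reducing the risk, in person-days
    new_likelihood: float    # r after the mitigation
    new_consequence: float   # s after the mitigation

    @property
    def leverage(self):
        """Risk leverage = (exposure before - exposure after) / cost.
        A value above 1 means the mitigation saves more than it costs."""
        after = self.new_likelihood * self.new_consequence
        return (self.risk.exposure - after) / self.cost


def rank_risks(risks):
    """Risk assessment: most likely and most damaging first (stable on ties)."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def choose_mitigations(mitigations, budget):
    """Risk reduction: take mitigations in order of leverage while the budget
    lasts, skipping any that do not pay for themselves (leverage <= 1)."""
    chosen, spent = [], 0.0
    for m in sorted(mitigations, key=lambda m: m.leverage, reverse=True):
        if m.leverage <= 1 or spent + m.cost > budget:
            continue
        chosen.append(m)
        spent += m.cost
    return chosen


# Constructed sample register (ratings chosen as exact binary fractions).
KEY_STAFF = Risk("key personnel leave", "project", 0.25, 120)        # exposure 30
SPEC = Risk("ambiguous specification", "technical", 0.5, 48)         # exposure 24
UNWANTED = Risk("product no one wants", "business", 0.125, 240)      # exposure 30
OBSOLETE = Risk("technical obsolescence", "technical", 0.25, 40)     # exposure 10
RISKS = [KEY_STAFF, SPEC, UNWANTED, OBSOLETE]

MITIGATIONS = [
    Mitigation(KEY_STAFF, cost=12, new_likelihood=0.25, new_consequence=36),  # leverage 1.75
    Mitigation(SPEC, cost=5, new_likelihood=0.25, new_consequence=32),        # leverage 3.2
    Mitigation(UNWANTED, cost=40, new_likelihood=0.0625, new_consequence=240),  # 0.375
    Mitigation(OBSOLETE, cost=8, new_likelihood=0.0625, new_consequence=40),    # 0.9375
]


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.exposure:6.1f}  {r.category:10s} {r.name}")
    for m in choose_mitigations(MITIGATIONS, budget=20):
        print(f"mitigate '{m.risk.name}' (cost {m.cost}, leverage {m.leverage:.2f})")
```

The two top-ranked risks tie on exposure although one is a likely, moderate loss and the other an unlikely, severe one; the ranking alone does not separate them, which is why the text pairs assessment with containment strategy. Within a budget of 20 person-days the greedy selection picks the specification review and the backup recruitment, and leaves out the two options whose leverage is below 1 even though the market survey addresses a high-exposure risk.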
Chapter 3 Information Technology Strategy and Trend
IT Strategy Planning
IT strategy is a comprehensive plan that information technology management professionals use to guide their organizations. An IT strategy should cover all facets of technology management, including
- cost management
- human capital management
- hardware and software management
- vendor management
- risk management
- all other considerations in the enterprise IT environment.

Executing an IT strategy requires strong IT leadership; the chief information officer (CIO) and chief technology officer (CTO) need to work closely with business, budget and legal departments as well as with other user groups within the organization. Many organizations choose to formalize their information technology strategy in a written document or balanced scorecard strategy map.

Dimensions of Planning/Corporate business plan
The plan may either be long-range or short-range, but the execution of the plan is year after year. The plan is made on a rolling basis where every year it is extended by one year, keeping the plan period as the next five years.
1. Entity
Entity is the thing on which the plan is focused. The entity could be the production in terms of quantity or it could be a new product. It could be about the finance, the marketing, the capacity, the manpower or the research and development.
2. Elements
Plan begins with mission & goals for an organization. Mission provides direction to organizations. Plan provides strategies to meet other final targets & objectives of organization related to plan, sales etc. Budget is an important element of plan.
3. Characteristics
No definite characteristics of a corporate plan. Plan is subject to change in light of new circumstances.
4. Organization
The corporate plan would deal with the company as a whole, but it has to be taken down for its subsidiaries, if any. The breaking of the corporate business plan into smaller organizational units helps to fix the responsibility for execution. The corporate plan, therefore, would be a master plan and it would comprise several subsidiary plans.

Elements of Strategic Planning:
1. Market Forces
It is difficult to predict market forces like demand, supply, trend of market growth, consumer behavior, new product concepts etc. These forces affect sales growth, profitability etc. of organizations. Business should be managed with strategic planning to predict market forces & gain benefits.
2. Competition
Organization has to develop new strategies to deal with competition. Such strategies could be new products, new markets, new technologies etc.
3. Technological Changes
A good strategic planning could help to match organization strength with market opportunities. Good strategic planning helps to grab opportunities brought by new technologies and prevent threat from IT.
4. Complex Diversity in business
An organization deals with several products, markets and manufacturing processes, and has to depend on consumers, suppliers, banks and financial institutions, transportation and communication, which brings complexity in business organization. A strategic planning should be developed to deal with these factors.

Challenges and Opportunities associated with IT
Some of the challenges that Information Technology encounters during the process of implementation and operation can be listed as:
- As new technology, it needs to have the trained manpower for the operation and maintenance.
- People expect it as the complete solution and they fully rely on IT as the solution to their problem. They do not think that it is just a tool to make the analysis and it is us human beings who need to make the decision with its help.
- Unclear government rules and regulations about the legalities and securities of the data and electronic transactions.
- High investment cost on infrastructures, data migration and trainings.
- Employees' reluctance to migrate from their manual working procedures to the computerized procedures.

Similarly the opportunities that Information Technology brings in the modern business can be listed as:
- It provides the relevant information on click, which helps in overall operation, managerial activities and formulation of strategy of the organization.
- It can reduce the number of working staff.
- Provides the quick means of communication among all the personnel located in different places.
- Although the initial investment would be higher, operation cost is lower, which ultimately leads to return on the overall investment.
- Provides easy and quick access to the huge amount of data for future references and analysis.

Aligning Future IT Strategy with Business Strategy
IT Strategy should be aligned with the business strategy because of the following reasons:
1. It improves the company's overall performance.
2. It can lead to more efficient processes, development of better products & services, cost reduction, faster response times and more efficient supply chain management.
3. It provides positive impact on organizations.
4. It serves as a way of meeting business goals and providing value.
5. It provides a plan to manage and implement the future business strategy.

Data representation by computer (RTP Dec 2016)
All information that is stored on a computer is represented in a sequence of zeros and ones. The computer interprets different sequences of these numbers as different types of data. Computer codes are based upon the binary number system (a base-two system) as opposed to the more common decimal system. Computer memory is stored as bits (0 or 1), bytes (8 bits), words (2, 4 or 8 bits), or byte addressable (each byte has its own address).
Database Management System (DBMS): A database management system (DBMS) is a software package designed to define, manipulate, retrieve and manage data in a database. A DBMS generally manipulates the data itself, the data format, field names, record structure and file structure. It also defines rules to validate and manipulate this data. A database management system receives instructions from a database administrator (DBA) and accordingly instructs the system to make the necessary changes. These commands can be to load, retrieve or modify existing data from the system. A DBMS relieves users of framing programs for data maintenance. Fourth-generation query languages, such as SQL, are used along with the DBMS package to interact with a database. Some DBMS examples include: MySQL, SQL Server, Oracle, DBASE, FoxPro. It is simply the software that permits an organization to centralize data, manage them efficiently and provide access to the stored data by application programs.

Component of DBMS
1. A data definition language:
It is a formal language programmers use to specify the structure of the content of the database. It defines each data element as it appears in the database before that data element is translated into the forms required by application programs.
2. A data manipulation language:
This language contains commands that permit end users and programming specialists to extract data from the database to satisfy information requests and develop applications. The most prominent data manipulation language is Structured Query Language (SQL).
3. A data dictionary:
This is an automated or manual file that stores definitions of data elements and data characteristics such as usage, physical representation, ownership, authorization and security.

DBMS helps to solve problems of the traditional file environment in the following ways:
1. DBMS can reduce data redundancy and inconsistency by minimizing isolated files in which the same data are repeated.
2. DBMS may not enable the organization to eliminate data redundancy entirely but it can help control redundancy.
3. Even if the organization maintains some redundant data, using DBMS eliminates data inconsistency because the DBMS can help the organization ensure that every occurrence of redundant data has the same values.
4. DBMS uncouples programs and data, enabling data to stand on their own.
5. Access and availability of information can be increased and program development and maintenance costs can be reduced because users and programmers can perform ad hoc queries of data in the database.

Types of DBMS
1. Relational DBMS:
This is the most common of all the different types of databases. In this, the data in a relational database is stored in various data tables. Each table has a key field which is used to connect it to other tables. Hence all the tables are related to each other through several key fields.
2. Operational Databases:
In its day to day operation, an organisation generates a huge amount of data. Think of things such as inventory management, purchases, transactions and financials. All this data is collected in a database which is often known by several names such as operational/production database, subject-area database (SADB) or transaction database. An operational database is usually hugely important to organisations as it includes the customer database, personnel database and inventory database, i.e. the details of how much of a product the company has as well as information on the customers who buy them. The data stored in operational databases can be changed and manipulated depending on what the company requires.
3. Distributed Databases:
Many organizations have several office locations, manufacturing plants, regional offices, branch offices and a head office at different geographic locations. Each of these work groups may have their own database which together will form the main database of the company. This is known as a distributed database.
4. Database Warehouses:
Organizations are required to keep all relevant data for several years. In the UK it can be as long as 6 years. This data is also an important source of information for analyzing and comparing the current year data with that of the past years, which also makes it easier to determine key trends taking place. All this data from previous years is stored in a database warehouse. Since the data stored has gone through all kinds of screening, editing and integration it does not need any further editing or alteration.
5. End-User Databases:
The end user is usually not concerned about the transactions or operations done at various levels and is only aware of the product, which may be a software or an application. Therefore, this is a shared database which is specifically designed for the end user, just like managers at different levels. A summary of the whole information is collected in this database.
6. Flat Database:
Data is organized in a single kind of record with a fixed number of fields. This database type encounters more errors due to the repetitive nature of data.
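The relational DBMS ideas above (a data definition language, a data manipulation language, a key field relating tables, and the DBMS controlling redundant data) as an added example, not part of the original notes; it uses Python's standard sqlite3 module and constructed sample customers and orders:

```python
"""Relational DBMS concepts from the notes, as an added example with
constructed sample data (not part of the original notes): DDL defines the
tables, DML loads and queries them, a key field relates two tables, and the
DBMS itself keeps redundant data consistent and validates the rules it was
given. Uses Python's standard sqlite3 module, so it runs offline."""
import sqlite3

# Data definition language: the structure of the database content.
DDL = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,      -- key field shared with orders
    name        TEXT NOT NULL,
    city        TEXT NOT NULL
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    product     TEXT NOT NULL,
    quantity    INTEGER NOT NULL CHECK (quantity > 0)
);
"""

# Constructed sample rows (illustrative only).
CUSTOMERS = [(1, "Asha", "Kathmandu"), (2, "Bikash", "Pokhara")]
ORDERS = [(101, 1, "laptop", 2), (102, 1, "mouse", 5), (103, 2, "printer", 1)]


def build_database() -> sqlite3.Connection:
    """Create an in-memory database, apply the DDL and load the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # sqlite enforces FKs only when asked
    conn.executescript(DDL)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def orders_with_city(conn: sqlite3.Connection) -> list:
    """DML: an ad hoc query joining the two tables through the key field, so the
    city is stored once per customer instead of being repeated on every order."""
    return conn.execute(
        """SELECT o.order_id, c.name, c.city, o.product, o.quantity
           FROM orders o JOIN customer c ON c.customer_id = o.customer_id
           ORDER BY o.order_id"""
    ).fetchall()


def move_customer(conn: sqlite3.Connection, customer_id: int, city: str) -> int:
    """One UPDATE changes the city seen by every order of that customer at once:
    the redundancy is controlled, so no stale copy of the old city can remain.
    Returns how many orders now show the new city."""
    conn.execute("UPDATE customer SET city = ? WHERE customer_id = ?",
                 (city, customer_id))
    conn.commit()
    return conn.execute(
        "SELECT COUNT(*) FROM orders o JOIN customer c USING (customer_id) "
        "WHERE c.city = ?", (city,)
    ).fetchone()[0]


def insert_orphan_order(conn: sqlite3.Connection) -> bool:
    """Try to insert an order for a customer that does not exist. The DBMS
    validates the rule declared in the DDL and rejects the row.
    Returns True when the DBMS blocked the insert."""
    try:
        conn.execute("INSERT INTO orders VALUES (104, 99, 'scanner', 1)")
        conn.commit()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


if __name__ == "__main__":
    db = build_database()
    for row in orders_with_city(db):
        print(row)
    print("orders now in Lalitpur:", move_customer(db, 1, "Lalitpur"))
    print("orphan order blocked:", insert_orphan_order(db))
```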
Use of IT in gaining competitive advantage over strategic planning:
1. Create barriers of Entry: When an organization successfully implements IT applications, it becomes a strength that creates a barrier for a newcomer to enter with similar matching strength, since IT applications are complex and take a long time for successful implementation.
2. Reduction in Process Cost: IT applications reduce the cost of business operations by reducing the use of resources and cutting down the process cycle time.
3. Differentiating Product Functions, Features and Facilities: The technology is used to innovate the functional side of the product or service through better design, customization and variety of features. IT applications help to monitor, track and post sales activities, helping customers to solve their problems.
4. Scoring Through Quality Assurance of Product or Services: The technology is capable of data capture and then processing it to help quality management. Technology has the ability to address this issue across the scope of the system, i.e. Input-Process-Output. It is capable of checking the quality of input, controlling the process of input conversion so that process defects are removed, and ensuring the quality of the output.
5. Moving up on Value Chain: Improving the value chain proposition works on six dimensions of the product or service, namely functional quality, service and product features, customer problem solving, delivery and continuous innovation. Improving the value chain means improving communications to one and all, reducing costs of each aspect of business, reducing cycle time of transaction or operation, monitoring and meeting customer expectations, assessing rivals' moves and improving customer service and relations.
Short Notes
1. Client/Server and its benefits
The term server refers to a running program on a networked computer that accepts requests from the programs running on other computers to perform a service and responds appropriately. The requesting processes are referred to as clients.
Benefits of client/server computing
• Client/server computing provides easier access to the corporation's internal and external data.
• It reduces costs of processing dramatically.
• The maintenance cost of programs is low.
• It provides an infrastructure that enables business processes to be reengineered for strategic benefit.
• It gives control to users of their own applications at their own locations.
• It reduces the operating costs of the information system department.

2. Groupware:
Collaborative software or groupware is application software designed to help people involved in a common task to achieve goals. Groupware refers to programs that help people work together collectively while located remotely from each other. Groupware services can include the sharing of calendars, collective writing, e-mail handling, shared database access, electronic meetings with each person able to see and display information to others, and other activities. Groupware enhances collaboration by allowing the exchange of ideas electronically. All the messages on a topic can be saved in a group, stamped with the date, time and author. Any group member can review the ideas of others at any time and add to them, or individuals can post a document for others to comment upon or edit.

3. Value Web
The value web is a networked system that can synchronize the value chains of business partners within an industry to respond rapidly to changes in supply and demand. The Value Web Model is a collection of independent firms using highly synchronized IT to coordinate value chains to produce or serve collectively. It is more customer driven and works in a less linear operation than the value chain. The book uses Amazon as an example: making your system more effective and efficient overall as a website retailer, and internet technology has made it possible through the value web model. Value chain and value web are not static. From time to time they may have to be redesigned to keep pace with changes in the competitive landscape. Companies may need to reorganize and reshape their structural, financial, and human assets and recast systems to tap new sources of value.

4. Data Administration
If your organization uses a database management system (DBMS) for mission-critical workloads, it is important to employ one or more database administrators to ensure that applications have ongoing, uninterrupted access to data. Most modern organizations of every size use at least one DBMS, and therefore the need for database administrators is greater today than ever before. DBAs are the subject matter experts for database management systems and all related topics, including DBMS implementation and configuration; database design; SQL coding; data extraction, transformation and loading (ETL); test data management; problem resolution; data integrity; database security; optimization; and database backup and recovery.

5. Database Distribution
Information systems can be designed with a centralized database that is used by a single central processor or by processors in a client/server network. Alternatively, the database can be distributed. A distributed database is one that is stored in more than one physical location. Distributed systems reduce the vulnerability of a single, massive central site. System administrators can distribute collections of data (e.g. in a database) across multiple physical locations. Because distributed databases store data across multiple computers, distributed databases may improve performance at end-user worksites by allowing transactions to be processed on many machines, instead of being limited to one.

6. Object oriented Database
An object database is a database management system in which information is represented in the form of objects as used in object-oriented programming. Object databases are different from relational databases, which are table-oriented. Object-relational databases are a hybrid of both approaches. Object-oriented database management systems (OODBMSs), also called ODBMS (Object Database Management System), combine database capabilities with object-oriented programming language capabilities. Some object-oriented databases are designed to work well with object-oriented programming languages such as Delphi, Ruby, Python, JavaScript, Perl, Java, C#, Visual Basic .NET, C++, Objective-C and Smalltalk.

7. Method of accessing data in computer
When a file is used, information is read and accessed into computer memory, and there are several ways to access this information of the file. There are three ways to access a file in a computer system: Sequential Access, Direct Access, Index Sequential Method.
A) Sequential Access: It is the simplest access method. Information in the file is processed in order, one record after the other. Sequential access is the only method for data stored on tape, but it can also be used for data on a direct access device such as a disk. Although sequential processing is useful for many types of scheduled periodic processing, it has the same drawback as a tape cassette containing a number of songs.
B) Direct Access: In computer storage, direct access is the ability to obtain data from a storage device by going directly to where it is physically located on the device rather than by having to sequentially look for the data at one physical location after another. Magnetic disk storage was developed to provide this capability. Optical storage is another physical implementation of the same logical approach for finding data. Direct access is based on the disk model of a file, since a disk allows random access to any file block. There is no restriction on the order of reading and writing for a direct access file.
C) Index sequential method: An index is a table used to find the location of data. The index indicates where alphabetical groups of names are stored. It is the other method of accessing a file, which is built on top of the direct access method. These methods construct an index for the file. The index, like an index in the back of a book, contains the pointers to the various blocks. To find a record in the file, we first search the index and then, with the help of the pointer, we access the file directly.
Key points:
It is built on top of Sequential access.
It controls the pointer by using an index.

8) HTML: Stands for "Hypertext Markup Language." HTML is the language used to create web pages. "Hypertext" refers to the hyperlinks that an HTML page may contain. "Markup language" refers to the way tags are used to define the page layout and elements within the page. A website can be composed of different elements such as images, videos, text, graphics, tables or links; like concrete that holds the bricks with one another to build the structure of our house, HTML is the virtual concrete which holds and orders all the elements, allowing the web browser to show this union as a web page.
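The three file access methods of item 7 (sequential, direct and index sequential) as an added example, not part of the original notes: a constructed file of fixed-length records is searched each way, counting how many records each method has to read; the record layout, block size and keys are all assumptions made for the example.

```python
"""Sequential, direct and index-sequential access over a constructed file of
fixed-length records (added example, not from the original notes). Because
records are fixed length, record i starts at byte i * RECORD_SIZE, which is
what makes direct access by position possible."""
import bisect
import io

RECORD_SIZE = 16      # 4-byte key + 12-byte payload (constructed format)
BLOCK_RECORDS = 4     # records per block; the index holds one entry per block


def make_file(keys) -> bytes:
    """Build a constructed file of fixed-length records sorted by key."""
    buf = io.BytesIO()
    for k in sorted(keys):
        buf.write(k.to_bytes(4, "big") + f"rec-{k}".encode().ljust(12, b"\0"))
    return buf.getvalue()


def read_record(data: bytes, pos: int):
    """Read the record at record position `pos`, or None past the end."""
    start = pos * RECORD_SIZE
    chunk = data[start:start + RECORD_SIZE]
    if len(chunk) < RECORD_SIZE:
        return None
    return int.from_bytes(chunk[:4], "big"), chunk[4:].rstrip(b"\0").decode()


def sequential_search(data: bytes, key: int):
    """Sequential access: read records in order until the key appears.
    Returns (record, records_read); a missing key costs a full pass."""
    n = len(data) // RECORD_SIZE
    for pos in range(n):
        rec = read_record(data, pos)
        if rec[0] == key:
            return rec, pos + 1
    return None, n


def direct_access(data: bytes, pos: int):
    """Direct access: jump straight to a known position, a single read."""
    return read_record(data, pos), 1


def build_index(data: bytes) -> list:
    """Index-sequential: one index entry per block, holding the first key of
    the block and the position of its first record (the pointer)."""
    n = len(data) // RECORD_SIZE
    return [(read_record(data, pos)[0], pos) for pos in range(0, n, BLOCK_RECORDS)]


def indexed_search(data: bytes, index: list, key: int):
    """Search the in-memory index first, then read only the block it points to.
    Returns (record, records_read); index lookups are not counted as file
    reads, which is exactly the saving the index buys."""
    first_keys = [k for k, _ in index]
    i = bisect.bisect_right(first_keys, key) - 1
    if i < 0:                       # key smaller than the first record
        return None, 0
    start = index[i][1]
    reads = 0
    for pos in range(start, start + BLOCK_RECORDS):
        rec = read_record(data, pos)
        if rec is None or rec[0] > key:   # past the key: it is not in the file
            break
        reads += 1
        if rec[0] == key:
            return rec, reads
    return None, reads


if __name__ == "__main__":
    data = make_file(range(100, 200, 5))   # 20 constructed records
    idx = build_index(data)
    print("sequential:", sequential_search(data, 185))
    print("direct    :", direct_access(data, 17))
    print("indexed   :", indexed_search(data, idx, 185))
```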
Object oriented programming is a programming paradigm that was developed to overcome the drawbacks and limitations of, particularly, procedure oriented programming. The major need for developing such languages was to manage the ever-increasing size and complexity of programs. Object-Oriented Programming (OOP) is the term used to describe a programming approach based on objects and classes. The object-oriented paradigm allows us to organize software as a collection of objects that consist of both data and behaviour. (Remember the mobile example.)
The object-oriented programming approach encourages:
Modularization: where the application can be decomposed into modules.
Software re-use: where an application can be composed from existing and new modules.

An object-oriented programming language generally supports five main features:
Classes
Objects
Classification
Polymorphism
Inheritance

Characteristics of OOP
Emphasis is on data rather than procedure.
Programs are divided into objects.
Data structures are designed such that they characterize the objects.
Functions that operate on the data of an object are tied together in the data structure.
Data is hidden and cannot be accessed by external functions.
Objects may communicate with each other through functions.
New data and functions can be easily added whenever necessary.
Bottom-up approach is followed in program design.

Multiprogramming
Sharing the processor, when two or more programs reside in memory at the same time, is referred to as multiprogramming. Multiprogramming assumes a single shared processor. Multiprogramming increases CPU utilization by organizing jobs so that the CPU always has one to execute.
An OS does the following activities related to multiprogramming:
The operating system keeps several jobs in memory at a time.
This set of jobs is a subset of the jobs kept in the job pool.
The operating system picks and begins to execute one of the jobs in the memory.
Multiprogramming operating systems monitor the state of all active programs and system resources using memory management programs to ensure that the CPU is never idle, unless there are no jobs to process.
Advantages
High and efficient CPU utilization.
User feels that many programs are allotted CPU almost simultaneously.
Disadvantages
CPU scheduling is required.
To accommodate many jobs in memory, memory management is required.

Function of Operating System
One way to look at the operating system is as the system's chief manager. OS software decides which computer resources will be used, which programs will be run, and the order in which activities will take place. An operating system performs three functions:
1) Allocation and assignment: OS manages the computer's resources, such as the central processing unit, memory, disk drives and printers, memory allocation, space allocation.
2) Scheduling: Process scheduling is the activity of the process manager that handles the removal of the running process from the CPU and the selection of another process on the basis of a particular strategy. Process scheduling is an essential part of multiprogramming operating systems. Such operating systems allow more than one process to be loaded into the executable memory at a time and the loaded processes share the CPU using time multiplexing.
3) Monitoring: The OS monitors the activities of the computer system. It keeps track of each computer job and may also keep track of who is using the system, of what programs have been run, and of any unauthorized attempts to access the system.

Time-sharing operating systems
A time sharing operating system is a multitasking operating system in which the CPU time is divided equally among all the jobs waiting for time on the CPU. Normally this time slice is 10 to 100 microseconds. A time sharing operating system usually works on the idea of concurrent execution, where multiple jobs are executed at the same time by switching between them frequently. In this operating system a switching method/function is available. This switching is so quick that the users can interact with every program while it is running without knowing that the system is being shared. The main difference between Multiprogrammed Batch Systems and Time-Sharing Systems is that in the case of Multiprogrammed batch systems, the objective is to maximize processor use, whereas in Time-Sharing Systems, the objective is to minimize response time. Multiple jobs are executed by the CPU by switching between them, and the switches occur very frequently. Thus, the user can receive an immediate response.

Multitasking
Multitasking is when multiple jobs are executed by the CPU simultaneously by switching between them. Switches occur so frequently that the users may interact with each program while it is running. An OS does the following activities related to multitasking:
The user gives instructions to the operating system or to a program directly, and receives an immediate response.
The OS handles multitasking in the way that it can handle multiple operations/execute multiple programs at a time.
Multitasking Operating Systems are also known as Time-sharing systems.
These Operating Systems were developed to provide interactive use of a computer system at a reasonable cost.
A time-shared operating system uses the concept of CPU scheduling and multiprogramming to provide each user with a small portion of a time-shared CPU.
Each user has at least one separate program in memory.
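The difference in objectives stated above (multiprogrammed batch maximizes processor use, time-sharing minimizes response time) as an added example, not part of the original notes: a small simulation runs the same constructed jobs once to completion and once with a round-robin time slice, and measures both quantities; the job lengths, the time slice and the cost of a switch are assumptions.

```python
"""Batch (run each job to completion) versus time-sharing (round robin with
a fixed time slice), as an added example simulating the two objectives named
in the notes. Jobs, quantum and switch cost are constructed for the example;
time is in abstract units. Response time is the wait from submission (all
jobs arrive at t=0) until a job first gets the CPU."""
from dataclasses import dataclass


@dataclass
class Job:
    name: str
    burst: int   # CPU time the job needs, in time units


def run_to_completion(jobs, switch_cost=1):
    """Multiprogrammed batch style: each job holds the CPU until it finishes,
    so only one switch per job is paid. Returns (avg_response, utilization)."""
    t = 0
    responses = []
    busy = 0
    for i, job in enumerate(jobs):
        if i > 0:
            t += switch_cost          # overhead of switching to the next job
        responses.append(t)           # first (and only) time this job runs
        t += job.burst
        busy += job.burst
    return sum(responses) / len(jobs), busy / t


def round_robin(jobs, quantum, switch_cost=1):
    """Time-sharing style: a job runs at most `quantum` units, then the CPU is
    switched to the next waiting job. Returns (avg_response, utilization)."""
    remaining = {j.name: j.burst for j in jobs}
    first_run = {}
    queue = [j.name for j in jobs]    # ready queue, FIFO
    t = 0
    busy = 0
    switches = 0
    while queue:
        name = queue.pop(0)
        if switches > 0:
            t += switch_cost          # every slice after the first costs a switch
        switches += 1
        first_run.setdefault(name, t)
        run = min(quantum, remaining[name])
        t += run
        busy += run
        remaining[name] -= run
        if remaining[name] > 0:
            queue.append(name)        # not finished: back to the end of the queue
    avg_response = sum(first_run[j.name] for j in jobs) / len(jobs)
    return avg_response, busy / t


# Constructed workload: three equal interactive jobs submitted together.
JOBS = [Job("A", 10), Job("B", 10), Job("C", 10)]


def compare(jobs=JOBS, quantum=2):
    """Return both results so the trade-off can be checked directly."""
    return {"batch": run_to_completion(jobs), "time_sharing": round_robin(jobs, quantum)}


if __name__ == "__main__":
    for mode, (resp, util) in compare().items():
        print(f"{mode:13s} avg response = {resp:5.1f}  CPU utilization = {util:.3f}")
```

With these numbers the batch run keeps the CPU busy 30 of 32 units but the last job waits 22 units before it even starts, while round robin answers every job within 6 units at the cost of 14 switches.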

Virtual memory is a memory management capability of an operating system (OS) that uses hardware and software to allow a computer to compensate for physical memory shortages by
temporarily transferring data from random access memory (RAM) to disk storage. A computer can address more memory than the amount physically installed on the system. This extra
memory is actually called virtual memory and it is a section of a hard disk that's set up to emulate/copy the computer's RAM.The main visible advantage of this scheme is that programs
can be larger than physical memory. Virtual memory was developed at a time when physical memory -- the installed RAM -- was expensive. Computers have a finite amount of RAM, so
memory can run out, especially when multiple programs run at the same time. A system using virtual memory uses a section of the hard drive to emulate RAM. With virtual memory, a
system can load larger programs or multiple programs running at the same time, allowing each one to operate as if it has infinite memory and without having to purchase more RAM.
Multiprocessing is the use of two or more central processing units (CPUs) within a single computer system. The term also refers to the ability of a system to support more than one processor or the ability to allocate tasks between them. Multiprocessing is the coordinated processing of programs by more than one computer processor. Multiprocessing is a general term that can mean the dynamic assignment of a program to one of two or more computers working in tandem or can involve multiple computers working on the same program at the same time (in parallel). With the advent of parallel processing, multiprocessing is divided into symmetric multiprocessing (SMP) and massively parallel processing (MPP). Multiprocessing should not be confused with multiprogramming, multitasking or multithreading.

Peripherals: A computer peripheral is any external device that provides input and output for the computer. For example, a keyboard and mouse are input peripherals, while a monitor and printer are output peripherals. Computer peripherals, or peripheral devices, are sometimes called "I/O devices" because they provide input and output for the computer. Some peripherals, such as external hard drives, provide both input and output for the computer. Peripherals is the generic name given to all input, output and secondary storage devices that are part of a computer system but are not part of the CPU.

Radio Frequency Identification (RFID)
Radio Frequency Identification (RFID) is a technology that uses radio waves to identify a tagged object. The RFID technology works using small pieces of hardware called RFID chips. These chips feature an antenna to transmit and receive radio signals. Currently there are two general types of RFID chips: active and passive. Recently, RFID has raised some privacy concerns as a result of the invisible nature of the system and its capability to transmit fairly sophisticated messages.
KEY TAKEAWAYS
Radio Frequency Identification (RFID) is a type of wireless technology that allows for the matching of a pet, person or object.
The system has two parts: tags and readers. The reader gives off radio waves and gets signals back from the RFID tag, while the tag uses radio waves to communicate its identity and other information.
The technology has been approved since the 1970s but has become more prevalent in recent years due to its usage in pet microchipping.

CPU stands for "Central Processing Unit." The CPU is the primary component of a computer that processes instructions. It runs the operating system and applications, constantly receiving input from the user or active software programs. It processes the data and produces output, which may be stored by an application or displayed on the screen. The CPU contains at least one processor, which is the actual chip inside the CPU that performs calculations.
Components of a CPU
The two typical components of a CPU include the following:
The arithmetic logic unit (ALU), which performs arithmetic and logical operations.
The control unit (CU), which extracts instructions from memory and decodes and executes them, calling on the ALU when necessary.

Arithmetic logic unit and control unit:
An arithmetic logic unit (ALU) is the main part of the central processing unit (CPU) of a computer system. It performs all processes related to arithmetic and logic operations that need to be done on instruction words. In some processors, the arithmetic logic unit is divided into two units, an arithmetic unit (AU) and a logic unit (LU).
The control unit (CU) is a component of the central processing unit of the computer system that controls the operations of the processor. It informs the arithmetic and logic unit, the computer's main memory and the output and input devices how to respond to the commands that have been sent to the processor. The control unit is taken to be the processor's brain because it issues orders to everything and ensures that the best results are produced. Typically, the control unit has been designed with digital circuits, encoders, decoders, logic gates and flip-flops that are arranged in a certain fixed way.
Secondary storage Devices
Magnetic Tape
It is similar to audio tape, containing a plastic strip coated with magnetic material. The data is encoded on the magnetic material in the form of electric current. Conduction state (ON) represents ONE (1) and non-conduction state (OFF) represents ZERO (0). This type of data encoding is called binary data storage. Magnetic tapes have large storage capacity and are inexpensive; they can store data from 60 MB to 24 GB.
Magnetic Disk
These are Direct Access storage media, where the accessing of data is much faster because there is no need to go through all previous data for reaching a specific data item. In this type of storage device there is a round diskette (round disk) of plastic material coated with magnetic ink on which data encoding is done. The magnetic disk is commonly of three types:
floppy disk
hard disk
Winchester disk
Optical Disk
The data can be read from and written to the optical disk by laser beam. These disks are able to store large amounts of data, into GB. These are available as CD-ROM, WORM (write once read only) and erasable optical disks.

Primary storage Devices
RAM: RAM constitutes the internal memory of the CPU for storing data, programs and program results. It is read/write memory. It is called Random Access Memory (RAM). Since access time in RAM is independent of the address of the word, that is, each storage location inside the memory is as easy to reach as any other location and takes the same amount of time, we can reach into the memory at random and extremely fast, but it can also be quite expensive. RAM is volatile, that is, data stored in it is lost when we switch off or turn off the computer or if there is a power failure. Hence, a backup un-interruptible power system (UPS) is often used with computers. RAM is small, both in terms of its physical size and in the amount of data that it can hold. Types: Static RAM, Dynamic RAM
Read Only Memory (ROM): ROM stands for read only memory, the memory from which we can only read but cannot write on it. This type of memory is non-volatile. The information is stored permanently in such memories during manufacture. A ROM stores such instructions as are required to start the computer when electricity is first turned on; this operation is referred to as bootstrap. ROM chips are not only used in the computer but also in other electronic items like washing machines and microwave ovens.
Types of ROM: Masked Read Only Memory (MROM), Programmable Read Only Memory (PROM), Erasable and Programmable Read Only Memory (EPROM), Electrically Erasable and Programmable Read Only Memory (EEPROM)
Cache: Cache memory is a very high speed semiconductor memory which can speed up the CPU. It acts as a buffer between the CPU and the main memory. It is used to hold those parts of data and programs which are most frequently used by the CPU. The parts of data and programs are transferred from disk to cache memory by the operating system, from where the CPU can access them. Cache memory lies in between the CPU and the main memory. It is also called CPU memory, which a computer microprocessor can access more quickly than it can access regular RAM. Cache memory saves time and increases efficiency because the most recently processed data is stored in it, which makes fetching easier.

Optical Scanning :It represent the process of interpreting data in printed , Pointing Device Speech recognition is the ability of a machine
handwritten , bar -code , or other visual form by a device (optical scanner or A pointing device , or sometimes called a pointing or program to identify words and phrases in
reader) that scans and identifies the data.An optical scanning device combines tool, is a hardware input device that allows the user spoken language and convert them to a
specialized computer hardware and software . The hardware devices capture to move the mouse cursor in a computer program machine -readable format . More sophisticated
an image and software converts the image to computer -readable data. Thus, or GUI operating system . Using a pointing device , software has the ability to accept natural speech
optical scanning enables the direct entry of data from source documents into a you can point at or manipulate any object or text on .Speech recognition works using algorithms
computer system.There are four main types of optical scanning technologies: the screen . For example , using a pointing device through acoustic and language modeling . Early
Optical Mark Reading (OMR) you could point at and select an icon from a list of speech recognition products used discrete
Optical Character Recognition (OCR) icons.E.g.Computer mouse ,Finger on touch screen speech recognition where ou had to pause
Intelligent Character Recognition (ICR) , Footmouse , J mouse , Joystick , Light pen (pen ), between each spoken word . New continuous
Imaging Technology Touchpad, Keyboard speech recognition software recognizes
continuous , conversationally paced speech.
Pen Based Computing Type of computer
Minicomputers
pen -based computer , computer that uses software to enable it to accept Supercomputers A minicomputer is a multiprocessing machine
handwriting or drawing as a form of input. A stylus, which may contain special A supercomputer is pretty much exactly what it sounds like that can support up to about 200 users at the
electronic circuitry , may be used to write on the computer display or on a . It’s a term used to describe computers that have the most same time. It’s like a less powerful mainframe
separate tablet. Despite the popularity of touch-screen technologies , many capable processing power of its time .Today , modern computer , and is about the size of a
still prefer the use of stylus rather than their fingertip. You can use the digitizer supercomputers run hundreds of thousands of processors, refrigerator . A server can be an example of a
pen as a pointing device or to draw or write on the pressure -sensitive surface capable of computing quadrillions of calculations in just a minicomputer , but not all servers are
of the graphic tablet. Your handwriting or drawing is digitized by the computer few nanoseconds . Modeling molecular structures, weather minicomputers.
, accepted as input , displayed on its video screen and entered into your forecasting , and the field of quantum mechanics , among
application. others , rely on supercomputers and their intense Microcomputers/PC
processing power to solve their equations. Microcomputers are the ones people are
Parallel processing is a method in computing of running two or more Mainframe Computers most familiar with on a daily, non-professional
processors (CPUs) to handle separate parts of an overall task. Breaking Like supercomputers , mainframe computers are huge , basis, but of course that doesn’t mean they’re
up different parts of a task among multiple processors will help reduce the towering machines with lots of processing power . exclusive to the home . Microcomputers are
amount of time to run a program . Any system that has more than one Mainframe computers are mostly used by corporations , smaller computers that run on
CPU can perform parallel processing , as well as multi -core processors government agencies , and banks – organizations that microprocessors in their central processing
which are commonly found on computers today. need a way to store large quantities of information. units.
Chapter 6: E-commerce

E-commerce: Sharing business information, maintaining business relationships and conducting business transactions using computers connected to a telecommunication network is called E-Commerce. E-commerce is the buying and selling of goods and services, or the transmitting of funds or data, over an electronic network, primarily the Internet, without using any paper documents. It uses the internet and web to transact business. It is the carrying out of digitally enabled commercial transactions between and among organizations and individuals.

Importance of E-commerce
1. E-Commerce Influences Purchase Decisions: When customers are deciding on a purchase, they start by looking online.
2. E-Commerce Taps into Social Media: It is a social world out there, with customers turning to social media such as Facebook and Twitter to research potential purchases. For a smart business, an engaging social media presence can raise the company profile and encourage traffic and sales.
3. E-Commerce Is Convenient: It is convenient for customers to shop online from their home instead of travelling and visiting multiple stores.
4. E-Commerce Can Broaden the Brand: E-Commerce can be used in ways a traditional shop could not, whether that is by offering intangible products, providing some kind of web search, or giving customers the ability to order a product to their exact specifications. E-Commerce can be used to broaden the range of products for sale, bringing the organization more custom and diversifying sales.
5. E-Commerce Offers a Personalized Experience: There are many ways in which e-Commerce can be used to forge a more personal connection with customers. For example, an e-Commerce site could include personal recommendations, order tracking, quick customer service, or personalized rewards, allowing a business to offer the same kind of personal service online that it would offer face to face.
6. Round the clock service: E-commerce provides round the clock service at all times, even at midnight. So customers do not need to visit a physical market if they need something during the night.

Advantages of E-Commerce
- Easy Availability
- Speed Access
- Wider selection of goods and services
- Accessibility and International Reach
- Ease of doing business: ease of doing business with a business of virtually any size that is located virtually anywhere on the planet, with anyone, anywhere. Imagine a small olive oil manufacturer in a remote village in Italy selling its wares to major department stores and specialty food shops in New York, London, Tokyo and other large metropolitan markets.

Legal and Ethical Issues in E-commerce
Web tracking: E-businesses draw information on how visitors use a site through log files. Analysis of log files means turning log data into an application service or installing software that can pluck relevant information from files in-house. Companies track an individual's movement through tracking software and cookie analysis.
Privacy: Most Electronic Payment Systems know the identity of the buyer. So it is necessary to protect the identity of a buyer who uses an Electronic Payment System. A privacy issue related to the employees of a company is tracking. Monitoring systems are installed in many companies to monitor e-mail and other web activities in order to identify employees who extensively use business hours for non-business activities. The e-commerce activities performed by a buyer can be tracked by organizations.
Legal Issues: Where are the headlines about consumers defrauding merchants? What about fraudulent e-commerce websites? Internet fraud and its sophistication have grown even faster than the Internet itself. There is a chance of a crime over the internet when buyers and sellers do not know each other and cannot even see each other.
Fraud on the Internet: E-commerce fraud popped up with the rapid increase in popularity of websites. It is a hot issue for both cyber and click-and-mortar merchants.
Copyright: The copyright laws protect intellectual property in its various forms, and it cannot be used freely. It is very difficult to protect intellectual property in E-Commerce. For example, if you buy software you have the right to use it and not the right to distribute it. The distribution rights are with the copyright holder. Also, copying contents from a website violates copyright law.
Taxation
Validity of electronic documents
Online gambling

Key Security Threats in E-Commerce (HD-MICSS)
1. Malicious code: Viruses, worms, Trojan horses and "bad applets" are a threat to a system's integrity and continued operation, often changing how a system functions or altering documents created on the system.
2. Hacking and cyber-vandalism: Intentionally disturbing, defacing or even destroying a site.
3. Credit card fraud/theft: One of the most feared occurrences and one of the main reasons more consumers do not participate in e-commerce. The most common cause of credit card fraud is a lost or stolen card that is used by someone else, followed by employee theft of customer numbers and stolen identities.
4. Spoofing: Occurs when hackers attempt to hide their true identities or misrepresent themselves by using fake e-mail addresses or masquerading as someone else. Spoofing can also involve redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination.
5. Denial of service attacks: Hackers flood a web site with useless traffic to inundate and overwhelm the network, frequently causing it to shut down and damaging a site's reputation and customer relationships.
6. Sniffing: A type of eavesdropping program that monitors information traveling over a network, enabling hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files and confidential reports. The threat of sniffing is that confidential or personal information will be made public.
7. Insider jobs: Although the bulk of internet security efforts are focused on keeping outsiders out, the biggest threat is from employees who have access to sensitive information and procedures.

Dimensions/Basic Principles of E-Commerce Security (CA PAIN)
1. Integrity: The ability to ensure that information displayed on the web site or sent or received via the internet has not been altered in any way by an unauthorized party.
2. Non-repudiation: The ability to ensure that e-commerce participants do not deny their online actions.
3. Authenticity: Refers to the ability to verify an individual's or business's identity.
4. Confidentiality: Determines whether the information shared online, such as a credit card number or email communication, can be viewed by anyone other than the intended recipient.
5. Privacy: Deals with the use of information shared during online transactions; consumers want to limit the extent to which their personal information can be divulged to other organizations, while merchants want to protect such information from falling into the wrong hands.
6. Availability: Determines whether a web site is accessible and operational at any given moment.
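As an added illustration of the integrity and authenticity dimensions listed above (example code written for these notes, not part of the original study material or of any product), the following Python script attaches an HMAC-SHA256 tag to an order message and shows that an altered amount, a tag computed with the wrong key, and a replayed order id are all rejected by the receiving side. The shared key, the order fields and the OrderVerifier class are all constructed for the example. An HMAC gives integrity and authenticity of origin between two parties who share the key; it does not give non-repudiation, because either party could have produced the tag, so that dimension needs a digital signature instead.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the example (placeholder, not a real key). In a
# deployment both parties would receive it out of band and keep it secret.
SHARED_KEY = b"example-shared-secret-replace-in-production"


def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both sides MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Integrity + authenticity: hex HMAC-SHA256 tag over the canonical order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(sign_order(order, key), tag)


class OrderVerifier:
    """Receiving side (hypothetical): checks the tag, then refuses replays of an
    order id it has already accepted, so a captured valid message cannot be
    submitted twice."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_ids = set()

    def accept(self, order: dict, tag: str) -> str:
        if not verify_order(order, tag, self.key):
            return "rejected: bad tag"        # altered, or not from the key holder
        if order["order_id"] in self.seen_ids:
            return "rejected: replay"         # genuine tag, but already processed
        self.seen_ids.add(order["order_id"])
        return "accepted"


def demo() -> dict:
    """Run the four cases a practitioner would check; returns outcome per case."""
    verifier = OrderVerifier()
    order = {"order_id": "A1001", "sku": "olive-oil-1l",
             "qty": 2, "amount": "24.00", "currency": "USD"}   # constructed order
    tag = sign_order(order)

    tampered = dict(order, amount="2.40")        # amount changed in transit
    forged_tag = hmac.new(b"wrong-key", canonical(order), hashlib.sha256).hexdigest()

    return {
        "genuine": verifier.accept(order, tag),
        "replay": verifier.accept(order, tag),
        "tampered": verifier.accept(tampered, tag),
        "forged": verifier.accept(order, forged_tag),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8s} -> {outcome}")
```

The amount is carried as a string so that the canonical JSON is identical on both sides; floating-point formatting differences would otherwise change the bytes being tagged and cause spurious rejections.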
1. Essential E-Commerce Processes
These are the foundation for companies wishing to operate E-Commerce.

1. Access Control and Security
E-Commerce processes must establish mutual trust and secure access between the parties in an e-commerce transaction by authenticating users, authorizing access and enforcing security features. For that, usernames and passwords, encryption keys and security measures to protect from hacker attacks, password theft and credit card number theft are to be implemented.

2. Profiling and Personalizing
User profiles are built using profiling tools. The profiles help to recognize the user and provide a personalized view of contents. Profiling and personalizing help in authenticating user identity, account management, payment processing, gathering data for customer relationship management and marketing, etc.

3. Search Management
E-Commerce should provide users a search option that helps them find the specific goods and services of their choice. E-Commerce may include a website search engine for that. Efficient and effective search processes provide a top e-commerce website capability that helps customers find the specific product or service they want to evaluate or buy.

4. Content and Catalog Management
Content Management Software (CMS) helps E-Commerce to develop, generate, update and archive text and multimedia information at the e-commerce website. CMS helps to generate catalogs of product information. Contents and catalogs in an E-Commerce website help customers to select the best product to meet their needs.

5. Workflow Management
A workflow management system in e-commerce ensures that proper and valid transactions are performed and the correct data and documents are routed to the right employee, supplier, customer, etc. Thus workflow management helps in the smooth flow of e-commerce transactions.

6. Event Notification
Its concept is that customers, suppliers, employees and other stakeholders must be notified of all events that might affect their status in a transaction. E.g. when money is transferred from your e-banking, you should receive an email for the account debit with details.

7. Collaboration and Trading
E-Commerce should arrange collaboration and trading services for customers, suppliers etc. to accomplish e-commerce transactions. The essential collaboration among business trading partners in e-commerce may also be provided by Internet-based trading services.

Essential Features of a good e-commerce website
1. Login and Authorization:
This feature allows login into the system with validation of the user name and password. The system also facilitates the creation of a new username and password.
2. Searching of the Product:
As the virtual web front lists a large variety of products, people might be unable to find the product of their choice, so an effective searching mechanism for the product should be available in the website. Conditioning can be deployed in the searching.
3. Product Details and Catalogue:
Once the client finds any product, the website should give detailed information about the product with a possible 2D/3D or video view along with all essential information and procedures.
4. Payment Mechanism:
The payment mechanism and procedures should be clear to every user. It might be electronic payment procedures or cash on delivery; it should be documented properly.
5. Profiling and Personalization:
The personal behavior of selling/buying a product or accessing the product catalogue should be tracked to personalize in future. This will be helpful for the promotion of new or related products to that user in the future.
6. Event Notifications:
It is the procedure of informing the client about the completion of any event. This helps in ensuring the completion of the process. It can be done by email or phone etc.

Steps in developing an E-Commerce Security Plan
1. Perform a risk assessment: an assessment of the risks and points of vulnerability.
2. Develop a security policy: a set of statements prioritizing the information risks, identifying acceptable risk targets and identifying the mechanisms for achieving these targets.
3. Create an implementation plan: Create a plan that determines how you will translate the levels of acceptable risk into a set of tools, technologies, policies and procedures.
4. Create a security team: Create the team of individuals who will be responsible for ongoing maintenance, audits and improvements.
5. Implement security measures: Implement the planned security measures with the help of security professionals and the security team.
6. Perform periodic security audits: Perform periodic information security audits to ensure security is in order and as per the information security plans.
Security Mechanism for E-Commerce
The main components of the security mechanism used for E-Commerce are:
1. User authentication mechanisms, using simple means such as a normal user-id/password up to more complex means such as smart cards, multilayer passwords etc.
2. Use of secure transaction channels over encrypted virtual private networks etc. However, this may not be very effective in public e-commerce sites (i.e. B2C or C2C e-commerce facilities).
3. Use of secure mechanisms such as secure HTTP, public key infrastructure or digital signatures to ascertain the authenticity of the transactions and their sources.
4. Use of professional and dedicated third party certification, monitoring and control mechanisms to make sure that the trust level of the transactions is high.
5. Use of robust systems to counter threats such as viruses, intrusion, hacking, man-in-the-middle attacks etc.

Payment Mechanisms commonly used in E-Commerce
1. Digital Credit Card:
It is the extension of the credit card onto the internet so that it can be used for online payment. The information transmitted through the Internet is protected for merchant, consumer and processing bank by authorizing and authenticating.
2. Digital wallet:
A digital wallet makes paying for purchases over the web more efficient by eliminating the need for shoppers to repeatedly enter their address and credit card information each time they buy something. A digital wallet securely stores credit card and owner identification information and provides that information at electronic commerce sites. The digital wallet enters the shopper's name, credit card number and shipping information automatically when invoked to complete the purchase.
3. Micropayment:
It is developed to make payments of less than $10, as such payments will be too small to pay through credit cards. An accumulated balance payment system facilitates such small payments on the web by accumulating them into the debit card or credit card.
4. Stored value payment systems:
It enables consumers to make instant online payments to merchants and other individuals based on value stored in a digital account. Online value systems rely on the value stored in the consumer's bank, checking or credit card account, and some of these systems require the use of a digital wallet.
5. Digital cash:
Digital cash, which is also known as e-cash, can also be used for micropayments or larger purchases. It is currency represented in electronic form that moves outside the normal network of money. Users are supplied with the client software and can exchange money with another e-cash user over the internet or with a retailer accepting e-cash.

Categories of E-commerce
a. Business-to-Consumer (B2C) e-Commerce
Business to consumer (B2C) e-commerce refers to the business or transactions conducted directly between a company and consumers who are the end-users of its products or services. In this form of electronic commerce, businesses must develop attractive electronic marketplaces to entice customers and sell products and services to them. A company may offer:
- E-commerce websites that provide virtual storefronts and multimedia catalogs.
- Interactive order processing
- Secure electronic payment systems.
- Online customer support
Amazon, Muncha and Kaymu are some examples of Business to Consumer e-commerce.

b. Consumer-to-Consumer (C2C) e-Commerce
Consumer-to-consumer e-commerce is a business model that facilitates the transaction of products or services between customers. In C2C e-commerce the consumer prepares the product for market, places the product for auction or sale and relies on the market maker to provide catalog, search engine and transaction clearing capabilities so that the product can be easily displayed, discovered and paid for.
eBay and Hamrobazar are some examples of C2C e-commerce.

c. Business-to-Business (B2B) e-Commerce
When a business sells products or services to other companies, that e-commerce model is called B2B, or business-to-business. In contrast with the business-to-consumer or consumer-to-consumer models, B2B facilitates the transfer of raw materials, parts and components from which additional profit is derived, through manufacturing or final sales to consumers. This category of electronic commerce involves both electronic business marketplaces and direct links between businesses. A company may offer:
- Secure Internet or extranet e-commerce websites for their business customers and suppliers.
- Electronic data interchange (EDI) via the Internet or extranets for computer-to-computer exchange of e-commerce documents with their larger business customers and suppliers.
- B2B e-commerce portals that provide auction and exchange markets for businesses.
Electronic Payment Process

a. Web Payment Process
Most e-commerce systems on the web involving businesses and consumers (B2C) depend on a credit card payment process, but many B2B e-commerce systems rely on more complex payment processes based on the use of purchase orders. However, both types of e-commerce typically use an electronic shopping cart process, which enables customers to select products from website catalog displays and put them temporarily in a virtual shopping basket for later checkout and processing.

b. Electronic Fund Transfer
Electronic Funds Transfer (EFT) is a system of transferring money from one bank account directly to another without any paper money changing hands. Such a transfer can be within a single financial institution or across multiple institutions, through computer-based systems and without direct intervention of bank staff.
One of the most widely-used EFT programs is Direct Deposit, in which payroll is deposited straight into an employee's bank account, although EFT refers to any transfer of funds initiated through an electronic terminal, including credit card, ATM and point-of-sale (POS) transactions. It is used both for credit transfers, such as payroll payments, and for debit transfers, such as mortgage payments.
The growing popularity of EFT for online bill payment is paving the way for a paperless universe where checks, stamps, envelopes and paper bills are obsolete. The benefits of EFT include reduced administrative costs, increased efficiency, simplified bookkeeping and greater security. However, the number of companies who send and receive bills through the Internet is still relatively small.

c. Secure Electronic Payments
- It is a form of protocol for electronic credit card payments.
- In this, the secure electronic transaction (SET) protocol is used to facilitate the secure transmission of consumer credit card information via electronic avenues, such as the Internet.
- When we make an online purchase on the internet, our credit card information is vulnerable to interception by network sniffers; software can easily recognize credit card number formats.
- The basic security measures being used to solve this security problem are:
  o Encrypt (code or scramble) the data passing between the customer and merchant.
  o Encrypt the data passing between the customer and the company authorizing the credit card transaction, or
  o Take sensitive information off-line.
- E.g. many companies use the Secure Socket Layer (SSL) security method that automatically encrypts data passing between the web browser and the merchant's server.
- However, sensitive information is still vulnerable to misuse once it is decrypted and stored on a merchant's server.
- So, a digital wallet payment system was developed.
- In this method, we add security software add-on modules to the web browser.
- This enables the browser to encrypt the credit card data in such a way that only the bank that authorizes credit card transactions for the merchant gets to see it.

d. Micro Payment System
A micropayment is an e-commerce transaction involving a very small sum of money in exchange for something made available online, such as an application download, a service or web-based content.
Micropayments are sometimes defined as anything less than 75 cents and can be as low as a fraction of a cent. A special type of system is required for such payments, which are too small to be feasible for processing through credit card companies.

Working Principles of a Payment Gateway
A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or IVR service) and the front end processor or acquiring bank. When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction:
1. A customer places an order on the website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.
2. If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's web server. This is done via SSL (Secure Socket Layer) encryption.
3. The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
4. The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.
5. The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard).
- If an American Express or Visa card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.
- Otherwise, the card association routes the transaction to the correct card issuing bank.
6. The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment (i.e. approved or declined), the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available).
7. The processor forwards the response to the payment gateway.
8. The payment gateway receives the response and forwards it on to the website (or whatever interface was used to process the payment), where it is interpreted as a relevant response and then relayed back to the cardholder and the merchant.
9. The entire process typically takes 2–3 seconds.
10. The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement via their processor.
11. The acquiring bank deposits the total of the approved funds into the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.
Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time prior to the authorization request being sent to the processor. Tools to detect fraud include geo-location, velocity pattern analysis, delivery address verification, computer fingerprinting technology, identity morphing detection and basic AVS checks.
Cloud Computing
It means the use of computing resources as a service through networks, say the Internet. It helps users to access database resources via the Internet from anywhere at any time, without worrying about any maintenance or management of the actual resources. E.g. Google Apps, where any application can be accessed using a browser and can be deployed on thousands of computers through the Internet. It is a combination of software and hardware based computing resources delivered as a networked service. These applications and resources can be accessed using a simple front-end interface such as a web browser from any client device like notebooks, desktops, mobile devices etc. The location of the physical resources and devices being accessed is generally not known to end users. It helps companies to scale up to massive capacities instantly without having to invest in new infrastructure, train new personnel or license new software. Cloud computing is of benefit to small and medium-sized businesses, who wish to completely outsource their data-centre infrastructure, or large companies, who wish to get peak load capacity without incurring the higher cost of building larger data centres. In both instances, service consumers use 'what they need on the Internet' and 'pay only for what they use'.

Cloud Computing ARCHITECTURE:
It is the structure of the system and consists of a Front End and a Back End.
•FRONT END ARCHITECTURE: The front end of the cloud computing system comprises the client's devices (or computer network) and some applications needed for accessing the cloud computing system.
•BACK END ARCHITECTURE: Back end refers to some service facilitating peripherals. In cloud computing, the back end is the cloud itself, which may encompass various computer machines, data storage systems and servers. Groups of these clouds make up a whole cloud computing system.

Characteristics:
1. On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
2. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops and workstations).
3. Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
4. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear unlimited and can be appropriated in any quantity at any time.
5. Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be

Disadvantages/Limitations/Challenges of cloud computing (D.L.A.S.T. – I.C.A.I. – G.A.A.P)
D Data Stealing: In cloud computing, data is accessible by everyone and from anywhere. There may be chances where the cloud provider uses the infrastructure of some other service provider. As such, data is less secured and is prone to the concept of "data stealing".
L Legal Issues and Compliance: There are various data and security laws that are to be complied with by the entity. There is a need to understand the various types of rules and laws that impose security and privacy duties on the organization.
A Audit: It emphasises "what is happening in the cloud environment". It is hosted on the virtual machine to watch "what is happening in the system". In the context of the use of clouds, time-consuming audits seriously detain the key gain of cloud agility.
S Software Isolation: Software isolation is a way to understand virtualization and other techniques that the cloud owner employs in the software architecture and to evaluate the risks for the organization.
T Trust: The deployment model provides trust in the cloud environment. An entity has direct control over its security issues. Trust is an important issue in the cloud. Trust ensures that service arrangements are sufficient to allow visibility into security and privacy controls.
I Incident Response: It ensures meeting the organization's requirements during an incident. It ensures that the cloud provider has a transparent response process in place. Affected networks, applications and exposed intrusions help to understand an incident response.
C Confidentiality: Prevention of data access from unauthorized disclosure is referred to as confidentiality. The cloud works on a public network, therefore it is imperative to keep the data confidential. This can be done through encryption of data or by way of physical security at a separate location.
A Architecture: In the cloud computing model, there should be control over the security and privacy of the system. Its reliable and scalable infrastructure depends on design and implementation to support the overall framework.
I Integrity: Integrity means prevention of unauthorized modification of data and ensures that data is of high quality, correct and accessible. On the cloud network it should be ensured that data is not changed. Redundant Array of Independent Disks (RAID) is one of the ways to preserve integrity in cloud computing.
G Governance: Since in cloud computing there is no control over the employees and services, it creates problems like design, implementation, testing etc. So there is a need to put up a governance model that will control the standards, policies and procedures of the entity.
A Application security: It applies when the application moves to the cloud platform. Service
provider should have complete access to server with all rights to ensure protection of the monitored, controlled, and reported, providing transparency for both the provider and consumer
application . Infected application need to be monitored and recovered by the cloud security of the utilized service.
drivers. Benefit/Advantage:
A Availability: The goal of availability for Cloud Computing systems (including applications - Reduced Cost: Cloud computing can reduce both capital expenses and operating
and its infrastructures ) is to ensure its users can use them at any time , at any place . It expenses cost because resources are only acquired when needed and are only paid for
ensures back up of data through BCP, DRP. Cloud computing system enables its users to when used.
access the system (e.g., applications, services) from anywhere. This is true for all the Cloud - Refined Use of Personnel : Using cloud computing frees valuable personnel allowing
Computing systems. them to focus on delivering value rather than maintaining hardware and software.
P Privacy : It is one of the important issue in the cloud computing . The privacy issues are - Robust scalability: Cloud computing allows for immediate scaling, either up or down, at any
embedded in each phase of cloud design. The cloud should be designed in such a way that time without long-term commitment.
it decreases the privacy risks. - Increased Storage: With massive infrastructure that is offered by cloud providers today,
storage and maintenance of large volumes of data is a reality.
- Flexibility : With enterprises having to adapt , even more rapidly , to changing business
conditions , speed to deliver is critical . Cloud computing stresses on getting applications to
market very quickly, by using the most appropriate building blocks necessary for deployment.
Chapter 6: E-commerce

Cloud computing environment

PUBLIC CLOUD
A public cloud sells services to anyone on the Internet. (Currently, Amazon Web Services is the largest public cloud provider.) Public cloud services may be free or offered on a pay-per-usage model. This environment can be used by the general public.
(a) Scalable: Resources and users in the public cloud are large and the service provider has to grant all the requests. Hence public clouds are considered to be scalable. (Able to be changed in size or scale.)
(b) Affordable: In this case, the user pays only for what he or she is using, and this does not involve any cost related to the deployment.
Less Secure: Since it is offered by a third party who has full control over the cloud, it is less secure as compared to an on-premises private cloud.
(c) Stringent SLAs: Since there is a Service Level Agreement between the service provider and users, and the reputation of the service provider depends on it, they follow the SLA very strictly.
(d) Available: It is highly available since anyone can link to the public cloud with the proper permission.

PRIVATE CLOUD
A private cloud is a proprietary network or a data center that supplies hosted services to a limited number of people. These are typically deployed within an organization's own internal ecosystem, often leveraging the organization's own private data center. Private clouds typically rely on the organization having trained IT staff onsite to manage the private cloud ecosystem.
(a) Secure: The private cloud is managed by the organization itself, hence there is less chance of data being stolen and leaked out.
(b) Central Control: The private cloud is managed by the organization itself, so there is no need to rely on an outside agency; this results in central control by the entity.
(c) Weak Service-level Agreement: SLAs are agreements between the user and the service provider. However, in the case of a private cloud the SLA is weak, since this type of networking is between the organization & users of the same organization.

COMMUNITY CLOUD
Here the cloud is shared by person(s) of one community, hence the name. In this type, the cloud infrastructure is provisioned by a specific community.
(a) Cost effective: Since the community cloud is shared by several organizations, the community cloud is cost effective too.
(b) Collaborative & Distributive Maintenance: Since the cloud is shared among various organizations, control is distributed, and better cooperation provides better results.

HYBRID CLOUD
A hybrid storage cloud uses a combination of public and private storage clouds. Hybrid storage clouds are often useful for archiving and backup functions, allowing local data to be replicated to a public cloud.
(a) Scalable: Hybrid has the property of the public cloud, hence it is scalable.
(b) Partly Secure: The public cloud is more vulnerable and is subject to a high risk of security breach. As such, hybrid is not fully secure, hence partly secure.
(c) Stringent SLAs: Since there is a Service Level Agreement between the service provider and users, and the reputation of the service provider depends on it, they follow the SLA very strictly.
(d) Complex Cloud Management: Since the hybrid model comprises one or more deployment models & the number of users is also very large.

Benefits of SaaS
o No additional hardware costs: The processing power required to run the application is supplied by the cloud provider.
o No initial setup costs: Applications are ready to use once the user subscribes.
o Pay for what you use: If a piece of software is only needed for a limited period then it is only paid for over that period, and subscriptions can usually be halted at any time.
o Usage is scalable: If a user decides they need more storage or additional services then they can access these on demand without needing to install new software or hardware.
o Updates are automated: Whenever there is an update it is available online to existing customers, often free of charge. No new software will be required as it often is with other types of applications, and the updates will usually be deployed automatically by the cloud provider.
o Cross device compatibility: This application can be accessed via any internet-enabled device, which makes it ideal for those who use a number of different devices, such as internet-enabled phones and tablets, and those who don't always use the same computer.
o Accessible from any location: Rather than being restricted to installations on individual computers, an application can be accessed from anywhere with an internet-enabled device.
o Application can be customized and white labeled: With some software, customization is available, meaning it can be altered to suit the needs and branding of a particular customer.

Process involved in the payment using credit card:
1. The consumer contacts an issuing card bank and opens a credit card account. They are issued a credit card with a unique account number and a credit line (which is how much they are allowed to spend on the account).
2. The consumer provides the credit card information to pay for the transaction whenever s/he wants to purchase any goods or services from a merchant.
3. The merchant takes the credit card information provided by the consumer, attempts to validate it through tests and checks, and sends it to the acquiring bank to find out if the consumer has money available on the credit card to make the purchase. There should be some communication mechanism between the POS of the merchant and the acquiring bank.
4. The acquiring bank routes a request through the card association network to the issuing bank to see if funds are available on the consumer's credit card.
5. The issuing bank checks the consumer's credit line and, if funds are available, sets aside the amount of money that the order requires for payment. This money is "reserved" only: it has not changed hands, and is not the merchant's money yet. At this point a reply is sent back through the card association network to the acquiring bank, then back to the merchant, to let them know the status of the request for funds.
Cloud computing service models:

MEANING OF IaaS:
Infrastructure-as-a-Service providers provide an alternative to buying and installing the software and the equipment which are needed to support the business operations. The servers and the networks that are required to provide the storage, server functions and networks are provided by the IaaS vendor. Examples of IaaS providers include Amazon EC2, Dyn DNS, Google Compute Engine etc. IaaS provides you the computing infrastructure, physical or (quite often) virtual machines and other resources like virtual-machine disk image library, block and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks etc.

CHARACTERISTICS OF IaaS: (M. - W.I.S.E.)
M Management is centralized: Resources distributed across different places can be controlled from any management console, which ensures effective resource management.
W Web access to the resources: IaaS enables the users to access the infrastructure resources over the internet.
I Infrastructure Sharing: In IaaS, different users share the same physical infrastructure and thus ensure high resource utilization.
S Metered Services: IaaS allows the user not to buy the computing resources but to rent them. The user will be charged as per the usage.
E Elasticity & dynamic Scaling: The IaaS service provider can increase or decrease the usage of the resources depending on the load.

DIFFERENT INSTANCES OF IaaS:
• Network-As-A-Service (NaaS)
• Storage as a Service (STaaS)
• Database as a Service (DBaaS)
• Backend as a Service (BaaS)
• Desktop as a Service (DTaaS)

MEANING OF PaaS:
PaaS is a category of cloud computing that provides a platform and environment to allow developers to build applications and services over the internet. Platform as a Service allows users to create software applications using tools supplied by the provider. PaaS services can consist of preconfigured features that customers can subscribe to; they can choose to include the features that meet their requirements while discarding those that do not.

CHARACTERISTICS OF PaaS:
Web access to development platform: PaaS helps the developer to create, modify, test & deploy different applications.
Scalability: PaaS ensures that applications built are capable of handling the varied loads efficiently.
Collaborative Platform: To enable collaboration among developers, most PaaS providers provide tools for project planning and communication.
Metered Services: PaaS allows the user not to buy the computing resources but to rent them. The user will be charged as per the usage.
Elasticity & dynamic Scaling: The PaaS service provider can increase or decrease the usage of the resources depending on the load.

MEANING OF SaaS:
Software-as-a-Service is a cloud service where consumers are able to access software applications over the internet. The programs which are developed by the software developers are accessed by the customers through the browser, and they pay fees for their usage. Users don't have to worry about the installation, setup and running of the application; the service provider will do that.

CHARACTERISTICS OF SaaS: (W.O. – C.A.M)
Web access: Users can use the application from any location if the device is connected to the internet.
One to many: A single application can be used by multiple users.
Centralized Management: SaaS services are managed from a single location, so there is centralized control.
Availability: SaaS ensures almost 100% availability of data.
Multi-device Support: SaaS can be accessed from any device, e.g. desktop, mobile, laptop etc.

Roles of IT in Cloud Computing

1. Role as Developers
Evolutions of the commercial IT processes and systems have guaranteed the work for the developers' community. There will be a radical increase in developers to meet the growing need in the IT field. Cloud computing is one of the areas which benefit from the evolution of developers. With rapid acceptance of cloud computing across the globe, more developers will be required because they are the only persons who can understand how cloud computing works.

2. Role as Administrator
Administrators are the guardians and legislators of an IT system. They are responsible for the control of user access to the network. This means sitting on top of the creation of users and passwords and the formulation of rules and procedures for such fundamental functionality as general access to the system assets.
The advent of cloud computing will necessitate adjustments to this process, since the administrator in such an environment is no longer merely concerned about internal matters, but also the external relationship of the enterprise and the cloud computing concerns, as well as the actions of other tenants in a public cloud.

3. Role as Architect
The function of the architecture is the effective modeling of the given system's functionality in the real IT world. The basic responsibility of the architect is development of the architectural framework of the agency's cloud computing model. The role of the architect in the age of cloud computing is to conceive and model a functional interaction of the cloud's layers. The architect must use abstraction as a means to ensure that IT is playing its proper role in the attainment of organizational objectives.

4. Role in Risk Assessment
The IT department performs risk assessment to decide whether data is to be moved to the cloud or not. The main concerns voiced by those moving to the cloud are security and privacy. The companies supplying cloud computing services know this and understand that without reliable security, their business collapses. So security and privacy are high priorities of the IT department for all cloud computing.

5. Role in Governance
IT governance is a board or senior management responsibility, and IT governance is specifically related to IT. It will monitor the standards of cloud computing, because governance is the primary responsibility of the owner of a private cloud and the shared responsibility of the service provider and service consumer in the public cloud. They will determine whether some kind of broader collaboration is required or not.

6. Role in Bandwidth Requirement
IT strategy should evaluate the bandwidth and potential bandwidth while adopting the cloud framework. For cloud computing, bandwidth to and from the cloud provider is a bottleneck.

7. Role in Financial Impact
IT operations require a sizable proportion of the cost, which comes from administrative and management functions. The cloud computing environment is the implicit automation of some of these functions.
Mobile Computing
A technology that allows transmission of data, via a computer, without having to be connected to a fixed physical link. Mobile data communication has become a very important and rapidly evolving technology as it allows users to transmit data from remote locations to other remote or fixed locations. This proves to be the solution to the biggest problem of business people on the move: mobility.

Green Computing:
Green Computing or Green IT refers to the study and practice of environmentally sustainable computing or IT. In other words, it is the study and practice of establishing / using computers and IT resources in a more efficient and environmentally friendly and responsible way. Below are the best practices of green computing:
(a) Develop a sustainable green Computing plan
1. Involve stakeholders to include checklists, recycling policies for disposal of used components & equipment.
2. Involve power usage, reduction of consumption of paper, recycling of old machines & equipment.
3. Use cloud computing so that multiple organizations share the same computing resources.
(b) Recycle:
1. Dispose of e-waste as per regulations.
2. Discard unwanted equipment in an environmentally responsible manner.
3. Manufacturers must provide options for how to dispose of equipment when it becomes unusable.
(c) Environmentally Sound Decisions:
1. Purchase laptops and desktops based on environmental attributes.
2. Clear policy in respect of designing the product.
(d) Reduced Paper Consumption:
1. More use of emails, resulting in saving of paper.
2. For marketing and advertising, on-line marketing is best and will reduce paper wastage.
3. Use both sides of the paper while printing any document.
BYOD: This refers to a business policy that allows employees to use their preferred computing devices, like smart phones and laptops, for business purposes. It means employees are welcome to use personal devices (laptops, smart phones, tablets etc.) to connect to the corporate network to access information and applications.
Advantages
1. Happy employees: Employees use their own devices at work. It lowers the burden since they have to carry only their own device, not the organizational device.
2. Lower IT budget: Since employees bring their own devices, this results in a decrease in outlay of the organization. (Organizations need not purchase the devices for their employees.)
3. IT reduces support requirement: Since the devices belong to the employees, there is cost saving since IT doesn't have to provide end user support and maintenance activities.
4. Increased employee efficiency: In the case of a self-owned device, the user is efficient in working on their own device. In case they work on other devices, some learning phase is included.
Threats
1. Application risks: Employees' phones or smart devices that are connected to the corporate network are not protected by security software.
2. Device risks: Lost or stolen computer devices or mobile phones can result in an adverse impact on the company, as these devices contain vital information about the company.
3. Implementation risks: A weak BYOD policy may result in failure of communication of employee expectations, thereby increasing the chances of device misuse.
4. Network risks: As BYOD involves use of personal devices, IT is unaware of the number of devices connected to the company network. For instance, if a virus is detected in the network, it is imperative to scan all connected devices. Since complete visibility is not there, it may be possible that some devices do not get covered under the scanning program. This is hazardous for the company.
Virtual Organization
A virtual organization is an organization involving detached and disseminated entities (from employees to entire enterprises) and requiring information technology to support their work and communication. Virtual organizations do not represent a firm's attribute but can be considered as a different organizational form.
In such an organization, members are geographically apart, usually working by computer e-mail and groupware while appearing to others to be a single, unified organization with a real physical location. It is a network of cooperation made possible by information and communication technology which is flexible and comes to meet the dynamics of the market.
It is a social network in which all horizontal and vertical boundaries are removed.

Characteristics:
1. Flat organization
2. Dynamic
3. Informal communication
4. Power Flexibility
5. Multidisciplinary (virtual) teams
6. Vague organizational boundaries
7. Goal orientation
8. Customer orientation
9. Home-work
10. Absence of apparent structure
11. Sharing of information
12. Staffed by knowledge workers

Types of Virtual Organization
1. Telecommuters:
These companies have employees who work from their homes. They interact with the workplace via personal computers connected with a modem to the phone lines. Examples of companies using some form of telecommuting are Dow Chemicals, Xerox, Coherent Technologies Inc., etc.
2. Outsourcing Employees/Competencies:
These companies are characterised by the outsourcing of all/most core competencies. Areas for outsourcing include marketing and sales, human resources, finance, research and development, engineering, manufacturing, information systems, etc. In such a case, the virtual organisation does its own work in one or two core areas of competence, but with excellence. For example, Nike performs product design and marketing very well and relies on outsourcing for information technology as a means for maintaining inter-organisational coordination.
3. Completely Virtual:
These companies are metaphorically described as companies without walls that are tightly linked to a large network of suppliers, distributors, retailers and customers as well as to strategic and joint venture partners. The Atlanta Committee for the Olympic Games (ACOG) in 1996 and the development efforts of the PC by IBM are examples of completely virtual organisations.

Benefits of Virtual organization
1. To the organization
o Competitive advantage
o Bridge the merger and acquisition process between two companies
o Pool of abilities and knowledge
o Less investment cost initially
2. To the employees
o More independence
o Amount of stress is reduced
o Less money is spent
3. To the society
o Less pollution in environment
o Expansion of the workplace area

Virtualization
In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources. Virtualization uses software that simulates hardware functionality in order to create a virtual system. This practice allows IT organizations to operate multiple operating systems, more than one virtual system and various applications on a single server. The benefits of virtualization include greater efficiencies and economies of scale.
OS virtualization is the use of software to allow a piece of hardware to run multiple operating system images at the same time. The technology got its start on mainframes decades ago, allowing administrators to avoid wasting expensive processing power.

Data Exchange
Data exchange is the process of taking data structured under a source schema and transforming it into data structured under a target schema, so that the target data is an accurate representation of the source data. Data exchange allows data to be shared between different computer programs. It is similar to the related concept of data integration except that data is actually restructured (with possible loss of content) in data exchange. There may be no way to transform an instance given all of the constraints. Conversely, there may be numerous ways to transform the instance (possibly infinitely many), in which case a "best" choice of solutions has to be identified and justified.

Single-domain data exchange
Often there are a few dozen different source and target schemas (proprietary data formats) in some specific domain. Often people develop an exchange format or interchange format for some single domain, and then write a few dozen different routines to (indirectly) translate each and every source schema to each and every target schema by using the interchange format as an intermediate step. That requires a lot less work than writing and debugging the hundreds of different routines that would be required to directly translate each and every source schema to each and every target schema. (For example, Standard Interchange Format for geospatial data, Data Interchange Format for spreadsheet data, GPS eXchange Format or Keyhole Markup Language for indicating GPS coordinates on the globe, Quicken Interchange Format for financial data, GDSII for integrated circuit layout, etc.)

Data exchange languages
A data exchange language is a language that is domain-independent and can be used for any kind of data. Its semantic expression capabilities and qualities are largely determined by comparison with the capabilities of natural languages. The term is also applied to any file format that can be read by more than one program, including proprietary formats such as Microsoft Office documents. However, a file format is not a real language as it lacks a grammar and vocabulary.
Practice has shown that certain types of formal languages are better suited for this task than others, since their specification is driven by a formal process instead of the needs of a particular software implementation.
For example, XML is a markup language that was designed to enable the creation of dialects (the definition of domain-specific sublanguages) and is now a popular choice, in particular on the internet. However, it does not contain domain-specific dictionaries or fact types. Beneficial to a reliable data exchange is the availability of standard dictionaries and taxonomies and of tool libraries such as parsers, schema validators and transformation tools.
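The hub-and-spoke approach of single-domain data exchange above, as an added example that is not from the original notes: two made-up vendor layouts are mapped into one interchange schema, validated against it, and mapped out to two made-up target layouts, so n sources and m targets need n+m routines instead of n*m. Fields the interchange schema cannot carry are reported as lost, which illustrates the "possible loss of content" the notes mention.

```python
"""Hub-and-spoke data exchange through one interchange format (constructed example,
not from the original notes). Vendor layouts, the interchange schema and the target
layouts are all made up for a toy invoicing domain."""
from decimal import Decimal

# Interchange schema for the domain: field name -> required Python type
INTERCHANGE_SCHEMA = {"invoice_id": str, "customer": str, "amount": Decimal, "currency": str}


def validate_interchange(rec: dict) -> list:
    """Minimal schema validator: every field present and correctly typed, nothing extra."""
    errors = []
    for name, typ in INTERCHANGE_SCHEMA.items():
        if name not in rec:
            errors.append(f"missing {name}")
        elif not isinstance(rec[name], typ):
            errors.append(f"{name}: expected {typ.__name__}")
    for extra in sorted(set(rec) - set(INTERCHANGE_SCHEMA)):
        errors.append(f"unexpected field {extra}")
    return errors


# One routine per SOURCE schema: proprietary layout -> interchange record.
# Each returns (record, lost), where lost names source fields the interchange cannot carry.
def from_vendor_a(rec: dict) -> tuple:
    # vendor A layout: {"inv": "A-1", "cust_name": "Acme", "amt_cents": 12345, "note": "rush"}
    out = {"invoice_id": rec["inv"], "customer": rec["cust_name"],
           "amount": Decimal(rec["amt_cents"]) / 100, "currency": "USD"}  # A bills in USD cents
    return out, sorted(set(rec) - {"inv", "cust_name", "amt_cents"})


def from_vendor_b(rec: dict) -> tuple:
    # vendor B layout: {"id": 7, "customer": "Bob", "total": "12.30 EUR"}
    parts = rec["total"].split()
    if len(parts) != 2:
        raise ValueError("vendor_b 'total' must be '<amount> <currency>'")
    out = {"invoice_id": f"B-{rec['id']}", "customer": rec["customer"],
           "amount": Decimal(parts[0]), "currency": parts[1]}
    return out, sorted(set(rec) - {"id", "customer", "total"})


# One routine per TARGET schema: interchange record -> target layout.
def to_ledger(rec: dict) -> dict:
    return {"ref": rec["invoice_id"], "party": rec["customer"],
            "value": f"{rec['amount']:.2f} {rec['currency']}"}


def to_report(rec: dict) -> tuple:
    return (rec["customer"], rec["currency"], int(rec["amount"] * 100))


SOURCES = {"vendor_a": from_vendor_a, "vendor_b": from_vendor_b}
TARGETS = {"ledger": to_ledger, "report": to_report}


def translate(source: str, target: str, rec: dict) -> tuple:
    """Source -> interchange -> target; a record failing the schema never reaches a target."""
    canonical, lost = SOURCES[source](rec)
    errors = validate_interchange(canonical)
    if errors:
        raise ValueError("interchange record invalid: " + "; ".join(errors))
    return TARGETS[target](canonical), lost


def routines_needed(n_sources: int, n_targets: int) -> tuple:
    """(routines via the interchange format, routines for direct pairwise translation)."""
    return n_sources + n_targets, n_sources * n_targets
```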
Types of Virtualization

1. Server Virtualization
Server virtualization is the process of dividing a physical server into multiple unique and isolated virtual servers by means of a software application. Each virtual server can run its own operating system independently. Server virtualization is used to mask server resources from server users. This can include the number and identity of operating systems, processors, and individual physical servers.
Key Benefits of Server Virtualization:
Higher server ability
Cheaper operating costs
Eliminate server complexity
Increased application performance
Deploy workload quicker
Three Kinds of Server Virtualization:
1) Full Virtualization
2) Para-Virtualization
3) OS-Level Virtualization

2. Client/Desktop Virtualization
It is virtualization technology used to separate a computer desktop environment from the physical computer. It is considered a type of client-server computing model because the "virtualized" desktop is stored on a centralized, or remote, server and not on the physical machine being virtualized.
Virtualized desktops are generally hosted on a remote central server, rather than the hard drive of the personal computer. Because the client-server computing model is used in virtualizing desktops, desktop virtualization is also known as client virtualization.
Desktop virtualization provides a way for users to maintain their individual desktops on a single, central server. The users may be connected to the central server through a LAN, WAN or over the Internet.
Benefits
o Lower the total cost of ownership (TCO)
o Increased Security
o Reduced energy costs
o Reduced downtime and centralized management
Limitations:
o Difficulty in maintenance and set up of printer drivers
o Increased downtime in case of network failures
o Complexity and costs involved in Virtual Desktop Infrastructure (VDI) deployment
o Security risk in the event of improper network management.

3. Application Virtualization
It refers to running an application on a thin client; a terminal or a network workstation with few resident programs, accessing most programs residing on a connected server. The thin client runs in an environment separate from, sometimes referred to as being encapsulated from, the operating system where the application is located.
This is a process where applications get virtualized and are delivered from a server to the end user's device, such as laptops, smartphones, and tablets. So instead of logging into their computers at work, users will be able to gain access to the application from virtually anywhere, provided an Internet connection is available. This type of virtualization is particularly popular for businesses that require the use of their applications on the go.
Benefits
o Security: Virtual applications often run in user mode, isolating them from OS-level functions.
o Management: Virtual applications can be managed and patched from a central location.
o Legacy Support: Through virtualization technologies, legacy applications can be run on modern operating systems they were not originally designed for.
o Access: Virtual applications can be installed on demand from central locations that provide failover replication.
o Requiring fewer resources compared to using a separate virtual machine.
o Allowing incompatible applications to run on a local machine simultaneously.
o Maintaining a standard, more efficient, and cost-effective OS configuration across multiple machines in a given organization, independent of the applications being used.
o Facilitating more rapid application deployment.
Limitations
o Packaging: Applications must be packaged first before they can be used.
o Resource: Virtual applications may require more resources in terms of storage and CPU.
o Compatibility: Not all applications can be virtualized easily.

4. Network Virtualization
Network virtualization refers to the management and monitoring of an entire computer network as a single administrative entity from a single software-based administrator's console.
Network virtualization is designed to allow network optimization of data transfer rates, flexibility, scalability, reliability and security. It automates many network administrative tasks, which actually disguise a network's true complexity. All network servers and services are considered one pool of resources, which may be used without regard to the physical components. Network virtualization is especially useful for networks experiencing a rapid, large and unpredictable increase in usage.
Benefits:
o Less Time, Effort, and Money Spent on Hardware
o Less Demand for lots of different technical skills
o Speeding up the time to application delivery.
o Improved security
o Improved recovery times following a hardware failure or disaster

5. Storage Virtualization
Storage virtualization is the process of grouping the physical storage from multiple network storage devices so that it looks like a single storage device. The process involves abstracting and hiding the internal functions of a storage device from the host application, host servers or a general network in order to facilitate the application- and network-independent management of storage.
Benefits:
o Improved storage management in a heterogeneous IT environment.
o Better availability and estimation of down time with automated management.
o Better storage utilization.
o Automated Management
o Reduced time in manual supervision
Limitations:
o Lack of standards and Interoperability: Storage virtualization is a concept and not a standard. As a result vendors frequently do not easily interoperate.
o Metadata: Since there is a mapping between logical and physical location, the storage metadata and its management becomes key to a working, reliable system.
o Backout: The mapping between logical and physical locations also makes the backout of virtualization technology from a system a less than trivial process.

6. Service/Application Infrastructure Virtualization
It is a method to emulate the behavior of specific components in heterogeneous component-based applications such as API-driven applications, cloud-based applications and service-oriented architectures.
Chapter 7 E-Business Enabling software package
ERP
It is process management software that allows an organization to use integrated applications to manage the business and automate many back office functions related to technology, services and human resources. ERP software integrates all facets of an operation, including product planning, development, manufacturing, sales and marketing. It requires dedicated teams to customize and analyze data and to handle upgrades and deployment.
An Enterprise Resource Planning (ERP) system is a fully integrated business management system that integrates the core business and management processes to provide an organization a structured environment in which decisions concerning demand, supply, operations, personnel, finance, logistics, etc. are fully supported by accurate, reliable, and real-time information.
ERP programs help organizations manage company-wide business processes, using a common database and shared management reporting tools.
ERP solutions are designed to help organizations improve the operational efficiency of business resources. Businesses use ERP systems to integrate all their business processes into a single system to efficiently and effectively manage business goals.

Characteristics of ERP (IF-I'M-CRUMB)
1. Integrated: ERP integrates the functional areas of the organization like manufacturing, sales, HR etc.
2. Flexibility: Necessary changes can be made to ERP to meet new user requirements even after implementation of ERP. ERP can be customized as per user needs. It is not a rigid system.
3. Intelligent Business Tools: ERP is an intelligent business tool because it makes use of the latest technologies like electronic fund transfer, internet, intranet, etc.
4. Modular & Open: ERP comprises organizational functions in the form of modules. While implementing ERP, it may be implemented module by module (part by part) or all modules may be implemented together.
5. Common database: ERP has a common database which records data relating to all business functions.
6. Real Time Access: ERP embodies best business practices because it uses a real-time approach to perform any major function.
7. Common User Interface: ERP provides a common interface to all users from wherever it is accessed.
8. Multi-language and multi-currency: ERP supports multiple languages and data in multiple currencies. That is the reason why several banks are able to operate in more than one nation.
9. Beyond the company/Wide Scope: The scope of ERP extends beyond the organization's boundary. With the help of the internet and e-commerce, ERP can be made accessible to external parties like customers, suppliers etc.

Advantages of ERP
1. Better use of organizational resources
2. Lower operating costs
3. Proactive decision making
4. Decentralized decision making
5. Enhanced customer services
6. Flexibility in business operation
7. Reduces paper work
8. Improves timeliness of information
9. Increases efficiency by avoiding multiple entry of transactions
10. Enables global outreach
11. Better utilization of resources

Disadvantages of ERP
1. It is expensive to develop and set up an ERP system initially.
2. Staff resistance to change, especially during the initial phase.
3. The ERP designed and implemented may not be appropriate for the organization.
4. Involves significant user training time and costs.
5. Integration of truly independent businesses can create unnecessary dependencies.
6. Overcoming resistance to sharing sensitive information between departments can divert management attention.
7. Re-engineering business processes to fit the ERP system may damage competitiveness or divert focus from other critical activities.

Components of ERP
1. Financial Management: At the core of ERP are the financial modules, including general ledger, accounts receivable, accounts payable, billing and fixed asset management. Financial management modules include budgets, cash-flow, expense and tax reporting.
2. Supply Chain Management: Supply Chain Management (SCM) improves the flow of materials through an organization by managing planning, scheduling, procurement, and fulfillment, to maximize customer satisfaction and profitability. Sub-modules in SCM include production scheduling, demand management, distribution management, inventory management, warehouse management, procurement and order management.
3. Human Resource Management: Human resource management ERP modules enhance the employee experience – from initial recruitment to retirement. Sub-modules can include payroll, performance management, time tracking, benefits, compensation and workforce planning. Self-service tools that allow managers and employees to enter time and attendance, choose benefits and manage PTO are available in many ERP solutions.

Functional Areas or Modules of ERP
1. Production Planning: This module is used in production planning to optimize the utilization of manufacturing capacity, parts, components and material resources using historical production data and sales forecasting.
2. Purchasing: The purchase module streamlines procurement of required raw materials. It automates the processes of identifying potential suppliers, negotiating price, awarding the purchase order to the supplier, and billing.
3. Inventory Control: The inventory module facilitates the processes of maintaining the appropriate level of stock in a warehouse. The activity of inventory control involves identifying inventory requirements, setting targets, providing replenishment techniques and options, monitoring item usage, reconciling the inventory balances, and reporting inventory status. Integration of the inventory control module with the sales, purchase and finance modules allows ERP systems to generate vigilant executive-level reports.
4. ERP Sales Module: Revenues from sales are the lifeblood of commercial organizations. The sales module implements functions of order placement, order scheduling, shipping and invoicing. The sales module is closely integrated with the organization's e-commerce websites. Many ERP vendors offer an online storefront as part of the sales module.
5. ERP Marketing Module: The ERP marketing module supports lead generation, direct mailing campaigns and more.
6. ERP Financial Module: The financial module is the core of many ERP software systems. It can gather financial data from various functional departments, and generates valuable financial reports such as the balance sheet, general ledger, trial balance, and quarterly financial statements.
7. ERP HR Module: The HR module streamlines the management of human resources and human capital. HR modules routinely maintain a complete employee database including contact information, salary details, attendance, performance evaluation and promotion of all employees.
Implementation of ERP
The following are the steps/process for ERP implementation:
1. Need Analysis: Firstly, the organization's need for ERP is to be established. Whether or not ERP would solve the organization's existing problems, and what the ERP requirements are, need to be assessed.
2. Current Situation Analysis: Evaluating the current processes and the critical situation of the business, i.e. understanding the strengths and weaknesses prevailing under the existing circumstances and seeing if improvement over them could be achieved after ERP implementation.
3. Desired Situation Analysis: Deciding the 'would be' situation for the business, i.e. the changes expected after the implementation of ERP.
4. Conduct Business Process Re-design (BPR): Re-engineering the business processes to achieve the desired results in the existing processes, as BPR is the backbone of a successful ERP implementation.
5. Evaluating ERP Packages: Evaluating the various available ERP packages to assess suitability on criteria like flexibility, modularity, cost-benefit, etc.
6. Selecting the ERP Package: The most suitable ERP package that suits the organizational need and is feasible from a cost-benefit point of view should be selected for implementation.
7. Installation of ERP: The required hardware and networks for the selected ERP package are installed. Appropriate training is provided to staff. If needed, expert consultants are hired for facilitation.
8. Maintenance: Periodic review of the system should be done and necessary upgrades should be applied to ensure that the installed ERP meets the organizational requirements at all times.

Guidelines for ERP Implementation
1. Understanding the corporate needs and culture of the organization and then adopting the implementation technique to match these factors.
2. Doing business process redesign prior to starting the implementation.
3. Establishing a good communication network across the organization.
4. Providing strong and effective leadership so that people down the line are well motivated.
5. Finding an efficient and capable project manager.
6. Creating a balanced team of implementation consultants who can work together as a team.
7. Selecting a good implementation methodology with minimum customization.
8. Training end users.
9. Adapting the new system and making the required changes in the working environment to make effective use of the system in future.

Factors to be considered before ERP Implementation
1. Infrastructure resource planning
2. Education about ERP
3. Human resource planning
4. Top management commitment
5. Training facilities
6. Commitment to release the right people for the implementation
Issues & Challenges of ERP
The following are the issues and challenges that would occur in implementing ERP:
1. Awareness: There is a low level of awareness amongst SMEs regarding ERP applications and their benefits.
2. Perception: SMEs have the perception that ERP is meant only for large firms, mainly owing to the high cost of acquisition, implementation and maintenance, and also the complexity.
3. Earlier implementation: SMEs have heard of the much publicized failures of ERP systems in E-Governance implementations, which have even led firms to bankruptcy. Some SMEs who have implemented ERP earlier have also failed.
4. Approach to implementation: ERP vendors advise SMEs to mold their business to the ERP's way of working, considering that ERP systems bring with them best business practices. But most SMEs have processes that they have evolved over time and hold very dear to their hearts. As a result, SMEs have the entire ERP system customized to meet their requirements.
5. Cost: SMEs have less capital than their larger counterparts.
6. Change management: One of the major reasons why ERP implementations nationwide have been known to fail is the implementation being considered as an automation project instead of one that involves change management. This results in the system being put in place but not being used effectively, due to people's lack of acceptance.
7. Limited resources: Most SMEs do not have an in-house IT team. Due to this they have to rely on external agencies to help them, and this adds to implementation cost.

Reasons for ERP Failure
1. Reluctance to change (even after ERP implementation)
2. Inability to incorporate the latest technology into the ERP
3. Inappropriate HR training

How does E-Commerce fit ERP?
ERP can go together with e-commerce to provide best practices. E-Commerce provides B2B and B2C interfaces to ERP. E.g. the NIBL website helps users to access their bank statements from NIBL's database (ERP). Care should be taken over restricted access and security issues. E-Commerce gives the ERP access to consumers and suppliers via the internet. Thus, it helps in customer relationship management, supply chain management, etc.
Supply Chain Management (SCM)
Introduction
It is an integrated approach to planning, implementing and controlling the flow of information, material and services from raw material and component suppliers, through the manufacturing of the finished product, to ultimate distribution to the end users.
SCM is the management of a network of all business processes and activities involving procurement of raw materials, manufacturing and distribution management of finished goods. It is a cross-functional inter-enterprise system that uses IT to help, support and manage links between some of a company's key business processes and those of its suppliers, customers and business partners. SCM is also called the art of providing the Right Product at the Right Time at the Right Place and at the Right Cost to the Customer.
SCM is an interconnected information system of a business organization which helps in the easy flow and tracking of raw materials, intermediate products and finished goods. It minimizes the material warehousing cost and product delivery cost.
Importance for Organization
- Supply chain strategy is the critical backbone of business organizations today.
- Effective market coverage and availability of products at the locations which hold the key to revenue recognition depend upon the effectiveness of the supply chain.
- It boosts customer service, i.e. the right product at the right time, at the right place and in the right quantity.
- It creates a fast, efficient and low-cost network of business relationships, or supply chain, to get the company's product from concept to market.

Supply Chain Planning and Execution System
Supply chain management software is segmented into planning components and execution components. Planning covers activities such as developing demand forecasts, establishing supplies, planning and scheduling manufacturing operations and developing key performance metrics to ensure efficient and cost-effective operations. The execution functions manage the processes and activities needed to ensure completion of the plans, including creating purchase orders, planned orders, and project orders. This also includes taking customer orders, updating the inventory, managing movement of products in the warehouse and delivering goods to the customer.
The major distinction between supply chain planning and supply chain execution applications is the business user's planning horizon or decision time frame. Supply chain planning applications support strategic and tactical planning processes that look several months to years into the future, often in terms of weekly and monthly time buckets. Supply chain execution applications deal with tactical and operational planning processes that look hours, days and weeks into the future, usually measured in small incremental buckets.

Supply Chain Planning
Supply Chain Planning provides strategic and tactical planning which is forward looking, with an outlook for the future. Supply Chain Planning deals with supply, distribution, manufacturing planning, production scheduling, demand planning, forecasting, supply chain collaboration and supply chain network design. Supply Chain Planning applications coordinate assets to optimize the delivery of goods, services and information from supplier to customer, balancing supply and demand. A Supply Chain Planning application suite sits on top of a transactional system to provide planning, what-if scenario analysis capabilities and real-time demand commitments. Typical supply chain planning software modules include network design, network planning, capacity planning, demand planning, manufacturing planning and scheduling, and distribution and deployment planning.

Supply Chain Execution
Supply Chain Execution applications use the information generated by supply chain planning tools to guide the physical production, storage and movement of raw material, assembly components and completed products. Supply Chain Execution applications are able to interface with Supply Chain Planning and other management systems to determine production capacity, both cost- and time-constrained capacities, and calculate a production plan which satisfies all requirements. This plan can also adapt quickly to any change in variables. Supply Chain Execution applications are order management, inventory management, warehouse management, transport management and logistics. These execution applications hence track the physical status of goods, the management of materials and financial information involving all parties.

Reverse Logistics
- It is the process of planning, implementing and controlling the efficient, cost-effective flow of RM, WIP, FG and related information from the point of consumption to the point of origin for the purpose of recapturing value or proper disposal.
- More precisely, it is the process of moving goods from their typical final destination for the purpose of capturing value or proper disposal to the satisfaction of the customer or consumer.
- Remanufacturing and refurbishment (repair) activities may be part of the production.
- It covers all operations related to the reuse of products and material.
- Reverse logistics includes processing returned merchandise due to damage, seasonal inventory, restock, salvage, recalls, and excess inventory. It also includes recycling programs, hazardous material programs, obsolete equipment disposition, and asset recovery.
o E.g. reverse logistics begins when a customer who bought a product returns it due to damage or defects.
o The manufacturing firm has to perform shipping of the returned products, testing the product, dismantling, repairing, recycling or disposing of the product.
o The product also travels in reverse through the supply chain network in order to recover any use from the defective product.
Objectives of Reverse Logistics
1. Improved customer satisfaction and loyalty
2. Reduced repair / replacement unit costs
3. Reduced replacement turnaround times
4. Feedback on hardware design and ease of use
5. Feedback on OEM quality
6. Feedback on end consumer education and first level customer support
7. Improved understanding of the real reasons for hardware returns
8. Reduced overall level of returns
9. Standardized returns processes across the enterprise where possible/desired
10. Use of common systems across the enterprise and automation of the returns process to the extent possible/desired
11. Handling increased volumes of returns due to new products, programs, business partners
12. Enabling demand-driven supply chain concepts for returned products
13. Differentiating the company's services from the competition
Sales Force Automation (SFA)
Sales Force Automation, abbreviated as SFA, refers to the technique wherein software is used to automate business tasks such as the inventory control system, account management, process management, contact management, customer tracking, sales funnel management, sales forecasting analysis, product knowledge, sales lead tracking system, sales team performance evaluation, etc. Sales Force Automation software can be customized according to the business needs or can be purchased from the market to suit the business requirements. Some of the software available in the market are:
Salesforce.com
Infusionsoft
Microsoft Dynamics CRM
Prophet
PlanPlus offline, etc.
SFA is the part of the company's Customer Relationship Management system that records every stage of the sales process. It is often called Customer Relations Management software. It is the use of computers to automate sales recording and reporting by sales people as well as communication and sales support. It is an integrated application of customizable customer relationship management (CRM) that automates business tasks such as:
- Inventory control
- Sales processing & forecasting
- Order processing
- Listing of potential customers & their contacts
- Tracking of customer interactions, as well as
- Analyzing sales forecasts & performance
It improves productivity by saving time otherwise spent on manual creation of records, reports and presentations. It is the process of maximizing the efficiency of the repeatable processes a sales person performs.
- For e.g. many sales forces have multiple representatives calling on the same customer.
- SFA helps to coordinate communication with the customer.
- Over-communicating can irritate a prospect or customer. Here's an example of how that can happen:
- A sales team might have a field sales rep, a sales engineer, a marketing support representative, an inside sales representative, a technical specialist, an industry expert, a solutions expert and all of their management working inside the same account.
- Imagine that the company came out with a new product and all these representatives sent the customer the new product announcement.
- Now imagine that same customer also getting the same information from the product marketing, industry marketing, solutions marketing, vertical marketing and field marketing organizations.
- Can you see how that might be irritating to the customer?
SFA in particular provides the sales organization with tools to improve communication with consumers until they are ready to buy. A prospect can be set up in the CRM so that they receive informative emails on a regular basis.
- SFA includes a contact management system which tracks all contact that has been made with a given customer, the purpose of the contact and any follow-up that might be required.
- This ensures that sales efforts are not duplicated, reducing the risk of irritating customers.

Competitive/Strategic Advantage of SFA System
- Sales staff will use their time more effectively. Sales managers' time spent on collecting information and reports will be saved. This increases productivity and creates competitive advantage by reducing cost and increasing sales and market share.
- Field sales staff can send their sales information more quickly to management after each sale. Management stays updated on sales status.
- If information about customers obtained from the SFA system is used to develop products that meet customer expectations, customers would be satisfied, which results in customer loyalty and provides competitive advantage.
Disadvantages
- Difficult to implement
- Requires continuous maintenance & upgrading
- Costly
- Difficult task to integrate with other existing information systems.

Advantages of Sales Force Automation
1. Increased productivity.
2. Competitive advantage in terms of cost, revenue, and market share.
3. Timely information regarding the sales.
4. Increased customer satisfaction with the reduced response time.
5. Keeping proper records of the customer that can be tracked down easily.
6. The sales forecast can be done accurately with the help of past sales data.
7. Efficient utilization of scarce resources.
8. Less time required by the sales manager to prepare the daily, quarterly, monthly or annual reports.
9. Optimum utilization of time by the staff members.
Disadvantages of Sales Force Automation
1. Data entry is too time consuming.
2. Difficult to accustom with the existing information software system.
3. With automation, the personal touch is lost.
4. Tedious job of regularly upgrading the system, making the new entries, cleaning the unwanted data entries and maintaining the system as a whole.
5. Sometimes difficult to integrate with the company's other management information systems.
6. The high cost involved in the installation and maintenance of the system.
7. Requires continuous maintenance & upgrading.
CRM
Customer Relationship Management (CRM) is a strategy that companies use to manage interactions with customers and potential customers. CRM helps organisations streamline processes, build customer relationships, increase sales, improve customer service, and increase profitability.
- It is an approach to managing a company's interactions with current and future customers.
- It often involves using technology to organize, automate, and synchronize sales, marketing, customer service, and technical support.
- The focus of CRM can create loyalty in customers that results in increased sales.
- CRM systems are designed to compile information on customers across different channels or points of contact between the customer and the company, which could include the company's website, telephone, live chat, direct mail, marketing materials and social media.
- CRM systems can also give customer-facing staff detailed information on customers' personal information, purchase history, buying preferences and concerns.
- CRM software is designed to help businesses meet the overall goals of customer relationship management.
- Today's CRM software is highly scalable and customizable, allowing businesses to gain actionable customer insights with a back-end analytical engine, view business opportunities with predictive analytics, streamline operations and personalize customer service based on the customer's known history and prior interactions with your business.
- CRM software is commonly used to manage a business-customer relationship; however, CRM software systems are also used in the same way to manage business contacts, clients, contract wins and sales leads.

Main goals of CRM
- Find new customers
- Retain existing customers
- Enhance customer loyalty
- Reduce marketing costs

Benefits/Objectives
- Streamlined sales and marketing processes
- Higher sales productivity
- Added cross-selling and up-selling opportunities
- Improved service, loyalty and retention
- Increased call center efficiency
- Higher close rates
- Better profiling and targeting
- Reduced expenses
- Increased market share
- Higher overall profitability
- Marginal costing

Challenges/limitations of CRM
- Expensive: The cost of implementation is high. It requires investment to keep customer data.
- Business managers and IT professionals underestimate the complexity of the planning, development, and training that are needed to prepare for a new CRM system.
- Insufficient training in the new work tasks required by the CRM system.
- Overreliance by company or IT management on the claims of CRM software vendors or the assistance of prestigious consulting firms hired to lead the implementation.
- Failure to involve affected employees in the planning and development phase and in change management programs.
- Trying to do too much too fast in the conversion process.

Major Application Areas of CRM / How do different business functions benefit from CRM?
A. Sales teams can use CRM to understand their sales pipeline better. Sales managers can access reliable information about the progress of individual team members in achieving their sales targets, for example, and see how well individual sales teams, products and campaigns are performing too. Sales reps benefit from reduced admin, a deeper understanding of their clients, and the opportunity to spend more time selling and less time inputting data.
B. Marketing teams can use CRM to make forecasting simpler and more accurate. They can get clear visibility over every opportunity or lead, and map out the whole customer journey from enquiry through to sale, so giving them a better understanding of the sales pipeline or prospective work coming in. It's also possible to include information from customers' public social media activity – their likes and dislikes, and their sentiment about specific brands and businesses.
C. Customer service teams can effectively track conversations across channels. A customer might raise an issue in one channel – say, Twitter or Facebook – but then switch to email, phone or live chat to resolve it in private. Without a common platform for customer interactions, communications can be missed or lost in the flood of information – leading to an unsatisfactory response to a valued customer.
D. Supply-chain, procurement and partner management teams can manage relationships better. They can track meetings with suppliers and partners, record requests made, add useful notes, schedule follow-ups and stay on top of expected next steps. Reporting enables businesses to compare the efficiency of suppliers and so manage their entire supply chain more effectively.
E. The HR team can use CRM to accelerate the recruitment process and track employee performance. CRM can help the HR function by speeding up the on-boarding process, automating the process of managing candidates, analysing resourcing needs and identifying skills gaps, and supporting the pursuit of staff retention targets.

ISO 27001
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1) Define a security policy.
2) Define the scope of the ISMS.
3) Conduct a risk assessment.
4) Manage identified risks.
5) Select control objectives and controls to be implemented.
6) Prepare a statement of applicability.
CHAPTER – 9 BUSINESS CONTINUITY PLANNING & DISASTER RECOVERY PLANNING
BCP is creation & validation of practical logistical plan for enterprise to recover & restore critical (urgent) functions within predetermined time after disaster / disruption. It is to be
performed before disaster occurs otherwise it would be too late to plan effective response. Consequences of disaster may be more severe in case of inadequate planning / no planning
on operations, profitability, quality of service, & convenience.
During disruptive events, BCP is guiding document which layout steps to be initiated by mgmt. to continue operations / run business under stressful condition on occurrence of disaster.
Areas covered under BCP Objectives of BCP Goals of BCP
 Business Resumption Planning: It is Primary objective is to minimize loss by minimizing cost associated with disruptions &  Identify weaknesses &
operation’s piece of BCP to resume business. enable org . to survive disaster & to re-establish normal business operations . Key implement disaster prevention
 Disaster Recovery Planning : It is technological objectives of plan shall include: program;
aspect of BCP for advance planning &  Provide safety of people on premises  Minimize immediate damage & losses;  minimize duration of disruption
preparation necessary to ensure continuity of during disaster;  Establish management succession & to business operations;
critical business functions in event of disaster.
 Identify critical lines of business & emergency powers;  facilitate effective co-ordination
 Crisis Management: It means co-ordination of org.’ supporting functions.  Facilitate effective co-ordination of of recovery tasks;
s response to crisis to minimize damage to its
 Continue critical business operations; recovery tasks;  reduce complexity of recovery
profitability, reputation or ability to operate.
 Minimize duration of serious disruption  Reduce complexity of recovery effort; effort.

Methodology / Characteristics of BCP
 Providing management with a detailed understanding of the efforts required to develop & maintain an effective recovery plan.
 Obtaining commitment from appropriate management to support & participate in the effort.
 Defining recovery requirements from the perspective of business functions.
 Documenting the impact of loss to operations & key business functions.
 Focusing appropriately on disaster prevention, impact minimization & orderly recovery.
 Selecting business continuity teams.
 Developing a business continuity plan which is understandable, easy to use & maintain.
 Defining how business continuity considerations must be integrated into ongoing business planning & system development processes so that the plan remains viable.
BCP Manual
The BCP manual is a documented description of the actions to be taken, resources to be used & procedures to be followed before, during & after an event which disrupts business operations. The BCP is expected to:
 Provide reasonable assurance to senior management about the capability to recover from an unexpected incident / disaster & continue to provide services with minimum impact.
 Anticipate various types of incident / disaster scenarios & outline an action plan for recovering from the same with minimum impact, ensuring 'continuous availability of all key services to clients'.
 Specify that the responsibility of the BCM team is to establish appropriate BCP procedures to ensure continuity of critical business functions.
Eight Phases of BCP
Phase 1 – Pre-Planning Activities (BCP Initiation)
It obtains an understanding of the existing & projected computing environment of the org. to identify & address any issues that could have an impact on the project. In this phase, a Steering Committee is established to provide direction & guidance to the project team & also to make all decisions related to the recovery planning effort.
Phase 2 – Vulnerability Assessment & General Definition of Requirements
Security & controls within the org. are a continuing concern. It is better to concentrate on activities having the effect of reducing the possibility of disaster occurrence, rather than concentrating on minimizing the impact of an actual disaster.
a. A thorough Security Assessment of the system & communications environment: physical security, operating procedures, backup & contingency planning, systems development & maintenance, database security etc.
b. The Security Assessment will enable the project team to improve existing / implement new emergency plans & disaster prevention measures.
c. Findings & recommendations should be forwarded to the Steering Committee so that corrective actions can be initiated.
d. Assemble the Project Team & conduct awareness sessions.
Phase 3 – Business Impact Analysis (BIA)
It enables the project team to:
a. identify critical systems, processes & functions;
b. assess the economic impact of incidents & disasters which result in denial of access to systems, services & facilities; &
c. assess the "pain threshold," i.e. the length of time for which business units can survive without access to systems, services & facilities.
The BIA Report should be presented to the Steering Committee. It identifies critical service functions & the timeframes in which they must be recovered after an interruption.
Phase 4 – Detailed Definition of Requirements
In this phase, a profile of recovery requirements is developed for analyzing alternative recovery strategies. The profile is developed by identifying the resources required to support the critical functions identified in Phase 3. The profile includes hardware, software, documentation, facilities & personnel for each business unit.
Phase 5 – Plan Development
The objective of this phase is to determine the available options. It formulates alternative operating strategies for providing timely recovery of all critical processes. In this phase, recovery plan components are defined & the plans are documented.
Phase 6 – Testing/Exercising Program
Testing/exercising programs are developed during this phase. Testing/exercising goals are established & alternative testing strategies are evaluated. Testing strategies suitable to the environment should be selected & an on-going testing program should be established.
Phase 7 – Maintenance Program
Maintenance of the plans is critical for the success of an actual recovery. Management procedures should be revised / implemented to take recovery plan maintenance into account, so that the plan remains viable.
Phase 8 – Initial Plan Testing & Plan Implementation
Once the plans are developed, initial tests of the plans are conducted & necessary modifications are made based on analysis of the test results. This phase includes:
a. Defining test purpose/approach
b. Identifying test teams
c. Structuring the test
d. Conducting the test
e. Analyzing test results
f. Modifying the plan as appropriate
CHAPTER – 9 BUSINESS CONTINUITY PLANNING & DISASTER RECOVERY PLANNING
DRP and its components: A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business's IT infrastructure in the event of a disaster. It refers to an organization's ability to effectively plan for and recover from a disaster and/or unexpected event, ultimately resuming operations as necessary. A DRP has four components:
1. Emergency Plan
It specifies the immediate actions to be taken when a disaster occurs. Management must identify the situations that require the plan to be invoked, e.g., major fire, structural damage, or terrorist attack.
 Who is to be notified immediately when the disaster occurs - management, police, fire department, medical team etc.?
 Actions to be undertaken, like shutdown of equipment, removal of files, or termination of power.
 Evacuation procedures required must be specified.
 Return procedures (e.g., conditions that must be met before the site is considered safe) must be designated.
Personnel responsible for actions must be identified & the protocols to be followed must be specified clearly.
2. Back-up Plan
It specifies the type of backup to be kept, the frequency with which backup is to be undertaken, procedures for making backups, the location of backup resources, the site where these resources can be assembled & operations can be restarted, the personnel responsible to gather backup resources & restart operations, and the priorities & time frame for recovery.
 It is better to have more than 1 knowledgeable person in the backup task in case someone leaves or is injured when the disaster occurs.
 Lists of hardware & software must be updated to reflect acquisitions & disposals.
3. Recovery Plan
 It sets out procedures to restore full IS capabilities.
 It should identify a recovery committee that will be responsible for working out the specifics of the recovery to be undertaken.
 It should specify the responsibilities of the committee.
 It might also indicate which applications are to be recovered first.
 Periodically, committee members must review & practice executing their responsibilities so they will be prepared when a disaster occurs.
 If committee members leave, new members must be appointed immediately.
4. Test Plan
Its purpose is to identify deficiencies in the emergency, backup, or recovery plans or in the preparedness of the org. & its personnel for facing a disaster. Periodically, test plans must be invoked, but unfortunately top managers are often unwilling to carry them out because daily operations are disrupted. They also fear a real disaster could arise as a result of the test procedures.
TYPES OF BACK-UPS
Full Backup
It captures all files on the disk / within the folder selected for backup. Every backup generated contains every file in the backup set. At each backup run, all files designated in the backup job will be backed up again, including files & folders that have not changed. It is commonly used as an initial / first backup followed by subsequent incremental or differential backups. Any good backup plan has at least one full backup of a server.
Advantages:
 Easy to manage & fast restoration
Disadvantages:
 Backup takes a long time & consumes more storage
Incremental Backup
It captures files that were created or changed since the last backup (full / incremental backup). With incremental backups, one full backup is done first & subsequent backup runs contain just the changed files & new files added since the LAST BACKUP.
Advantages:
 Faster backup
 Efficient use of storage
Disadvantages:
 Restoration is slower & complex (the full backup plus every incremental taken since it must be restored, in order)
Differential Backup
It falls in the middle between full backups & incremental backups. It stores files that have changed since the last full backup. With differential backups, one full backup is done first & subsequent backup runs contain the changes made since the LAST FULL BACKUP.
Restoring from a differential backup is a 2-step operation:
i. First restore from the last full backup; & then
ii. Restore the appropriate (latest) differential backup.
Advantages:
 Much faster backups than full backups
 More efficient use of storage than full backups
 Faster & simpler restoration than incremental backups
Disadvantages:
 Slower backups than incremental backups
 Not as efficient use of storage as incremental backups
 Slower & more complicated restoration than with full backups
Mirror Back-up
It is a mirror of the source being backed up. With mirror backups, when a file in the source is deleted, that file is also deleted in the mirror backup. Because of this, mirror backups should be used with caution, as a file that is deleted by accident, sabotage or through a virus will also be deleted from the mirror. It is identical to a full backup with the exception that files are not compressed in zip files & they cannot be protected with a password. It is used to create an exact copy of the backup data. E.g. many online backup services offer a mirror backup with a 30-day delete.
Advantages:
 Backup is clean & does not contain old & obsolete files.
Disadvantages:
 Files deleted in the source accidentally / by sabotage / through a virus are also deleted from the backup mirror.
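The four backup types above differ in what each run writes and in how many runs a restore has to replay. The following simulation, added here as an illustration and not part of the original notes, drives the same constructed change history (files a, b, c with made-up logical timestamps; c is deleted by mistake in the last step) through an incremental scheme, a differential scheme and a mirror scheme, then restores from the last run of each. The file names, timestamps and helper names are assumptions made for the example.

```python
"""Simulate full, incremental, differential and mirror backup runs over one
constructed change history, then restore from the last run of each scheme.
Added example; file names and logical timestamps are constructed."""
from dataclasses import dataclass


@dataclass
class Run:
    kind: str        # "full", "incremental", "differential" or "mirror"
    time: int        # logical clock of the run
    captured: dict   # file name -> modification time written by this run


# Constructed change history: (run time, files present with their mtimes).
# t=1 edits a, t=2 edits b, t=3 deletes c by accident.
TIMELINE = [
    (0, {"a": 0, "b": 0, "c": 0}),
    (1, {"a": 1, "b": 0, "c": 0}),
    (2, {"a": 1, "b": 2, "c": 0}),
    (3, {"a": 1, "b": 2}),
]


def select_files(kind, source, history):
    """Files a run of `kind` writes, given the runs taken so far."""
    if kind in ("full", "mirror"):
        return dict(source)                        # everything, every time
    fulls = [r for r in history if r.kind == "full"]
    if not fulls:
        raise ValueError(f"{kind} backup needs a prior full backup")
    if kind == "incremental":
        since = history[-1].time                   # changed since LAST backup
    elif kind == "differential":
        since = fulls[-1].time                     # changed since LAST FULL backup
    else:
        raise ValueError(kind)
    return {name: mtime for name, mtime in source.items() if mtime > since}


def simulate(scheme, timeline=TIMELINE):
    """First run is a full backup (except for a mirror); later runs follow `scheme`."""
    history = []
    for i, (time, source) in enumerate(timeline):
        kind = "full" if i == 0 and scheme != "mirror" else scheme
        history.append(Run(kind, time, select_files(kind, source, history)))
    return history


def restore_chain(history, index):
    """Indices of the runs needed to restore the state as of run `index`."""
    target = history[index]
    if target.kind in ("full", "mirror"):
        return [index]
    last_full = max(i for i in range(index) if history[i].kind == "full")
    if target.kind == "differential":
        return [last_full, index]                  # the two-step restore
    # incremental: the full plus every run after it, in order
    return [last_full] + list(range(last_full + 1, index + 1))


def restore(history, index):
    """Replay the restore chain; later runs overwrite earlier copies."""
    state = {}
    for i in restore_chain(history, index):
        state.update(history[i].captured)
    return state


def files_written(history):
    """Total file copies written across all runs (a proxy for storage used)."""
    return sum(len(r.captured) for r in history)


if __name__ == "__main__":
    for scheme in ("incremental", "differential", "mirror"):
        hist = simulate(scheme)
        print(scheme, [sorted(r.captured) for r in hist],
              "chain:", restore_chain(hist, 3),
              "restored:", restore(hist, 3),
              "written:", files_written(hist))
```

Two things the prose states show up as numbers here: the incremental chain needs four runs to restore while the differential needs two, and the mirror is the only scheme whose restore has lost file c, because the accidental delete was propagated to the copy.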
ALTERNATIVE PROCESSING FACILITY ARRANGEMENTS (Backup site options)
Cold Site: If the org. can tolerate some downtime, cold-site backup might be appropriate. A cold site has all the facilities needed to install a mainframe system, like raised floors, AC, power, communication lines etc., but no computing hardware. It can be managed in-house or by an outside provider.
Hot Site: If fast recovery is critical, the org. might need hot-site backup. All hardware & operations facilities will be available at the hot site. In some cases, software, data & supplies might also be stored there. A hot site is expensive to maintain. They are usually shared with other organisations that have hot-site needs.
Warm Site: A warm site provides an intermediate level of backup. It has all cold-site facilities in addition to hardware that might be difficult to obtain or install. E.g. a warm site might contain selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications in the short run.
Reciprocal Agreement: Two or more organisations might agree to provide backup facilities to each other in the event of one suffering a disaster. This option is relatively cheap, but each participant must maintain sufficient capacity to operate another's critical system.
If a third-party site is to be used for backup & recovery purposes, SECURITY ADMINISTRATORS MUST ENSURE THAT A CONTRACT IS WRITTEN TO COVER THESE ISSUES:
 how soon the site will be made available subsequent to a disaster;
 the number of organizations allowed to use the site concurrently in the event of a disaster;
 the priority to be given to concurrent users of the site in the event of a common disaster;
 the period during which the site can be used;
 the conditions under which the site can be used;
 the facilities & services agreed to be made available; &
 what controls will be in place & working at the off-site facility.

CONTENT OF DRP DOCUMENT
 Emergency procedures to be taken after an incident posing threats to business operations / human life, e.g. calling Police, Fire brigade.
 Fallback procedures for moving essential business activities to alternate temporary locations.
 Resumption procedures to be taken to return to normal business operations.
 Maintenance schedule specifying 'how & when the plan will be tested'.
 List of important vendors including contact numbers & addresses.
 List of phone numbers of employees in the event of emergency.
 Emergency phone list: fire, police, hardware, software, suppliers, customers, back-up location, etc.
 Medical procedures for emergency purposes.
 Insurance papers & claim forms.
 Location of data & program files, documentation manuals, back-up media.
 Names of employees trained for emergency situations, first aid & life saving techniques, with their contact details.
 Details of airline, hotel & transport arrangements.
Main Aspects of DRP/BCP
- The strategy to restore the system and its normal operation in case of a disaster causing unavailability of the system.
- Provisioning of a disaster recovery system setup, preferably in a separate geographical location.
- Detailed data and system backup/restoration action plan and procedures to make sure that minimal data loss occurs even in case of a major disaster.
- Predefined procedure for data recovery and restoration using backup data or other sources.
- Mechanism to alert the system operators, administrators and users immediately in the event of a disaster. This entails a proper monitoring and alarm/alert mechanism.
Audit tools and techniques used by a system auditor to ensure that the disaster recovery plan is in order:
- Automated tools: They make it possible to review large computer systems for a variety of faults in a short time period. They can be used to find threats and vulnerabilities such as weak access controls, weak passwords, and lack of integrity of the system software.
- Internal Control Auditing: This includes inquiry, observation and testing. The process can detect illegal acts, errors, irregularities or lack of compliance with laws and regulations.
- Disaster and Security Checklists: These checklists are used to audit the system. The checklists should be based upon disaster recovery policies and practices, which form the baseline. Checklists can also be used to verify changes to the system from a contingency point of view.
- Penetration testing: It is used to locate vulnerabilities in the system.
General Steps to Create BCP/DRP
1. Identify the Scope and Boundaries of BCP: The first step enables us to define the scope of the BCP. It provides an idea of the limitations and boundaries of the plan. It also includes the audit and risk analysis report for the institution's assets.
2. Conduct a Risk Assessment
3. Conduct a Business Impact Analysis (BIA): BIA is the study and assessment of the effects on the organization in the event of the loss or degradation of business/mission functions resulting from a destructive event. Such loss may be financial or less tangible but nevertheless essential.
4. Inform Top Management: Inform top management about the importance of DRP/BCP and also about the analysis made earlier. Obtain commitment for BCP/DRP from top management.
5. Seek help of all departments: Each department will be affected by a disaster & breakdown of the system. So involve each department in the portion of the planning that relates to that department.
6. Develop Business Continuity and Recovery Strategies
7. Develop Business Continuity Plans
8. Conduct awareness, testing and training for the DRP
9. Implement the BCP/DRP: The BCP project team finally has to implement the plan. Guidelines set up in the BC plan are to be followed.
10. Conduct DRP maintenance and exercises
Mirroring
In data storage, disk mirroring or RAID 1 is the replication of logical disk volumes onto separate physical hard disks in real time to ensure continuous availability. A mirrored volume is a complete logical representation of separate volume copies. In a disaster recovery context, mirroring data over a long distance is referred to as storage replication. Depending on the technologies used, replication can be performed synchronously, asynchronously, semi-synchronously, or point-in-time. Replication is enabled via microcode on the disk array controller or via server software. It is typically a proprietary solution, not compatible between various storage vendors.
Mirroring is typically only synchronous. Synchronous writing typically achieves a recovery point objective (RPO) of zero lost data. Asynchronous replication can achieve an RPO of just a few seconds, while the remaining methodologies all provide an RPO of a few minutes to perhaps several hours.
Disc Imaging & Analysis
Disk imaging refers to creating an exact copy of a storage device, such as a hard drive, CD, DVD, etc. The disk image represents the contents exactly as they are on the original storage device. This preserves the integrity of the storage device, since analysis is done on the image rather than on the original. Common uses of disk imaging are:
- Burning CDs, DVDs
- System Backup
- Data Recovery
- Creating a portable version of a user's system etc.
Analysis: The image copy of the disc is processed to make the analysis (such as in a fraud investigation). A search is made across all contents of the disc. Information can be recovered from investigation of free space, lost chains, deleted files etc.
Clustering
It is a technique in which the IS server is designed in such a way that data & applications are replicated in more than 1 physical system. Two or more computers are connected such that they behave like a single computer. The system is designed in such a way that system availability & data security are guaranteed even if a number of servers or storage devices fail. In a good clustered system, switchover from one equipment to another is automatic when any equipment fails.
Clustering is used for:
1. Parallel Processing: Simultaneous use of more than 1 CPU to process a task.
2. Fault Tolerance: The ability of a system to respond to an unexpected hardware or software failure. Fault tolerant systems mirror all operations, i.e. every operation is performed on 2 or more computers, so that if one fails, another can take over; i.e. fault tolerance is a high availability feature or a means to achieve high availability.
3. Load balancing: Multiple computers are linked together to share workload & function as a single virtual computer. Busy websites generally employ 2 or more web servers. If one server gets flooded with user requests, requests are forwarded to another server with more capacity.
High Availability Planning of Servers
In information technology, high availability refers to a system or component that is continuously operational for a desirably long length of time. Availability can be measured relative to "100% operational" or "never failing." A widely-held but difficult-to-achieve standard of availability for a system or product is known as "five 9s" (99.999 percent) availability. For any system to be highly available, the parts of the system should be well-designed and thoroughly tested before they are used. For example, a new application program that has not been thoroughly tested is likely to become a frequent point of breakdown in a production system.
Achieving business continuity is a primary concern for modern organizations. Downtime can cause significant financial impact and, in some cases, irrecoverable data loss. The solution to avoiding service disruption and unplanned downtime is employing a high availability architecture. Because every business is highly dependent on the Internet, every minute counts. That is why company computers and servers must stay operational at all times. Whether you choose to house your own IT infrastructure or opt for a hosted solution in a data center, high availability must be the first thing to consider when setting up your IT environment. A highly available architecture involves multiple components working together to ensure uninterrupted service during a specific period. This also includes the response time to users' requests. Namely, available systems have to be not only online, but also responsive. Implementing a cloud computing architecture that enables this is key to ensuring the continuous operation of critical applications and services. They stay online and responsive even when various component failures occur or when a system is under high stress.
Highly available systems include the capability to recover from unexpected events in the shortest time possible. By moving the processes to backup components, these systems minimize downtime or eliminate it. This usually requires constant maintenance, monitoring, and initial in-depth tests to confirm that there are no weak points. High availability environments include complex server clusters with system software for continuous monitoring of the system's performance. The top priority is to avoid unplanned equipment downtime. If a piece of hardware fails, it must not cause a complete halt of service during production time.
Staying operational without interruptions is especially crucial for large organizations. In such settings, a few minutes lost can lead to a loss of reputation, customers, and thousands of dollars. Highly available computer systems tolerate glitches as long as the level of usability does not impact business operations.
A highly available infrastructure has the following traits:
• Hardware redundancy
• Software and application redundancy
• Data redundancy
• Single points of failure eliminated
To ensure high availability for a server environment, consider the following when planning for hardware:
1. Plan on running multiple (at least two) servers in a server group to accommodate running multiple instances of the application hosts across the servers in the group. This will accommodate load balancing and fault tolerance of the processes running in the host instances.
2. Consider implementing a storage area network (SAN) to house the server databases. The SAN disks should be configured using a RAID 1+0 (a stripe of mirror sets) topology, if possible, for maximum performance and high availability.
3. Plan on installing multiple SQL servers to house the server databases. Multiple SQL servers are required for SQL server clustering (recommended) and/or for housing certain server databases on separate physical SQL server instances.
4. Plan on installing one or more Windows servers in a perimeter network domain to provide Internet-related services for your organization. Configure multiple Windows servers in the perimeter network domain using a network load balancing (NLB) solution.
To ensure high availability for the server environment, consider the following when planning for software:
1. Consider investing in the enterprise edition of the server product to accommodate scenarios that would benefit from clustering of hosts or from running multiple message box databases. Typically, the only reason you should cluster a host would be to provide high availability for certain adapters.
2. Plan on implementing a Windows server cluster to house the server databases and the enterprise single sign-on master secret server.
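The "five 9s" figure and the "single points of failure eliminated" trait are easier to reason about as arithmetic. The following is an added example, not part of the original notes: it converts an availability figure into an annual downtime budget, derives availability from MTBF/MTTR, and composes a three-tier system (load balancer, web tier, database tier) so that the effect of one non-redundant component can be seen directly. All component availability figures, the tier layout and the function names are constructed for the example.

```python
"""Availability arithmetic for a small redundant architecture.
Added example; the per-component availability figures are constructed."""
from math import prod

MINUTES_PER_YEAR = 365.25 * 24 * 60


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability from mean time between failures and mean time to repair."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(a):
    """Unavailability budget implied by an availability figure such as 0.99999."""
    return (1.0 - a) * MINUTES_PER_YEAR


def serial(*components):
    """All components must be up at once: the chain is the product of the parts.
    A single component in series caps the whole system (a single point of failure)."""
    return prod(components)


def parallel(*components):
    """Service survives while at least one redundant component is up."""
    return 1.0 - prod(1.0 - a for a in components)


def system_availability(lb_nodes, web_nodes, db_nodes):
    """Load balancer tier -> web tier -> database tier. Each tier is a parallel
    group of nodes; the tiers are in series. Inputs are per-node availabilities."""
    return serial(parallel(*lb_nodes), parallel(*web_nodes), parallel(*db_nodes))


if __name__ == "__main__":
    print(f"five 9s allow {downtime_minutes_per_year(0.99999):.2f} minutes of downtime per year")
    print(f"MTBF 999 h, MTTR 1 h gives availability {availability(999, 1):.3f}")
    # Constructed figures: a 99.9% load balancer, two 99% web servers,
    # a two-node 99.9% database cluster.
    single_lb = system_availability([0.999], [0.99, 0.99], [0.999, 0.999])
    dual_lb = system_availability([0.999, 0.999], [0.99, 0.99], [0.999, 0.999])
    print(f"single load balancer:     {single_lb:.6f}")
    print(f"redundant load balancers: {dual_lb:.6f}")
```

With one load balancer the system cannot beat that component's 99.9% no matter how redundant the tiers behind it are; duplicating it lifts the whole system to roughly 99.99%. The model assumes independent failures, which is optimistic for components sharing power, network or a software defect.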
High Availability Vs Disaster Recovery
IT Outsourcing
It refers to outsourcing all or parts of IT functions to an external party who performs those IT functions better than the organization's internal IT department. An IT outsourcing strategy can require input from many departments including operations, legal, supply chain and human resources. The responsibility for the outcome of an IT outsourcing strategy, however, usually lies with the organization's chief information officer.
Reasons for IT Outsourcing:
1. Gain operational or financial efficiencies.
2. Increase management focus on core business functions.
3. Refocus limited internal resources on core functions.
4. Obtain specialized expertise.
5. Increase availability of services.
6. Improve quality, reduce costs and strengthen controls.
Board and Management responsibilities in IT Outsourcing:
1. Ensuring each outsourcing relationship supports the institution's overall requirements and strategic plans.
2. Ensuring the institution has sufficient expertise to oversee and manage the relationship.
3. Evaluating prospective providers based on the scope and criticality of outsourced services.
4. Tailoring the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
5. Notifying its primary regulator regarding outsourced relationships, when required by that regulator.
Operational/Transaction risk associated with IT Outsourcing:
Operational risk in IT Outsourcing arises from fraud, error or the inability to deliver products or services, maintain a competitive position, or manage information. It exists in each process involved in the delivery of the financial institution's products or services. The following are the major operational risks in IT Outsourcing:
1. Reputation Risk: Errors, delays or omissions in IT that become public knowledge or directly affect customers can significantly affect the reputation of the serviced financial institution. E.g. a Technology Service Provider's (TSP's) failure to maintain adequate business resumption plans and facilities for key processes may impair the ability of serviced financial institutions to provide critical services to their customers.
2. Strategic Risk: Inadequate management experience and expertise can lead to a lack of understanding and control of key risks. Additionally, inaccurate information from TSPs can cause the management of serviced financial institutions to make poor strategic decisions.
3. Compliance (Legal) Risk: Outsourced activities that fail to comply with legal or regulatory requirements can subject the institution to legal sanctions. For e.g. inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the institution to civil money penalties or litigation. TSPs often agree to comply with banking regulations, but their failure to track regulatory changes could increase compliance risk for their serviced financial institutions.
4. Interest rate, liquidity and price (market) Risk: Processing errors related to investment income or repayment assumptions could lead to unwise investment or liquidity decisions, thereby increasing market risks.
A company has decided to outsource its recovery process to a third-party site. What are the issues that should be considered by the security administrators while drafting the contract?
If a third-party site is to be used for recovery purposes, security administrators must ensure that a contract is written to cover the following issues:
- How soon the site will be made available after a disaster
- The number of organizations that will be allowed to use the site concurrently in the event of a disaster
- The priority to be given to concurrent users of the site in the event of a common disaster
- The period during which the site can be used
- The facilities and services the site provider agrees to make available
- Procedures to ensure security of the company's data from being accessed / damaged by other users of the facility
- What controls will be in place for working at the off-site facility
Note to the RAID comparison (the table itself is not reproduced here): n = total no. of disks used. A fault tolerance of 1 disk means that even if one disk is damaged, data can be recovered, but if two disks are damaged then data cannot be recovered.
RAID (Redundant Array of Independent/Inexpensive Disks)
It is a technology that allows high levels of storage reliability from low-cost and less reliable PC-class disk drive components via the technique of arranging the devices into arrays for redundancy. RAID is now used as an umbrella term for computer data storage schemes that can divide and replicate data among multiple hard disk drives.
RAID combines two or more physical hard disks into a single logical unit using special hardware or software solutions. Hardware solutions are designed to present themselves to the attached system as a single hard drive, so that the operating system is unaware of the technical workings. Software solutions are implemented in the OS & present the RAID volume as a single drive to applications running within the OS.
There are 3 key concepts in RAID:
- Mirroring: Writing of identical data to more than one disk.
- Striping: Splitting of data across more than one disk. Striping means partitioning each drive's storage space into units that are interleaved across the drives.
- Error Checking: Where redundant parity data is stored to allow problems to be detected & possibly repaired.
RAID's various designs involve two goals:
- Increase data reliability
- Increase input/output performance
Each RAID scheme affects reliability & performance in different ways. Every additional disk included in an array increases the likelihood that one will fail, but by using error checking &/or mirroring the array as a whole can be made more reliable through its ability to survive & recover from a failure.
Types/Levels of RAID:
1. RAID 0: Disk Striping
2. RAID 1: Disk Mirroring
3. RAID 2: Hamming code parity
4. RAID 3: Striped set with dedicated parity or bit interleaved parity or byte level parity
5. RAID 4: Block level parity
6. RAID 5: Striping with parity
7. RAID 6: Striping with double parity
In detail,
1. RAID 0: Disk Striping
It has block-level striping without parity or mirroring and has no redundancy. It provides improved performance and additional storage but no fault tolerance. Any disk failure destroys the array, and the likelihood of failure increases with more disks in the array.
Advantages:
- Provides faster read-write speed
- Easy to implement
Disadvantages:
- If one disk fails, the entire array's data is lost. So it is not fault tolerant.
2. RAID 1: Disk Mirroring
It has mirroring without parity or striping. Data is written identically to multiple disks. Any number of disks may be used; normally only two are used. The array provides fault tolerance from disk errors or failures and continues to operate as long as at least one drive in the mirrored set is functioning.
Advantages:
- Excellent read speed (reads can be served from either copy); write speed is that of a single disk.
- In case a disk fails, data can be easily recovered from the other (fault tolerant).
Disadvantages:
- Effective storage capacity is only half of the total disk capacity because all data gets written twice.
3. RAID 2: Hamming code parity
It has bit-level striping with dedicated Hamming-code parity. Data is striped such that each sequential bit is on a different disk. An additional drive stores the parity information. At least 3 disks are required.
Advantages:
- Data error correction
- High data transfer rate/speed, i.e. read-write speed.
- Since parity is used, it can withstand a single disk failure without losing data.
Disadvantages:
- Complex to implement.
- More resources required to implement.
4. RAID 3: Striped set with dedicated parity or bit interleaved parity or byte level parity
It has byte-level striping with dedicated parity. Data is striped such that each sequential byte is on a different disk. An additional drive stores the parity information. At least 3 disks are required.
Advantages:
- Data error correction
- High data transfer rate/speed, i.e. read-write speed.
- Since parity is used, it can withstand a single disk failure without losing data.
Disadvantages:
- Complex to implement.
5. RAID 4: Block level parity
It has block-level striping with dedicated parity. Data is striped such that each block is on a different disk. An additional drive stores the parity information. At least 3 drives are required. It is similar to RAID 5 but confines all parity data to a single disk, which can create a performance bottleneck.
Advantages:
- Error detection
- It can withstand a single disk failure
- High read speed
Disadvantages:
- Worse write transaction speed (every write also has to update the single parity disk)
6. RAID 5: Striping with parity
It has block-level striping with distributed parity. It distributes the parity information across all disks in the array. A failed drive requires replacement, but the array is not destroyed by a single drive failure. It can withstand one disk failure. At least 3 disks are required.
Advantages:
- Error detection
- It can withstand a single disk failure
- Medium read speed
Disadvantages:
- Complex to design.
- Drive replacement during failure is difficult (the array runs degraded while the lost disk is rebuilt from parity)
7. RAID 6: Striping with double parity
It has block-level striping with double distributed parity. It provides fault tolerance from two drive failures; the array continues to operate with up to two failed drives. At least 4 disks are required. This makes larger RAID groups more practical, especially for high-availability systems. This becomes increasingly important as large-capacity drives lengthen the time needed to recover from the failure of a single drive.
CHAPTER – 10 Auditing and Information system
An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations. Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals. IT auditors examine not only physical security controls, but also overall business and financial controls that involve information technology systems. Because operations at modern companies are increasingly computerized, IT audits are used to ensure information-related controls and processes are working properly.

The primary objectives of an IT audit include:
- Evaluate the systems and processes in place that secure company data.
- Determine risks to a company's information assets, and help identify methods to minimize those risks.
- Ensure information management processes are in compliance with IT-specific laws, policies and standards.
- Determine inefficiencies in IT systems and associated management.
- Optimize the use of various information system resources (e.g. machine time).

Need for Audit of Information Systems
FACTORS INFLUENCING AN ORGANIZATION TOWARD CONTROLS & AUDIT OF COMPUTERS.
Organisational Costs of Data Loss: Data is a critical resource for surviving in a changing environment.
Incorrect Decision Making: High level decisions require accurate data to make quality decisions.
Costs of Computer Abuse: Unauthorised access to computer systems, malware & unauthorised copies of sensitive data can lead to destruction of assets (hardware, software, data, information etc.)
Value of Computer Hardware, Software & Personnel: These are critical resources; they have a credible impact on the organization's infrastructure & business competitiveness.
High Costs of Computer Error: Data error during entry / process would cause great damage.
Maintenance of Privacy: Data collected in business contains private information about an individual.
Controlled evolution of computer Use: Use of technology & reliability of complex computer systems cannot be guaranteed, & consequences of using unreliable systems can be destructive.

FUNCTION OF IS AUDITOR
IS Auditor often is assessor of business risk. IS Auditor makes sound assessment & presents risk-oriented advice to management. IS AUDITORS REVIEW RISKS RELATING TO IT SYSTEM & PROCESSES:
1. Inadequate information security controls (e.g. no antivirus, no / weak password)
2. Inefficient use of resources (e.g. unnecessary expending on high power servers or workstations)
3. Ineffective IT strategies, policies & practices (e.g. lack of Internet usage policy)
4. IT-related frauds (e.g. phishing, hacking)

SKILL OF IS AUDITOR
Audit objective & scope has significant bearing on skill & competence requirements of IS auditor. The set of skills that is generally expected:
- Knowledge of business operation, practices & compliance requirement;
- Understand technical & manual controls relating to business continuity;
- Possess requisite professional qualification, certification & experience;
- Understanding of information Risks & Controls;
- Knowledge of IT strategies, policy & procedural controls;
- Knowledge of Professional Standards & Best Practices of IT controls & security.

STEPS (Stages) IN IS AUDIT
1. Scoping: Determining main areas of focus & any areas explicitly out-of-scope. Information sources include background reading & web browsing, previous audit reports, pre-audit interview, observations.
2. Planning: Scope is broken down into greater levels of detail, usually involves generation of audit work plan or risk-control-matrix.
3. Fieldwork: Gathering evidence by interviewing staff & managers, reviewing documents, & observing processes etc.
4. Analysis: Sorting out, reviewing & trying to make sense of all the evidence gathered earlier.
5. Reporting: Reporting to management is done after analysis of evidence.
6. Closure: Preparing notes for future audits & follow up with management.

CATEGORIES (Types) OF IS AUDIT (5 types)
- Systems & Application: To verify that systems & applications are appropriate, efficient, & adequately controlled.
- Information Processing (Online / Batch): To verify that processing facility is controlled to ensure timely, accurate, & efficient processing under normal & potentially disruptive conditions.
- Systems Development: To verify that systems under development meet objectives of organization & are developed in accordance with generally accepted standards for systems development.
- IT Management & Enterprise Architecture: To verify that IT management has developed organizational structure & procedures to ensure controlled & efficient environment for information processing.
- Telecommunications, Intranets, & Extranets: To verify that controls are in place on client, server, & on network connecting clients & servers.

AUDIT TRAIL
Audit trails are logs that can be designed to record activity at the system, application, & user level. When properly implemented, audit trails provide an important detective control to help accomplish security policy objectives. Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained.
The Accounting audit trail shows the source & nature of data & processes that update the database.
The Operations audit trail maintains a record of attempted or actual resource consumption within a system.
Audit Trail Objectives:
Detecting Unauthorized Access to System: The primary objective of real-time detection is to protect system from outsiders who are attempting to breach system controls, or to indicate infestation by virus or worm. Real-time detection can impose a significant overhead on the operating system, which can degrade its performance. Logs can be stored electronically & reviewed periodically. They can also be used to determine if unauthorized access was accomplished, or attempted and failed.
Facilitating Reconstruction of Events: Audit trail analysis helps to reconstruct the steps that led to events such as system failures, security violations or application processing errors and to avoid similar situations in the future. E.g. by maintaining a record of all changes to account balances, audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
Promoting Personal Accountability: Audit trails can be used to monitor user activity. Individuals will not violate security policy if they know that their actions are being monitored.
What is IT Audit Strategy?
An IT audit strategy sets the direction, timing, and scope of an audit. The strategy is then used as a guideline when developing an audit plan. The strategy document usually includes a statement of the key decisions needed to properly plan the IT audit. The IT audit strategy is based on the following considerations:
• The characteristics of the engagement
• Reporting objectives
• Timing of the audit
• Nature of communications
• Significant factors in directing engagement team efforts
• The results of preliminary engagement activities
• The knowledge gained on other engagements
• The nature, timing, and extent of resources available for the engagement
An IT strategic audit should be conducted with the view that the primary purpose of an organization's technological resources is to support their business objectives and these technologies should be considered a risk to the organization if their failure thwarts attainment of those objectives.
What are the IT Audit Strategies?
- Review of IT Organizational Structure
- Review of IT policies and procedures
- Review of IT Standards
- Review of IT documentation
- Review of organization's BIA
- Interview the appropriate personnel
- Observe the processes and employee performance
- Examination, which incorporates by necessity the testing of controls, and therefore includes the results of the tests.

IT audit Procedure
Audit Procedure: System Review:
1. Inspect Computer Sites (locations)
2. Interview IS personnel about IS security procedures, measures.
3. Review physical & logical access policies & procedures.
4. Review backup & recovery policies & procedures.
5. Review backup & recovery policies & procedures.
6. Review data transmission & storage policies & procedures.
7. Examine System Access logs
8. Examine Disaster Recovery Plan
Audit Procedures: Test of Controls:
1. Observe computer access procedures.
2. Observe preparation & off-site storage of backup files
3. Review password modifications record.
4. Inquire how unauthorized access (security breaches) attempts were dealt with.
5. Observe the use of data encryption.
6. Verify use of effective firewalls.
7. Verify virus protection methods.
8. Verify uninterruptible power supply being made.
9. Verify whether or not appropriate insurance cover is taken.

Explain information system audit process (Dec 2016 – 7 marks)
The process of information system audit involves four steps:
1. Measuring vulnerability of information system: The first step in the process of information system audit is the identification of the vulnerability of each application. Where the probability of computer abuse is high, there is a greater need for an information system audit of that application. The probability of computer abuse would depend upon the nature of the application and the quality of controls.
2. Identification of sources of threat: Most of the threats of computer abuse are from the people. The information system auditor should identify the people who might pose a threat to the information systems. These people include system analysts, programmers, data entry operators, data providers, users, vendors of hardware, software and services, computer security specialists, PC users, etc.
3. Identification of high risk points: The next step in the process of information system audit is to identify the occasions, points or events when the information system may be penetrated. These points may be when a transaction is added, altered or deleted. The high risk point may also be the occasion when a data or program file is changed or the operation is faulty.
4. Check for computer abuse: The last step in the process is to conduct the audit of high risk potential points keeping in view the activities of the people who could abuse the information system for the applications that are highly vulnerable.

AUDIT/Review OF BCP/DRP
General:
- Identification & prioritization of activities.
- Plan is based on BIA
- Plan is simple & easy to understand.
- Plan is realistic in its assumptions
- Sufficient information backup procedures for recovery of critical data.
- If a test plan exists, to what extent it is tested.
- Review documentation of actual test.
- Interview functional area managers or key employees; do they clearly understand their role.
Building, Utilities & Transportation:
- Provision for building engineer to inspect building & facilities soon after disaster so that damage can be identified & repaired.
- Considered the need of alternative shelter, if needed?
- Review agreements for use of backup facilities.
- Verify that backup facilities are adequate & will be secured.
- Considered the failure of electrical power, natural gas, toxic chemical containers, & pipes?
- Are building safety features inspected & tested regularly?
Information Technology:
- Analyze current IT environment.
- Identify prioritized critical applications & systems.
- Time requirements for recovery / availability of critical systems included in plan are reasonable or not.
- Arrangements for emergency telecommunication.
- Alternate means of data transmission if computer network is interrupted & security of such alternate method.
- Does a testing schedule exist & is it adequate; date of last test & action taken thereon, if weakness identified.
Administrative Procedures:
- Does plan cover administrative & management aspect.
- Procedures for disaster declaration, general shutdown & migration of operation to backup facility.
- Duplicate set of essential records & its retrieval facility exist in secured location.
- Plan includes names & numbers of important suppliers.
- Provision or budget for cost of recovery.
Network Control: A Networked Control System (NCS) is a control system wherein the control loops are closed through a communication network. The defining feature of an NCS is that control and feedback signals are exchanged among the system's components in the form of information packages through a network. The functionality of a typical NCS is established by the use of four basic elements:
1. Sensors, to acquire information,
2. Controllers, to provide decision and commands,
3. Actuators, to perform the control commands and
4. Communication network, to enable exchange of information.
The most important feature of an NCS is that it connects cyberspace to physical space enabling the execution of several tasks from long distance. In addition, NCSs eliminate unnecessary wiring reducing the complexity and the overall cost in designing and implementing the control systems.

Computer Assisted Audit Technique (CAAT)
CAAT is an audit technique that uses computer applications as the primary tool. It is generally used for sampling, statistical analyses and exception reporting, and for this specialized software, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities, is used.
It is the practice of analyzing large volumes of data looking for anomalies. A well designed CAAT audit will not be a sample, but rather a complete review of all transactions. Using CAAT the auditor will extract every transaction the business unit performed during the period reviewed. The auditor will then test that data to determine if there are any problems in the data. The CAAT auditor can easily look for duplicate vendors or transactions. When such a duplicate is identified, they can approach management with the knowledge that they tested 100% of the transactions and that they identified 100% of the exceptions.
CAAT is a growing field within the financial audit profession. CAATs are the practice of using computers to automate or simplify the audit process. In the broadest sense of the term, CAATs can refer to any use of a computer during the audit. This would include utilizing basic software packages such as SAS, Excel, Access, Crystal Reports, and also word processors. In practice, however, CAATs have become synonymous with incorporating data analytics into the audit process. This is one of the emerging fields within the audit profession.

Risk in IT Audit:
What is Audit Risk?
Audit risk is the risk that information may contain a material error that may go undetected during the course of the audit.
1. Inherent Risk
The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming that there are no related compensating controls, is called inherent risk. Inherent risks exist independent of an audit and can occur because of the nature of the business.
2. Control Risk
The risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system is called control risk.
3. Detection Risk
The risk that an IT auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do is called detection risk.

As an IS Auditor, what are the risks reviewed by you relating to IT System and processes as part of your functions?
IS Auditor reviews risks relating to IT systems and processes; some of them are as follows:
1. Inadequate information security controls (e.g. missing or out of date antivirus controls, open ports, open system without password or weak passwords etc)
2. Inefficient use of resources or poor governance (e.g. huge spending on unnecessary IT projects like printing resources, storage devices, high power servers and workstations etc.)
3. Ineffective IT strategies, policies and practices (including a lack of policy for use of Information and Communication Technology (ICT) resources, internet usage policies, security practices etc)
4. IT-related frauds (including phishing, hacking etc)

Audit specialized software can perform the following functions:
- Data queries
- Data stratification
- Sample extractions
- Missing sequence identification
- Statistical analysis
- Calculations
- Duplicate inquiries
- Pivot tables
- Cross tabulation
Advantage of CAAT:
- Recalculating and verifying balances
- Testing compliance with standard
- Ageing analysis of receivables and payables
- Identifying control issues
- Testing duplicates within data
- Testing gaps in invoice numbers

Introduction to standards for IS Audit
Requirement of standards for IS Audit:
- They inform IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics.
- They inform management and other interested parties of the profession's expectations concerning the work of practitioners.
- They inform holders of the certified information system auditor (CISA) designation of their requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA BOD or appropriate ISACA committee and, ultimately, in disciplinary action.
Importance of IS Audit and Assurance Standards:
- Cornerstone of its professional contribution to the audit and assurance community.
- Comprise the first level of ITAF guidance
- Provide information required to meet compliance needs.
- Supply essential guidance to improve effectiveness and efficiency.
- Offer a risk-based approach that is aligned with ISACA methodology
- Apply to individuals providing assurance over some components of IS System, application and infrastructure.
- Provide benefits to a wider audience, including users of IS audit and assurance reports

Objective of IS Audit and Assurance Guidelines:
- Provide guidance and additional information on how to comply with the IS Audit and Assurance Standards
Tools and Technique of IS Audit and Assurance Guidelines:
The tools and technique provide additional guidance, but do not set requirements. Tools and Technique include such things as:
- IS Audit Reporting
- White Papers
- IS Audit/Assurance Programmes
- COBIT 5 family of products
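As an added illustration that is not part of these notes, the following Python runs the CAAT functions listed above over a constructed extract of every payment in a period: duplicate inquiry, missing sequence identification, data stratification and ageing analysis, all over 100% of the rows rather than a sample. The vendors, amounts, bands and the as-of date are constructed for the example.

```python
"""CAAT-style tests run over the full population of extracted transactions.
Constructed sample data; vendors, amounts and dates are fictitious."""
from collections import defaultdict
from datetime import date

# Every payment the (fictitious) business unit made in the period, as a CAAT would extract it.
TRANSACTIONS = [
    {"invoice": 1001, "vendor": "Acme Supplies", "amount": 1250.00, "date": date(2023, 4, 3)},
    {"invoice": 1002, "vendor": "Acme Supplies", "amount": 1250.00, "date": date(2023, 4, 3)},  # paid twice
    {"invoice": 1003, "vendor": "Zenith Ltd", "amount": 480.50, "date": date(2023, 4, 10)},
    {"invoice": 1005, "vendor": "Nova Traders", "amount": 9990.00, "date": date(2023, 5, 2)},  # 1004 is missing
    {"invoice": 1006, "vendor": "Zenith Ltd", "amount": 75.00, "date": date(2023, 6, 21)},
    {"invoice": 1007, "vendor": "Nova Traders", "amount": 9990.00, "date": date(2023, 7, 14)},
]
AS_OF = date(2023, 7, 31)  # constructed period end used for the ageing analysis


def find_duplicate_payments(txns):
    """Duplicate inquiry: same vendor, same amount, same date paid more than once.
    1005 and 1007 share vendor and amount but not the date, so they are not flagged."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t["vendor"], t["amount"], t["date"])].append(t["invoice"])
    return [sorted(invs) for invs in groups.values() if len(invs) > 1]


def find_sequence_gaps(txns):
    """Missing sequence identification: invoice numbers absent between the lowest and highest seen."""
    present = {t["invoice"] for t in txns}
    return [n for n in range(min(present), max(present)) if n not in present]


def stratify_by_amount(txns, bounds=(100.0, 1000.0, 5000.0)):
    """Data stratification: count and total per amount band, covering 100% of the rows."""
    labels = ([f"< {bounds[0]:g}"]
              + [f"{lo:g}-{hi:g}" for lo, hi in zip(bounds, bounds[1:])]
              + [f">= {bounds[-1]:g}"])
    strata = {label: {"count": 0, "total": 0.0} for label in labels}
    for t in txns:
        band = labels[sum(t["amount"] >= b for b in bounds)]  # how many bounds the amount reaches
        strata[band]["count"] += 1
        strata[band]["total"] += t["amount"]
    return strata


def age_items(txns, as_of):
    """Ageing analysis: bucket each item by days elapsed since its document date."""
    buckets = {"0-30": [], "31-60": [], "61-90": [], "90+": []}
    for t in txns:
        days = (as_of - t["date"]).days
        key = "0-30" if days <= 30 else "31-60" if days <= 60 else "61-90" if days <= 90 else "90+"
        buckets[key].append(t["invoice"])
    return buckets


def exception_report(txns, as_of):
    """What goes to management: every row tested, every exception listed."""
    return {
        "duplicates": find_duplicate_payments(txns),
        "sequence_gaps": find_sequence_gaps(txns),
        "strata": stratify_by_amount(txns),
        "ageing": age_items(txns, as_of),
    }


if __name__ == "__main__":
    for name, result in exception_report(TRANSACTIONS, AS_OF).items():
        print(f"{name}: {result}")
```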
Issues that are primary concerns for IS Auditor:
- Determine the adequacy of IS Security.
- Ensures that the computer data files are accurate, protected from unauthorized access, modification, destruction.
- Ensures that the system development (in house) or acquisition were done with top management approvals.
- Ensures that program modifications have been authorized and duly approved.
- Ensures Data processing is accurately done.
- Ensures that the bugs & security breaches identified have been handled as per prescribed procedures.
- Ensures that internal controls are adequate & working effectively.
- Ensures that organization assets are properly safeguarded.
- Ensures that data transmissions are done with proper encryption.
- Ensures Adequate backups and DRP
- Observe computer access procedures.
- Observe preparation & off-site storage of backup files.
- Review password modifications record.
- Inquire how unauthorized access (security breaches) attempts were dealt with.
- Observe the use of data encryption.
- Verify use of effective firewalls.
- Verify virus protection methods.
- Verify uninterruptible power supply being made.
- Verify whether or not appropriate insurance cover is taken.

1. Intrusion detection system (RTP June 2017)
Intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion in the computer system. The reason for looking for unauthorized intrusions is to alert IT professionals and system administrators within the organization to potential system or network security threats and weaknesses to take preventative measures.

2. Ethical Issues associated with Information system: (June 2015 – 4 marks)
1. Proper use of information for intended purpose
2. Protection of personal privacy
3. Protection of intellectual property
4. Accountability for use of IS information

3. Residual Risk (Dec 2013)
Any risk still remaining after the counter measures are analyzed and implemented is called Residual Risk. An organization's management of risk should consider these two areas: acceptance of residual risk and selection of safeguards. Even when safeguards are applied, there is probably going to be some residual risk. The risk can be minimized, but it can seldom be eliminated. Residual risk must be kept at a minimal, acceptable level. As long as it is kept at an acceptable level (i.e. the likelihood of the event occurring or the severity of the consequence is sufficiently reduced) the risk can be considered as managed.

Application Controls Vs General Controls;
A. Application Controls: It refers to the transaction and data relating to each computer-based application system; therefore, they are specific to each application. E.g.
- Internal accounting control
- Operational controls
- Administrative controls
- Organizational security policies and procedures
- Overall policies for the design and use of adequate documents and records.
Steps in performing Application Control Audit:
1. Identifying the significant application components; the flow of transactions through the application (system); and to gain a detailed understanding of the application by reviewing all available documentation and interviewing the appropriate personnel, such as system owner, data owner, data custodian and system administrator.
2. Identifying the application control strengths and evaluating the impact, if any, of weaknesses you find in the application controls.
3. Developing a testing strategy.
4. Testing the controls to ensure their functionality and effectiveness
5. Evaluating your test results and any other audit evidence to determine if the control objectives were achieved.
6. Evaluating the application against management's objectives for the system to ensure efficiency and effectiveness.
B. General Control: It applies to all areas of the organization including the IT infrastructure and support services. E.g.
- Input Control
- Processing Control
- Output Control

1. List the Audit Technique used in On-line System:
A. Concurrent Audit Technique
1. Integrated Test Facility (ITF)
In this technique, a small set of fictitious records is placed in the master file. Processing test transactions to update these dummy records will not affect the actual records. Actual and fictitious records are concurrently processed together, without the knowledge of employees. Auditor compares the output of dummy records with expected results and its controls to verify the correctness of the system.
2. Snapshot Technique
This technique examines the way transactions are processed. Selected transactions are marked with a special code that triggers the snapshot processes. Audit modules in the program record these transactions and their master file records before and after processing. Snapshot data are recorded in a special file and reviewed by the auditor to verify that all processing steps have been properly executed.
3. System Control Audit File Review (SCARF)
System Control Audit Review File uses embedded audit modules to continuously monitor transaction activities and collect data on transactions with special audit significance. The data is recorded in a SCARF file, which may have been exceptional transactions. Periodically the auditor receives a print out of the SCARF file, examines the information to identify any questionable transactions, and performs any necessary follow up investigation.
4. Audit Hooks
These are audit routines that flag suspicious transactions. When audit hooks are employed, auditors can be informed of questionable transactions as soon as they occur. This approach, known as "realtime notification", displays a message on the auditor's terminal.
5. Continuous and Intermittent Simulation (CIS)
Continuous and intermittent simulation embeds an audit module in a DBMS. This module examines all transactions that update the DBMS using criteria similar to those of SCARF. If a transaction has special audit significance, the module independently processes the data, records the results and compares them with those obtained by the DBMS. Discrepancies are noted and details are investigated.
B. Analysis of Program Logic
If unauthorized code of a serious nature is found, the auditor goes for detailed analysis of the program logic. This is a difficult task and the auditor must be well versed with the programming language. These days the following software packages serve as aids in this analysis:
- Automated Flowcharting programs
- Automated decision table programs
- Scanning Routine
- Mapping Programs
- Program Tracing
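An added worked example, not from these notes, that puts the concurrent audit techniques above together with the audit trail objectives from the earlier page: a ledger posting with an embedded audit module that images tagged transactions before and after (snapshot), writes transactions of special audit significance to a SCARF file, raises an audit hook for real-time notification, and rebuilds balances by rolling the accounting audit trail forward. Account numbers, users, the tag code, the threshold and the sample postings are assumptions.

```python
"""Embedded audit module around a ledger posting: snapshot, SCARF file, audit hook,
and reconstruction of balances from the audit trail. Constructed example."""
from dataclasses import dataclass, field
from typing import Callable, Optional

SNAPSHOT_CODE = "S"        # assumed: transactions tagged with this code trigger a snapshot
SCARF_THRESHOLD = 5000.0   # assumed: amounts at or above this have special audit significance


@dataclass
class Transaction:
    txn_id: int
    user: str
    account: str
    amount: float          # positive credits, negative debits
    audit_code: str = ""


@dataclass
class Ledger:
    balances: dict
    audit_trail: list = field(default_factory=list)     # chronological record of every posting
    snapshot_file: list = field(default_factory=list)   # before/after images of tagged transactions
    scarf_file: list = field(default_factory=list)      # exceptional transactions for periodic review
    audit_hook: Optional[Callable[[str], None]] = None  # real-time notification to the auditor

    def post(self, txn: Transaction) -> float:
        before = self.balances.get(txn.account, 0.0)
        after = before + txn.amount
        # Accounting audit trail: who changed which account, by how much, in what order.
        self.audit_trail.append({"txn_id": txn.txn_id, "user": txn.user,
                                 "account": txn.account, "amount": txn.amount})
        # Snapshot technique: tagged transactions get their master record imaged before and after.
        if txn.audit_code == SNAPSHOT_CODE:
            self.snapshot_file.append({"txn_id": txn.txn_id, "before": before, "after": after})
        # SCARF: the embedded module sees every transaction, keeps only those of audit significance.
        reasons = []
        if abs(txn.amount) >= SCARF_THRESHOLD:
            reasons.append("amount at or above threshold")
        if after < 0:
            reasons.append("account driven negative")
        if reasons:
            self.scarf_file.append({"txn_id": txn.txn_id, "user": txn.user, "reasons": reasons})
            if self.audit_hook:  # audit hook: notify at once; the module monitors, it does not block
                self.audit_hook(f"txn {txn.txn_id} by {txn.user}: {'; '.join(reasons)}")
        self.balances[txn.account] = after
        return after


def reconstruct_balances(opening: dict, audit_trail: list) -> dict:
    """Roll the trail forward from opening balances to rebuild a data file corrupted later."""
    balances = dict(opening)
    for entry in audit_trail:
        balances[entry["account"]] = balances.get(entry["account"], 0.0) + entry["amount"]
    return balances


def postings_per_user(audit_trail: list) -> dict:
    """Personal accountability: how many postings each user made."""
    counts: dict = {}
    for entry in audit_trail:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


OPENING = {"A-100": 1000.0, "A-200": 0.0}   # constructed opening balances
SAMPLE = [                                   # constructed postings
    Transaction(1, "alice", "A-100", 500.0, audit_code=SNAPSHOT_CODE),
    Transaction(2, "bob", "A-200", 7000.0),
    Transaction(3, "alice", "A-100", -2000.0),
]


def run_demo():
    """Post the constructed sample; returns the ledger and the hook notifications it raised."""
    notifications = []
    ledger = Ledger(balances=dict(OPENING), audit_hook=notifications.append)
    for txn in SAMPLE:
        ledger.post(txn)
    return ledger, notifications


if __name__ == "__main__":
    ledger, notes = run_demo()
    print("balances:", ledger.balances)
    print("snapshot file:", ledger.snapshot_file)
    print("SCARF file:", ledger.scarf_file)
    print("hook notifications:", notes)
    print("rebuilt from trail:", reconstruct_balances(OPENING, ledger.audit_trail))
```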
Review of IT access controls, input and output controls
Access Control:
These controls ensure access to resources only to authorized users. There are two types of controls:
1. Physical Access Control:
o Allows physical access to system only to authorized users i.e. accessing system physically.
o Door locks, finger prints etc in room with computer/server. CCTV, security guards to prevent access physically to system.
2. Logical Access Control:
o Access to system through programs. e.g server
o Routes to access system could be online terminal (ATM), telecommunication link and Internet etc.
o Logical access increases risks of viruses, worms etc to system which may cause financial losses, loss of reputation & loss of confidential data/information etc.
o Violators of logical access control are crackers, employees, Intelligence Agencies etc.
o Logical Access Controls are:
- Login ID & Passwords
- Control in system access rights. e.g HBL CSD get few system options.
- Data encryption
- Firewall
- Network mirroring

Input Validation Controls: These controls are intended to detect errors in transaction data before the data are processed. Validation procedures are most effective when they are performed as close to the source of the transactions as possible. However, depending on the type of Computer Based Information Systems (CBISs) in use, input validation may occur at various points in the system. For example, some validation procedures require making references against the current master file. Computer Based Information Systems (CBISs) using real-time processing or batch processing with direct access master files can validate data at the input stage. Some validation procedures are performed by each processing module prior to updating the master file record.

Three levels of input validation controls are given as follows:

1. Field Interrogation
It involves programmed procedures that examine the characters of the data in the field. The following are some common types of field interrogation. Various field checks used to ensure data integrity have been described below:
i) Limit Check:
This is a basic test for data processing accuracy and may be applied to both the input and output data. The field is checked by the program against predefined limits to ensure that no input/output error has occurred or at least no input error exceeding certain pre-established limits has occurred.
ii) Picture Checks:
These check against entry of incorrect/invalid characters.
iii) Valid Code Checks:
Checks are made against predetermined transaction codes, tables or order data to ensure that input data are valid. The predetermined codes or tables may either be embedded in the programs or stored in (direct access) files.
iv) Check Digit:
One method for detecting data coding errors is a check digit. A check digit is a control digit (or digits) added to the code when it is originally assigned that allows the integrity of the code to be established during subsequent processing. The check digit can be located anywhere in the code, as a prefix, a suffix, or embedded someplace in the middle.
v) Arithmetic Checks:
Simple Arithmetic is performed in different ways to validate the result of other computations of the values of selected data fields.
Example: The discounted amount for Rs 4,000 at 5% discount may be computed twice by the following different ways:
4,000 – 4,000 × 5/100 = 3,800 or next time again as (3800/(100-5))*100.
vi) Cross Checks:
May be employed to verify fields appearing in different files to see that the results tally.

2. Record Interrogation
These are discussed as follows:
i) Reasonableness Check:
Whether the value specified in a field is reasonable for that particular field?
ii) Valid Sign:
The contents of one field may determine which sign is valid for a numeric field.
iii) Sequence Check:
If physical records follow a required order matching with logical records.

3. File Interrogation
These are discussed as follows:
i) Version Usage:
Proper version of a file should be used for processing the data correctly. In this regard it should be ensured that only the most current file is processed.
ii) Internal and External Labeling:
Labeling of storage media is important to ensure that the proper files are loaded for processing. Where there is a manual process for loading files, external labeling is important to ensure that the correct file is being processed. Where there is an automated tape loader system, internal labeling is more important.
iii) Data File Security:
Unauthorized access to data files should be prevented, to ensure their confidentiality, integrity and availability.
iv) Before and after Image and Logging:
The application may provide for reporting of before and after images of transactions. These images combined with the logging of events enable re-constructing the data file back to its last state of integrity, after which the application can ensure that the incremental transactions/events are rolled back or forward.
v) File Updating and Maintenance Authorization:
Sufficient controls should exist for file updating and maintenance to ensure that stored data are protected. The access restrictions may either be part of the application program or of the overall system access restrictions.
vi) Parity Check:
When programs or data are transmitted, additional controls are needed. Transmission errors are controlled primarily by error detecting or correcting codes.
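Added example code, not part of these notes, implementing the field interrogation and record interrogation checks above over a constructed batch of sales records, including the Rs 4,000 at 5% arithmetic check. The transaction code table, the customer picture pattern, the limits and ranges, and the weighted modulus-10 check digit scheme are assumptions, since the notes do not fix them.

```python
"""Field and record interrogation checks over a constructed batch of input records."""
import re

VALID_TXN_CODES = {"SAL": "sale", "RET": "return", "ADJ": "adjustment"}  # assumed valid code table
CHECK_WEIGHTS = (7, 3, 1)   # assumed scheme: weights applied from the rightmost digit leftwards


# ---- field interrogation ----
def limit_check(value, low, high):
    """Field must lie within pre-established limits."""
    return low <= value <= high


def picture_check(value, pattern):
    """Field must match the expected character picture, e.g. two letters then four digits."""
    return re.fullmatch(pattern, value) is not None


def valid_code_check(code):
    """Code must appear in the predetermined transaction code table."""
    return code in VALID_TXN_CODES


def compute_check_digit(body):
    """Weighted modulus-10 digit. Because every weight is coprime with 10 it detects every
    single-digit substitution, and every adjacent transposition except of digits differing by 5."""
    total = sum(int(d) * CHECK_WEIGHTS[i % 3] for i, d in enumerate(reversed(body)))
    return str((10 - total % 10) % 10)


def check_digit_ok(code):
    """Code carries its check digit as a suffix."""
    return len(code) > 1 and code.isdigit() and compute_check_digit(code[:-1]) == code[-1]


def arithmetic_check(gross, pct):
    """The notes' example: compute the discounted amount, then recompute the gross from it."""
    net = gross - gross * pct / 100
    recomputed_gross = net / (100 - pct) * 100
    return abs(recomputed_gross - gross) < 0.005


# ---- record interrogation ----
def reasonableness_check(txn_code, unit_price):
    """Assumed ranges: an adjustment line above 500, or any line at zero price, is not reasonable."""
    ranges = {"SAL": (0.01, 100000.0), "RET": (0.01, 100000.0), "ADJ": (0.01, 500.0)}
    low, high = ranges[txn_code]
    return low <= unit_price <= high


def valid_sign_check(txn_code, amount):
    """The transaction code determines which sign the amount field may carry."""
    return amount < 0 if txn_code == "RET" else amount > 0


def sequence_check(records):
    """Physical order must match the required ascending order of sequence numbers;
    returns the sequence numbers found out of order."""
    return [b["seq"] for a, b in zip(records, records[1:]) if b["seq"] <= a["seq"]]


def validate_record(rec):
    """Run every field check, then the record checks that depend on the code being valid."""
    errors = []
    if not limit_check(rec["qty"], 1, 10000):
        errors.append("qty outside limits")
    if not picture_check(rec["customer"], r"[A-Z]{2}\d{4}"):
        errors.append("customer id fails picture check")
    if not check_digit_ok(rec["item"]):
        errors.append("item code check digit invalid")
    if not valid_code_check(rec["code"]):
        errors.append("invalid transaction code")
        return errors
    if not reasonableness_check(rec["code"], rec["unit_price"]):
        errors.append("unit price unreasonable for code")
    if not valid_sign_check(rec["code"], rec["amount"]):
        errors.append("amount sign invalid for code")
    return errors


# Constructed batch: record 2 has a transposed item code and a positive return; record 3 is junk;
# record 4 is an oversized adjustment and is also physically out of sequence.
BATCH = [
    {"seq": 1, "qty": 10, "customer": "AB1234", "item": "123453", "code": "SAL", "unit_price": 25.0, "amount": 250.0},
    {"seq": 2, "qty": 3, "customer": "AB1234", "item": "123543", "code": "RET", "unit_price": 25.0, "amount": 75.0},
    {"seq": 4, "qty": 0, "customer": "ab12", "item": "123453", "code": "XYZ", "unit_price": 25.0, "amount": 0.0},
    {"seq": 3, "qty": 1, "customer": "CD0001", "item": "123453", "code": "ADJ", "unit_price": 900.0, "amount": 900.0},
]

if __name__ == "__main__":
    for rec in BATCH:
        print(rec["seq"], validate_record(rec))
    print("out of sequence:", sequence_check(BATCH))
```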
Chapter 11:Ethics and Legal issue in Information Technology

The significance of IT-related law is as follows:
1. Grant legal recognition to all transactions done via electronic exchange of data or other electronic means of communication or e-commerce, in place of the earlier paper-based method of communication.
2. Give legal recognition to digital signatures for the authentication of any information or matters requiring legal authentication.
3. Facilitate the electronic filing of documents with Government agencies and departments.
4. Facilitate the electronic storage of data.
5. Give legal sanction to, and facilitate, the electronic transfer of funds between banks and financial institutions.

Introduction to digital data exchange and digital reporting standards: XML and XBRL
Digital Data Exchange:
Digital Data Exchange (DDEX) is a standards-setting organization that was formed to:
- Design standardized XML message formats for the exchange of metadata across the digital content value chain (or digital supply chain);
- Develop common protocols for the automated communication and management of messages; and
- Originate material to promote its standards and assist companies in their implementations.
XML Standards:
DDEX has developed a series of XML-based standards for the communication of metadata between record companies, music rights societies and online retailers. These are:
i) Electronic Release Notification Message Suite Standard: It enables record labels to communicate metadata about a release (e.g. artist name, album name, track names, release dates, etc.) and its associated commercial terms to online retailers.
ii) Digital Sales Reporting Message Suite Standard: It enables the communication of sales information from online retailers to record companies and collection societies.
iii) Musical Work Licensing Message Suite Standard: It enables record labels and online retailers to obtain a license for the use of musical works, usually from a music rights society.

XBRL: XBRL is the open international standard for digital business reporting, managed by a global not-for-profit consortium, XBRL International. It is for improving reporting in the public interest. It replaces the older paper-based reports with more useful, more effective and more accurate digital versions. It provides a language in which reporting terms can be authoritatively defined. It uniquely represents the contents of financial statements or other kinds of compliance, performance and business reports. It lets reporting information move between organizations rapidly, accurately and digitally. It allows users to do all the things that used to be possible in paper, PDF and HTML based reports. It also opens up a range of new capabilities because the information is clearly defined, platform-independent, testable and digital. A digital business report in XBRL format simplifies the way that people can use, share, analyse and add value to the data.
Advantages of XBRL:
- It makes reporting more accurate and more efficient.
- Information contained in XBRL can be consumed and analysed accurately.
- It helps in capturing and avoiding mistakes at their source.
- It can use different languages, alternative currencies and one's own preferred style.
- Data provided conforms to a set of sophisticated pre-defined definitions.
- A report prepared in XBRL is interchangeable between different information systems.
What are the ethical issues related with Information Technology?
What are the moral dimensions of Information Technology?

The moral dimensions/ethical issues of Information Technology can be summarized as:
i) Information rights and obligations: What information rights do individuals and organizations possess with respect to information about themselves? What can they protect? What obligations do individuals and organizations have concerning this information?
ii) Property rights: How will traditional intellectual property rights be protected in a digital society in which tracing and accounting for ownership is difficult, and ignoring such property rights is so easy?
iii) Accountability and Control: Who can and will be held accountable and liable for the harm done to individual and collective information and property rights?
iv) System Quality: What standards of data and system quality should we demand to protect individual rights and the safety of society?
v) Quality of Life: What values should be preserved in an information and knowledge based society? What institutions should we protect from violation? What cultural values and practices are supported by the new information technology?

Explain ethics in an information society

Ethics is a branch of philosophy that deals with what is considered right and wrong in society. Ethics is a far greater concept than legality. It has something to do with the basic idea of right and wrong that becomes ingrained in us from childhood. Therefore, if you do a good job and your boss steals all the credit for your work, then it is unethical behavior on his part but it may not be illegal.
The issue of ethics in the information age has acquired a different dimension altogether. With more access to information, greater connectivity and anonymity, new ethical issues are coming to the fore every day. Some major ethical issues hover around the following questions:
1. How much information about an individual is private, and how much of what is private cannot be captured or disclosed?
2. What information can be kept by organizations dealing with individuals?
3. How much right does an individual have over his/her own information?
4. Who can access and who cannot access information?
Most cases of ethical violation in the information society occur due to disclosure of private information. This brings us to the interesting topic of privacy. Let us delve into the issue a little deeper. Is information about a suspected terrorist private, or the act that he commits private? Probably not. On the other hand, if we are asked whether information about a dowry victim is private, we will all probably agree that it is. Thus, we see that privacy assumes different degrees of severity. In the first case, one can argue that if information about a suspected terrorist is not made public, then the terrorist will not get caught and will cause more destruction. Thus, the well-being of a majority is at stake if the privacy of the terrorist's information is to be considered. Hence, it may be argued by some that disclosure of such private information as how he looks and what his height is may be considered fine, but the same cannot be said for the latter case about the dowry victim. Thus, we see that ethics, privacy and other such related issues have to be considered carefully. However, the following may be considered ethical issues in the information society:
1. Disclosing another individual's personal details to others. This is a serious ethical issue. Sometimes, when the disclosure is of a very private nature, this can even become a legal issue.
2. Cyber stalking is when an individual is constantly stalked in cyberspace, resulting in violation of the individual's privacy and creating fear in the mind of the stalked. On a small scale this is an ethical issue but it may become a legal issue if the stalking becomes serious.
3. Disclosure of trusted content is another ethical issue. If an individual is in possession of some trusted content and he shares it with others, then that becomes an ethical issue.
4. Distribution of pornographic material with open access is another ethical issue and needs to be controlled.
5. Plagiarism is becoming very rampant as content in soft form can just be copied and pasted from other files and claimed as one's own. On a small scale this is an ethical issue, but when the plagiarism is intentional and on a large scale it becomes a violation of copyright, which is a legal issue.
6. Sending SPAM is another ethical issue which creates a lot of problems for ordinary users of information systems.
Ethics in the information society is a very delicate issue and changes with time. At one point in time, stealing a password was an ethical issue. Today it is a crime and has become a legal issue. Such changes in legal and ethical points of view occur with changes in legislation and with changes in the norms of society.

Public key infrastructures (PKIs) are necessary to help ascertain the identity of different people, devices, and services. In a nutshell, PKIs go way beyond the use of user IDs and passwords, employing cryptographic technologies such as digital signatures and digital certificates to create unique credentials that can be validated beyond reasonable doubt and on a mass scale.
PKI is the basis for digital signatures today. PKI provides each user with a pair of keys, a private key and a public key, used in all signed transactions.
PKI technology is already used more widely than you might think. It is a cornerstone of how data is encrypted as it is passed over the internet using SSL/TLS – without it, e-commerce wouldn't be practical. PKI is used to digitally sign documents, transactions, and software to prove the source as well as the integrity of those materials – an important task as Trojans and other malware proliferate. Finally, PKI underpins the security of the consumer world by supporting authentication of smart phones and tablets, games consoles, citizen passports, mass transit ticketing, and mobile banking.
Components of PKI
1. Certificate Authority
2. Registration Authority
3. Central directory
4. Validation Authority
5. Certificate Management System
6. A Certificate Policy
The following is the list of the major points being addressed in a managed PKI:
1. Key and certificate creation
2. Private key protection
3. Certificate revocation
4. Key backup and recovery
5. Key and certificate update
6. Key history management
7. Certificate access
Short Notes
Hash function – Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hashing is used to index and retrieve items in a database because it is faster to find the item using the shorter hashed key than to find it using the original value. It is also used in many encryption algorithms. This generated string is unique to the file being hashed and is a one-way function — a computed hash cannot be reversed to find other files that may generate the same hash value. Some of the more popular hashing algorithms in use today are Secure Hash Algorithm-1 (SHA-1), the Secure Hashing Algorithm-2 family (SHA-2 and SHA-256), and Message Digest 5 (MD5).
Public key cryptography – Public key cryptography (also known as asymmetric encryption) is a cryptographic method that uses a key pair system. One key, called the private key, encrypts the data and is kept secret. The other key, called the public key, decrypts the data and is distributed openly to others. Public key cryptography can be used in several ways to ensure confidentiality, integrity, and authenticity:
- Public key cryptography can ensure integrity by creating a digital signature of the message using the sender's private key. This is done by hashing the message and encrypting the hash value with their private key. By doing this, any changes to the message will result in a different hash value.
- Ensure confidentiality by encrypting the entire message with the recipient's public key. This means that only the recipient, who is in possession of the corresponding private key, can read the message.
- Verify the user's identity using the public key and checking it against a certificate authority.
Public key infrastructure (PKI) – PKI consists of the policies, standards, people, and
systems that support the distribution of public keys and the identity validation of
individuals or entities with digital certificates and a certificate authority.
Certificate authority (CA) – A CA is a trusted third party that validates a person's identity and either generates a public/private key pair on their behalf or associates an existing public key provided by the person to that person. Once a CA validates someone's identity, they issue a digital certificate that is digitally signed by the CA. The digital certificate can then be used to verify the person associated with a public key when requested.
Digital certificates – Digital certificates are analogous to driver licenses in that their purpose is to identify the holder of a certificate. Digital certificates contain the public key of the individual or organization and are digitally signed by a CA. Other information about the organization, individual, and CA can be included in the certificate as well.

Encryption
Encryption is the process of encoding plain text and other information so that it can be accessed only by an authorized entity that holds the decryption key. It protects your sensitive data from being accessed by cybercriminals. It is the most effective way of achieving data security in modern communication systems. In order for the receiver to read an encrypted message, he/she should have a password or a security key that is used in decryption. Data that has not been encrypted is known as plain text, while encrypted data is known as cipher text. There are a number of encryption systems, of which asymmetric encryption (also known as public-key encryption), symmetric encryption and hybrid encryption are the most common.

Symmetric encryption – Uses the same secret key to encrypt and decrypt the message. The secret key can be a word, a number or a string of random letters. Both the sender and the receiver should have the key. It is the oldest technique of encryption.

Asymmetric encryption – It deploys two keys, a public key known by everyone and a private key known only by the receiver. The public key is used to encrypt the message and the private key is used to decrypt it. Asymmetric encryption is a little slower than symmetric encryption and consumes more processing power when encrypting data.

Hybrid encryption – It is a process of encryption that blends both symmetric and asymmetric encryption. It takes advantage of the strengths of the two and minimizes their weaknesses.

Private key encryption – Private key means that each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to the other computer. Private key requires that you know which computers will talk to each other and install the key on each one. Private key encryption is essentially the same as a secret code that the two computers must each know in order to decode the information. The code would provide the key to decoding the message. Think of it like this. You create a coded message to send to a friend where each letter is substituted by the letter that is second from it. So "A" becomes "C" and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will only see nonsense.
All about Digital signature
A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it.

Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.

Digital signatures, like handwritten signatures, are unique to each signer. Digital signature solution providers, such as DocuSign, follow a specific protocol, called PKI. PKI requires the provider to use a mathematical algorithm to generate two long numbers, called keys. One key is public, and one key is private.

When a signer electronically signs a document, the signature is created using the signer's private key, which is always securely kept by the signer. The mathematical algorithm acts like a cipher, creating data matching the signed document, called a hash, and encrypting that data. The resulting encrypted data is the digital signature. The signature is also marked with the time that the document was signed. If the document changes after signing, the digital signature is invalidated.

As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document. The buyer who receives the document also receives a copy of Jane's public key. If the public key can't decrypt the signature (via the cipher from which the keys were created), it means the signature isn't Jane's, or has been changed since it was signed. The signature is then considered invalid.

Benefits of Digital Signature over handwritten signature

- Provides a much stronger security guarantee.

- Fully paperless, which completely eliminates the need to print documents for signing.

- Fast, low-cost and fully digital.

- Impossible to forge a digital signature.

- Any changes made to the data that has been signed cannot go undetected.

Verification of digital signature by signer

To protect the integrity of the signature, PKI requires that the keys be created, conducted, and saved in a secure manner, and often requires the services of a reliable Certificate
Authority (CA). Digital signature providers, like DocuSign, meet PKI requirements for safe digital signing.

A digital signature is a mathematical scheme for ensuring the authenticity of data (document, email, etc). The digital signature assures that any changes made to the data that
has been signed cannot go undetected. Digital signatures can also provide non-repudiation, meaning that the signer cannot claim they did not sign the document.

1. Using Key generation algorithms like RSA, a sender generates a key pair- a Public Key and a Private Key. The Public Key is available to anyone in public, while the Private
Key is kept to the sender. A Key can encrypt data and another Key can decrypt data.

2. With the Private Key, a sender can put digital signatures on a document and other data.

3. Using a "hashing" algorithm like MD5, the sender performs the hash-function on the data. This creates a message-digest of the data. This function is irreversible.

4. The sender then encrypts this message-digest with his Private Key. The result is a digital signature.

5. This digital signature can be appended to a document. The sender then sends this digitally signed document.

6. The receiver, after receiving this document, verifies the digital signature. The receiver decrypts the digital signature using the sender's Public Key and obtains the message-digest.

7. The receiver then performs the same hash-function on the document data and obtains its own message-digest.

8. If the message-digest obtained from the digital signature and the one obtained after performing the hash-function match, then the receiver can be assured that the data has
not been changed.
Practical use of Hash value

Public key encryption uses a combination of a private key and a public key. The private key is known only to your computer while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key provided by the originating computer and its own private key.

The key is based on a hash value. This is a value that is computed from a base input number using a hashing algorithm. The important thing about a hash value is that it is nearly impossible to derive the original input number without knowing the data used to create the hash value. Here's a simple example:

Input number 10667
Hashing Algorithm = Input # x 143
Hash Value = 1525381

You can see how hard it would be to determine that the value of 1525381 came from the multiplication of 10667 and 143. But if you knew that the multiplier was 143, then it would be very easy to calculate the value of 10667. Public key encryption is much more complex than this example, but that is the basic idea. Public keys generally use complex algorithms and very large hash values for encrypting: 40-bit or even 128-bit numbers. A 128-bit number has 2^128 possible combinations. That's as many combinations as there are water molecules in 2.7 million Olympic-size swimming pools. Even the tiniest water droplet you can imagine has billions and billions of water molecules in it!

What is a Certificate

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). A certificate is a piece of information that proves the identity of the public key owner; like a passport, a certificate provides recognised proof of a person's (or entity's) identity. Certificates are signed and delivered securely by a trusted third-party entity called a CA.
Types of certificate
- TLS/SSL server certificate
- TLS/SSL client certificate
- Email certificate
- Code signing certificate
- Qualified certificate
- Root certificate
- Intermediate certificate
- End-entity or leaf certificate
- Self-signed certificate
A certificate contains, among other things:
1. The CA's identity
2. The owner's identity
3. The owner's public key
4. The certificate expiry date
5. The CA's signature of that certificate
6. Other information

With a certificate instead of a bare public key, a recipient can verify a few things about the issuer to make sure that the certificate is valid and belongs to the person claiming its ownership:
- compare the owner's identity
- verify that the certificate has been signed by a trusted CA
- verify the issuer's certificate signature
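The eight-step hash-then-sign procedure above and the three certificate checks just listed, worked in Python as an added example (not code from the notes): the keys are built from publicly known Mersenne primes and the certificate is a constructed JSON body signed by a constructed CA, so the block shows the arithmetic and the checks, not a production implementation.

```python
# Added example, not from the notes: textbook RSA hash-then-sign (steps 1-8)
# plus the certificate checks (trusted-CA signature, owner identity).
# All keys and documents are constructed; the primes are public Mersenne
# primes, so these keys demonstrate the arithmetic and protect nothing.
import hashlib
import json

E = 65537  # usual RSA public exponent


def make_keypair(p, q):
    """Step 1: (public, private) = ((n, e), (n, d)) from two primes p, q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # inverse of e mod phi(n), Python 3.8+
    return (n, E), (n, d)


def message_digest(data: bytes) -> int:
    """Step 3: one-way hash of the data as an integer (SHA-256, not MD5)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Step 4: transform the digest with the private key; that is the signature.
    No padding, to mirror the notes; real systems pad the digest first."""
    n, d = private_key
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Steps 6-8: undo the signature with the public key, compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data)


def issue_certificate(subject: str, subject_pub, ca_priv) -> dict:
    """Toy certificate: the CA signs the (owner identity, owner public key) pair."""
    body = json.dumps({"subject": subject, "n": subject_pub[0], "e": subject_pub[1]},
                      sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(body, ca_priv)}


def verify_certificate(cert: dict, expected_subject: str, trusted_ca_pub):
    """Return the owner's public key if the certificate checks out, else None."""
    if not verify(cert["body"], cert["ca_signature"], trusted_ca_pub):
        return None  # not signed by the CA we trust, or altered after signing
    fields = json.loads(cert["body"])
    if fields["subject"] != expected_subject:
        return None  # a genuine certificate, but issued to someone else
    return (fields["n"], fields["e"])


# Constructed keys: 2^127-1 and 2^521-1 (Jane), 2^89-1 and 2^607-1 (the CA).
# Both moduli are far above 256 bits, so a SHA-256 digest is always below n.
JANE_PUB, JANE_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)
CA_PUB, CA_PRIV = make_keypair((1 << 89) - 1, (1 << 607) - 1)

if __name__ == "__main__":
    agreement = b"Jane sells timeshare week 12 to the buyer"  # constructed document
    sig = sign(agreement, JANE_PRIV)                       # steps 2-5
    cert = issue_certificate("Jane", JANE_PUB, CA_PRIV)
    jane_key = verify_certificate(cert, "Jane", CA_PUB)    # the buyer trusts CA_PUB only
    print("certificate ok:   ", jane_key == JANE_PUB)
    print("signature ok:     ", verify(agreement, sig, jane_key))
    print("edit detected:    ", not verify(agreement + b" plus a car", sig, jane_key))
    print("wrong key refused:", not verify(agreement, sig, CA_PUB))
```

The buyer never needs Jane's public key out of band: the trusted CA key is enough to validate the certificate, pull Jane's key from it, and then check her signature.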

[Figure: input → digest]
