CIA REVIEW: PART 3

Study Unit 5
Workstations, Databases,
and Applications

Copyright © 2019 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com.
CIA 3 SU 5
Table of Contents
5.1 Workstations and Databases
5.2 Application Development and Maintenance

Workstations
• A workstation is any combination of input, output, and
computing hardware that can be used for work.
• It may take the form of a personal computer (PC) or a
powerful microcomputer, which is used for scientific or
engineering work.

Binary Storage
• Digital computers store all information in binary format, that is, as
a pattern of ones and zeros.
o This makes arithmetic operations and true/false decisions on
the lowest level extremely straightforward.
• A bit is either 0 or 1 (off or on) in binary code.
• A byte is a group of bits, most commonly eight.
o A byte can be used to signify a character.
• A field, also called a data item, is a group of bytes.
o The field contains a unit of data about some entity.
• A record is a group of fields.
o Some field or combination of fields on each record is
designated as the key.
• A file is a group of records.

Electronic Data Interchange
(EDI)
• EDI is the communication of electronic documents directly
from a computer in one organization to a computer in
another organization.
• Advantages of EDI include (1) reduction of clerical errors,
(2) higher speed of transactions, and (3) elimination of
repetitive clerical tasks.
• A disadvantage of EDI is that it cannot handle a large volume
of customer orders.
• An extension of EDI is computer-stored records, a less
expensive medium than traditional physical file storage.

Electronic Funds Transfer
(EFT)
• EFT is a service provided by financial institutions worldwide
that is based on electronic data interchange (EDI)
technology.
• EFT transaction costs are lower than for manual systems
because documents and human intervention are eliminated
from the transaction process.
• The most important application of EFT is check collection.
• To reduce the enormous volume of paper, the
check-collection process has been computerized.
• The result is a reduction of the significance of paper checks.

Governance, Risk, and
Compliance (GRC) Systems
• Data governance encompasses information systems (IS) and
information technology (IT).
o IS and IT are vital to ensure the successful implementation of
an organization’s strategy.
o IT strategy should be driven by the business needs and not by
the functions of available technology when formulating a plan
to achieve goals.
o An IT strategic plan should be aligned with organizational
goals and integrated with the overall business strategy.
• Organizations generally develop strategies at three different
levels.
o Corporate-level strategy
o Business-level strategy
o Functional-level strategy

Governance, Risk, and
Compliance (GRC) Systems
• Strategic drivers are the critical elements that help
determine the success or failure of an organization’s
strategy.
• A well-functioning governance program generally
concentrates on strategic alignment, risk management,
value delivery, performance measurement, and resource
management.
• GRC software enables organizations to manage the
governance program strategy.

Data, Databases, and Database
Management System (DBMS)
• A database is an organized collection of data in a computer system.
• Data in the database are integrated to eliminate redundancy of data
items.
• A single integrated system allows for improved data accessibility.
• When systems within the organization are not integrated, they not only
may contain different data but also may define and update data in
inconsistent ways.
• A DBMS is an integrated set of computer programs that create the
database, maintain the elements, safeguard the data from loss or
destruction, and make the data available to applications programs and
inquiries.
• The data are stored physically on direct-access storage devices (e.g.,
magnetic disks, cloud). They are also stored for efficient access.
• Databases and the associated DBMS permit efficient storage and
retrieval of data for formal system applications.

Example
• The various files related to human resources in the
conventional record systems of most organizations include
payroll, work history, and permanent personnel data.
• An employee’s name must appear in each of these files
when they are stored and processed separately. The result is
redundancy. When data are combined in a database, each
data item is usually stored only once.

Two Early Database
Structures
• Storing all related data on one storage device creates
security problems.
• To understand the vast improvement in performance
brought about by database technology, it is helpful to
review the development of file structures.
o The early mainframe computers used flat files, meaning
that all the records and all the data elements within
each record followed one behind the other. Much of the
early mainframe storage was on magnetic tape, which
naturally stored data in this fashion.

Two Early Database
Structures
• Two inefficiencies are apparent at once in this method of
accessing data:
o The customer’s address has to be stored with every
order the customer places, taking up much unnecessary
storage.
o All intervening records must be read and skipped over in
order to find both records pertaining to this customer.
• Database technology overcame these two difficulties.

Flat File
• Here are two records excerpted from a tape file:

Organizing a Database
• The main ways to organize a database include tree or
hierarchical, network, relational, and nonrelational
databases.
• A tree or hierarchical structure arranges data in a
one-to-many relationship in which each record has one antecedent
but may have an unlimited number of subsequent records.
• The network structure connects every record in the
database with every other record.

Hierarchical Database
• One customer, many orders; one order, many parts:

Relational Database Structure
• A relational structure organizes data in a conceptual
arrangement.
o An individual data item is called a field or column (e.g.,
name, date, amount).
• Related fields are brought together in a record or
row.
• Multiple records make up a file or table.
• Tables can be joined or linked based on common
fields rather than on high-overhead pointers or
linked lists as in other database structures.
• Every record in a table has a field (or group of fields)
designated as the key.

Relational Database
• One customer, many orders; one order, many parts:

Three Basic Operations
• The three basic operations in the relational model are
selecting, joining, and projecting.
o Selecting creates a subset of records that meet certain
criteria.
o Joining is the combining of relational tables based on a
common field or combination of fields.
o Projecting results in the requested subset of columns
from the table.

Cardinality and Referential
Integrity
• Cardinality refers to how close a given data element is to
being unique.
• Referential integrity means that for a record to be entered
in a given table, there must already be a record in some
other table(s).
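
The three relational operations and the referential-integrity rule above, shown on the slides' customer/order/part relationship. This is an added example, not part of the Gleim material; the table names, column names, and sample rows are constructed, and SQLite is used only because it runs in memory.

```python
import sqlite3

# Constructed sample rows: one customer has many orders, one order has many parts.
CUSTOMERS = [(1, "Acme Supply", "12 Dock Rd"), (2, "Birch & Co", "8 Mill Ln")]
ORDERS = [(100, 1, "2019-01-15"), (101, 1, "2019-03-02"), (102, 2, "2019-02-20")]
ORDER_PARTS = [(100, "P-10", 5), (100, "P-22", 1), (101, "P-10", 2), (102, "P-31", 4)]

SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,          -- key field
    name        TEXT NOT NULL,
    address     TEXT NOT NULL                 -- stored once, not once per order
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    order_date  TEXT NOT NULL
);
CREATE TABLE order_part (
    order_id INTEGER NOT NULL REFERENCES orders(order_id),
    part_no  TEXT NOT NULL,
    quantity INTEGER NOT NULL,
    PRIMARY KEY (order_id, part_no)           -- key made of a group of fields
);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this is switched on per connection.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    with db:
        db.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
        db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
        db.executemany("INSERT INTO order_part VALUES (?, ?, ?)", ORDER_PARTS)
    return db

def select_orders_since(db, date):
    """Selecting: the subset of records (rows) that meet a criterion."""
    sql = "SELECT * FROM orders WHERE order_date >= ? ORDER BY order_id"
    return db.execute(sql, (date,)).fetchall()

def project_names(db):
    """Projecting: only the requested column(s) of the table."""
    rows = db.execute("SELECT name FROM customer ORDER BY customer_id")
    return [r[0] for r in rows]

def join_parts_for_customer(db, customer_id):
    """Joining: tables combined on their common fields, no pointers needed."""
    sql = """SELECT c.name, o.order_id, p.part_no, p.quantity
             FROM customer c
             JOIN orders o     ON o.customer_id = c.customer_id
             JOIN order_part p ON p.order_id = o.order_id
             WHERE c.customer_id = ?
             ORDER BY o.order_id, p.part_no"""
    return db.execute(sql, (customer_id,)).fetchall()

def insert_order(db, order_id, customer_id, order_date):
    """Referential integrity: an order is accepted only if its customer exists."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO orders VALUES (?, ?, ?)",
                       (order_id, customer_id, order_date))
        return True
    except sqlite3.IntegrityError:
        return False

def delete_customer(db, customer_id):
    """The same rule in reverse: a customer with orders cannot be removed."""
    try:
        with db:
            db.execute("DELETE FROM customer WHERE customer_id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = build_db()
    print("selected :", select_orders_since(db, "2019-02-01"))
    print("projected:", project_names(db))
    print("joined   :", join_parts_for_customer(db, 1))
    print("orphan order accepted?  ", insert_order(db, 103, 99, "2019-04-01"))
    print("valid order accepted?   ", insert_order(db, 103, 2, "2019-04-01"))
    print("customer 1 deleted?     ", delete_customer(db, 1))
```

With the `PRAGMA` line removed, SQLite accepts the orphan order silently, which is the kind of integrity gap an application control review would look for.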

Distributed Database
• A distributed database is stored in two or more physical
sites using either replication or partitioning.
o The replication or snapshot technique makes duplicates
to be stored at multiple locations.
o Fragmentation or partitioning stores specific records
where they are most needed.
o Updating data in a distributed system may require
special protocols.
o A deadly embrace (deadlock) occurs when each of two
transactions has a lock on a single data resource.

Non-Relational Databases
• Provide a mechanism for storage and retrieval of data other
than the tabular relations used in relational databases.
o They capture all kinds of data, which allows for a flexible
database that can easily and quickly accommodate any
new type of data and is not disrupted by content
structure changes.
o They provide better “horizontal” scaling to clusters of
machines, which solves the problem when the number
of concurrent users skyrockets for applications that are
accessible via the Web and mobile devices.

Additional Terminology
• The database administrator (DBA) is the individual who has overall
responsibility for developing and maintaining the database and for
establishing controls to protect its integrity.
o The data control language specifies the privileges and security rules
governing database users.
o The data manipulation language is used to retrieve, store, modify,
delete, insert, and update data in databases.
o The data definition language is used to create and modify the
structure of database objects in databases.
• The data dictionary is a file that describes both the physical and logical
characteristics of every data element in a database.
• Data from a relational database can be displayed in graphs and reports,
changed, and otherwise controlled using a program called Query
Management Facility (QMF).
• The schema is a description of the overall logical structure of the
database using data-definition language, which is the connection
between the logical and physical structures of the database.

Additional Terminology
• The database mapping facility is software that is used to evaluate
and document the structure of the database.
• Data command interpreter languages are symbolic character
strings used to control the current state of DBMS operations.
• An object-oriented database is a response to the need to store
not only numbers and characters but also graphics and
multimedia applications.
• In a hypermedia database, blocks of data are organized into
nodes that are linked in a pattern determined by the user so that
an information search need not be restricted to the predefined
organizational scheme.
• Advanced database systems provide for online analytical
processing (OLAP), also called multidimensional data analysis,
which is the ability to analyze large amounts of data from
numerous perspectives.

Additional Terminology
• A data warehouse contains not only current operating data
but also historical information from throughout the
organization.
o Data cleansing cleans up data in a database that is
incorrect, incomplete, or duplicated before loading it
into the database.
o Data mining is the process of analyzing data from
different perspectives and summarizing it into useful
information.
o A data mart is a subset of a data warehouse.

Multiple-Choice Question
Query facilities for a database system would most likely include all of the following except

A. Graphical output capability.
B. Data dictionary access.
C. A data validity checker.
D. A query-by-example interface.

Multiple-Choice Answer
Query facilities for a database system would most likely include all of the following except

A. Graphical output capability.
B. Data dictionary access.
C. A data validity checker.
D. A query-by-example interface.

The least likely feature of a query tool would be a data validity checker because
the database system has already enforced any validity constraints at the time the
data were inserted in the database. Any further data validity checking would be a
function of a user application program rather than a query.

5.2 Application Development and Maintenance

Organizational
Needs Assessment
• The organizational needs assessment is a detailed process of
study and evaluation of how information systems can be
deployed to help the organization meet its goals.
• The steps in the assessment are as follows:
o Determine whether current systems support
organizational goals
o Determine needs unmet by current systems
o Determine capacity of current systems to accommodate
projected growth
o Propose path for information systems deployment to
achieve organizational goals within budgetary
constraints

Business Process Design
• A business process is a flow of actions performed on goods
and/or information to accomplish a discrete objective.
• Some business processes are contained entirely within a
single functional area; e.g., hiring a new employee is
performed by the human resources function.
• Enterprise resource planning (ERP) systems are the most
advanced integrated systems.
• Business process reengineering involves a complete
rethinking of how business functions are performed to
provide value to customers.

Participants in
Business Process Design
• The everyday functioning of a business process affects multiple
stakeholder groups.
• End-users are generally the drivers of a new or redesigned
process.
• Because IT pervades every aspect of operations in a modern
organization, the IT steering committee must study each request
for a new process and either approve or deny it.
o Typical members of the steering committee include the chief
information officer and the head of systems development
from the IT function.
• Once a new process or system has been approved, a project team
is assembled, consisting of representatives of the end-users who
requested it and the IT personnel who will design and build the
software components that will support it.

Build or Buy
• When an organization acquires a new system by purchasing from
an outside vendor, contract management personnel oversee the
process.
o The future end-users of the system as well as IT personnel are
also involved, drawing up specifications and requirements.
• Extensive time and resources are devoted to the creation of a
new application, and generally, the more important the business
function being automated, the more complex the application is.
• Both the end-users who specified the new system’s functionality
and IT management who are overseeing the development
process must approve progress toward the completion of the
system at the end of each stage.

Systems Development
Life Cycle (SDLC)
• The SDLC approach is the traditional methodology applied to the
development of large, highly structured application systems.
• A major advantage of the life-cycle approach is enhanced
management and control of the development process.
• SDLC consists of five steps.
o Systems strategy, which requires understanding the
organization’s needs.
o Project initiation is the process by which systems proposals
are assessed.
o In-house development is generally chosen for unique
information needs.
o Commercial packages are generally chosen for common
needs rather than developing a new system from scratch.
o Maintenance and support involves ensuring the system
accommodates changing user needs.

Phases and Component Steps
of the Traditional SDLC
• The phases and component steps of the traditional SDLC
include
o Initiation, feasibility, and planning
o Requirements analysis and definition
o System design
o Build and development
o Testing and quality control
o Acceptance, installation, and implementation
o Operations and maintenance

Phases and Component Steps
of the Traditional SDLC
• Initiation, Feasibility, and Planning
o The SDLC begins with recognizing there is a need for a new
system, gaining an understanding of the situation to
determine whether it is feasible to create a solution, and
formulating a plan.
• Requirements Analysis and Definition
o A formal proposal for a new system is submitted to the IT
steering committee, describing the need for the application
and the business function(s) that it will affect.
o Feasibility studies are conducted to determine
• What technology the new system will require
• What economic resources must be committed to the new
system
• How the new system will affect current operations

Phases and Component Steps
of the Traditional SDLC
• System Design
o Logical design consists of mapping the flow and storage of the
data elements that will be used by the new system and the
new program modules that will constitute the new system.
o Physical design involves planning the specific interactions of
the new program code and data elements with the hardware
platform on which the new system will operate.
• Build and Development
o The actual program code and database structures that will be
used in the new system are written.
o Hardware is acquired and physical infrastructure is
assembled.

Phases and Component Steps
of the Traditional SDLC
• Debugging is performed during system development with
the intent of identifying errors or other defects.
• The following are various methods available to test systems:
o Static testing
o Dynamic testing
o White-box testing
o Black-box testing
o Gray-box testing

Levels of System Tests
• Unit testing refers to tests that verify:
o The functionality of a specific section of code
o The handling of data passed between various units or
subsystem components
• Integration testing is any type of software testing that seeks to
verify the interfaces between components against a software
design.
• System testing, or end-to-end testing, tests a completely
integrated system to verify that the system meets its
requirements.
• Acceptance testing is conducted to determine whether the
system meets the organization’s needs and is ready for release.

Phases and Component Steps
of the Traditional SDLC
• User acceptance testing is the final step before placing the system
in live operation.
• Four strategies for converting to the new system can be used.
o With parallel operation, the old and new systems both are
run at full capacity for a given period.
o With direct changeover conversion, the old system is shut
down and the new one takes over processing at once.
o Under pilot conversion, one branch, department, or division
at a time is fully converted to the new system.
o Under phased conversion, one function of the new system at
a time is placed in operation.
• Training and documentation are critical.

Phases and Component Steps
of the Traditional SDLC
• After a system becomes operational, the system should be
monitored to ensure ongoing performance and continuous
improvement.
• Systems follow-up or post-audit evaluation is a subsequent
review of the efficiency and effectiveness of the system
after it has operated for a substantial time (e.g., 1 year).

Change Management
• Change management comprises the processes executed within an
organization’s IT environment that are designed to manage
changes to production systems.
• IT components subject to change management include
o Hardware (e.g., mainframes, servers, and workstations)
o Software (e.g., operating systems and applications)
o Information, data, and data structures (e.g., files and
databases)
o Security controls (e.g., antivirus software and firewalls)
o Processes, policies, and procedures
o Roles and responsibilities (e.g., over authorization,
authority to act, and access to controls)

Effective Change Management
• To be effective, change management must provide the
organization’s management with the following knowledge:
o What is being changed, the reason(s) for the change,
and when the change will occur
o How efficiently and effectively changes are implemented
o Problems caused by the changes and their severity
o Cost of the changes
o Benefits of the changes

• Effective change management ultimately depends on
implementing effective controls.

Change Management Process
• The primary goal of the change management process is to
sustain and improve the organization’s operations.
• Changes must be managed in a repeatable, defined, and
predictable manner.

Change Management Process
• The change management process typically includes the following steps:
o Identify the need for the change.
o Prepare for the change.
o Justify and obtain approval.
o Authorize.
o Schedule, coordinate, and implement.
o Verify and review.
o Back out.
• Back out if the change was unsuccessful.
o Close.
• Close the change request and communicate with the affected
shareholders.
o Publish.
• Produce and release the change schedule.
o Change processes.
• Make improvements to the change management process.

Risk and Controls
• The risks resulting from ineffective change management
include lost market opportunities, unsatisfactory product or
service quality, and increased potential for fraud.
• The top risk indicators of ineffective change management
are
o Unauthorized changes,
o Unplanned changes,
o Low change success rate,
o High number of emergency changes, and
o Delayed project implementation.

Risk and Controls
• Effective change management requires preventive,
detective, and corrective controls to manage the risks
associated with changes to production systems.
o Preventive controls include segregation of duties,
change authorization, and limiting persons who may
update access to production data and production
programs.
o Detective controls include monitoring, reconciling actual
changes to approved changes, and assurance services
performed by internal or external auditors.
o Corrective controls include post-implementation
reviews.
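
One way to automate the detective control named above, reconciling actual changes to approved changes, and to count two of the listed risk indicators. This is an added example, not part of the Gleim material; the record layouts, ticket numbers, system names, and user names are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Approved:            # one authorized change request (hypothetical layout)
    ticket: str
    system: str
    approver: str
    window_start: datetime
    window_end: datetime
    emergency: bool = False

@dataclass(frozen=True)
class Actual:              # one change observed in production (hypothetical layout)
    when: datetime
    system: str
    actor: str
    ticket: Optional[str]  # ticket quoted by the implementer, if any

def reconcile(approved, actual):
    """Compare observed production changes with the approved change list."""
    by_ticket = {a.ticket: a for a in approved}
    implemented = set()
    findings = []
    for ch in actual:
        ap = by_ticket.get(ch.ticket) if ch.ticket else None
        if ap is None:
            # No ticket, or a ticket that was never approved.
            findings.append(("UNAUTHORIZED", ch.system, ch.ticket))
            continue
        implemented.add(ap.ticket)
        if ch.system != ap.system:
            findings.append(("WRONG_TARGET", ch.system, ch.ticket))
        if not (ap.window_start <= ch.when <= ap.window_end):
            findings.append(("OUTSIDE_WINDOW", ch.system, ch.ticket))
        if ch.actor == ap.approver:
            # Segregation of duties: the approver should not also implement.
            findings.append(("SOD_VIOLATION", ch.system, ch.ticket))
    for ap in approved:
        if ap.ticket not in implemented:
            findings.append(("NOT_IMPLEMENTED", ap.system, ap.ticket))
    return findings

def indicators(approved, findings):
    """Two of the risk indicators from the slide, as numbers."""
    unauthorized = sum(1 for kind, _, _ in findings if kind == "UNAUTHORIZED")
    emergency = sum(1 for a in approved if a.emergency)
    ratio = emergency / len(approved) if approved else 0.0
    return {"unauthorized_changes": unauthorized, "emergency_ratio": ratio}

def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample data.
SAMPLE_APPROVED = [
    Approved("CHG-1001", "payroll-db", "mgr_lee", _t("2019-06-01 22:00"), _t("2019-06-01 23:59")),
    Approved("CHG-1002", "web-frontend", "mgr_lee", _t("2019-06-02 01:00"), _t("2019-06-02 03:00"), True),
    Approved("CHG-1003", "erp-app", "mgr_kim", _t("2019-06-03 22:00"), _t("2019-06-03 23:00")),
    Approved("CHG-1004", "firewall-01", "mgr_kim", _t("2019-06-04 22:00"), _t("2019-06-04 23:00")),
]
SAMPLE_ACTUAL = [
    Actual(_t("2019-06-01 22:30"), "payroll-db", "dev_ana", "CHG-1001"),    # clean
    Actual(_t("2019-06-02 04:10"), "web-frontend", "dev_raj", "CHG-1002"),  # late
    Actual(_t("2019-06-03 22:15"), "erp-app", "mgr_kim", "CHG-1003"),       # self-implemented
    Actual(_t("2019-06-03 23:40"), "payroll-db", "dev_ana", None),          # no ticket
    Actual(_t("2019-06-04 02:00"), "erp-app", "dev_raj", "CHG-9999"),       # unknown ticket
]

if __name__ == "__main__":
    found = reconcile(SAMPLE_APPROVED, SAMPLE_ACTUAL)
    for kind, system, ticket in found:
        print(f"{kind:16} {system:14} {ticket}")
    print(indicators(SAMPLE_APPROVED, found))
```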

Role of Internal Auditors
• Internal auditors assist in change management by
o Understanding the organization’s IT objectives,
o Assisting in identifying risks to IT objectives,
o Assessing whether such risks are aligned with the
organization’s risk appetite and tolerances,
o Assisting in deciding the appropriate risk management
response,
o Understanding the controls used to manage risks and carry
out risk responses, and
o Promoting a culture of effective change management.
• Internal audit engagements associated with systems and
application development may include but are not limited to an
access control review, an application control review, a source
code review, a system design review, and a post-implementation
review.

Rapid Application
Development
• Prototyping is an alternative approach to application
development.
o It involves creating a working model of the system
requested, demonstrating it for the user, obtaining
feedback, and making changes to the underlying code.
• Computer-aided software engineering (CASE) applies the
computer to software design and development.
o CASE facilitates the creation, organization, and
maintenance of documentation and permits some
automation of the coding process.

End-User vs.
Centralized Computing
• End-user computing (EUC) involves user-created or user-acquired
systems that are maintained and operated outside of traditional
information systems controls.
• Program development, documentation, and maintenance also
may lack the centralized control found in larger systems.
• In a personal computer setting, the user is often the programmer
and operator.
• In general, the available security features for stand-alone
machines are limited compared with those in a network.
• Responsibility for the control of EUC exists at the organizational,
departmental, and individual user levels.
o The end-user is directly responsible for security of
equipment.

Multiple-Choice Question
Responsibility for the control of end-user computing (EUC) exists at the
organizational, departmental, and individual user level. Which of the
following should be a direct responsibility of the individual users?

A. Acquisition of hardware and software.
B. Taking equipment inventories.
C. Strategic planning of end-user computing.
D. Physical security of equipment.

Multiple-Choice Answer
Responsibility for the control of end-user computing (EUC) exists at the
organizational, departmental, and individual user level. Which of the
following should be a direct responsibility of the individual users?

A. Acquisition of hardware and software.
B. Taking equipment inventories.
C. Strategic planning of end-user computing.
D. Physical security of equipment.

EUC involves user-created or user-acquired systems that are
maintained and operated outside of traditional information systems
controls. In this environment, an individual user is ordinarily
responsible for the physical security of the equipment (s)he uses.
