DATABASE - Requires that all similar transactions be

grouped together
- Collection of data stored on the
- Best suited to application having large
computer
volumes of similar transactions
- Implies a single set of files that is shared
by each app ONLINE PROCESSING

RELATIONAL DATABASE - Each transaction is entered and

processed one at a time
- Stores data in several small 2
- Real-time processing system
dimensional tables that can be joined
together DATA WAREHOUSE
- Ex. Single customer having more than
- Integrated collection of enterprise-wide
one order
data that generally includes several
- Database that allows admin(s) and
years of nonvolatile data, used to
users to set up connections among
support management in decision
different data records
making and planning.
- Can be use in simple tasks
OPERATIONAL DATA BASE
MASTER FILES
- Contains the data Is continually updated
- Are the relatively permanent files that
as transaction processed
maintain detailed data for each major
process DATA MINING
- Permanent info necessary to process
payroll transactions - Process of searching data within data
warehouse
TRANSACTION FILES
STRUCTURED DATA
- Set of relatively temporary records that
will be processed to update the master - Easily fits into rows and columns
file - Columns usually are fields of fixed
lengths
TYPES OF ACCESS REQUIRED
UNSTRUCTED DATA
SEQUENTIAL ACCESS
- Does not easily fits into rows and
- Files store records in sequence columns
- Ex. Free-form text (twt, fb,)
RANDOM ACCESS FILES (DIRECT ACCESS FILES)
BIG DATA
- Not written/read in sequential order
- Known as high-volume, high-speed
INDEXED SEQUNTIAL ACCESS METHOD (ISAM)
information that may be so large and
- Stored sequentially but can also be diverse that it demands innovative
accessed randomly forms of IT processing

MODES OF PROCESSING IT ENABLEMENT

BACTH PROCESSING E- Business

 - Use of electronic means to enhance
business
- Encompasses all forms of online
electronic trading
Electronic Data Interchange
- Is the intercompany, computer-to-
computer transfer of business
document in a standard business
format
- “intercompany” 2 or more companies
conducts business electronically
- Virtual exchange of data or business
documents in electronic format
between trading partners
Point of Sale System
- System of hardware and software that
captures retail sales transaction by
stand bar coding
Automated Matching
- The software matches an invoice to its
related purchase order and receiving
report
Evaluated Receipt Settlement
- Invoice-less system in which computer
hardware and software complete an
invoice-less match comparing the
purchase order with the goods received
E‐Payables and Electronic Invoice
Presentment and Payment
- Both terms to web-enabled receipt and
payment of vendor invoices
LESSON 2
GENERAL CONROLS FOR IT SYSTEMS
1. Authentication of users and limiting
unauthorized access
- Process or procedure and it system to
ensure that the person accessing the IT
system is valid and authorized user
- LOG IN means to make the computer
recognize you in order to create a
connection at the beginning of a
computer session
- To increase the effectiveness of log‐in
restriction, USER IDs must be unique for
each user.
- A PASSWORD is a secret set of
characters that identifies the user as the
authentic owner of that associated user
ID
- The smart card is plugged into the
computer’s card reader and helps
authenticate that the user is valid. The
smart card is a credit card–sized device
with an integrated circuit that displays a
constantly changing ID code
- A newer technology to authenticate
users is a security token, which plugs
into the USB port and thereby
eliminates the need for a card reader
- The SMART CARD is plugged into the
computer’s card reader and helps
authenticate that the user is valid. The
smart card is a credit card–sized device
with an integrated circuit that displays a
constantly changing ID code
- A newer technology to authenticate
users is a SECURITY TOKEN, which plugs
into the USB port and thereby
eliminates the need for a card reader
- BIOMETRIC DEVICES
- Use some unique physical
characteristic of the user to identify the
user and allow the appropriate level of
access to that user
- All accesses should be logged. The
organization should maintain a
computer log of all log‐ins.
- Purpose of Logs:
- COMPUTER LOG is a complete record of
all dates, times, and uses for each user
- The log‐in procedures and logs establish
non- repudiation of users.
Nonrepudiation means that a user
cannot deny any particular act that he
or she did on the IT system
- User profile
- AUTHORITY TABLE contains a list of
valid authorized users and the access
level granted to each one
- CONFIGURATION TABLE contains the
appropriate set-up and security
settings. Limit use access
2. Hacking and other network break-ins
FIRE WALL
- is hardware, software, or a combination
of both that is designed to block
unauthorized access
ENCRYPTION
- renders the data useless to those who
do not possess the correct encryption
key
SYMMETRIC ENCRYPTION
- uses a single encryption key that must
be used to encrypt data and also to
decode the encrypted data
PUBLIC KEY ENCRYPTION
- encryption uses both a public key and a
private key
- The public key, which can be known by
everyone, is used to encrypt the data,
and a private key is used to decode the
encrypted data. Knowing which public
encryption method a receiver uses
enables the sender to use that public
key to encrypt the data, and the
receiver will use her private key to
decode the data.
WEP
- Wireless network equipment, such as
access points and wireless network
cards, uses an encryption method called
wired equivalency privacy, or WEP.
WPA
- Can check to see whether encryption
keys have been tampered with
SSID
- service set identifier- is a password that
is passed between the sending and
receiving nodes of a wireless network
VPN
- A virtual private network utilizes
tunnels, authentication, and encryption
within the Internet network to isolate
Internet communications so that
unauthorized users cannot access or
use certain data
- The VPN traffic can be thought of as
traveling through a separate tunnel
within the Internet network of public
lines
SSL
- communication protocol built into Web
server and browser software that
encrypts data transferred on that
website
VIRUS
- is a self‐ replicating piece of program
code that can attach itself to other
programs and data and perform
malicious actions such as deleting files
or shutting down the computer
WORM
- Is a small piece of program code that
attaches to the computer’s unused
memory space and replicates itself until
the system becomes overloaded and
shuts down.
ANTIVIRUS SOFTWARE
- To avoid destruction of data programs
and to maintain operation of the IT
system, an organization must employ
antivirus software, which continually
scans the system for viruses and worms
and either deletes or quarantines them.
- Antivirus soft- ware renders virus and
worm program code harmless.
 MONITORING EXPOSURE
VULNERABILITY ASSESSMENT
- is the process of proactively examining
the IT system for weaknesses that can
be exploited by hackers, viruses, or
malicious employees
INTRUSION DETECTION
- systems are specific software tools that
monitor data flow within a network and
alert the IT staff to hacking attempts or
other unauthorized access attempts
PENENTRATION TESTING
- is the process of legitimately attempting
to hack into an IT system to find
whether weaknesses can be exploited
by unauthorized hackers.
3. Organizational structure
4. Physical environment and physical
security of the system
5. Business community
MARCH 26
ORGANIZATIONAL STRUCTURE
IT GOVERNANCE COMMMITTEE
- Made up of top executive
- Its function is to govern the overall
development and operation of IT
system
- Includes: CEO, CFO, CIO
RESPONSIBILITIES
- Align IT investments to business
strategy
- Budget funds and personnel for the
most effective use of the IT systems
- Oversee and prioritize changes to IT
systems
- Develop, monitor, and review all IT
operational policies
- Develop, monitor, and review security
policies
IT SYSTEMS THAT MUST BE SEGREGATED
- Systems analysts analyze and design IT
systems
- Programmers actually write the
software, using a programming
language
- Operation personnel are employees
who are responsible for processing
operating data
- The database administrator develops
and maintains the database and
ensures adequate controls over data
within the database
PHYSICAL ENVIRONMENT & SECURITY
Physical security
- Is intended to limit physical access to
computer hardware and software so
that malicious acts or vandalism do not
disrupt the system, and so that the data
is protected
Location
- A large IT system should be physically
located in an area and building that are
least risk of natural disasters.
- Natural disasters can easily destroy or
disrupt IT system operations.
Uninterruptible power supply (UPS)
- Includes a battery to maintain power in
the event of a power outage in order to
keep the computer running for several
minutes after a power outage.
Emergency power supply
- Is an alternative power supply that
provides electrical power in the event
that a main source is lost.
- Ex. Gasoline – powered generator
Physical controls
- Limited access to computer room
through employee ID badges or card
keys
- Video surveillance equipment
- Logs of persons entering and exiting the
computer rooms
- Locked storage of backup data and
offsite backup data
Business continuity plan (BCP)
- Is a proactive program for considering
risks to the continuation of business
and developing plans and procedures to
reduce those risks
2 pats of BCP related to IT:
- A strategy for backup and restoration of
IT systems, to include redundant
servers, redundant data storage, daily
incremental backups, a backup of
weekly changes, and off - site storage of
daily and weekly backups
- A disaster recovery plan
Redundant servers
- 2 or more computer network/data
servers that can run identical process or
maintain the same data.
- Accomplished by:
o Redundant arrays of
independent risk (RAIDs)- often
set up such that 2/more disks
are exact mirror images
o This backup protection is
improved by off-site backup, an
additional copy of the backup
files stored in & off site
location.
Disaster recovery plan (DSP)
- The plan for the continuance of IT
systems after a disaster
- Whereas BCP is proactive planning, DRP
is a more reactive plan to restore
business operations to normal after a
disaster occurs
General control from AICPA trust services
principle perspective
5 categories of IT controls and risk
Security
- The system is protected against
unauthorized (physical and logical)
access.
Availability
- The system is available for operation
and use as committed or agreed.
Processing integrity
- System processing is complete,
accurate, timely, and authoried
Online privacy
- Personal info obtained as a result of a e-
commerce is collected, used, disclosed
and retained as committed or agreed.
Confidentiality
- Information designated as confidential
is protected as committed or agreed
Security risks
- While the most popular type of
unauthorized access is probably by a
person unknown to the organization,
employees of the organization also may
try to access data to which they do not
need access to perform their job duties
Availability
- must be assessed and controlled by
authentication of user controls. Once a
person gains unauthorized access, it is
 conceivable that he may tamper with
the IT system in a manner that may shut
down systems and/or programs.

Processing integrity

- refers to the accuracy, completeness,

and timeliness of the processing in IT
systems. If unauthorized users access
the IT system, they could alter data to
change the results of processing

Confidentiality risk

- The risk of confidential data being

available to unauthorized users, can
occur if authentication controls are
weak.
- An unauthorized user who gains access
can browse, steal, or destroy
confidential data