Figure: Types of Information Systems by management level and functional area. Executive Support Systems (ESS) are used by Senior Managers (e.g. the 5-year operating plan); Management Information Systems (MIS), Decision Support Systems (DSS) and Executive Information Systems (EIS) are used by Middle Managers (e.g. sales analysis by product, area, etc.); Knowledge Management Systems (KMS, e.g. engineering and managerial workstations) and Office Automation Systems (OAS, e.g. word processing, document imaging, electronic calendars) are used by Knowledge and Data Workers; Transaction Processing Systems (TPS) are used by Operational Managers (e.g. order tracking and order processing, production scheduling, cost analysis, profitability analysis, cash management, accounts receivable, manpower planning, contract cost analysis, compensation, training and development, employee record keeping). Functional areas shown: Sales and Marketing, Manufacturing, Finance, Accounting, Human Resources.
2. Functions of a Knowledge Management System:
(a) Stores and retrieves knowledge.
(b) Improves collaboration.
(c) Locates knowledge sources.
(d) Mines repositories for hidden knowledge.
(e) Captures and uses knowledge.
(f) Enhances the KM process.
1. Obtaining competitive gain by knowledge processing, i.e. what an entity knows, how it uses that knowledge, and how fast it can learn something new.
2. Recognition of intangible resources (like knowledge, technology, competencies, the ability to innovate, etc.) as assets.
4. Treating knowledge as an important factor of production, like land, labour and capital.
Table: Explicit Knowledge vs Tacit Knowledge, compared on Meaning, Availability, Representation, Documentation, Examples (tacit: hands-on skills, experiences and the special know-how of employees), Transmission, and Role of IT (specialized systems).
2. Components of ERP:
(a) Software Component: It consists of modules like Finance, HR, Supply Chain Management, Supplier Relationship Management, Customer Relationship Management and Business Intelligence. The Software Component is the most visible part of ERP.
(b) Process Flow: It illustrates the flow of information among the different modules within an ERP system. This helps in understanding the working of ERP.
(c) Customer Mindset:
(d) Change Management: In ERP implementation, change should be managed at several levels, like user attitude, resistance to change, and business process changes.
Benefits of ERP
4. Single point of data capture, and hence a reduction in redundant data entry and processes.
5. Improved workflow, efficiency, on-time delivery and quality, resulting in customer satisfaction.
6. Reduced inventory costs resulting from better planning, tracking and forecasting of requirements.
7. Speedier collections from customers due to better visibility into accounts and fewer billing and delivery errors.
8. Decrease in vendor pricing due to better advantage of quantity breaks and tracking of vendor performance.
Core Banking:
(a) Core Banking refers to banking services provided by a group of networked bank branches, where customers may access their bank account and perform transactions from any of the member branch offices.
(b) Core banking functions include transactions on accounts, loans, mortgages and payments.
(c) Core Banking Solution (CBS) services can be used across multiple channels like ATMs, Internet Banking and branches.
Application Controls
1. Meaning:
2. Objective:
3. Aspects covered: Form Design; Source Document Controls; Input, Processing and Output Controls; Media Identification; Data Movement and Library Management; Data Backup and Recovery; Authentication and Integrity; Legal and Regulatory Requirements.
4. Subsystems:
Communication Controls
Three major types of exposure arise in the Communication subsystem:
(a) Transmission impairments, leading to a difference between the data sent and the data received,
(b) Corruption or loss of data through component failure, and
(c) Subversion of the data transmitted through the subsystem by a hostile party.
Controls to mitigate these types of exposure in the Communication subsystem include:
1. Physical Component Controls: Physical components affect the reliability of the Communication subsystem. Control over physical components can mitigate the possible effects of exposures.
Component / Control Aspect
Transmission Media: A physical path along which a signal can be transmitted between a sender and a receiver. Transmission media are classified as (a) Guided/Bound Media, in which the signals are transported through an enclosed physical path (twisted pair, coaxial cable, optical fibre, etc.), and (b) Unguided Media, in which the signals propagate via free-space emission (satellite, microwave, radio frequency, infrared, etc.).
Communication Lines: The reliability of data transmission can be improved by choosing a private (leased) communication line rather than a public communication line.
Modem: (a) Increases the speed with which data can be transmitted over a communication line. (b) Reduces the number of line errors arising from distortion in the equalisation process and from noise.
Port Protection Devices: (a) Perform various security functions to authenticate users. (b) Used to mitigate exposures associated with dial-up access to a computer system.
Multiplexers and Concentrators: (a) Enhance the effective bandwidth/capacity of a communication line. (b) Share the use of a high-cost transmission line among many messages that arrive at the multiplexer or concentration point from multiple low-cost source lines.
2. Line Error Controls: Errors in data transmission may be due to attenuation, distortion or noise occurring on the communication line. These errors must be detected and corrected in the following manner:
(a) Error Detection: using a loop (echo) check, or by building a redundancy check (such as a parity bit or a cyclic redundancy check) into the message transmitted.
(b) Error Correction: using forward error correcting codes (enough redundancy is sent for the receiver to repair the error itself) or backward error correcting codes (the receiver detects the error and requests retransmission).
Note that echo and redundancy checks address exposures (a) and (b) only: a hostile party (exposure (c)) can alter a message and recompute the check, so protection against subversion needs a cryptographic integrity check keyed with a secret the hostile party does not hold.
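The following is an added example (Python; not part of the original notes) showing the distinction just drawn: a CRC-16 catches a single flipped bit caused by line noise but passes a message that a hostile party has rewritten and re-checksummed, whereas an HMAC keyed with a secret the attacker lacks rejects it. The message text, the flipped bit position, the CRC polynomial and the keys are all constructed for the demo.

```python
"""Added example (not from the original notes): a redundancy check catches
transmission errors but not deliberate subversion; a keyed MAC catches both.
The message, the corrupted copy and the keys below are constructed for the demo."""
import hashlib
import hmac
import os


def crc16(data: bytes) -> int:
    """Bit-serial CRC-16/ARC (polynomial 0x8005, reflected form 0xA001, init 0).
    Chosen only as a representative redundancy check."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc & 0xFFFF


def frame(payload: bytes) -> bytes:
    """Sender side: append the 2-byte CRC (little-endian) to the payload."""
    return payload + crc16(payload).to_bytes(2, "little")


def check_frame(frame_bytes: bytes) -> bool:
    """Receiver side: recompute the CRC over the payload and compare."""
    payload, received = frame_bytes[:-2], frame_bytes[-2:]
    return crc16(payload).to_bytes(2, "little") == received


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission impairment: invert one bit (constructed noise)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def mac_frame(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with the shared secret key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_mac_frame(frame_bytes: bytes, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    payload, tag = frame_bytes[:-32], frame_bytes[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    payload = b"TRANSFER 100.00 TO ACCT 4711"      # constructed sample message

    # Exposure (a): line noise flips one bit of the frame; the CRC catches it.
    noisy = flip_bit(frame(payload), 13)
    noise_detected = not check_frame(noisy)         # True

    # Exposure (c): a hostile party rewrites the payload and recomputes the CRC.
    forged = frame(b"TRANSFER 999.00 TO ACCT 6666")
    forgery_detected_by_crc = not check_frame(forged)   # False: the CRC passes

    # With a keyed MAC the attacker cannot produce a valid tag without the key.
    key = os.urandom(32)                            # secret shared by sender and receiver
    forged_mac = mac_frame(b"TRANSFER 999.00 TO ACCT 6666", b"attacker guess")
    forgery_detected_by_mac = not check_mac_frame(forged_mac, key)   # True

    return noise_detected, forgery_detected_by_crc, forgery_detected_by_mac


if __name__ == "__main__":
    print(demo())
```

The CRC is the right tool for exposures (a) and (b) because it is cheap and detects every single-bit error; the MAC is needed for exposure (c) because its correctness depends on a key rather than on a public polynomial.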
3. Flow Controls: These controls are required because two nodes in a network can differ in the rate at which they can send, receive and process data.
Example: A mainframe transmits data to a microcomputer terminal. Due to the speed difference, the microcomputer cannot display data on its screen at the rate at which the data arrives from the mainframe. The microcomputer also has limited buffer space, so it cannot keep receiving data from the mainframe and storing it in its buffer pending display on its screen. Flow controls are used to prevent the mainframe from swamping the microcomputer.
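As an added illustration (Python; not from the original notes) of the mainframe/microcomputer case above: a receiver with a four-slot buffer that drains one item per tick, and a sender able to push five items per tick. Without flow control the buffer overflows and data is lost; with a window advertised by the receiver the sender is throttled and every item arrives in order. The buffer size, rates and data items are constructed parameters, not figures from the notes.

```python
"""Added example (not from the original notes): window-based flow control
between a fast sender and a slow receiver with a small buffer."""
from collections import deque


class SlowReceiver:
    """Models the microcomputer: limited buffer, drains slowly (e.g. to a screen)."""

    def __init__(self, buffer_size: int, drain_per_tick: int):
        self.buffer = deque()
        self.buffer_size = buffer_size
        self.drain_per_tick = drain_per_tick
        self.displayed = []
        self.dropped = 0

    def window(self) -> int:
        """Advertised window: free buffer slots the sender may fill."""
        return self.buffer_size - len(self.buffer)

    def receive(self, chunks):
        for c in chunks:
            if len(self.buffer) < self.buffer_size:
                self.buffer.append(c)
            else:
                self.dropped += 1          # buffer full: data is lost

    def tick(self):
        """Display (drain) a few buffered items per tick."""
        for _ in range(min(self.drain_per_tick, len(self.buffer))):
            self.displayed.append(self.buffer.popleft())


def transmit(chunks, receiver, rate: int, flow_control: bool):
    """Mainframe side: send up to `rate` chunks per tick, limited by the
    receiver's advertised window when flow control is enabled."""
    pending = list(chunks)
    while pending or receiver.buffer:
        allowed = min(rate, receiver.window()) if flow_control else rate
        burst, pending = pending[:allowed], pending[allowed:]
        receiver.receive(burst)
        receiver.tick()
    return receiver


def run(flow_control: bool):
    """Return (items dropped, whether everything was displayed in order)."""
    chunks = [f"line{i}" for i in range(20)]       # constructed data stream
    rx = transmit(chunks, SlowReceiver(buffer_size=4, drain_per_tick=1),
                  rate=5, flow_control=flow_control)
    return rx.dropped, rx.displayed == chunks


if __name__ == "__main__":
    print("without flow control:", run(False))
    print("with flow control:   ", run(True))
```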
4. Link Controls: In wide area networks, line error control and flow control are important functions that manage the link between two nodes in a network. The link management components mainly use two common protocols: HDLC (High-level Data Link Control) and SDLC (Synchronous Data Link Control).
5. Topological Controls: Communication network topology specifies the location of nodes within a network. It also specifies the ways in which these nodes will be linked, the data transmission capabilities of the links, etc. Following are different types of network topologies:
Table: Topology / Features / Implementation (e.g. relatively low-speed communication among nodes).
6. Channel Access Controls: When two different nodes in a network compete to use a communication channel, channel access control techniques are used to resolve the conflict. These techniques involve
(a) Polling (Non-Contention): This technique establishes the order in which a node can gain access to the channel capacity.
(b) Contention Methods: In this technique, nodes in a network must compete with each other to gain access to a channel. Each node is given an immediate right of access to the channel, but whether a node actually obtains the channel depends on the actions of the other nodes connected to it.
7. Internetworking Controls: Internetworking is the process of connecting two or more communication networks together to allow the users of one network to communicate with the users of other networks. The networks connected may or may not use the same hardware and software platform. Three types of devices are used to connect subnetworks, as described below:
Device / Functions
Bridge: A bridge connects similar local area networks (e.g. one Token Ring network to another Token Ring network).
Router: A router performs all the functions of a bridge. In addition, it can (a) connect heterogeneous LANs (e.g. a bus network to a Token Ring network), and (b) route network traffic over the fastest channel between two nodes that reside in different subnetworks (e.g. by examining traffic patterns within a network and between different networks to determine channel availability).
Gateway: (a) A gateway performs protocol conversion to allow different types of communication architectures to communicate with one another. (b) A gateway maps the functions performed by an application on one computer to the functions performed by a different application with similar functions on another computer.
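The routing function described in (b) for a router, as an added example (Python; not part of the original notes): a least-cost path search (Dijkstra's algorithm) over a constructed topology in which two LANs are joined through routers R1, R2 and R3, each link carrying an assumed transit cost. The direct R1-R2 link is slower than the two-hop path via R3, so the router forwards via R3.

```python
"""Added example (not from the original notes): selecting the fastest channel
between two nodes in different subnetworks. Topology and link costs (assumed
transit time in ms) are constructed for the demo."""
import heapq

# Constructed topology: host A on one LAN, host B on another, joined via routers.
LINKS = {
    ("A", "R1"): 1,
    ("R1", "R2"): 10,     # slow direct link between the two edge routers
    ("R1", "R3"): 2,
    ("R3", "R2"): 3,
    ("R2", "B"): 1,
}


def build_graph(links):
    """Adjacency map; every link is usable in both directions."""
    graph = {}
    for (u, v), cost in links.items():
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph


def fastest_path(links, src, dst):
    """Return (total_cost, [hops]) for the least-cost route,
    or (None, []) if dst is unreachable."""
    graph = build_graph(links)
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                      # stale queue entry
        if u == dst:
            break
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    print(fastest_path(LINKS, "A", "B"))   # expected: (7, ['A', 'R1', 'R3', 'R2', 'B'])
```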
Processing Controls
The Processing subsystem is responsible for computing, sorting, classifying and summarising data. Its components are:
Central Processor: Programs are executed here. [Note: A processor comprises (a) a Control Unit, which fetches programs from memory and determines their type, (b) an Arithmetic and Logic Unit, which performs operations, and (c) Registers, which are used to store temporary results and control information.]
1. Some controls to reduce the expected losses from errors and irregularities associated with central processors are:
Control / Explanation
Error Detection and Correction: (a) Processors may malfunction due to design errors, manufacturing defects, damage, electromagnetic interference and ionising radiation. (b) Various types of error detection and correction strategies must be used.
Multiple Execution States: (a) Determining the number and nature of the execution states enforced by the processor is very critical for auditors. (b) They help to detect unauthorised activities, such as gaining access to sensitive data maintained in memory regions assigned to the operating system or to other user processes.
Timing Controls: A program (or even the operating system) might get stuck in an infinite loop. In the absence of any control, such a program holds the processor and prevents other programs from running.
Component Replication: The failure of a processor can result in significant losses. Redundant processors allow errors to be detected and corrected. If a processor failure is permanent in multicomputer or multiprocessor architectures, the system might reconfigure itself to isolate the failed processor.
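As an added example (Python; not part of the original notes) of the Multiple Execution States and Timing Controls described above: a toy processor with a supervisor-only memory region, a user/supervisor execution state that is checked on every memory access, and an instruction budget per dispatch that pre-empts a program stuck in an infinite loop. The memory layout, instruction set and the three sample programs are all constructed for the demonstration.

```python
"""Added example (not from the original notes): execution-state checks on
memory access plus a time-slice limit, in a constructed toy processor."""

OS_REGION = range(0, 256)        # supervisor-only memory (constructed layout)
MEMORY_SIZE = 1024


class ProtectionFault(Exception):
    pass


class ToyCPU:
    def __init__(self, time_slice: int):
        self.memory = [0] * MEMORY_SIZE
        self.time_slice = time_slice     # max instructions per dispatch
        self.acc = 0                     # accumulator register

    def _check_access(self, addr: int, mode: str):
        """Execution-state check: user mode may not reach the OS region."""
        if addr < 0 or addr >= MEMORY_SIZE:
            raise ProtectionFault(f"address {addr} outside memory")
        if mode == "user" and addr in OS_REGION:
            raise ProtectionFault(f"user mode touched OS address {addr}")

    def run(self, program, mode="user"):
        """Execute until HALT, fault or time-slice expiry.
        Returns (status, instructions_executed).
        Instructions: ("LOAD", addr), ("STORE", addr, value), ("JMP", pc), ("HALT",)."""
        pc = executed = 0
        while True:
            if executed >= self.time_slice:          # timing control
                return "preempted", executed
            if pc < 0 or pc >= len(program):
                return "fault", executed             # fetch outside the program
            op = program[pc]
            executed += 1
            try:
                if op[0] == "LOAD":
                    self._check_access(op[1], mode)
                    self.acc = self.memory[op[1]]
                elif op[0] == "STORE":
                    self._check_access(op[1], mode)
                    self.memory[op[1]] = op[2]
                elif op[0] == "JMP":
                    pc = op[1]
                    continue
                elif op[0] == "HALT":
                    return "halted", executed
                else:
                    raise ProtectionFault(f"illegal instruction {op[0]!r}")
            except ProtectionFault:
                return "fault", executed
            pc += 1


def demo():
    """Three constructed programs: a benign one, one that snoops OS memory,
    and one that never terminates."""
    cpu = ToyCPU(time_slice=50)
    benign = [("STORE", 300, 7), ("LOAD", 300), ("HALT",)]
    snooping = [("LOAD", 16), ("HALT",)]            # OS address from user mode
    runaway = [("LOAD", 300), ("JMP", 0)]           # infinite loop
    return {
        "benign": cpu.run(benign),
        "snooping_user": cpu.run(snooping, mode="user"),
        "snooping_supervisor": cpu.run(snooping, mode="supervisor"),
        "runaway": cpu.run(runaway),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The same program is allowed in supervisor mode and refused in user mode, which is exactly the distinction an auditor wants to see the processor enforce; the time slice converts an infinite loop from a denial of service into a bounded event that the operating system can handle.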
1. Framework: It organises IT governance objectives and good practices and links them to business requirements.
2. Process Descriptions: It acts as a reference process model and common language for everyone in an organisation. The processes map to the responsibility areas of Plan, Build, Run and Monitor.
3. Control Objectives: It provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
4. Management Guidelines: These help assign responsibility, agree on objectives, measure performance and illustrate the interrelationship with other processes.
5. Maturity Models: These help to assess the maturity and capability of each process, and to address gaps.
The COBIT 5 Process Reference Model incorporates both the Risk IT and Val IT frameworks. The complete COBIT 5 Enabler Model comprises 37 governance and management processes, as under:
Process Type           Domain                                  Process Sequence   No. of Processes
Governance Processes   Evaluate, Direct and Monitor (EDM)      EDM01 to EDM05     05
Management Processes   Align, Plan and Organise (APO)          APO01 to APO13     13
                       Build, Acquire and Implement (BAI)      BAI01 to BAI10     10
                       Deliver, Service and Support (DSS)      DSS01 to DSS06     06
                       Monitor, Evaluate and Assess (MEA)      MEA01 to MEA03     03
Total                                                                             37
Linkage of Processes:
Governance Processes (Evaluate, Direct, Monitor): Business needs feed into the Evaluate step. This process ensures (a) evaluating stakeholder needs and available options, to determine balanced, agreed-on enterprise objectives to be achieved, (b) setting direction through prioritisation and decision making, and (c) performance monitoring for compliance and progress towards the agreed-on objectives.
Management Processes (Plan, Build, Run, Monitor, i.e. APO, BAI, DSS, MEA): These domains provide end-to-end coverage of IT in alignment with the direction set by the governance body, to achieve the enterprise objectives. Direction flows from governance to management, and feedback flows back from management to governance.
ISO 27001:2013 Standard
More emphasis on information security and risk assessment. The PDCA cycle is no longer mandated.
Provides guidance on outsourcing, since many entities rely on third parties to provide IT-related services.
114 controls are structured under 14 categories.
Has many common features with other management standards such as ISO 9000 and ISO 20000. Other continuous improvement processes, like Six Sigma's DMAIC method, can also be implemented.
Clauses of the Standard:
Clause No.   Coverage                        Clause No.   Coverage
Clause 1     Scope                           Clause 6     Planning
Clause 2     Normative references            Clause 7     Support
Clause 3     Terms and definitions           Clause 8     Operation
Clause 4     Context of the organisation     Clause 9     Performance evaluation
Clause 5     Leadership                      Clause 10    Improvement
Annex A Control Categories:
Category   Coverage                                                            No. of Controls
A.5        Information security policies                                       02
A.6        Organisation of information security                                07
A.7        Human resource security                                             06
A.8        Asset Management                                                    10
A.9        Access Control                                                      14
A.10       Cryptography                                                        02
A.11       Physical and environmental security                                 15
A.12       Operations Security                                                 14
A.13       Communications Security                                             07
A.14       System acquisition, development and maintenance                     13
A.15       Supplier relationships                                              05
A.16       Information security incident management                            07
A.17       Information security aspects of business continuity management      04
A.18       Compliance                                                          08
Total                                                                          114
Service Strategy:
Aspect / Description
(a) IT Service Generation:
(b) Service Portfolio Management:
(c) Financial Management:
(d) Demand Management: A planning methodology used to manage and forecast the demand for products and services.
(e) Business Relationship Management: An approach to understand, define and support business activities relating to providing and consuming knowledge and services through networks.
Service Design:
Aspect / Description
(a) Service Catalogue Management: The Service Catalogue should contain accurate details, dependencies and interfaces of all services made available to customers. Information like customer ordering, processing of requests, prices, deliverables and contract points is maintained.
(b) Service Level Management: It is the primary interface with the customer. It is responsible for ensuring services are delivered when and where they are supposed to be, interfacing with Availability Management, Capacity Management, Incident Management and Problem Management. It provides for continual identification, monitoring and review of the levels of IT services in accordance with Service Level Agreements (SLAs).
(c) Availability Management: This helps the entity to ensure IT service availability to support the business at a justifiable cost. Activities comprise (a) realising availability requirements, (b) compiling an availability plan, (c) monitoring availability and (d) maintenance of obligations. This area addresses many IT component abilities, like reliability, maintainability, serviceability, resilience and security, to perform at an agreed level.
(d) Capacity Management: This helps to match the entity's IT resources to business demands, resulting in optimum and cost-effective provision of IT services. Activities include (a) application sizing, (b) workload management, (c) demand management, (d) modelling, (e) capacity planning, (f) resource management and (g) performance management.
(e) IT Service Continuity Management: It is a process to ensure IT services can recover and continue, even after a serious incident.
(f) Information Security Management:
(g) Supplier Management:
Service Transition:
(a) Service Transition Planning and Support:
(b) Change Management and Evaluation: Standardised methods and procedures are used for efficient handling of all changes. It ensures that releases and services meet the expectations of the customer. It also verifies whether IT Operations are able to support the new service.
Service Operation:
Function or Process / Description
(a) Service Desk: It is one of the four ITIL functions (it is primarily associated with the Service Operation lifecycle stage). Service Desk functions include (i) handling incidents and requests, and (ii) providing an interface for other IT processes. Features include Single Point of Contact (SPOC), Single Point of Entry and Exit, etc., which is easier for customers because of the streamlined communication channel.
(b) Application Management: It is a set of best practices to improve the overall quality of IT software development and support through the SDLC, particularly for defining requirements to meet business objectives.
(c) IT Operations: It is concerned with specific sub-processes, such as (i) Output Management, (ii) Job Scheduling, (iii) Backup and Restore, (iv) Network Management, (v) System Management, (vi) Database Management and (vii) Storage Management, etc.
(d) IT Technical Support: It provides functions like Research and Evaluation, (i) Market Intelligence, (ii) Proof of Concept and Pilot Engineering, (iii) Specialist Technical Expertise, Documentation, etc.
(e) Incident Management: It aims to restore normal service operations quickly and to minimise the adverse effect on business operations, by ensuring the best possible levels of service quality and availability.
(f) Request Fulfilment: Request Fulfilment (or Request Management) focuses on fulfilling service requests, e.g. a request to change a password or a request for information by the user.
(g) Access Management:
(h) Event Management: An event may indicate that something is not functioning correctly, leading to an incident being logged. Event Management generates and detects notifications. It monitors and checks the functioning of components, even when no events are occurring.
(i) Problem Management: This seeks to identify notifications and the problem areas behind them, and to initiate procedures for handling them.
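As an added example (Python; not part of the original notes) of Event Management feeding Incident Management: a small monitor that parses a constructed stream of monitoring events, classifies each as informational, warning or exception (the three ITIL event types), and logs an incident for every exception. The log line format, host names, metrics and thresholds are invented for the demo.

```python
"""Added example (not from the original notes): event management over a
constructed monitoring feed, raising incidents for exception events."""
import re
from dataclasses import dataclass, field

# Constructed sample feed: "<time> <host> <metric>=<value>"
SAMPLE_EVENTS = """\
09:00:01 db01 disk_used_pct=61
09:00:02 db01 heartbeat=ok
09:00:05 app02 disk_used_pct=91
09:00:09 app02 heartbeat=missed
09:00:12 app03 login_failures=47
09:00:15 db01 disk_used_pct=72
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+)=(\S+)$")


@dataclass
class Incident:
    host: str
    summary: str


@dataclass
class EventManager:
    warn_disk: int = 70       # assumption: warning threshold (percent used)
    exc_disk: int = 90        # assumption: exception threshold (percent used)
    exc_logins: int = 20      # assumption: failed logins suggesting brute force
    incidents: list = field(default_factory=list)
    counts: dict = field(default_factory=lambda: {
        "informational": 0, "warning": 0, "exception": 0})

    def classify(self, metric: str, value: str) -> str:
        """Map one event to an ITIL event type."""
        if metric == "disk_used_pct":
            pct = int(value)
            if pct >= self.exc_disk:
                return "exception"
            return "warning" if pct >= self.warn_disk else "informational"
        if metric == "heartbeat":
            return "exception" if value == "missed" else "informational"
        if metric == "login_failures":
            return "exception" if int(value) >= self.exc_logins else "informational"
        return "informational"           # unknown metric: record, do not alarm

    def process(self, feed: str):
        """Detect events in the feed; exceptions become incidents."""
        for line in feed.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue                 # malformed line: skip, keep monitoring
            _time, host, metric, value = m.groups()
            kind = self.classify(metric, value)
            self.counts[kind] += 1
            if kind == "exception":
                self.incidents.append(Incident(host, f"{metric}={value}"))
        return self.incidents


if __name__ == "__main__":
    em = EventManager()
    for inc in em.process(SAMPLE_EVENTS):
        print(f"INCIDENT {inc.host}: {inc.summary}")
    print(em.counts)
```

The informational events are still counted: that is the "monitors even when no events are occurring" part of Event Management, and a sudden absence of informational heartbeats is itself a signal worth an exception rule.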
Table: ITIL lifecycle stages and their processes and functions.
Service Strategy: IT Service Generation; Service Portfolio Management; Financial Management; Demand Management; Business Relationship Management.
Service Design: Service Catalogue Management; Service Level Management; Availability Management; Capacity Management; IT Service Continuity Management; Information Security Management; Supplier Management.
Service Transition: Service Transition Planning and Support; Change Management and Evaluation; Release and Deployment Management; Service Validation and Testing; Knowledge Management.
Service Operation: Service Desk Functions; Application Management; IT Operations; IT Technical Support; Incident Management; Request Fulfilment; Access Management; Event Management; Problem Management.