CS 507 Subjective Questions, composed by Sahar and Sumera
Question No: 1 (Marks: 2) What are the basic components of DSS?
There are two major components:
• DSS database – a collection of current and historical data from internal and external sources. It
can be a massive data warehouse.
• Decision support software system – the set of software tools used for data analysis.
Question No: 2 (Marks: 2) Define the following:
a) Ethics
Ethics are the moral choices made by an individual in relation to the rest of the community, the rules
governing members, and the standards of acceptable behaviour.
b) Code of ethics
A code of ethics is a collection of rules that serves as a guide for the members of an organization.
Question No: 3 (Marks: 2) What is Stand Alone Processing?
A self-contained (stand-alone) microcomputer is one that is not connected to a network. Processing on
such a computer is called stand-alone processing.
Question No: 4 (Marks: 2) Define intrusion detection.
Intrusion detection is the process of identifying attempts to penetrate a system and gain
unauthorized access.
Question No: 5 (Marks: 3) How can we make our password secure?
1. Keep it secret.
2. Do not write it down anywhere.
3. Always use a combination of letters, numbers and upper and lower case characters.
4. Change the password on a regular basis.
Question No: 6 (Marks: 3) What are some of the things you should keep in mind when
identifying risks?
Network attackers are getting smarter every day, and organizations and people want their data to
be protected. Businesses must therefore operate within a risk management culture. A
comprehensive risk-based approach, starting from identifying risks, is the better solution.
Question No: 7 (Marks: 3) What is a Data Driven Decision Support System?
Data-driven DSS use the large pool of data held in the major organizational systems. They help to extract
information from large quantities of stored data. These systems rely on data warehouses created
from transaction processing systems.
They use the following techniques for data analysis:
• Online analytical processing (OLAP), and
• Data mining
Question No: 8 (Marks: 3) Define Re-engineering.
Re-engineering is the fundamental rethinking and redesign of business processes to achieve
dramatic improvement in critical, contemporary measures of performance, such as cost, quality,
service and speed.
Question No: 9 (Marks: 5) List any five reasons that attract organizations to ERP.
Answer:
1. Planning the operations.
2. Integrated customer-related information – order tracking linked with the customer database, inventory
and shipment at different locations.
3. Standardized HR information – a company with multiple business units requires a
comprehensive, all-encompassing method of locating employees and communicating with
them.
4. Integrated financial information and analysis.
5. Monitoring the operations, including those of sub-vendors and manufacturers.
Question No: 10 (Marks: 3) How can viruses and worms be transmitted into
computers? Identify any three sources.
Answer:
Viruses and worms are easily transmitted from the internet by downloading files to computers through web
browsers. Other infections come from files received through online services, computer
bulletin board systems and local area networks. Viruses can be planted in various kinds of programs, for
instance:
1. Free software – software downloaded from the net.
2. Pirated software – cheaper than the original versions.
3. Games software – wide appeal and a high chance of being shared.
4. Email attachments – quick to spread.
5. Portable hard and flash drives – employees take disks home and may work on their own
personal PCs, which have not been cleaned or do not have suitable anti-virus software installed.
Question No: 11 (Marks: 3) How is information kept in a purchase system?
A simple example can be given of a purchase and sales system. In a typical purchase system
information related to the purchase of materials is kept, for instance:
• Orders for the purchase of various materials
• Status of deliveries received against specific orders
• Changes in the order quantity, time, day or other information
• Quality inspection reports and whether they need to be communicated to the supplier
• Updated status report of stock
• Issues made out of stock
Question No: 12 (Marks: 2) What is an information quality checklist?
Answer: Information can be ranked according to the qualities it has. Experts have devised certain
criteria to evaluate the quality of information; the points used to evaluate that quality are known as
quality checks, and together they form the information quality checklist.
Question No: 13 (Marks: 2) What are active monitors? Define.
Answer: Active monitors are anti-virus software that monitor the system concurrently as it is being used. They act as
a guard against viruses while the operating system is performing various functions, e.g. connecting
to the internet, transferring data, etc.
Question No: 14 (Marks: 3) Briefly describe the Incremental Model.
Answer: In the incremental model, software is built, not written. Software is constructed step by
step in the same way a building is constructed. The product is designed, implemented, integrated
and tested as a series of incremental builds, where a build consists of code pieces from various
modules interacting together to provide a specific functional capability and testable as a whole.
Question No: 15 (Marks: 3) The Information Systems Security Association (ISSA) of the USA has listed
many ethical challenges. Identify any three of them.
Answer:
1. Misrepresentation of certifications and skills
2. Abuse of privileges
3. Inappropriate monitoring
Question No: 16 (Marks: 5) What do you think are the key benefits of
E-commerce to organizations?
Answer: Advantages of E-Commerce to an online business:
• E-commerce helps to increase the sales revenue of the business.
• Businesses can spend less money and earn higher profits with e-commerce.
• It is easy to track the segment of customers who are happy with purchasing goods
online.
• An instantaneous global sales presence.
• The business can operate on a 24 × 7 basis.
• The customer base can be increased easily.
• A shop can be set up anywhere in the world, independent of geographical location.
• An inexpensive way to turn a web site into a revenue centre.
• Reduced customer support costs via e-mail marketing and regular newsletters.
• Customized mailing lists can be created.
• Free traffic can be driven to the web site.
• The business web site can be promoted through various promotional activities such as
search engine optimization, pay-per-click management, email marketing, social media
optimization, online banner advertisement, online branding and affiliate management.
Question No: 17 (Marks: 5) What do you understand by Disaster Recovery Planning?
A disaster recovery plan is a comprehensive statement of consistent actions to be taken before,
during and after a disaster. The plan should be documented and tested to ensure the continuity of
operations and the availability of critical resources in the event of a disaster.
It typically details the process IT personnel will use to restore the computer systems. Disaster
recovery plans may be included in the business continuity plan or kept as a separate document
altogether. A business continuity plan may not be comprehensively available in a non-critical
environment, but a disaster recovery plan should exist at least to help the organization
recover from disasters. The IT disaster recovery plan is a subcomponent of the business continuity plan.
IS processing is one of the many operations that
keep the organization not only alive but also successful, which makes it of strategic importance.
Question No: 18 (Marks: 2) List the information requirements of medium-sized
organizations.
Answer:
• Planning for the required information
• Monitoring of the planned information
Question No: 19 (Marks: 2) Why do we need to secure information systems?
Organizations need assurance that their information systems are reliable, and sound security is fundamental to
achieving that assurance. Furthermore, organizations need to protect themselves against the risks inherent in
the use of information systems while simultaneously recognizing the benefits that accrue from having secure information
systems. Thus, as dependence on information systems increases, security is universally
recognized as a pervasive, critically needed quality.
Question No: 20 (Marks: 3) What is access control? Give an example.
Answer: Access Controls
These controls establish the interface between the would-be user of the computer system and the
computer itself. They govern the initial handshaking procedure between the user and the
operating system. For example, when a customer enters a card and PIN code at an automated
teller machine (ATM), access controls are exercised by the system to block unwanted or
illegitimate access.
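The ATM case above, carried through as an added example (this code is not part of the original CS 507 notes). It models the access-control handshake: the system stores only a salted PBKDF2 hash of the PIN, compares it in constant time, and locks the card after repeated failures. The card number, PIN and lockout threshold of three attempts are constructed assumptions for illustration.

```python
"""Added example: an access-control check modelled on the ATM case.
The card number, PIN and lockout threshold are assumptions, not real values."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3  # assumption: lock the card after three wrong PINs


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AccessControl:
    """The interface between the would-be user and the system: it decides
    whether the initial handshake (card + PIN) is accepted."""

    def __init__(self):
        self._accounts = {}  # card_number -> {salt, pin_hash, failures, locked}

    def enrol(self, card_number: str, pin: str) -> None:
        salt = os.urandom(16)
        self._accounts[card_number] = {
            "salt": salt,
            "pin_hash": hash_pin(pin, salt),
            "failures": 0,
            "locked": False,
        }

    def authenticate(self, card_number: str, pin: str) -> str:
        """Return 'granted', 'denied' or 'locked'."""
        acct = self._accounts.get(card_number)
        if acct is None:
            # Unknown card gets the same answer as a wrong PIN, so the
            # response does not reveal which card numbers exist.
            return "denied"
        if acct["locked"]:
            return "locked"
        candidate = hash_pin(pin, acct["salt"])
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, acct["pin_hash"]):
            acct["failures"] = 0
            return "granted"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True  # card blocked after repeated failures
            return "locked"
        return "denied"


def demo() -> list:
    """Constructed session: one good login, three bad PINs, then the good PIN again."""
    ac = AccessControl()
    ac.enrol("4000-0000-0000-0002", "4821")  # constructed sample card and PIN
    results = [ac.authenticate("4000-0000-0000-0002", "4821")]
    for wrong in ("0000", "1111", "2222"):
        results.append(ac.authenticate("4000-0000-0000-0002", wrong))
    # Even the correct PIN is refused once the card is locked.
    results.append(ac.authenticate("4000-0000-0000-0002", "4821"))
    return results


if __name__ == "__main__":
    print(demo())  # ['granted', 'denied', 'denied', 'locked', 'locked']
```

The point to notice is that the control sits in front of every other function of the system: after the third failure nothing the user enters, not even the correct PIN, gets through until an administrator unlocks the card.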
Question No: 21 (Marks: 3)
Risk mitigation is a process that takes place after the process of risk assessment has been
completed. Discuss briefly the various risk mitigation options.
Answer:
• Risk assumption: to accept the potential risk and continue operating the IT system, or to
implement controls to lower the risk to an acceptable level.
• Risk avoidance: to avoid the risk by eliminating its cause and/or consequence, e.g. forgo certain
functions of the system or shut down the system when risks are identified.
• Risk limitation: to limit the risk by implementing controls that minimize the adverse impact
of a threat exercising a vulnerability, e.g. the use of supporting, preventive and detective controls.
• Risk planning: to manage risk by developing a risk mitigation plan that prioritizes, implements
and maintains controls.
• Research and acknowledgement: to lower the risk of loss by acknowledging the vulnerability or
flaw and researching controls to correct it.
• Risk transference: to transfer the risk by using other options to compensate for the loss, such as
purchasing insurance.
Question No: 22 (Marks: 3) Differentiate CRM from ERP.
Answer: ERP and CRM
The customer has become of critical importance in modern business. Early on, organizations
used to focus more on how much had been sold and what had been produced, but now the focus is
quite different: it is placed on the requirements of the customer, providing quality
service and quickness of response to customer queries. Analysis of customer data, from personal habits to spending
patterns, has become a crucial element of doing successful business. Customer relationship management (CRM) systems
are built around this customer-facing data, whereas ERP integrates the organization's internal operations (finance,
HR, inventory, production); through that integration ERP also has the potential to improve the quality of customer handling.
Question No: 21 (Marks: 5) Differentiate impact analysis from risk determination.
The impact analysis phase relates to analyzing how much the information assets are exposed to the various threats
identified, and thus quantifying the loss caused to the asset through each threat.
The risk determination phase relates to the analysis of both physical and logical threats. It measures the level of risk by
determining the adverse impact resulting from a successful exercise of a vulnerability. The
information can be obtained from existing organizational documentation, such as the mission
impact analysis report, business impact analysis report or asset criticality assessment report.
The adverse impact of a security event can be described in
terms of loss or degradation of any or all of the three security goals: confidentiality, integrity and
availability.
Question No: 22 (Marks: 2) What are the physical threats to an information system?
Answer: Physical threats
Physical threats are risks of physical damage that render the computer hardware useless, caused by natural
disasters (fire, earthquake, flood), pollution such as dust, and energy variations.
Reasonable measures should be taken to avoid undesirable consequences.
Question No: 23 (Marks: 2) List any two types of information that can be used as input
for vulnerability identification. The following information is used as input:
1. Any audit comments
2. Security requirements
Question No: 24 (Marks: 2) List the different types of supply chain.
Types of Supply Chains
Supply chains may exist in various forms depending on the needs of the business:
1. Made to stock
2. Continuous replenishment
3. Built to order
Question No: 25 (Marks: 3) What do you know about keystroke monitoring?
Answer: A record of every keystroke is often called keystroke monitoring. Keystroke
monitoring is the process used to view or record both the keystrokes entered by a computer user
and the computer's response during an interactive session. Keystroke monitoring is usually
considered a special case of audit trails.
Question No: 26 (Marks: 3) Identify the roles and responsibilities of any three
professionals in an organization.
Answer:
1. Data owners – responsible for determining the sensitivity or classification levels of the
data as well as maintaining the accuracy and integrity of the data resident on the information system.
2. Process owners – responsible for ensuring that appropriate security, consistent with the
organization's security policy, is embedded in their information systems.
3. Technology providers – responsible for assisting with the implementation of information
security.
Question No: 27 (Marks: 5) Classify E-Commerce into different classes.
The most prevalent E-Commerce models can be classified as under:
1. Business to Consumer (B2C)
2. Business to Business (B2B)
3. Business to Employee (B2E)
4. Consumer to Consumer (C2C)
5. E-Government
• Government to Citizens/Customers (G2C)
• Government to Business (G2B)
• Government to Government (G2G)
Question No: 28 (Marks: 5) How is risk management incorporated into the SDLC? Identify its phases.
For each phase of the SDLC the process of risk management is no different; rather it is an iterative
process which can be performed at each major phase. Every step of development has its own
risks which need to be handled and addressed separately. Hence managing risk in the SDLC means
managing the risk of each phase of the life cycle.
Phases of Risk Management
The following are the phases of risk management that are repeated in each SDLC phase:
• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendation
• Results documentation
• Implementation
• Monitoring
Question No: 29 (Marks: 2) What do you understand by OLAP?
Online Analytical Processing (OLAP) is decision support software that allows the user to quickly analyze
information that has been summarized into multidimensional views and hierarchies. The term
online refers to the interactive querying facility provided to the user to minimize response time.
Question No: 30 (Marks: 2) How are threats identified?
Threats can be identified on the basis of the nature of the threat, which can be either accidental (natural
occurrences, force majeure) or deliberate (an intentional act of harm), or on the basis of the source of the threat,
which can be either internal (a threat caused within the organization) or external (a threat from
someone outside the organization).
Question No: 31 (Marks: 2) List the inputs to the risk determination phase.
• Likelihood of threat exploitation
• Magnitude of impact
• Adequacy of planned and current controls
Question No: 32 (Marks: 2) Identify the components of an intrusion detection system.
• Sensors, which are responsible for collecting data. The data can be in the form of network
packets, log files, system call traces, etc.
• Analyzers, which receive input from the sensors and determine whether activity is intrusive.
• An administrative console, which contains the intrusion definitions applied
by the analyzers.
• A user interface.
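The four components above wired together as an added example (not code from the original notes): a sensor that parses constructed auth-log lines into events, an administrative console holding two intrusion definitions, an analyzer that applies them, and a user interface that formats the alerts. The log line format, the thresholds (five failures within 60 seconds; a success after three or more failures) and the addresses are assumptions made for illustration; the addresses are from the RFC 5737 documentation ranges.

```python
"""Added example: a miniature log-based IDS showing sensor, analyzer,
administrative console and user interface. Log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the format is invented for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:05 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:09 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:12 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:15 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:20 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:05:00 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:05:30 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T10:06:00 kernel: unrelated message the sensor cannot parse
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<ip>\S+)$")


# --- Sensor: collects raw data and normalises it into events -------------------
def sensor(raw_text):
    events = []
    for line in raw_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # lines the sensor does not understand are dropped
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


# --- Administrative console: the intrusion definitions the analyzer applies ----
CONSOLE_RULES = {
    "brute_force": {"max_failures": 5, "window_seconds": 60},   # assumed thresholds
    "success_after_failures": {"min_prior_failures": 3},
}


# --- Analyzer: applies the definitions to the event stream ---------------------
def analyzer(events, rules=CONSOLE_RULES):
    bf, saf = rules["brute_force"], rules["success_after_failures"]
    failures = defaultdict(list)  # source ip -> timestamps of recent failed logins
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # keep only the failures inside the sliding window for this source
        recent = [t for t in failures[ev["ip"]]
                  if (ev["ts"] - t).total_seconds() <= bf["window_seconds"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= bf["max_failures"] and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"]))
        elif len(recent) >= saf["min_prior_failures"]:
            # a success right after a burst of failures: likely a guessed password
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
        failures[ev["ip"]] = recent
    return alerts


# --- User interface: presents the alerts to the operator -----------------------
def user_interface(alerts):
    return [f"ALERT {rule}: source={ip} user={user}" for rule, ip, user in alerts]


def run_ids(raw_text):
    """Sensor -> analyzer over one batch of log data; returns the alert tuples."""
    return analyzer(sensor(raw_text))


if __name__ == "__main__":
    for line in user_interface(run_ids(SAMPLE_LOG)):
        print(line)
```

On the sample data the analyzer raises one brute-force alert for 203.0.113.7 on its fifth failure and a second alert when the same source then succeeds as admin; alice's single failure followed by a success stays below both thresholds. Separating the rules from the analyzer is what lets an operator tune thresholds from the console without touching detection code.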
Question No: 33 (Marks: 3)
What are the challenges to organizations in launching E-commerce? Identify any three.
Security is the biggest challenge in launching e-commerce; there is a consensus that the issue
of computer and data security is the biggest hurdle to the growth of e-commerce, and web servers
also face this security threat. Other problems in launching an e-commerce business are a lack
of trust among customers, cultural and language problems, and the
lengthy procedure of payment and receipt of products or services.
Question No: 34 (Marks: 3)
Designing the file or database is a major component of system design. Identify its basic
purposes.
Designing the file or database has the following purposes:
1. Data accessibility is ensured to the user as and when it is required.
2. Data updates in the master file automatically keep the data posted throughout the whole system.
3. Data is efficiently processed and stored.
4. Data reliability, that is the correctness of the data, is ensured.
Question No: 35 (Marks: 3) What is the responsibility of the management of the
organization in ensuring the security of information systems?
Executive or senior management takes the responsibility of providing a safe and secure information
system environment to their employees and to the users of the information system. Because of this, employees
feel no harm or fear and can easily do their work with the organization's secure information
system.
Question No: 36 (Marks: 3)
Discuss the various steps in threat identification. Give an example of threat sources and
threat actions.
The following are the steps in threat identification:
1. Threat source identification
2. Identification of motivation and threat actions
For example, a hacker (threat source) can break into a system (threat action) and delete or steal personal data or information.
Question No: 37 (Marks: 5) Can you classify E-Commerce into different classes? Identify
any five.
E-Commerce models can be classified as:
1. Business to Business (B2B)
2. Business to Consumer (B2C)
3. Consumer to Consumer (C2C)
4. Business to Employee (B2E)
5. E-Government
Question No: 38 (Marks: 5) How are audit trails a technical mechanism that helps
managers maintain individual accountability?
Audit trails are a technical mechanism for individual accountability: users are identified by the records that are retained,
and they are informed of what their password allows them to do and why it should be kept secure and
confidential. Audit trails also help to reveal variances from normal behaviour which may point to
unauthorized usage of resources.
Audit trails can be used together with access controls to identify and provide information about
users suspected of inappropriate modification of data.
Question No: 39 (Marks: 2)
What is the basic purpose of setting up systems and procedures? Give your own opinion.
Answer: The basic purpose of setting up systems and procedures is to make information available
when it is required.
Question No: 40 (Marks: 2) Define threat and identify its types.
Answer: A threat is an act or event which can cause loss. Threats are of two types: logical threats
and physical threats.
Question No: 42 (Marks: 2) Identify leading ERP software vendors.
Answer:
1. SAP
2. Oracle
3. QAD
4. PeopleSoft
5. Sage
Question No: 43 (Marks: 3) Define risk determination. Identify its inputs and outputs.
Answer: The risk determination phase assesses the risk and the level of risk to the IT system.
The inputs to this phase are:
1. Likelihood of threat exploitation
2. Magnitude of impact
3. Adequacy of planned and current controls
The output is the determination of risk and the associated risk levels.
Question No: 44 (Marks: 3) What are the types of threats?
Answer: There are two types of threats.
1. Physical threats: damage caused to the physical infrastructure of the information
system. For example:
• Fire
• Water
• Intrusion
• Energy variation
• Pollution
• Structural damage
2. Logical threats: damage caused to the information system without any physical
presence. For example:
• Worms and viruses
• Logical intrusion
Question No: 45 (Marks: 3)
Differentiate between incremental and iterative models with the help of one example each.
Answer: Incremental vs. Iterative
These sound similar, and are sometimes equated, but there is a subtle difference:
• Incremental: add to the product at each phase.
• Iterative: re-do the product at each phase.
Example:
Building a house
• Incremental: start with a modest house and keep adding rooms and upgrades to it.
• Iterative: draft the whole design/construction plan, then revise and rebuild it in each pass.
Question No: 46 (Marks: 3)
Identify any six factors that should be considered in order for change to be successful.
Answer:
The following factors should be considered in order for change to be successful:
• What are the implications of, and barriers to, successful implementation?
• What processes will we need to change or introduce?
• Who will feel threatened by the change?
• How do we change people's behaviour?
• How will success be measured, and what value will success
have for the business and the individual?
• Is the proposed change aligned with the strategic plan?
Question No: 47 (Marks: 5)
Define the following:
a) EC (E-commerce)
Electronic commerce (e-commerce or EC) describes the buying, selling and exchanging of
products, services and information via computer networks, primarily the internet. Some people
view the term commerce as describing only transactions conducted between business partners.
b) EB (E-business)
E-business means using the internet and online technologies to create operating efficiencies, and
therefore increase value to the customer. It is internally focused. All e-commerce is part of e-business,
but not all e-business is e-commerce.
Question No: 48 (Marks: 5)
Identify and define the types of active attacks.
Answer: After gathering information about the system through passive attacks, the intruder obtains
unauthorized access to modify data or programs, cause a denial of service, escalate
privileges or access other systems. Active attacks affect the integrity, availability and authentication
attributes of network security.
Types of active attacks
Common forms of active attack include the following:
• Masquerading – carrying out unauthorized activity by impersonating a legitimate
user of the system.
• Piggybacking – intercepting communications between the operating system and the
user and modifying them or substituting new messages.
• Spoofing – the penetrator fools users into thinking they are interacting with the operating
system; he duplicates the logon procedure and captures the password.
• Backdoors/trapdoors – allow a user to employ the facilities of the operating system without
being subject to the normal controls.
• Trojan horse – users execute a program written by the penetrator; the program undertakes
unauthorized activities, e.g. taking a copy of sensitive data.
Question No: 49 (Marks: 2)
What are the information requirements of the service sector?
Answer:
Information requirements of the service sector:
• Quality of service provided
• Mode of delivery
• Customer satisfaction
• Time scheduling
• Resource management
Question No: 50 (Marks: 2)
Define Business Continuity Planning (BCP).
Answer: Business Continuity Planning (BCP) is a methodology used to create a plan for how an
organization will resume partially or completely interrupted critical functions within a
predetermined time after a disaster or disruption.
Question No: 51 (Marks: 2)
Identify different types of information assets.
1. Security policy
2. Security program
Question No: 53 (Marks: 3)
What information is needed to begin an impact analysis?
Answer: Before beginning the impact analysis it is necessary to obtain the following
information:
• System mission
• System and data criticality
• System and data sensitivity
Question No: 54 (Marks: 3) Define active attacks.
Answer: Active attacks include obtaining unauthorized access to modify data or programs,
causing a denial of service, escalating privileges and accessing other systems. They affect the
integrity, availability and authentication attributes of network security.
Question No: 55 (Marks: 3)
Why does the accounting information system (AIS) need to be linked with all other
information systems in an organization?
Answer: The accounting information system (AIS) is linked to all the information systems in an
organization. This is important because the data required for proper bookkeeping and the generation
of transactional reports is extracted from all over the organization. For instance, sales information
can be obtained only from the marketing information system, and stock information is available in the
manufacturing information system.
Question No: 57 (Marks: 5)
What do you understand by privacy? How can privacy be protected? List the threats to
privacy.
Answer:
Privacy means the quality or condition of being secluded from the presence or view of others; the
state of being free from unsanctioned intrusion (a person's right to privacy); the state of being
concealed; secrecy. Privacy is quite a subjective and relative concept.
Protecting privacy
The right to privacy must be balanced against the needs of society. Every society has to
decide where it stands in the gray area between the extremes of hiding all and knowing all. The public's
right to know is often held to be superior to the individual's right to privacy, so the two usually
stand in conflict with each other, and government agencies have their own priorities, e.g. criminal
investigation and undesirable social activities. Various aspects can therefore be seen as a threat to
privacy.
Threats to privacy
• Electronic surveillance
• Data profiling
• Online privacy
• Workplace monitoring
• Location tracking
• Background checks
• Financial privacy
• Medical records and genetic profiling
• Digital rights
• Intellectual property rights
• Taxation issues
Question No: 58 (Marks: 5)
Give any two examples to show that audit trails help to reveal variances from normal
behaviour which may lead to unauthorized usage of resources.
Answer: Audit trails help to reveal variances from normal behaviour which may lead to
unauthorized usage of resources. For example:
• Audit trails can be used together with access controls to identify and provide information about
users suspected of improper modification of data (e.g. introducing
errors into a database).
• An audit trail may record "before" and "after" images, also called snapshots, of records.
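The two points above (and the same points in Question 38) carried through as one added example; this code is not part of the original notes. It keeps an append-only audit trail whose entries hold "before" and "after" images of each record, chains the entries with SHA-256 so that later editing of the trail is detectable, and then cross-references the images with a role table (the access-control side) to pick out users suspected of improper modification. The users, roles, employee records and the rule that only the payroll role may change a salary are constructed assumptions.

```python
"""Added example: hash-chained audit trail with before/after images, queried
together with a role table. Users, roles, records and policy are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) predecessor


class AuditTrail:
    """Append-only trail of changes; each entry holds before/after images of
    the record and the hash of the previous entry, so edits to the trail break the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, user, action, record_id, before, after):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"user": user, "action": action, "record_id": record_id,
                 "before": dict(before), "after": dict(after), "prev_hash": prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry still hashes correctly and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Access-control side (assumed policy): which role may change which field.
ROLES = {"alice": "payroll", "bob": "helpdesk"}
FIELD_OWNER = {"salary": "payroll", "phone": "helpdesk"}


def suspected_improper_modifications(trail):
    """Compare before/after images with the role table and return
    (user, record, field, before, after) for changes the user's role does not permit."""
    suspects = []
    for e in trail.entries:
        for field, new_value in e["after"].items():
            old_value = e["before"].get(field)
            if old_value != new_value and ROLES.get(e["user"]) != FIELD_OWNER.get(field):
                suspects.append((e["user"], e["record_id"], field, old_value, new_value))
    return suspects


def build_sample_trail():
    """Constructed sample activity: two legitimate changes and one that is not."""
    t = AuditTrail()
    t.record("alice", "update", "emp-17", {"salary": 52000, "phone": "555-0100"},
             {"salary": 54000, "phone": "555-0100"})
    t.record("bob", "update", "emp-17", {"salary": 54000, "phone": "555-0100"},
             {"salary": 54000, "phone": "555-0199"})
    t.record("bob", "update", "emp-23", {"salary": 61000, "phone": "555-0123"},
             {"salary": 99000, "phone": "555-0123"})
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("suspects:", suspected_improper_modifications(trail))
    trail.entries[2]["after"]["salary"] = 61000  # an attempt to hide the change in the trail
    print("chain intact after tampering:", trail.verify())
```

The snapshot is what makes the query possible: without the "before" image there is nothing to compare the "after" image against, and without the chain a user with write access to the log could simply rewrite the entry that incriminates them.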
Question No: 59 (Marks: 3) What are hackers?
Answer:
A hacker is a person who attempts to invade the privacy of a system, i.e. who attempts to gain
unauthorized entry to a computer system by circumventing the system's access controls. Hackers
are normally skilled programmers, and have been known to crack system passwords with
ease. Initially hackers aimed simply at copying the desired information from the system,
but now the trend is to corrupt that information.
Question No: 60 (Marks: 1) Define risk mitigation.
Answer: Risk mitigation is a process that takes place after the process of risk assessment has
been completed: the systematic reduction of the extent of exposure to a risk and/or the likelihood of
its occurrence. It is also called risk reduction.
Question No: 61 (Marks: 1) What are value sets?
Answer: Each attribute has a value set (domain), i.e. the defined parameters or the range within which the
value of the attribute may fall.
Question No: 62 (Marks: 2) What are the purposes of objects?
Answer: An object can be defined as "a concept, abstraction, or thing with crisp boundaries and
meaning for the problem at hand. Objects serve two purposes: they promote understanding of the
real world and provide a practical basis for computer implementation."
Question No: 63 (Marks: 1) What is the purpose of the line symbol in an Entity Relationship
Diagram?
Answer: Lines link attributes to entity sets, and entity sets to relationship sets (they also represent roles).
Question No: 64 (Marks: 1) What are the logical threats to information systems?
Answer: Logical threats refer to damage caused to the software and data without any physical presence.
Examples are viruses and worms, and logical intrusion, commonly referred to as hacking.
Question No: 65 (Marks: 2) What is cryptography?
Answer:
In literal terms, cryptography means the science of coded writing. It is a security safeguard that
makes information incomprehensible if unauthorized persons intercept the transmission. When the
information is to be used, it can be decoded. "The conversion of data into a secret code for
secure transmission over a public network is called cryptography."
Question No: 66 (Marks: 2)
What do you understand by Intrusion Detection Systems?
Answer:
Another element in securing networks is an intrusion detection system (IDS). An IDS is used in
combination with firewalls: it works together with routers and firewalls, monitors how the
network is used, and protects a company's information system resources from
external as well as internal misuse.
Question No: 68 (Marks: 2)
Define dropper and Trojan horse.
Answer:
A Trojan horse is a program written by the penetrator and executed by the user. The program
undertakes unauthorized actions, e.g. taking a copy of sensitive data and files.
A dropper is a program, not a virus, that installs a virus on the PC while performing another
function.
Question No: 69 (Marks: 3)
Designing the file or database is a major component of system design. Identify its basic
purposes.
Answer: Purposes of designing the file or database:
• Data is processed efficiently.
• Data is stored carefully.
• Data is kept up to date: when a record is updated in the master file, the master file automatically updates the whole
system.
• Data accessibility is ensured when a customer or user needs data.
• Data integrity is ensured.
Question No: 70 (Marks: 3)
What is the responsibility of the management of the organization in ensuring the security of
information systems?
Answer:
Security must be sponsored by senior management. Management has a
responsibility to ensure that the organization provides a secure information systems
environment for all users and customers. This makes users of the information systems
feel secure and conveys the importance of a secure information environment.
Question No: 71 (Marks: 3)
Identify the information that is required before conducting an impact analysis.
Answer:
Before conducting an impact analysis it is necessary to analyze the mission of
the system, the criticality of the system and its data, and the sensitivity of the system and its data.
Question No: 72 ( M a r k s: 3 ) Define Reengineering.
Answer:
This is also known as company transformation or business transformation. It is the more
fundamental form of change management, since it works on all the elements of processes or
structures that have evolved over time.
Question No: 72 ( M a r k s: 5 )
Briefly discuss Risk Determination.
Answer: Risk Determination:
Risk determination is the phase of analyzing how much the information assets are exposed to
the various threats identified, and thus quantifying the loss caused to the asset through each
threat. This phase relates to the analysis of both physical and logical threats and comprises four
steps, which are usually followed while analyzing the exposure.
The main purpose of this step is to assess the level of risk to the IT system. The determination of
a particular threat can be expressed as a function of
1. The likelihood of a given threat-source's attempting to exercise a given vulnerability.
2. The magnitude of the impact should a threat source successfully exercise a vulnerability.
3. The adequacy of planned or existing security controls for reducing or minimizing risk.
Question No: 73 ( M a r k s: 5 )
Discuss Technical Limitations of Ecommerce in comparison with Non-Technical
Limitations in organizations.
Answer:
The technical and non-technical limitations of e-commerce in organizations are: the higher cost
of the software and technology required; the reliability of certain processes; insufficient
communication, because people do not know about e-commerce; software tools that are not
fixed and used in a regular manner; people not having enough access to the Internet; and the
difficulty of adopting an e-commerce infrastructure in place of existing organizational systems.
Question No: 74 ( M a r k s: 1 )
Give a brief definition of ERP.
Answer: “ERP (enterprise resource planning) is an industry term for the broad set of activities
supported by multi-module application software that helps a manufacturer or other business
manage the important parts of its business, including product planning, parts purchasing,
maintaining inventories, interacting with suppliers, providing customer service, and tracking
orders.”
Question No: 75 ( M a r k s: 1 )
Why is a "risk matrix" necessary?
Answer: A problem when you have a number of possible risks is to decide which ones are
worthy of further attention. The Risk Matrix is a simple tool to help prioritize risks.
Question No: 76 ( M a r k s: 2 )
Define threat and identify its types.
Answer: “A threat is some action or event that can lead to a loss.”
There are 2 types of threats.
1-Physical threat
2-Logical Threat
Question No: 77 ( M a r k s: 2 ) Define Firewall.
Answer: Firewall
Firewall is the primary method for keeping a computer secure from intruders. A firewall allows
or blocks traffic into and out of a private network or the user's computer.
Question No: 78 ( M a r k s: 3 )
In accounting and finance terms, audit is a process which includes an examination of
records or financial accounts to check their accuracy, an adjustment or correction of
accounts, and an examined and verified account. Discuss the concept of Audit in IS.
Answer: An information technology (IT) audit or information systems (IS) audit is an
examination of the controls within an entity's information technology infrastructure. An IS audit
focuses more on examining the integrity of controls and ensuring that they are working
properly. Evaluation of the evidence obtained can establish whether the organization's
information systems safeguard assets, maintain data integrity, and operate effectively and
efficiently to achieve the organization's goals or objectives.
Question No: 79 ( M a r k s: 5 ) Differentiate object from class.
An object is an instance of some class. All objects are instances of some class. Instance also
carries connotations of the class to which the object belongs. For example, computers are the
domain/Class which can be divided into following sub-classes:
• Laptop computer
• Desktop computer
• Palmtop
Question No: 80 ( M a r k s: 1 )
Define Risk Mitigation.
Answer: Risk mitigation is a process that takes place after the process of risk assessment has
been completed. Systematic reduction in the extent of exposure to a risk and/or the likelihood of
its occurrence. Also called risk reduction.
Question No: 81 ( M a r k s: 1 )
Define Risk Mitigation.
Answer: Risk mitigation is a process that takes place after the process of risk assessment has
been completed. Systematic reduction in the extent of exposure to a risk and/or the likelihood of
its occurrence. Also called risk reduction.
Question No: 82 ( M a r k s: 1 ) Identify types of change management.
Answer:
Types of change management:
1- Organizational Development
2- Re-engineering
Question No: 83 ( M a r k s: 2 )
Identify what information is needed before conducting an Impact analysis?
Answer: Before beginning the impact analysis, it is necessary to obtain the following necessary
information.
• System mission
• System and data criticality
• System and data sensitivity
Question No:84 ( M a r k s: 2 )
Why is the process symbol used in flow charts?
Answer:
The process symbol is used to indicate an activity undertaken or an action done.
Question No: 85( M a r k s: 3 )
What are the objective/purposes of the DFDs?
Answer: The purpose of data flow diagrams is to provide a linking bridge between users and
systems developers. Data flow diagrams help users to understand how the system operates.
DFDs also help developers to better understand the system, which helps in avoiding delays in
the proper design, development, etc. of projects.
Question No:86 ( M a r k s: 3 ) What are hackers?
Answer:
A hacker is a person who attempts to invade the privacy of the system. In fact he attempts to gain
unauthorized entry to a computer system by circumventing the system's access controls.
Hackers are normally skilled programmers, and have been known to crack system passwords
with ease.
Question No: 87 ( M a r k s: 1 ) What are the value sets?
Answer: Each attribute has a Value Set (domain) i.e. defined parameters or the range in which
value of the attribute may fall.
Question No: 88( M a r k s: 2 ) What are the purposes of the Objects?
Answer: An object can be defined as “A concept, abstraction, or thing with crisp boundaries and
meaning of the problem at hand. Objects serve two purposes, they promote understanding of the
real world and provide a practical basis for computer implementation.”
Question No:89 ( M a r k s: 2 ) What do you understand by Intrusion Detection Systems?
Answer: An element in securing networks is an intrusion detection system (IDS). An IDS is used to
complement firewalls. An IDS works in conjunction with routers and firewalls by monitoring
network usage anomalies. It protects a company's information systems resources from external
as well as internal misuse.
Question No: 90 ( M a r k s: 3 ) What is the purpose of decision symbol in the flow chart?
Answer:
The symbol is used when a choice can be made between the options available.
Such options are mutually exclusive.
Only one flow line should enter a decision symbol, but two or three flow lines, one for
each possible answer, should leave the decision symbol.
Question No: 91 ( M a r k s: 1 ) Define Risk Mitigation.
Answer: Risk mitigation is a process that takes place after the process of risk assessment has
been completed.
Question No: 92 ( M a r k s: 1 ) Identify types of change management.
Answer:
Types of change management:
1- Organizational Development
2- Reengineering
Question No: 93 ( M a r k s: 2 ) Identify what information is needed before conducting an
Impact analysis?
Answer: Before beginning the impact analysis, it is necessary to obtain the following
necessary information.
• System mission
• System and data criticality
• System and data sensitivity
Question No: 94 ( M a r k s: 2 ) Why is the process symbol used in flow charts?
Answer:
The process symbol is used to indicate an activity undertaken or an action done.
Question No: 95 ( M a r k s: 3 ) What are the objective/purposes of the DFDs?
Answer: The purpose of data flow diagrams is to provide a linking bridge between users and
systems developers. Data flow diagrams help users to understand how the system operates.
DFDs also help developers to better understand the system, which helps in avoiding delays in
the proper design, development, etc. of projects.
Question No: 96 ( M a r k s: 3 ) What are hackers?
Answer:
A hacker is a person who attempts to invade the privacy of the system. In fact he attempts to gain
unauthorized entry to a computer system by circumventing the system's access controls.
Hackers are normally skilled programmers, and have been known to crack system passwords
with ease.
Question No: 97 ( M a r k s: 2 ) What is an entity?
Answer: An entity is an object that exists and is distinguishable from other objects. An entity is
described using a set of attributes. For example specific person, company, event, plant, crop,
department, section, cost center.
Question No: 98 ( M a r k s: 2 ) Define CRM.
Answer: CRM uses proven methodologies and e-business technologies to help companies to
identify, select, acquire, develop, and retain profitable customers, building the lasting
relationships that are key to long-term financial success.
Question No: 99( M a r k s: 3 ) Identify basic steps to implement BPR.
Answer: The following steps should be followed to implement BPR.
• Break down the CSFs into the key or critical business processes and gain
process ownership.
• Break down the critical processes into sub-processes, activities and tasks, and
form the teams around these.
• Re-design, monitor and adjust the process alignment in response to difficulties
in the change process.
Question No: 100 ( M a r k s: 3 )
Define Risk Determination. Identify its inputs and outputs.
Answer: This phase relates to analyzing how much the information assets are exposed to the various
threats identified and thus quantifying the loss caused to the asset through each threat.
The inputs to this phase are
1. Likelihood of threat exploitation
2. Magnitude of impact
3. Adequacy of planned and current controls
The output is the determination of risk and associated risk levels.
Risk Determination
The purpose of this step is to assess the level of risk to the IT system. The determination of a
particular threat can be expressed as a function of
1. The likelihood of a given threat-source's attempting to exercise a given vulnerability
(system flaw)
2. The magnitude of the impact should a threat source successfully exercise a vulnerability
3. The adequacy of planned or existing security controls for reducing or eliminating risk.
This phase also presumes the definition of risk levels in order to classify the risks. This is more
of a discretionary act on the part of management. Levels can be defined as high, medium and
low by allocating various probability ranges. Risk levels are defined so that they can be compared
with the ranges of impact.
Question No: 102 ( M a r k s: 3 ) Differentiate CRM from ERP
Answer: The difference between CRM and ERP is that the former is outward-looking, while the
latter is inward-looking.
Question No: 102 ( M a r k s: 5 ) How is the likelihood determined? Enlist the factors.
Likelihood Determination
This phase determines the probability that a potential vulnerability could be exercised by a given
threat-source. The following table helps to define and understand the likelihood definitions. The
inputs to this phase are
• Threat source motivation
• Threat capacity
• Nature of vulnerability
• Current controls
The output of this phase is a likelihood rating to be used further in the risk assessment process.
Impact Analysis
This phase determines the adverse impact resulting from a successful exercise of a vulnerability
by a threat. The following information is required before conducting an impact analysis.
1. System mission, e.g. the processes performed by the IT system.
2. System and data criticality, e.g. the system's value or importance to the organization.
3. System and data sensitivity.
Question No:103 ( M a r k s: 10 ) How will you compare Integrated Systems to ERP?
Integrating systems
Let's take a look at what an integrated information system looks like. As seen in the above picture,
all systems are interfaced with one another, and input in one system automatically updates the
data in the other relevant systems. We thus observe simultaneous data sharing between various
systems and simultaneous execution of different business processes. For example, a confirmed
sales order received by the sales department from the customer will, once entered into the sales
system, automatically provide data input to the stores, packing, shipping and possibly the production
systems, thus ensuring that all relevant departments are notified and ready for necessary action
simultaneously.
Question No: 104 ( M a r k s: 1 ) What indicates the symbol Arrow in the flow charts?
Answer: Arrow in a flow chart shows the direction of flow of procedure or system.
Question No: 105 ( M a r k s: 1 ) Define Unfreezing class of Change.
Answer: In this phase of change management, a situation for next phase is prepared by
disconfirming existent attitudes and behaviors.
Question No:106 ( M a r k s: 2 ) What are the physical threats to the information systems?
Answer: This refers to the damage caused to the physical infrastructure of the information
systems. Examples are natural disasters (fire, earthquake, flood), pollution, energy variations
and physical intrusion.
Question No: 107 ( M a r k s: 2 ) What is cryptography?
Answer: In literal terms, cryptography means science of coded writing. It is a security safeguard
to render information unintelligible if unauthorized individuals intercept the transmission. When
the information is to be used, it can be decoded. “The conversion of data into a secret code for
the secure transmission over a public network is called cryptography.”
Question No: 108 ( M a r k s: 3 ) What is off-page connector?
Answer: If the flowchart becomes complex, it is better to use connector symbols to reduce the
number of flow lines. The off-page connector is used to connect remote flowchart portions on
different pages. One flow line enters or exits it.
Question No: 109 ( M a r k s: 3 ) What is access control? Give example
Answer: These controls establish the interface between the would-be user of the computer
system and the computer itself. These controls monitor the initial handshaking procedure of the
user with the operating system. For example when a customer enters the card and the pin code in
an automatic teller machine (ATM), the access controls are exercised by the system to block
unwanted or illegitimate access.
Question No: 110 ( M a r k s: 3 ) List any three ethical challenges given by the IS security
association of USA.
Ethical Challenges
The Information Systems Security Association of USA has listed the following ethical challenges:
1. Misrepresentation of certifications, skills
2. Abuse of privileges
3. Inappropriate monitoring
4. Withholding information
5. Divulging information inappropriately
6. Overstating issues
7. Conflicts of interest
8. Management / employee / client issues
Question No: 111( M a r k s: 5 ) Differentiate the following (Intrusion Detection vs Variance
Detection).
Intrusion detection
Intrusion detection refers to the process of identifying attempts to penetrate a system and gain
unauthorized access. If audit trails have been designed and implemented to record appropriate
information, they can assist in intrusion detection. An intrusion detection system can be made part
of the regular security system to detect intrusion effectively. Real-time intrusion detection is
technical and complex to achieve, but a reasonable extent can be attained. Real-time intrusion
detection is primarily aimed at outsiders attempting to gain unauthorized access to the system.
Variance detection and audit trails
Trend/variance-detection tools look for anomalies in user or system behavior. It is possible to
monitor usage trends and detect major variations. The log can be inspected and analyzed to detect
the irregularity. For example, if a user typically logs in at 9 a.m., but appears at 4:30 a.m. one
morning, this may indicate either a security problem or a malfunctioning system clock that
needs to be investigated. The log can be sorted/filtered for all logins before 9 a.m. from
that particular terminal.
Question No: 112 ( M a r k s: 5 ) What are the sources of critical success factor?
Critical Success Factors have to be analyzed and established. CSFs may be developed from
various sources.
Generally the four major sources of identifying CSFs are
• Industry CSFs, resulting from specific industry characteristics;
• CSFs resulting from the chosen competitive strategy of the business, e.g. quick and timely delivery may be critical to a courier service business;
• Environmental CSFs, resulting from economic or technological changes; and
• Temporal CSFs, resulting from internal organizational needs and changes.
Question No: 113 ( M a r k s: 10 ) What is reusable software?
Reusable Software – The software developed using object oriented approach can be easily reused due to independence/uniqueness of the objects i.e. an independent accounting module built in object oriented environment can be made a part of a complete ERP solution without developing it again from scratch for ERP.
Question No:114 ( M a r k s: 10 )
Discuss System Characterization. What information may help to characterize the system?
System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. The
resources and information that constitute the system are identified. The system-related
information is documented, which includes:
1. Hardware
2. Software
3. System Interface
4. Data & Information
5. People (Who support and use IT)
6. Systems Mission (Processes performed by IT system)
Additional information that may help in characterizing the system are:
1. Functional requirements of IT system
2. Users of system (technical support and application users)
3. System Security Policy
4. System Security Architecture
Question No: 115 ( M a r k s: 2 )
What should be the basic objective of an organization in your opinion?
The basic objective of an organization is to make a profit and gain a sustainable competency.
Question No: 116 ( M a r k s: 2 ) Define intrusion detection.
Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. An intrusion detection system can be made part of the regular security system to detect intrusion effectively. Real-time intrusion detection is technical and complex to achieve, but a reasonable extent can be attained. Real-time intrusion detection is primarily aimed at outsiders attempting to gain unauthorized access to the system.
Types of Viruses
Although viruses are of many types, broad categories have been identified according to the
damage they cause. Some of these categories are stated below:
• Boot Sector Viruses
• Overwriting viruses
• Dropper
• Trojans
Boot sector Virus
The boot sector is part of computer which helps it to start up. If the boot sector is infected, the
virus can be transferred to the operating system and application software.
Overwriting Viruses
As the name implies, it overwrites every program/software/file it infects with itself. Hence the
infected file no longer functions.
Dropper
A dropper is a program not a virus. It installs a virus on the PC while performing another function.
Trojan horse
A Trojan horse is a malicious program that is disguised as or embedded within legitimate software.
They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are
actually harmful when executed. Examples are
• Logic bomb – a Trojan horse that is triggered on a certain event, e.g. when disk clean-up reaches a
certain percentage
• Time bomb – a Trojan horse that is triggered on a certain date.
Possible perpetrators include:
• Hackers
• Hacktivists
• Crackers
Hackers
A hacker is a person who attempts to invade the privacy of the system. In fact he attempts to gain
unauthorized entry to a computer system by circumventing the system's access controls. Hackers
are normally skilled programmers, and have been known to crack system passwords with
ease. Initially hackers used to aim at simply copying the desired information from the system, but
now the trend has been to corrupt the desired information.
Hacktivists
This refers to individuals using their skills to forward a political agenda, possibly breaking the law
in the process, but justifying their actions for political reasons.
Crackers
There are hackers who are more malicious in nature whose primary purpose or intent is to commit
a crime through their actions for some level of personal gain or satisfaction. The terms hack and
crack are often used interchangeably.
It is very common for hackers to misuse passwords and personal identification numbers in order to
gain unauthorized access.
Passwords
“Password is the secret character string that is required to log onto a computer system, thus
preventing unauthorized persons from obtaining access to the computer. Computer users may
password-protect their files in some systems.”
Misuse of passwords
A very simple form of hacking occurs when the password of the terminal used by a particular
employee is exposed or becomes commonly known. In such a situation, access to the entire
information system can be made through that terminal by using the password. The extent of
access available to an intruder in this case depends on the privilege rights available to that user.
Question No: 34 ( M a r k s: 2 )
What is the use of Default keyword in switch structure?
Question No: 36 ( M a r k s: 3 )
Where is a "While" loop more preferable than a "For" loop and vice versa? Explain with the help of
an example.
Answer:
The golden rule in iteration: everything done with a for loop can be done with a while loop, BUT
not all while loops can be implemented with a for loop.
For loops are just a short-cut way of writing a while loop that has an initialization statement, a
control statement (when to stop), and an iteration statement (what to do with the controlling factor
after each iteration).
CS507 - Information Systems - Q.No. 117 Where is a "While" loop more preferable than a "For" loop and vice versa?
The golden rule in iteration: everything done with a for loop can be done with a while loop, BUT not all while loops can be implemented with a for loop. For loops are just a short-cut way of writing a while loop that has an initialization statement, a control statement (when to stop), and an iteration statement (what to do with the controlling factor after each iteration).
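The rule above can be seen in code. This is an added example, not part of the CS507 notes: a for loop suits a record layout whose iteration count is known before the loop starts, while a while loop is needed when each record decides how far to advance (a length-prefixed layout), which is also where a bounds check matters. The byte strings in the demo are constructed.

```python
"""For vs while (added example, not from the CS507 notes): the for loop
handles an iteration count known up front, the while loop handles a stop
condition that only emerges from the data being processed."""
from typing import List


def fixed_width_records(buf: bytes, width: int) -> List[bytes]:
    """The number of iterations is known before the loop starts, so a for
    loop over range() is the natural form: init, stop test and step in one line."""
    if width <= 0:
        raise ValueError("width must be positive")
    records = []
    for start in range(0, len(buf), width):
        records.append(buf[start:start + width])
    return records


def length_prefixed_records(buf: bytes) -> List[bytes]:
    """Each record announces its own length, so how far to advance is only
    known after reading the record: a while loop with a data-dependent step."""
    records = []
    pos = 0
    while pos < len(buf):
        length = buf[pos]
        pos += 1
        if pos + length > len(buf):          # bounds check before slicing
            raise ValueError(f"record at offset {pos - 1} is truncated")
        records.append(buf[pos:pos + length])
        pos += length
    return records


def for_loop_as_while(values: List[int]) -> int:
    """`for v in values: total += v` spelled out as the while loop it
    abbreviates: initialise, test, act, step."""
    total = 0
    i = 0                       # initialisation statement
    while i < len(values):      # control statement: when to stop
        total += values[i]      # loop body
        i += 1                  # iteration statement
    return total


if __name__ == "__main__":
    print(fixed_width_records(b"abcdefgh", 4))                 # constructed input
    print(length_prefixed_records(b"\x03abc\x01z\x00"))         # constructed input
    print(for_loop_as_while([1, 2, 3]))
```

The truncation check in `length_prefixed_records` is the kind of condition a for loop cannot express cleanly, because the loop's own progress depends on bytes it has just read.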
What are the different types of viruses?
Types of Viruses
Although viruses are of many types, broad categories have been identified according to the damage they cause. Some of these categories are stated below:
• Boot Sector Viruses
• Overwriting viruses
• Dropper
• Trojans
Boot sector Virus
The boot sector is part of computer which helps it to start up. If the boot sector is infected, the virus can be transferred to the operating system and application software.
Overwriting Viruses
As the name implies, it overwrites every program/software/file it infects with itself. Hence the infected file no longer functions.
Dropper
A dropper is a program not a virus. It installs a virus on the PC while performing another function.
Trojan horse
A Trojan horse is a malicious program that is disguised as or embedded within legitimate software. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Examples are
• Logic bomb – a Trojan horse that is triggered on a certain event, e.g. when disk clean-up reaches a certain percentage
• Time bomb – a Trojan horse that is triggered on a certain date.
Possible perpetrators include:
CS507 - Information Systems - Q.No. 118 ( M - 1 ) What indicates the symbol Arrow in the flow charts?
Answer: Arrow in a flow chart shows the direction of flow of procedure or system.
CS507 - Information Systems - Q.No. 119 ( M - 1 )
Define Unfreezing class of Change.
Answer: In this phase of change management, a situation for next phase is prepared by disconfirming existent attitudes and behaviors.
CS507 - Information Systems - Q.No. 120 ( M - 2 )
What are the physical threats to the information systems?
Answer: This refers to the damage caused to the physical infrastructure of the information systems. Examples are natural disasters (fire, earthquake, flood), pollution, energy variations and physical intrusion.
CS507 - Information Systems - Q.No. 121 ( M - 2 )
What is cryptography?
Answer: In literal terms, cryptography means science of coded writing. It is a security safeguard to render information unintelligible if unauthorized individuals intercept the transmission. When the information is to be used, it can be decoded. “The conversion of data into a secret code for the secure transmission over a public network is called cryptography.”
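The definition in Q107 and Q121 (conversion of data into a secret code that can be decoded when needed) can be shown with the simplest correct cipher, a one-time pad. This is an added example and not part of the CS507 notes; the message and the short fixed key used in the test are constructed.

```python
"""One-time pad as the simplest illustration of rendering data unintelligible
and decoding it again (added example, not from the CS507 notes)."""
import secrets


def generate_key(length: int) -> bytes:
    """A fresh random key at least as long as the message; never reuse it."""
    return secrets.token_bytes(length)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each data byte with the corresponding key byte."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Render the plaintext unintelligible to anyone without the key."""
    return xor_bytes(plaintext, key)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decoding is the same operation with the same key."""
    return xor_bytes(ciphertext, key)


def demo() -> dict:
    """Round trip on a constructed message; a different key yields only noise."""
    message = b"Transfer approved: account 1234"   # constructed sample
    key = generate_key(len(message))
    ciphertext = encrypt(message, key)
    return {
        "message": message,
        "ciphertext": ciphertext,
        "recovered": decrypt(ciphertext, key),
        "with_wrong_key": decrypt(ciphertext, generate_key(len(message))),
    }


if __name__ == "__main__":
    result = demo()
    print("ciphertext:", result["ciphertext"].hex())
    print("recovered: ", result["recovered"])
    print("wrong key: ", result["with_wrong_key"])
```

The pad is only secure when the key is truly random, as long as the message, kept secret and used exactly once; practical systems use a vetted library cipher such as AES-GCM instead, but the encode/decode relationship the notes describe is the same.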
CS507 - Information Systems - Q.No. 122 ( M - 3 ) What is off-page connector?
Answer: If the flowchart becomes complex, it is better to use connector symbols to reduce the number of flow lines. Off-Page Connector is used to connect remote flowchart portion on different pages.
CS507 - Information Systems - Q.No. 123 ( M - 3 )What is access control? Give example
Answer: These controls establish the interface between the would-be user of the computer system and the computer itself. These controls monitor the initial handshaking procedure of the user with the operating system.
For example when a customer enters the card and the pin code in an automatic teller machine (ATM), the access controls are exercised by the system to block unwanted or illegitimate access.
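The ATM handshake in Q109 and Q123 can be modelled as a small access-control component. This is an added example, not code from the CS507 notes: the card number, PIN and lockout threshold are constructed, and the PIN is stored as a salted PBKDF2 hash so the stored record does not reveal it.

```python
"""Access-control handshake modelled on the ATM example (added illustration,
not from the CS507 notes).  Card numbers and PINs below are constructed."""
import hashlib
import hmac
import secrets


class AccessController:
    """Checks a card/PIN pair and locks the card after repeated failures."""
    MAX_ATTEMPTS = 3       # assumed lockout threshold
    ITERATIONS = 50_000    # PBKDF2 work factor (assumed value)

    def __init__(self) -> None:
        self._accounts = {}   # card_id -> (salt, derived PIN)
        self._failures = {}   # card_id -> consecutive failed attempts
        self._locked = set()

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, AccessController.ITERATIONS)

    def enroll(self, card_id: str, pin: str) -> None:
        """Store a salted hash of the PIN, never the PIN itself."""
        salt = secrets.token_bytes(16)
        self._accounts[card_id] = (salt, self._derive(pin, salt))
        self._failures[card_id] = 0

    def authenticate(self, card_id: str, pin: str) -> str:
        """The initial handshake: returns 'granted', 'denied' or 'locked'."""
        if card_id in self._locked:
            return "locked"
        record = self._accounts.get(card_id)
        if record is None:
            return "denied"   # unknown card gets the same answer as a wrong PIN
        salt, expected = record
        if hmac.compare_digest(self._derive(pin, salt), expected):
            self._failures[card_id] = 0
            return "granted"
        self._failures[card_id] += 1
        if self._failures[card_id] >= self.MAX_ATTEMPTS:
            self._locked.add(card_id)   # block further guessing on this card
            return "locked"
        return "denied"

    def is_locked(self, card_id: str) -> bool:
        return card_id in self._locked


def demo_session() -> list:
    """A constructed sequence of PIN entries against one enrolled card."""
    atm = AccessController()
    atm.enroll("4000-0000-0000-0002", "4821")
    attempts = ("1111", "4821", "0000", "9999", "1234", "4821")
    return [atm.authenticate("4000-0000-0000-0002", p) for p in attempts]


if __name__ == "__main__":
    print(demo_session())
```

Hashing does not make a four-digit PIN hard to guess; the lockout counter is the control that actually blocks illegitimate access here, and `hmac.compare_digest` keeps the comparison time independent of how many bytes matched.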
CS507 - Information Systems - Q.No.124 ( M - 3 ) List the Supply Chain Flows.
CS507 - Information Systems - Q.No. 125 ( M - 5 )
How the scanners are used as the technical control against the spread of viruses?
Scanners
They scan the operating system and application software for any virus, based on the virus definitions they contain. Every virus has a different bit pattern. These unique bit patterns act as an identity for the virus and are called signatures. These signatures are available in virus definitions. Every scanner contains certain virus definitions, which in fact are signatures (bit patterns) for various kinds of virus.
The scanner checks or scans the operating system and other application software installed on the hard drives. While scanning, it checks the bit patterns in all software against the bit patterns contained in the scanner's virus definitions. If a match is found, the software is labelled as a virus.
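The matching the passage describes, as an added example that is not part of the CS507 notes. Every signature and every sample file is constructed for the illustration (none is a real malware pattern); the scanner reads data in chunks and carries the tail of each chunk forward so a signature straddling a chunk boundary is still found.

```python
"""Signature-based scanner (added illustration, not from the CS507 notes).
A 'virus definition' is a name plus the hex-encoded bit pattern that
identifies it.  All definitions and files here are constructed."""
import hashlib
from typing import Dict, List

# Constructed virus definitions: name -> hex signature (bit pattern).
VIRUS_DEFINITIONS = {
    "Test.Overwriter.A": "deadbeef0bad",
    "Test.Dropper.B": "cafebabe1234",
}

# Constructed 'files' standing in for the software on the hard drive.
SAMPLE_FILES = {
    "payroll.exe": b"MZ" + b"\x90" * 20 + bytes.fromhex("deadbeef0bad") + b"\x00" * 10,
    "notes.txt": b"Quarterly figures are attached.\n",
    "update.bin": b"\x7fELF" + b"\x00" * 5 + bytes.fromhex("cafebabe1234"),
}


def load_signatures(definitions: Dict[str, str]) -> Dict[str, bytes]:
    """Decode the definitions into raw byte patterns."""
    return {name: bytes.fromhex(pattern) for name, pattern in definitions.items()}


def scan_bytes(data: bytes, signatures: Dict[str, bytes], chunk_size: int = 4096) -> List[str]:
    """Scan data chunk by chunk, carrying over len(signature)-1 bytes so a
    pattern that straddles a chunk boundary is still matched."""
    longest = max(len(s) for s in signatures.values())
    found = set()
    carry = b""
    for offset in range(0, len(data), chunk_size):
        window = carry + data[offset:offset + chunk_size]
        for name, sig in signatures.items():
            if sig in window:
                found.add(name)
        carry = window[-(longest - 1):] if longest > 1 else b""
    return sorted(found)


def scan_files(files: Dict[str, bytes], definitions: Dict[str, str] = VIRUS_DEFINITIONS,
               chunk_size: int = 4096) -> Dict[str, dict]:
    """Scan every file; the hash is recorded so the report can be audited later."""
    signatures = load_signatures(definitions)
    report = {}
    for name, data in files.items():
        report[name] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "matches": scan_bytes(data, signatures, chunk_size),
        }
    return report


if __name__ == "__main__":
    for name, result in scan_files(SAMPLE_FILES).items():
        status = "INFECTED " + ", ".join(result["matches"]) if result["matches"] else "clean"
        print(f"{name:12} {status}")
```

Because the comparison is an exact byte match, the scanner only recognises patterns already in its definitions, which is why the definitions must be kept up to date.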
CS507 - Information Systems - Q.No. 126( M - 5 )
Can you classify E-Commerce into different classes? Identify any five.
E-Commerce models can be classified as
Business to Business (B2B)
Business to Consumer (B2C)
Consumer to Consumer (C2C)
Business to Employee (B2E)
E-Government
CS507 - Information Systems - Q.No. 127 ( M - 10 )
What do you understand by Intruder? Classify and discuss intruders according to way they operate.
In physical intrusion, the intruder could physically enter an organization to steal information system assets or carry out sabotage. For example, the intruder might try to remove hard disks. In the case of logical intrusion, the intruder might be trying to gain unauthorized access to the system. The purpose could be damaging or stealing data, installation of a bug, or wire tapping, i.e. spying on communication within the organization.
A person making an intrusion is generally termed as intruder. However, he can be classified according to the way he operates.
Possible perpetrators include:
• Hackers
• Hacktivists
• Crackers
Hackers
A hacker is a person who attempts to invade the privacy of the system. In fact he attempts to gain unauthorized entry to a computer system by circumventing the system's access controls. Hackers are normally skilled programmers, and have been known to crack system passwords with ease. Initially hackers used to aim at simply copying the desired information from the system, but now the trend has been to corrupt the desired information.
Hacktivists
This refers to individuals using their skills to forward a political agenda, possibly breaking the law in the process, but justifying their actions for political reasons.
Crackers
There are hackers who are more malicious in nature whose primary purpose or intent is to commit a crime through their actions for some level of personal gain or satisfaction. The terms hack and crack are often used interchangeably.
CS507 - Information Systems - Q.No. 128 ( M - 10 )
Identify and define different levels of likelihood determination.
Likelihood level
High
The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium
The threat source is motivated and capable but controls are in place that may impede the successful exercise of the vulnerability
Low
The threat source lacks motivation or capability or controls are in place to prevent or at least significantly impede the vulnerability from being exercised
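The three likelihood levels above, combined with the impact magnitude from Q102 and compared through a risk matrix as in Q75, give the risk level that Q72 and Q100 describe. The following is an added example and not part of the CS507 notes: the likelihood rules follow the High/Medium/Low definitions, while the 3x3 risk matrix and the sample scenarios are constructed assumptions (the notes say the level ranges are a management decision).

```python
"""Risk determination with a simple risk matrix (added illustration, not from
the CS507 notes).  The likelihood rules follow the High/Medium/Low definitions;
the matrix and the scenarios are constructed assumptions."""
from dataclasses import dataclass
from typing import List

# Ordinal order of the levels, used only for sorting and comparison.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed risk matrix: (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("High", "High"): "High",     ("High", "Medium"): "Medium",   ("High", "Low"): "Low",
    ("Medium", "High"): "Medium", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Low",       ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}


@dataclass
class ThreatScenario:
    asset: str
    motivated: bool     # threat-source motivation
    capable: bool       # threat-source capability
    controls: str       # "ineffective", "partial" (may impede) or "effective" (prevents)
    impact: str         # magnitude of impact if the vulnerability is exercised


def likelihood(s: ThreatScenario) -> str:
    """Apply the three likelihood definitions."""
    if not (s.motivated and s.capable) or s.controls == "effective":
        return "Low"       # lacks motivation/capability, or controls prevent exploitation
    if s.controls == "partial":
        return "Medium"    # motivated and capable, but controls may impede
    return "High"          # motivated, capable, and controls are ineffective


def risk_level(s: ThreatScenario) -> str:
    """Risk as a function of likelihood (which already reflects control
    adequacy) and magnitude of impact."""
    if s.impact not in LEVELS:
        raise ValueError(f"unknown impact level: {s.impact}")
    return RISK_MATRIX[(likelihood(s), s.impact)]


def prioritize(scenarios: List[ThreatScenario]) -> List[ThreatScenario]:
    """What the risk matrix is for: order the risks worth further attention first."""
    def rank(s: ThreatScenario):
        return (LEVELS[risk_level(s)], LEVELS[likelihood(s)], LEVELS[s.impact])
    return sorted(scenarios, key=rank, reverse=True)


# Constructed sample scenarios.
SAMPLE = [
    ThreatScenario("print server", motivated=False, capable=True, controls="ineffective", impact="High"),
    ThreatScenario("intranet wiki", motivated=True, capable=True, controls="partial", impact="Low"),
    ThreatScenario("customer database", motivated=True, capable=True, controls="ineffective", impact="High"),
    ThreatScenario("HR file share", motivated=True, capable=True, controls="partial", impact="High"),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        print(f"{s.asset:18} likelihood={likelihood(s):6} impact={s.impact:6} risk={risk_level(s)}")
```

The print server scores Low even with High impact because an unmotivated threat source gives Low likelihood; the HR file share lands at Medium because its controls may impede, not prevent, the threat.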
CS507 - Information Systems - Q.No. 129 ( M - 5 )
Discuss Intrusion detection Systems and also explain its components ?
Intrusion Detection Systems (IDS)
Another element in securing networks is an intrusion detection system (IDS). An IDS is used to complement firewalls. An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies. It protects a company's information systems resources from external as well as internal misuse.
Components of an IDS
An IDS comprises the following components:
• Sensors: these are responsible for collecting data. The data can be in the form of network
packets, log files, system call traces, etc.
• Analyzers, which receive input from the sensors and determine intrusive activity.
• An administrative console, which contains the intrusion definitions applied by the analyzers.
• A user interface.
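The four components just listed, carrying out the variance detection described in Q111 (a user who usually logs in around 9 a.m. appearing at 4:30 a.m.), as an added example that is not code from the CS507 notes. The audit-trail lines, user names, terminals and thresholds are all constructed; the sensor parses the log, the console holds the definitions, the analyzer compares each login with the user's median login hour, and the printout stands in for the user interface.

```python
"""IDS pipeline with variance detection (added illustration, not from the
CS507 notes).  Log lines, thresholds and names are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List

# Constructed audit-trail extract (not a real log).  alice normally logs in
# around 9 a.m.; the 04:30 entry is the kind of variance the notes describe.
SAMPLE_LOG = """\
2024-03-04 09:02:11 LOGIN user=alice terminal=T7
2024-03-05 08:57:40 LOGIN user=alice terminal=T7
2024-03-06 09:10:05 LOGIN user=alice terminal=T7
2024-03-07 04:30:12 LOGIN user=alice terminal=T7
2024-03-04 13:05:00 LOGIN user=bob terminal=T2
2024-03-05 13:20:33 LOGIN user=bob terminal=T2
2024-03-06 12:50:19 LOGIN user=bob terminal=T3
2024-03-07 13:01:44 LOGIN user=bob terminal=T2
2024-03-07 17:02:01 LOGOUT user=bob terminal=T2
this line is not in the expected format
"""

# Administrative console: the intrusion definitions the analyzer applies.
CONSOLE_DEFINITIONS = {
    "max_hour_deviation": 3.0,   # hours away from the user's median login hour
    "min_baseline_logins": 3,    # do not judge users with too little history
}

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) user=(\w+) terminal=(\w+)$")


def sensor(raw_log: str) -> List[dict]:
    """Sensor: collect raw data (audit-trail lines) and normalise it into events."""
    events = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the sensor skips lines it cannot parse
        timestamp, action, user, terminal = m.groups()
        events.append({
            "when": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"),
            "action": action, "user": user, "terminal": terminal,
        })
    return events


def login_hour(event: dict) -> float:
    """Time of day as a fractional hour, e.g. 04:30 -> 4.5."""
    return event["when"].hour + event["when"].minute / 60


def baseline(events: List[dict], definitions: dict) -> Dict[str, float]:
    """Typical (median) login hour per user with enough history."""
    hours = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN":
            hours[e["user"]].append(login_hour(e))
    return {u: median(h) for u, h in hours.items()
            if len(h) >= definitions["min_baseline_logins"]}


def analyzer(events: List[dict], definitions: dict = CONSOLE_DEFINITIONS) -> List[dict]:
    """Analyzer: flag logins that deviate from the user's usual hour."""
    usual = baseline(events, definitions)
    alerts = []
    for e in events:
        if e["action"] != "LOGIN" or e["user"] not in usual:
            continue
        deviation = abs(login_hour(e) - usual[e["user"]])
        if deviation > definitions["max_hour_deviation"]:
            alerts.append({
                "user": e["user"], "terminal": e["terminal"],
                "when": e["when"].strftime("%Y-%m-%d %H:%M:%S"),
                "reason": f"login {deviation:.1f}h from usual hour {usual[e['user']]:.1f}",
            })
    return alerts


def logins_before(events: List[dict], hour: float, terminal: str) -> List[dict]:
    """The sort/filter the notes mention: all logins before an hour from one terminal."""
    return [e for e in events
            if e["action"] == "LOGIN" and e["terminal"] == terminal and login_hour(e) < hour]


if __name__ == "__main__":   # user interface: show the analyzer's alerts
    for alert in analyzer(sensor(SAMPLE_LOG)):
        print(alert)
```

An alert here is a prompt to investigate, as the notes say: the same deviation would be produced by a wrong system clock, so the analyst checks the terminal's other logins before treating it as an intrusion.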
CS507 - Information Systems - Q.No. 130 ( M - 5 )
Identify the objective and scope of security?
The concept of security applies to all information. Security relates to the protection of valuable assets against loss, disclosure, or damage. Valuable assets are the data or information recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium. The data or information must be protected against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure.
CS507 - Information Systems - Q.No. 131 ( M - 10 )
How will you differentiate CSF from KPI? Discuss briefly.
CS507 - Information Systems - Q.No. 132 ( M - 10 )
The concept of security applies to all information. Discuss what is the objective and scope of Security? What may be the security issues regarding information and what will be the management responsibility to resolve these issues?
Internet Security Controls
Information systems can be made secure from threats. There is no single control available
to cater for the risk of the vulnerabilities associated with the web (Internet).
Some of the solutions are:
• Firewall Security Systems
• Intrusion Detection Systems
• Encryption
Firewall Security Systems
Every time a corporation connects its internal computer network to the Internet it faces potential danger. Because of the Internet’s openness, every corporate network connected to it is vulnerable to attack. Hackers on the Internet could break into the corporate network and do harm in a number of ways: steal or damage important data, damage individual computers or the entire network, use the corporate computer’s resources, or use the corporate network and resources as a way of posing as a corporate employee. Companies should build firewalls as one means of perimeter security for their networks. Likewise, this same principle holds true for very sensitive or critical systems that need to be protected from untrusted users inside the corporate network.
Firewalls are defined as devices installed at the point where network connections enter a site; they apply rules to control the type of networking traffic flowing in and out. The purpose is to protect the Web server by controlling all traffic between the Internet and the Web server. To be effective, firewalls should allow individuals on the corporate network to access the Internet and, at the same time, stop hackers or others on the Internet from gaining access to the corporate network to cause damage. Generally, most organizations follow one of two philosophies:
• Deny-all philosophy -- access to a given resource is denied unless a user can provide a specific business reason or need for access to the information resource.
• Accept-all philosophy -- everyone is allowed access unless someone can provide a reason for denying access.
System reports may also be generated to see who attempted to attack the system and tried to enter through the firewall from remote locations. Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They should control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate security policy demands. There are many types of firewalls, but most enable an organization to:
• Block access to specified sites on the Internet
• Limit traffic on an organization’s public services segment to relevant addresses
• Prevent certain users from accessing certain servers or services
• Monitor communications between an internal and an external network
• Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion
• Encrypt packets of data that are sent between different physical locations within an organization by creating a VPN over the Internet
The capabilities of some firewalls can be extended so that they also provide protection against viruses and attacks that exploit known operating system vulnerabilities. A server at a remote location is protected by firewalls and IDS, further complemented by an IPS (Intrusion Prevention System) that defines specific ranges of IP addresses that may access the location with defined rights.
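The difference between the two philosophies is entirely in what happens when no rule matches. The following added example (not code from the course material) evaluates constructed rules against constructed packets under both defaults and keeps the log from which the "who was stopped" report can be produced. The rule fields and the `reason` attribute are assumptions chosen to mirror the text's "specific business reason" requirement.

```python
"""Rule evaluation under the deny-all and accept-all philosophies.
Added example with constructed rules and packets; not code from the course material."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src_net: str          # CIDR the source address must fall inside
    dport: Optional[int]  # destination port, or None for any port
    reason: str           # the documented business need behind the rule


# Constructed rule set: only two explicitly justified flows.
RULES: List[Rule] = [
    Rule("allow", "10.0.0.0/8", 443, "staff on the corporate LAN use the HTTPS portal"),
    Rule("allow", "0.0.0.0/0", 80, "public web server must be reachable"),
]


class Firewall:
    """First matching rule wins; the default policy decides everything else."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        if default not in ("allow", "deny"):
            raise ValueError("default policy must be 'allow' or 'deny'")
        self._rules = rules
        self._default = default           # "deny" = deny-all, "allow" = accept-all
        self.log: List[Tuple[Packet, str, str]] = []   # (packet, action, reason)

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        in_net = ip_address(pkt.src) in ip_network(rule.src_net)
        return in_net and (rule.dport is None or rule.dport == pkt.dport)

    def filter(self, pkt: Packet) -> str:
        for rule in self._rules:
            if self._matches(rule, pkt):
                self.log.append((pkt, rule.action, rule.reason))
                return rule.action
        self.log.append((pkt, self._default, "default policy"))
        return self._default

    def denied_sources(self) -> List[str]:
        """The report the text mentions: which sources were stopped at the perimeter."""
        return sorted({pkt.src for pkt, action, _ in self.log if action == "deny"})


def compare_policies(pkt: Packet) -> Tuple[str, str]:
    """Decision for one packet under deny-all and under accept-all, in that order."""
    deny_all = Firewall(RULES, default="deny")
    accept_all = Firewall(RULES, default="allow")
    return deny_all.filter(pkt), accept_all.filter(pkt)


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.0.0.10", 22), Packet("10.1.2.3", "10.0.0.10", 443)):
        print(pkt, "deny-all:", compare_policies(pkt)[0], "accept-all:", compare_policies(pkt)[1])
```

Note that the two philosophies agree on every packet that a rule covers; an SSH attempt from outside to port 22, for which nobody has written a rule, is where they diverge, and under accept-all it simply goes through.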
CS507 - Information Systems - Q.No. 133 ( M - 10 )
What is polymorphism? Define with example.
Polymorphism
The following example will help in understanding the concept in a better manner.
Based on the example given above, the concept can be defined. Polymorphism (derived from
Greek, meaning "having multiple forms") is the characteristic of being able to assign a
different meaning or usage to something in different contexts; specifically, it allows an entity
such as a variable, a method, or an object to have more than one form.
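As an added illustration (written for this page, not the example from the course material, and in Python rather than the C++ or Java the course mentions), one method name, `area()`, takes a different form in each class, and code that only knows the base class still gets the right behaviour:

```python
"""Polymorphism: one call, area(), taking a different form for each kind of shape.
Added example; not the diagram from the course material."""
import math
from abc import ABC, abstractmethod
from typing import Iterable, List


class Shape(ABC):
    @abstractmethod
    def area(self) -> float:
        """Every shape answers the same message, each in its own way."""

    def describe(self) -> str:
        # Written once in the base class, yet behaves differently per subclass
        # because self.area() is resolved at run time against the real object.
        return f"{type(self).__name__} with area {self.area():.2f}"


class Circle(Shape):
    def __init__(self, radius: float) -> None:
        self.radius = radius

    def area(self) -> float:
        return math.pi * self.radius ** 2


class Rectangle(Shape):
    def __init__(self, width: float, height: float) -> None:
        self.width, self.height = width, height

    def area(self) -> float:
        return self.width * self.height


class Square(Rectangle):
    def __init__(self, side: float) -> None:
        super().__init__(side, side)   # inherits area() unchanged


def total_area(shapes: Iterable[Shape]) -> float:
    # The caller never inspects types; each object supplies its own area().
    return sum(shape.area() for shape in shapes)


def describe_all(shapes: Iterable[Shape]) -> List[str]:
    return [shape.describe() for shape in shapes]


if __name__ == "__main__":
    print(describe_all([Circle(1), Rectangle(2, 3), Square(2)]))
```

`total_area` is the point: it is written once against `Shape` and keeps working when a new subclass is added later, which is the "flexibility" the OOD question further down the page refers to.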
CS507 - Information Systems - Q.No. 134 ( M - 3 )
Explain intrusion with example
Intrusion can be either physical or logical. In a physical intrusion, the intruder physically
enters an organization to steal information system assets or carry out sabotage; for example,
the intruder might try to remove hard disks. In a logical intrusion, the intruder tries to gain
unauthorized access to the system. The purpose could be damaging or stealing data, installing
a bug, or wire tapping (spying on communication within the organization).
CS507 - Information Systems - Q.No. 135 ( M - 3 )
Define Active attacks?
Active Attacks: Once enough network information has been gathered, the intruder will launch
an actual attack against a targeted system to either gain complete control over that system or
enough control to cause certain threats to be realized. This may include obtaining unauthorized
access to modify data or programs, causing a denial of service, escalating privileges, accessing
other systems. They affect the integrity, availability and authentication attributes of network
security.
CS507 - Information Systems - Q.No. 136 ( M - 10 )
What do you understand by Crypto systems? Discuss different types of controls.
In literal terms, cryptography means the science of coded writing. It is a security safeguard that
renders information unintelligible if unauthorized individuals intercept the transmission. When the
information is to be used, it can be decoded. “The conversion of data into a secret code for
secure transmission over a public network is called cryptography.”
Encryption & Decryption
Cryptography primarily consists of two basic processes. These processes are explained through a
diagram.
• Encryption – the process of converting data into codes (cryptograms)
• Decryption – the process of decoding the cryptogram to recover the data that was encrypted
CS507 - Information Systems - Q.No. 137 ( M - 10 )
What are the components of the object? Give example
An object is defined as
“an abstraction of something in a problem domain, reflecting the capabilities of the system to
keep information about it, interact with it, or both.” Coad and Yourdon (1990)
An object is any abstraction that models a single concept.
Another Definition of object
“A concept, abstraction, or thing with crisp boundaries and meaning for the problem at hand.
Objects serve two purposes. They promote understanding of the real world and provide a
practical basis for computer implementation.” Rumbaugh et al. (1991)
Components of object
According to Booch, there are three components of an object: objects have state, behavior and
identity.
• Identity: Who is it?
Each object has unique identity.
• Behavior: What can it do?
What an object can do, how it can respond to events and stimuli.
• State: What does it know?
The condition of an object at any moment, affecting how it can behave
Real-world objects share two characteristics: They all have state and behavior.
For example,
• Dogs have state (name, color, breed, hungry) and behavior (barking, fetching, wagging tail).
• Bicycles have state (current gear, current pedal cadence, two wheels, number of gears) and
behavior (braking, accelerating, slowing down, changing gears).
CS507 - Information Systems - Q.No. 138 ( M - 10 )
How can we compute the expected loss? Discuss the occurrence of threats.
Computing Expected Loss
In the fourth step of the exposure analysis, the amount of expected loss is computed through the
following formula:
A = B x C x D
where
1. A = Expected loss
2. B = Chance (in %) of the threat occurring
3. C = Chance (in %) of the threat being successful
4. D = Loss which can occur once the threat is successful
Control Adjustment
This phase involves determining whether any controls can be designed, implemented and operated.
The cost of devising controls should not exceed the expected potential benefit gained and the
potential loss avoided. The controls that could mitigate or eliminate the identified risk,
appropriate to the organization’s operations, are provided. The goal of the recommended
controls is to reduce the level of risk to the IT system and its data to an acceptable level.
Following factors should be considered in recommending controls and alternative solutions to
minimize or eliminate identified risks.
• Effectiveness of recommended options
• Legislation and regulation
• Organizational policy
• Operational Impact
• Safety and reliability
The control recommendations are the results of the risk assessment process and provide input to
the risk mitigation process, during which the recommended procedural and technical security
controls are evaluated, prioritized and implemented. Not all recommended controls can be
implemented; to determine which ones are required and appropriate for a specific organization, a
cost analysis should be conducted for the proposed controls to demonstrate that the costs of
implementing them can be justified by the reduction in the level of risk. In addition, the
operational impact and feasibility of introducing each recommended option should be evaluated
carefully during the risk mitigation process.
The above decision takes into account the following factors:
1. Personal judgment of the situation
2. Any information gained on desired/non-existing controls during the previous phases
3. The demands of users for an ideal control environment
Existing controls should not be totally discarded while adjusting controls. A control can either be
terminated totally, because the threat no longer exists or better controls exist, or be modified for
the better. This phase should consider the security to be cost-effective and integrated.
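The formula and the cost rule from control adjustment fit together naturally: a control is justified when the expected loss it removes is at least its cost. The following added example (constructed figures, not from the course material) computes A = B x C x D for a baseline exposure and for each candidate control, then ranks the controls by that test. The scenario, control names and costs are assumptions made for the example; one control lowers D (the loss if the threat succeeds) and the other lowers C (the chance of success), which is why both avoid the same loss at very different cost.

```python
"""Expected loss A = B x C x D and the cost test used in control adjustment.
Added example with constructed figures; not from the course material."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Exposure:
    threat_pct: float       # B: chance (in %) that the threat occurs
    success_pct: float      # C: chance (in %) that the threat succeeds
    loss_if_success: float  # D: loss (money) once the threat is successful


def expected_loss(exposure: Exposure) -> float:
    """A = B x C x D, with the percentages converted to fractions first."""
    for pct in (exposure.threat_pct, exposure.success_pct):
        if not 0 <= pct <= 100:
            raise ValueError(f"percentage out of range: {pct}")
    return (exposure.threat_pct / 100) * (exposure.success_pct / 100) * exposure.loss_if_success


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float
    after: Exposure   # the exposure figures once the control is operating


def evaluate_control(before: Exposure, option: ControlOption) -> dict:
    """Benefit = loss avoided; the text's rule is that cost must not exceed that benefit."""
    loss_before = expected_loss(before)
    loss_after = expected_loss(option.after)
    avoided = loss_before - loss_after
    return {
        "control": option.name,
        "expected_loss_before": loss_before,
        "expected_loss_after": loss_after,
        "loss_avoided": avoided,
        "net_benefit": avoided - option.annual_cost,
        "justified": option.annual_cost <= avoided,
    }


# Constructed scenario: a ransomware-style outage on a file server.
BASELINE = Exposure(threat_pct=40, success_pct=25, loss_if_success=200_000)
OPTIONS = [
    ControlOption("offline backups", 10_000, Exposure(40, 25, 40_000)),          # cuts D
    ControlOption("phishing-resistant MFA", 25_000, Exposure(40, 5, 200_000)),   # cuts C
]


def rank_controls(before: Exposure = BASELINE, options: List[ControlOption] = OPTIONS) -> List[dict]:
    """Justified controls first, highest net benefit first within each group."""
    results = [evaluate_control(before, o) for o in options]
    return sorted(results, key=lambda r: (not r["justified"], -r["net_benefit"]))


if __name__ == "__main__":
    print(f"baseline expected loss: {expected_loss(BASELINE):,.0f}")
    for r in rank_controls():
        print(f"{r['control']:<24} avoided {r['loss_avoided']:>9,.0f}  net {r['net_benefit']:>9,.0f}  justified={r['justified']}")
```

With these figures the baseline expected loss is 20,000; both controls bring it down to 4,000, so each avoids 16,000, but only the cheaper one passes the cost test. The factors the text lists after the cost rule (legislation, policy, operational impact, safety) are deliberately not in the ranking: they are the qualitative judgment applied on top of it.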
2)- What are the conglomerate organizations?
3)- Feasibility
4)- RAID model
5)- waterfall model
6)- system analyst
7)- Computer Integrated Manufacturing
Computer Integrated Manufacturing (CIM) Goals
CIM has three basic goals
• Simplification of all manufacturing technologies and techniques
• Automation of as many of the manufacturing processes as possible by integration of many
information technologies like
o Flexible Manufacturing Systems – a form of flexible automation in which several machine
tools are linked together by a material-handling system controlled by a central computer. It is
distinguished from an automated production line by its ability to process more than one product
style simultaneously.
o Computer Aided Engineering (CAE) -- the application of computer software in engineering to
analyze the robustness and performance of components, assemblies, products and manufacturing
tools.
o Just in Time (JIT) – a Japanese idea that inventory is manufactured (or acquired) only as
the need for it arises or in time to be sold (or used). A major goal is to cut down on inventory
investment.
• Integration and coordination of all the manufacturing aspects through computer hardware and
software
8)- Define different models of SDLC?
Project lifecycle vs. SDLC
The systems development life cycle is a project management technique that divides complex projects into
smaller, more easily managed segments or phases. Segmenting projects allows managers to verify the
successful completion of project phases before allocating resources to subsequent phases. Although
system development can be seen as a project in itself, the attribute that makes it different from
regular projects is that a project has a definite end, and ongoing maintenance is unlikely to be
included in the scope of a project, whereas it falls within the definition of the SDLC.
9)- Spiral Model.
The spiral model is an iterative approach to system development. The spiral lifecycle model is a
combination of the classic waterfall model and aspects of risk analysis. This model is very
appropriate for large and complex Information Systems. The spiral model emphasizes the need to
go back and reiterate earlier steps a number of times as the project progresses. It's actually a
series of short waterfall cycles, each producing an early prototype representing a part of the
entire project. It is a circular view of the software lifecycle as opposed to the linear view of the
waterfall approach. It can incorporate other models in its various developmental phases.
There are usually four distinct phases of the spiral model software development approach.
10) physical design
The logical design is converted to physical design in this phase. The physical design involves
breaking up the logical design into units, which in turn can be decomposed further into
implementation units such as programs and modules.
Design of the Hardware/ Software Platform
A new system requires new software and hardware not currently available in the organization.
For example
• User workstations might have to be purchased to support an office automation system.
• A minicomputer might have to be purchased to provide extra processing resources to the new
system.
Office Automation Systems
Office automation system includes formal and informal electronic systems primarily concerned
with the communication of information to and from persons both inside and outside the firm. It
supports data workers in an organization.
For Instance
• Word processing
• Desktop publishing
• Imaging & Web publishing
• Electronic calendars – managers’ appointment calendars
• Email
• Audio & video conferencing – establishing communication between geographically dispersed
persons.
CS507 - Information Systems - Q.No. 139 ( M - 5 )
How are scanners used as a technical control against the spread of viruses?
Use of antivirus software is another very important technical control against the spread of viruses.
33.1 Scanners
Scanners check the operating system and application software for any virus whose definition they
contain. Every virus has a different bit pattern. These unique bit patterns act as an identity for the
virus and are called signatures. These signatures are distributed as virus definitions. Every scanner
contains certain virus definitions, which in fact are signatures (bit patterns) for various kinds
of virus. The scanner checks or scans the operating system and the other application software
installed on the hard drives. While scanning, it compares the bit patterns in all software against the
bit patterns contained in its virus definitions. If a match is found, the software is labeled as a
virus.
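The matching step described above is a byte-substring search of each file against every definition. The following added example (not a real antivirus engine, and not code from the course material) does exactly that over a constructed set of files; the signatures are made-up byte strings that identify nothing real, and the file names and paths are constructed too.

```python
"""Signature scanner: match stored bit patterns against file contents.
Added example with constructed signatures and files; not a real antivirus engine."""
from typing import Dict, List, Tuple

# Constructed "virus definitions": name -> signature (bit pattern). These bytes
# were made up for the example and do not identify any real malware.
VIRUS_DEFINITIONS: Dict[str, bytes] = {
    "Demo.Dropper.A": bytes.fromhex("e8000000005b81eb0510000068deadbeef"),
    "Demo.Macro.B": b"DEMO-SIGNATURE-MACRO-B",
}

# Constructed files on a pretend hard drive: path -> content bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Program Files/app/setup.exe":
        b"MZ" + b"\x00" * 60 + bytes.fromhex("e8000000005b81eb0510000068deadbeef") + b"\x90" * 16,
    "C:/Users/ali/Documents/payroll.xlsm":
        b"Attribute VB_Name = \"Module1\"\r\nSub AutoOpen()\r\n  ' DEMO-SIGNATURE-MACRO-B\r\nEnd Sub\r\n",
    "C:/Users/ali/Documents/notes.txt":
        b"quarterly figures attached\r\n",
}


def scan_bytes(data: bytes, definitions: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Return (virus name, byte offset) for every signature found in data."""
    hits: List[Tuple[str, int]] = []
    for name, signature in definitions.items():
        offset = data.find(signature)   # substring search over the raw bytes
        if offset != -1:
            hits.append((name, offset))
    return hits


def scan_files(files: Dict[str, bytes],
               definitions: Dict[str, bytes]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan every file. An empty list means no known signature matched, not 'clean'."""
    return {path: scan_bytes(content, definitions) for path, content in files.items()}


def infected_paths(files: Dict[str, bytes] = SAMPLE_FILES,
                   definitions: Dict[str, bytes] = VIRUS_DEFINITIONS) -> List[str]:
    """Sorted list of files in which at least one signature was found."""
    return sorted(path for path, hits in scan_files(files, definitions).items() if hits)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES, VIRUS_DEFINITIONS).items():
        print(path, "->", hits or "no signature matched")
```

The comment on `scan_files` is the practical caveat: a scanner can only report the bit patterns it has definitions for, so "no match" says nothing about viruses whose signatures are not yet in its definitions, which is why definition updates matter as much as the scanner itself.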
CS507 - Information Systems - Q.No. 140 ( M - 5 )
Can you classify E-Commerce into different classes? Identify any five.
Electronic Commerce (e-commerce or EC) describes the buying, selling, and exchanging of
products, services, and information via computer network, primarily the internet. Some people
view the term commerce as describing transactions conducted between business partners.
Ebusiness is a broad definition of EC, not just buying and selling, but also servicing customers,
collaborating with business partners, and conducting electronic transactions within an
organization. The most prevalent of E-Commerce models can be classified as
1. Business to Consumer (B2C)
2. Business to Business (B2B),
3. Business to Employee (B2E),
4. Consumer to Consumer (C2C) and
5. E-Government
• Government to Citizens/Customers (G2C)
• Government to Business (G2B)
• Government to Government (G2G)
What is Object Oriented Analysis and Design (OOAD)? (Marks 1)
Object Oriented Analysis and Design (OOAD)
The concept of object oriented analysis and design focuses on problems in terms of classes and
objects. This concept combines aspects of both entity relationship diagram and data flow
diagrams. The object oriented analysis and design tool has been devised to support the object
oriented languages, for example C++ and Java. The roots of the concept of object orientation
evolved in the late 60’s with the emergence of SIMULA 67 as the first object oriented language.
Object oriented methodologies do not replace traditional approaches (such as
data flow, process flow, and state transition diagrams); they are important new additions to the
toolkit.
What do you understand by computing environment? Describe Stand Alone Processing and the
Web Based Environment. (Marks 5)
Web based Environment
This typically refers to the use of web, internet and browser-based applications for transaction
execution. In a web based environment, clients connect to the application through a broadband or
baseband/dial-up connection. The application is located on the enterprise server, which is accessed
by the client through the internet connection. Access may be given to a single application or to
the entire operating system. A web based environment can be combined with and applied to both
centralized and decentralized environments to optimize performance.
Web based architecture can be used either to give company employees access to the information
system, e.g. Virtual Private Networks (VPN) in the case of banks, or to give anybody and
everybody access to the company’s information system.
The following example can explain the concept in a better fashion. Two users, A and B, present at
remote locations (that is, outside the organization) may want to access the server located
within the organization. They may connect to the internet and access the server located
in the organization. The server needs to be online as well so as to be accessed by A & B through
any of the means (broad band, base band, wi-fi, or satellite). Hence data can be transmitted and
retrieved using the internet. Availability of connection of proper bandwidth allowing appropriate
internet connection speed is critical to both transmission and retrieval. Due to this reason,
companies have taken dedicated lines to enjoy uninterrupted service.
143 Roles & Responsibility any three (Marks 3)
Roles & Responsibility
For security to be effective, it is imperative that individual roles and responsibilities are clearly
communicated and understood by all. Organizations must assign security related functions in the
appropriate manner to nominated employees. Responsibilities to consider include:
1. Executive Management — assigned overall responsibility for the security of information;
2. Information Systems Security Professionals — responsible for the design, implementation,
management, and review of the organization’s security policy, standards, measures, practices,
and procedures;
3. Data Owners — responsible for determining sensitivity or classification levels of the data as
well as maintaining accuracy and integrity of the data resident on the information system;
4. Process Owners — responsible for ensuring that appropriate security, consistent with the
organization’s security policy, is embedded in their information systems;
5. Technology providers — responsible for assisting with the implementation of information
security;
6. Users — responsible for following the procedures set out in the organization’s security policy;
and
7. Information Systems Auditors — responsible for providing independent assurance to
management on the appropriateness of the security objectives.
144 What is focal Point? Complete(Marks 10)
What is focal Point?
A corporate-level facilitator may serve as a focal point for assessments throughout the company,
including those pertaining to information security because of familiarity with the tools and the
reporting requirements. Each business unit in an organization may have a designated individual
responsible for the business unit's risk assessment activities. A computer hardware and
software company may also create a team for the purpose of improving the overall risk
assessment process and reviewing the results of risk assessments of the hardware and software
systems from the perspective of offering a better, reliable and risk-free product.
145 What is Vulnerability? (Marks 1)
Vulnerability is a weakness that can be accidentally triggered or intentionally exploited. This
phase helps in building up a list of weaknesses and flaws that could be exploited by the potential
threat sources.
146 Two outputs of Impact Analysis? (Marks 2)
Impact Analysis
This phase determines the adverse impact resulting from a successful threat exercise of a
vulnerability. The following information is required before conducting an impact analysis:
1. System mission, e.g. the processes performed by the IT system.
2. System and data criticality, e.g. the system’s value or importance to an organization.
3. System and data sensitivity.
The information can be obtained from existing organizational documentation.
Likelihood levels used in the assessment:
Likelihood level | Likelihood definition
High | The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium | The threat source is motivated and capable, but controls are in place that may impede the successful exercise of the vulnerability.
Low | The threat source lacks motivation or capability, or controls are in place to prevent or at least significantly impede the vulnerability from being exercised.
Impact needs to be measured by defining certain levels, e.g. high, medium and low as qualitative
categories, or by quantifying the impact using a probability distribution. The analysis covers:
• Mission impact analysis
• Asset criticality assessment
• Data criticality
• Data sensitivity
The output of this phase is the impact rating.
147 What is change management? Identify its types. (Marks 5)
Change management
Change management means to plan, initiate, realize, control, and finally stabilize change
processes on both, corporate and personal level. Implementation of ERP or any other integration
software needs commitment and proper management. Managing change in implementation
projects has become a serious concern for the management.
Types of Change
• Organizational Development: This is the more gradual and evolutionary approach to change. It
is based on the assumption that it is possible to align corporate objectives with the individual
employees’ objectives. In practice, however, this will rarely be possible.
• Reengineering: This is known as corporate transformation or business transformation. It is the
more radical form of change management, since it challenges all elements of processes or
structures that have evolved over time.
148 What is difference between the Changing and Freezing? (Marks 3)
Another view of phases
Change management phases can be classified in an alternative way:
• Unfreezing -- Preparing a situation for change by disconfirming existing attitudes and
behaviors.
• Changing -- Taking action to modify a situation by altering the targets of change.
• Refreezing -- Maintaining and eventually institutionalizing the change.
149 How will you differentiate CSF from KPI? Discuss briefly.
CSF vs. Key Performance Indicator
A critical success factor is not a key performance indicator or KPI. Critical Success Factors are
elements that are vital for a strategy to be successful. A KPI measures the achievements. The
following example will clarify the difference. A CSF for improved sales may be adopting a new
sales strategy through better and regularly arranged display of products in the shop windows.
However, the KPI identified would be the increased/decreased Average Revenue Per Customer
as a result of the strategy. Key Performance Indicators directly or indirectly measure the results
of implementation of Critical Success Factors. KPI’s are measures that quantify objectives and
enable the measurement of strategic performance.
CS507 - Information Systems - Q.No. 150 ( M - 1 ) What is an entity set?
Entity
An entity is an object that exists and is distinguishable from other objects. An entity is described
using a set of attributes. For example specific person, company, event, plant, crop, department,
section, cost center.
• An entity set is a set of entities of the same type that share the same properties
• All entities in an entity set have the same set of attributes, i.e. common characteristics e.g.
names, addresses, date of birth, etc.
• Each entity set has a distinct attribute by which it can be easily identified, e.g. NIC no.,
employee no.
Example
• Bird is an entity
• The class of birds is an entity set
• The color of birds is an attribute
151 Why are arrows used for processes in a flow chart? (Marks 1)
Flow Chart
"A schematic representation of a sequence of operations, as in a manufacturing process or
computer program."
CS507 - Information Systems - Q.No. 152 ( M - 2 ) Why do we use tools like flowcharts, DFDs etc. in System Design?
Entity Relationship Diagram (ERD)
Another diagrammatical tool used in system design is the ERD. The ERD shown below indicates
simple relationships. These relationships can be read as follows:
• One department has one supervisor
• A department may have more than one employee
Or
• An employee may be in more than one department
• An employee may not be working on any project, but a project must have at least one employee
working on it
This is another form of ERD used to show the relations between various fields in
files used to record specific data.
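Reading an ERD is mostly about cardinality, and the quickest way to see whether one has read it correctly is to turn it into a schema and test the rules against data. The following added example (constructed data in an in-memory SQLite database, not the diagram from the course material) encodes the four relationships above: the one-supervisor rule becomes a mandatory single column, the two many-to-many readings become link tables, and the "at least one employee per project" rule, which SQL cannot enforce declaratively, becomes a query that finds violations. Table and column names are assumptions.

```python
"""The ERD relationships as a relational schema, with checks for the cardinality rules.
Added example (constructed data, in-memory SQLite); not the diagram from the course material."""
import sqlite3
from typing import List

SCHEMA = """
CREATE TABLE employee (
    emp_no INTEGER PRIMARY KEY,
    name   TEXT NOT NULL
);
-- One department has exactly one supervisor: a single NOT NULL foreign key.
CREATE TABLE department (
    dept_no    INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    supervisor INTEGER NOT NULL REFERENCES employee(emp_no)
);
-- A department may have many employees and an employee may be in many
-- departments: a many-to-many relationship needs its own link table.
CREATE TABLE dept_member (
    emp_no  INTEGER NOT NULL REFERENCES employee(emp_no),
    dept_no INTEGER NOT NULL REFERENCES department(dept_no),
    PRIMARY KEY (emp_no, dept_no)
);
CREATE TABLE project (
    proj_no INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
-- An employee may work on zero projects (simply no row), but a project must
-- have at least one employee; SQL cannot state that minimum, so it is
-- verified by projects_without_staff() below.
CREATE TABLE assignment (
    emp_no  INTEGER NOT NULL REFERENCES employee(emp_no),
    proj_no INTEGER NOT NULL REFERENCES project(proj_no),
    PRIMARY KEY (emp_no, proj_no)
);
"""

# Constructed sample rows: Chen sits in two departments, Bilal has no project,
# and 'Archive cleanup' has nobody assigned (a violation of the ERD).
SAMPLE_DATA = """
INSERT INTO employee VALUES (1, 'Ayesha'), (2, 'Bilal'), (3, 'Chen');
INSERT INTO department VALUES (10, 'Finance', 1), (20, 'IT', 2);
INSERT INTO dept_member VALUES (1, 10), (2, 20), (3, 10), (3, 20);
INSERT INTO project VALUES (100, 'Ledger migration'), (200, 'Archive cleanup');
INSERT INTO assignment VALUES (1, 100), (3, 100);
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def projects_without_staff(conn: sqlite3.Connection) -> List[str]:
    """Projects breaking the 'at least one employee' rule."""
    rows = conn.execute("""
        SELECT p.name FROM project p
        LEFT JOIN assignment a ON a.proj_no = p.proj_no
        WHERE a.emp_no IS NULL ORDER BY p.name""").fetchall()
    return [r[0] for r in rows]


def employees_in_several_departments(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("""
        SELECT e.name FROM employee e JOIN dept_member m ON m.emp_no = e.emp_no
        GROUP BY e.emp_no HAVING COUNT(*) > 1 ORDER BY e.name""").fetchall()
    return [r[0] for r in rows]


def employees_on_no_project(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("""
        SELECT e.name FROM employee e
        LEFT JOIN assignment a ON a.emp_no = e.emp_no
        WHERE a.proj_no IS NULL ORDER BY e.name""").fetchall()
    return [r[0] for r in rows]


def supervisor_is_mandatory(conn: sqlite3.Connection) -> bool:
    """True if the schema rejects a department without a supervisor."""
    try:
        conn.execute("INSERT INTO department VALUES (30, 'Audit', NULL)")
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("projects without staff:", projects_without_staff(db))
    print("in several departments:", employees_in_several_departments(db))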
CS507 - Information Systems - Q.No. 153 ( M - 1 ) Define Clear Text?
• Clear text – it is the data to be encrypted.
• Cipher text – it is the code created out of the data after encryption.
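The encryption/decryption pair from the cryptography question above and the clear text/cipher text terms defined here can be shown together with the simplest cipher that is actually sound, a one-time pad. This is an added example, not the diagram from the course material: the key comes from the operating system's random source, encryption XORs it into the clear text to produce the cipher text, and decryption XORs the same key back. The message is constructed; the requirement that the key be as long as the message and never reused is what makes the scheme secure, and the last function shows what leaks if that rule is broken.

```python
"""Encryption and decryption with a one-time pad, showing clear text and cipher text.
Added example; not the diagram from the course material."""
import secrets


def generate_key(length: int) -> bytes:
    """Key material from the OS CSPRNG; must be as long as the message and used once."""
    return secrets.token_bytes(length)


def encrypt(clear_text: bytes, key: bytes) -> bytes:
    """Clear text XOR key -> cipher text (the cryptogram)."""
    if len(key) != len(clear_text):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(clear_text, key))


def decrypt(cipher_text: bytes, key: bytes) -> bytes:
    """Cipher text XOR the same key -> clear text; XOR undoes itself."""
    return encrypt(cipher_text, key)


def round_trip(clear_text: bytes) -> dict:
    """Encrypt with a fresh key and decrypt again, returning every intermediate value."""
    key = generate_key(len(clear_text))
    cipher_text = encrypt(clear_text, key)
    return {
        "clear_text": clear_text,
        "key": key,
        "cipher_text": cipher_text,
        "recovered": decrypt(cipher_text, key),
    }


def key_reuse_leak(cipher_a: bytes, cipher_b: bytes) -> bytes:
    """Why 'one-time' matters: two cipher texts under the same key XOR to the XOR of
    the two clear texts, which no longer involves the key at all."""
    if len(cipher_a) != len(cipher_b):
        raise ValueError("cipher texts must have the same length")
    return bytes(a ^ b for a, b in zip(cipher_a, cipher_b))


if __name__ == "__main__":
    # Constructed message for the demonstration.
    result = round_trip(b"transfer 500 to account 42")
    print("cipher text:", result["cipher_text"].hex())
    print("recovered  :", result["recovered"])
```

Real systems use a block or stream cipher with a short key rather than a pad as long as the data, but the two processes in the text are the same: a function from clear text and key to cipher text, and its inverse.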
Critical Success Factors differ from organization to organization. While approving any project, the
management may evaluate the project on the basis of certain factors critical to the success or failure
of the project. Give five examples from real life. (Marks 10)
Critical Success Factors (CSF)
Critical Success Factor (CSF) is a business term for an element which is necessary for an
organization or project to achieve its mission. For example, for an international package delivery
system, CSF’s can be identified such as safe transport of customer consignments, timely delivery
of consignment, online status confirmation system to inform customers and proper packaging
and handling.
Critical Success Factors differ from organization to organization. While approving any project,
the management may evaluate the project on the basis of certain factors critical to the success or
failure of the project. For instance:
• Money factors: positive cash flow, revenue growth, and profit margins.
• Acquiring new customers and/or distributors
• Customer satisfaction – No. of complaints, after sales service
• Quality – Customer feed back on the product.
• Product / service development -- what's new that will increase business with existing customers
and attract new ones?
• Intellectual capital – enhancing production techniques and acquiring knowledge relating to
advancement in hardware/machines, equipment, processes.
• Strategic relationships -- new sources of business, products and outside revenue, sub
contracting.
• Employee development and retention
• Sustainability
• Corporate social responsibility
• Corporate Governance
27.1 Sources of Critical Success Factors
Critical Success Factors have to be analyzed and established. CSF’s may be developed from
various sources.
Generally four major sources of identifying CSF’s are
• Industry CSFs resulting from specific industry characteristics;
• CSF’s resulting from the chosen competitive strategy of the business, e.g. quick and timely
delivery may be critical to a courier service business
• Environmental CSFs resulting from economic or technological changes; and
• Temporal CSFs resulting from internal organizational needs and changes.
CS507 - Information Systems - Q.No. 154 ( M - 2 )
What is the use of the default keyword in a switch structure?
The default statement is used because, when dealing with a switch, you will have many cases,
each of which either matches the switch value or does not.
If none of those cases matches, the default branch handles the switch value. The default line
should be at the end of the case list; it is a catch-all for any value that has no case. Think
of it as the 'else' in a chain of if-else statements: if the switch does not match a listed case,
the default case is used (if it exists).
155 Object Oriented Design has the purpose of creating flexible Object Oriented Systems. What are
Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)?
Flexible, in terms of object orientation, means that it is possible to add functionality without
breaking the existing design. Object Oriented Analysis has the purpose of finding a proper OOD
for the problem, e.g. by using design patterns.
CS507 - Information Systems - Q.No. 156 ( M - 3 ) Identify drawbacks to ERP systems.
Disadvantages of ERP: Many problems organizations have with ERP systems are due to inadequate investment in ongoing training for involved personnel, including those implementing
and testing changes, as well as a lack of corporate policy protecting the integrity of the data in the ERP systems and how it is used.