CAIIB - General Bank Management - Technology Management – MODULE C

Madhav Prabhu, M. Tech, MIM, PMP, CISA, CAIIB, CeISB, MCTS, DCL

prabhu.madhav@gmail.com

Agenda

• Information Systems and Technology

• IT Applications and Banking

• Networking Systems

• Information System Security and Audit

Information Systems and Technology

• System terminology

• MIS and its characteristics

• Data warehouse

System Terminology

• Systems Development Life Cycle
  – Planning and analysis – defines needed information etc.
  – Design - data structures, software architecture, interface
  – Implementation - Source code, database, documentation, testing and validation etc.
  – Operations and maintenance - ongoing

SDLC

• A framework to describe the activities performed at each stage of a software development project.

Various SDLC Models

• Waterfall Model when
  – Requirements are very well known
  – Product definition is stable
  – Technology is understood
  – New version of an existing product
  – Porting an existing product to a new platform.

Various SDLC Models

• V-Shaped SDLC Model when
  – A variant of the Waterfall that emphasizes the verification and validation of the product.
  – Testing of the product is planned in parallel with a corresponding phase of development

• Excellent choice for systems requiring high reliability – tight data control applications – patient information etc.

• All requirements are known up-front

• When it can be modified to handle changing requirements beyond analysis phase

• Solution and technology are known

Various SDLC Models

• Prototyping Model when
  – Developers build a prototype during the requirements phase
  – Prototype is evaluated by end users and users give corrective feedback
  – Requirements are unstable or have to be clarified
  – Short-lived demonstrations
  – New, original development
  – With the analysis and design portions of object-oriented development.

Type of Information Systems

• Transaction Processing Systems

• Management Information Systems

• Decision Support Systems

MIS Structure

• Strategic – Top management

• Tactical – Middle Management

• Operational – Lower Management

Strategic

• External information – Competitive forces, customer actions, resource availability, regulatory approvals

• Predictive information – long term trends

• What if information

Strategic Management

• The People
  – Board of Directors
  – Chief Executive Officer
  – President

• Decisions
  – Develop Overall Goals
  – Long-term Planning
  – Determine Direction

• Political

• Economic

• Competitive

Tactical

• Historical information - descriptive

• Current performance information

• Short term future information

• Short term what if information

Tactical Management

• People
  – Business Unit Managers
  – Vice-President to Middle-Manager

• Decisions
  – short-medium range planning
  – schedules
  – budgets
  – policies
  – procedures
  – resource allocation

Operational

• Descriptive historical information

• Current performance information

• Exception reporting

Operational Management

• People
  – Middle-Managers to
  – Supervisors
  – Self-directed teams

• Decisions
  – short-range planning
  – production schedules
  – day-to-day decisions
  – use of resources
  – enforce policies
  – follow procedures

MIS System

• MIS provides information about the performance of an organization

• Think of entire company (the firm) as a system.

• An MIS provides management with feedback

MIS: The Schematic

[Diagram: The Firm (Processing), with Input: Raw Materials, Supplies, Data, etc.; Output: Products, Services, Information etc.; MIS; Managers, VPs, CEO]

MIS - Questions

Q: How are we doing?

A: Look at the report from the MIS

• Generic reports: Sales, Orders, Schedules, etc.

• Periodic: Daily, Weekly, Quarterly, etc.

• Pre-specified reports

Obviously, such reports are useful for making good decisions.

How is a DSS different?

MIS

• Periodic reports

• Pre-specified, generic reports

DSS

• Special reports that may only be generated once

• May not know what kind of report to generate until the problem surfaces; specialized reports.

MIS vs. DSS: Some Differences

• In a DSS, a manager generates the report through an interactive interface
  – More flexible & adaptable reports

• DSS Reporting is produced through analytical modeling, not just computing an average, or plotting a graph.
  – Business Models are programmed into a DSS

Decision Support System

• Broad based approach

• Human in control

• Decision making for solving structured/unstructured problems

• Appropriate mathematical models

• Query capabilities

• Output oriented

Types of Decisions

Decision levels (columns): Operational, Tactical, Strategic

• Un-structured: Cash Management; Re-engineering a process; New e-business initiatives; Company re-organization

• Semi-structured: Production Scheduling; Employee Performance Evaluation; Capital Budgeting; Mergers; Site Location

• Structured: Payroll

Project Management

• Planning Tools
  – Gantt chart
  – PERT

• Interdependencies

• Precedence relationships

• Project Management software

Information Technology

• Some IT systems simply process transactions

• Some help managers make decisions

• Some support the interorganizational flow of information

• Some support team work

When Considering Information,

• The concept of shared information through decentralized computing

• The directional flow of information

• What information specifically describes

• The information-processing tasks your organization undertakes

INFORMATION FLOWS

• Upward Flow of Information - describes the current state of the organization based on its daily transactions.

• Downward Flow of Information - consists of the strategies, goals, and directives that originate at one level and are passed to lower levels.

• Horizontal Flow of Information - between functional business units and work teams.

INFORMATION PROCESSING

1. Information Sourcing - at its point of origin.
2. Information - in its most useful form.
3. Creating information - to obtain new information.
4. Storing information - for use at a later time.
5. Communication of information - to other people or another location.

Data Centers

• Centralised data environment
  – Data integration
  – Management awareness
  – Change impact

• Decentralised data environment
  – Functional specialisation
  – Local differences
  – User proximity
  – User confidence
  – Lack of central control
  – Corporate level reporting
  – Data redundancy
  – Loss of synergy

IT Applications and Banking

Banking Systems and software

  – Multi currency
  – Multi lingual
  – Multi entity
  – Multi branch
  – Bulk transaction entry
  – High availability
  – Performance management

Selection criteria

• Industry knowledge

• Banking IT knowledge

• Application familiarity

• Project Management

• Pricing options

• Track record

• Incumbency

• Technical skills

• Accessibility

• Total Cost

Other systems

• Electronic clearing and settlement systems
  – MICR/OCR
  – Debit Clearing system
  – Credit Clearing system
  – RTGS
  – Cheque truncation

• Electronic Bill presentment and payment
  – Decrease billing costs
  – Provide better service
  – New channels - new revenue

Networking Systems

Data communications

• Electronic mail

• Internet Connectivity

• Local Area Networking

• Remote Access Services

Information System Security and Audit

Computer Security

• Physical security

• Logical Security

• Network security

• Biometric security

Physical Security

• Intrusion prevention - locking, guarding, lighting

• Intrusion detection mechanisms – Disturbance sensors, buried line sensors, Surveillance

• Document security

• Power supply

Logical security

• Software access controls
  – Multiple types of access control
  – Internal access control – based on date, time etc.
  – Max tries
  – Audit trails
  – Privileged access
  – Encryption

Network Security

• Physical intrusion

• System intrusion

Attacks

• Impersonation - forging identity

• Eavesdropping – Unauthorised read

• Data alteration – Unauthorised edits

• Denial of Service attacks - Overloading

Intrusion Detection Systems

• Categories
  – NIDS – Network Intrusion Detection – monitors packets on network
  – SIV – System Integrity Verifier – files sum check
  – Log file Monitor – Log entry patterns

• Methods
  – Signature recognition – Pattern recognition
  – Anomaly detection – Statistical anomalies

Firewalls

• First line or last line of defence?

Others

• VPN

• Encryption

• Honey pots

Biometric Security

• Signature recognition

• Fingerprint recognition

• Palmprint recognition

• Hand recognition

• Voiceprint

• Eye retina pattern

Communication Security

• Cryptography

• Digital Signatures

• PKI

• CA

Cryptography

• Art and science of keeping files and messages secure.

• Encryption

• Key – to encode
  – DES and Triple DES, IDEA
  – Safe key length

• Cipher

• Decryption

Digital Signatures

• Usage

• Verification

• Why use?
  – Authenticity
  – Integrity
  – Confidentiality
  – Non repudiation

• Prerequisites – Public private key pair, CA

PKI- Public Key Infrastructure

• A framework for secure and trustworthy distribution of public keys and information about certificate owners called clients

• Client

• Key Management
  – High quality secret keys
  – Generation

• Key distribution

CA- Certification Authority

• Central Authority

• Hierarchical

• Web of Trust

Disaster Management

• Natural

• Accidents

• Malicious

Disaster Management

• Disaster avoidance
  – Inventory
  – Risk Management

• Disaster Recovery
  – Data off site
  – Data off line
  – Data out of reach
  – Test

Business Continuity Planning

• Employee awareness

• Fire detection and prevention

• Hardcopy records

• Human factors

• LAN

• Media handling and storage

DRP – Disaster Recovery Planning

• Preplanning

• Vulnerability assessment

• BIA – Business Impact Assessment

• Detailed definition – RTO and RPO

• Plan development

• Testing

• Maintenance program

IS Audit

• Objectives
  – Safeguarding assets
  – Data Integrity
  – Process Integrity
  – Effectiveness auditing
  – Efficiency auditing
  – Importance

IS Audit Procedures

• Audit objectives

• Planning
  – Who, how and reporting structures

• Audit Software – execution

• Reporting

System Audit - Security

• Environmental Controls

• Access controls

• Input controls

• Communication controls

• Processing controls

• Database controls

• Output controls

• Control of last resort (DRP, Insurance)

Cyber Law

• IT Act 2000
  – Legal recognition of electronic records
  – Acknowledgement of receipt of electronic records
  – Legal recognition of digital signatures
  – Submission of forms in electronic means
  – Receipt or payment by fee or charge
  – Retention of electronic records
  – Publication of rules, regulation in electronic form
  – CA to issue digital certificate

Some legal issues

• Data theft

• Email abuse

• Data alteration

• Unauthorised access

• Virus and malicious code

• Denial of Service

Thank You