Free PDF

Security
Considerations:
IT Security & IT Audit
For JAIIB Exam

Siva Rama Prasad Sir Notes

EX-GM, SBI PO
36+ Years of Experience

www.Oliveboard.in
 Table of Contents

Security Considerations ........................................................ 3

Control Mechanism ........................................................... 3-4
Computer Audit ................................................................ 4
IT Security .............................................................................. 5
Threats to Information System Security ............................... 6
IT/IS Audit .......................................................................... 7
Security Considerations: IT Security & IT Audit JAIIB Free e-book

Security Considerations: IT Security & IT Audit JAIIB

Security Considerations

Customer Demands have sparked intense competition among banks and financial firms to
apply information technology to their operations to provide innovative goods and services at
lower prices. This is especially beneficial for those who are moving to new regions.
• Data and software: Data is a valuable resource that is required to keep a company
running. Inaccurate data can also have major consequences on decision-making. The
growing availability and usage of expert systems and the potential impact of erroneous
data can cause havoc with a company's operations.
• Infrastructure: Banks must make significant investments to adopt technology-based
tools and solutions. Computer and communication system functions require the same
hardware components as software and data.
• Peopleware: It refers to a group of people who are directly or indirectly responsible for
the administration and operation of digital systems.

Types of Threats

Threats to computerized systems appear as the following:

• Data and software errors and omissions
• Unauthorized release of sensitive information
• Abuse of computers and misappropriation of bank assets
• Cybercrime

Malicious Damages: Malicious damage to computerised systems can be caused by

dissatisfied workers who want to disrupt services or those with nefarious motives who want to
use technology to commit fraud for financial gain.
- Frauds
- Interruptions in Services

Accidental Damages: Computers and communications systems have many uses in banking
and other financial institutions. However, these systems are subject to harm caused by
human error and natural disasters.
- Human Error and Omissions
- Unreliable systems
- Environmental Hazards

Control Mechanism

Management of hazards linked with IT technologies necessitates the implementation of

appropriate control mechanisms.
➢ Physical Control: Physical control refers to applying security measures inside a defined
structure to prevent unwanted access to sensitive information.

➢ Internal Control: Internal control is a method used by a company's board of directors,

management, and other employees to offer reasonable confidence that information is
accurate, reliable, and timely. Laws, rules, contracts, policies, and procedures must all
be followed.
• Accounting Control: Accounting control refers to how processes are set up inside
a company to manage risk. The following are the accounting control objectives:
To protect assets from being lost. To guarantee that financial statements
accurately reflect a company's financial performance, position, and cash flows.
Security Considerations: IT Security & IT Audit JAIIB Free e-book

• Administrative Control: Administrative controls define the human security

components. It includes all levels of an organisation's people and defines which
users have access to resources and information through training and awareness.
It also includes plans for disaster preparedness and recovery.

➢ Operational Control: Security measures largely implemented and performed by humans

are known as operational controls (as opposed to systems). These safeguards are put
in place to increase the security of a system (or group of systems).
• Audit Trails: To examine and search for errors or anomalies, an Audit Trail should
capture all material events that happen within the border subsystem. Audit Trail
Controls try to preserve a chronological history of all events in a system. This
record is required to respond to enquiries, meet legislative obligations, discover
error implications, and permit system monitoring and adjustment. The following
are two types of audit trails that you should include in each subsystem:
An accounting audit trail to keep track of occurrences within the company
subsystem.
• An Operations Audit Trail to keep track of attempted and completed operations.
Each event in the subsystem consumes a certain number of resources.

➢ Checksum: IT experts use checksums to identify high-level problems in data transfers.

A checksum is a value that indicates the number of bits in a transmission message. A
checksum value can be assigned after performing a cryptographic hash function on
each piece of data or file before transmission.

➢ Data Encryption: Data encryption is the process of converting plaintext (unencrypted)

data into ciphertext (encrypted). Users can use an encryption key to access encrypted
data and a decryption key to decode encrypted data.

Computer Audit

Banks can create effective, secure, and reliable computer systems by employing the right
control approaches outlined above. The control measures chosen vary for each bank,
reflecting the dangers that each bank faces and the expenses of connected security and
control processes.

Regular independent audits of security and control processes by auditor’s aid in the detection
of flaws before banking operations are jeopardized. Computer audit is a generic
organizational activity that evaluates asset protection, data integrity, the effectiveness of the
system, and system efficiency in computerized systems.

More than accuracy and compliance to systems and processes, the major focus of a computer
audit is on gathering and evaluating evidence to assure asset safeguarding, data integrity,
fulfilling organizational goals of computerization efficiently, and ensuring optimal resource
utilization.

The objective of Computer Auditing is:

o Asset security: This function guarantees that the assets, including hardware, software,
data files, and system documents, are fully safeguarded against fire, destruction,
editing, change, and damage, which might be accidental or intentional. Both will be
detrimental to the organization’s goals. Internal control systems should provide a
consistent basis for safeguarding computerized assets.
o Data integrity guarantees that data is accurate, consistent, and complete. This gets
Security Considerations: IT Security & IT Audit JAIIB Free e-book

more challenging when the system is used by several users who all have access to the
same data. This envisions a reliable system that ensures data integrity and
confidentiality.
o System efficiency focuses on whether the system is cost-effective and economical. The
resources used to make this system work, such as the cost of the machine, time,
peripherals, consumables, and so on, provide value to the total function.
o Obtain organizational objectives: This audit role guarantees that the organization's
objectives for implementing computerization or data processing systems are met. This
will aid in determining if operational efficiency and service functionality have improved
as a result of computerization. This is a continuous review of the system, as well as a
comparison of manual operations to computerized processes.

In a computerized setting, an effective control mechanism

• Preventive: Preventative controls are required to be introduced before a threat

event to decrease or eliminate the possibility and effect of a successful threat
event.
• Detective: Detective control is an internal control that aims to find issues in a
company's operations after they have happened.
• Corrective: Corrective controls are implemented to lessen a loss-causing event's
impact and respond to occurrences in a risk-reducing way.

Information System Security (IS Security)

Information systems security (INFOSEC) is a broad topic in information technology (IT) that
focuses on securing computers, networks, and users. Almost all modern businesses and
people are concerned about the dangers of digital technology.

Information System Security is required for the following:

▪ To follow the law of the country and the regulations of the regulator.
▪ To adhere to company policies.
▪ To meet the needs of a business partner.

Information System Security in Banking

On many levels, banks must fulfil their clients' security requirements, whether with their
savings, using over-the-counter services in a branch office, withdrawing money from teller
machines, making deposits via the cash recycling system, or using online banking.
Security Considerations: IT Security & IT Audit JAIIB Free e-book

Threats to Information System Security

- Virus: A computer virus is a program or code that can reproduce and propagate from
one computer system to another. A computer virus can destroy or erase data on your
computer, and it may distribute the virus to other computers through an e-mail
application. It may potentially erase everything on your hard drive in the worst-case
scenario. Trojan viruses are one type of computer virus. Disk Killer, Stone Virus,
Sunday, Cascade, Nuclear, Word Concept, and other stealth viruses, worms, and
malware (malicious software)
- Phishing: It refers to bank clients receiving unsolicited emails seeking their login,
password, and other account information to access their account for whatever reason.
When customers click the links to submit their information, they are routed to a false
imitation of the genuine bank's website, unaware that fraud has happened. Following
that, the fraudster gained access to the customer's online bank account. After that
fraudster has access to the customer’s online bank account.
- Vishing: Vishing is the illegal activity of gaining access to private, personal, and
financial information using social engineering and Voice over IP (VoIP) for monetary
benefit. The name is a hybrid of the word’s "voice" and "phishing." A person pretends
to be a bank official calling to check account details in Vishing, and it's usually used to
steal credit card information.
- Malware: Malware is software code that has been maliciously designed. This sort of
malicious software is capable of the following:
o Theft of account information: Malware can grab your login credentials by capturing
keystrokes. It may also monitor and record other data required to verify an
individual's identification (like special images or words).
o Fake website substitution: Malware can produce web pages that look authentic but
are not. They replace a bank's website with a page that looks just like it except for
the word 'web address.' An attacker can use it to intercept user data. If a person
provides information, it is delivered without their awareness to both the bank and
the malicious attacker.
o Account hijacking: Malware may take over a browser and transmit money without
the user's awareness. When a person tries to log in to a bank website, the program
opens a covert browser window on the computer, signs in to the bank account,
examines the account balance, and initiates a secret financial transfer to the
intruder's account.
Security Considerations: IT Security & IT Audit JAIIB Free e-book

Information System Audit (IS Audit)

An information system (IS) audit, often known as an information technology (IT) audit,
reviews a company's IT infrastructure controls. These audits can be combined with a financial
statement audit, internal audit, or another type of attestation activity. It's the process of
gathering and analyzing evidence about a company's information systems, processes, and
operations. The use of obtained evidence may help determine if an organization’s information
systems are protecting assets, maintaining data integrity, and performing effectively and
efficiently to meet the organization’s goals and objectives.

Methodology for Auditing Information Systems

Phase 1: Audit Planning
Phase 2 – Risk Assessment and Business Process Analysis
Phase 3 – Performance of Audit Work
Phase 4: Reporting

Advantages of IS Audit
▪ It would indicate the dangers of being exposed to a digital world that already exists.
After identifying the risks, remedial action may be performed to safeguard an
organisation's interests.
▪ It would discourage people, workers, and users from engaging in data manipulation,
fraud, and other forms of corruption. The adoption of IS audit will detect an unwanted
action.

Evaluation Requirements
IT resources are always changing due to the creation of new applications, the procurement of
new hardware, the turnover of skilled staff, etc.
- Data
- Computer Software
- Computer Hardware
- System Development Process
- Disaster Recovery Management
- Communication channels

Legal Framework for Electronic Transactions

Many legal rules currently recognise the importance of signing paper-based records and
documents. Since then, computerised commerce has rendered paper transactions obsolete.
As a result, enactment/amendment of relevant legislation was required to facilitate e-
commerce.

On June 9, 2000, the Indian Parliament passed a comprehensive information technology bill,
which obtained the President's approval. Incidental adjustments to the following Acts have
been made as a result of the recognition given to electronic records, electronic documents,
and electronic signatures:
❖ The Indian Penal Code, 1860
❖ The Banker’s Bank Evidence Act, 1891
❖ The Indian Evidence Act, 1872
❖ The Reserve Bank of India Act, 1934
Security Considerations: IT Security & IT Audit JAIIB Free e-book

The term "electronic record," as well as the words "record" and "document," which appear in
different sections of the act, are intended to be included.

A "register" must comprise any list, data, or record of any entries kept in electronic form as
specified in the IT Act 2000 for Section 466 (relating to forgery of records), according to the
modification to the Indian Penal Code, 1860.

The Bankers Books Evidence Act of 1891 defines banker's books as ledgers, daybooks, cash
books, and account books used in the bank's regular operations.

The IT Act of 2000 revised the RBI Act of 1934, allowing the central board to issue
regulations for electronic cash transfers between banks or between banks and other financial
organizations.
Security Considerations: IT Security & IT Audit JAIIB Free e-book

JAIIB GLOSSORY

Capital Funds Equity contribution of owners. The basic approach of capital adequacy
framework is that a bank should have sufficient capital to provide a stable
resource to absorb any losses arising from the risks in its business.
Capital is divided into different tiers according to the characteristics /
qualities of each qualifying instrument.

Revaluation Revaluation reserves are a part of Tier-II capital. These reserves arise
reserves from revaluation of assets that are undervalued on the bank's books,
typically bank premises and marketable securities. The extent to which
the revaluation reserves can be relied upon as a cushion for unexpected
losses depends mainly upon the level of certainty that can be placed on
estimates of the market values of the relevant assets and the subsequent
deterioration in values under difficult market conditions or in a forced sale.

Leverage Ratio of assets to capital.

Capital reserves That portion of a company's profits not paid out as dividends to
shareholders. They are also known as undistributable reserves and are
ploughed back into the business.

BASEL The BASEL Committee is a committee of bank supervisors consisting of

Committee on members from each of the G10 countries. The Committee is a forum for
Banking discussion on the handling of specific supervisory problems. It
Supervision coordinates the sharing of supervisory responsibilities among national
authorities in respect of banks' foreign establishments with the aim of
ensuring effective supervision of banks' activities worldwide.

Risk Weighted The notional amount of the asset is multiplied by the risk weight assigned
Asset to the asset to arrive at the risk weighted asset number. Risk weight for
different assets vary e.g. 0% on a Government Dated Security and 20%
on a AAA rated foreign bank etc.

CRAR (Capital to Capital to risk weighted assets ratio is arrived at by dividing the capital of
Risk Weighted the bank with aggregated risk weighted assets for credit risk, market risk
Assets Ratio) and operational risk. The higher the CRAR of a bank the better
capitalized it is.

Non-Performing An asset, including a leased asset, becomes non performing when it

Assets (NPA) ceases to generate income for the bank.

Total income Sum of interest/discount earned, commission, exchange, brokerage and

other operating income.

Net operating Operating profit before provision minus provision for loan losses,
profit depreciation in investments, write off and other provisions.

Average Yield (Interest expended on deposits and borrowings/Average interest-bearing

liabilities) *100
Security Considerations: IT Security & IT Audit JAIIB Free e-book

Return on Asset Return on Assets (ROA) is a profitability ratio which indicates the net
(ROA)- After Tax profit (net income) generated on total assets. It is computed by dividing
net income by average total assets. Formula- (Profit after tax/Av. Total
assets) *100

Net Interest The NII is the difference between the interest income and the interest
Income (NII) expenses.

CASA Deposit Deposit in bank in current and Savings account.

Liquid Assets Liquid assets consist of: cash, balances with RBI, balances in current
accounts with banks, money at call and short notice, inter-bank
placements due within 30 days and securities under "held for trading" and
"available for sale" categories excluding securities that do not have ready
market.

Venture Capital A fund set up for the purpose of investing in start-up businesses that is
Fund perceived to have excellent growth prospects but does not have access
to capital markets.

Held Till Maturity The securities acquired by the banks with the intention to hold them up to
(HTM) maturity.

Yield to maturity The Yield to maturity (YTM) is the yield promised to the bondholder on
(YTM) or Yield the assumption that the bond will be held to maturity and coupon
payments will be reinvested at the YTM. It is a measure of the return of
the bond.

CRR Cash reserve ratio is the cash parked by the banks in their specified
current account maintained with RBI.

SLR Statutory liquidity ratio is in the form of cash (book value), gold (current
market value) and balances in unencumbered approved securities.
 More
Download Here
JAIIB Free PDFs

Join JAIIB
Selection Course - 2022
Enroll Now

Learn From India’s Top Faculty

Siva Rama Prasad Sir Shubhi Ma’am Arvind Shukla Sir

EX-GM, SBI PO Insurance and Teaching Banking
36+ Years of Banking Expert & Finance from
Experience 3+ years experience 10 Years.
Trainer for Bank Internal
Promotion Exams, Cleared
Multiple Bank PO Exams

Blog Discuss Forum Telegram Facebook

Your One-Stop Interact With Peers Stay Updated With Ensure you are
Destination For All & Experts, Exchange All JAIIB/ CAIIB Online prepared to pass your
Exam Related Score & Improve Your Classes & Get Free CAIIB and JAIIB exams
Information & Preparation. Resources. with the right
Preparation Follow Us On information. Click the
Resources. Telegram below link to join
Join Us!
Explore Now Explore Now Explore Now Explore Now

Free Mock Test + Sectional Test