CAIIB - General Bank Management -Technology Management – MODULE C Madhav Prabhu M. Tech, MIM, PMP, CISA, CAIIB, CeISB, MCTS, DCL [email protected].


CAIIB - General Bank Management - Technology Management – MODULE C
Madhav Prabhu
M. Tech, MIM, PMP, CISA, CAIIB, CeISB, MCTS, DCL
[email protected]
Agenda
• Information Systems and Technology
• IT Applications and Banking
• Networking Systems
• Information System Security and Audit
Information Systems and Technology
• System terminology
• MIS and its characteristics
• Data warehouse
System Terminology
• Systems Development Life Cycle
– Planning and analysis – defines the needed information, etc.
– Design – data structures, software architecture, interface
– Implementation – source code, database, documentation, testing and validation, etc.
– Operations and maintenance – ongoing
SDLC
• A framework to describe the activities performed at each stage of a software development project.
Various SDLC Models
• Waterfall Model when
– Requirements are very well known
– Product definition is stable
– Technology is understood
– New version of an existing product
– Porting an existing product to a new platform.
Various SDLC Models
• V-Shaped SDLC Model when
– A variant of the Waterfall that emphasizes the verification and validation of the product.
– Testing of the product is planned in parallel with a corresponding phase of development
• Excellent choice for systems requiring high reliability – tight data control applications – patient information, etc.
• All requirements are known up-front
• When it can be modified to handle changing requirements beyond the analysis phase
• Solution and technology are known
Various SDLC Models
• Prototyping Model when
– Developers build a prototype during the requirements phase
– The prototype is evaluated by end users, who give corrective feedback
– Requirements are unstable or have to be clarified
– Short-lived demonstrations
– New, original development
– With the analysis and design portions of object-oriented development.
Type of Information Systems
• Transaction Processing Systems
• Management Information Systems
• Decision Support Systems
MIS Structure
• Strategic – Top management
• Tactical – Middle Management
• Operational – Lower Management
Strategic
• External information – competitive forces, customer actions, resource availability, regulatory approvals
• Predictive information – long-term trends
• What-if information
Strategic Management
• The People – Board of Directors, Chief Executive Officer, President
• Decisions – develop overall goals, long-term planning, determine direction
• Political
• Economic
• Competitive
Tactical
• Historical information – descriptive
• Current performance information
• Short-term future information
• Short-term what-if information
Tactical Management
• People
– Business Unit Managers
– Vice-President to Middle-Manager
• Decisions
– Short- to medium-range planning
– Schedules
– Budgets
– Policies
– Procedures
– Resource allocation
Operational
• Descriptive historical information
• Current performance information
• Exception reporting
Operational Management
• People
– Middle-Managers to Supervisors
– Self-directed teams
• Decisions
– Short-range planning
– Production schedules
– Day-to-day decisions
– Use of resources
– Enforce policies
– Follow procedures
MIS System
• MIS provides information about the performance of an organization
• Think of the entire company (the firm) as a system.
• An MIS provides management with feedback
MIS: The Schematic
Diagram: The Firm – Input (raw materials, supplies, data, etc.) → Processing → Output (products, services, information, etc.); the MIS takes information from processing and reports it to managers, VPs and the CEO.
MIS - Questions
Q: How are we doing?
A: Look at the report from the MIS
Generic reports: sales, orders, schedules, etc.
Periodic: daily, weekly, quarterly, etc.
Pre-specified reports
Obviously, such reports are useful for making good decisions.
How is a DSS different?
MIS
• Periodic reports
• Pre-specified, generic reports
DSS
• Special reports that may only be generated once
• May not know what kind of report to generate until the problem surfaces; specialized reports.
MIS vs. DSS: Some Differences
• In a DSS, a manager generates the report through an interactive interface
– More flexible & adaptable reports
• DSS reporting is produced through analytical modeling, not just computing an average or plotting a graph.
– Business models are programmed into a DSS
Decision Support System
• Broad based approach
• Human in control
• Decision making for solving
structured/unstructured problems
• Appropriate mathematical models
• Query capabilities
• Output oriented
Types of Decisions (by management level)
Unstructured – Operational: Cash management | Tactical: Re-engineering a process | Strategic: New e-business initiatives, Company re-organization
Semistructured – Operational: Production scheduling | Tactical: Employee performance evaluation, Capital budgeting | Strategic: Mergers, Site location
Structured – Operational: Payroll
Project Management
• Planning Tools
– Gantt chart
– PERT
• Interdependencies
• Precedence relationships
• Project Management software
Information Technology
• Some IT systems simply process transactions
• Some help managers make decisions
• Some support the interorganizational flow of information
• Some support team work
When Considering Information,
• The concept of shared information through decentralized computing
• The directional flow of information
• What information specifically describes
• The information-processing tasks your organization undertakes
INFORMATION FLOWS
• Upward Flow of Information – describes the current state of the organization based on its daily transactions.
• Downward Flow of Information – consists of the strategies, goals, and directives that originate at one level and are passed to lower levels.
• Horizontal Flow of Information – between functional business units and work teams.
INFORMATION PROCESSING
1. Information sourcing – at its point of origin.
2. Information – in its most useful form.
3. Creating information – to obtain new information.
4. Storing information – for use at a later time.
5. Communication of information – to other people or another location.
Data Centers
• Centralised data environment
– Data integration
– Management awareness
– Change impact
• Decentralised data environment
– Functional specialisation
– Local differences
– User proximity
– User confidence
– Lack of central control
– Corporate level reporting
– Data redundancy
– Loss of synergy
IT Applications and Banking
Banking Systems and software
– Multi currency
– Multi lingual
– Multi entity
– Multi branch
– Bulk transaction entry
– High availability
– Performance management
Selection criteria
• Industry knowledge
• Banking IT knowledge
• Application familiarity
• Project Management
• Pricing options
• Track record
• Incumbency
• Technical skills
• Accessibility
• Total Cost
Other systems
• Electronic clearing and settlement systems
– MICR/OCR
– Debit Clearing system
– Credit Clearing system
– RTGS
– Cheque truncation
• Electronic Bill presentment and payment
– Decrease billing costs
– Provide better service
– New channels – new revenue
Networking Systems
Data communications
• Electronic mail
• Internet Connectivity
• Local Area Networking
• Remote Access Services
Information System Security and Audit
Computer Security
• Physical security
• Logical Security
• Network security
• Biometric security
Physical Security
• Intrusion prevention – locking, guarding, lighting
• Intrusion detection mechanisms – disturbance sensors, buried line sensors, surveillance
• Document security
• Power supply
Logical security
• Software access controls
– Multiple types of access control
– Internal access control – based on date, time, etc.
– Max tries
– Audit trails
– Privileged access
– Encryption
Network Security
• Physical intrusion
• System intrusion
Attacks
• Impersonation – forging identity
• Eavesdropping – unauthorised read
• Data alteration – unauthorised edits
• Denial of Service attacks – overloading
Intrusion Detection Systems
• Categories
– NIDS – Network Intrusion Detection – monitors packets on the network
– SIV – System Integrity Verifier – file checksum verification
– Log file Monitor – log entry patterns
• Methods
– Signature recognition – pattern recognition
– Anomaly detection – statistical anomalies
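The three IDS categories and two methods on this slide, worked through as an added example (not from the original deck): a checksum-based SIV over an in-memory set of files, a log file monitor using signature recognition, and a statistical anomaly check over the same log. All file contents, log lines, addresses and patterns are constructed for the example.

```python
import hashlib
import re
import statistics
from collections import Counter

# Constructed sample data (not from any real system): monitored files and log lines.
SAMPLE_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n", "/bin/ls": b"\x7fELF-stub"}
SAMPLE_LOG = (
    [f"2024-01-01 09:00:{i:02d} login failed for user 'admin' from 203.0.113.7" for i in range(30)]
    + [f"2024-01-01 09:05:0{i} login failed for user 'u{i}' from 198.51.100.{i}" for i in range(1, 6)]
    + ["2024-01-01 09:06:00 privileged access granted to 'admin'"]
)

# --- SIV (System Integrity Verifier): record a checksum baseline, then compare ---
def build_baseline(files):
    """Record a SHA-256 checksum per monitored file; files is {path: bytes}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify_integrity(baseline, files):
    """Return paths that are missing, new, or whose checksum no longer matches."""
    changed = [p for p, h in baseline.items()
               if p not in files or hashlib.sha256(files[p]).hexdigest() != h]
    return sorted(changed + [p for p in files if p not in baseline])

# --- Log file monitor, signature recognition: known patterns in log entries ---
SIGNATURES = {
    "login_failure": re.compile(r"login failed for user '(?P<user>\w+)' from (?P<src>[\d.]+)"),
    "privileged_access": re.compile(r"privileged access granted to '(?P<user>\w+)'"),
}

def signature_matches(log_lines):
    """Return (signature name, captured fields) for every line matching a known pattern."""
    hits = []
    for line in log_lines:
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                hits.append((name, m.groupdict()))
    return hits

# --- Anomaly detection: statistical outliers in failed logins per source address ---
def anomalous_sources(log_lines, z_threshold=2.0):
    """Flag sources whose failed-login count lies more than z_threshold standard
    deviations above the mean; a single source or no spread gives nothing to compare."""
    counts = Counter(f["src"] for name, f in signature_matches(log_lines) if name == "login_failure")
    values = list(counts.values())
    if len(values) < 2 or statistics.pstdev(values) == 0:
        return []
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    return sorted(src for src, n in counts.items() if (n - mean) / sd > z_threshold)
```

Signature recognition only fires on patterns you already know; the anomaly check catches the burst from one source without a dedicated rule, at the cost of needing enough sources for a meaningful baseline.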
Firewalls
• First line or last line of defence?
Others
• VPN
• Encryption
• Honey pots
Biometric Security
• Signature recognition
• Fingerprint recognition
• Palmprint recognition
• Hand recognition
• Voiceprint
• Eye retina pattern
Communication Security
• Cryptography
• Digital Signatures
• PKI
• CA
Cryptography
• Art and science of keeping files and messages secure.
• Encryption
• Key – to encode
– DES and Triple DES, IDEA
– Safe key length
• Cipher
• Decryption
Digital Signatures
• Usage
• Verification
• Why use?
– Authenticity
– Integrity
– Confidentiality
– Non repudiation
• Prerequisites – Public private key pair, CA
PKI - Public Key Infrastructure
• A framework for secure and trustworthy distribution of public keys and information about certificate owners, called clients
• Client
• Key Management
– High quality secret keys
– Generation
• Key distribution
CA- Certification Authority
• Central Authority
• Hierarchical
• Web of Trust
Disaster Management
• Natural
• Accidents
• Malicious
Disaster Management
• Disaster avoidance
– Inventory
– Risk Management
• Disaster Recovery
– Data off site
– Data off line
– Data out of reach
– Test
Business Continuity Planning
• Employee awareness
• Fire detection and prevention
• Hardcopy records
• Human factors
• LAN
• Media handling and storage
DRP – Disaster Recovery Planning
• Preplanning
• Vulnerability assessment
• BIA – Business Impact Assessment
• Detailed definition – RTO and RPO
• Plan development
• Testing
• Maintenance program
IS Audit
• Objectives
– Safeguarding assets
– Data Integrity
– Process Integrity
– Effectiveness auditing
– Efficiency auditing
– Importance
IS Audit Procedures
• Audit objectives
• Planning
– Who, how and reporting structures
• Audit Software – execution
• Reporting
System Audit - Security
• Environmental Controls
• Access controls
• Input controls
• Communication controls
• Processing controls
• Database controls
• Output controls
• Control of last resort (DRP, Insurance)
Cyber Law
• IT Act 2000
– Legal recognition of electronic records
– Acknowledgement of receipt of electronic records
– Legal recognition of digital signatures
– Submission of forms by electronic means
– Receipt or payment of fee or charge
– Retention of electronic records
– Publication of rules, regulations in electronic form
– CA to issue digital certificates
Some legal issues
• Data theft
• Email abuse
• Data alteration
• Unauthorised access
• Virus and malicious code
• Denial of Service
Thank You