
SYLLABUS
2.2 INFORMATION TECHNOLOGY FOR ACCOUNTING AND FINANCE

MODULE - 1
Information Systems and their role in businesses, types of information systems – Operation
support system, management support system, TPS, PCS, EIS, MIS, OAS, DSS, GDSS, expert
systems, artificial intelligence, Information systems at levels of management, HRIS,
Accounting Information system, Marketing information systems, manufacturing and
production information system, Developing information systems – systems analysis and design,
SDLC – types, introduction to ERP, introduction to cloud computing.
MODULE - 2
IT-GRC (Governance, Risk and Compliance), Information system audit standards – ISO
27001 – Information security and management standard (ISMS), Capability Maturity Model
(CMM), Control Objectives for Information and related Technology (COBIT) – IT
Governance model, Health Insurance Portability and Accountability Act (HIPAA), Statement
on Auditing Standards (SAS) for service organization.
MODULE - 3
Overview of specific sections of IT Act 2008, electronic contracting,
digital signature, cyber offence, certifying authorities, Concepts of Cyber forensics/Cyber
Fraud investigation, Overview of Information Security Standards - ISAE 3402/SA 402, ITIL
MODULE - 4
Database definition, types of structures, DBMS software - creating, editing, modifying,
searching and sorting databases, creating and printing formatted reports, designing custom
screen displays, multiple data files, executing queries and relational algebra
MODULE - 5
Spreadsheet software - range, formulas, types of functions, types of charts, what-if analysis -
Goal Seek Analysis, data validation, subtotal, Applying Absolute (Fixed), statistical functions –
min, max, count, countif, countA, stdev, mean, mode, median, variance, correlation,
percentile, quartile, rank, financial functions – PV, NPV, NPER, PMT, RATE, IRR, SLN,
SYD, IPMT, DB, logical functions – if, else, and, or, not, multiple if statements, Vlookup,
Hlookup, sorting data - types, conditional formatting, page layout - settings, filtering data, data
analysis - descriptive statistics, pivot tables
Books for Reference:
1. O’Brien, James – Management Information Systems, Tata McGraw Hill, New Delhi.
2. Laudon and Laudon – Management Information Systems, Prentice Hall of India, New Delhi.
3. Gordon B. Davis – Management Information Systems, McGraw Hill International.
4. Information Technology Control and Audit, Third Edition, Sandra Senft, Frederick Gallegos,
CRC Press
5. Information System Audit and Assurance, by D. P. Dube, Ved Prakash Gulati, McGraw Hill
Education
6. For modules 4 and 5 the teacher will decide the software of his/her choice and appropriate books

MODULE 1- INFORMATION SYSTEMS AND THEIR ROLE IN BUSINESSES


DATA & INFORMATION:

Data can be defined as “collection of facts, which is unorganized, but can be organized into
useful information”.
Examples: Employee’s name, Product Name, Prices, Weight etc.
Note: Data can exist in the form of numbers, characters, words, graphs, sounds, images.
Information can be defined as “data that has been converted into a meaningful and useful
context for specific end users”.
Example: Processing of Attendance data
Processing includes the tasks of comparison, sorting etc.
NOTE:
- Data is independent of the user, whereas information is user dependent.
- Data is the result of routine recording of events and activities, whereas information is
user driven and is not always automatic.

Features of Information
1. It reduces uncertainty
2. It has a value in decision making
3. It is reusable
4. It has surprise element or new value
5. It corrects or confirms previous information
Dimensions of Information
1. Economic Dimension
2. Business Dimension
3. Technical Dimension

1. The Economic Dimension: includes both the cost of information and the benefits from its use.
The cost of information consists of the cost to acquire data, the cost to maintain data, and the
cost of generating and communicating information.

2. The Business Dimension: The characteristics of information required by managers at
different levels of hierarchy are different. The top management requires environmental
information for strategic planning and giving direction to the organization.
Operations management requires information about operations just finished,
like actual output, wastage, machine idle time and labour idle time.

3. The Technical Dimension: depends on the quality and reliability of the
technology used for data processing and information communication. It is also concerned
with the database that is vital for any information system.

Types of Information:

1. Strategic Information: pertains mostly to the organization as a whole and its environment,
such as information about new technologies, new products, competitors etc. Top management
needs strategic information for its long-term planning.

2. Tactical Information: is required for short-term planning by middle-level managers.
Examples are sales analyses and forecasts, cash flow projections etc.

3. Operational Information: relates to a very short period that may be a few hours to a few weeks.
Examples are current stock levels of inventory, outstanding orders from customers, work schedule
for the next shift etc.

4. External & Internal Information: External information originates outside the
organization, such as market research information and competitor information.
Internal information originates inside the organization. Most of the data for internal
information results from transaction processing.

5. Horizontal and Vertical Information: Information flowing up or down the organization
hierarchy is called vertical flow of information. Examples include orders, decisions etc.
communicated downward.
When information flows peer to peer at the same level, the flow is called horizontal.
Examples include information flow between the marketing manager, finance manager,
personnel manager and production manager.

Information System (IS)

An information system can be defined as “a set of people, procedures and resources that collects,
transforms, and disseminates (distributes) information in an organization”. It is a system that
accepts data resources as input and processes them into information products as output. This
supports an organization’s business strategies, business processes and organizational
structures.

Components of Information Systems:

1. Hardware – Physical computer equipment and associated devices, machines and media,
e.g. desktops, laptops, PDAs
2. Software – operating systems, application programs
3. Data – facts and figures entered into computers
4. Procedures – how the other four components are used
5. People – end users and IS specialists: system analysts, programmers, data administrators,
technologists, IS support etc.

Role/Importance of IS in Business

Organizations strive to be market leaders in their given industry. In climates where factors
such as recession, inflation and increased competition can hinder the achievement of their
goals, companies look for strategies that lead to competitive advantage. One such strategy is
the adoption of IS within the company. IS helps a company to make adequate use of its data.

The roles of IS are as follows:

1. Information Storage and Analysis

At the date of publication, many companies no longer manage their data
and information manually with registers and hard-copy formats. Through
the adoption of information systems, companies can make use of
sophisticated and comprehensive databases that can contain all
imaginable pieces of data about the company. Information systems store,
update and even analyze the information, which the company can then
use to pinpoint solutions to current or future problems. Furthermore, these
systems can integrate data from various sources, inside and outside the
company, keeping the company up to date with internal performance and
external opportunities and threats.

2. Assist With Making Decisions

The long-term success of a company depends upon the adequacy of its
strategic plans. An organization’s management team uses information
systems to formulate strategic plans and make decisions for the
organization's longevity and prosperity. The business uses information
systems to evaluate information from all sources, including information
from external references such as Reuters or Bloomberg, which provide
information on the general economy. This analysis of and comparison to
market trends helps organizations analyze the adequacy and quality of
their strategic decisions.

3. Assist With Business Processes

Information systems aid businesses in developing a larger number of
value added-systems in the company. For example, a company can
integrate information systems with the manufacturing cycle to ensure that
the output it produces complies with the requirements of the various
quality management standards. Adoption of information systems
simplifies business processes and removes unnecessary activities.
Information systems add controls to employee processes, ensuring that
only users with the applicable rights can perform certain tasks. Further,
information systems eliminate repetitive tasks and increase accuracy,
allowing employees to concentrate on more high-level functions.
Information systems can also lead to better project planning and
implementation through effective monitoring and comparison against
established criteria.

4. Separating Work From Location

It is possible now to organize globally while working locally. Many workers
can work remotely from their homes or cars. Collaborative teamwork
across thousands of miles is a reality. Companies can coordinate their
geographically distributed capabilities and coordinate with other
organizations (virtual organization).

5. Reorganizing Work Flows

Electronic work flows have reduced the cost of operations in many
companies by displacing paper and the manual routines. Improved work-
flow management has enabled corporations to cut costs significantly and
improve customer service. Redesigned work flows have a profound impact
on organizational efficiency.

6. Increasing Flexibility Of Organizations

Using communication technologies, companies can organize in more
flexible ways, increase their ability to respond to changes, and take
advantage of new opportunities. Small organizations use IS to have the
power of large companies. Large organizations use information technology
to achieve the responsiveness of small organizations (mass
customization).

7. The Changing Management Process

Information system provides powerful new capabilities to help managers
plan, organize, lead, and control. Many companies now use IT for
enterprise resource planning (ERP), which integrates all facets of the
business, including planning, manufacturing, sales, and finance so they
become closely coordinated.

8. The strategic business challenge: The power of computation and
communication has grown rapidly. To stay competitive, many
organizations need to be redesigned.

9. The globalization challenge: International trade is a reality. Given
language, cultural, and political differences among countries, this focus
resulted in a failure of central management control. Hence, global
hardware and software are needed.

10. The information architecture challenge: The new technology
rearranges social relations in the office and work locations, and changes
reporting patterns, and therefore redesigns the organization.
- New information architecture is the particular form information
technology takes in an organization to achieve selected goals or functions.
It is the specific design for the business application systems.
- The platform for it is information technology infrastructure. It is the
set of computer hardware, software, network, and human resources
required to operate the equipment.
- Even under the best situations, combining the knowledge of different
systems is a demanding task because of incompatibility.

11. The information systems investment challenge: The challenge
lies not in using the technology and inexpensive computers but in
management and organization. Does this investment pay off? Are we getting
the return we expected? Do competitors get more?

12. The responsibility and control challenge: The systems are
essential for business if they are accurate, reliable and secure. It is
disastrous if a system delivers information in a form that cannot be interpreted.
The chances of fraud, abuse and destruction are enormous.

[Figure: IS vs IT. Information technology (hardware, software, databases, networks, other related
components) is used to build information systems (payroll system, inventory system, marketing
system, customer service system).]

[Figure: The Four Major Types of Information Systems]

Classification of IS

Information Systems
- Operations Support System
  - Transaction processing systems
  - Process control systems
  - Office automation systems
- Management Support System
  - Management information systems
  - Decision support systems
  - Executive information systems

1. Operations support systems

An operational support system (OSS) is a group of computer programs or an
IT system used by communications service providers for monitoring, controlling, analyzing
and managing a computer or telephone network system. It processes data generated by
business operations.
Major categories are:
i) Transaction processing systems
ii) Process control systems
iii) Office automation system

i. Transaction processing systems

A transaction processing system (TPS) is an information system that captures and processes
data generated during an organization’s day-to-day transactions.
Clerical staff typically perform the activities associated with transaction processing,
which include the following:
a. Recording a business activity such as a student’s registration, a customer’s order, an
employee’s timecard or a client’s payment.
b. Confirming an action or triggering a response, such as printing a student’s schedule,
sending a thank-you note to a customer, generating an employee’s paycheck or issuing a
receipt to a client.
c. Maintaining data, which involves adding new data, changing existing data, or removing
unwanted data.
Examples of transaction processing systems:
- Reservation systems
- Credit card processing system
- Stock market processing system
- Supermarket processing system
- Insurance processing system

Transaction processing cycle:

The transaction processing cycle describes how transaction processing systems capture and
process data.
The Five Steps of the Transaction Processing Cycle:
a. Data entry
b. Transaction processing
c. Database maintenance
d. Document and report generation
e. Inquiry processing

a. Data Entry: Data entry is simply the capturing of business data during the transaction. For
example, when making a purchase at your favorite clothing store the cashier will collect
transaction data by scanning the bar code of the items that you've purchased and by swiping
your credit or debit card through the credit card reader. This same transaction data can also be
recorded through e-commerce web sites on the internet. When automating data entry a few
key points to consider include:
- Capture data as early and as close to the source as possible
- Capture data through the use of bar codes, magnetic strips and other readable media
- Use ATM and/or OCR devices as transaction terminals

b.Transaction processing: There are two different types of transaction processing, batch
processing and real-time processing.
Batch processing is when transaction data is collected and processed periodically. For
example, a retail store might collect transaction data throughout the day but only after the
store closes does the data get processed. The theory supporting batch processing is that it is a
more efficient use of computer resources. Batch processing is also believed to be easier to
control than online processing, but is constantly out of date as transactions are not updated
immediately, but daily, weekly or even monthly.
Real-time processing is when transaction data is instantaneously processed. For example, an
online retailer collects and processes transaction data each time a transaction is made. This is
why customers receive an email confirmation within minutes of their purchase. An advantage
of real time processing is that it supports a high frequency of change; however, extra
precautions must be taken in order to ensure data protection. Online processing is often more
expensive than batch processing; however, the data is always up to date.

c. Database Maintenance: Databases must always be up-to-date and correct. Transaction
processing systems assist in maintaining the corporate databases of an organization to reflect
changes resulting from day-to-day business transactions. This maintenance ensures that the
data records stored in the company's databases are correct. For example, when you purchase
an airline ticket online two things happen: your credit card is charged and one seat on that
flight is removed from the airline's inventory for that flight. If there was no database
maintenance, the airline might sell your seat to three other passengers.
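
The airline case above, as an added example that is not part of the original notes: it books the same passengers once without updating the seat inventory and once with the charge and the seat update committed as a single database transaction. The table layout, the flight code `XX100` and the rule that cards starting with `BAD` are declined are constructed for the illustration.

```python
import sqlite3


class PaymentDeclined(Exception):
    """Raised by the stand-in payment step."""


class SoldOut(Exception):
    """Raised when no seat is left on the flight."""


def open_db(seats):
    # In-memory database; autocommit mode so transactions are explicit.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(
        """
        CREATE TABLE flights (
            flight TEXT PRIMARY KEY,
            seats_left INTEGER NOT NULL CHECK (seats_left >= 0)
        );
        CREATE TABLE charges (
            id INTEGER PRIMARY KEY,
            flight TEXT NOT NULL,
            card TEXT NOT NULL,
            amount INTEGER NOT NULL
        );
        """
    )
    conn.execute("INSERT INTO flights VALUES ('XX100', ?)", (seats,))
    return conn


def charge_card(conn, flight, card, amount):
    # Constructed stand-in for a payment gateway: "BAD..." cards are declined.
    if card.startswith("BAD"):
        raise PaymentDeclined(card)
    conn.execute(
        "INSERT INTO charges (flight, card, amount) VALUES (?, ?, ?)",
        (flight, card, amount),
    )


def seats_left(conn, flight):
    row = conn.execute(
        "SELECT seats_left FROM flights WHERE flight = ?", (flight,)
    ).fetchone()
    return row[0]


def tickets_sold(conn, flight):
    row = conn.execute(
        "SELECT COUNT(*) FROM charges WHERE flight = ?", (flight,)
    ).fetchone()
    return row[0]


def book_without_maintenance(conn, flight, card, amount):
    # The failure described in the text: the card is charged but the
    # seat inventory is never updated, so the seat can be sold again.
    if seats_left(conn, flight) <= 0:
        return False
    try:
        charge_card(conn, flight, card, amount)
    except PaymentDeclined:
        return False
    return True


def book_seat(conn, flight, card, amount):
    # Charge and inventory update succeed together or not at all.
    conn.execute("BEGIN IMMEDIATE")
    try:
        cur = conn.execute(
            "UPDATE flights SET seats_left = seats_left - 1 "
            "WHERE flight = ? AND seats_left > 0",
            (flight,),
        )
        if cur.rowcount != 1:
            raise SoldOut(flight)
        charge_card(conn, flight, card, amount)
        conn.execute("COMMIT")
        return True
    except (SoldOut, PaymentDeclined):
        conn.execute("ROLLBACK")  # a declined card gives the seat back
        return False


def demo():
    # Constructed input: four passengers compete for two seats.
    passengers = ["CARD-A", "BAD-B", "CARD-C", "CARD-D"]
    result = {}
    for name, book in (("unmaintained", book_without_maintenance),
                       ("maintained", book_seat)):
        conn = open_db(2)
        for card in passengers:
            book(conn, "XX100", card, 100)
        result[name] = (tickets_sold(conn, "XX100"), seats_left(conn, "XX100"))
    return result


if __name__ == "__main__":
    print(demo())
```

Each tuple is (tickets sold, seats still shown as available): without maintenance three tickets are sold against two seats and the inventory never moves, while the transactional version sells exactly two and the declined card leaves no trace.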

d. Document and Report Generation: Documents and reports are created through the
transaction processing system. Some examples include purchase orders, paychecks, sales
receipts, invoices, and customer statements. It is important to remember that TPS reports are
operational and do not typically include analysis. Transaction processing systems typically
generate 2 types of reports, action documents and information documents. Action documents
require that an action take place and information documents notify that a transaction has occurred.

e. Inquiry Processing: Inquiry processing is when the consumer uses the internet, intranets,
extranets, and web browsers to make inquiries and receive answers concerning the results of
a transaction processing activity. For example, every time you check your bank account
online, you are checking the status of transaction processing activities. Another example
would be when you track the shipping of an online or catalog purchase.

ii. Process Control System

Process control is an engineering discipline that deals with architectures, mechanisms and
algorithms for maintaining the output of a specific process within a desired range. For
example, the temperature of a chemical reactor may be controlled to maintain a consistent
product output.
The Heart of Process Control: PLC and DCS
The primary devices used in a process control system are Programmable Logic
Controllers, better known as PLCs. PLCs are best suited to controlling machines
with several discrete devices such as motor starters, limit switches and the like,
which are often involved in automation processes like material handling, state machines,
sequencing, status reports etc.
Distributed Control Systems, commonly abbreviated as DCS, are central control systems,
which are good at controlling analog devices, thereby aiding in process control.

iii. Office Automation System or office information system

Office Information Systems: An office information system, or OIS, is an information system
that uses hardware, software and networks to enhance work flow and facilitate
communications among employees.
The software an office information system uses to support these activities includes word
processing, spreadsheets, databases, presentation graphics, e-mail, Web browsers, Web page
authoring, personal information management, and groupware. Office information systems
use communications technology such as voice mail, facsimile (fax), videoconferencing, and
electronic data interchange (EDI) for the electronic exchange of text, graphics, audio, and
video. An office information system also uses a variety of hardware, including computers
equipped with modems, video cameras, speakers, and microphones; scanners; and fax
machines.

2. Management Support Systems

Management support systems focus on managerial uses of information resources. These
systems provide information to managers for planning and decision making. The information
provided by these systems is based on both internal and external data, using various data
analysis tools.
Major categories are:
i) Management Information System
ii) Decision Support Systems
iii) Executive Information System

i. Management Information System:

A management information system, or MIS, is an information system that generates accurate,
timely and organized information, so managers and other users can make decisions, solve
problems, supervise activities, and track progress. Because it generates reports on a regular
basis, a management information system sometimes is called a management reporting system
(MRS).
Management information systems often are integrated with transaction processing
systems. To process a sales order, for example, the transaction processing system records the
sale, updates the customer’s account balance, and makes a deduction from inventory. Using
this information, the related management information system can produce reports that recap
daily sales activities; list customers with past due account balances; graph slow or fast selling
products; and highlight inventory items that need reordering. A management information
system focuses on generating information that management and other users need to perform
their jobs.

SCOPE/OBJECTIVE/PURPOSE OF MIS:

i. To provide managerial end users with information products that support much of their day
to day decision making needs
ii. To provide a variety of reports and displays to management
iii. To provide information on the contents of the information product specified in advance by
managers
iv. To retrieve information about internal operations from databases that have been updated by
TPS
v. To obtain data about the business environment from external sources so as to process them
to serve the managers in a better way
vi. To provide requisite (necessary) information support for managerial functions within the
organization
vii. To make available the right information at the right place at the right time at the lower cost
viii. To ensure wrong and unwanted information is not generated and the condition of data
overload is avoided
ix. To ensure appropriate data is collected from various sources, processed and sent to the
needy destinations
x. To fulfill the information needs of an individual, a group of individuals, and the management
functionaries at all levels

Characteristics Of MIS:
i. MIS is management oriented: The designing of MIS takes care of managers, who meet
the information requirement. The development of the system starts after deciding the
management needs and keeping in view the overall objectives of the management
ii. MIS is management directed: Since MIS requires heavy planning and investment,
management is deeply involved in the design, implementation and maintenance of the
system.
iii. Flexibility and ease of use: MIS has been designed flexible enough to accommodate new
requirements. The system is easy to operate so that not much computer skills are required
on the part of the user to access database for information or for carrying out special
analysis of data.
iv. MIS is integrated system: Five Ms-Men, Money, Materials, Machines, and Methods are
the basic resources of management information and is recognized as an important factor
and its effective use contributes to the success of the management. MIS binds together
databases of all subsystems of the business system and through information interchange,
integrates the organization.
v. Avoids redundancy in data storage: Since MIS is an integrated system, it avoids
unnecessary duplication and redundancy in data gathering and storage.
vi. Common data flow: Common data flow tries to utilize minimum data processing effort
and strives to minimize the number of output documents and reports. This type of
integration can avoid duplication, simplify operations and produce an effective MIS.
vii. Heavy planning element: Design and implementation of MIS require detailed and
meticulous planning of such activities as acquisition and deployment of hardware,
software, human ware, data processing operations, information presentation and
feedback.
viii. Subsystem concept: MIS gives provision for breaking into various subsystem based
on the activity as well as the functions of the organization so that effective
implementation of each subsystem is possible at a time.
ix. Common database: It acts as a master that holds the functional subsystems together. It
achieves this aim by allowing access to different master files of data to several functional
subsystems.
x. Computerization: MIS can be computerized because of its nature as a comprehensive
system. This provides speed in creating and accessing

DUTIES & RESPONSIBILITIES OF A MANAGER IN CONTEXT OF MIS

i. Develop and maintain broad knowledge of company’s business and technology
requirements and needs.

ii. Develop and maintain system plan including operational requirements, budget
requirements and schedules.

iii. Develop and implement MIS policies to ensure data accuracy and security.

iv. Develop and implement standardized MIS procedures across all business
applications.

v. Develop process improvements for increased efficiency and cost effectiveness.

vi. Plan and manage software and hardware installations.

vii. Perform periodic maintenance and servicing of MIS system to improve
operational efficiency.

viii. Monitor MIS performance regularly to avoid unplanned outages and down times.

ix. Provide customer support for OS issues, network problems and software
installations, etc.

x. Conduct training on MIS activities to increase staff expertise.

xi. Supervise and motivate MIS team to work collectively and efficiently.

xii. Coordinate with MIS team to ensure that technology, infrastructure and
operational requirements are met.

xiii. Plan and manage upgrades of hardware and software systems.


xiv. Track and monitor security of hardware and software systems.

xv. Recommend and implement new technology solutions to improve productivity.

ii. Decision Support Systems

A decision support system (DSS) is an information system designed to help users reach a
decision when a decision-making situation arises. A variety of DSSs exist to help with a
range of decisions. Examples: product pricing, profitability forecasting.
A decision support system uses data from internal and/or external sources. Internal
sources of data might include sales, manufacturing, inventory, or financial data from an
organization’s database. Data from external sources could include interest rates, population
trends, and costs of new housing construction or raw material pricing. Users of a DSS, often
managers, can manipulate the data used in the DSS to help with decisions.

Simon, on the basis of the level of programmability of a decision, proposed three types of
decisions:
1. Programmed, also known as structured decisions: Programmed or structured decisions are
those which are well defined and for which some specified procedure or decision rule can
be applied to reach a decision. Such decisions/problems are routine and repetitive and require
little time for developing alternatives in the design phase. For example, a decision to
replenish (fill) is an example of a structured decision. Here, the decision maker can develop
certain criteria, called a decision rule, for the reorder decision.

2. Non-programmed, also known as unstructured decisions: Decisions/problems which
are not well defined and have no pre-specified procedure or decision rule are known as
unstructured or non-programmed decisions. Here the decision-maker does not have a decision
rule to apply.
Example: Advertising Budget, Board Member Selection

3. Semi-structured decisions: These involve problems that are neither new nor routine.
There is some amount of familiarity with the decision problem but not complete. Example:
Hiring new employees.
Characteristics of DSS
i. It is designed and run by managers
ii. It focuses on decision processes rather than on transaction processing
iii. It is concerned with a small area of managerial activity or a small part of a large
problem
iv. It permits managers to test the probable results of alternative decisions
v. It supports decision-making, usually in solving semi-structured complex problems
vi. It improves managerial decisions and thereby managerial effectiveness
vii. It helps in refining managerial judgment applied to problem solving
viii. It contains a database drawn from internal files and external environment

Examples:
1) Allocating resources
2) Comparing budget to actual results
3) Drilling down to analyze results
4) Projecting revenues, and evaluating scenarios

iii. Executive Information System

An executive information system (EIS), also known as an executive support
system (ESS), is a type of management information system that facilitates and supports
senior executive information and decision-making needs. It provides easy access to internal
and external information relevant to organizational goals. It is commonly considered a
specialized form of decision support system (DSS).
EIS emphasizes graphical displays and easy-to-use user interfaces. They offer strong
reporting and drill-down capabilities. In general, EIS are enterprise-wide DSS that help top-
level executives analyze, compare, and highlight trends in important variables so that they
can monitor performance and identify opportunities and problems. EIS and data
warehousing technologies are converging in the marketplace.

i. A computer-based system that serves the information needs of top executives.

ii. Provides rapid access to timely information and direct access to management reports.

iii. Very user-friendly, supported by graphics.

iv. Provides exceptions reporting and "drill-down" capabilities.

v. Easily connected to the Internet.

vi. Drill down - to determine how certain data was produced and allows an executive to
get more detailed information if needed.

Purpose of an EIS:

i. Gives managers access to the data

ii. Promotes managerial learning

iii. Provides timely information

iv. Looking at the data leads to questions

v. Identifies trends

vi. Measures performance

In recent years, the term EIS has lost popularity in favor of business intelligence (with the sub
areas of reporting, analytics, and digital dashboards).

[Figure: MANAGERS AND THEIR INFORMATION SYSTEMS]

OTHER INFORMATION SYSTEMS ARE:


Expert system:
An expert system is an information system that captures and stores the knowledge of human
experts and then imitates (reproduces) human reasoning and decision-making processes for
those who have less expertise.
Expert systems are one part of an exciting branch of computer science called
artificial intelligence. Artificial intelligence (AI) is the application of human intelligence to
computers. AI technology can sense your actions and, based on logical assumptions and prior
experience, will take the appropriate action to complete the task. AI has a variety of
capabilities, including speech recognition, logical reasoning, and creative responses.
Expert systems are designed to solve complex problems by reasoning about
knowledge, represented primarily as if–then rules rather than through conventional
procedural code.
Expert systems are composed of two main components: a knowledge base and inference
rules. A knowledge base is the combined subject knowledge and experiences of the human
experts. The inference rules are a set of logical judgments applied to the knowledge base
each time a user describes a situation to the expert system.

Group Decision Support System

A Group Decision Support System, or GDSS, consists of interactive software that allows
for making decisions by a group of participants. The goal of a GDSS is to improve the
productivity of a group to come to a decision. A GDSS is sometimes also referred to as a
'computerized collaborative work system.'

EXAMPLE
Many decisions in an organization require the collaboration and participation of multiple
individuals. For example, consider a company manufacturing electronic consumer products,
such as TVs, DVD players, MP3 players, car stereos, etc. The company is losing market
share to the competition. The company needs to decide whether to keep selling its existing
range of products, focus only on its best-selling products or add new types of products.
This decision requires the input from a number of different units within the organization, such
as marketing, engineering, manufacturing, etc. Let's say the CEO of the company has set up a
task force to develop a recommendation. Each unit in the organization is represented by one
of its managers. How is the task force going to work together to come up with the best
decision?
There are a number of ways for the group members to collaborate. They can have meetings to
share information and discuss the decisions that need to be made. If meeting face-to-face is
not practical, they can use a technology, like videoconferencing. They can also communicate
with each other by e-mail to share ideas and provide updates.
While these approaches can be productive, many decisions in today's world are very complex
and require a lot of different considerations. Having access to the same information can
contribute to better decision making. However, this can quickly become overwhelming, and
not all participants may have the time, skill or interest to analyze all this information. Imagine
having to read through hundreds of pages of a document just to prepare for a meeting.
One strategy not to get bogged down by complexity and information overload is to use
computer-based tools for group decision making.

Characteristics of a GDSS
A GDSS has a number of unique characteristics to support a group of participants in their
decision-making process:

i. Special design to support creative thinking, effective communications and
decision-making techniques

ii. Easy-to-use so participants from different backgrounds can all participate effectively

iii. Flexible so it can incorporate the different perspectives and decision-making styles of
the different participants

iv. Automated record keeping for future review and analysis

v. Parallel communication to allow multiple participants to contribute simultaneously

The most important characteristic, however, is that it provides support for a group to come to
a decision. A number of different approaches can be used.
Artificial intelligence (AI)

AI is the intelligence exhibited by machines or software. It is also the name of the
academic field of study which studies how to create computers and computer software that
are capable of intelligent behavior.
Major AI researchers and textbooks define this field as "the study and design of
intelligent agents", in which an intelligent agent is a system that perceives its environment
and takes actions that maximize its chances of success.
John McCarthy, who coined the term in 1955, defines it as "the science and
engineering of making intelligent machines".

MIS | DSS
1. MIS is normally used only with structured problems | 1. DSS can handle unstructured problems
2. MIS usually emphasizes information only | 2. DSS emphasizes actual decision and decision making styles
3. MIS is typically oriented towards printed reports and documents | 3. DSS reports are usually screen oriented, with the capability to generate reports on a printer
4. MIS gives an indirect support system that uses regularly produced reports | 4. DSS gives a direct support system that provides interactive reports on screen

DIFFERENCE B/W DSS & ES (Expert Systems)

[Figure: DSS vs. ES comparison (Presidency College)]

DATA WAREHOUSE & DATA MINING

To store all the necessary decision-making data, DSSs or EISs often use extremely large
databases, called data warehouses. A data warehouse stores and manages the data required
to analyze historical (past) and current business circumstances from various operational
databases of an organization for business analysis, market research, decision support and data
mining applications.
Data mining (sometimes called data or knowledge discovery) is the process of analyzing
data from different perspectives and summarizing it into useful information - information that
can be used to increase revenue, cut costs, or both. Data mining software is one of a number
of analytical tools for analyzing data. It allows users to analyze data from many different
dimensions or angles, categorize it, and summarize the relationships identified. Technically,
data mining is the process of finding correlations (relationships) or patterns among dozens of
fields in large relational databases.

DATA MINING-Example
One Midwest grocery chain used the data mining capacity of Oracle software to analyze
local buying patterns. They discovered that when men bought diapers on Thursdays and
Saturdays, they also tended to buy beer. Further analysis showed that these shoppers typically
did their weekly grocery shopping on Saturdays. On Thursdays, however, they only bought a
few items. The retailer concluded that they purchased the beer to have it available for the
upcoming weekend. The grocery chain could use this newly discovered information in
various ways to increase revenue. For example, they could move the beer display closer to
the diaper display. And, they could make sure beer and diapers were sold at full price on
Thursdays.
Example: IBM Predictive Analysis, Customer Analytics
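
The diaper-and-beer pattern above can be written as an association rule (diapers -> beer) and measured with support, confidence and lift, overall and per day of the week. The Python sketch below is an added example, not part of the original notes; the baskets are constructed sample data and the function names are hypothetical.

```python
from fractions import Fraction
from itertools import permutations

# Constructed sample baskets (day of week, items bought); not data from the notes.
TRANSACTIONS = [
    ("Thu", {"diapers", "beer"}),
    ("Thu", {"diapers", "beer", "chips"}),
    ("Thu", {"diapers", "beer"}),
    ("Thu", {"diapers", "milk"}),
    ("Thu", {"milk", "bread"}),
    ("Thu", {"beer", "chips"}),
    ("Sat", {"diapers", "beer", "milk", "bread"}),
    ("Sat", {"diapers", "beer", "bread"}),
    ("Sat", {"diapers", "milk", "bread"}),
    ("Sat", {"milk", "bread", "eggs"}),
    ("Sat", {"beer", "chips"}),
    ("Sat", {"bread", "eggs"}),
    ("Mon", {"diapers", "milk"}),
    ("Mon", {"milk", "bread"}),
    ("Mon", {"diapers", "bread"}),
    ("Mon", {"bread", "eggs"}),
    ("Mon", {"milk", "eggs"}),
    ("Mon", {"beer"}),
    ("Mon", {"diapers", "milk", "eggs"}),
    ("Mon", {"bread", "milk"}),
]


def rule_metrics(transactions, antecedent, consequent):
    """Support, confidence and lift of the rule antecedent -> consequent.

    support    = share of all baskets containing both sides
    confidence = share of antecedent baskets that also contain the consequent
    lift       = confidence / baseline share of the consequent (1 = no association)
    Returns None when the slice is empty or one side never occurs in it.
    """
    antecedent, consequent = set(antecedent), set(consequent)
    n = len(transactions)
    n_a = sum(1 for _, items in transactions if antecedent <= items)
    n_c = sum(1 for _, items in transactions if consequent <= items)
    n_both = sum(1 for _, items in transactions if (antecedent | consequent) <= items)
    if n == 0 or n_a == 0 or n_c == 0:
        return None
    confidence = Fraction(n_both, n_a)
    return {
        "support": Fraction(n_both, n),
        "confidence": confidence,
        "lift": confidence / Fraction(n_c, n),
    }


def metrics_by_day(transactions, antecedent, consequent):
    """Evaluate the same rule separately for each day of the week."""
    by_day = {}
    for day, items in transactions:
        by_day.setdefault(day, []).append((day, items))
    return {day: rule_metrics(rows, antecedent, consequent)
            for day, rows in by_day.items()}


def mine_pair_rules(transactions, min_support, min_confidence):
    """All single-item rules a -> b that pass both thresholds, strongest lift first."""
    items = sorted(set().union(*(basket for _, basket in transactions)))
    rules = []
    for a, b in permutations(items, 2):
        m = rule_metrics(transactions, {a}, {b})
        if m and m["support"] >= min_support and m["confidence"] >= min_confidence:
            rules.append((a, b, m))
    rules.sort(key=lambda r: (-r[2]["lift"], r[0], r[1]))
    return rules


if __name__ == "__main__":
    print("overall:", rule_metrics(TRANSACTIONS, {"diapers"}, {"beer"}))
    for day, m in metrics_by_day(TRANSACTIONS, {"diapers"}, {"beer"}).items():
        print(day, m)
    for a, b, m in mine_pair_rules(TRANSACTIONS, Fraction(1, 5), Fraction(3, 5)):
        print(f"{a} -> {b}", m)
```

Slicing by day shows what the overall figure hides: in this sample the rule holds on Thursday and Saturday and not at all on Monday.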

INFORMATION SYSTEMS AT LEVELS OF MANAGEMENT

[Figure: Functional Business Systems: Marketing, Production/Operations, Human Resource Management, Accounting, Finance]

1. Accounting Information System:
Record business transactions, produce periodic financial statements, and create reports
required by law.
• Record and report the flow of funds through an organization
• Produce financial statements
• Forecasts of future conditions

2. Financial Information System:
Organize budgets, manage the flow of cash, analyze investments, and make decisions that
could reduce interest payments and increase revenues.
Support business managers and professionals in decisions concerning
• The financing of a business
• The allocation and control of financial resources within a business

[Figure: Financial Information Systems: Financial Planning]

3. Marketing Information System:
Analyze demand for various products in different regions and population groups, promotion
and sales of products or services, sales forecast, advertising, sales performance of marketing
personnel.
a. A customer-focused marketing process
b. Using the Internet, intranets, and extranets
c. To establish two-way transactions
d. Between a company and its customers or potential customers
Goal:
a. to profitably attract and keep customers
b. who will become partners with the business
c. in creating, purchasing and improving products and services

[Figure: Marketing Information Systems: Interactive Marketing, Sales Force Automation, Customer Relationship Management, Sales Management, Market Research and Forecasting, Advertising and Promotions, Product Management]

4. Human Resources Management Information System (HRIS):
Help with record keeping and employee evaluation, forecasting and planning the personnel
needs of an organization, maintaining an adequate and satisfactory work force, controlling the
personnel policies.
• Information systems designed to support
i. Planning to meet the personnel needs of the business
ii. Development of employees to their full potential
iii. Control of all personnel policies and programs
iv. Recruiting employees using the corporate website and commercial recruiting
services
v. Posting messages in selected Internet newsgroups
vi. Communicating with job applicants via e-mail

[Figure: HRIS matrix. Columns: Staffing; Training & Development; Compensation Administration. Rows: Strategic Systems; Tactical Systems; Operational Systems. Entries: manpower planning, labor force tracking, succession planning, performance appraisal plans, contract costing, salary forecast, labor cost analysis, turnover analysis, training effectiveness, career matching, compensation effectiveness, benefits analysis, recruitment, workforce planning, skill assessment, performance evaluation, payroll control, benefits administration]

5. Manufacturing/Production Information System:
i. Allocate resources such as personnel, raw material, and time
ii. Control inventory
iii. Process customer orders
iv. Prepare production schedules
v. Perform quality assurance, and prepare shipping documents
vi. Support the production/operations function
vii. Includes all activities concerned with planning and control of producing goods or
services

[Figure: Intranet, remote worker, supplier, extranet]

DEVELOPING INFORMATION SYSTEMS

Information Systems Development

Steps in the Systems Development Process


Systems Development Life Cycle (SDLC) - describes the life of an information system
from conception to retirement.
1. System identification, selection, and planning
2. System analysis
3. System design
4. System implementation
5. System maintenance

Phase 1- System identification, selection, and planning

• Determine if a new system is needed
• Three primary tasks:
a. Define the problem: by observation and interview, determine what information is
needed by whom, when, where and why
b. Suggest alternative solutions
c. Prepare a short report
• Undertake only those projects critical to mission, goals, and objectives
• Select a development project from all possible projects that could be performed
• Different evaluation criteria used to rank potential projects
Evaluation criteria

Strategic alignment: The extent to which the project is viewed as helping the organization
achieve its strategic objectives and long-term goals.
Potential benefits: The extent to which the project is viewed as improving profits, customer
service, and the duration of the benefits
Potential costs and resource availability: The number and types of resources the project
requires and their availability
Project size / duration: The number of individuals and the length of time needed to
complete the project
Technical difficulty / risks: The level of technical difficulty involved to complete the project
within a given time and resources

Phase 2- System analysis


Collecting System Requirements: Requirement collection is the process of gathering and
organizing information from users, managers, business processes, and documents to
understand how a proposed system should work.
System analysts use a variety of techniques to collect system requirements:
i. Interviews: analysts interview people
ii. Questionnaires: analysts design and administer surveys
iii. Observations: analysts observe workers at selected times
iv. Document analysis: analysts study business documents
In-depth study of the existing system to determine what the new system should do. Expand on
data gathered in Phase 1.
In addition to observation and interviews, examine:
i. Formal lines of authority (org chart)
ii. Standard operating procedures
iii. How information flows
iv. Reasons for any inefficiencies

Phase 3- System Design


Uses specifications from the systems analysis to design alternative systems
Evaluate alternatives based upon:
i. Economic feasibility - Do benefits justify costs?
ii. Technical feasibility - Are reliable technology and training available?
iii. Operational feasibility - Will the managers and users support it?
Designing includes:
i. Designing forms and reports
ii. Designing interfaces and dialogues
iii. Designing databases and files
iv. Designing processing and logic

Phase 4- System Implementation


i. Build the system to the design specifications
ii. Develop the software
- Purchase off-the-shelf software OR
- Write custom software
iii. Acquire the hardware
iv. Test the new system
- Module (unit) test - tests each part of system
- Integration testing - tests system as one unit
v. Create manuals for users and operators
vi. Convert from old system to new system
vii. Train users
viii. Compile final documentation
ix. Evaluate the new system

Phase 5- System Maintenance


Maintenance process steps:
i. Obtain maintenance request
ii. Transform requests into changes
iii. Design changes
iv. Implement changes
Types of changes:
i. Physical repair of the system
ii. Correction of new bugs found (corrective)
iii. System adjustments to environmental changes
iv. Adjustments for users’ changing needs (adaptive)
v. Changes to use better techniques when they become available (perfective)

Maintenance types:
i. Corrective maintenance
ii. Adaptive maintenance
iii. Perfective maintenance
iv. Preventive maintenance

Enterprise resource planning (ERP)

• Enterprise resource planning (ERP) is business management software that allows an
organization to use a system of integrated applications to manage the business.

• Being specific, ERP systems are large computer systems that integrate application
programs in accounting (e.g., accounts receivable), sales (e.g., order booking),
manufacturing (e.g., product shipping) and the other functions in the firm.
This integration is accomplished through a database shared by all the application
programs.
• A typical ERP system will use multiple components of computer hardware and
software to achieve the integration.
• A key ingredient of most ERP systems is the use of a unified database to store data for
various system modules.
• Broken down into business processes
i. HRM
ii. Distribution
iii. Financials
iv. Manufacturing

Advantage or Reasons for adopting ERP


i. Integrate financial information.
ii. Integrate customer order information.
iii. Standardize and speed up operations processes.
iv. Reduce inventory.
v. Standardize Human Resources information.
vi. Common definitions.
vii. Common database.
viii. Update one module, automatically updates others.
ix. ERP systems reflect a specific way of doing business.
x. Must look at your value chains, rather than functions.

Vendors of ERP
i. SAP - Systems Applications Products in Data Processing
ii. BAAN
iii. PeopleSoft
iv. Oracle
v. J.D. Edwards

Limitations of ERP
i. High cost.
ii. Forced change of processes.
iii. Very complex software.
iv. Lack of trained people.
v. Flexibility of software system upgrades.
vi. Implementation timelines.
vii. Availability of internal technical knowledge and resources.
viii. Education and training.
ix. Implementation strategy and execution.
x. Resistance to change.

Cloud Computing
Distributed computing on the internet, or delivery of computing services over the internet.
E.g.: Yahoo!, Gmail, Hotmail
It has three components:
i. Client computers ii. Distributed servers iii. Datacenters

i. Clients
Clients are the devices through which the end user interacts with the cloud.
Three types of clients:
i. Mobile
ii. Thick
iii. Thin (Most Popular)

ii. Distributed servers
Servers are often in geographically different places, but they act as if they are working
next to each other.

iii. Datacenter
It is a collection of servers where the application is placed and is accessed via the internet.

Why cloud service is popular?


i. Reduce the complexity of networks.
ii. Do not have to buy software licenses.
iii. Customization.
iv. Cloud providers that have specialized in a particular area (such as e-mail) can bring
advanced services that a single company might not be able to afford or develop.
v. Scalability, reliability, and efficiency.
vi. Information in the cloud is not easily lost.

MODULE – 2: IT-GRC (Governance, Risk and Compliance)

IT-GRC (Governance, Risk and Compliance)


Governance, risk management, and compliance or GRC is the umbrella term covering an
organization's approach across three areas: Governance, risk management, and compliance.
Governance, Risk Management, and Compliance (GRC) are three pillars that work together
for the purpose of assuring that an organization meets its objectives.

Governance: exercise of authority; control; government; arrangement

i. Governance is the combination of processes established and executed by the board of
directors that are reflected in the organization's structure and how it is managed and led
toward achieving goals.

ii. Governance describes the overall management approach through which senior
executives direct and control the entire organization, using a combination of
management information and hierarchical management control structures.

iii. Governance activities ensure that critical management information reaching the
executive team is sufficiently complete, accurate and timely to enable appropriate
management decision making, and provide the control mechanisms to ensure that
strategies, directions and instructions from management are carried out systematically
and effectively.

Different types of governance exist:


i. Corporate governance
ii. Project governance
iii. Information technology governance
iv. Environmental governance
v. Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying
terms and techniques for their achievement.

Corporate Governance Of Information Technology


Scope
• This standard provides guiding principles for directors of organizations (including
owners, board members, directors, partners, senior executives, or similar) on the
effective, efficient, and acceptable use of Information Technology (IT) within their
organizations.

• This standard applies to the governance of management processes (and decisions)
relating to the information and communication services used by an organization. These
processes could be controlled by IT specialists within the organization or external
service providers, or by business units within the organization.

Corporate Governance Of Information Technology


Principles
i. Principle 1: Responsibility
ii. Principle 2: Strategy
iii. Principle 3: Acquisition
iv. Principle 4: Performance
v. Principle 5: Conformance
vi. Principle 6: Human Behaviour

Corporate governance of information technology


Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets
business objectives.
c) Monitor conformance to policies, and performance against the plans.

Risk management
i. Risk management is predicting and managing risks that could hinder the organization from
achieving its objectives.
ii. Risk management is the set of processes through which management identifies,
analyzes, and, wherever necessary, responds appropriately to risks that might adversely affect
realization of the organization's business objectives. The response to risks typically depends
on their perceived gravity, and involves controlling, avoiding, accepting or transferring them
to a third party.
Whereas organizations routinely manage a wide range of risks (e.g. technological risks,
commercial/financial risks, information security risks etc.), external legal and regulatory
compliance risks are arguably the key issue in GRC.

Compliance
i. Compliance with the company's policies and procedures, laws and regulations, together with
strong and efficient governance, is considered key to an organization's success.
ii. Compliance means conforming with stated requirements. At an organizational level, it is
achieved through management processes which identify the applicable requirements (defined
for example in laws, regulations, contracts, strategies and policies), assess the state of
compliance, assess the risks and potential costs of non-compliance against the projected
expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions
deemed necessary.
INFORMATION SECURITY
What is Information Security?

“Information Security protects information from a wide range of threats in order to ensure
business continuity, minimise business damage and maximise return on investment and
business opportunities.”
The Changing Phase of Information Security
Traditional View
i. The domain of a System Administrator
ii. Task of Purchasing a Firewall
iii. Implementing Security Controls was not a compulsion
Modern View
i. The Domain of the Business Owner
ii. Task of Finding out what is AT RISK and finding right solutions for the same
iii. Business and Security can’t be separated
iv. Security Team Consists of Top Management, IT Managers and a Dedicated
Information Security Manager
v. Plan, Do, Check and Act Model
vi. Integration of Quality Systems Like ISO, CMMI etc. with Information Security
Models
Basic components

Confidentiality: Protecting information from unauthorized parties.
Integrity: Protecting information from modification by unauthorized users.
Availability: Making the information available to authorized users.

Information system audit standards – ISO (International Organization for Standardization) 27001

ISO/IEC 27001 - Information security management

The ISO 27000 family of standards helps organizations keep information assets secure. Using
this family of standards will help your organization manage the security of assets such as
financial information, intellectual property, employee details or information entrusted to you
by third parties.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an
information security management system (ISMS).
i. It is an International Standard for Information Security Management
ii. It consists of various specifications for Information Security Management
iii. Code of Practice for Information Security Management
iv. Basis for contractual relationship
v. Basis for third party certification
vi. Can be Certified by Certification Bodies
vii. Applicable to all industry Sectors
viii. Emphasis on prevention

Plan Do Check Act Cycle (PDCA)

[Figure: PDCA model applied to the ISMS]
Input: Interested parties - information security requirements and expectations
Plan: Establish the ISMS
Do: Implement and operate the ISMS
Check: Monitor and review the ISMS
Act: Maintain and improve the ISMS
Output: Interested parties - managed information security

ISO17799:2005 / ISO27001 (earlier BS7799) Framework

[Figure: Information Security Management System; Incident Management]

Tech Mahindra Certified for since March 2005

1. Security Policy
Objective:
• Information security policy
Covers:
• Information security policy document
• Review of Informational Security Policy

2. Organization of information security
Objective:
• Internal Organization
• External Parties
Covers:
• Management commitment to information security
• Information security coordination
• Allocation of information security responsibilities
• Authorization process for information processing facilities
• Confidentiality agreements
• Contact with authorities
• Contact with special interest groups
• Independent review of information security
• Identification of risks related to external parties
• Addressing security when dealing with customers
• Addressing Security in third party agreements

3. Asset Management
Objective:
• Responsibility for assets
• Information classification
Covers:
• Inventory of assets
• Ownership of assets
• Acceptable use of assets
• Classification guidelines
• Information labelling and handling

4. Human Resource Security
Objective:
• Prior to employment
• During employment
• Termination or change of employment
Covers:
• Roles and responsibilities
• Screening
• Terms and conditions of employment
• Management responsibilities
• Information security awareness, education and training
• Disciplinary process
• Termination responsibilities
• Return of assets
• Removal of access rights

5. Physical and Environmental Security
Objective:
• Secure Areas
• Equipment Security
Covers:
• Physical Security Perimeter
• Physical entry Controls
• Securing Offices, rooms and facilities
• Protecting against external and environmental threats
• Working in Secure Areas
• Public access delivery and loading areas
• Cabling Security
• Equipment Maintenance
• Securing of equipment off-premises
• Secure disposal or re-use of equipment
• Removal of property

6. Communications & Operations Management
Objective:
• Operational Procedures and responsibilities
• Third party service delivery management
• System planning and acceptance
• Protection against malicious and mobile code
• Backup
• Network Security Management
• Media handling
• Exchange of Information
• Electronic Commerce Services
• Monitoring
Covers:
• Documented Operating procedures
• Change management
• Segregation of duties

7. Access Controls
Objective:
• Business Requirement for Access Control
• User Access Management
• User Responsibilities
• Network Access Control
• Operating system access control
• Application and Information Access Control
• Mobile Computing and teleworking
Covers:
• Access Control Policy
• User Registration
• Privilege Management
• User Password Management
• Review of user access rights
• Password use

8. Information systems acquisition, development and maintenance
Objective:
• Security requirements of information systems
• Correct processing in applications
• Cryptographic controls
• Security of system files
• Security in development and support processes
• Technical Vulnerability Management
Covers:
• Security requirements analysis and specification
• Input data validation
• Control of internal processing
• Message integrity
• Output data validation
• Policy on use of cryptographic controls
• Key management
• Control of operational software
• Protection of system test data

9. Information Security Incident Management
Objective:
• Reporting information security events and weaknesses
• Management of information security incidents and improvements
Covers:
• Reporting information security events
• Reporting security weaknesses
• Responsibilities and procedures
• Learning from information security incidents
• Collection of evidence

10. Business Continuity Management
Objective:
• Information security aspects of business continuity management
Covers:
• Including information security in the business continuity management process
• Business continuity and risk assessment
• Developing and implementing continuity plans including information security
• Business continuity planning framework
• Testing, maintaining and re-assessing business continuity plans

11. Compliance
Objective:
• Compliance with legal requirements
• Compliance with security policies and standards, and technical compliance
• Information Systems audit considerations
Covers:
• Identification of applicable legislation
• Intellectual property rights (IPR)
• Protection of organizational records
• Data protection and privacy of personal information
• Prevention of misuse of information processing facilities
• Regulation of cryptographic controls
• Compliance with security policies and standards
• Technical compliance checking
• Information systems audit controls
• Protection of information system audit tools

INFORMATION SYSTEM AUDIT STANDARDS-ISO 27001


What is an ISMS?
An ISMS is a systematic approach to managing sensitive company information so that it
remains secure. It includes people, processes and IT systems by applying a risk management
process.
• It can help small, medium and large businesses in any sector keep information assets
secure.

• An information security management system (ISMS) is a set of policies concerned
with information security management or IT related risks.

• The governing principle behind an ISMS is that an organization should design, implement
and maintain a coherent set of policies, processes and systems to manage risks to its
information assets, thus ensuring acceptable levels of information security risk.

Need for an ISMS:


i. Information technology security administrators should expect to devote approximately
one-third of their time addressing technical aspects. The remaining two-thirds should
be spent developing policies and procedures, performing security reviews and
analyzing risk, addressing contingency planning and promoting security awareness;
ii. Security depends on people more than on technology;
iii. Employees are a far greater threat to information security than outsiders;
iv. Security is like a chain. It is only as strong as its weakest link;
v. The degree of security depends on three factors: the risk you are willing to take, the
functionality of the system and the costs you are prepared to pay;
vi. Security is not a status or a snapshot, but a running process;
vii. These facts inevitably lead to the conclusion that security administration is a
management issue, and not a purely technical issue.

The establishment, maintenance and continuous update of an ISMS provide a strong
indication that a company is using a systematic approach for the identification, assessment
and management of information security risks.

Critical factors of ISMS:
i. Confidentiality: Protecting information from unauthorized parties.
ii. Integrity: Protecting information from modification by unauthorized users.
iii. Availability: Making the information available to authorized users.

The development of an ISMS framework based on ISO/IEC 27001:2005 entails the
following six steps:
i. Definition of security policy,
ii. Definition of ISMS scope,
iii. Risk assessment (as part of risk management),
iv. Risk management,
v. Selection of appropriate controls and
vi. Statement of applicability

COBIT
Control Objectives for Information and Related Technology (COBIT) is a framework
created by ISACA for information technology (IT) management and IT governance. It is a
supporting toolset that allows managers to bridge the gap between control requirements,
technical issues and business risks.

[Figure: COBIT: Governance of Enterprise IT (GEIT); labels: Val IT 2.0 (2008), Risk IT (2009), 2012]

COBIT 5 in Overview
COBIT 5 brings together the five principles that allow the enterprise to build an effective
governance and management framework based on a holistic set of seven enablers that
optimises information and technology investment and use for the benefit of stakeholders.

COBIT 5 Principles

Governance (and Management) in COBIT 5
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder
needs, conditions and options; setting direction through prioritisation and decision
making; and monitoring performance, compliance and progress against agreed
direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve the enterprise objectives (PBRM).
Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which
focuses on stakeholder risk-related objectives: Ensure risk optimisation.
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related
process: Manage risk.
Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a
compliance-focused process: Monitor, evaluate and assess compliance with external
requirements.

The COBIT components include:

i. Framework: Organizes IT governance objectives and good practices by IT domains
and processes, and links them to business requirements.
ii. Process descriptions: A reference process model and common language for everyone
in an organization. The processes map to responsibility areas of plan, build, run and
monitor.
iii. Control objectives: Provide a complete set of high-level requirements to be
considered by management for effective control of each IT process.
iv. Management guidelines: Help assign responsibility, agree on objectives, measure
performance, and illustrate interrelationship with other processes.
v. Maturity models: Assess maturity and capability per process and help to address
gaps.

CMM-Capability Maturity Model
Capability Maturity Model is a benchmark for measuring the maturity of an organization’s
software process. It is a methodology used to develop and refine an organization’s software
development process. CMM can be used to assess an organization against a scale of five
process maturity levels based on certain Key Process Areas (KPA). It describes the maturity
of the company based upon the project the company is dealing with and the clients. Each
level ranks the organization according to its standardization of processes in the subject area
being assessed.
A maturity model provides:
• A place to start
• The benefit of a community’s prior experiences
• A common language and a shared vision
• A framework for prioritizing actions
• A way to define what improvement means for your organization
In CMMI models with a staged representation, there are five maturity levels designated
by the numbers 1 through 5 as shown below:
i. Initial
ii. Managed
iii. Defined
iv. Quantitatively Managed
v. Optimizing

Maturity levels consist of a predefined set of process areas. The maturity levels are
measured by the achievement of the specific and generic goals that apply to each
predefined set of process areas. The following sections describe the characteristics of
each maturity level in detail.

Maturity Level 1 – Initial: Company has no standard process for software development. Nor
does it have a project-tracking system that enables developers to predict costs or finish dates
with any accuracy.
In detail we can describe it as given below:
i. At maturity level 1, processes are usually ad hoc and chaotic.
ii. The organization usually does not provide a stable environment. Success in these
organizations depends on the competence and heroics of the people in the
organization and not on the use of proven processes.
iii. Maturity level 1 organizations often produce products and services that work, but
the company has no standard process for software development, nor does it have a
project-tracking system that enables developers to predict costs or finish dates with
any accuracy.
iv. Maturity level 1 organizations are characterized by a tendency to overcommit,
abandon processes in times of crisis, and be unable to repeat their past successes.

Maturity Level 2 – Managed: Company has installed basic software management processes
and controls. But there is no consistency or coordination among different groups.
In detail we can describe it as given below:
i. At maturity level 2, an organization has achieved all the specific and generic goals of
the maturity level 2 process areas. In other words, the projects of the organization
have ensured that requirements are managed and that processes are planned,
performed, measured, and controlled.
ii. The process discipline reflected by maturity level 2 helps to ensure that existing
practices are retained during times of stress. When these practices are in place,
projects are performed and managed according to their documented plans.
iii. At maturity level 2, requirements, processes, work products, and services are
managed. The status of the work products and the delivery of services are visible to
management at defined points.
iv. Commitments are established among relevant stakeholders and are revised as needed.
Work products are reviewed with stakeholders and are controlled.
v. The work products and services satisfy their specified requirements, standards, and
objectives.
Maturity Level 3 – Defined: Company has pulled together a standard set of processes and
controls for the entire organization so that developers can move between projects more easily
and customers can begin to get consistency from different groups.
In detail we can describe it as given below:
i. At maturity level 3, an organization has achieved all the specific and generic goals.
ii. At maturity level 3, processes are well characterized and understood, and are
described in standards, procedures, tools, and methods.
iii. A critical distinction between maturity level 2 and maturity level 3 is the scope of
standards, process descriptions, and procedures. At maturity level 2, the standards,
process descriptions, and procedures may be quite different in each specific instance
of the process (for example, on a particular project). At maturity level 3, the standards,
process descriptions, and procedures for a project are tailored from the organization’s
set of standard processes to suit a particular project or organizational unit.
iv. The organization’s set of standard processes includes the processes addressed at
maturity level 2 and maturity level 3. As a result, the processes that are performed
across the organization are consistent except for the differences allowed by the
tailoring guidelines.
v. Another critical distinction is that at maturity level 3, processes are typically
described in more detail and more rigorously than at maturity level 2.
vi. At maturity level 3, processes are managed more proactively using an understanding
of the interrelationships of the process activities and detailed measures of the process,
its work products, and its services.

Maturity Level 4 – Quantitatively Managed: In addition to implementing standard
processes, company has installed systems to measure the quality of those processes across all
projects.
In detail we can describe it as given below:
i. At maturity level 4, an organization has achieved all the specific goals of the process
areas assigned to maturity levels 2, 3, and 4 and the generic goals assigned to
maturity levels 2 and 3.
ii. At maturity level 4, sub-processes are selected that significantly contribute to overall
process performance. These selected sub-processes are controlled using statistical and
other quantitative techniques.
iii. Quantitative objectives for quality and process performance are established and used
as criteria in managing processes. Quantitative objectives are based on the needs of
the customer, end users, organization, and process implementers. Quality and process
performance are understood in statistical terms and are managed throughout the life of
the processes.
iv. For these processes, detailed measures of process performance are collected and
statistically analyzed. Special causes of process variation are identified and, where
appropriate, the sources of special causes are corrected to prevent future occurrences.
v. Quality and process performance measures are incorporated into the organization’s
measurement repository to support fact-based decision making in the future.
vi. A critical distinction between maturity level 3 and maturity level 4 is the predictability
of process performance. At maturity level 4, the performance of processes is
controlled using statistical and other quantitative techniques, and is quantitatively
predictable. At maturity level 3, processes are only qualitatively predictable.
Maturity Level 5 – Optimizing: Company has accomplished all of the above and can
now begin to see patterns in performance over time, so it can tweak its processes in order
to improve productivity and reduce defects in software development across the entire
organization.
In detail we can describe it as given below:
i. At maturity level 5, an organization has achieved all the specific goals of the process
areas assigned to maturity levels 2, 3, 4, and 5 and the generic goals assigned to
maturity levels 2 and 3.
ii. Processes are continually improved based on a quantitative understanding of the
common causes of variation inherent in processes.
iii. Maturity level 5 focuses on continually improving process performance through both
incremental and innovative technological improvements.
iv. Quantitative process-improvement objectives for the organization are established,
continually revised to reflect changing business objectives, and used as criteria in
managing process improvement.
v. The effects of deployed process improvements are measured and evaluated against the
quantitative process-improvement objectives. Both the defined processes and the
organization’s set of standard processes are targets of measurable improvement
activities.
vi. Optimizing processes that are agile and innovative depends on the participation of an
empowered workforce aligned with the business values and objectives of the
organization.
vii. The organization’s ability to rapidly respond to changes and opportunities is enhanced
by finding ways to accelerate and share learning. Improvement of the processes is
inherently part of everybody’s role, resulting in a cycle of continual improvement.
viii. A critical distinction between maturity level 4 and maturity level 5 is the type of
process variation addressed. At maturity level 4, processes are concerned with
addressing special causes of process variation and providing statistical predictability
of the results. Though processes may produce predictable results, the results may be
insufficient to achieve the established objectives. At maturity level 5, processes are
concerned with addressing common causes of process variation and changing the
process (that is, shifting the mean of the process performance) to improve process
performance (while maintaining statistical predictability) to achieve the established
quantitative process-improvement objectives.

HIPAA
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The
primary goal of the law is to make it easier for people to keep health insurance, protect the
confidentiality and security of healthcare information and help the healthcare industry control
administrative costs.
HIPAA is divided into different titles or sections, each of which addresses a unique aspect
of health insurance reform. Two main sections are Title I, dealing with Portability, and
Title II, which focuses on Administrative Simplification.

The act, which was signed into law by President Bill Clinton in August 1996,
contains five sections, or titles:

1. HIPAA Title I protects health insurance coverage for individuals who lose or
change jobs. It also prohibits group health plans from denying coverage to
individuals with specific diseases and pre-existing conditions, and from
setting lifetime coverage limits.
2. HIPAA Title II directs the U.S. Department of Health and Human Services to
establish national standards for processing electronic healthcare transactions.
It also requires healthcare organizations to implement secure electronic access
to health data and to remain in compliance with privacy regulations set by
HHS.
3. HIPAA Title III includes tax-related provisions and guidelines for medical
care.
4. HIPAA Title IV further defines health insurance reform, including provisions
for individuals with pre-existing conditions and those seeking continued
coverage.
5. HIPAA Title V includes provisions on company-owned life insurance and
treatment of those who lose their U.S. citizenship for income tax purposes.

In IT circles, adhering to HIPAA Title II is what most people mean when they refer
to HIPAA compliance. Also known as the Administrative Simplification provisions,
Title II includes the following HIPAA compliance requirements:
i. National Provider Identifier Standard. Each healthcare entity, including
individuals, employers, health plans and healthcare providers, must have a
unique 10-digit national provider identifier number, or NPI.
ii. Transactions and Code Sets Standards. Healthcare organizations must
follow a standardized mechanism for electronic data interchange (EDI) in
order to submit and process insurance claims.
iii. HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually
Identifiable Health Information, this rule establishes national standards to protect
patient health information.
iv. HIPAA Security Rule. The Security Standards for the Protection of Electronic
Protected Health Information sets standards for patient data security.
v. HIPAA Enforcement Rule. This rule establishes guidelines for investigations into
HIPAA compliance violations.

In 2013, the HIPAA Omnibus Rule was put in place by HHS to implement
modifications to HIPAA in accordance with guidelines set in 2009 by the Health
Information Technology for Economic and Clinical Health (HITECH) Act concerning
the responsibilities of business associates of covered entities. The omnibus rule also
increased penalties for HIPAA compliance violations to a maximum of $1.5 million
per incident.

HIPAA violations can prove quite costly for healthcare organizations. First, the
HIPAA Breach Notification Rule within the omnibus set of regulations requires
covered entities and any affected business associates to notify patients following a
data breach. In addition to the notification costs, healthcare organizations can
encounter fines after HIPAA audits mandated by the HITECH Act and conducted by
the Office for Civil Rights (OCR). Providers could also face criminal penalties
stemming from violations of the HIPAA privacy and security rules.

WHO DOES IT AFFECT?

All organizations that deal with a person’s health information:
• Providers (Hospitals, Clinics and Physicians)
• Health Plans
• Health Care Clearinghouses
Notice of Privacy Practices
i. Provides individual notice of all of the ways the organization uses and shares a
patient’s health information
ii. Explains a patient’s rights to confidentiality and access to his/her information
iii. Is posted prominently in the organization and on the organization’s Web site
Safeguarding Patient Information
• The Release of Patient Information:

i. HIPAA allows us to share patient information with any of the patient’s health care
providers without an authorization from the patient.
ii. If you are presented with an authorization to release medical information, contact the
Health Information Management Department.

• Releasing Confidential Information

You cannot share information with the patient’s family, friends or anyone else
without written authorization from the patient except:
• The patient’s guardian, durable power of attorney for healthcare, or next of kin (if the
patient is incapacitated).
• For operations of the hospital (e.g. quality assurance, incident reports, teaching and
education of residents and students).
• To enable our organization to get paid for services rendered.
• When there is a legal duty to report (e.g. child abuse, domestic violence, gunshot or
stab wounds).
• To another healthcare provider that has treated the patient to enable that provider to
get paid for their services.

What is Confidential Information?


Any information about a patient that is written, saved on a computer, or electronic media
(disks, CDs, etc.), or spoken is Protected Health Information (PHI). PHI includes:
• Name
• Age
• E-Mail
• Social Security #
• Address
• Phone Number
• Diagnosis
• Medical history
• Medications
• Observations of Health
• Medical Record Number
• Any Unique Identifier
• The fact that the patient is in the hospital

Statement on Auditing Standards


Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as
SAS 70, is an auditing statement issued by the Auditing Standards Board of the American
Institute of Certified Public Accountants (AICPA) with its content codified as AU 324. As of
June 2011, the Statement on Standards for Attestation Engagements No. 16, reporting on
Controls at a Service Organization, SSAE 16, replaces SAS 70. SAS 70 provides guidance to
service auditors when assessing the internal control of a service organization and issuing a
service auditor’s report. SAS 70 also provides guidance to auditors of financial statements of
an entity that uses one or more service organizations. Service organizations are typically
entities that provide outsourcing services that impact the control environment of their
customers. Examples of service organizations are insurance and medical claims processors,
trust companies, hosted data centers, application service providers (ASPs), managed security
providers, credit processing organizations and clearinghouses.

There are two types of service auditor reports.


A Type I service auditor’s report
It includes the service auditor's opinion on the fairness of the presentation of the service
organization's description of controls that had been placed in operation and the suitability of
the design of the controls to achieve the specified control objectives.
A Type II service auditor’s report
It includes the information contained in a Type I service auditor's report and also includes the
service auditor's opinion on whether the specific controls were operating effectively during
the period under review.
Difference between Type I and Type II Engagements
i. Type I reports are issued for a specific date and are limited to an inquiry into and
observation of the controls
ii. Type II reports are issued after a minimum six-month testing period has been
completed and are focused on the operating effectiveness of controls
iii. Type I consists of inquiry into and observation of controls
iv. Type II would include testing of controls
Type I vs. Type II Reports

Information | Type I | Type II
SAS 70 Service Auditor’s Report | Required | Required
Description of Controls | Required | Required
Information provided by the service auditor (a detailed listing of controls and testing of operating effectiveness) | Optional | Required
Information provided by the service organization | Optional | Optional
User organization control considerations (controls that user organizations have in place) | Optional | Optional

FEATURES-
i. Statement on Auditing Standards (SAS) No. 70, Service Organizations, was a widely
recognized auditing standard developed by the American Institute of Certified Public
Accountants (AICPA). A service auditor's examination performed in accordance with
SAS No. 70 (also commonly referred to as a "SAS 70 Audit") represents that a service
organization has been through an in-depth examination of their control objectives and
control activities, which often include controls over information technology and
related processes. In today's global economy, service organizations or service
providers must demonstrate that they have adequate controls and safeguards when
they host or process data belonging to their customers. In addition, the requirements
of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even
more important to the process of reporting on the effectiveness of internal control
over financial reporting.

ii. For nearly 18 years, SAS No. 70 was the authoritative guidance that allowed service
organizations to disclose their control activities and processes to their customers and
their customers' auditors in a uniform reporting format. The issuance of a service
auditor's report prepared in accordance with SAS No. 70 signifies that a service
organization has had its control objectives and control activities examined by an
independent accounting and auditing firm. The service auditor's report, which
includes the service auditor's opinion, is issued to the service organization at the
conclusion of a SAS 70 examination.

iii. SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to
issue an opinion on a service organization's description of controls through a Service
Auditor's Report (see below). SAS 70 does not specify a pre-determined set of control
objectives or control activities that service organizations must achieve. Service
auditors are required to follow the AICPA's standards for fieldwork, quality control,
and reporting. A SAS 70 Audit is not a "checklist" audit.

iv. SAS No. 70 is generally applicable when an independent auditor ("user auditor") is
planning the financial statement audit of an entity ("user organization") that obtains
services from another organization ("service organization"). Service organizations that
impact a user organization's system of internal controls could be application service
providers, bank trust departments, claims processing centers, data centers, third party
administrators, or other data processing service bureaus.

v. In an audit of a user organization's financial statements, the user auditor obtains an
understanding of the entity's internal control sufficient to plan the audit as required in
SAS No. 55, Consideration of Internal Control in a Financial Statement Audit.
Identifying and evaluating relevant controls is generally an important step in the user
auditor's overall approach. If a service organization provides transaction processing,
data hosting, IT infrastructure or other data processing services to the user
organization, the user auditor may need to gain an understanding of the controls at the
service organization in order to properly plan the audit and evaluate control risk.

vi. In 2011, Statement on Standards for Attestation Engagements (SSAE) No. 16 took
effect and replaced SAS 70 as the authoritative guidance for performing a service
auditor's examination. SSAE 16 established a new attestation standard (AT 801) to
contain the professional guidance. You can learn more about SSAE 16 at
www.ssae16.com. At the same time, the AICPA also launched a new Service
Organization Controls (SOC) reporting framework designed to allow practitioners to
provide different types of reports depending on the needs of service organizations and
their stakeholders.
Candidates for SAS 70 Audits
i. Claims processing centers
ii. Trust/benefit plan administrators
iii. Data centers
iv. Application service providers
v. Payroll processors
vi. Internet service providers

SAS 70 Certified Advantages:


Benefits to Service Organizations-
i. Unqualified opinions demonstrate that your organization has effective controls
ii. Decreases business interruption by removing other audits throughout the year for
purposes of satisfying user organizations
iii. Primary benefit to a company is that it eliminates the need for the company to
perform its own audit of each of its third-party service provider’s internal controls
iv. Ability to leverage SAS 70 certification into a market differentiator against existing
competitors who are vying for outsourcing contracts from user organizations
v. User organizations are able to gain a greater understanding and assurance of the
internal controls in place at service organizations
vi. Shows that they have taken steps in developing and implementing controls throughout
the identified platform being used to process transactions for user organizations
vii. Type I and II reports assist external auditors of user organizations by cutting down on
the time and costs of having to inquire on controls at service organizations

Why SAS 70 audits are unique


i. The scope of the engagement and the voluminous amount of information included in
the final service auditor’s report
ii. SAS 70 auditors focus on general and application controls, as well as operational and
Human Resources issues, security guidelines and business continuity plans
iii. Only a CPA or accounting firm can sign off and issue a SAS 70 service auditor’s
report
iv. Only a seasoned accountant should be considered as a primary source for SAS 70
engagements

Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S.
Congress to protect shareholders and the general public from accounting errors and
fraudulent practices in the enterprise, as well as improve the accuracy of corporate
disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which
sets deadlines for compliance and publishes rules on requirements.
i. The Sarbanes-Oxley Act was enacted in response to a series of high-profile financial
scandals that occurred in the early 2000s at companies including Enron, WorldCom
and Tyco that rattled investor confidence. The act, drafted by U.S. Congressmen Paul
Sarbanes and Michael Oxley, was aimed at improving corporate governance and
accountability. Now, all public companies must comply with SOX.

ii. The Sarbanes-Oxley Act not only affects the financial side of corporations, but also IT
departments charged with storing a corporation's electronic records. The act is not a
set of business practices and does not specify how a business should store records;
rather, it defines which records should be stored and for how long. SOX states that all
business records, including electronic records and electronic messages, must be saved
for "not less than five years." The consequences for noncompliance are fines,
imprisonment or both.

iii. IT departments are increasingly tasked with creating and maintaining a corporate
records archive in a cost-effective fashion that satisfies the requirements put forth by
the legislation.
Section 802 of Sarbanes-Oxley contains the three rules that affect the management of
electronic records.
The first rule deals with the destruction, alteration or falsification of records, and the
resulting penalties.
The second rule defines the retention period for records storage. Best practices indicate that
corporations securely store all business records using the same guidelines set for public
accountants.
The third rule refers to the type of business records that need to be stored, including all
business records and communications, including electronic communications.

iv. The bill, which contains eleven sections, was enacted as a reaction to a number of
major corporate and accounting scandals, including Enron and WorldCom. The
sections of the bill cover responsibilities of a public corporation’s board of directors,
add criminal penalties for certain misconduct, and require the Securities and
Exchange Commission to create regulations to define how public corporations are to
comply with the law.
v.

MODULE – 3 Overview Of Specific Section Of IT ACT

IT ACT 2008
i. In the year 2000, India enacted its first law on Information Technology, namely the
Information Technology Act, 2000.
ii. The IT Act, 2000 is based on the Model law of E-commerce adopted by UNCITRAL
in 1996.
iii. The preamble to the IT Act, 2000 points out a threefold objective: firstly, to provide
legal recognition for transactions carried out through electronic means; secondly, to
facilitate the electronic filing of documents with government agencies; and thirdly, to
amend certain Acts, inter alia, the Indian Penal Code, 1860 and the Indian Evidence
Act, 1872.
iv. The IT Act, 2000 gave legal validity and recognition to electronic documents and
digital signatures and enabled conclusion of legally valid & enforceable e-contracts.
v. It also provided a regulatory regime to supervise the Certifying Authorities issuing
digital signature certificates and created civil and criminal liabilities for contravention
of the provisions of the IT Act, 2000.
vi. With the passage of time, as technology developed further and new methods of
committing crime using the Internet & computers surfaced, the need was felt to amend
the IT Act, 2000 to insert new kinds of cyber offences and plug other loopholes that
posed hurdles in the effective enforcement of the IT Act, 2000.
vii. This led to the passage of the Information Technology (Amendment) Act, 2008, which
was made effective from 27 October 2009. The IT (Amendment) Act, 2008 has brought
marked changes in the IT Act, 2000 on several counts.

Overview of Specific Section of IT Act 2008 Different sections

1. Electronic signatures introduced: With the passage of the IT (Amendment)
Act, 2008 India has become technologically neutral due to adoption of electronic
signatures as a legally valid mode of executing signatures. This includes digital
signatures as one of the modes of signatures and is far broader in ambit covering
biometrics and other new forms of creating electronic signatures.
2. Corporate responsibility introduced in S.43A: The corporate responsibility for data
protection is incorporated in S 43A in the amended IT Act, 2000, whereby corporate
bodies handling sensitive personal information or data in a computer resource are
under an obligation to ensure adoption of “reasonable security practices” to maintain
its secrecy, failing which they may be liable to pay damages.
3. Important definitions added: Two very important definitions are added to the IT
Act through the IT Amendment Act, 2008: Section 2(ha), “communication device”,
and Section 2(w), “intermediary”. Although cell phones and other devices used
to communicate would fall under the definition of computer in the IT Act, this
amendment removes any ambiguity and brings within the ambit of the Act all
communication devices, cellphones, iPods or other devices used to communicate,
send or transmit any text, video, audio or image. The insertion of “intermediary”
similarly clarifies which service providers come within its definition, which includes
telecom service providers, network service providers, internet service providers,
webhosting service providers, search engines, online payment sites, online auction
sites, online market places and cyber cafes.
4. New cybercrimes as offences under amended Act: Many cybercrimes for which no
express provisions existed in the IT Act, 2000 now stand included by the IT
(Amendment) Act, 2008: sending of offensive or false messages (s 66A), receiving
stolen computer resource (s 66B), identity theft (s 66C), cheating by personation (s
66D), violation of privacy (s 66E). A new offence of cyber terrorism is added in
Section 66F, which prescribes punishment that may extend to imprisonment for life.
Section 66F covers any act committed with intent to threaten unity, integrity, security
or sovereignty of India or cause terror by causing DoS attacks, introduction of
computer contaminant, unauthorized access to a computer resource, stealing of
sensitive information, any information likely to cause injury to interests of
sovereignty or integrity of India, the security, friendly relations with other states,
public order, decency, morality, or in relation to contempt of court, defamation or
incitement to an offence, or to advantage of any foreign nation, group of individuals
or otherwise.
5. Power to block unlawful websites should be exercised with caution: Section 69A
has been inserted in the IT Act by the amendments in 2008 and gives power to the Central
government or any authorized officer to direct any agency or intermediary (for reasons
recorded in writing) to block websites in special circumstances as applicable in
Section 69. Under this Section the grounds on which such blocking is possible are
quite wide. In this respect, the Information Technology (Procedure and Safeguards for
Blocking for Access of Information by Public) Rules, 2009 were passed vide GSR
781(E) dated 27 Oct 2009, whereby websites promoting hate content, slander,
defamation, promoting gambling, racism, violence and terrorism, pornography,
violent sex can reasonably be blocked.
6. Section 69B added to confer power to collect, monitor traffic data: As a result of
the amendments in 2008, Section 69B confers on the Central government power to
appoint any agency to monitor and collect traffic data or information generated,
transmitted, received, or stored in any computer resource in order to enhance its
cyber-security and for identification, analysis, and prevention of intrusion or spread of
computer contaminant in the country. The Information Technology (procedure and
safeguard for monitoring and collecting traffic data or information) Rules, 2009 have
been laid down to monitor and collect the traffic data or information for cyber security
purposes under Section 69B. They place responsibility to maintain confidentiality on
intermediaries and provide for prohibition of monitoring or collection of data without
authorization.
7. Significance of the term “Critical Information Infrastructure”: Section 70 has a
very important definition added by the IT (Amendment) Act, 2008. The explanation to
Section 70 defines what is “critical information infrastructure”. It encompasses the
computer resource the destruction of which has an adverse impact not only on the defense
of India but also on the economy, public health or safety. This is a very significant step, as
today our IT infrastructure may also be used to manage certain services offered to the
public at large, destruction of which may directly affect public health and safety.
Hence, their protection is as important as maintaining the security and
sovereignty of India.
8. Liability of Intermediary amended - The earlier Section 79 made network service
providers liable for third party content only when it fails to prove that the offence was
committed without his knowledge or that he had exercised due diligence to prevent
the commission of such offence or contravention. The burden of proof was on the
network service provider. The amended Section 79 states that the
intermediary (mediator) shall not be liable for any third party information if it is only
providing access to a communication system over which information made available
by third parties is transmitted or temporarily stored or hosted or the intermediary does
not initiate the transmission, select the receiver and select or modify the information
contained in transmission. It provides that the Intermediary shall be liable if he has
conspired or abetted or induced, whether by threats or promise or otherwise in the
commission of the unlawful act (Section 79(3)(a)).
9. Examiner of Electronic Evidence created - With the amendments in 2008, Section 79A
is added, which empowers the Central government to appoint any department or agency
of Central or State government as Examiner of Electronic Evidence. This agency will
play a crucial role in providing expert opinion on electronic form of evidence. The
explanation to the Section has an inclusive definition of "electronic form evidence"
that means any information of probative value that is either stored or transmitted in
electronic form and includes computer evidence, digital audio, digital video,
cellphones, digital fax machines. With the increasing number of cybercrime cases it
will become necessary to set up at least one Examiner of Electronic Evidence in each
State. The CFSIL laboratory in Hyderabad is playing a similar role at present in
cybercrime cases where forensic study of hard discs and other computer accessories and
digital equipment is undertaken to provide expert opinion on the digital evidence
analyzed.

What is an Electronic Contract?


Many transactions and other forms of trade are now conducted electronically. When a bank’s
customer withdraws money or uses an ATM for other purposes, an electronic transaction
takes place. More and more business is now done electronically, often with the parties never
physically meeting each other. Online shops, for example, allow potential customers to
browse, select and purchase goods without ever asking a salesperson for advice or assistance.
Negotiations, giving quotes or submitting tenders for work may all be done electronically and
indeed are. A great deal of information is now passed electronically within organizations and
from one organization to another. This all raises a number of legal questions, specifically
with regard to electronic contracts. Some of the most important issues include whether an
electronic contract is valid, that is, whether it must comply with certain formalities, whether
electronic signatures are admissible as evidence of intent and agreement, and what law
applies to an electronic contract (if it is between international parties).

A "cyber", or electronic contract is a contract created wholly or in part through
communications over computer networks. A cyber-contract can be created entirely by the
exchange of e-mails where an offer and an acceptance are evident or they can be made by a
combination of electronic communications, paper documents, faxes and oral discussions.

Electronic contracts can add the element of speed and efficiency to the contracting process.

LEGAL REQUIREMENTS FOR ELECTRONIC CONTRACTS:


1. Authenticity
2. Integrity
3. Nonrepudiation
4. Writing and signature
5. Confidentiality
1. AUTHENTICITY
Authenticity is concerned with the source or origin of a communication. Who is the
message from? Is it genuine or a forgery? Every party to an electronic contract must
have confidence in the authenticity of the messages it receives. A party who fails to
verify the other party's identity in any transaction may have no recourse if a fraud is
perpetrated. Communications that cannot be authenticated in a tangible form may not
be used as evidence in a court room.
2. INTEGRITY
Integrity is concerned with the accuracy and completeness of the communication.
Both senders and receivers of electronic communications must be able to tell: is the
message sent identical to the message received?, is the message complete or has
something been lost in transmission?, has the message been altered in any way either
in transmission or in storage? Messages sent over the Internet pass through many
routing stations and packet-switching nodes. Hence, there are many opportunities for
messages to be altered along the way to their final destination.
3. NONREPUDIATION
Nonrepudiation is concerned with holding the sender to the communication he or she
sent. The sender should not be able to deny having sent the communication if he or
she did, in fact, send it, or to claim that the contents of the communication as received
are not the same as what the sender sent if, in fact, they are what was sent. When a
contract is in dispute, the party relying on it must be able to prove that the other side
actually agreed to the deal.
4. WRITING AND SIGNATURE
As a general rule, contracts do not have to be in writing or even signed by either party
to be enforceable. Contracts may be formed by conduct of the parties and may be oral
unless they fall under the Statute of Frauds. The Statute of Frauds is a series of
statutes that have been passed in most states that require that certain types of contracts
must be in writing to be enforceable.
A signature is "any symbol executed or adopted by a party with present intention to
authenticate a writing". Therefore, a signature need not be ink on paper; rather, the
issue is the intent of the signer. A symbol or code on an electronic record, intended as
a signature by the signer, should meet the statute of frauds requirement.
5. CONFIDENTIALITY
Confidentiality is concerned with controlling the disclosure of information. Corporate
meeting planners for instance may not want the general public to know about the
content of the upcoming meeting that concerns a new product. Suppliers may not
want everyone to know the special rates being quoted to a particular group.

Digital Signature
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital
message or document. A valid digital signature gives a recipient reason to believe that the
message was created by a known sender, such that the sender cannot deny having sent the
message (authentication and non-repudiation) and that the message was not altered in transit
(integrity). Digital signatures are commonly used for software distribution, financial
transactions, and in other cases where it is important to detect forgery or tampering.
OR
A digital signature (not to be confused with a digital certificate) is a mathematical technique
used to validate the authenticity and integrity of a message, software, or digital document.
The digital equivalent of a handwritten signature or stamped seal, but offering far more
inherent security, a digital signature is intended to solve the problem of tampering and
impersonation in digital communications. Digital signatures can provide the added assurances
of evidence of origin, identity and status of an electronic document, transaction or message,
as well as acknowledging informed consent by the signer.

• Digital signatures are based on public key cryptography, also known as asymmetric
cryptography. Using a public key algorithm such as RSA, one can generate two keys
that are mathematically linked: one private and one public. To create a digital signature,
signing software (such as an email program) creates a one-way hash of the electronic
data to be signed. The private key is then used to encrypt the hash.

• A sender must first create a public-private key pair before an electronic communication
can be digitally signed. The sender discloses his or her public key to the recipient. The
private key is kept confidential by the sender and is used for the purpose of creating a
digital signature.
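
The hash-then-sign flow described above, and the authenticity, integrity and nonrepudiation requirements listed earlier for electronic contracts, can be traced in a short Python sketch. This is an added example, not part of the original notes: it uses textbook RSA with fixed, publicly known demo primes and no padding, and the function names and the sample purchase order are constructed for illustration.

```python
import hashlib

# Constructed demo primes (the Mersenne primes 2^521-1, 2^607-1 and 2^127-1).
# They are public knowledge and are used only to keep the example deterministic;
# a real key pair is built from large random primes that are kept secret.
P1 = 2**521 - 1
P2 = 2**607 - 1
P3 = 2**127 - 1
E = 65537  # commonly used public exponent


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)


def digest_as_int(message: bytes) -> int:
    """One-way hash of the data to be signed, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Apply the private key to the hash of the message."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message)


def demo():
    # Constructed sample data: a seller signs a purchase order.
    seller_public, seller_private = make_keypair(P1, P2)
    _, impostor_private = make_keypair(P3, P1)  # someone else's private key

    order = b"PO-001: 40 units at Rs. 10,000 each, delivery in 30 days"
    signature = sign(seller_private, order)

    altered = order.replace(b"10,000", b"1,000")
    return {
        # Authenticity / nonrepudiation: only the seller's private key
        # produces a signature that the seller's public key accepts.
        "genuine": verify(seller_public, order, signature),
        # Integrity: any change to the message changes the hash.
        "altered": verify(seller_public, altered, signature),
        # A signature made with a different private key is rejected.
        "impostor": verify(seller_public, order, sign(impostor_private, order)),
    }


if __name__ == "__main__":
    print(demo())
```

Production systems do not sign the bare hash like this; they use a padded scheme such as RSA-PSS from a vetted cryptographic library.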

Cybercrime
Cybercrime, also called computer crime, is the use of a computer as an instrument to further
illegal ends, such as committing fraud, trafficking in child pornography and intellectual
property, stealing identities, or violating privacy. Cybercrime, especially through the Internet,
has grown in importance as the computer has become central to commerce, entertainment,
and government.
OR
Cyber crime encompasses any criminal act dealing with computers and networks (called
hacking). Additionally, cyber crime also includes traditional crimes conducted through the
Internet. For example, hate crimes, telemarketing and Internet fraud, identity theft, and credit
card account thefts are considered to be cyber crimes when the illegal activities are
committed through the use of a computer and the Internet.

Types of Cyber Crime


1. Hacking
2. Child Pornography
3. Denial of Service Attacks
4. Virus Dissemination
5. Computer Vandalism
6. Cyber Terrorism
7. Software Piracy
8. Web jacking

1. Hacking: Hacking has been defined as "Deliberately gaining unauthorised access to an
information system."
• Hackers Invade Privacy
• Hackers Destroy "Property" in the Form of Computer Files or Records
• Hackers Injure Other Computer Users by Destroying Information Systems
• Code Hackers - They know computers inside out. They can make the computer do
nearly anything they want it to.
• Crackers - They break into computer systems. Circumventing operating systems and
their security is their favourite pastime. It involves breaking the security on software
applications.
• Cyber Punks - They are the masters of cryptography.
• Phreakers - They combine their in-depth knowledge of the Internet and the mass
telecommunications system.

2. Child Pornography: This would include pornographic websites; pornographic magazines
produced using computers (to publish and print the material) and the Internet (to download
and transmit pornographic pictures, photos, writings etc).

3. Denial of Service Attacks: This is an act by criminals who flood the bandwidth of the
victim's network or fill his e-mail box with spam mail, depriving him of the service he/she is
entitled to access or provide. There are many DoS attacks, such as the ping of death and teardrop
attacks.
• A denial of service (DoS) attack is a malicious attempt to make a server or a network
resource unavailable to users, usually by temporarily interrupting or suspending the
services of a host connected to the Internet.
• A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented
packets to a target machine. Since the machine receiving such packets cannot
reassemble them due to a bug in TCP/IP fragmentation reassembly, the packets
overlap one another, crashing the target network device.

4. Virus Dissemination/Virus Builders: Virus incidents have resulted in significant and data
loss at some stage or the other. The loss could be on account of:
• Viruses - A virus is a program that may or may not attach itself to a file and
replicate itself. It can attack any area: from corrupting the data of the file that it
invades to using the computer's processing resources in an attempt to crash the machine,
and more.
• Worms - Worms may also invade a computer and steal its resources to replicate
themselves. They use the network to spread themselves. "Love bug" is a recent
example.
• Trojan horse - Trojan horse is dicey. It appears to do one thing but does something
else. The system may accept it as one thing. Upon execution, it may release a virus,
worm or logic bomb.
5. Computer Vandalism: Damaging or destroying data rather than stealing or misusing them
is called cyber vandalism. These are programs that attach themselves to a file and then
circulate.
6. Cyber terrorism: Terrorist attacks on the Internet are carried out by distributed denial of service
attacks, hate websites and hate e-mails, attacks on service networks, etc.
7. Software Piracy: Theft of software through illegal copying of genuine programs or the
counterfeiting and distribution of products intended to pass for the original.
8. Web Jacking: This occurs when someone forcefully takes control of a website (by
cracking the password and later changing it). The actual owner of the website does not have
any more control over what appears on that website.

What is a Certifying Authority?


A Certifying Authority is a trusted body whose central responsibility is to issue, revoke,
renew and provide directories of Digital Certificates.
The IT Act 2000 gives details of who can act as a CA (Certifying Authority). Accordingly, a
prospective CA has to establish the required infrastructure, get it audited by the auditors
appointed by the office of Controller of Certifying Authorities, and only based on complete
compliance of the requirements, a license to operate as a Certifying Authority can be
obtained. The license is issued by the Controller of Certifying Authority, Ministry of
Information Technology, Government of India.

Certifying Authorities issue Digital Certificates that are appropriate to specific purposes or
applications. Certificate Policies describe the different classes of certificates issued by the
CA, the procedures governing their issuance and revocation and terms of usage of such
certificates and among other things the rules governing the different uses of these certificates.

Computer Forensics / Cyber Fraud Investigation


Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for
presentation in a court of law.

Forensic process: Computer forensic investigations usually follow the standard digital
forensic process or phases: acquisition, examination, analysis and reporting. Investigations
are performed on static data (i.e. acquired images) rather than "live" systems. This is a change
from early forensic practices where a lack of specialist tools led to investigators commonly
working on live data.

ITIL-Information Technology Infrastructure Library


ITIL, formerly known as the Information Technology Infrastructure Library, is a set of
practices for IT service management (ITSM) that focuses on aligning IT services with the
needs of business. In its current form (known as ITIL 2011 edition), ITIL is published as a
series of five core volumes, each of which covers a different ITSM lifecycle stage. Although
ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management
Standard for IT service management, there are some differences between the ISO 20000
standard and the ITIL framework.
ITIL describes processes, procedures, tasks, and checklists which are not organization-
specific, but can be applied by an organization for establishing integration with the
organization's strategy, delivering value, and maintaining a minimum level of competency. It
allows the organization to establish a baseline from which it can plan, implement, and
measure. It is used to demonstrate compliance and to measure improvement.

ITIL 2007 has five volumes, published in May 2007, and updated in July 2011 as ITIL
2011 for consistency:
The Five Volumes :
i. ITIL Service Strategy: understands organizational objectives and customer needs.
ii. ITIL Service Design: turns the service strategy into a plan for delivering the business
objectives.
iii. ITIL Service Transition: develops and improves capabilities for introducing new
services into supported environments.
iv. ITIL Service Operation: manages services in supported environments.
v. ITIL Continual Service Improvement: achieves incremental and large-scale
improvements to services.

ISAE 3402/SA
International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on
Controls at a Service Organization, was issued in December 2009 by the International
Auditing and Assurance Standards Board (IAASB), which is part of the International
Federation of Accountants (IFAC).

ISAE 3402 was developed to provide an international assurance standard for allowing public
accountants to issue a report for use by user organizations and their auditors (user auditors)
on the controls at a service organization that are likely to impact or be a part of the user
organization’s system of internal control over financial reporting.

Cyber Security
Cyber Security involves protection of sensitive personal and business information through
prevention, detection and response to different online attacks. Cyber security actually
preventing the attacks, cyber security.

Computer security is that branch of information technology which deals with the protection
of data on a network or a stand-alone desktop. As every organization is dependent on
computers, the technology of its security requires constant development.

Different types of computer security:


Hardware Security
Threat:
Even if the computer is not plugged into a network, a person can open its cabinet and gain
access to the hard drives, steal them and misuse or destroy the data saved on them or, damage
the device altogether. It is also necessary to remember that if one disassembles the
computer hardware, the risk of losing warranty coverage becomes very high.
Protection:
The security of computer hardware and its components is also necessary for the overall
protection of data. If a stand-alone system contains some important or classified information,
it should be kept under constant surveillance. Locking system for a desktop and a security
chain for a laptop are basic security devices for your machine. Certain disk locks are
available in various sizes, which control the removal of the CPU cover protecting internal
components of the system. For example, you will find disk/tape drive lock, computer case
lock with cable and padlock, security cables, etc. A disk lock guards all the internal access
points located on the CPU and protects them.

Software Security:
Network Security:
Computer networks are an integral part of any organization these days, as they facilitate the
free flow of data and services to the authorized users. However, such networks also pose a
security threat in case the data is classified and confidential, thus making network security a
vital necessity.

Threats:
As the data is available only for authorized users, it is possible for hackers to pretend to be
one, by providing the correct user name and password. Computer network security can be
disrupted or encroached in the following ways:

Denial of Service: Denial-of-service is meant to disable a computer or a network and can be
executed with limited resources. It is one of the most common forms of attacks by hackers
and can effectively disable the whole network of an organization. Denial of service attack
makes a computer resource unavailable to its intended user. To carry out this kind of attack,
hackers generally flood a network or the access routers with bogus traffic. They also make
attempts to disrupt connections between two machines and prevent individuals from
accessing a service.

Trojan Horse: The Trojan horse is common and one of the most potent threats to computer
security. Trojan horses are malicious and security-breaking programs, disguised as something which is
considered non-malicious by the security software. They are a useful tool for hackers who
try to break into private networks. Hackers generally attach a Trojan horse to a file, which
triggers a virus or remotely controlled software, giving the hacker complete control over the
computer.

Viruses and Worms: Viruses and worms are well-known for their destructive nature and the
property of replicating themselves. They are basically pieces of computer program code,
which are written by hackers and other computer geniuses.

Sniffing: Sniffing is the act of intercepting TCP/IP packets while they are getting transferred
on a network. The interception generally takes place through simple eavesdropping done by a
hacker.
Protection:
Firewall:
It is one of the most essential types of network security in today's world of Internet. A firewall is
a filter that prevents fraudulent websites from accessing your computer and damaging the data.
However, a firewall is not a great option for securing the servers on the Internet because the
main objective of a server is granting access to unknown users to connect to various web
pages.

Security Software
Along with firewall, installing a good anti-virus and security software to enhance the security
level of the computer system is a good protection method.

Data Security:
Threat:
Although uncommon, hardware malfunction can prove to be a major threat to your data in the
computer. The life span of hard disks is always limited because of surrounding factors and
this can amount to a severe loss of all your files saved on the disk, if there is no proper
backup of those files made on any other system.
Protection:
Keep Backup:
It is important to avoid data and information loss in case of hard disk crashes. The only
solution is to regularly keep backups of all the data on other media such as magnetic tapes,
CD-ROM, etc. It is a good practice to store the media off-site and in case of a disk crash,
restore the information from the backup media onto the new disk. In case a backup media is
not affordable, one should try to store the files on at least two different media devices. These
media devices should be systematically kept at a place which is safe and secured, as the
information contained may be confidential. People usually have backup for database files,
spreadsheet files and large documents. As the technical constraints are always there, it is
better to take regular backups, in order to avoid any loss of information.

Clean-up Software
Install a software program on the computer that will clear all the old, unused files and registry
keys. It will also help to detect malware and save the computer from a severe damage caused
by it. Keep the system in the loop of latest updates and security alerts or else, it will become
vulnerable to security threats.
It is important to keep a record of technical support consultants and software documentation,
like manuals and guides, to make them accessible to the staff members of the company.

Firewall
• A firewall is a network security system, either hardware or software based, that controls
incoming and outgoing network traffic based on a set of rules.
• A firewall acts to provide secured access between two networks. A firewall may be
implemented as a standalone hardware device or in the form of software on a client
computer or a proxy server.
• The two types of firewall are generally known as the hardware firewall and the software
firewall.
• A computer may be protected by both a hardware and a software firewall.

MODULE – 4 DBMS
DBMS
INTRODUCTION

A database is a collection of related data. A database management system is software
designed to assist in the maintenance and utilization of large-scale collections of data. DBMS
came into existence in 1960 by Charles. Integrated Data Store is also called the first
general purpose DBMS. Again in 1960 IBM brought out IMS (Information Management System).
In 1970 Edgar Codd at IBM came up with a new database called RDBMS. In 1980 then came
SQL Architecture (Structured Query Language). From 1980 to 1990 there were advances in DBMS,
e.g. DB2, ORACLE.

Database

• Database may be defined in simple terms as a collection of data.
• A database is a collection of related data.
• The database can be of any size and of varying complexity.
• A database may be generated and maintained manually or it may be computerized.

Examples of Database

i. Telephone book
ii. T.V. Guide
iii. Airline reservation system
iv. Motor vehicle registration records
v. Papers in your filing cabinet
vi. Files on your computer hard drive.

Why do we need a database?

i. Keep records of our:


a. Clients
b. Staff
c. Volunteers
ii. To keep a record of activities and interventions;
iii. Keep sales records;
iv. Develop reports;
v. Perform research
Elements of database:

i. Database is logically related data. The elements of database are data, data items,
relationships, constraints and schema.
ii. Data: A collection of facts, such as values or measurements. E.g. data about Students,
Teachers and Courses, audio, video etc.
iii. Data Items: Unit of data contained in a record, describing a particular attribute/field
(such as name, age, address) of a particular entity.

NOTE: Data that have been processed in such a way as to increase the knowledge of the
person who uses the data is known as Information.

• Relationships: A relationship, in the context of databases, is a situation that exists
between two relational database tables when one table has a foreign key that
references the primary key of the other table. (STUDENT & COURSE)
• Constraints are rules that define correct database states. E.g. Regno field cannot have
value 0.
• Schema describes overall description of data and relationships (defines tables, fields in
each table and the relationship between fields and tables).

SCHEMA EXAMPLE

Database management system (DBMS)

A database management system (DBMS) such as Access, FileMaker, Lotus Notes,
Oracle or SQL Server provides you with the software tools to organize that data in a flexible
manner. It includes tools to add, modify or delete data from the database, ask questions (or
queries) about the data stored in the database and produce reports summarizing selected
contents.

What is the ultimate purpose of a database management system?

Definition-DBMS

• A Database Management System (DBMS) is a collection of programs that enables users
to create and maintain a database.
• The DBMS is hence a general purpose software system that facilitates the process of
defining, constructing and manipulating databases for various applications.

Advantages of DBMS

i. Data sharing & Multiple Access: In database, data is stored in a centralized area and
it can be accessed by different users. So data can be accessed by users and they can
insert, update, select the data from or to the database. Therefore, data can be shared in
the database.

ii. Data consistency: In database, consistency of data is maintained because multiple
people are accessing the data. So modification done for one data in one department
should not affect the other departments. So a proper locking mechanism is maintained
for all the departments' data in a database to maintain the consistency.

iii. Reliability: Database can be accessed by different users. However due to some
hardware failures or software failures or some improper accessing of data may cause
loss of data. In such cases, a backup copy of database is maintained and this should be
the copy of recently taken backup. By doing this, reliable information can be provided
to the users.

iv. Data Security & Privacy: Data and information are important to an organization.
Security is a concept used to protect the database from accidental misuse or damages.
Privacy includes authorizations, which allow a certain user to access only that portion
of the database on which he/she is allowed to perform valid operations. With proper
implementation of privacy and security, the different users who should access which
portion of the database can be clearly defined.

v. Integration: If the database is integrated properly then it is possible to share common
& important information among different applications. Proper integration and
structuring eliminates the need to have redundant data in a database.

vi. Data Independence: In a DBMS system, the application programs are independent of
the structure of data. Because the structure of the data with its definition is present in
system catalog (file), any changes in the structure of data will not affect the access
programs. This property is called program data independence.

vii. Data Redundancy: Redundancy is a concept where the same data get repeated in
various portions of the database due to certain inconsistent operations. Control in
redundancy is the basic necessity of any database.

viii. Flexibility: DBMS must be flexible to accept any structural changes. Suppose the end
user needs change, accordingly the database has to be changed to meet the needs of
the user. Most DBMS allow alterations in their structure without affecting the stored
data and existing application programs.

Disadvantages of DBMS

i. The main disadvantage is in terms of the cost. The cost basically includes cost for
development, cost to upgrade the hardware and the cost to maintain the system
ii. Additional processing involved to implement concepts such as data integrity, data
security, data sharing etc.,
iii. Complex procedures have to be used to incorporate concepts of backup and recovery.

Types of Database Management Systems (DBMS)

i. File management system: Here the data is stored in the form of flat files. These files
store data without indexing. This system lacks flexibility in data manipulation.
ii. Relational database management system {RDBMS}: It manipulates data in more
sophisticated ways. RDBMS avoids redundancy in data and defines the relationship
between sets of data. The relationship is a common element {unique identifier}
between tables. In RDBMS, data is stored in the form of tables.

Applications of DBMS

i. Computerized library systems


ii. Automated teller machine(ATM)
iii. Flight reservation system.
iv. Computerized Inventory System
v. Distributed Database
vi. Multimedia Database Systems
vii. Mobile Databases

Distributed Database:
A distributed database is a database in which storage devices are not all attached to a
common processing unit such as the CPU. It may be stored in multiple computers, located in
the same physical location; or may be dispersed over a network of interconnected computers.
Collections of data (e.g. in a database) can be distributed across multiple physical locations.

A distributed database can reside on network servers on the Internet, on corporate
intranets or extranets, or on other company networks. Because data is stored across multiple
computers, distributed databases improve performance at end-user worksites by allowing
transactions to be processed on many machines, instead of being limited to one.

Multimedia Database Systems:


Multimedia databases are collections of data types such as text, graphics, images,
animations, video, audio etc. Multimedia applications are usually meant for presentations to
execute complex design task, intelligent health care network, knowledge
dissemination (distribution), education and training, marketing, advertising, entertainment,
travel etc.

Mobile Databases:
A mobile database is either a stationary (fixed) database that can be connected to by a
mobile computing device - such as smart phones or PDAs - over a mobile network, or a
database which is actually carried by the mobile device. This could be a list of contacts, price
information, distance travelled, financial marketing reporting etc.,

Drawbacks of Using File Systems

1. Data redundancy and inconsistency
2. Multiple file formats, duplication of information in different files
3. Difficulty in accessing data
4. Need to write a new program to carry out each new task
5. Data isolation — multiple files and formats
6. Integrity problems
   a. Integrity constraints (e.g. account balance > 0) become “buried” in program
      code rather than being stated explicitly
   b. Hard to add new constraints or change existing ones
7. Atomicity of updates
   a. Failures may leave database in an inconsistent state with partial updates
      carried out
   b. Example: Transfer of funds from one account to another should either
      complete or not happen at all
8. Concurrent access by multiple users
   a. Concurrent access needed for performance
   b. Uncontrolled concurrent accesses can lead to inconsistencies
   c. Example: Two people reading a balance and updating it at the same time
9. Security problems
   a. Hard to provide user access to some, but not all, data

Database systems offer solutions to all the above problems.
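
The integrity and atomicity drawbacks in the list above, as an added example that is not part of the original notes: the same funds transfer is run once with every statement committed on its own, as a file-based program would do it, and once inside a transaction. It uses Python's built-in sqlite3 module; the accounts table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed schema: the rule "account balance > 0" from the notes is stated
# once, in the table definition, instead of being buried in program code.
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL CHECK (balance > 0)
);
"""


def new_bank():
    """Return an in-memory database holding two constructed accounts."""
    # isolation_level=None: the driver opens no transaction of its own, so each
    # statement commits by itself unless BEGIN is issued explicitly.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO accounts VALUES (1, 'Asha', 500), (2, 'Ravi', 100)")
    return conn


def _credit_then_debit(conn, src, dst, amount):
    # Credit first, so that a rejected debit leaves a partial update behind.
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))


def transfer_without_transaction(conn, src, dst, amount):
    """Two independent updates: the credit survives even if the debit fails."""
    try:
        _credit_then_debit(conn, src, dst, amount)
        return True
    except sqlite3.IntegrityError:
        return False  # the credit has already been committed


def transfer_atomic(conn, src, dst, amount):
    """Both updates in one transaction: complete, or not happen at all."""
    conn.execute("BEGIN")
    try:
        _credit_then_debit(conn, src, dst, amount)
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")  # undo the credit as well
        return False


def balances(conn):
    """Return {account id: balance} for every account."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    unsafe = new_bank()
    ok = transfer_without_transaction(unsafe, 2, 1, 300)  # account 2 holds only 100
    print("no transaction:", ok, balances(unsafe))

    safe = new_bank()
    ok = transfer_atomic(safe, 2, 1, 300)
    print("transaction:   ", ok, balances(safe))
```

In the first run the CHECK constraint stops the overdraft, but the credit to account 1 has already been saved, so the two balances no longer add up to the original total; in the second run the rollback restores both rows.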

Difference between File system & DBMS

FILE SYSTEM:

1. File system is a collection of data. For any management with the file system, the user
   has to write the procedures.
2. File system gives the details of the data representation and storage of data.
3. In file system, storing and retrieving of data cannot be done efficiently.
4. Concurrent access to the data in the file system has many problems, like reading the
   file while another user is deleting some information or updating some information.
5. File system doesn’t provide a crash recovery mechanism. E.g. if the system crashes while
   we are entering some data into the file, the content of the file is lost.
6. Protecting a file under file system is very difficult.

DBMS:

1. DBMS is a collection of data and the user is not required to write the procedures for
   managing the database.
2. DBMS provides an abstract view of data that hides the details.
3. DBMS is efficient to use since there are wide varieties of sophisticated techniques to
   store and retrieve the data.
4. DBMS takes care of concurrent access using some form of locking.
5. DBMS has a crash recovery mechanism; DBMS protects the user from the effects of system
   failures.
6. DBMS has a good protection mechanism.

RDBMS

A relational database management system is a database management system used to manage
relational databases. A relational database is one where tables of data can have relationships
based on primary and foreign keys.

Functions of DBMS

i. Data Definition: The DBMS provides functions to define the structure of the data in
the application. These include defining and modifying the record structure, the type
and size of fields and the various constraints to be satisfied by the data in each field.

ii. Data Manipulation: Once the data structure is defined, data needs to be inserted,
modified or deleted. The functions which perform these operations are part of the
DBMS. These functions can handle planned and unplanned data manipulation needs.
Planned queries are those which form part of the application. Unplanned queries are
ad-hoc queries which are performed on a need basis.

iii. Data Security & Integrity: The DBMS contains modules which handle the security
and integrity of data in the application.

iv. Data Recovery and Concurrency: Recovery of the data after system failure and
concurrent access of records by multiple users is also handled by DBMS.

v. Data Dictionary Maintenance: Maintaining the data dictionary which contains the
data definition of the application is also one of the functions of DBMS.

vi. Performance: Optimizing the performance of the queries is one of the important
functions of DBMS

Users for a DBMS:



i. The END User who uses the application. Ultimately he is the one who actually puts
the data into the system into use in business. This user need not know anything about
the organization of data in the physical level.

ii. System Analyst & The Application Programmers: Application Programmers are
those who develop the application programs. He/She has more knowledge about the data
and its structure. He/she can manipulate the data using his/her programs. The System
Analyst, also known as Software Engineer, determines the requirements of end users
and develops specifications (requirements) for transactions.

iii. The Data base Administrator (DBA) who is like the super-user of the system. The
job of DBA is to plan, design, create, modify and maintain the database with special
emphasis on security and integrity.

iv. Database Designers: are those who identify the data to be stored in the database and
choose appropriate structures to represent and store these data.

Types of End Users

i. CASUAL END USERS: are the end users who occasionally access the database.
Each time they may require different information from the database. Ex: Bank
Managers
ii. NAÏVE OR PARAMETRIC END USERS: are the end users who constantly make
use of the database, querying and updating the database. Ex: Bank Clerk, Reservation
Clerk (Airlines) etc.
iii. SOPHISTICATED END USERS: include engineers, scientists and business analysts,
who thoroughly familiarize themselves with the facilities of the DBMS to meet their requirements
iv. STAND-ALONE USERS: Maintain a personal database by using readymade packages
that provide an easy-to-use menu or graphics based interface. Ex: Tax package

Role of Database Administrator

i. Defining the schema: The DBA defines the schema which contains the structure of
the data in the application. The DBA determines what data needs to be present in the
system and how this data has to be presented and organized.
ii. Liaising with users: The DBA needs to interact continuously with the users to
understand the data in the system and its use.
iii. Defining Security & Integrity checks: The DBA finds out about the access restrictions
to be defined and defines security checks accordingly. Data integrity checks are
defined by the DBA.
iv. Defining Backup/Recovery Procedures: The DBA also defines procedures for
backup and recovery. Defining backup procedure includes specifying what data is to
be backed up, the periodicity of taking backups and also the medium and storage
place to backup data.
v. Monitoring performance: The DBA has to continuously monitor the performance of
the queries and take the measures to optimize all the queries in the application.

Simplified Database System Environment



Components of Database System Environment:

i. Application programs or queries written by users or programmers.


ii. Software to process these queries or application programs.
iii. Software to access the stored data.
iv. DBMS catalog which contains the stored database definition or metadata.
v. The physical stored database.

vi. Stored Database Definition (Metadata) is the location where data type, structure,
constraints for the data specified by the database designer is stored.

vii. Stored database is the physical location in memory where the database is stored.

viii. Application programs/queries that are written by the user or programmer are
processed by the DBMS software so as to perform the required function.

ix. Whenever a request to access data is made, a part of the DBMS software first refers to
the metadata to access the structure and hence determines the size and position so as
to access data from the stored database.

Architecture of DBMS

The three levels of the architecture are three different views of the data:
i. External - individual user view
ii. Conceptual - community user view
iii. Internal - physical or storage view

i.External - individual user view:


The external level is the view that the individual user of the database has. This view is
often a restricted view of the database and the same database may provide a number of
different views for different classes of users. In general, the end users and even the
application programmers are only interested in a subset of the database. For example, a
department head may only be interested in the departmental finances and student enrolments
but not the library information.
ii.Conceptual - community user view:
The conceptual view is the information model of the enterprise and contains the view
of the whole enterprise without any concern for the physical implementation. The conceptual
view is the overall community view of the database and it includes all the information that is
going to be represented in the database. The conceptual view is defined by the conceptual
schema which includes definitions of each of the various types of data.

iii.Internal - physical or storage view:


The internal view is the view about the actual physical storage of data. It tells us what
data is stored in the database and how.

DATA MODELS

A data model is a collection of concepts that can be used to describe the structure of a database,
which provides the necessary means to achieve the abstraction. The structure of a database
means the following, which hold for the data:
• data types
• relationships
• constraints

Types of Data Models

i. High Level- Conceptual data model.


ii. Low Level – Physical data model.
iii. Relational or Representational
iv. Object-oriented Data Models.
v. Object-Relational Models.

• High Level-conceptual data model: The user level data model is the high level or
conceptual model. This provides concepts that are close to the way that many users
perceive data.

• Low level-Physical data model: provides concepts that describe the details of how
data is stored in the computer. The low level data model is only for computer
specialists, not for end-users.

• Representation data model: It is between the high level & low level data models and
provides concepts that may be understood by end-users but that are not too far
removed from the way data is organized within the computer.

The most common data models/ Representation data model/(5 fundamental database
structure) are:

a. Relational Model/structure: The Relational Model uses a collection of tables to represent both
data and the relationships among those data. Each table has multiple columns and each
column has a unique name. For example, a relational database comprising two
tables: Customer Table & Account Table.

b. Network Model/structure: The data in the network model are represented by a
collection of records, and relationships among data are represented by links, which can
be viewed as pointers.

c. Hierarchical Model/structure: A hierarchical data model is a data model in which the
data is organized into a tree like structure. The structure allows repeating information
using parent/child relationships: each parent can have many children but each child
only has one parent. All attributes of a specific record are listed under an entity type.

d. Object-oriented Data Models/structure:
• Several models have been proposed for implementing in a database system.
• One set comprises models of persistent O-O Programming Languages such as C++
(e.g., in OBJECTSTORE or VERSANT), and Smalltalk (e.g., in GEMSTONE).

e. Multidimensional structure: A multidimensional database is a computer software
system designed to allow for the efficient and convenient storage and retrieval of large
volumes of data that is (1) intimately related and (2) stored, viewed and analyzed
from different perspectives. These perspectives are called dimensions.
Multidimensional databases have become the most popular database structure for the
analytical databases that support online analytical processing capabilities.

RECENT TRENDS IN DATABASE

Recent database trends include the growth of distributed databases and the emergence
of object-oriented and hyper-media databases.

a. Distributed databases: The growth of distributed processing and networking has
been accompanied by a movement towards distributed databases. A distributed
database is one which is stored in more than one physical location. Parts of the
database are stored physically in one location, and other parts are stored and
maintained in other locations.

b. Object Oriented and Hybrid Models: These models have emerged in an attempt to
store, search and manipulate data about objects which have complex inner data
structures. Object-oriented database management systems (OODBMS) are systems
which are designed from scratch, whereas hybrid DBMS are some combination of
RDBMS and OODBMS.

c. Multidimensional structure: A multidimensional database is a computer software
system designed to allow for the efficient and convenient storage and retrieval of large
volumes of data that is (1) intimately related and (2) stored, viewed and analyzed
from different perspectives. These perspectives are called dimensions.
Multidimensional databases have become the most popular database structure for the
analytical databases that support online analytical processing capabilities.

d. Data Warehouse: A data warehouse is a database, with tools, that stores current and
historical data of potential interest to managers throughout the company. The data
originates in many core operational systems and external sources and is copied into
the data warehouse databases as often as needed. The data is standardized and
consolidated so that it can be used across the enterprise for management analysis and
decision-making.

e. Linking Databases to the Web : There are a number of advantages to using the Web
to access an organization's internal database. Web browser software is extremely easy
to use, requiring much less training than even user-friendly database query tools. The
web interface requires no changes to the legacy database.
f. Mobile Database: A mobile database is either a stationary database that can be
connected to by a mobile computing device - such as smart phones or PDAs - over a
mobile network, or a database which is actually carried by the mobile device. This
could be a list of contacts, price information, distance travelled, or any other
information.

g. Spatial Database: A spatial database is a database that is optimized to store and
query data that represents objects defined in a geometric space. Most spatial databases
allow representing simple geometric objects such as points, lines and polygons. Some
spatial databases handle more complex structures such as 3D objects, topological
coverages, linear networks etc.

h. On-Line Analytical Processing Database (OLAP): OLAP is an approach to
answering multi-dimensional analytical (MDA) queries swiftly. OLAP is part of the
broader category of business intelligence, which also encompasses relational
database, report writing and data mining. Typical applications of OLAP include
business reporting for sales, marketing, management reporting, business process
management (BPM), budgeting and forecasting, financial reporting and similar
areas, with new applications coming up, such as agriculture. OLAP tools enable users
to analyze multidimensional data interactively from multiple perspectives.

i. SQL: Structured Query Language is a special-purpose programming language
designed for managing data held in a relational database management system
(RDBMS). SQL is a declarative programming language designed for creating and
querying relational database management systems. SQL is a relatively simple language,
but it’s also very powerful.

DBMS Languages

i. Data Definition Language (DDL)
ii. Data Manipulation Language (DML)
iii. Data Control Language (DCL)
iv. Transaction Control Language (TCL)

• High-Level or Non-procedural Languages: These include the relational language
   • SQL
   • May be used in a standalone way or may be embedded in a programming
     language

• Low Level or Procedural Languages:
   • These must be embedded in a programming language

NOTE: In some DBMSs, separate storage definition language (SDL) and view definition
language (VDL) are used to define internal and external schemas.

i. Data Definition Language (DDL): Used by the DBA and database designers to
specify the conceptual schema of a database(database structure)
In many DBMSs, the DDL is also used to define internal and external schemas
(views). DDL Commands: CREATE, ALTER, DROP, TRUNCATE,
RENAME

ii. Data Manipulation Language (DML): Used to specify database retrievals and
updates. DML commands (data sublanguage) can be embedded in a general-purpose
programming language (host language), such as COBOL, C, C++, or Java. DML
Operations: SELECT, INSERT, UPDATE, DELETE, LOCK TABLE

iii. Data Control Language (DCL): A data control language is a computer language and
a subset of SQL, used to control access to data in a database. Ex: GRANT gives users
access privileges & REVOKE withdraws access privileges.

iv. Transaction Control Language (TCL): Used to manage the changes made by DML
statements. Ex: COMMIT saves work done, ROLLBACK restores the database to its original
state since the last COMMIT.

Types of DML:

• High Level or Non-procedural Language:
For example, the SQL relational language is “set”-oriented and specifies what data to retrieve
rather than how to retrieve it. Such languages are also called declarative languages.

• Low Level or Procedural Language:
   • Retrieve data one record-at-a-time;
   • Constructs such as looping are needed to retrieve multiple records, along with
     positioning pointers.

COMPONENTS OF DBMS

i. Data Dictionary: is a more general software utility used by designers, users and
administrators for information resource management. It is an electronic document
which contains data elements. It describes the data and their characteristics, and identifies data
origin, ownership, security, and methods of accessing data.

ii. Data Mining: Data mining (sometimes called data or knowledge discovery) is the
process of analyzing data from different perspectives and summarizing it into useful
information - information that can be used to increase revenue, cut costs, or both.
Data mining software is one of a number of analytical tools for analyzing data. It
allows users to analyze data from many different dimensions or angles, categorize it,
and summarize the relationships identified.

iii. Data warehousing: stores and manages the data required to analyze historical(past)
and current business circumstances from various operational databases of an
organization for business analysis, market research, decision support and data mining
applications.
iv. Data Marts: A data mart is a body of DSS data for a department that has an
architectural foundation of a data warehouse. It can be regarded as subset of Data
Warehouse.

Structured Query Language(SQL)

SQL is a standard language for accessing and manipulating databases.

• What Can SQL do?

i. SQL can execute queries against a database


ii. SQL can retrieve data from a database
iii. SQL can insert records in a database
iv. SQL can update records in a database
v. SQL can delete records from a database
vi. SQL can create new databases
vii. SQL can create new tables in a database
viii. SQL can create stored procedures in a database
ix. SQL can create views in a database
x. SQL can set permissions on tables, procedures, and views

DATATYPES SUPPORTED IN SQL

i. Character datatypes: The char datatype is used when a fixed length character string is
required. It can store alphanumeric values
ii. Varchar2 datatypes: The varchar2( ) datatype supports a variable length character
string. It also stores alphanumeric values.
iii. Long datatypes: This datatype is used to store variable character length. Maximum
size is 2GB
iv. Number datatypes: The number datatypes can store positive numbers, negative
numbers, zero
v. Date datatypes: Date datatype is used to store date and time in a table. Default date
format is “dd-mon-yy”.
vi. Raw datatypes: Raw datatype is used to store byte oriented data like binary data or
byte strings
vii. Long raw datatypes: Long Raw datatype is used to store binary data of variable
length, which can have a maximum size of 2GB.
viii. LOB datatypes: LOB is otherwise known as Large Object data types. This can store
unstructured information such as sound clips, video files etc., up to 4 gigabytes in size.
ix. CLOB: A column with its datatype as CLOB stores character objects with single byte
characters. It cannot contain character sets of varying widths.

SQL CREATE TABLE Statement

• The CREATE TABLE Statement:


• The CREATE TABLE statement is used to create a table in a database.

The data type specifies what type of data the column can hold.

CREATE TABLE Example…

SQL Constraints
• Constraints are used to limit the type of data that can go into a table.
• Constraints can be specified when a table is created (with the CREATE TABLE
statement) or after the table is created (with the ALTER TABLE statement).
• We will focus on the following constraints:

i. NOT NULL
ii. UNIQUE
iii. PRIMARY KEY
iv. FOREIGN KEY
v. CHECK
vi. DEFAULT

SQL NOT NULL Constraint

• The NOT NULL constraint enforces a column to NOT accept NULL values.
• The NOT NULL constraint enforces a field to always contain a value. This means that
you cannot insert a new record, or update a record without adding a value to this field.

SQL PRIMARY KEY Constraint

• The PRIMARY KEY constraint uniquely identifies each record in a database table.
• Primary keys must contain unique values.
• A primary key column cannot contain NULL values.
• Each table should have a primary key, and each table can have only one primary key.

SQL FOREIGN KEY Constraint on CREATE TABLE

SQL INSERT INTO Statement

• The INSERT INTO statement is used to insert a new row in a table.


• It is possible to write the INSERT INTO statement in two forms.

SQL INSERT INTO Example

Insert Data Only in Specified Columns

SQL UPDATE Statement

The UPDATE statement is used to update records in a table.

SQL DELETE Statement

The DELETE statement is used to delete records in a table.



Delete All Rows

It is possible to delete all rows in a table without deleting the table. This means that the table
structure, attributes, and indexes will be intact:

The SQL SELECT DISTINCT Statement

The DISTINCT keyword can be used to return only distinct (different) values.

The WHERE Clause

The WHERE clause is used to extract only those records that fulfill a specified criterion.

Operators Allowed in the WHERE Clause

The AND & OR Operators

• The AND operator displays a record if both the first condition and the second
condition is true.
• The OR operator displays a record if either the first condition or the second condition
is true

The TRUNCATE TABLE Statement

What if we only want to delete the data inside the table, and not the table itself?

Then, use the TRUNCATE TABLE statement:

SQL ORDER BY Keyword

• The ORDER BY keyword is used to sort the result-set by a specified column.
• The ORDER BY keyword sorts the records in ascending order by default.
• If you want to sort the records in a descending order, you can use the DESC keyword.

SQL ALTER TABLE Statement

• The ALTER TABLE statement is used to add, delete, or modify columns in an
existing table.
• SQL ALTER TABLE Syntax
• To add a column in a table, use the following syntax:

• To delete a column in a table, use the following syntax (notice that some database
systems don't allow deleting a column):

• To change the data type of a column in a table, use the following syntax

SQL AVG() Function

The AVG() function returns the average value of a numeric column.

SQL MAX() Function

The MAX() function returns the largest value of the selected column.

SQL MIN() Function

The MIN() function returns the smallest value of the selected column.

SQL SUM () Function

The SUM () function returns the total sum of a numeric column.



SQL Wildcards

SQL LIKE Operator

The LIKE operator is used to search for a specified pattern in a column.

SQL GROUP BY Statement

The GROUP BY statement is used in conjunction with the aggregate functions to group the
result-set by one or more columns.

SQL HAVING Clause

The HAVING clause was added to SQL because the WHERE keyword could not be used
with aggregate functions.

SQL JOIN

• The JOIN keyword is used in an SQL statement to query data from two or more
tables, based on a relationship between certain columns in these tables.
• Tables in a database are often related to each other with keys.
• A primary key is a column (or a combination of columns) with a unique value for
each row. Each primary key value must be unique within the table. The purpose is to
bind data together, across tables, without repeating all of the data in every table.

Different SQL JOINs

• SIMPLE JOIN: Return rows when there is at least one match in both tables
• LEFT JOIN: Return all rows from the left table, even if there are no matches in the
right table
• RIGHT JOIN: Return all rows from the right table, even if there are no matches in the
left table
• FULL JOIN: Return rows when there is a match in one of the tables

SIMPLE JOIN

Simple join is the most common type of join. It retrieves rows from two tables having
common column and is further classified into equi-join and non equi-join.
EQUI-JOIN: A join which is based on equalities, is called an equi-join. The equi-join
combines rows that have equivalent values for the specified columns.

Example:
select odate, del_date, itemcode, qty_ord, qty_deld
from order_master, order_detail
where order_master.orderno = order_detail.orderno;

NON EQUI-JOIN: A non equi-join specifies the relationship between columns belonging to
different tables by making use of relational operators (>, <, <=, >=, <>) other than =.

Example:
select itemdesc, max_level, qty_ord, qty_deld
from itemfile, order_detail
where (itemfile.max_level < order_detail.qty_ord)
and itemfile.itemcode = order_detail.itemcode;
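
The constraints listed under SQL Constraints and the equi-join above, run end to end as an added example that is not part of the original notes. It uses Python's built-in sqlite3 module; which table owns each column, the UNIQUE rule, the function names and the sample rows are assumptions, since the notes give only the column names used in the query.

```python
import sqlite3

# Assumed layout: the notes name these columns but not which table holds them.
SCHEMA = """
CREATE TABLE order_master (
    orderno  INTEGER PRIMARY KEY,      -- unique, identifies each order
    odate    TEXT    NOT NULL,         -- order date
    del_date TEXT                      -- delivery date, NULL until delivered
);
CREATE TABLE order_detail (
    orderno  INTEGER NOT NULL REFERENCES order_master (orderno),  -- FOREIGN KEY
    itemcode TEXT    NOT NULL,
    qty_ord  INTEGER NOT NULL CHECK (qty_ord > 0),
    qty_deld INTEGER NOT NULL DEFAULT 0,
    UNIQUE (orderno, itemcode)         -- one line per item per order
);
"""


def build_db():
    """Create both tables in memory and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite checks FOREIGN KEY only when enabled
    conn.executescript(SCHEMA)
    with conn:  # commit on success, roll back on error
        conn.executemany(
            "INSERT INTO order_master VALUES (?, ?, ?)",
            [(1, "2024-01-05", "2024-01-12"), (2, "2024-01-07", None)],
        )
        conn.executemany(
            "INSERT INTO order_detail VALUES (?, ?, ?, ?)",
            [(1, "I01", 10, 10), (1, "I02", 5, 3)],
        )
        # qty_deld is omitted here, so the DEFAULT value 0 is stored.
        conn.execute(
            "INSERT INTO order_detail (orderno, itemcode, qty_ord) VALUES (2, 'I01', 4)"
        )
    return conn


def rejected_by(conn, orderno, itemcode, qty_ord):
    """Try to insert an order line; return the violated constraint, or None."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO order_detail (orderno, itemcode, qty_ord) VALUES (?, ?, ?)",
                (orderno, itemcode, qty_ord),
            )
        return None
    except sqlite3.IntegrityError as exc:
        # Messages look like "FOREIGN KEY constraint failed" or
        # "NOT NULL constraint failed: order_detail.itemcode".
        return str(exc).split(" constraint")[0]


def equi_join(conn):
    """The equi-join from the notes, with an ORDER BY so the output is stable."""
    return conn.execute(
        """SELECT odate, del_date, itemcode, qty_ord, qty_deld
           FROM order_master, order_detail
           WHERE order_master.orderno = order_detail.orderno
           ORDER BY order_master.orderno, itemcode"""
    ).fetchall()


def pending_by_order(conn, more_than=0):
    """GROUP BY with HAVING: undelivered quantity per order above a threshold."""
    return conn.execute(
        """SELECT orderno, SUM(qty_ord - qty_deld) AS pending
           FROM order_detail
           GROUP BY orderno
           HAVING SUM(qty_ord - qty_deld) > ?
           ORDER BY orderno""",
        (more_than,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(rejected_by(db, 99, "I01", 1))  # no such order in order_master
    for row in equi_join(db):
        print(row)
    print(pending_by_order(db))
```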

SQL UNION Operator

• The UNION operator is used to combine the result-set of two or more SELECT
statements.
• Notice that each SELECT statement within the UNION must have the same number
of columns. The columns must also have similar data types. Also, the columns in each
SELECT statement must be in the same order. Note: The UNION operator selects
only distinct values by default. To allow duplicate values, use UNION ALL.

SQL CREATE INDEX Statement

• The CREATE INDEX statement is used to create indexes in tables.
• Indexes allow the database application to find data fast, without reading the whole
table.
• An index can be created in a table to find data more quickly and efficiently.
• The users cannot see the indexes; they are just used to speed up searches/queries.

SQL CREATE INDEX Syntax:

CREATE UNIQUE INDEX index_name
ON table_name (column_name)

CREATE INDEX Example:

CREATE INDEX PIndex
ON Persons (LastName);

To index a combination of columns, list the column names separated by commas:

CREATE INDEX PIndex
ON Persons (LastName, FirstName);

SQL Views

• In SQL, a view is a virtual table based on the result-set of an SQL statement.
• A view contains rows and columns, just like a real table. The fields in a view are
fields from one or more real tables in the database.

SQL Dropping a View

• SQL DROP VIEW Syntax:

DUPLICATE TABLE

create table xyz_new as select * from xyz;


Which copies the structure and the data, but what if I just want the structure?

Just use a where clause that won't select any rows:


create table xyz_new as select * from xyz where 1=0;

MODULE – 5 Spread sheet software (EXCEL)

Spread Sheet

• It is a highly interactive computer program that consists of a collection of rows and
columns – Eg: EXCEL
• The intersection of a row and column is called a cell.
• A cell can hold a number, text or formulas that perform a calculation using one or
more other cells.
• Sheet: it can be a worksheet, chart sheet, macro sheet or custom dialog box.
• Workbook: consists of many spread sheets.

INTRODUCTION to MS-EXCEL

• Excel comes under the spread sheet.
• It is a computer program used to enter, analyze, and present quantitative data.
• Excel is a computer program used to create electronic spreadsheets.

Features of MS-Excel:-

1. Hyperlink:- One file can be linked to another file or page with the use of Excel
2. Clip art:- Images, audio, video clips can be added here
3. Charts:- Various types of charts can be added and show to the clients about product
evaluation. For example which product sale is more or less in this month.
4. Tables:- Tables are created with different fields eg -name, age, address, roll no, and thus
add a table to fill these values.
5. Functions:- MATHEMATICAL: Add, subtract, div, multiply.
LOGICAL: average, sum, mod, product can be added
6. Images and Backgrounds:- Images and backgrounds can be added in a sheet
7. Macros:- Macros are used for recording events for further use.
8. Database:- Add database from other sources with the data feature
9. Sorting and Filter:- It is possible to sort and filter data so that repetitions can be removed
10. Data Validations:- In data tools, data validations can be used to check for accuracy of
input data
11. Grouping:- This feature helps to group, ungroup, subtotal etc.
12. Page layout:- In this themes, colors, sheets, margins, size, backgrounds, breaks, print,
titles, sheets height, width, scaling, gridlines, headings, views, bring to front of font or back
alignment etc can be used.

Worksheet
i. It is the area where data is entered and used in excel .
ii. A worksheet is also called as a spread sheet.
iii. It is made up of row and columns.
iv. The rows are numbered and columns are named as a cell.
v. There are 65536 rows and 256 columns.

Overview of the Excel Screen



i. Microsoft Excel consists of workbooks. Within each workbook, there is an infinite
number of worksheets.
ii. Each worksheet contains columns and rows.
iii. Where a column and a row intersect is called the cell. For example, cell B6 is located
where column B and row 6 meet. You enter your data into the cells on the worksheet.
iv. The tabs at the bottom of the screen represent different worksheets within a workbook.
You can use the scrolling buttons on the left to bring other worksheets into view.
v. The Name Box indicates what cell you are in. This cell is called the “active cell.” This
cell is highlighted by a black box.
vi. The “=” is used to edit your formula on your selected cell.
vii. The Formula Bar indicates the contents of the cell selected. If you have created a
formula, then the formula will appear in this space.

Types of data used in excel

i. Value or numeric data.


ii. Text or character data(labels)
iii. Formulas.

File Menu

i. When first opening Excel a worksheet will automatically appear. However, if you
desire to open a file that you previously worked on go to the “File” option located in
the top left corner. Select “Open.”
ii. To create a new worksheet go to the “File” option and select “New.”
iii. To save the work created go to the “File” option and select “Save.”
iv. To close an existing worksheet go to the “File” option and select “Close.”
v. To exit the program entirely go to the “File” option and select “Exit.”

Edit Menu

i. Among the many functions, the Edit Menu allows you to make changes to any data
that was entered. You can:
ii. Undo mistakes made. Excel allows you to undo up to the last 16 moves you made.
iii. Cut, copy, or paste information.
iv. Find information in an existing workbook
v. Replace existing information.

Format Menu

i. You can change the colors, borders, sizes, alignment, and font of a certain cell by
going to the “Cell” option in the Format Menu.
ii. You can change row and column width and height in the “Row” and “Column”
options.
iii. You can rename worksheets and change their order in the “Sheet” option.
iv. The “AutoFormat” option allows you to apply pre-selected colors, fonts, and sizes to
entire worksheets.

View Menu

i. You can change the view of your work so that it is page by page.
ii. You can insert Headers and Footers to your work.
iii. You can add comments about a specific cell for future reference.

Help Menu and Office Assistant

i. The Help Menu is used to answer any questions you may have with the program.
ii. You can also get online assistance if it is needed.
iii. The Office Assistant is a shortcut to the Help Menu. You can ask the assistant a
question and it will take you directly to an index of topics that will help you solve
your problem.

Excel Worksheets

With Excel, you will be working with different worksheets within a workbook. Often
times it is necessary to name the different worksheets so that it is easier to find them. To do
so you must:
1. Double-click to highlight an existing worksheet
2. Type in what you would like to rename the worksheet

Entering Formulas

• When entering numerical data, you can command Excel to do any mathematical
function.
• Start each formula with an equal sign (=). To enter the same formulas for a range of
cells, use the colon sign “:”

ADDITION FORMULAS

• To add cells together, use the “+” sign.
• To sum up a series of cells, highlight the cells, then click the AutoSum button. The answer
will appear at the bottom of the highlighted box.

SUBTRACTION FORMULAS
• To subtract cells, use the “-” sign.

DIVISION FORMULAS
• To divide cells, use the “/” sign.
MULTIPLICATION FORMULAS
• To multiply cells, use the “*” sign.

Formatting Workbooks

i. To add borders to cells, you can select from various border options.
ii. To add colors to text or cells, you can select the text color option or the cell fill
option, then select the desired color.
iii. To change the alignment of the cells, highlight the desired cells and select any of
the three alignment options.
iv. To check the spelling of your data, highlight the desired cells and click on the
spell check button.
v. When entering dollar amounts, you can select the cells you desire to be currency
formatted, then click on the “$” button to change the cells.
vi. You can bold, italicize, or underline any information in the cells, as well as change
the styles and fonts of those cells.

Creating Charts

i. With the Excel program you can create charts with the “Chart Wizard.”
ii. Step 1: Choose a chart type.
iii. Step 2: Highlight the data that you wish to be included in the chart.
iv. Step 3: Change chart options. Here you can name the chart and the axes, change the
legend, label the data points, and many other options.
v. Step 4: Choose a location for the chart.

Freezing Panes

If you need the information in one column to freeze, while still being able to scroll
through the rest of the data follow these instructions:

Step 1: Highlight a specific column.


Step 2: Go to the Window Menu and click “Freeze Panes.”
Step 3: The cells to the left of the highlighted column should be frozen while you are still
able to scroll about the rest of the worksheet (Notice that column A remains while column H
is next to it).

Printing

i. When printing a worksheet you have a few options.


ii. You can go to “Page Setup” to change the features of your work (the margins, the
paper size, the tabs, etc.) This will affect how your project will be printed.
iii. You can select “Print Area,” which allows you to only print a highlighted area.
iv. You can preview your printing job by selecting “Print Preview.”
v. Finally, you can print your job by going to the File Menu and selecting “Print,” or you
can use the shortcut button.

Basic functions
i. Mathematical functions.
ii. Date and time functions.
iii. Statistical functions.


iv. Logical Functions
v. Financial functions.
Mathematical functions

Excel Log Function Examples


Excel Mod Function Examples

The Excel SQRT Function


The Excel SUM Function

Excel Power Function Examples


Date and time functions

Date Function
Examples

Month Function
Examples
Year Function

Examples

Time Function
Examples
Hour Function

Examples

Minute Function
Examples
Second Function

Examples

Statistical functions
Excel Average Function

Examples

Count Function Examples

• Note, in the above example:


• The numbers and the date, 01/01/2010 are counted by the function.
• The text value "text", the logical value FALSE, and the error value #N/A are not
counted by the function.
• The example in cell C3 uses two ranges that intersect, and both ranges include the cell
A1. In this case, Excel counts the cell A1 (which DOES contain a numeric value)
twice - once for each range that it is contained in.

Excel Frequency Function Examples

• Cells A2 - A11 of the spreadsheet on the left contain the ages of a group of children.
The formula bar at the top of the spreadsheet shows the Excel Frequency function
used to count the number of children falling into three different age ranges.
• The bins, specified in cells B2 - B3, specify the maximum values for the first two
ranges. Therefore, in this example, the ages are to be split into the ranges 0-4 years, 5-
8 years and 9 years+.
• The Frequency function in this example returns an array of length 3, and so it has
been entered into cells C2-C4 of the spreadsheet. The format of the function is shown
in the formula bar at the top of the spreadsheet - note that the curly braces indicate
that the function has been entered as an Array Formula.

Large Function Examples


Excel Max Function Example

Excel Min Function Example

Var Function Example


In probability theory and statistics, variance measures how far a set of numbers is spread out.
A variance of zero indicates that all the values are identical. Variance is always non-negative:
a small variance indicates that the data points tend to be very close to the mean (expected
value) and hence to each other, while a high variance indicates that the data points are very
spread out around the mean and from each other.

Excel Countif Function Examples

range - The range of cells that should be tested against the supplied criteria and counted if
the criteria is satisfied.
criteria - A user-defined condition that is tested against each of the cells in the range.

Counta Function Examples


Note that, if a cell contains an empty text string or a formula that returns an empty text string,
this cell is counted as a non-blank by the Counta function.

Excel Median Function Examples

Mode Function Examples


Mode Function Examples-Result

Excel Correl Function Example

Percentile Function Examples:

PERCENTILE( array, k )
array - The range of data values for which you want to calculate the k'th percentile
k - The value (between 0 and 1) of the required percentile

Percentile Function Examples

• Note that in the above examples:


• The value of k can be input as a decimal or a percentage - for example, value 0.2 in
cell B1, is the same as 20%, - the 20th percentile
• The 50th percentile (see cell B3) falls between the values of 3 and 4. Therefore, Excel
has interpolated, to produce the result 3.5

Rank Function Examples

i. number - The value for which you want to find the rank
ii. ref - An array of values containing the supplied number
iii. [order] - An optional argument which defines whether the ref list should be ordered in
ascending or descending order. The [order] argument can take the value 0 or 1, meaning:
0 - denotes descending order
1 - denotes ascending order
If the [order] argument is omitted, it will take the default value of 0 (i.e. descending
order). Any non-zero value is treated as the value 1 (i.e. ascending order)

Note that, in the above examples:

• The functions in cells B1 and B2 are the same - the order argument is omitted in cell
B1 and so it takes the default value of 0 (descending order)
• As the supplied array contains two values equal to 9, when the array is in descending
order, the number 9 has rank 2 (see the example in cell B4). However, as there are two
9's in the array, these account for positions 2 and 3 in the descending ordered array,
and so the next value, 8, has rank 4 (see cell B5)

Quartile Function Examples

i. array - The range of data values for which you want to calculate the specified quartile
ii. quart - An integer between 0 and 4, representing the required quartile
(if the supplied value of quart is not an integer, it is truncated)

Note that in the above examples:

• The 1st quartile (calculated in cell B2) falls halfway between the values of 1 and 2.
Therefore, Excel has interpolated the data, to produce the result 1.5
• Similarly, the 3rd quartile (calculated in cell B4) falls halfway between the values of 4
and 5. Therefore Excel has interpolated the data, to produce the result 4.5
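The bin counting, interpolation and tie handling described above for FREQUENCY, PERCENTILE, QUARTILE and RANK, written out in Python as an added example (not part of the original notes). The function names are hypothetical stand-ins for the Excel functions, bins are assumed to be in ascending order, and the sample data is constructed so that the results match the values the notes quote.

```python
import math

def frequency(data, bins):
    """Like FREQUENCY: one count per bin upper limit, plus one for values above the last bin."""
    counts = [0] * (len(bins) + 1)
    for value in data:
        for i, limit in enumerate(bins):     # bins assumed ascending
            if value <= limit:
                counts[i] += 1
                break
        else:
            counts[-1] += 1                  # larger than every bin limit
    return counts

def percentile(values, k):
    """Like PERCENTILE: k between 0 and 1, interpolating between neighbouring values."""
    if not values or not 0 <= k <= 1:
        raise ValueError("empty data or k outside 0..1 (Excel shows #NUM!)")
    ordered = sorted(values)
    position = k * (len(ordered) - 1)        # fractional index into the sorted data
    lower = math.floor(position)
    upper = min(lower + 1, len(ordered) - 1)
    fraction = position - lower
    return ordered[lower] + fraction * (ordered[upper] - ordered[lower])

def quartile(values, quart):
    """Like QUARTILE: quart 0..4, truncated if it is not an integer."""
    quart = int(quart)
    if not 0 <= quart <= 4:
        raise ValueError("quart must be between 0 and 4")
    return percentile(values, quart / 4)

def rank(number, ref, order=0):
    """Like RANK: tied values share a rank and the following rank numbers are skipped."""
    if number not in ref:
        raise ValueError("number is not in ref (Excel shows #N/A)")
    if order == 0:                           # descending: largest value has rank 1
        return 1 + sum(1 for v in ref if v > number)
    return 1 + sum(1 for v in ref if v < number)   # any non-zero order: ascending

# Constructed sample data.
AGES = [2, 4, 5, 7, 8, 9, 10, 3, 6, 11]      # ten children, as in cells A2 - A11
SCORES = [5, 9, 10, 9, 8]                    # contains two values equal to 9

if __name__ == "__main__":
    print("0-4, 5-8, 9+ :", frequency(AGES, [4, 8]))
    print("50th percentile of 1..6:", percentile([1, 2, 3, 4, 5, 6], 0.5))
    print("Q1, Q3 of 0..6:", quartile(range(7), 1), quartile(range(7), 3))
    print("rank of 9 and 8:", rank(9, SCORES), rank(8, SCORES))
```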

Logical Functions

Excel And Function Examples

Excel Or Function Examples

Excel Not Function Examples

Excel If Function Examples


Nesting the Excel If Function

=IF(A1=1,"red", IF(A1=2,"blue", IF(A1=3,"green", IF(A1=4,"brown",
IF(A1=5,"purple", IF(A1=6,"orange", IF(A1=7,"yellow",
IF(A1=8,"grey", IF(A1=9,"pink", "black" ) ) ) ) ) ) ) ) )

Xor Function Examples

1 FALSE
2 TRUE
3 TRUE
4 FALSE
5 FALSE
6 TRUE

NOTE:
The Xor function returns TRUE if an odd number of the supplied conditions evaluate to
TRUE, and returns FALSE otherwise.

Financial Functions

The syntax of the function is: FV( rate, nper, [pmt], [pv], [type] ), where the arguments
are as follows:

• rate - The interest rate, per period
• nper - The number of periods for the lifetime of the annuity
• [pmt] - An optional argument that specifies the payment per period
(if the [pmt] argument is omitted, the [pv] argument must be supplied)
• [pv] - An optional argument that specifies the present value of the annuity - i.e. the
amount that a series of future payments is worth now
(if the [pv] argument is omitted, it takes on the default value 0. Also, if [pv] is
omitted, the [pmt] argument must be supplied)
• [type] - An optional argument that defines whether the payment is made at the start or
the end of the period. The type argument can have the value 0 or 1, meaning:
0 - the payment is made at the end of the period
1 - the payment is made at the beginning of the period
If the type argument is omitted, it takes on the default value of 0 (denoting payments
made at the end of the period).

FV Function Example

Note that, in this example:

• The payments are made monthly, so we have had to convert the annual interest rate of
5% into the monthly rate (= 5%/12), and the 5-year period needs to be input as a
number of months (= 60)
• As the present value is zero, and the payment is to be made at the end of the month,
the [pv] and [type] arguments can be omitted from the above function.
• As the monthly payments are paid out, they are input to the function as negative
values.

The syntax of the function is: PV( rate, nper, pmt, [fv], [type] ), where the arguments are
as follows:

i. rate - The interest rate, per period
ii. nper - The number of periods for the lifetime of the annuity or investment
iii. pmt - An optional argument that specifies the payment per period (if the pmt
argument is omitted, the [fv] argument must be supplied)
iv. [fv] - An optional argument that specifies the future value of the annuity, at the end of
nper payments. If the [fv] argument is omitted, it takes on the default value 0.
v. [type] - An optional argument that defines whether the payment is made at the start or
the end of the period. The type argument can have the value 0 or 1, meaning:
0 - the payment is made at the end of the period
1 - the payment is made at the beginning of the period
If the type argument is omitted, it takes on the default value of 0 (denoting payments
made at the end of the period).

PV Function Example

Note that, in this example:

• The payments are made monthly, so we have had to convert the annual interest rate of
5% into the monthly rate (=5%/12), and the 5-year period needs to be input as a
number of months (=60)
• As the forecast value is zero, and the payment is to be made at the end of the month,
the [fv] and [type] arguments can be omitted from the above function.
• As the initial investment is paid out, the calculated present value is a negative cash
amount.

The syntax of the function is: PMT( rate, nper, pv, [fv], [type] ), where the arguments are as
follows:
i. rate - The interest rate, per period
ii. nper - The number of periods over which the loan or investment is to be paid
iii. pv - The present value of the loan / investment
iv. [fv] - An optional argument that specifies the future value of the loan / investment,
at the end of nper payments. If omitted, [fv] takes on the default value of 0
v. [type] - An optional argument that defines whether the payment is made at the
start or the end of the period. The type argument can have the value 0 or 1, meaning:
0 - the payment is made at the end of the period
1 - the payment is made at the beginning of the period
If the type argument is omitted, it takes on the default value of 0 (denoting
payments made at the end of the period).

PMT Function Example


Note that in this example:

• The payments are made monthly, so we have had to convert the annual interest rate of
5% into the monthly rate (=5%/12), and the number of years into months (=5*12).
• As the forecast value is zero, and the payment is to be made at the end of the month,
the [fv] and [type] arguments can be omitted from the above functions.
• The returned payments are negative values, as these represent outgoing payments (for
the individual taking out the loan).

The syntax of the function is: RATE( nper, pmt, pv, [fv], [type], [guess] ), where the
arguments are as follows:

i. nper - The number of periods over which the loan or investment is to be paid
ii. pmt - The (fixed) payment amount per period
iii. pv - The present value of the loan / investment
iv. [fv] - An optional argument that specifies the future value of the loan / investment, at
the end of nper payments. If omitted, [fv] takes on the default value of 0
v. [type] - An optional argument that defines whether the payment is made at the start or
the end of the period. The type argument can have the value 0 or 1, meaning:
0 - the payment is made at the end of the period
1 - the payment is made at the beginning of the period
If the type argument is omitted, it takes on the default value of 0 (denoting payments
made at the end of the period).
vi. [guess] - An initial estimate at what the rate will be.
If this argument is omitted, it will take on the default value of 10% (=0.1)
(Note this is only a value for Excel to start off working with - Excel then uses an
iterative procedure to converge to the correct rate)

RATE Function Example


In the above example:

• As the payments are made on a monthly basis, the number of periods must be
expressed in months (5 years = 60 months).
• As the payments are outgoing payments, the pmt argument is a negative value.
• The returned interest rate is a monthly rate. This can be converted to an annual
interest rate by multiplying by 12 (as shown in cell A4).

The format of the function is :

RECEIVED( settlement, maturity, investment, discount, [basis] ) where the arguments are as
shown in the table below:

i. settlement - The security's settlement date (ie. the date that the coupon is purchased)
ii. maturity - The security's maturity date (ie. the date that the coupon expires)
iii. investment - The initial amount invested into the security
iv. discount - The security's discount rate
v. [basis] - An optional argument which defines the day count basis to be used in the
calculation.

Possible values of the [basis] argument, and their meanings are:


RECEIVED Function Example

• The formula in the above spreadsheet returns the value $1,290.32.
• Note that, in this example, the [basis] argument is omitted and so takes on the default
of 0 (and therefore uses the US (NASD) 30/360 basis)
• Note also that, as recommended by Microsoft, the dates are not typed directly into the
function. Instead, in this example, the Excel Date function has been used.

NPV Function Example


The format of the function is : NPV( rate, value1, [value2], [value3], ... )
i. rate - The discount rate over one period
ii. value1, [value2], ... - Numeric values, representing payments and income, where :
iii. negative values are treated as payments
iv. positive values are treated as income

The syntax of the function is: NPER( rate, pmt, pv, [fv], [type] )
i. rate - The interest rate, per period
ii. pmt - The amount paid per period
iii. pv - The present value of the loan
iv. [fv] - An optional argument that specifies the future value of the loan, after the final
payment. If omitted, [fv] takes on the default value of 0
v. [type] - An optional argument that defines whether the payment is made at the start or
the end of the period. The type argument can have the value 0 or 1, meaning:
0 - the payment is made at the end of the period
1 - the payment is made at the beginning of the period
If the type argument is omitted, it takes on the default value of 0 (denoting payments
made at the end of the period).

Nper Function Examples


Note that in this example:

• The payment for the loan is input as a negative value, as this represents an outgoing
payment (for the individual taking out the loan)
• The payments are made monthly, so we have had to convert the annual interest rate of
4% into the monthly rate (=4%/12). Also the returned value from the Nper function is
in months - i.e. the result (rounded to the nearest whole month) is 55 months = 4
years, 7 months.
• As the forecast value is zero, and the payment is to be made at the end of the month,
the [fv] and [type] arguments can be omitted from the above function.

The syntax of the function is: IPMT( rate, per, nper, pv, [fv], [type] ), where the arguments
are as follows:
i. rate - The interest rate, per period
ii. per - The period for which the interest payment is to be calculated (must be an integer
between 1 and nper)
iii. nper - The number of periods over which the loan or investment is to be paid
iv. pv - The present value of the loan / investment
v. [fv] - An optional argument that specifies the future value of the loan / investment, at
the end of nper payments. If omitted, [fv] takes on the default value of 0
vi. [type] - An optional argument that defines whether the payment is made at the start or
the end of the period. The type argument can have the value 0 or 1, meaning:
0 - the payment is made at the end of the period
1 - the payment is made at the beginning of the period
If the type argument is omitted, it takes on the default value of 0 (denoting payments
made at the end of the period).

IPMT Function Examples


Note that in this example:

• The payments are made monthly, so we have had to convert the annual interest rate of
5% into the monthly rate (=5%/12), and the number of years into months (=5*12).
• As the forecast value is zero, and the payment is to be made at the end of the month,
the [fv] and [type] arguments can be omitted from the above functions.
• The returned interest payments are negative values, as these represent outgoing
payments (for the individual taking out the loan).
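FV, PV, PMT, NPER, IPMT and RATE all solve one cash-flow equation, which is why money paid out shows up as negative values in every example above. The Python sketch below is an added example, not part of the original notes: the xl_* names are hypothetical, IPMT is limited to end-of-period payments, and the amounts (a 50,000 loan, 1,000 monthly payments) are constructed around the 5% annual rate and 60 monthly periods the notes use.

```python
import math

# The equation behind all six functions (money paid out is negative):
#   pv*(1+rate)**nper + pmt*(1+rate*type)*((1+rate)**nper - 1)/rate + fv = 0

def annuity_factors(rate, nper, when=0):
    """Return (growth of 1 over nper periods, end value of 1 paid every period).

    `when` is Excel's [type] argument: 0 = paid at period end, 1 = at period start.
    """
    if rate == 0:
        return 1.0, float(nper)
    growth = (1 + rate) ** nper
    return growth, (1 + rate * when) * (growth - 1) / rate

def xl_fv(rate, nper, pmt=0.0, pv=0.0, when=0):
    growth, series = annuity_factors(rate, nper, when)
    return -(pv * growth + pmt * series)

def xl_pv(rate, nper, pmt=0.0, fv=0.0, when=0):
    growth, series = annuity_factors(rate, nper, when)
    return -(fv + pmt * series) / growth

def xl_pmt(rate, nper, pv, fv=0.0, when=0):
    growth, series = annuity_factors(rate, nper, when)
    return -(pv * growth + fv) / series

def xl_nper(rate, pmt, pv, fv=0.0, when=0):
    if rate == 0:
        return -(pv + fv) / pmt
    scaled = pmt * (1 + rate * when) / rate
    if scaled + pv == 0 or (scaled - fv) / (scaled + pv) <= 0:
        raise ValueError("payment never clears the balance (Excel shows #NUM!)")
    return math.log((scaled - fv) / (scaled + pv)) / math.log(1 + rate)

def xl_ipmt(rate, per, nper, pv, fv=0.0):
    """Interest part of payment number `per`, for end-of-period payments only."""
    if not 1 <= per <= nper:
        raise ValueError("per must be between 1 and nper")
    payment = xl_pmt(rate, nper, pv, fv)
    # xl_fv gives minus the balance still owed after per-1 payments.
    return xl_fv(rate, per - 1, payment, pv) * rate

def xl_rate(nper, pmt, pv, fv=0.0, when=0, guess=0.1, tol=1e-12, max_iter=100):
    """Iterate from `guess` (secant steps) until the cash-flow equation balances."""
    def residual(rate):
        growth, series = annuity_factors(rate, nper, when)
        return pv * growth + pmt * series + fv
    r0, r1 = guess, guess / 2
    f0, f1 = residual(r0), residual(r1)
    for _ in range(max_iter):
        if f1 == f0:
            break
        r0, r1, f0 = r1, r1 - f1 * (r1 - r0) / (f1 - f0), f1
        f1 = residual(r1)
        if abs(r1 - r0) < tol:
            return r1
    raise ValueError("no rate found from this guess (Excel shows #NUM!)")

if __name__ == "__main__":
    monthly, months = 0.05 / 12, 5 * 12          # annual rate and years converted
    payment = xl_pmt(monthly, months, 50_000)    # constructed loan amount
    print(f"PMT  {payment:10.2f}")
    print(f"IPMT {xl_ipmt(monthly, 1, months, 50_000):10.2f}  (first month)")
    print(f"NPER {xl_nper(monthly, payment, 50_000):10.2f}")
    print(f"RATE {xl_rate(months, payment, 50_000) * 12:10.4%}  (annualised)")
    print(f"FV   {xl_fv(monthly, months, -1_000):10.2f}")
    print(f"PV   {xl_pv(monthly, months, 1_000):10.2f}")
```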

The format of the function is: DB( cost, salvage, life, period, [month] ), where the arguments
are as follows:

i. cost - The initial cost of the asset
ii. salvage - The value of the asset at the end of the depreciation
iii. life - The number of periods over which the asset is to be depreciated
iv. period - The period number for which we want to calculate the depreciation
v. [month] - An optional argument that is used to specify a partial year for the first
period of depreciation. If the [month] argument is supplied, this should be an integer
that specifies how many months of the year are used in the calculation of the first
period of depreciation. The number of months in the last period of depreciation is then
calculated as 12 - [month]

Excel DB Function Example

• In the example below, the DB function is used to find the yearly depreciation of an
asset that cost $10,000 at the start of year 1, and has a salvage value of $1,000 after 5
years.
• Note that, in this example, the yearly rate of depreciation, calculated from the
equation 1-(Salvage/Cost)^(1/Life) is calculated to be 36.9%

The format of the function is: SLN(cost, salvage, life)

i. cost - The initial cost of the asset


ii. salvage - The value of the asset at the end of the depreciation
iii. life - The number of periods over which the asset is to be depreciated

SLN Function Examples

SYD Function Example


The format of the function is: SYD( cost, salvage, life, per ), where the arguments are as
follows:

i. cost - The initial cost of the asset
ii. salvage - The value of the asset at the end of the depreciation
iii. life - The number of periods over which the asset is to be depreciated
iv. per - The period number for which you want to calculate the depreciation
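The three depreciation methods side by side for the asset in the DB example above (cost $10,000, salvage $1,000, life 5 years), as an added Python example that is not part of the original notes. The lowercase function names are hypothetical stand-ins for DB, SLN and SYD; the DB rate is rounded to three decimal places, which gives the 36.9% quoted above.

```python
def sln(cost, salvage, life):
    """Straight line: the same charge in every period."""
    return (cost - salvage) / life

def syd(cost, salvage, life, per):
    """Sum-of-years' digits: weights life, life-1, ..., 1 over their total."""
    if not 1 <= per <= life:
        raise ValueError("per must be between 1 and life")
    return (cost - salvage) * (life - per + 1) * 2 / (life * (life + 1))

def db_rate(cost, salvage, life):
    """Fixed declining balance rate, 1-(Salvage/Cost)^(1/Life), to 3 decimals."""
    return round(1 - (salvage / cost) ** (1 / life), 3)

def db(cost, salvage, life, period, month=12):
    """Fixed declining balance charge for `period`.

    `month` is the number of months used in the first period; when it is less
    than 12 the remaining 12 - month months fall into an extra period life + 1.
    """
    last_period = life if month == 12 else life + 1
    if not 1 <= period <= last_period:
        raise ValueError("period is outside the depreciation life")
    rate = db_rate(cost, salvage, life)
    written_off = 0.0
    for p in range(1, period + 1):
        if p == 1:
            charge = cost * rate * month / 12
        elif p == life + 1:
            charge = (cost - written_off) * rate * (12 - month) / 12
        else:
            charge = (cost - written_off) * rate
        written_off += charge
    return charge

def schedule(cost, salvage, life):
    """One row per year: (year, SLN, SYD, DB)."""
    return [(year, sln(cost, salvage, life), syd(cost, salvage, life, year),
             db(cost, salvage, life, year)) for year in range(1, life + 1)]

if __name__ == "__main__":
    print("rate used by DB:", db_rate(10_000, 1_000, 5))
    print("year       SLN       SYD        DB")
    for year, straight, digits, declining in schedule(10_000, 1_000, 5):
        print(f"{year:4d} {straight:9.2f} {digits:9.2f} {declining:9.2f}")
```

Because the DB rate is rounded, the five DB charges add up to slightly less than cost minus salvage, whereas SLN and SYD write off exactly 9,000.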
Irr Function Example

The syntax of the function is: IRR( values, [guess] ), where the arguments are as follows:

• values - A reference to a range of cells containing the series of cash flows (investment
and net income values) (must contain at least one negative and at least one positive
value)
• [guess] - An initial guess at what you think the IRR might be. This is an optional
argument, which, if omitted, takes on the default value of 10% (=0.1)

• In the spreadsheet below, the cash flow for an investment is shown in cells B1 - B6.
The initial investment of $100 is shown in cell B1 and the net income over the next 5
years is shown in cells B2 - B6.
• The IRR function in cell D2 shows the calculation of the Internal Rate of Return after
3 years and the function in cell D4 shows the Internal Rate of Return after 5 years.

Keyboard Shortcuts

Here are some basic keyboard shortcuts:

• Shift + arrow key = highlight information
• CTRL + A = Select All
• CTRL + C = Copy Information
• CTRL + X = Cut Information
• CTRL + V = Paste Information
• CTRL + Z = Undo Information
• HOME = Move to the beginning of the worksheet

VLOOKUP FUNCTION

VLOOKUP is one of Excel's built-in functions. It is used to find a value in the left-hand
column of a vertical array of data and return the corresponding value from another column
in the same array. In other words, it looks up a supplied value in the first column of a
table and returns the corresponding value from another column.

Vlookup Syntax: The syntax for the Excel Vlookup function is:
VLOOKUP( lookup_value, table_array, col_index_num, [range_lookup] )
where the function arguments are:

i. lookup_value - The value that you want to search for
ii. table_array - The array of data that is to be searched for the lookup value. The
Vlookup function searches in the left-most column of the table_array
iii. col_index_num - The column number of the supplied table_array, that you want to
return a value from
iv. [range_lookup] - An optional logical argument, which can be set to TRUE or FALSE,
meaning:
TRUE - Find the closest match below the lookup_value if the exact value is not found
(Note: with this option, the left-hand column of the table_array must be in ascending
order)
FALSE - Find an exact match to the lookup_value - if an exact match is not found, the
function returns an error
If the [range_lookup] value is omitted, it takes the default value of TRUE

Vlookup Example with Exact Match


Vlookup Example With Closest Match

HLOOKUP FUNCTION

Looks up a supplied value in the first row of a table, and returns the corresponding value
from another row.

HLOOKUP (lookup_value, table_array, row_index_num, [range_lookup])

i. lookup_value - The value that you want to look for, in the first row of the supplied
data array
ii. table_array - The data array or table, that you want to search the first row of, for the
supplied lookup_value
iii. row_index_num - The row number, within the supplied array, that you want the
corresponding value to be returned from
iv. [range_lookup] - An optional logical argument, which can be set to TRUE or FALSE,
meaning:
TRUE - if the function cannot find an exact match to the supplied lookup_value, it
should use the closest match below the supplied value (Note: If range_lookup is set to
TRUE, the top row of the table_array must be in ascending order)
FALSE - if the function cannot find an exact match to the supplied lookup_value, it
should return an error
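The difference between the exact-match and closest-match modes of VLOOKUP and HLOOKUP, and the reason the first column must be in ascending order when range_lookup is TRUE, shown as an added Python example (not part of the original notes). The function names and all tables are constructed for illustration, and the closest-match search is a binary search, so on unsorted keys it can return the wrong row without any error.

```python
from bisect import bisect_right

def vlookup(lookup_value, table_array, col_index_num, range_lookup=True):
    """Search the first column of table_array (a list of rows), return another column."""
    if not 1 <= col_index_num <= len(table_array[0]):
        raise IndexError("col_index_num is outside the table")
    keys = [row[0] for row in table_array]
    if range_lookup:
        # Closest match below lookup_value: only valid if keys are ascending.
        i = bisect_right(keys, lookup_value) - 1
        if i < 0:
            raise LookupError("#N/A")          # lookup_value is below every key
    else:
        if lookup_value not in keys:
            raise LookupError("#N/A")          # exact match required, none found
        i = keys.index(lookup_value)
    return table_array[i][col_index_num - 1]

def hlookup(lookup_value, table_array, row_index_num, range_lookup=True):
    """Same search along the first row: transpose the table and reuse vlookup."""
    columns = [list(column) for column in zip(*table_array)]
    return vlookup(lookup_value, columns, row_index_num, range_lookup)

def try_lookup(function, *args):
    """Return the lookup result, or the text '#N/A' where Excel would show an error."""
    try:
        return function(*args)
    except LookupError:
        return "#N/A"

# Constructed sample tables.
COMMISSION = [(0, 0.00), (1000, 0.02), (5000, 0.05), (10000, 0.08)]  # sales -> rate
UNSORTED = [(30, "thirty"), (10, "ten"), (20, "twenty")]             # keys not ascending
QUARTERS = [("Q1", "Q2", "Q3"), (100, 120, 90)]                      # keys in first row

if __name__ == "__main__":
    print(vlookup(7200, COMMISSION, 2))                    # closest match below 7200
    print(try_lookup(vlookup, 7200, COMMISSION, 2, False)) # no exact match
    print(vlookup(30, UNSORTED, 2))                        # wrong row, no error raised
    print(vlookup(30, UNSORTED, 2, False))                 # exact match is still right
    print(hlookup("Q2", QUARTERS, 2, False))
```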
Sorting data

Sorting data is an integral part of data analysis. Whether you want to put a list of names in
alphabetical order, compile a list of product inventory levels from highest to lowest, or order
rows by colors or icons, sorting data helps to quickly visualize and understand the data better,
organize and find the data that is required, and ultimately make more effective decisions.

Conditional Formatting

Conditional Formatting allows you to change the appearance of a cell, depending on
certain conditions.

Filtering Data

Filtering hides the rows or columns containing data that do not meet the filter criteria
defined.

Excel Pivot Tables

Excel Pivot Tables are tables, that are produced by Excel, to summarize large amounts
of data in a spreadsheet.

Pivot table report feature enables you to structure and summarize the data from worksheet
lists in a variety of ways. Pivot tables are flexible as they enable you to easily filter fields or
move them in and out of column and row areas.
Creating a pivot table report
Below is the database about Income and Expenditure of three different countries for the first
quarter of the year.
Steps in creating a pivot table report in Excel 2007
1. Creating a pivot table comprises 3 steps.
2. Keep your cursor somewhere on the database.
3. Go to the Insert option, then click on the pivot table, where you can see two drop-downs, i.e.
pivot table and pivot chart. Click on the pivot table (refer to the screenshot below).

4. Once you click on the pivot table, you will get the screenshot below. Select the options as
selected in the screenshot (always selected by default) and always choose the option New
Worksheet so that you can see your output in the new sheet. Then click OK.
5. Once you click on OK, it will take you directly to the layout below.

6. From the above screenshot, at the right-hand side you can see the 4 variable names, which
are field buttons in the pivot table. These are the variables which we need to drag and drop into
the 4 chambers below (Report filter, Column labels area, Row labels area and Value area).
7. Now drag and drop the variables as below (refer to the screenshot below).
8. Once you drag and drop the variables, your pivot results appear as below.

9. Once you get the results, you can interchange the variables from column to row and row to
column area and view the information the way you want.
10. A pivot table by default gives the sum of the data. In case you want to change it to average,
product or other summary functions, click on the field settings, select the option and
click OK.

Goal Seek
Goal Seek is a problem-solving feature in Excel which helps to find solutions to complex
problems with what-if analysis.
Example:
Suppose you are an agent for a travel company. You’re working with an Excel sheet that details
booking information to Hong Kong.
Note: Ensure that the data is formula oriented.
The screenshots below show that we have already reached total bookings of 112,500 by charging a
deposit fee of 150 / person, but our expected target is 140,000. So increase the deposit fee to
reach the target by using Goal Seek.
Steps
1. Click on Tools – Goal Seek.
2. Once you get the Goal Seek dialogue box, select cell C6 in Set target cell, because this is our
current output.
3. Then manually type the expected output / target, i.e. 140,000, in the To value column.
4. Then select cell B6 in the By changing value column, because that acts as the changing variable.
(See the below screenshot)
5. You have succeeded in reaching the desired target. (Refer below screenshot)

What-if analysis
What-if analysis is the process of changing the values in cells to see how those changes will
affect the outcome of formulas on the worksheet.
Three kinds of what-if analysis tools come with Excel:
• scenarios,
• data tables, and
• Goal Seek.
Scenarios and data tables take sets of input values and determine possible results. A data
table works only with one or two variables, but it can accept many different values for those
variables. A scenario can have multiple variables, but it can accommodate only up to 32
values. Goal Seek works differently from scenarios and data tables in that it takes a result and
determines possible input values that produce that result.
In addition to these three tools, you can install add-ins that help you perform what-if analysis,
such as the Solver add-in.

The Solver add-in is similar to Goal Seek, but it can accommodate more variables. You can
also create forecasts by using the fill handle and various commands that are built into Excel.
For more advanced models, you can use the Analysis Pack add-in.

1. Use scenarios to consider many different variables


A scenario is a set of values that Excel saves and can substitute automatically in cells on a
worksheet. You can create and save different groups of values on a worksheet and then switch
to any of these new scenarios to view different results.
For example, suppose you have two budget scenarios: a worst case and a best case. You can
use the Scenario Manager to create both scenarios on the same worksheet, and then switch
between them. For each scenario, you specify the cells that change and the values to use for
that scenario. When you switch between scenarios, the result cell changes to reflect the
different changing cell values.

Worst case scenario


1. Changing cells
2. Result cell

Best case scenario


1. Changing cells
2. Result cell
If several people have specific information in separate workbooks that you want to use in
scenarios, you can collect those workbooks and merge their scenarios.
After you have created or gathered all the scenarios that you need, you can create a scenario
summary report that incorporates information from those scenarios. A scenario report
displays all the scenario information in one table on a new worksheet.

Scenario summary report

NOTE: Scenario reports are not automatically recalculated. If you change the values of a
scenario, those changes will not show up in an existing summary report. Instead, you must
create a new summary report.

2. Use Goal Seek to find out how to get a desired result


If you know the result that you want from a formula, but you are not sure what input value
the formula requires to get that result, you can use the Goal Seek feature. For example,
suppose that you need to borrow some money. You know how much money you want, how
long a period you want in which to pay off the loan, and how much you can afford to pay
each month. You can use Goal Seek to determine what interest rate you must secure in order
to meet your loan goal.

NOTE: Goal Seek works with only one variable input value. If you want to determine more
than one input value, for example, the loan amount and the monthly payment amount for a
loan, you should instead use the Solver add-in.
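What Goal Seek does, for both the Hong Kong booking example earlier and the loan example above, written as an added Python example that is not part of the original notes. It assumes the booking total is the deposit fee times the number of people booked (750, implied by 112,500 at 150 per person); the loan figures (100,000 over 180 months, 900 per month) are constructed, and the secant iteration is one common way to search for the input, not a statement of Excel's internal method.

```python
def goal_seek(formula, target, start, tol=1e-7, max_iter=100):
    """Find an input near `start` for which formula(input) equals `target`.

    Only one input is varied, which is the limitation the note above describes.
    """
    x0 = start
    x1 = start * 1.01 if start else 0.01       # second trial value close to the first
    miss0, miss1 = formula(x0) - target, formula(x1) - target
    for _ in range(max_iter):
        if abs(miss1) < tol:
            return x1
        if miss1 == miss0:
            break                              # changing the input has no effect
        x0, x1, miss0 = x1, x1 - miss1 * (x1 - x0) / (miss1 - miss0), miss1
        miss1 = formula(x1) - target
    raise ValueError("Goal Seek could not find a solution")

# Booking sheet: assumed formula, total = people booked x deposit fee.
PEOPLE_BOOKED = 112_500 / 150                  # 750 people, from the figures in the notes

def total_bookings(deposit_fee):
    return PEOPLE_BOOKED * deposit_fee

def fee_for_target(target=140_000):
    """Deposit fee per person needed to reach the target total, starting from 150."""
    return goal_seek(total_bookings, target, start=150)

# Loan sheet (constructed figures): monthly payment as a function of the annual rate.
def monthly_payment(annual_rate, principal=100_000, months=180):
    rate = annual_rate / 12
    return principal * rate / (1 - (1 + rate) ** -months)

def rate_for_payment(payment=900):
    """Annual interest rate at which the loan costs `payment` per month."""
    return goal_seek(monthly_payment, payment, start=0.05)

if __name__ == "__main__":
    print(f"deposit fee needed: {fee_for_target():.2f}")
    print(f"interest rate to secure: {rate_for_payment():.2%}")
```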

3. Use data tables to see the effects of one or two variables on a formula
If you have a formula that uses one or two variables, or multiple formulas that all use one
common variable, you can use a data table to see all the outcomes in one place. Using data
tables makes it easy to examine a range of possibilities at a glance. Because you focus on
only one or two variables, results are easy to read and share in tabular form. If automatic
recalculation is enabled for the workbook, the data in data tables immediately recalculates; as
a result, you always have fresh data.

A one-variable data table

A data table cannot accommodate more than two variables. If you want to analyze more than
two variables, you can use scenarios. Although it is limited to only one or two variables, a
data table can use as many different variable values as you want. A scenario can have a
maximum of 32 different values, but you can create as many scenarios as you want.
