Set D - Digital Ecosystem & Controls

The document provides a comprehensive guide on Digital Ecosystem & Controls, structured chapter-wise with detailed content, examples, and mnemonics for exam preparation. It covers key concepts such as governance, risk management, compliance frameworks, and information system security, emphasizing the importance of aligning IT strategy with business objectives. Each chapter includes practical examples and mnemonics to aid understanding and retention of the material.

Uploaded by palak agarwal

In-depth Summary, Detailed Chapter-wise Content with Examples and Mnemonics – 38 Pages

DIGITAL ECOSYSTEM & CONTROLS
SPOM: SET - D

SHAH ALI
2025
SET–D: Digital Ecosystem & Controls

Exam Preparation: Digital Ecosystem & Controls - Detailed Chapter-wise Content with Examples and Mnemonics

Here's an in-depth summary, organized chapter-wise, with detailed content, specific examples, and helpful mnemonics to enhance your understanding and retention for the exam.

Unit 1: Governance and Management of Digital Ecosystem


Chapter 1: Concepts of Governance and IT Strategy
● Governance Overview:
○ Definition: Governance refers to the framework of accountability,
established through decision-making processes and control mechanisms,
that ensures an organization achieves its objectives. It clarifies who makes
decisions, who is accountable, and how controls are implemented.
○ Types of Governance:
■ Corporate Governance: The system by which companies are directed
and controlled. It involves a set of relationships between a company's
management, its board, its shareholders, and other stakeholders. It
provides the structure through which the objectives of the company are
set, and the means of attaining those objectives and monitoring
performance are determined.
■ Enterprise Governance: A broader concept encompassing corporate
governance, risk management, and compliance across the entire
enterprise. It focuses on value creation for stakeholders by balancing
performance with conformance.
■ IT Governance: A subset of enterprise governance, specifically focusing
on the effective and efficient use of IT to support business objectives. It
ensures that IT investments deliver value, IT risks are managed
appropriately, and IT operations are aligned with the overall business
strategy.
○ Mnemonic for Governance Types: C.E.I.T.
■ Corporate Governance (Board/Shareholders)
■ Enterprise Governance (Entire Org's Value Creation)
■ IT Governance (IT for Business Value)
○ Example: A company's Corporate Governance board decides to expand into
new international markets. This strategic decision then drives the IT
Governance framework to ensure that the necessary IT infrastructure, secure
data handling systems, and local compliance requirements are met to support
this expansion, contributing to overall Enterprise Governance.
● Aligning IT Strategy with Business Strategy:
○ Importance: Critical for maximizing business value from IT investments.
Misalignment can lead to wasted resources, missed opportunities, and
competitive disadvantage.
○ Steps:
1. Understand Business Objectives: Deep comprehension of the
organization's mission, vision, and strategic goals.
2. Assess Current IT Capabilities: Evaluate existing IT infrastructure,
applications, resources, and their performance.
3. Identify Gaps: Determine what IT capabilities are missing or inadequate
to support the business objectives.
4. Define Target IT Capabilities: Outline the desired future state of IT that
will enable business strategy.
5. Develop IT Strategy and Roadmap: Formulate a plan, including specific
initiatives, timelines, resource allocation, and metrics, to achieve the
target IT capabilities.
○ Example: A healthcare provider decides to improve patient care by offering
telemedicine services (Business Strategy). The IT strategy must then focus on
developing a secure, reliable, and user-friendly telemedicine platform,
ensuring data privacy compliance, and integrating it with existing patient
record systems.
● Frameworks to Support IT Governance:
○ COBIT (Control Objectives for Information and Related Technologies): A
globally recognized framework for governance and management of
enterprise IT. It provides a comprehensive model to help organizations
achieve their objectives through the effective and efficient use of information
and technology.
■ Key Principles of COBIT 5:
1. Meeting Stakeholder Needs: Customizing enterprise goals into IT-
related goals and then into enabler goals.
2. Covering the Enterprise End-to-End: Integrates IT governance into
enterprise governance, covering all functions and processes.
3. Applying a Single, Integrated Framework: Provides a holistic view
of IT governance and management.
4. Enabling a Holistic Approach: Considers seven enablers (Principles,
Policies & Frameworks; Processes; Organizational Structures; Culture,
Ethics & Behaviour; Information; Services, Infrastructure &
Applications; People, Skills & Competencies).
5. Separating Governance from Management: Clearly distinguishes
between governance (setting direction, monitoring) and management
(planning, executing, controlling).
■ 5 Domains (Mnemonic: A.B.D.M. for the acronyms, or All Beautiful
Damsels Make Excellent Auditors for the full names):
■ APO (Align, Plan, Organize): Addresses the overall organization,
strategy, and supporting IT activities. Focuses on strategic alignment,
IT service portfolio management, enterprise architecture.
■ Example: Defining the IT strategy roadmap to support digital
transformation initiatives.
■ BAI (Build, Acquire, Implement): Focuses on defining, acquiring, and
implementing IT solutions and services. Covers requirements
definition, solution development, change management, and testing.
■ Example: Developing a new mobile application for customer
engagement, ensuring it meets all specified functional and non-
functional requirements.
■ DSS (Deliver, Service, Support): Addresses operational delivery and
support of IT services, including security and business process
operations. Covers service requests, incident management, problem
management, security services.
■ Example: Ensuring the continuous availability of critical business
applications and providing prompt resolution to user issues.
■ MEA (Monitor, Evaluate, Assess): Deals with performance
monitoring, compliance, and governance. Covers monitoring
performance, internal control, compliance with external requirements,
and assuring governance.
■ Example: Regularly reviewing IT performance metrics and
conducting internal audits to ensure compliance with data privacy
regulations.
○ ITIL (Information Technology Infrastructure Library): A widely accepted
framework providing a set of detailed practices for IT service management
(ITSM). It aims to align IT services with the needs of the business.
■ Key Concepts/Phases:
1. Service Strategy: Defines the perspective, position, plans, and
patterns that a service provider needs to execute to meet the
business outcomes.
2. Service Design: Designs new or changed services and processes for
service management. Focuses on designing effective and efficient
services.
3. Service Transition: Builds and deploys IT services. Ensures that
changes to services and service management processes are
coordinated.
4. Service Operation: Delivers and supports IT services on an ongoing
basis. Manages the daily activities of the IT services.
5. Continual Service Improvement (CSI): Creates and maintains value
for customers through better design, introduction, and operation of
services.
■ Example: Implementing ITIL's "Incident Management" process (under
Service Operation) to standardize how IT issues (e.g., system crashes) are
reported, categorized, prioritized, and resolved to minimize disruption to
users.
○ ISO 27001 (Information Security Management System - ISMS): An
international standard that provides a framework for establishing,
implementing, maintaining, and continually improving an Information Security
Management System within an organization.
■ Focus: Protecting the confidentiality, integrity, and availability (CIA triad)
of information.
■ Requirements: Covers risk assessment, risk treatment, security controls,
internal audits, management review, and continuous improvement.
■ Example: An organization achieves ISO 27001 certification by
demonstrating that it has a systematic approach to managing sensitive
company and customer information, protecting it from unauthorized
access, loss, and damage.

Chapter 2: Governance, Risk and Compliance (GRC) Framework


● GRC Fundamentals:
○ Governance: The system by which the organization is directed and
controlled. It defines responsibilities, decision-making rights, and internal
controls.
○ Risk: The effect of uncertainty on objectives. It is the possibility of an event
occurring that will have an impact on the achievement of objectives. Risks can
be positive (opportunities) or negative (threats).
○ Compliance: Adhering to relevant laws, regulations, internal policies, and
ethical standards.
○ Integration: GRC is a holistic approach to managing an organization's overall
governance, enterprise risk management, and compliance with regulations. It
aims to integrate these functions to improve decision-making and reduce
redundant efforts.
● Risk Concepts:
○ Asset: Anything of value to the organization (e.g., data, hardware, software,
people, reputation).
○ Vulnerability: A weakness in an asset or control that could be exploited by a
threat. (e.g., unpatched software, weak password policy).
○ Threat: A potential cause of an unwanted incident, which may result in harm
to a system or organization. (e.g., hacker, natural disaster, malware).
○ Risk: The likelihood of a threat exploiting a vulnerability and the impact of
that exploitation. (Risk = Likelihood x Impact).
○ Exposure: The extent of potential loss from a risk event.
○ Safeguard/Control: A measure put in place to reduce risk.
● Sources of Risk:
○ Internal: Human error, system failure, internal fraud, inadequate policies,
operational inefficiencies.
○ External: Natural disasters, cyber-attacks, market fluctuations, regulatory
changes, supply chain disruptions.
● Levels of Risk:
○ Enterprise Level: Risks affecting the entire organization's strategic
objectives (e.g., market entry of a disruptive technology).
○ Business Unit Level: Risks specific to a department or division (e.g., a sales
team missing its targets).
○ Process Level: Risks inherent in specific operational processes (e.g., errors
in data entry in the billing process).
● Types of Risk:
○ Strategic Risk: Risks related to the organization's strategic decisions and
objectives, affecting long-term goals.
■ Example: A company failing to innovate and being surpassed by
competitors (like Kodak's failure to adapt to digital photography).
○ Operational Risk: Risks arising from inadequate or failed internal processes,
people, and systems, or from external events.
■ Example: Data entry errors, system downtime, employee fraud, supply
chain disruptions.
○ Financial Risk: Risks related to financial transactions, market movements,
credit, and liquidity.
■ Example: Fluctuations in exchange rates impacting profit margins,
difficulty in collecting receivables.
○ Compliance Risk: Risks of non-compliance with laws, regulations, and
internal policies.
■ Example: Penalties for violating data privacy laws like GDPR or DPDPA.
○ Reputational Risk: Risks associated with damage to an organization's
reputation or brand image.
■ Example: Negative media coverage due to a product defect or data
breach.
○ Cyber Risk: Risks related to cyber-attacks, data breaches, and other digital
security incidents.
■ Example: Ransomware attack encrypting critical business data.
● Risk Management Strategies (Mnemonic: A.R.S.A. - Avoid, Reduce, Share,
Accept):
○ Avoidance: Eliminating the activity that gives rise to the risk.
■ Example: Deciding not to enter a high-risk market.
○ Reduction/Mitigation: Implementing controls to lower the likelihood or
impact of the risk.
■ Example: Implementing firewalls and intrusion detection systems to
reduce cyber-attack risk.
○ Sharing/Transfer: Transferring the risk to a third party.
■ Example: Purchasing insurance against property damage, outsourcing IT
services.
○ Acceptance: Acknowledging the risk and its potential impact, and taking no
action to mitigate it, usually because the cost of mitigation outweighs the
potential loss.
■ Example: Accepting the risk of a minor, infrequent software bug that has
minimal impact.
● Malicious Attacks & Software and Countermeasures:
○ Phishing: Deceptive emails/messages to trick users into revealing sensitive
information.
■ Countermeasure: User training, email filters, multi-factor authentication.
○ Denial of Service (DoS)/Distributed DoS (DDoS): Overwhelming a system
with traffic to make it unavailable.
■ Countermeasure: Load balancers, firewalls, DDoS protection services.
○ Malware (Malicious Software):
■ Viruses: Self-replicating programs that attach to legitimate files.
■ Worms: Self-replicating, standalone malware that spreads across
networks.
■ Trojan Horses: Disguised as legitimate software, performs malicious
activities.
■ Ransomware: Encrypts data and demands payment for decryption key.
■ Spyware: Gathers information secretly.
■ Adware: Displays unwanted advertisements.
■ Rootkits: Hides malicious processes on a system.
■ Countermeasures: Antivirus/anti-malware software, regular patching,
network segmentation, strong access controls, user awareness training,
data backups.

Chapter 3: Enterprise Risk Management Framework


● ERM Overview:
○ Definition: A process, effected by an entity's board of directors,
management, and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity,
and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives (COSO).
○ Benefits of ERM:
■ Increased Positive Outcomes and Reduced Negative Surprises: By
proactively identifying and managing risks and opportunities.
■ Improved Resource Deployment: Optimizing allocation of capital and
operational resources.
■ Enhanced Enterprise Resilience: Ability to withstand and recover from
adverse events, ensuring survival and growth.
■ Better Decision Making: Integrating risk information into strategic and
operational decisions.
■ Improved Organizational Learning: Continuous adaptation based on
risk experiences.
● COSO ERM Framework (COSO Enterprise Risk Management—Integrating
with Strategy and Performance):
○ Eight Components (Mnemonic: I.O.E.R.C.I.M. - Internal Environment,
Objective Setting, Event Identification, Risk Assessment, Risk Response,
Control Activities, Information & Communication, Monitoring
Activities):
1. Internal Environment: The tone of an organization, influencing risk
consciousness. Includes ethical values, risk appetite, organizational
structure, assignment of authority and responsibility.
2. Objective Setting: Establishing strategic, operations, reporting, and
compliance objectives. Risks are identified and assessed relative to these
objectives.
3. Event Identification: Identifying internal and external events that could
affect the achievement of objectives. Events can be risks or
opportunities.
4. Risk Assessment: Analyzing identified risks for likelihood and impact.
Includes inherent risk (risk before controls) and residual risk (risk after
controls).
5. Risk Response: Selecting appropriate responses to risks: Avoidance,
Reduction, Sharing, Acceptance.
6. Control Activities: Policies and procedures to ensure that risk responses
are effectively carried out (e.g., authorization, reconciliations, segregation
of duties).
7. Information & Communication: Identifying, capturing, and
communicating relevant information in a timely manner. Internal and
external communication is crucial.
8. Monitoring Activities: Ongoing evaluations or separate evaluations to
ascertain whether the components of ERM are present and functioning
effectively.
● PIML Cycle (Plan, Implement, Measure, Learn): A continuous improvement
cycle for implementing and maturing ERM.
○ Plan: Define the ERM scope, objectives, policies, and procedures.
○ Implement: Put the ERM framework into practice, integrate it into daily
operations.
○ Measure: Monitor and assess the effectiveness of risk responses and the
ERM program.
○ Learn: Review performance, identify areas for improvement, and adapt the
ERM approach based on lessons learned.

Chapter 4: Information System Security Policy


● Components of an Information System:
○ Hardware: Physical components (e.g., servers, computers, network devices).
○ Software: Programs and applications (e.g., operating systems, databases,
business applications).
○ Network: Communication infrastructure connecting components (e.g.,
internet, LAN, WAN).
○ Data: Raw facts and figures, processed information (e.g., customer records,
financial transactions).
○ People: Users, operators, administrators, developers who interact with the
system.
○ Procedures: Policies, guidelines, and instructions for system usage and
operation.
● Need for Protection of Information Systems:
○ Confidentiality: Protect sensitive information from unauthorized disclosure.
○ Integrity: Ensure information is accurate, complete, and protected from
unauthorized modification.
○ Availability: Ensure information and systems are accessible to authorized
users when needed.
○ Compliance: Meet legal and regulatory requirements.
○ Reputation: Safeguard organizational image and trust.
○ Financial Impact: Prevent financial losses due to fraud, data breaches, or
system downtime.
● Information Security Principles (Mnemonic: C.I.A. Triad):
○ Confidentiality: Ensuring that information is accessible only to those
authorized to have access.
■ Threats: Unauthorized access, eavesdropping, social engineering.
■ Controls: Encryption, access controls (passwords, MFA), data
classification.
■ Example: Protecting customer credit card details using encryption.
○ Integrity: Safeguarding the accuracy and completeness of information and
processing methods.
■ Threats: Unauthorized modification, data corruption, malware.
■ Controls: Hashing, digital signatures, version control, access controls,
input validation.
■ Example: Ensuring that financial transactions are not altered without
proper authorization.
○ Availability: Ensuring that authorized users have timely and uninterrupted
access to information and resources.
■ Threats: DoS attacks, hardware failures, power outages, natural disasters.
■ Controls: Redundancy, backups, disaster recovery plans, load balancing,
regular maintenance.
■ Example: Implementing redundant servers to ensure a website remains
accessible even if one server fails.
● Information Security Policy: A formal statement of management's intent
regarding information security.
○ Purpose: To provide a framework for information security, define
responsibilities, and outline acceptable use of IT resources.
○ Key Elements:
■ Scope and Objectives: What the policy covers and aims to achieve.
■ Roles and Responsibilities: Who is accountable for what aspects of
security.
■ Acceptable Use Policy (AUP): Rules for using company IT resources.
■ Access Control Policy: How access rights are granted and managed.
■ Data Classification Policy: How data is categorized based on sensitivity.
■ Password Policy: Requirements for strong passwords.
■ Incident Response Policy: Procedures for handling security incidents.
■ Compliance Statement: Adherence to laws and regulations.
○ Standards, Guidelines, Procedures:
■ Standards: Mandatory rules specifying how a policy is to be implemented
(e.g., "All passwords must be at least 12 characters").
■ Guidelines: Recommended actions to achieve security objectives (e.g., "It
is recommended to change passwords every 90 days").
■ Procedures: Step-by-step instructions for performing tasks securely
(e.g., "Steps for resetting a user's password").
● Monitoring of Information Security:
○ Tools: Intrusion Detection Systems (IDS), Security Information and Event
Management (SIEM) systems, vulnerability scanners, audit logs.
○ Techniques: Regular security audits, penetration testing, vulnerability
assessments, security awareness training, continuous monitoring.

Chapter 5: Business Continuity Planning and Disaster Recovery Planning


● BCM (Business Continuity Management):
○ Definition: A holistic management process that identifies potential threats to
an organization and the impacts to business operations those threats, if
realized, might cause, and which provides a framework for building
organizational resilience with the capability of an effective response that
safeguards the interests of its key stakeholders, reputation, brand, and
value-creating activities.
○ Objectives: To ensure that critical business functions can continue to
operate during and after a disruption.
○ Phases: Policy and Program Management, Business Impact Analysis, Risk
Assessment, Strategy Development, Plan Development, Training & Testing,
Maintenance.
● BCP (Business Continuity Plan):
○ Definition: A documented collection of procedures and information that is
developed, compiled, and maintained in readiness for use in an incident to
enable an organization to continue to deliver its critical products and
services at an acceptable predefined level following a disruption.
○ Development Process:
1. Business Impact Analysis (BIA): Identifies critical business functions
and the impact of their disruption (e.g., financial, reputational).
Determines RTO (Recovery Time Objective – maximum tolerable
downtime) and RPO (Recovery Point Objective – maximum tolerable data
loss).
2. Risk Assessment: Identifies potential threats and vulnerabilities.
3. Strategy Development: Develops strategies to recover critical functions
(e.g., alternate sites, redundant systems).
4. Plan Development: Documenting procedures for response, recovery,
and resumption.
5. Training & Testing: Regularly training staff and testing the plan to ensure
effectiveness.
6. Maintenance: Reviewing and updating the plan periodically.
○ Key Elements: Emergency contact lists, incident response procedures,
communication plans, recovery teams, vital records management, alternate
site arrangements.
● DRP (Disaster Recovery Plan):
○ Definition: A documented process or set of procedures to recover and
protect a business IT infrastructure in the event of a disaster. It is a subset
of BCP, focusing specifically on IT systems.
○ Focus: Rapid recovery of IT hardware, software, and data.
○ Types of Recovery Sites:
■ Hot Site: A fully equipped off-site data center that has all the necessary
hardware, software, and connectivity to immediately resume operations.
(Highest cost, fastest recovery).
■ Warm Site: A partially equipped site with basic infrastructure but requires
additional hardware/software installation. (Moderate cost, moderate
recovery time).
■ Cold Site: A basic space with power and connectivity but no equipment.
Requires significant time and effort to set up. (Lowest cost, slowest
recovery).
● Incident Management Plan (IMP):
○ Definition: A structured approach to responding to and managing security
incidents.
○ Steps:
1. Preparation: Establishing policies, procedures, and teams.
2. Detection & Analysis: Identifying and analyzing incidents.
3. Containment: Limiting the damage and preventing spread.
4. Eradication: Removing the cause of the incident.
5. Recovery: Restoring affected systems and data.
6. Post-Incident Activity: Lessons learned, documentation, process
improvement.
● Types of Backups: Critical for data recovery and business continuity.
○ Full Backup: Copies all selected data (files, folders, drives) every time.
■ Advantages: Simplest to restore (single backup set).
■ Disadvantages: Most time-consuming, requires most storage space.
○ Incremental Backup: After an initial full backup, only backs up data that has
changed since the last backup (full or incremental).
■ Advantages: Fastest backup time, uses least storage space.
■ Disadvantages: Slowest restore time (requires original full backup + all
subsequent incremental backups in sequence).
○ Differential Backup: After an initial full backup, only backs up data that has
changed since the last full backup.
■ Advantages: Faster backup than full, faster restore than incremental
(requires only full backup + last differential backup).
■ Disadvantages: Uses more storage space than incremental, backup time
increases over time until next full backup.
○ Mirror Backup: Creates an exact replica of the source data at the time of the
backup. Old or deleted files on the source are also deleted from the mirror.
■ Advantages: Fastest restore, clean copy.
■ Disadvantages: No versioning, accidental deletion/corruption on source
immediately affects mirror.
○ Mnemonic for Backup Types: F.I.D.M. (Full, Incremental, Differential, Mirror)
- "Find It, Duplicate Many!"
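
To make the trade-offs listed above measurable, here is an added Python example (not from the notes) that simulates the four backup types over a constructed change history and reports the restore chain length, storage used, and whether a file deleted on the source survives a restore. It assumes a chain is one initial full backup followed by sets of a single kind.

```python
"""Backup-type simulation: an added example, not part of the original notes.

It models the four backup types from Chapter 5 (Full, Incremental,
Differential, Mirror) over a constructed change history so the trade-offs the
notes list can be measured: how many sets a restore needs, how much storage
each strategy consumes, and what happens to a file deleted on the source.
The "filesystem" is a dict mapping path -> content; sizes are in characters.
Assumption: one chain is an initial full backup followed by sets of one kind.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class BackupSet:
    kind: str              # "full", "incremental", "differential" or "mirror"
    files: dict[str, str]  # files captured in this set

    def size(self) -> int:
        return sum(len(content) for content in self.files.values())


def changed_since(source: dict[str, str], baseline: dict[str, str]) -> dict[str, str]:
    """Files that are new or modified in `source` relative to `baseline`."""
    return {p: c for p, c in source.items() if baseline.get(p) != c}


def restore_chain(history: list[BackupSet]) -> list[BackupSet]:
    """The minimal sets needed to restore the latest state, in apply order."""
    last = history[-1]
    if last.kind in ("full", "mirror"):
        return [last]                      # a single self-contained copy
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    if last.kind == "differential":
        return [history[last_full], last]  # full + most recent differential
    # incremental: full + every subsequent incremental, in sequence
    return history[last_full:]


def restore(history: list[BackupSet]) -> dict[str, str]:
    """Rebuild the source state by applying the restore chain in order."""
    state: dict[str, str] = {}
    for b in restore_chain(history):
        if b.kind in ("full", "mirror"):
            state = dict(b.files)
        else:
            state.update(b.files)          # copy-based sets never record deletions
    return state


def take_backup(kind: str, source: dict[str, str], history: list[BackupSet]) -> BackupSet:
    """Create one backup set of `kind`, given the sets already taken."""
    if kind in ("full", "mirror"):
        return BackupSet(kind, dict(source))
    fulls = [b for b in history if b.kind == "full"]
    if not fulls:
        raise ValueError(f"{kind} backup needs an initial full backup")
    if kind == "differential":
        return BackupSet(kind, changed_since(source, fulls[-1].files))
    if kind == "incremental":
        # Baseline is the state as of the last backup of any kind, i.e. what
        # the existing chain would restore to.
        return BackupSet(kind, changed_since(source, restore(history)))
    raise ValueError(f"unknown backup kind: {kind}")


def simulate(kind: str, days: list[dict[str, str]]) -> dict:
    """Full backup on day 0, then one `kind` backup per following day."""
    history = [take_backup("full", days[0], [])]
    for snapshot in days[1:]:
        history.append(take_backup(kind, snapshot, history))
    # A mirror overwrites the previous copy; every other kind keeps all sets.
    storage = history[-1].size() if kind == "mirror" else sum(b.size() for b in history)
    return {
        "storage": storage,
        "restore_sets": len(restore_chain(history)),
        "restored": restore(history),
    }


# Constructed change history (not real data): day 0 baseline, then daily edits.
DAY0 = {"ledger.csv": "L0" * 50, "policy.txt": "P0" * 20, "notes.md": "N0" * 10}
DAY1 = {**DAY0, "ledger.csv": "L1" * 50}                     # ledger edited
DAY2 = {**DAY1, "notes.md": "N2" * 10}                       # notes edited
DAY3 = {p: c for p, c in DAY2.items() if p != "policy.txt"}  # policy.txt deleted by mistake
DAY3["ledger.csv"] = "L3" * 50                               # ledger edited again
DAYS = [DAY0, DAY1, DAY2, DAY3]

if __name__ == "__main__":
    for kind in ("full", "incremental", "differential", "mirror"):
        r = simulate(kind, DAYS)
        kept = "kept" if "policy.txt" in r["restored"] else "LOST"
        print(f"{kind:12} storage={r['storage']:4} restore_sets={r['restore_sets']} "
              f"deleted policy.txt after restore: {kept}")
```

Running it shows the incremental chain needing all four sets while the differential needs two, and that the mirror (and the latest full) cannot bring back the deleted policy.txt, matching the "no versioning" disadvantage noted above.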

Unit 2: Information Systems Life Cycle


Chapter 6: System Development Life Cycle (SDLC)
● Need for SDLC: SDLC provides a structured, phased approach for developing,
maintaining, and enhancing information systems. It is essential because it:
○ Ensures that system development aligns with business objectives and user
requirements.
○ Helps manage the complexity of large projects.
○ Reduces risks by identifying and addressing issues early in the process.
○ Controls costs and timelines.
○ Ensures quality, maintainability, and scalability of the developed system.
○ Facilitates communication and collaboration among stakeholders.
● SDLC Phases and Activities:
○ Mnemonic for Phases: P.R.D.D.T.I.M. (Pretty Red Dragons Don't Talk, I
Must) - This mnemonic helps remember the initial letter of each phase.
1. Preliminary Investigation (Feasibility Study):
■ Objective: To determine the feasibility of a proposed project and
define its scope.
■ Activities:
■ Identify the problem or opportunity.
■ Conduct a high-level analysis of current systems.
■ Assess feasibility dimensions:
■ Technical Feasibility: Can the project be implemented with
existing or acquire-able technology? (e.g., Do we have the
tech stack for a real-time analytics dashboard?)
■ Economic Feasibility: Is the project financially viable? (Cost-
benefit analysis, ROI). (e.g., Will the cost of developing a new
ERP system be justified by the expected efficiency gains?)
■ Operational Feasibility: Will the proposed system work within
the organization's existing structure and culture? (e.g., Will
employees adapt to the new automated workflow?)
■ Schedule Feasibility: Can the project be completed within a
reasonable timeframe? (e.g., Can the new mobile banking app
be launched before the competitor's next update?)
■ Legal & Political Feasibility: Does the project comply with
laws and regulations, and is it supported by management and
stakeholders? (e.g., Does the system comply with new data
privacy laws?)
■ Behavioral Feasibility: Considers the human element and
resistance to change. (e.g., Will employees be willing to adopt
a new system that changes their daily tasks?)
■ Deliverable: Feasibility Report.
2. System Requirement Analysis:
■ Objective: To gather, analyze, and document detailed user
requirements.
■ Activities:
■ Fact-Finding Techniques: Interviews, questionnaires,
observation, document analysis, prototyping, brainstorming.
■ Requirement Elicitation: Identifying what the system must do.
■ Requirement Classification:
■ Functional Requirements: What the system does (e.g., "The
system shall allow users to register an account," "The system
shall process payments").
■ Non-Functional Requirements: How the system performs
(e.g., "The system shall respond within 2 seconds," "The
system shall be available 99.9% of the time," "The system shall
encrypt sensitive data").
■ Requirement Documentation: Creating a Software Requirements
Specification (SRS) document.
■ Deliverable: Software Requirements Specification (SRS).
3. System Designing:
■ Objective: To translate requirements into a detailed system blueprint.
■ Activities:
■ Logical Design: Defines the system's abstract structure and
processes (e.g., data flows, process models).
■ Physical Design: Specifies actual hardware, software, network
configurations, database structures, user interfaces, and security
measures.
■ Architecture Design: High-level structure of the system (e.g.,
client-server, microservices).
■ Database Design: Designing schemas, tables, relationships.
■ User Interface (UI)/User Experience (UX) Design: Creating
wireframes, mockups, and prototypes for intuitive interaction.
■ Security Design: Incorporating security controls at every level.
■ Deliverable: System Design Document (SDD).
4. System Development (Coding):
■ Objective: To build the system based on the design specifications.
■ Activities:
■ Coding: Writing program code using selected programming
languages and adhering to coding standards.
■ Hardware Procurement: Acquiring necessary servers,
workstations, network devices.
■ Network Setup: Configuring network infrastructure.
■ Unit Testing: Initial testing of individual modules by developers.
■ Deliverable: Developed Software Modules.
5. System Testing:
■ Objective: To verify that the system meets requirements and is free
of defects.
■ Activities:
■ Test Plan Creation: Defining test cases, expected results, and
testing environment.
■ Execution of Tests: Running various types of tests.
■ Defect Logging and Tracking.
■ Types of Testing:
■ Unit Testing: Tests individual components or modules in isolation.
(e.g., testing a single function to calculate tax).
■ Integration Testing: Tests how different modules interact and
communicate. (e.g., testing if the login module correctly passes
user data to the profile module).
■ System Testing: Tests the complete and integrated system to
evaluate its compliance with specified requirements. (e.g., testing
an entire e-commerce system from user registration to order
fulfillment).
■ User Acceptance Testing (UAT): Final testing conducted by end-users
to ensure the system meets business needs and is fit for
purpose. (e.g., Business users testing a new HR system to confirm
it handles employee onboarding correctly).
■ Regression Testing: Ensures that new changes or bug fixes have
not negatively impacted existing functionality. (e.g., after fixing a
bug in the payment gateway, re-testing the entire checkout
process).
■ Performance Testing: Evaluates system speed, responsiveness,
and stability under a particular workload. (e.g., checking how many
concurrent users a website can handle).
■ Security Testing: Identifies vulnerabilities in the system. (e.g.,
penetration testing to find weak points in network security).
6. System Implementation:
■ Objective: To convert from the old system to the new one and make
the new system operational.
■ Activities:
■ Data Migration: Transferring data from the old system to the new
system.
■ User Training: Educating end-users on how to use the new
system.
■ System Deployment: Installing and configuring the system in the
production environment.
■ Conversion Strategies:
■ Direct Cutover (Big Bang): Old system is immediately
replaced by the new system. (High risk, low cost).
■ Parallel Conversion: Both old and new systems run
simultaneously for a period. (Low risk, high cost).
■ Phased Conversion: New system is introduced in stages or
modules. (Moderate risk and cost).
■ Pilot Conversion: New system is implemented in a small part
of the organization first. (Lower risk, allows learning).
■ Deliverable: Operational System.
7. Post Implementation Review and Maintenance:
■ Objective: To evaluate the system's performance, benefits realized,
and ensure its ongoing functionality.
■ Activities:
■ Performance Evaluation: Assessing whether the system meets
its objectives and delivers expected benefits.
■ User Feedback Collection.
■ System Audits.
■ Types of Maintenance:
■ Corrective Maintenance: Fixing errors or bugs found after
deployment. (e.g., patching a software vulnerability).
■ Adaptive Maintenance: Modifying the system to adapt to
changes in the environment (e.g., new operating system,
regulatory changes).
■ Perfective Maintenance: Enhancing the system by adding new
features, improving performance, or optimizing code based on
user feedback. (e.g., adding a new reporting feature requested by
management).
■ Preventive Maintenance: Making changes to prevent future
problems or improve system reliability. (e.g., refactoring code,
updating documentation).

Chapter 7: System Acquisition and Development Methodologies


● System Acquisition: The process of obtaining an information system.
○ Internal Development: Building the system in-house using an organization's
own resources.
○ External Acquisition: Procuring systems or components from external
vendors.
■ COTS (Commercial Off-The-Shelf) Software: Pre-built, ready-to-use
software available for purchase.
■ Custom Development: Contracting an external vendor to build a system
specifically for the organization's needs.
○ Evaluation of IT Proposals: A systematic process to assess vendor
proposals for software or hardware acquisition, considering factors like
functionality, cost, vendor reputation, support, scalability, and security.
● SDLC Models: Different approaches to organize and execute the SDLC phases.
○ Waterfall Model:
■ Description: A linear, sequential model where each phase must be
completed before the next phase begins. Flows downwards like a
waterfall.
■ Phases: Requirements → Design → Implementation → Verification →
Maintenance.
■ Advantages: Simple, easy to understand and manage, clear stages, good
for small projects with stable requirements.
■ Disadvantages: Inflexible, difficult to accommodate changes, errors
found late are costly, not suitable for complex or evolving projects.
■ Suitability: Projects with clear, stable, and well-understood
requirements, where upfront planning is extensive.
■ Example: Developing software for a well-defined embedded system.
○ Prototyping Model:
■ Description: An iterative model where a working prototype (a preliminary
version of the system) is built quickly, demonstrated to the user, and
refined based on feedback.
■ Advantages: User involvement, early feedback, reduced risk of incorrect
requirements, better understanding of user needs, potential for faster
development.
■ Disadvantages: Users may expect the prototype to be the final system,
may lead to insufficient analysis, can result in "throwaway" code.
■ Suitability: Projects where requirements are unclear or complex, user
interface is critical, or when rapid user validation is needed.
■ Example: Designing a new mobile banking app where user experience is
paramount.
○ Incremental Model:
■ Description: Develops the system in small, manageable increments or
releases. Each increment adds new functionality.
■ Advantages: Faster initial delivery of core functionality, early customer
feedback, lower risk of project failure, easy to manage changes.
■ Disadvantages: Requires careful planning of increments, potential for
integration issues if not managed well, full system vision may evolve.
■ Suitability: Projects where core functionality can be delivered first, and
additional features can be added in subsequent releases.
■ Example: Developing an ERP system where modules like inventory, sales,
and accounting are delivered sequentially.
○ Spiral Model:
■ Description: A risk-driven model that combines elements of both
prototyping and waterfall. It is iterative, with each "spiral" addressing a
new set of risks.
■ Phases (per spiral): Planning → Risk Analysis → Engineering →
Evaluation.
■ Advantages: Strong emphasis on risk management, good for large and
complex projects, allows for changes, user feedback at each spiral.
■ Disadvantages: Complex to manage, high cost, requires expertise in risk
assessment, not suitable for small projects.
■ Suitability: Large, high-risk projects with evolving requirements, or when
costs and risks need careful monitoring.
■ Example: Developing mission-critical defense systems or large-scale
enterprise software.
○ RAD (Rapid Application Development) Model:
■ Description: Focuses on rapid prototyping, iterative development, and
extensive user involvement using specialized tools and techniques (e.g.,
CASE tools, code generators).
■ Phases: Requirements Planning → User Design → Construction →
Cutover.
■ Advantages: Fast delivery, increased user involvement, early feedback,
adaptable to changes.
■ Disadvantages: Requires highly skilled developers and users, intense
commitment from both, not suitable for systems requiring high technical
performance.
■ Suitability: Projects with well-defined scopes, where rapid delivery is
crucial, and components can be modularized.
■ Example: Developing a new customer relationship management (CRM)
system for a sales team.
○ Agile Model:
■ Description: An iterative and incremental approach that emphasizes
flexibility, collaboration, customer satisfaction, and rapid delivery of
working software in short cycles (sprints).
■ Principles: Individuals and interactions over processes and tools; working
software over comprehensive documentation; customer collaboration
over contract negotiation; responding to change over following a plan.
■ Advantages: High flexibility, early and continuous delivery, strong
customer involvement, adaptability to changing requirements, improved
team morale.
■ Disadvantages: Less predictable for fixed-scope projects, requires
active customer participation, documentation may be less formal, can be
difficult to scale to very large teams.
■ Suitability: Projects with evolving requirements, where rapid iterations
and constant feedback are valued, and for cross-functional teams.
■ Example: Developing new features for a dynamic web application or a
mobile game.
Unit 3:
Chapter 9: Information Technology Tools
● IS vs. IT:
○ Information Technology (IT): Refers to the technology itself – the hardware,
software, networking components, and telecommunications infrastructure
that enables the storage, processing, and transmission of information. It's the
tools and systems.
○ Information Systems (IS): A broader concept that encompasses IT along
with people, processes, and data. It's the system that leverages IT to support
business operations, decision-making, and achieve organizational goals. IS
focuses on how technology is used to create, manage, and distribute
information.
○ Mnemonic: IS is the System (people, process, data, and IT), IT is just the
Tech (hardware, software, network).
● Information Systems Audit (ISA):
○ Objective: To evaluate the integrity, reliability, security, and effective use of
information systems and the data they process. It assesses whether IT
controls are adequate and effective in achieving business objectives and
ensuring compliance with regulations.
○ Factors Influencing ISA:
■ Organizational structure and IT governance.
■ IT infrastructure and systems complexity.
■ Internal controls (both general and application controls).
■ Regulatory and legal compliance requirements (e.g., data privacy laws).
■ Business processes and their reliance on IT.
■ Risk landscape and potential threats to IT assets.
○ Steps in an ISA:
1. Planning: Define audit scope, objectives, methodology, and resources.
Gain understanding of the IT environment and business processes.
2. Fieldwork (Data Collection): Gather evidence through interviews,
document review, observation, and use of audit tools (CAATs).
3. Analysis and Evaluation: Analyze collected evidence, identify control
weaknesses, assess risks, and determine the effectiveness of controls.
4. Reporting: Communicate audit findings, conclusions, and
recommendations to management.
5. Follow-up: Verify that management has implemented corrective actions
for identified deficiencies.
● IT Audit Tools (Computer Assisted Audit Techniques - CAATs): Software
tools and techniques used by auditors to automate audit procedures, process
data, and analyze IT systems.
○ Mnemonic for CAATs: I.T. P.E.S.T. C.I.S. (A slightly modified mnemonic for
better recall: Integrated Test Facility, Parallel Simulation, Embedded Audit
Module/SCARF, Snapshots, Test Data, Continuous and Intermittent
Simulation).
○ Integrated Test Facility (ITF): Involves creating a dummy entity (e.g., a
fictitious employee or customer) within the organization's live production
system and processing test transactions through it. This allows auditors to
test application controls without disturbing live data.
■ Example: Creating a dummy employee in the payroll system to test if
maximum payment limits are enforced correctly.
○ Test Data: Using hypothetical, controlled transactions to test the system's
logic and controls. Auditors prepare specific test data, input it into the
system, and compare the actual output with predefined expected results.
■ Example: Inputting a transaction with an invalid date or amount to check if
the system performs proper validation checks.
○ Parallel Simulation: Auditors write their own program (or use a generalized
audit software) to process the same live data that the organization's
application processes. The results from the auditor's program are then
compared with the output of the organization's application to identify
discrepancies.
■ Example: An auditor processes a batch of sales orders using their own
calculation logic and compares the calculated commissions with those
generated by the company's sales commission system.
○ Embedded Audit Module (EAM) / System Control Audit Review File (SCARF):
A program module embedded within the application system itself. It
continuously monitors and collects data on transactions that meet specific
criteria (e.g., high-value transactions, transactions with unusual patterns) and
stores them in a SCARF for later review.
■ Example: A SCARF module in a banking application automatically flags all
transactions exceeding $10,000 for auditor review.
○ Transaction Tagging: Involves attaching a special identifier (tag) to specific
transactions as they enter the system. This tag allows auditors to trace the
processing path of these transactions through various modules and
applications.
■ Example: Tagging a specific customer's order to follow its journey from
order placement, inventory check, payment processing, to shipping.
○ Continuous and Intermittent Simulation (CIS): Similar to EAM/SCARF but
focuses on real-time monitoring and immediate flagging of anomalies. It uses
a "snapshot" technique to capture the state of the system at various points
during transaction processing.
■ Example: A CIS system immediately alerts auditors if a user attempts to
access a highly sensitive database during non-business hours.
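The EAM/SCARF, CIS and parallel simulation techniques above, shown as a small added example (not code from the study guide or from any audit product). The embedded audit module screens each transaction as the application processes it and writes hits to a SCARF; the parallel simulation recomputes commissions with the auditor's own logic and reports discrepancies. The thresholds, business hours, commission schedule and all transactions are constructed sample values.

```python
"""Added example: two CAATs in miniature - an embedded audit module writing
to a SCARF, and a parallel simulation of a commission calculation.
All data and audit criteria below are constructed, not from a real system."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Transaction:
    txn_id: str
    user: str
    amount: float
    timestamp: datetime        # when the application processed it
    resource: str = ""         # data store touched (constructed attribute)


@dataclass
class Scarf:
    """In-memory stand-in for the System Control Audit Review File."""
    entries: list = field(default_factory=list)


# Constructed audit criteria: high-value limit, business hours, sensitive stores.
HIGH_VALUE_LIMIT = 10_000.0
BUSINESS_HOURS = range(9, 18)           # 09:00 to 17:59
SENSITIVE_RESOURCES = {"customer_pii", "gl_master"}


def embedded_audit_module(txn: Transaction, scarf: Scarf) -> list[str]:
    """Evaluate one transaction in-line and record every matched criterion.

    The application keeps processing the transaction regardless; the EAM only
    observes and appends to the SCARF for the auditor's later review.
    """
    reasons = []
    if txn.amount > HIGH_VALUE_LIMIT:
        reasons.append("high_value")
    off_hours = txn.timestamp.hour not in BUSINESS_HOURS
    if off_hours and txn.resource in SENSITIVE_RESOURCES:
        reasons.append("sensitive_access_off_hours")
    for reason in reasons:
        scarf.entries.append({"txn_id": txn.txn_id, "user": txn.user,
                              "amount": txn.amount, "reason": reason})
    return reasons


# Constructed commission policy the auditor believes applies:
# 5% on the first 50,000 of monthly sales, 8% on anything above that.
def auditor_commission(monthly_sales: float) -> float:
    base = min(monthly_sales, 50_000.0) * 0.05
    excess = max(monthly_sales - 50_000.0, 0.0) * 0.08
    return round(base + excess, 2)


def parallel_simulation(app_output: dict[str, tuple[float, float]],
                        tolerance: float = 0.01) -> dict[str, dict]:
    """Recompute each salesperson's commission and return the discrepancies.

    app_output maps salesperson -> (monthly_sales, commission_paid_by_app).
    """
    findings = {}
    for person, (sales, paid) in app_output.items():
        expected = auditor_commission(sales)
        if abs(expected - paid) > tolerance:
            findings[person] = {"sales": sales, "app_paid": paid,
                                "auditor_expected": expected,
                                "difference": round(paid - expected, 2)}
    return findings


def demo() -> tuple[Scarf, dict[str, dict]]:
    """Run both techniques over constructed sample data."""
    scarf = Scarf()
    sample = [
        Transaction("T1", "alice", 2_500.0, datetime(2025, 3, 3, 10, 15), "orders"),
        Transaction("T2", "bob", 12_000.0, datetime(2025, 3, 3, 14, 0), "orders"),
        Transaction("T3", "carol", 300.0, datetime(2025, 3, 3, 23, 40), "customer_pii"),
    ]
    for txn in sample:
        embedded_audit_module(txn, scarf)
    app_output = {"dev": (40_000.0, 2_000.0),    # application is correct here
                  "eve": (80_000.0, 4_000.0)}    # application applied a flat 5%
    return scarf, parallel_simulation(app_output)


if __name__ == "__main__":
    scarf, findings = demo()
    print(scarf.entries)
    print(findings)
```

The SCARF entries are what the auditor reviews later (EAM); the off-hours rule is the CIS-style immediate flag; the commission comparison is the parallel simulation. In a real engagement the auditor's recomputation is written independently from the application's code, which is exactly why differences are meaningful.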
● Business Processes - Risks & Controls:
○ Procure to Pay (P2P) Cycle: The entire process from requisitioning
goods/services to making payment to the vendor.
■ Risks: Unauthorized purchases, incorrect vendor invoices, duplicate
payments, fraud (e.g., kickbacks).
■ Controls:
■ Segregation of Duties (SoD): Separating the roles of requisitioning,
purchasing, receiving, and payment. (e.g., the person approving
purchase orders cannot also process payments).
■ Three-Way Matching: Matching purchase order (PO), goods receipt
note (GRN), and vendor invoice before payment is approved.
■ Approved Vendor List: Only purchasing from pre-approved vendors.
■ Budgetary Controls: Ensuring purchases are within budget limits.
■ Automated Payment Processing: Reducing manual errors and fraud.
■ Example: An ERP system automatically blocks payment if the invoice
amount does not match the purchase order and goods receipt.
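The three-way match and duplicate-payment controls described for the P2P cycle, as an added example (this is illustrative code, not the study guide's or any ERP's logic). It releases payment only when the purchase order, goods receipt and invoice agree, and refuses an invoice number already paid to the same vendor. The 2% price tolerance, document layouts and all sample documents are constructed assumptions.

```python
"""Added example: automated three-way matching for procure-to-pay, with a
duplicate-invoice check. Tolerances and sample documents are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor: str
    quantity: int
    unit_price: float


# Assumed tolerance: small price variances are accepted, quantities must match.
PRICE_TOLERANCE = 0.02   # 2 %


class PaymentGate:
    def __init__(self, pos: list[PurchaseOrder], grns: list[GoodsReceipt]) -> None:
        self.pos = {p.po_number: p for p in pos}
        self.grns = {g.po_number: g for g in grns}
        self.paid_invoices: set[tuple[str, str]] = set()   # (vendor, invoice no.)

    def three_way_match(self, inv: Invoice) -> list[str]:
        """Return the list of exceptions; an empty list means payment may be released."""
        problems = []
        po = self.pos.get(inv.po_number)
        grn = self.grns.get(inv.po_number)
        if po is None:
            return ["no purchase order on file"]        # unauthorised purchase
        if po.vendor != inv.vendor:
            problems.append("vendor on invoice differs from PO")
        if grn is None:
            problems.append("no goods receipt recorded")
        elif inv.quantity != grn.quantity_received:
            problems.append(f"invoiced qty {inv.quantity} != received qty {grn.quantity_received}")
        if inv.quantity > po.quantity:
            problems.append("invoiced qty exceeds ordered qty")
        if abs(inv.unit_price - po.unit_price) > po.unit_price * PRICE_TOLERANCE:
            problems.append("unit price outside tolerance of PO price")
        if (inv.vendor, inv.invoice_number) in self.paid_invoices:
            problems.append("duplicate invoice: already paid")
        return problems

    def process(self, inv: Invoice) -> bool:
        """Pay only when all three documents agree; remember what was paid."""
        if self.three_way_match(inv):
            return False                                  # blocked for review
        self.paid_invoices.add((inv.vendor, inv.invoice_number))
        return True


def build_demo_gate() -> PaymentGate:
    """Constructed purchase orders and goods receipts (sample data only)."""
    pos = [PurchaseOrder("PO-100", "Acme Supplies", 10, 25.0),
           PurchaseOrder("PO-200", "Acme Supplies", 5, 400.0)]   # ordered, not yet received
    grns = [GoodsReceipt("PO-100", 10)]
    return PaymentGate(pos, grns)


if __name__ == "__main__":
    gate = build_demo_gate()
    first = Invoice("INV-1", "PO-100", "Acme Supplies", 10, 25.0)
    print("paid:", gate.process(first))
    print("second submission:", gate.three_way_match(first))
    print("price variance:", gate.three_way_match(Invoice("INV-2", "PO-100", "Acme Supplies", 10, 30.0)))
```

Blocked invoices are returned with every exception found rather than the first one, so the accounts-payable reviewer sees the full picture; a real system would also log who overrides a block, which ties back to the segregation-of-duties control above.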
○ Order to Cash (O2C) Cycle: The entire process from receiving a customer
order to receiving cash payment.
■ Risks: Orders not fulfilled, incorrect billing, revenue leakage, uncollectible
accounts, unauthorized sales returns.
■ Controls:
■ Credit Checks: Assessing customer creditworthiness before granting
credit.
■ Order Authorization: Approving sales orders based on credit limits
and product availability.
■ Accurate Billing: Automated generation of invoices based on sales
orders and delivery.
■ Reconciliation of Accounts Receivable: Regularly matching
customer payments with outstanding invoices.
■ Sales Returns Authorization: Requiring approval for all sales returns.
■ Example: A system automatically puts an order on hold if the
customer exceeds their credit limit until further approval.
○ Inventory Cycle: Management of raw materials, work-in-progress, and
finished goods.
■ Risks: Theft, obsolescence, damage, inaccurate inventory records,
overstocking/understocking.
■ Controls:
■ Physical Security: Locked warehouses, surveillance cameras, access
controls.
■ Regular Stock Counts: Periodic or continuous inventory counts to
reconcile with system records.
■ Segregation of Duties: Separating inventory custody from record-
keeping.
■ Automated Inventory Management System: Tracking movements,
reorder points, and valuation.
■ Damage/Obsolescence Review: Regular assessment and write-off
of damaged or obsolete stock.
■ Example: Using RFID tags to track inventory in real-time, reducing
manual counting errors and theft.
○ Human Resources (HR) & Payroll Cycle: Managing employees from hiring
to termination, including payroll processing.
■ Risks: Payroll fraud (ghost employees, inflated hours), unauthorized
access to sensitive employee data, incorrect deductions/payments, non-
compliance with labor laws.
■ Controls:
■ Background Checks: For new hires.
■ Segregation of Duties: Separating HR (hiring/termination) from
payroll processing.
■ Access Controls: Restricting access to HR and payroll systems to
authorized personnel.
■ Independent Payroll Review: Reconciliation of payroll reports before
payment.
■ Time Tracking Systems: Automated timekeeping to reduce manual
errors and fraud.
■ Example: Implementing a biometric time-tracking system to prevent
"buddy punching" and ensure accurate work hours for payroll.
○ Fixed Assets Cycle: Management of long-term tangible assets (e.g.,
buildings, machinery).
■ Risks: Misappropriation/theft, incorrect capitalization or depreciation,
unauthorized disposal, inadequate maintenance leading to premature
asset failure.
■ Controls:
■ Physical Tagging: Attaching unique identifiers to assets.
■ Periodic Physical Verification: Comparing physical assets to asset
register.
■ Authorization for Acquisition and Disposal: Requiring formal
approval for all fixed asset transactions.
■ Depreciation Calculation Review: Ensuring correct depreciation
methods and useful lives.
■ Maintenance Schedules: Regular preventive maintenance.
■ Example: A fixed asset management system automatically calculates
depreciation and flags assets due for maintenance.
○ General Ledger (GL) Cycle: Recording and summarizing all financial
transactions.
■ Risks: Errors in financial reporting, unauthorized journal entries, incorrect
account classifications, lack of audit trail.

■ Controls:
■ Chart of Accounts: Standardized account structure.
■ Access Controls: Restricting who can post journal entries.
■ Automated Journal Entry Approval Workflow.
■ Reconciliation of Sub-ledgers: Regularly matching GL balances with
subsidiary ledgers (e.g., accounts receivable, accounts payable).
■ Audit Trails: Detailed logs of all transactions and changes.
■ Independent Review of Journal Entries: Especially for manual or
unusual entries.
■ Example: An ERP system automatically generates journal entries for
common transactions and requires multi-level approval for manual
adjustments to sensitive accounts.
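The GL controls listed above (posting rights, segregation of duties, multi-level approval for manual entries to sensitive accounts, and an audit trail) as one added example; this is illustrative code, not the study guide's or any ERP's workflow. The users, roles, account names and approval tiers are constructed assumptions.

```python
"""Added example: access control, a two-tier approval workflow and an audit
trail for manual journal entries. Roles, accounts and users are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role model: clerks and above may prepare entries; a supervisor gives
# the first approval; the controller gives the second approval that sensitive
# accounts require. A read-only user has no posting rights at all.
ROLE_OF = {"asha": "clerk", "ben": "supervisor", "cora": "controller", "dev": "readonly"}
PREPARER_ROLES = {"clerk", "supervisor", "controller"}
SENSITIVE_ACCOUNTS = {"2100-Accrued Liabilities", "4000-Revenue"}
APPROVAL_CHAIN = {"normal": ["supervisor"], "sensitive": ["supervisor", "controller"]}


@dataclass
class JournalEntry:
    je_id: str
    debit_account: str
    credit_account: str
    amount: float
    prepared_by: str
    approvals: list[str] = field(default_factory=list)
    status: str = "draft"            # draft -> pending -> posted


class GeneralLedger:
    def __init__(self) -> None:
        self.entries: dict[str, JournalEntry] = {}
        self.audit_trail: list[dict] = []     # every attempt, allowed or denied

    def _log(self, je_id: str, user: str, action: str, detail: str = "") -> None:
        self.audit_trail.append({"ts": datetime.now(timezone.utc).isoformat(),
                                 "je": je_id, "user": user,
                                 "action": action, "detail": detail})

    def prepare(self, user: str, je_id: str, debit: str, credit: str,
                amount: float) -> JournalEntry:
        """Create a manual entry; only users with posting rights may do so."""
        if ROLE_OF.get(user) not in PREPARER_ROLES:
            self._log(je_id, user, "prepare_denied", "no posting rights")
            raise PermissionError(f"{user} may not create journal entries")
        if amount <= 0 or debit == credit:
            raise ValueError("entry needs a positive amount and two different accounts")
        je = JournalEntry(je_id, debit, credit, amount, user)
        self.entries[je_id] = je
        self._log(je_id, user, "prepared", f"Dr {debit} / Cr {credit} {amount:.2f}")
        return je

    @staticmethod
    def tier(je: JournalEntry) -> str:
        """Entries touching a sensitive account need the longer approval chain."""
        touched = {je.debit_account, je.credit_account}
        return "sensitive" if touched & SENSITIVE_ACCOUNTS else "normal"

    def approve(self, user: str, je_id: str) -> str:
        """Apply one approval in chain order; returns the entry's new status."""
        je = self.entries[je_id]
        chain = APPROVAL_CHAIN[self.tier(je)]
        if user == je.prepared_by:                        # segregation of duties
            self._log(je_id, user, "approve_denied", "preparer cannot approve")
            raise PermissionError("preparer cannot approve own entry")
        level = len(je.approvals)
        needed_role = chain[level] if level < len(chain) else None
        if needed_role is None or ROLE_OF.get(user) != needed_role:
            self._log(je_id, user, "approve_denied", f"level {level + 1} needs {needed_role}")
            raise PermissionError(f"approval level {level + 1} requires role {needed_role}")
        je.approvals.append(user)
        je.status = "posted" if len(je.approvals) == len(chain) else "pending"
        self._log(je_id, user, "approved", f"level {level + 1} of {len(chain)} -> {je.status}")
        return je.status


if __name__ == "__main__":
    gl = GeneralLedger()
    gl.prepare("asha", "JE-2", "1200-Receivables", "4000-Revenue", 9000.0)
    print(gl.approve("ben", "JE-2"))     # pending: revenue needs a second approver
    print(gl.approve("cora", "JE-2"))    # posted
    for line in gl.audit_trail:
        print(line)
```

Denied attempts are written to the audit trail as well as successful ones; an auditor reviewing manual entries to revenue wants to see who tried to approve outside the chain, not only who succeeded.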
Unit 4:

Chapter 10: Digital Data and Analysis


● Data Protection Principles: Fundamental guidelines for handling personal data
responsibly.
○ Mnemonic: L.C.D.F.A.T.D. (Let's Create Data For All That's Due)
■ Lawfulness, fairness, and transparency: Data must be processed lawfully,
fairly, and transparently concerning the data subject.
■ Collection limitation: Personal data should be collected only for specified,
explicit, and legitimate purposes and not further processed in a manner
that is incompatible with those purposes.
■ Data minimization: Data collected should be adequate, relevant, and
limited to what is necessary in relation to the purposes for which they are
processed.
■ Fundamental right to privacy: Recognizing privacy as a core right that
needs protection in the digital age.
■ Accuracy: Personal data should be accurate and, where necessary, kept
up to date.
■ Transparency and accountability: Data controllers must be transparent
about their data processing activities and accountable for compliance.
■ Data retention limitation: Personal data should be kept in a form that
permits identification of data subjects for no longer than is necessary for
the purposes for which the personal data are processed.
○ Example: A mobile app collects user location data (collection limitation) only
after obtaining explicit consent (lawfulness, fairness, transparency) and uses
it solely to provide location-based services (data minimization, purpose
limitation). The app also provides users with options to view and delete their
data (transparency, data retention limitation).

● Data Analysis and Tools:


○ Data Analysis: The process of inspecting, cleansing, transforming, and
modeling data with the goal of discovering useful information, informing
conclusions, and supporting decision-making. It involves several sub-
processes:
■ Data Collection: Gathering raw data from various sources.
■ Data Cleansing (Data Cleaning): Identifying and correcting errors,
inconsistencies, and inaccuracies in data (e.g., handling missing values,
removing duplicates).
■ Data Integration: Combining data from different sources into a unified
view.
■ Data Transformation: Converting data into a format suitable for analysis.
■ Data Visualization: Presenting data graphically to highlight patterns and
insights.
○ Data Security Tools: Technologies and practices designed to protect data
from unauthorized access, use, disclosure, disruption, modification, or
destruction.
■ Mnemonic: F.I.E.A.A. (Firewalls, IDS/IPS, Encryption, Antivirus, Access
Control) - "FIEAA, Secure Your Data!"
■ Firewalls: Network security devices that monitor and filter incoming
and outgoing network traffic based on predefined security rules.
■ Intrusion Detection Systems (IDS) / Intrusion Prevention Systems
(IPS): IDS monitors network or system activities for malicious activity
or policy violations and alerts. IPS does the same but can also take
action to block detected threats.
■ Encryption: The process of converting information or data into a code
to prevent unauthorized access. Uses cryptographic keys.
■ Antivirus/Anti-malware Software: Detects, prevents, and removes
malicious software like viruses, worms, Trojans, and ransomware.
■ Access Control Systems: Manage who can access what resources and
under what conditions. Includes user authentication (passwords,
biometrics) and authorization (role-based access control, least
privilege).
○ Data Assurance: A comprehensive approach to ensuring the reliability,
integrity, and security of data throughout its lifecycle, from creation to
disposal. It involves verifying data quality, completeness, and consistency,
and ensuring that controls are in place to protect it.
● Data Analytics: The science of analyzing raw data to make conclusions about
that information. It goes beyond BI by often incorporating more advanced
statistical and machine learning techniques for future-oriented insights.
○ Types of Data Analytics (Mnemonic: 4 Ps of Analytics: D.D.P.P. -
Descriptive, Diagnostic, Predictive, Prescriptive):
■ Descriptive Analytics: "What happened?" Summarizes historical data to
explain past events.
■ Example: Sales reports showing monthly revenue, average customer
spending.
■ Diagnostic Analytics: "Why did it happen?" Explores data to find the root
cause of past events.
■ Example: Analyzing a sudden drop in website traffic to identify the
specific marketing campaign or technical issue that caused it.
■ Predictive Analytics: "What will happen?" Uses historical data and
statistical models to forecast future outcomes.
■ Example: Forecasting next quarter's sales based on past trends and
economic indicators, predicting customer churn.
■ Prescriptive Analytics: "What should we do?" Recommends actions to
optimize outcomes, based on predictions.
■ Example: Suggesting optimal pricing strategies for products to
maximize profit, recommending personalized product bundles to
customers.
● IT Act 2000 based Regulatory Compliances: The Information Technology Act,
2000 (India) provides legal recognition for electronic transactions and aims to
promote e-commerce and e-governance. It also contains provisions related to
cybercrime and data protection.
○ Key Provisions:
■ Legal validity for electronic records and digital signatures.
■ Offences and penalties related to hacking, data theft, cyber fraud, and
other cybercrimes.
■ Provisions for sensitive personal data (though more extensively covered
by DPDPA).
■ Role of certifying authorities for digital signatures.
○ Example: A company must comply with IT Act 2000 provisions to ensure the
legal validity of its online contracts and to implement reasonable security
practices to protect customer data.
● Digital Personal Data Protection Act, 2023 (DPDPA): India's landmark
legislation for personal data protection, drawing parallels with global regulations
like GDPR.
○ Major Highlights:
■ Consent-based Data Processing: Requires explicit, informed, and
unambiguous consent from the data principal (individual) before
processing their personal data, except in certain legitimate uses.
■ Obligations of Data Fiduciaries: Organizations (data fiduciaries)
collecting and processing personal data have duties to protect data,
notify data breaches, ensure data accuracy, and erase data when no
longer needed.
■ Rights of Data Principals: Individuals have rights to access their data,
correct inaccuracies, erase data, and nominate a person to exercise their
rights in case of death or incapacity.
■ Cross-border Data Transfer: Allows transfer of personal data outside
India to notified countries or territories, subject to certain conditions.
■ Significant Penalties: Imposes substantial financial penalties for non-
compliance, including failure to implement reasonable security
safeguards or notify data breaches.
■ Establishment of Data Protection Board of India: An independent body
to enforce the provisions of the Act.
○ Example: Under DPDPA, a banking app must clearly ask for user consent to
access their contacts, explain why it needs access, and allow the user to
revoke consent later. If the bank experiences a data breach, it is obligated to
notify affected customers and the Data Protection Board.
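The consent, purpose-limitation, data-minimization and retention rules from the data protection principles and the DPDPA highlights above, worked as one added example (illustrative code, not the study guide's and not a rendering of the Act's text). A business function gets a data principal's fields only while a matching consent is valid, only the fields its purpose is allowed, and only within the retention window; revocation takes effect from the day it is recorded, and a purge routine erases whatever no consented purpose may still hold. The purposes, field lists, retention periods and the sample principal are constructed assumptions.

```python
"""Added example: a consent register enforcing consent-based processing,
purpose limitation, data minimisation and retention limits.
Policy values and the sample principal are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy: the fields each purpose may use, and how many days after
# collection that purpose may keep them.
FIELDS_FOR_PURPOSE = {"service_delivery": {"email", "location"},
                      "marketing": {"email"}}
RETENTION_DAYS = {"service_delivery": 365, "marketing": 180}


@dataclass
class Consent:
    purpose: str
    granted_on: date
    revoked_on: Optional[date] = None


@dataclass
class DataPrincipal:
    principal_id: str
    records: dict[str, tuple[str, date]]       # field -> (value, collected_on)
    consents: list[Consent] = field(default_factory=list)


def give_consent(p: DataPrincipal, purpose: str, today: date) -> None:
    if purpose not in FIELDS_FOR_PURPOSE:
        raise ValueError(f"unknown purpose {purpose}")
    p.consents.append(Consent(purpose, today))


def revoke_consent(p: DataPrincipal, purpose: str, today: date) -> None:
    for c in p.consents:
        if c.purpose == purpose and c.revoked_on is None:
            c.revoked_on = today


def has_valid_consent(p: DataPrincipal, purpose: str, today: date) -> bool:
    """Consent counts from the day granted up to, but not including, revocation."""
    return any(c.purpose == purpose and c.granted_on <= today
               and (c.revoked_on is None or c.revoked_on > today)
               for c in p.consents)


def _within_retention(collected_on: date, purpose: str, today: date) -> bool:
    return today <= collected_on + timedelta(days=RETENTION_DAYS[purpose])


def fields_for(p: DataPrincipal, purpose: str, today: date) -> dict[str, str]:
    """Release only the fields this purpose may use, and only while consent is
    valid and the data is within its retention period."""
    if not has_valid_consent(p, purpose, today):
        raise PermissionError(f"no valid consent for {purpose}")
    return {name: value for name, (value, collected_on) in p.records.items()
            if name in FIELDS_FOR_PURPOSE[purpose]
            and _within_retention(collected_on, purpose, today)}


def purge_expired(p: DataPrincipal, today: date) -> list[str]:
    """Erase every field no consented purpose may still hold; return what was erased."""
    keep = set()
    for purpose, allowed in FIELDS_FOR_PURPOSE.items():
        if not has_valid_consent(p, purpose, today):
            continue
        for name in allowed:
            if name in p.records and _within_retention(p.records[name][1], purpose, today):
                keep.add(name)
    purged = sorted(name for name in p.records if name not in keep)
    for name in purged:
        del p.records[name]
    return purged


def sample_principal() -> DataPrincipal:
    """Constructed record of one data principal (sample values only)."""
    collected = date(2025, 1, 10)
    p = DataPrincipal("DP-001", {"email": ("user@example.com", collected),
                                 "location": ("Pune", collected)})
    give_consent(p, "service_delivery", collected)
    give_consent(p, "marketing", collected)
    return p


if __name__ == "__main__":
    p = sample_principal()
    print(fields_for(p, "marketing", date(2025, 6, 1)))       # email only
    revoke_consent(p, "marketing", date(2025, 6, 2))
    print(purge_expired(p, date(2026, 2, 1)))                  # both fields erased
```

The register keeps the collection date with every field because retention is measured from collection, not from the last use; a breach-notification duty would then have a precise list of which fields were still held on the day of the incident.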
● Challenges in Privacy:
○ For Users:
■ Lack of Transparency: Difficulty understanding complex privacy policies
and how their data is used.
■ Data Control: Feeling of losing control over their personal information
once it's online.
■ Targeted Advertising/Tracking: Constant online tracking by advertisers.
■ Identity Theft/Fraud: Vulnerability to cybercrime due to data breaches.
○ For Businesses:
■ Regulatory Compliance: Navigating complex and evolving data
protection laws across jurisdictions.
■ Cybercrime: Protecting against sophisticated cyber-attacks and data
breaches.
■ Data Governance: Managing vast amounts of diverse data while
ensuring quality and security.
■ Balancing Personalization and Privacy: Providing tailored experiences
without infringing on privacy.
■ Employee Awareness: Ensuring all employees understand and adhere to
data protection policies.
○ Example: A user might be concerned about a fitness app sharing their health
data with third-party advertisers without clear consent (user challenge).
Simultaneously, the app developer faces the business challenge of complying
with strict health data privacy regulations while also seeking to monetize data
for better user experiences.

Chapter 11: Business Intelligence


● Business Intelligence (BI):
○ Definition: BI is a technology-driven process for analyzing data and
presenting actionable information to help executives, managers, and other
corporate end-users make informed business decisions. It encompasses a
wide range of tools, applications, and methodologies that enable
organizations to collect data from internal and external sources, prepare it for
analysis, develop and run queries, and create reports, dashboards, and data
visualizations.
○ Functionalities:
■ Reporting: Creating structured reports (e.g., daily sales, quarterly
financial statements).
■ Dashboards: Interactive visual displays of key performance indicators
(KPIs) and metrics.
■ Online Analytical Processing (OLAP): A technology that enables users
to easily and selectively extract and view data from different points of
view.
■ Data Mining: Discovering patterns, trends, and anomalies in large
datasets to predict future outcomes.
■ Benchmarking: Comparing an organization's performance metrics to
industry best practices or competitors.
■ Querying: Asking specific questions of data to retrieve relevant
information.
● Usage of BI Tools: Organizations leverage BI tools for various strategic and
operational benefits:
○ Improved Decision-Making: Providing accurate, timely, and relevant
insights.
○ Identifying Opportunities and Risks: Spotting emerging market trends or
potential threats.
○ Gaining Customer Insights: Understanding customer behavior, preferences,
and segmentation.
○ Optimizing Operations: Identifying inefficiencies, streamlining processes,
and improving resource allocation.
○ Monitoring Performance: Tracking KPIs against targets and identifying
areas needing attention.
○ Reducing Business Costs: Pinpointing areas of wasteful spending.
○ Competitive Advantage: Analyzing competitors and market dynamics to
identify strategic positioning.
○ Enhanced Reporting and Compliance: Generating accurate reports for
regulatory needs and internal stakeholders.
● BI Tools & Techniques:
○ Data Warehousing: A central repository of integrated data from one or more
disparate sources, used for reporting and data analysis. It's designed for
analytical queries rather than transactional processing.
○ ETL (Extract, Transform, Load): A three-step process used to move data
from various sources into a data warehouse or data mart.
■ Extract: Reading data from source systems.
■ Transform: Converting the extracted data into a suitable format for
analysis (e.g., cleansing, aggregation, standardization).
■ Load: Writing the transformed data into the target data warehouse.
■ Mnemonic for ETL: Every Transform Load.
○ Data Mining: The process of discovering patterns, associations, and
anomalies in large datasets using techniques from statistics, machine
learning, and database systems.
○ OLAP (Online Analytical Processing): Software technology that allows
users to analyze information from multiple database systems at once. Enables
"slice and dice" data, drilling down, and rolling up.
○ Dashboards and Reporting Tools: Visual interfaces that display key metrics
and data visualizations, providing a quick overview of performance. Reporting
tools generate static or interactive reports.
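The ETL process described above, together with the data cleansing and transformation steps from the Data Analysis section in Chapter 10, as one added example (illustrative code, not the study guide's and not any BI product's pipeline). Two constructed source extracts with different column names and date formats are extracted, cleansed (missing amounts and duplicate orders rejected, region names standardised), and loaded into an in-memory SQLite table standing in for a warehouse fact table, which is then queried by region. The source layouts and all rows are constructed sample data.

```python
"""Added example: a minimal Extract-Transform-Load run into an in-memory
SQLite 'fact table', including the cleansing steps of data analysis.
Source formats, column names and every row are constructed sample data."""
import csv
import io
import sqlite3
from datetime import date, datetime
from typing import Optional

# Extract stage inputs: two constructed extracts with different conventions.
SOURCE_POS = """order_id,order_date,region,amount
A-1,2025-03-01,north,120.50
A-2,2025-03-02,NORTH,80.00
A-2,2025-03-02,NORTH,80.00
A-3,2025-03-02,south,
"""
SOURCE_WEB = """id,date,region,total
W-9,01/03/2025,South,45.25
W-10,03/03/2025,East ,200.00
"""


def extract(text: str, mapping: dict[str, str]) -> list[dict]:
    """Read one CSV extract and rename its columns to the warehouse schema."""
    return [{target: raw[src] for src, target in mapping.items()}
            for raw in csv.DictReader(io.StringIO(text))]


def parse_date(text: str) -> Optional[date]:
    """Accept the two date conventions the sources use; None if neither fits."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def transform(rows: list[dict]) -> tuple[list[dict], list[tuple[str, str]]]:
    """Cleanse and standardise: reject rows missing the amount, drop duplicate
    order ids, normalise region names, and parse dates. Returns (clean, rejected)."""
    seen, clean, rejected = set(), [], []
    for r in rows:
        if not r["amount"]:
            rejected.append((r["order_id"], "missing amount"))
            continue
        if r["order_id"] in seen:
            rejected.append((r["order_id"], "duplicate"))
            continue
        parsed = parse_date(r["order_date"])
        if parsed is None:
            rejected.append((r["order_id"], f"bad date {r['order_date']}"))
            continue
        seen.add(r["order_id"])
        clean.append({"order_id": r["order_id"], "order_date": parsed.isoformat(),
                      "region": r["region"].strip().lower(),
                      "amount": float(r["amount"])})
    return clean, rejected


def load(conn: sqlite3.Connection, rows: list[dict]) -> int:
    """Write the transformed rows into the fact table; return the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS fact_sales ("
                 "order_id TEXT PRIMARY KEY, order_date TEXT, region TEXT, amount REAL)")
    conn.executemany("INSERT INTO fact_sales VALUES "
                     "(:order_id, :order_date, :region, :amount)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM fact_sales").fetchone()[0]


def run_etl() -> dict:
    """Full pipeline over the constructed sources, plus one analytical query."""
    conn = sqlite3.connect(":memory:")
    rows = extract(SOURCE_POS, {"order_id": "order_id", "order_date": "order_date",
                                "region": "region", "amount": "amount"})
    rows += extract(SOURCE_WEB, {"id": "order_id", "date": "order_date",
                                 "region": "region", "total": "amount"})
    clean, rejected = transform(rows)
    loaded = load(conn, clean)
    by_region = dict(conn.execute(
        "SELECT region, ROUND(SUM(amount), 2) FROM fact_sales "
        "GROUP BY region ORDER BY region").fetchall())
    return {"loaded": loaded, "rejected": rejected, "sales_by_region": by_region}


if __name__ == "__main__":
    print(run_etl())
```

Rejected rows are returned alongside the loaded count rather than silently dropped; a reconciliation of source row counts against warehouse row counts plus the rejection list is the basic data-assurance check for an ETL job.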
● BI Life Cycle: A systematic approach to implementing BI solutions.
1. Analyze Business Requirements: Understand what information
stakeholders need for decision-making.
2. Design Data Model: Create conceptual, logical, and physical data models for
the data warehouse.
3. Design Physical Schema: Define the actual database structures, tables, and
relationships.
4. Build Data Warehouse: Populate the data warehouse using ETL processes.
5. Develop ETL Processes: Create the routines to extract, transform, and load
data into the warehouse.
6. Develop Reports & Dashboards: Create visualizations, reports, and
dashboards based on the analyzed data.
7. Deployment & Maintenance: Deploy the BI solution to users and provide
ongoing support, monitoring, and updates.
○ Mnemonic for BI Life Cycle: A.D.D.B.D.D.M. (A Detailed Data Blueprint
Designs Dazzling Dashboards, Daily Maintenance)
● BI vs. Data Analytics:
○ Business Intelligence (BI): Primarily descriptive and diagnostic. It focuses on
"what happened?" and "why did it happen?" using historical data to provide
insights into past and current performance. It is backward-looking and
focuses on reporting and dashboards.
○ Data Analytics: A broader field that encompasses BI. It includes descriptive
and diagnostic analytics but also extends to predictive ("what will happen?")
and prescriptive ("what should we do?") analytics. It uses more advanced
statistical models, machine learning, and AI to uncover deeper insights and
make future-oriented recommendations. It is forward-looking and focuses on
forecasting and optimization.

Unit 5:

Chapter 12: Digital Economy

ABCD of FinTech
● FinTech Introduction:
○ Definition: FinTech, short for Financial Technology, refers to the innovative
use of technology to improve and automate the delivery and use of financial
services. It covers a wide range of innovations, from mobile banking and
online investing to cryptocurrencies and artificial intelligence-powered
lending platforms.
○ Scope: Cuts across multiple segments like lending, payments, investment
management, insurance, and compliance.
● ABCD Technologies: The four foundational technologies driving FinTech
innovation.
○ A - Artificial Intelligence (AI):
■ Definition: The simulation of human intelligence in machines that are
programmed to think, learn, and solve problems like humans. AI involves
developing algorithms that enable computers to perform tasks such as
pattern recognition, decision-making, and natural language
understanding.
■ Classification based on Capabilities:
■ Narrow/Weak AI: Designed and trained for a specific task. These are
the most common and currently existing forms of AI.
■ Example: Voice assistants (Siri, Alexa) for specific commands,
image recognition systems for facial detection, recommendation
engines on e-commerce sites.
■ General AI (AGI - Artificial General Intelligence): Hypothetical AI that
can understand, learn, and apply intelligence to any intellectual task
that a human can perform. It possesses cognitive abilities comparable
to a human. (Not yet achieved).
■ Super AI (ASI - Artificial Super Intelligence): Hypothetical AI that would
far surpass human intelligence and capabilities in virtually every field,
including scientific creativity, general wisdom, and social skills. (Not
yet achieved).
■ Mnemonic: N.G.S. (Narrow, General, Super) - "AI is NGS (Next
Generation Smarts)."
■ Deep Learning: A subset of machine learning that uses artificial neural
networks with multiple layers (hence "deep") to learn complex patterns
from large amounts of data. It excels at tasks like image and speech
recognition.
■ Working: Neural networks are inspired by the human brain, consisting
of interconnected nodes (neurons) that process data. Deep learning
networks have many hidden layers between the input and output
layers, allowing them to learn hierarchical representations of data.
■ Example: Used in fraud detection to identify intricate patterns in
transaction data that traditional methods might miss, or in natural
language processing for chatbots that understand nuances in human
speech.
■ Working of AI (Key Sub-fields):
■ Machine Learning (ML): Algorithms that allow systems to learn from
data without explicit programming.
■ Natural Language Processing (NLP): Enables computers to
understand, interpret, and generate human language.
■ Computer Vision: Allows computers to "see" and interpret visual
information from images and videos.
○ B - Blockchain:
■ Definition: A decentralized, distributed, and immutable ledger technology
(DLT) that records transactions across many computers so that the
record cannot be altered retroactively without the alteration of all
subsequent blocks and the consensus of the network. Each "block"
contains a timestamped list of transactions and is linked to the previous
block using cryptography.
■ Working of Blockchain:
1. Transaction: A new transaction is initiated (e.g., money transfer, data
record).
2. Block Creation: Transactions are bundled together into a "block."
3. Validation: The new block is broadcast to all participants in the
network, and they validate the transactions using consensus
mechanisms (e.g., Proof of Work, Proof of Stake).
4. Hashing: Once validated, a unique cryptographic hash is generated
for the block, which includes the hash of the previous block.
5. Chain Addition: The new block is added to the end of the existing
chain, making the ledger immutable.
6. Distribution: The updated ledger is distributed to all nodes on the
network.
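Steps 2, 4 and 5 above, worked through as an added example (not code from the original notes): a minimal in-memory hash-chained ledger with a verification routine that shows why a retroactive change to one block breaks every later link, even if the attacker recomputes the altered block's own hash. Consensus (step 3) and distribution to other nodes (step 6) are assumed away; the sample transactions are constructed.

```python
"""Minimal hash-chained ledger (added example, not from the original notes).
Covers steps 2, 4 and 5 of "Working of Blockchain" for one local chain;
consensus (step 3) and network distribution (step 6) are out of scope."""
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

@dataclass
class Block:
    index: int
    timestamp: float
    transactions: list       # step 2: transactions bundled into this block
    previous_hash: str       # step 4: hash of the preceding block
    hash: str = ""           # this block's own hash, set by seal()

    def compute_hash(self) -> str:
        # Hash every field except the stored hash itself. Canonical JSON
        # (sorted keys, fixed separators) makes the digest deterministic.
        payload = {k: v for k, v in asdict(self).items() if k != "hash"}
        encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()

    def seal(self) -> "Block":
        self.hash = self.compute_hash()
        return self

def genesis_block() -> Block:
    # The first block has no predecessor; an all-zero previous_hash is the convention.
    return Block(0, 0.0, [], "0" * 64).seal()

def add_block(chain: List[Block], transactions: list, timestamp: Optional[float] = None) -> Block:
    # Step 5: the new block carries the current tip's hash, then becomes the new tip.
    prev = chain[-1]
    ts = time.time() if timestamp is None else timestamp
    block = Block(prev.index + 1, ts, list(transactions), prev.hash).seal()
    chain.append(block)
    return block

def verify_chain(chain: List[Block]) -> Tuple[bool, int]:
    """Return (ok, index_of_first_bad_block); the index is -1 when intact.
    A block fails if its contents no longer match its stored hash, or if its
    previous_hash differs from the hash of the block before it."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():
            return False, i
        if i > 0 and block.previous_hash != chain[i - 1].hash:
            return False, i
    return True, -1

def tamper_demo() -> List[Tuple[bool, int]]:
    """Build a 3-block ledger from constructed transactions, then report what
    verify_chain says after a retroactive edit and after a re-hash of that block."""
    chain = [genesis_block()]
    add_block(chain, [{"from": "A", "to": "B", "amount": 50}], timestamp=1.0)
    add_block(chain, [{"from": "B", "to": "C", "amount": 20}], timestamp=2.0)
    results = [verify_chain(chain)]                 # intact: (True, -1)
    chain[1].transactions[0]["amount"] = 500        # alter block 1 after the fact
    results.append(verify_chain(chain))             # block 1's stored hash no longer matches
    chain[1].seal()                                 # attacker recomputes block 1's hash
    results.append(verify_chain(chain))             # block 2 still points at the old hash
    return results
```

On a real network the re-hashed block would also have to win consensus against every honest node's copy, which is the part step 3 adds on top of the cryptographic linkage shown here.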
■ Advantages:
■ Transparency: All participants have access to the same ledger,
enhancing trust.
■ Security: Cryptographic hashing and immutability make it highly
resistant to tampering.
■ Decentralization: No single central authority controls the network,
reducing single points of failure.
■ Efficiency: Can streamline processes by eliminating intermediaries
and reducing manual reconciliation.
■ Traceability: Provides a clear and verifiable audit trail of all
transactions.
■ Example: Cryptocurrencies like Bitcoin use blockchain to record
transactions. In supply chain management, blockchain can track the origin
and movement of goods, ensuring authenticity and reducing fraud.
Smart contracts on blockchain can automatically execute terms of an
agreement when conditions are met (e.g., releasing payment when goods
are received).
○ C - Cloud Computing:
■ Definition: The on-demand delivery of computing services—including
servers, storage, databases, networking, software, analytics, and
intelligence—over the Internet ("the cloud") with pay-as-you-go
pricing. It offers greater flexibility, scalability, and efficiency than
traditional on-premise IT infrastructure.
■ Types of Cloud Deployment (Mnemonic: P.P.H. - Public, Private,
Hybrid):
■ Public Cloud: Services are owned and operated by a third-party cloud
service provider (e.g., Amazon Web Services (AWS), Microsoft Azure,
Google Cloud Platform) and offered over the public internet to
multiple customers.
■ Advantages: High scalability, cost-effective (no hardware to buy),
less maintenance.
■ Example: Using Google Drive for file storage or accessing a web-
based email service like Gmail.
■ Private Cloud: Cloud infrastructure operated solely for a single
organization. It can be physically located on the company's premises
or hosted by a third-party provider.
■ Advantages: Greater control, enhanced security, customizable to
specific needs.
■ Example: A large bank setting up its own cloud environment for
sensitive financial data.
■ Hybrid Cloud: Combines public and private clouds, allowing data and
applications to be shared between them. This offers flexibility to move
workloads between environments.
■ Advantages: Flexibility, scalability, better cost management by
using public cloud for non-sensitive data and private for sensitive
data.
■ Example: A retail company uses a private cloud for its core
accounting system and a public cloud to handle seasonal spikes in
e-commerce traffic.
■ Service Models (Mnemonic: I.P.S. - IaaS, PaaS, SaaS) - "Cloud
Service is IPS (Internet Provided Service)."
■ IaaS (Infrastructure as a Service): Provides virtualized computing
resources over the internet, including virtual machines, storage,
networks, and operating systems. The user manages applications and
data, while the provider manages the underlying infrastructure.
■ Example: Renting virtual servers from AWS EC2 or Azure VMs
instead of buying and maintaining physical servers.
■ PaaS (Platform as a Service): Provides a complete development and
deployment environment in the cloud. It includes IaaS components
plus tools, programming languages, databases, and web servers.
Users manage applications and data; the provider manages the
platform infrastructure.
■ Example: Google App Engine or Heroku, where developers can
deploy and run applications without worrying about the underlying
servers or operating systems.
■ SaaS (Software as a Service): Provides ready-to-use software
applications over the internet on a subscription basis. The provider
manages all underlying infrastructure, platforms, and software.
■ Example: Gmail, Salesforce (CRM), Microsoft 365, Dropbox. Users
simply access the application via a web browser or mobile app.
○ D - Big Data:
■ Definition: Refers to extremely large, complex, and diverse datasets that
cannot be easily processed or analyzed using traditional data processing
applications. It requires specialized tools and technologies to extract
value.
■ Characteristics (The 3/5 Vs):
■ Volume: The sheer amount of data generated and stored. It's not just
big; it's vast (terabytes, petabytes, exabytes).
■ Velocity: The speed at which data is generated, collected, and
processed. This often requires real-time or near real-time analysis.
■ Variety: The different forms and types of data, both structured (e.g.,
databases) and unstructured (e.g., text, images, videos, social media
posts).
■ (Often also includes: Veracity: The trustworthiness or quality of the
data, and Value: The potential to derive meaningful insights and
business benefits from the data).
■ Mnemonic: 3 Vs - V.V.V. (Very, Very Vast).
■ Benefits/Usage of Big Data:
■ Customer Insights: Understanding customer behavior, preferences,
and sentiment for personalized marketing and product development.
■ Fraud Detection: Identifying unusual patterns in financial
transactions or network activity to detect fraud in real-time.
■ Risk Management: Analyzing vast datasets to assess and mitigate
various business risks (e.g., credit risk, market risk).
■ Operational Efficiency: Optimizing supply chains, predicting
equipment failures, and improving logistics.
■ Personalized Services: Delivering tailored recommendations and
services in finance, healthcare, and retail.
■ Predictive Maintenance: Using sensor data from machinery to
predict when maintenance is needed.
■ Obstacles in Adoption:
■ Data Quality: Ensuring accuracy, consistency, and completeness of
data.
■ Privacy Concerns: Protecting sensitive personal data in large
datasets.
■ Security: Securing massive and diverse data stores from breaches.
■ Infrastructure Costs: High investment in hardware, software, and
specialized tools.
■ Skilled Personnel: Shortage of data scientists, analysts, and
engineers with Big Data expertise.
■ Integration Challenges: Combining data from disparate sources.
■ Example: A credit card company uses Big Data analytics to monitor
billions of transactions in real-time, identifying fraudulent activities by
spotting unusual spending patterns that deviate from a customer's normal
behavior.
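The credit card example above, as added code that is not part of the original notes: a per-customer baseline detector that flags a transaction when its amount sits far outside that customer's own spending history or comes from a merchant country never seen before for that customer. The transaction sample, the 3-standard-deviation threshold and the minimum-history rule are constructed assumptions.

```python
"""Per-customer spending-anomaly detector (added example, not from the notes).
Each transaction is scored against that customer's own prior history, so an
amount that is routine for one customer can still be an outlier for another."""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample stream, in arrival order: (customer_id, amount, merchant_country)
TRANSACTIONS: List[Tuple[str, float, str]] = [
    ("C1", 42.0, "IN"), ("C1", 38.5, "IN"), ("C1", 55.0, "IN"), ("C1", 47.2, "IN"),
    ("C1", 51.0, "IN"), ("C1", 44.9, "IN"),
    ("C1", 1890.0, "RU"),   # deviates sharply from C1's normal behaviour
    ("C2", 300.0, "IN"), ("C2", 280.0, "IN"), ("C2", 310.0, "IN"), ("C2", 295.0, "IN"),
    ("C2", 305.0, "IN"), ("C2", 290.0, "IN"), ("C2", 315.0, "IN"),
]

Z_THRESHOLD = 3.0   # assumption: flag amounts more than 3 standard deviations above the mean
MIN_HISTORY = 5     # assumption: score a customer only after this many prior transactions

def score_transactions(txns: List[Tuple[str, float, str]]) -> List[Tuple[int, str, str]]:
    """Return (position, customer_id, reason) for every flagged transaction.

    The baseline is built online: a transaction is compared only with the
    transactions that arrived before it, as a real-time monitor would see them.
    """
    amounts: Dict[str, List[float]] = defaultdict(list)
    countries: Dict[str, Set[str]] = defaultdict(set)
    flagged: List[Tuple[int, str, str]] = []

    for pos, (cust, amount, country) in enumerate(txns):
        prior = amounts[cust]
        if len(prior) >= MIN_HISTORY:
            mean = statistics.fmean(prior)
            # A flat history gives sd == 0; a tiny floor keeps any change visible.
            sd = statistics.pstdev(prior) or 1e-9
            z = (amount - mean) / sd
            reasons = []
            if z > Z_THRESHOLD:
                reasons.append(f"amount z={z:.1f}")
            if country not in countries[cust]:
                reasons.append(f"new country {country}")
            if reasons:
                flagged.append((pos, cust, "; ".join(reasons)))
        # Update the baseline only after scoring, so a transaction cannot vouch for itself.
        amounts[cust].append(amount)
        countries[cust].add(country)
    return flagged

if __name__ == "__main__":
    for pos, cust, reason in score_transactions(TRANSACTIONS):
        print(f"txn #{pos} customer {cust}: {reason}")
```

Only the seventh transaction is flagged: C2's amounts are ten times larger than C1's but never leave C2's own band, which is the point of a per-customer rather than a global threshold.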

Chapter 13: Emerging Technologies


● E-business:
○ Definition: Refers to the conducting of business activities over the internet,
encompassing a wide range of online commercial activities, including buying
and selling products or services (e-commerce), managing supply chains,
processing electronic payments, and collaborating with partners.
○ Risks:
■ Online Security Risks: Phishing, malware, ransomware, denial-of-service
(DoS) attacks, leading to system downtime or data breaches.
■ Unauthorized Access: Compromised user accounts, hacking into
business systems.
■ Data Privacy Breaches: Exposure of sensitive customer or business
data.
■ Reputational Damage: Negative customer experiences or security
incidents impacting brand image.
■ System Reliability: Website crashes, slow performance leading to lost
sales.
○ Controls:
■ Strong Data Privacy & Security Policies: Comprehensive policies for
data handling, access, and protection.
■ Staff Training: Educating employees on security best practices, phishing
awareness.
■ Secure Authentication: Multi-factor authentication (MFA), strong
password policies.
■ Firewalls and IDS/IPS: Network security measures to filter traffic and
detect intrusions.
■ Encryption: Protecting data in transit and at rest.
■ Regular Vulnerability Assessments & Penetration Testing: Identifying
and remediating security weaknesses.
■ Incident Response Plan: A defined process for handling security
incidents.
○ Example: An online fashion retailer implements two-factor authentication for
customer logins and uses SSL/TLS encryption for all transactions to mitigate
risks like unauthorized access and data interception.
● Digital Payments:
○ Definition: Electronic methods of transferring funds or making payments,
eliminating the need for physical cash or checks. They leverage digital
platforms, mobile devices, and secure networks.
○ Types: Unified Payments Interface (UPI), mobile wallets (e.g., Google Pay,
Paytm), credit/debit cards, Net Banking (NEFT, RTGS, IMPS), QR code
payments, cryptocurrency payments.
○ Advantages:
■ Convenience: Payments can be made anytime, anywhere with an internet
connection.
■ Speed: Transactions are often instantaneous or near-instantaneous.
■ Reduced Cash Handling: Minimizes the risks associated with carrying
and managing physical cash.
■ Wider Reach: Facilitates cross-border transactions and access to
financial services for unbanked populations.
■ Transaction Tracking: Provides digital records of all transactions for
easier reconciliation and budgeting.
■ Offers & Rewards: Often come with discounts, cashback, or loyalty
programs.
○ Disadvantages:
■ Security Risks: Susceptibility to cyberattacks, phishing, fraud, and data
breaches.
■ Dependence on Technology: Requires internet connectivity and working
devices; system outages can halt transactions.
■ Digital Divide: Not everyone has access to technology or the internet,
excluding certain populations.
■ Transaction Fees: Some digital payment methods may incur fees for
merchants or users.
■ Privacy Concerns: Centralized platforms may collect extensive user
transaction data.
○ Example: A small vendor in a rural area accepts payments via UPI QR codes,
allowing customers to pay directly from their bank accounts using their
mobile phones, increasing convenience and reducing the need for cash
change.
● Internet of Things (IoT):
○ Definition: A network of interconnected physical objects ("things")
embedded with sensors, software, and other technologies that enable them
to collect and exchange data over the internet. These "things" can be
anything from smart home devices to industrial machinery.
○ Paradigms:
■ Device Connectivity: Connecting billions of devices to the internet.
■ Data Collection: Sensors gather vast amounts of real-time data (e.g.,
temperature, location, pressure).
■ Cloud Platforms: Storing and processing the collected data on cloud
infrastructure.
■ Analytics: Applying data analytics and AI to derive insights from IoT data.
○ Applications in Finance and Accounting:
■ Smart Contracts: IoT devices can trigger automated actions on a
blockchain-based smart contract (e.g., insurance payout automatically
issued upon sensor data indicating a weather event).
■ Automated Auditing: Real-time data from IoT devices can provide more
accurate and timely audit evidence (e.g., verifying asset location,
monitoring operational compliance).
■ Real-time Asset Tracking & Valuation: IoT sensors on assets (e.g.,
vehicles, equipment) can provide real-time location, usage, and condition
data, improving asset management, depreciation accuracy, and security.
■ Personalized Banking/Insurance: Data from wearables or smart homes
can enable insurers to offer personalized premiums based on health
habits or home security.
■ Supply Chain Finance: Tracking goods via IoT can enable immediate
financing or payment upon specific delivery milestones.
○ Example: An insurance company offers discounted premiums to homeowners
who install smart home security systems (IoT devices) that provide real-time
alerts and data on security events.
● Quantum Computing:
○ Definition: A new type of computing that uses the principles of quantum
mechanics (superposition, entanglement, quantum tunneling) to perform
calculations. Unlike classical computers that use bits (0 or 1), quantum
computers use qubits, which can represent 0, 1, or both simultaneously,
allowing them to process vast amounts of information much faster for
specific types of problems.
○ Advantages in Financial Organizations:
■ Complex Financial Modeling: Rapidly solving highly complex
optimization problems for portfolio management, risk assessment, and
derivatives pricing.
■ Faster Fraud Detection: Identifying sophisticated fraudulent patterns
that are too complex for classical computers.
■ Optimizing Trading Strategies: Developing and executing highly
optimized algorithmic trading strategies.
■ Breaking Current Encryption: A significant long-term threat as quantum
computers could potentially break many current public-key encryption
standards. This also drives the development of post-quantum
cryptography.
○ Example: A financial firm uses quantum computing to run complex Monte
Carlo simulations for risk analysis of diverse investment portfolios, achieving
results in minutes that would take classical supercomputers days.
● RegTech (Regulatory Technology):
○ Definition: The use of technology to enhance regulatory processes and
compliance. It aims to help financial institutions and other businesses manage
regulatory compliance more efficiently, accurately, and cost-effectively.
○ Focus Areas:
■ Anti-Money Laundering (AML): Automating the detection of suspicious
transactions and reporting.
■ Know Your Customer (KYC): Streamlining customer onboarding and
identity verification processes.
■ Fraud Detection: Using AI and machine learning to identify fraudulent
activities in real-time.
■ Regulatory Reporting: Automating the generation and submission of
regulatory reports to authorities.
■ Compliance Monitoring: Continuously monitoring transactions and
activities for adherence to internal policies and external regulations.
○ Example: A bank implements a RegTech solution that uses AI to analyze
millions of transactions daily, automatically flagging patterns that could
indicate money laundering, thereby reducing manual review and improving
compliance.
● Mobile Computing:
○ Definition: A generic term referring to the ability to access information and
resources from virtually anywhere, at any time, using wireless technologies
and portable devices such as smartphones, tablets, and laptops. It involves
portable hardware, software, and communication technologies that enable
computing on the go.
○ Benefits:
■ Increased Productivity: Employees can work remotely and access
critical information from any location.
■ Flexibility: Supports flexible work arrangements and quick response
times.
■ Real-time Access: Provides immediate access to data, reports, and
communications.
■ Enhanced Collaboration: Facilitates teamwork through mobile
communication and document sharing tools.
■ Improved Customer Service: Allows field agents to access customer
information and update records on-site.
■ Location-based Services: Enables navigation, localized advertising, and
relevant information delivery.
○ Example: A sales representative uses a company-issued tablet to access the
CRM system during a client visit, update lead information in real-time, and
process orders on the spot, significantly improving efficiency.

Good luck with your studies!
