Friday, February 18, 2011

Reflections by CA Final Students of Hyderabad on 4 day ISCA Class held at Hyderabad Branch of SIRC of ICAI

Roja @ Hello Sir, Good morning, I am really very happy that I have attended a good session. To date ISCA used to be a very boring and a very dry subject for me, but after attending the four days session it is my most favourite subject now. The way you taught the subject made us know how to deal with such subjects. Now it has become easy for me to even read the rest of the theory subjects of the CA Final course. Thank you very much sir. Please keep on conducting the sessions and please do keep posting the information regarding your classes. Have a nice day Sir

SANTOSH @ Good Morning Sir, It was really a wonderful insight into what the ISCA subject is all about. We came to know the subject's core objective, i.e. what it is, and how important it is to this world where only information is processed and documented for further usage.
Thank you Sir, for making this subject so easy to study and understand its application. Your lively interaction has helped us gain an advantage which can't be expressed in words.
Thank you sir once again.



Tuesday, February 15, 2011

PAN - Its Relevance

PAN - Permanent Account Number - The 10 Digit Alphanumerical Sequence



Let’s take a look at the breakdown of the 10 digit alphanumerical sequence:


1. The first five characters are called the core fields and are alphabetic.


2. The first three letters of the core field are an alphabetical series running from AAA to ZZZ.


3. The fourth character of the PAN must be one of the following, depending on the type of assessee:

C - Company
P - Person
H - HUF (Hindu Undivided Family)
F - Firm (including LLP)
A - Association of Persons (AOP)
T - AOP (Trust)
B - Body of Individuals (BOI)
L - Local Authority
J - Artificial Juridical Person
G - Govt

(Example - Company = AAACA; Artificial Juridical Person = AAAJA; HUF = AAAHA; etc.)


4. The fifth character of the PAN is the first letter of:

a) your surname, in the case of "P"; or

b) for all others, the name of the Entity, Trust, Society, Organization, HUF, etc.


(Example - Gopal Krishna Raju [Personal] = AAAPR4444A; Gopal Krishna Raju [HUF] = AAAHG4444A; General Firm = AAAFG4444A; etc.)


5. The next four numbers are sequential numbers running from 0001 to 9999.


6. The last digit is an alphabetic check digit.


Nowadays, the DOI (Date of Issue) of the PAN card is printed vertically to the right of the photograph on the card.
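An added example, not part of the post: a small Python parser that applies the structure described above to validate a PAN-like value before an application accepts or stores it. The check-letter algorithm is not given on the page, so only the presence and position of that letter is checked; the bad sample inputs in the demo are constructed.

```python
import re

# Fourth-character codes from the list above, mapped to the assessee type.
PAN_HOLDER_TYPES = {
    "C": "Company",
    "P": "Person",
    "H": "HUF (Hindu Undivided Family)",
    "F": "Firm (including LLP)",
    "A": "Association of Persons (AOP)",
    "T": "AOP (Trust)",
    "B": "Body of Individuals (BOI)",
    "L": "Local Authority",
    "J": "Artificial Juridical Person",
    "G": "Govt",
}

# Structure: 3-letter series, type letter, name initial, 4 digits, check letter.
PAN_PATTERN = re.compile(r"^([A-Z]{3})([A-Z])([A-Z])([0-9]{4})([A-Z])$")


def parse_pan(pan):
    """Split a PAN into its fields; raise ValueError if it cannot be a PAN.

    Only the structure described in the post is checked. The algorithm behind
    the final check letter is not given on the page, so it is not verified here.
    """
    pan = pan.strip().upper()
    match = PAN_PATTERN.match(pan)
    if match is None:
        raise ValueError("expected 5 letters, 4 digits, 1 letter: %r" % pan)
    series, type_code, initial, sequence, check = match.groups()
    if type_code not in PAN_HOLDER_TYPES:
        raise ValueError("unknown assessee type code %r in %r" % (type_code, pan))
    if sequence == "0000":
        raise ValueError("sequence number runs from 0001 to 9999: %r" % pan)
    return {
        "series": series,
        "holder_type": PAN_HOLDER_TYPES[type_code],
        "name_initial": initial,
        # For "P" the fifth letter is the surname initial; otherwise the entity name initial.
        "initial_of": "surname" if type_code == "P" else "entity name",
        "sequence": int(sequence),
        "check_letter": check,
    }


def is_well_formed_pan(pan):
    """True when the value has the structure of a PAN, False otherwise."""
    try:
        parse_pan(pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The post's own examples, plus two constructed bad inputs.
    for sample in ("AAAPR4444A", "AAAHG4444A", "AAAFG4444A", "AAAXR4444A", "ABC1234"):
        try:
            fields = parse_pan(sample)
            print(sample, "->", fields["holder_type"], "/ initial of", fields["initial_of"], fields["name_initial"])
        except ValueError as err:
            print(sample, "-> rejected:", err)
```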

Monday, February 7, 2011

Digital Signature - A Monograph

Digital Signature – Introduction:


A digital signature is an electronic identification of a person or entity created by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed against the entire message, which generates a small fixed string message usually about 128 bits in length. This process, also referred to as a digital signature algorithm, creates a message digest (i.e. smaller extrapolated version of the original message).

Encryption:


Encryption is the process of converting a plaintext message into a secure-coded form of text, called ciphertext, which decryption (the reverse process) converts back to plaintext. This is done via a mathematical function and a special encryption / decryption password called the key. In many countries, encryption is subject to governmental laws and regulations.

Encryption generally is used to:

1. Protect data in transit over networks from unauthorized interception and manipulation (confidentiality)

2. Protect information stored on computers from unauthorized viewing and manipulation (integrity)

3. Deter and detect accidental or intentional alterations of data

4. Verify genuineness of a transaction or document (authentication)

Encryption is limited in that it cannot prevent the loss of data and its programs can be compromised. Therefore, encryption should be regarded as an essential, but incomplete, form of access control that should be incorporated into an organisation’s overall computer security program.

Key elements of encryption systems include:

1. Encryption algorithm: A mathematically based function or calculation that encrypts / decrypts data

2. Encryption Keys: A piece of information that is used within an encryption algorithm (calculation) to make the encryption or decryption

3. Key length: A predetermined length for the key. The longer the key, the more difficult it is to compromise in a brute-force attack, where all possible key combinations are tried (for example, an intruder uses one of the many password cracking tools available at little or no cost against encrypted passwords to gain unauthorized access to an organisation's network systems).

The effectiveness of an encryption system depends upon the strength of the algorithm, the secrecy of the key and the difficulty of compromising it, whether back doors exist by which an encrypted file can be decrypted without knowing the key, whether an entire ciphertext message can be decrypted once the way a portion of it decrypts is known (called a known-text attack), and the properties of the plaintext known to a perpetrator.

Most encrypted transactions over the Internet use a combination of private / public keys, secret keys, hash functions (fixed values derived mathematically from a text message) and digital certificates to achieve confidentiality, message integrity, authentication and non-repudiation by either sender or recipient (also known as Public Key Infrastructure). This encryption process allows data to be stored and transported with reduced exposure, so a company’s corporate data are secure as they move across the Internet or other networks. There are two types of cryptographic systems: symmetric or private key, and asymmetric or public key cryptographic systems.

Private Key Encryption (Symmetric Cryptosystem):


Private Key cryptographic systems are based on a symmetric encryption algorithm, which uses a secret (private) key to encrypt the plaintext to the cipher text and the same key to decrypt the ciphertext to the corresponding plaintext. In this case the key is symmetric because the encryption key is the same as the decryption key.

The most common private key cryptographic system is the Data Encryption Standard (DES). DES is a standard encryption / decryption technique published in 1977 by the US National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology. DES is based on a public algorithm that operates on plaintext in blocks (strings or groups) of bits. This type of algorithm is known as a block cipher. DES uses blocks of 64 bits. A key of 56 bits is used for the encryption and decryption of plaintext. An additional 8 bits are used for parity checking. Any 56-bit number can be used as a key and there are 72,057,594,037,927,936 (i.e. 2^56) possible keys in the key space.

There are two main advantages to private key cryptosystems. The first is that the user has to use only one key for both encryption and decryption. The second is that private key cryptosystems are generally less complicated and therefore use up less processing power than asymmetric techniques. This makes private key cryptosystems ideally suited for bulk data encryption. The major disadvantage of this approach is how to get the keys into the hands of those with whom you want to exchange data, particularly in e-commerce environments, where customers are unknown, untrusted entities. Also, a symmetric key cannot be used to sign electronic documents or messages due to the fact that the mechanism is based on a shared secret.

Public Key Encryption (Asymmetric cryptosystem):


Public key cryptographic systems, developed for key distribution, solve the problem of getting symmetric keys into the hands of two people who do not know each other but who want to exchange information in a secure manner. Based on an asymmetric encryption process, two keys work together as a pair. One key is used to encrypt data; the other is used to decrypt data. Either key can be used to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can be used to decrypt the data (even the key that was used to encrypt the data cannot be used to decrypt it).

The keys are asymmetric in that they are inversely related to each other. Based on mathematical integer factorization, the idea is to generate a single product from two large prime numbers (viz. 100 digit prime numbers), where it is impracticable to factor and recover the two factors. This integer factorization process forms the basis for public key cryptography (i.e. function easy to compute in one direction, but very difficult or impractical in the other direction). The system involves modular arithmetic, exponentiation, and large prime numbers thousands of bits long. Since the keys are large numbers (e.g. 1024 bits), they are used for short messages such as encrypting symmetric keys or creating digital signatures.

A common form of asymmetric encryption is RSA. RSA is a public key cryptosystem for both encryption and authentication; it was invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman (RSA stands for the initials of their last names). It works as follows: take two large primes, p and q, and find their product n = p x q; n is called the modulus. Choose a number, e, less than n and relatively prime to (p-1) x (q-1), which means that e and (p-1) x (q-1) have no common factors except 1. Find another number d, such that (ed–1) is divisible by (p-1) x (q-1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); and the private key is (n, d). The factors p and q may be kept with the private key, or destroyed.


It is extremely unlikely that one could obtain the private key d from the public key (n, e). If one could factor n into p and q, however, then one could obtain the private key d. Thus, the security of RSA is related to the assumption that factoring is difficult.

Generally, with asymmetric encryption, one key, the secret or private key, is known only to one person; the other key, the public key, is known by many people. In other words, a message that has been sent enciphered by the secret key of the sender can be deciphered by anyone with the public key, but could only have come from the sender. This forms the basis of authentication and nonrepudiation (i.e. the sender cannot later claim that he/she did not generate the message). A message that has been enciphered using the public key of the receiver can be generated by anyone, but can only be read by the receiver. This is the basis of confidentiality. A message that has been encrypted twice, first by the sender's secret key and secondly by the receiver's public key, achieves both the authentication and the confidentiality objectives.

Data Integrity (Hash Algorithm):

A digital signature is an electronic identification of a person or entity by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed against the entire message, which generates a small fixed string message usually about 128 bits in length. This process, also referred to as a digital signature algorithm, creates a message digest (i.e. smaller extrapolated version of the original message).



This algorithm is a one-way function unlike private and public key encryption algorithms. The process of creating message digests cannot be reversed. They are meant for digital signature applications where a large electronic document or string of characters, such as a word processor text, a spreadsheet, a database record, the content of a hard disk or a jpg image, has to be compressed in a secure manner before being signed with the private key. The digest algorithm takes a message of arbitrary length and produces a 128-bit message digest.


Sender’s Authentication (Digital Signature):



The next step, which verifies the identity of the sender, is to encipher the message digest using the sender’s private key, which “signs” the document with the sender’s digital signature for message authenticity. To decipher, the receiver would use the sender’s public key, proving that the message could only have come from the sender. This process of sender authentication is known as nonrepudiation, because the sender cannot later claim that they did not generate the message.

Once the signature is decrypted, the receiver recomputes the hash, using the same hashing algorithm, on the electronic document and compares the result with what was sent to ensure the integrity of the message. Therefore, a digital signature is a cryptographic method that ensures:



Data integrity - Any change to the plaintext message would result in the recipient failing to compute the same message hash.
Authentication - The recipient can ensure that the message has been sent by the claimed sender, who holds the secret key.
Nonrepudiation - The claimed sender cannot deny generating and sending the message.


Wednesday, February 2, 2011

FCRA, 2010 - Role of Chartered Accountants

Friends,

I am presenting a paper on FCRA, 2010 (Foreign Contribution Regulation Act, 2010) and its role for Chartered Accountants on 3rd February 2011 at Tirunelveli Branch of SIRC of ICAI in the morning and also at Tuticorin Branch of SIRC of ICAI in the afternoon.

Tirunelveli Branch of SIRC of ICAI and Tuticorin Branch of SIRC of ICAI are the two branches in the southern part of Tamilnadu. Out of 34 branches in South India, 11 are in Tamilnadu. Tirunelveli branch is one of the oldest SIRC branches of Tamilnadu.

The material circulated to the participants (both in Word and PPT) will be made available in this blog the day after tomorrow.

GKR

Tuesday, February 1, 2011

ISCA - CA Final - Short Notes on ITIL

ITIL


ITIL is an acronym for Information Technology Infrastructure Library. ITIL is a series of books and training manuals that outline and explain the practices that are the most beneficial to IT services (usually manager focused). The goal of ITIL is for managers to have extremely high standards in IT value, as well as high financial quality in day to day IT operations. ITIL procedures are supplier independent and include instructional materials on IT infrastructure, operations and development issues.

It should be noted that the acronym ITIL is a registered trademark, and the books included in the ITIL library are copyrighted as well.

ITIL has had a long history of development, and many IT professionals believe that ITIL grew out of the yellow books, which were best practices and guidelines used in IBM during the 1980s; however, it wasn't until the middle of the 1990s that ITIL became a formal library of IT best practice frameworks. The newest version of ITIL (version 3) is set to be released in May of 2007. ITIL v3 has been anticipated by many IT professionals all over the world for the last few years. It is expected that five core texts will be packaged in the publication: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.

The original ITIL library included several books that covered specific themes in IT Service Management. However, after the original publication, the books in the library grew to over 30 volumes. Since 30 volumes can be cumbersome, difficult to read and digest and expensive to purchase as a complete set, the second version of ITIL has been consolidated.

ITIL v2 was packaged differently; version 2 was sold in sets that related to process guidelines and included several different aspects of IT including applications, services and IT management. It should be noted that the most popular sets being sold in ITIL v.2 include the services set, specifically Service Support and Service Delivery. While these two sets are by far the most popular, the ITIL library used as a whole is extremely comprehensive and a good foundation for any business using IT components today.

Following is a list of the books included in ITIL version 2:

  1. Introduction to ITIL: While not one of the core competencies of ITIL, this publication gives the reader a comprehensive overview of the advantages, methods used and wide array of publications available in the ITIL library. This introductory book helps both the individual and organization acquire a thorough understanding of how ITIL can be an invaluable tool when put into action.
  2. Service Delivery- Part of the IT Service Management Set, the service delivery book is primarily focused on being proactive and looking at the long term for what businesses require from its ICT (information and communications technology) provider to make sure that the proper support is being given to its businesses users. This includes Service Level Management, Capacity Management, IT Services Continuity Management, Availability Management and Financial Management.
  3. Service Support- Service Support is also part of the IT Service Management Set. This book is focused on the businesses end user and making sure that all end users of the organization have appropriate services to run and complete their tasks accordingly.
  4. ICT Infrastructure Management- ICT is an acronym for information and communications technology, this manual includes best practices for several facets of the ICT infrastructure including ICT design, planning, deployment, operations and technical support.
  5. Security Management- ITIL security management focuses on the best practices and guidelines to make sure that information is stored safely and protected against risks of hacking and theft. In today's business world, it is extremely important that sensitive data remains private and confidential.
  6. Business Perspective- This book details the best practices and addresses many issues in IT. This book tries to facilitate understanding regarding key issues in the IT along with quality management in the IS (Information Service) field.
  7. Application Management- This set includes best practices and guidelines in order to improve quality of software applications and support of these applications through the entire development life cycle.
  8. Software Asset Management- Software asset management is part of IT service management and looks at how software should be treated as an asset with value. This book details how businesses can save money through policies and procedures that underline using software expeditiously.
  9. Planning to Implement Service Management- provides business with a framework for analyzing and understanding what is needed when instituting certain IT processes and approaches. Many times a CSIP (Continuous Service Improvement Program) is implemented, along with other ITIL books and disciplines.
  10. ITIL Small Scale Implementation- This discipline is used for businesses with smaller ITIL departments. This book covers many best practices and guidelines used for larger implementation, but focuses as well on the important roles and responsibilities within a small unit and ways to avoid conflicts between ITIL priorities.

Advantages of ITIL

There are several benefits for using the Information Technology Infrastructure Library for many of your IT business needs and one main benefit is that through the guidelines and best practices that are taught in the library, your business can save a tremendous amount of money once implemented.

Another advantage of ITIL is that it will help your IT department organize and manage many different disciplines using one comprehensive volume. ITIL is the leader in IT guidelines and best practice publications; it has been tested in real world environments for over a decade and is proven to work.

Disadvantages of ITIL

While the advantages usually far outweigh the disadvantages, there are a couple of criticisms that are worth noting including the idea that most IT professionals consider ITIL a holistic approach to IT management. While ITIL is comprehensive, even the publication itself does not consider itself a holistic approach to IT management.

In addition, there are also accusations by some IT professionals that following only ITIL, due to its acceptance by many IT managers as the authoritative source, has actually led many businesses to skip pragmatic solutions for their specific business needs. Finally, another criticism of ITIL is that while some topics are covered extensively and are of high value, other topics may not receive enough emphasis, with quality being uneven in certain publications.

(Please give your suggestions / comments / feedback below).

16th February 2011 - Hyderabad Branch of SIRC of ICAI

Friends,

I am in Hyderabad on 16th February 2011 (Wednesday) for Hyderabad Branch of SIRC of ICAI addressing a Continuing Professional Education Seminar in the evening at the Branch Premises (Brahmayya Hall) at 6:00 PM on the following topic:

"Business Continuity Planning for a Chartered Accountant Firm".

Kindly join me on the day for an enlightening session. Please do come with a list of questions for wise deliberations.

GKR