des

2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 1

2007 CISA Review Course

Chapter 4

IT Service Delivery and Support


Process Area Overview

4.1 Information Systems Operations4.1.1 Management of IS Operations4.1.2 IT Service Management4.1.3 Infrastructure Operations4.1.4 Monitoring Use of Resources4.1.5 Support / Help Desk4.1.6 Change Management Process4.1.7 Program Library Management Systems4.1.8 Library Control Software4.1.9 Release Management4.1.10 Quality Assurance4.1.11 Information Security Management



4.2 Information Systems Hardware4.2.1 Computer Hardware Components and Architecture4.2.2 Hardware Maintenance Program4.2.3 Hardware Monitoring Preocedures4.2.4 Capacity Management

4.3 IS Architecture and Software4.3.1 Operating Systems4.3.2 Access Control Software4.3.3 Data Communications Software4.3.4 Data Management4.3.5 Database Management System4.3.6 Tape and Disk Management Systems



4.3.7 Utility Programs

4.3.8 Software Licensing Issues

4.4 IS Network Infrastructure4.4.1 Enterprise Network Architectures

4.4.2 Type of Networks

4.4.3 Network Services

4.4.4 Network Standards and Protocols

4.4.5 OSI Architecture

4.4.6 Application of the OSI Model in Network Architectures


Process Area Overview4.5 Auditing Infrastructure and Operations

4.5.1 Hardware Reviews 4.5.2 Operating System Reviews4.5.3 Database Reviews4.5.4 Network Infrastructure and Implementation Reviews4.5.5 Network Operating Control Reviews4.5.6 IS Operations Reviews4.5.7 Lights-out Operations4.5.8 Problem Management Reporting Reviews4.5.9 Hardware Availability and Utilization Reporting Reviews4.5.10 Scheduling Reviews

4.6 Chapter 4 Case Study4.6.1 Case Study Scenario4.6.2 Case Study Questions


Chapter Objective

The objective of this area is to ensure that the CISA

candidate understands and can provide assurance

that the IT service management practices will

ensure the delivery of the level of services required

to meet the organization’s objectives.


Chapter Summary

According to the CISA Certification

Board, this area represents 14 % of the

CISA examination

(approximately 28 questions).


4.1.1 Management of IS Operations

Control functions

4.1 Information 4.1 Information Systems OperationsSystems Operations


4.1.2 IT Service Management

• Service level Abnormal job termination reports Operator problem reports Output distribution reports Console logs Operator work schedules



4.1.2 IT Service Management (cont.)

• Service level Abnormal job termination reports Operator problem reports Output distribution reports Console logs Operator work schedules



4.1.3 Infrastructure Operations

• Lights-out Operations (Automated Unattended Operations)

• Input / output control function

• Job accounting

• Scheduling

• Job Scheduling Software




4.1.3 Infrastructure Operations (cont.)



• Job accounting

• Scheduling







• Job accounting

• Scheduling







• Job accounting

• Scheduling







• Job accounting

• Scheduling



4.1.4 Monitoring use of Resources

• Process of Incident Handling• Problem Management• Detection, Documentation, Control, Resolution and

Reporting of Abnormal Conditions



4.1.4 Monitoring use of Resources (cont.)

• Process of Incident Handling• Problem Management• Detection, Documentation, Control, Resolution and

Reporting of Abnormal Conditions



4.1.5 Support/Help Desk

• Prioritize the issues, and forward them to the appropriate managers, accordingly

• Follow up on unresolved problems.

• Close out resolved problems, noting proper authorization to close out the problem by the user.



4.1.6 Change Management Process

• System, operations and program documentation

• Job preparation, scheduling and operating instructions

• System and program test

• Data file conversion.

• System conversion



4.1.7 Program Library Management Systems

• Integrity

• Update

• Reporting

• Interface



4.1.8 Library Control Software

• Executable and source code integrity; each production executable module should have one corresponding source module

• Source code comparison; is an effective and easy-to-use method for tracing changes to programs.




4.1.8 Library Control Software (cont.)

• Executable and source code integrity; each production executable module should have one corresponding source module

• Source code comparison; is an effective and easy-to-use method for tracing changes to programs.


4.1.9 Release Management

• Major releases• Minor software releases• Emergency software fixes



4.1.10 Quality Assurance

Verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment.



4.1.11 Information Security Management

• Performing risk assessments on information assets

• Performing business impact analyses

• Conducting security assessments on a regular basis

• Implementing a formal vulnerability management process



Chapter 4 Question 1

When reviewing a service level agreement for an outsourced computer center an IS auditor should FIRST determine that:

A. the cost proposed for the services is reasonable.B. security mechanisms are specified in the agreement.C. the services in the agreement are based on an analysis of business needs.D. audit access to the computer center is allowed under the agreement.


Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?

A. Trace from system generated information to the change management documentation.B. Examine change management documentation for evidence of accuracy.C. Trace from the change management documentation to a system generated audit trail.D. Examine change management documentation for evidence of completeness.



A university’s IT department and financial services office (FSO) have an existing service level agreement that requires availability during each month to exceed 98 percent. FSO has analyzed availability and noted that it has exceeded 98 percent for each of the last 12 months, but has averaged only 93 percent during month-end closing. Which of the following options BEST reflects the course of action FSO should take?

A. Renegotiate the agreement.B. Inform IT that it is not meeting the required availability standard.C. Acquire additional computing resources.D. Streamline the month-end closing process.



4.2.1 Computer Hardware Components

and Architectures

• Processing Components

• Input/Output Components

• Types of Computers

4.2 Information 4.2 Information Systems HardwareSystems Hardware


4.2.1 Computer Hardware Components and Architectures

Types of Computers (cont.)

Supercomputers

Large (mainframes) Midrange computer Microcomputer (personal computers, PC Notebook / laptop computers Personal digital assistant (PDA)




Types of Computers (cont.)

Supercomputers

Large (mainframes) Midrange computer Microcomputer (personal computers, PC Notebook / laptop computers Personal digital assistant (PDA)




• Common Characteristics of Different Types of Computers

MultitaskingMultiprocessingMultiusingMultithreading




• Common Computer Roles

Print servers

File servers

Program (application) servers

Web servers




• Common Computer Roles (cont.)

Proxy servers

Database servers

Appliances (specialized devices)




• Universal Serial Bus

• Memory Cards

• Radio Frequency Identification

• Write Once and Read Many




• Universal Serial Bus

• Memory Cards

• Radio Frequency Identification

• Write Once and Read Many



4.2.2 Hardware Maintenance Program

• Reputable service company

• Maintenance schedule

• Maintenance cost

• Maintenance performance history, planned

and exceptional



4.2.3 Hardware Monitoring Procedures

• Availability reports

• Hardware error reports

• Utilization reports



4.2.4 Capacity Management• CPU utilization (processing power)• Computer storage utilization• Telecommunications and WAN bandwidth

utilization• Terminal utilization• I/O channel utilization• Number of users• New technologies• New applications• Service level agreements



Which one of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments?

A. User satisfactionB. Goal accomplishment C. BenchmarkingD. Capacity and growth planning



The key objective of capacity planning procedures is to ensure that:

A. available resources are fully utilized. B. new resources will be added for new applications in a timely manner. C. available resources are used efficiently and effectively. D. utilization of resources does not drop below 85%.



4.3 Information Systems 4.3 Information Systems Architecture and SoftwareArchitecture and Software

• Operating systems

• Software Control Features or Parameters

• Data communication software• Data management

• Database management system (DBMS)

• Tape and Disk Management System

• Utility Programs

• Software Licensing Issues


4.3.1 Operating systems Defines user interfaces

Permits users to share hardware

Permits users to share data

Inform users of any error…

Permits recovery from system error

Communicates completion of a process

Allows system file management

Allows system accounting management



4.3.1 Operating systems (cont.)

Defines user interfaces

Permits users to share hardware

Permits users to share data

Inform users of any error…

Permits recovery from system error

Communicates completion of a process

Allows system file management

Allows system accounting management



Software Control Features or Parameters

• Data management• Resource management• Job management• Priority setting



Software Integrity Issues

• Protect itself from deliberate and inadvertent modification.

• Ensure that privileged programs cannot be interfered with by user programs.

• Provide for effective process isolation.



Software Integrity Issues (cont.)

• Protect itself from deliberate and inadvertent modification.

• Ensure that privileged programs cannot be interfered with by user programs.

• Provide for effective process isolation.



Activity Logging and Reporting Options

• Data file versions used for production processing.• Program accesses to sensitive data• Programs scheduled and run• Utilities or service aids usage• Operating system operation• Changes to system parameters and libraries• Databases• Access control



4.3.2 Access Control Software

• Prevent unauthorized access to data• Unauthorized use of system functions and programs • Unauthorized updates/changes to data • Detect or prevent unauthorized attempts to access

computer resources.



4.3.3 Data communication software

• Transmits information or data

• Consists of three components

The transmitter (source)The transmission path (channel or line)The receiver (the sink)



4.3.4 Data management

• File Organization

Sequential

Indexed sequential

Direct random access



4.3.5 Database management system

(DBMS)

• DBMS architecture

• Detailed DBMS metadata architecture

• Data dictionary/directory system (DD/DS)

• Database structure

• Database controls



4.3.5 Database management system (DBMS) (cont.)
























4.3.6 Tape and Disk Management System

An automated tape management system (TMS)

or disk management system (DMS) is specialized system software that tracks and lists tape/disk

resources needed for data center processing.



4.3.7 Utility Programs

• Understanding application systems

• Assessing or testing data quality

• Testing a program’s ability to function correctly and maintain data integrity

• Assisting in faster program development

• Improving operational efficiency



4.3.8 Software Licensing Issues

• Documented policies and procedures that guard against unauthorized use or copying of software.

• Listing of all standard, used and licensed application and system software.

• Centralizing control and automated distribution and the installation of software

• Requiring that all PCs be diskless workstations and access applications from a secured LAN

• Regularly scanning user PCs



When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of:

A. system utilities.B. application program generators.C. systems security documentation.D. access to stored procedures.



The PRIMARY benefit of database normalization is the:

A. minimization redundancy of information in tables required to satisfy users’ needs.B. ability to satisfy more queries.C. maximization of database integrity by providing information in more than one table.D. minimization of response time through faster processing of information.



4.4 Information Systems Network 4.4 Information Systems Network InfrastructureInfrastructure

Telecommunications links for networks can be:• Analog• Digital

Methods for transmitting signals over analog telecommunication links are:

• Baseband• Broadband network


4.4.1 Enterprise Network Architectures

Today’s networks are part of a large, centrally-managed, inter-networked architecture solution of high-speed local- and wide-area computer networks serving organizations’ client-server-based environments. Such architectures may include clustering common types of IT functions together in network segments each uniquely identifiable and specialized to task.



4.4.2 Types of Networks

• Personal Area Networks (PANs)

• Local area networks (LANs)

• Wide area networks (WANS)

• Storage Area Networks (SANs)



4.4.3 Networks Services• File sharing• E-mail services• Print services• Remote access services• Terminal emulation software (TES)• Directory services• Network management



4.4.4 Network Standards and Protocols

• Critical Success Factors

InteroperabilityAvailabilityFlexibilityMaintainability



ISO/OSI: is a proof of a concept model composed of seven layers, each specifying particular specialized tasks or functions

Objective: to provide a set of open system standards for equipment manufacturers and to provide a benchmark to compare different communication systems




Functions of the layers of the ISO/OSI Model

–Application layer–Presentation layer

–Session layer

–Transport layer

–Network layer

–Data link layer

–Physical layer


Functions of the layers of the ISO/OSI Model

–Application layer–Presentation layer

–Session layer

–Transport layer

–Network layer

–Data link layer

–Physical layer

4.4 Information Systems Network 4.4 Information Systems Network

InfrastructureInfrastructure


4.4.5 OSI Architecture

The International Organization for Standardization formulated the OSI model to establish standards for vendors developing protocols supporting open system architecture.




4.4.6 Application of the OSI Model in

Network Architectures

• Local Area Network (LAN)

• Wide Area Network (WAN)

• Wireless Networks

• Public “Global” Internet Infrastructure




Network physical media specifications

– Local Area Network (LAN)• Copper (twisted-pairs) circuits

• Fiber-optic systems

• Radio Systems (wireless)

– Wide Area Network (WAN)• Fiber-optic systems

• Microwave radio systems

• Satellite radio link systems



LAN Components

– Repeaters

– Hubs

– Bridges

– Switches

– Routers



WAN Message transmission

techniques

– Message switching

– Packet switching

– Circuit switching

– Virtual circuits

– WAN dial-up services



WAN Components

– WAN switch

– Routers

– Modems



WAN Technologies

– Point to point protocol

– X.25

– Frame Relay

– Integrated services digital network (ISDN)

– Asynchronus transfer mode

– Multiprotocol label switching

– Digital suscriber lines

– Virtual Private Networks



Wireless Networks

– Wireless Wide Area Network (WWAN)

– Wireless Local Area network (WLAN)

– Wireless Personal Area Network (WPAN)

– Wireless ad hoc networks




Wireless Access: Exposures

– Interception of sensitive information

– Loss or theft of devices

– Misuse of devices

– Loss of data contained in devices

– Distraction caused by devices

– Possible health effects of device usage

– Wireless user authentication

– File security

– Interoperability

– Use of wireless subnets



Network Administration and Control

• Network performance metrics

• Network management issues

• Network management tools



Network Administration and Control (cont.)

• Network performance metrics

• Network management issues

• Network management tools



Applications in a Networked

Environment

• Client-Server Technology

• Middleware



Applications in a Networked

Environment (cont.)

• Client-Server Technology

• Middleware



An IS auditor when reviewing a network used for Internet communications will FIRST examine the:

A. validity of password change occurrences.B. architecture of the client-server application.C. network architecture and design.D. firewall protection and proxy servers.



Which of the following would allow a company to extend its enterprise’s intranet across the Internet to its business partners?

A. Virtual private network B. Client-serverC. Dial-up accessD. Network service provider



Which of the following statements relating to packet switching networks is correct?

A. Packets for a given message travel the same route.B. Passwords cannot be embedded within the packet.C. Packet lengths are variable and each packet contains the same amount of information.D. The cost charged for transmission is based on the packet, not the distance or route traveled.



4.5 Auditing Infrastructure 4.5 Auditing Infrastructure and Operationsand Operations

4.5.1 Hardware Reviews

– Review the capacity management procedures

– Review the hardware acquisition plan

– Review the PC acquisition criteria

– Review (hardware) change management controls


4.5.2 Operating System Reviews

– Interview technical service and other personnel

– Review system software selection procedures

– Review the feasibility study and selection process

– Review cost-benefit analysis of system software procedures

– Review controls over the installation of changed system software



4.5.2 Operating System Reviews (cont)

– Review system software maintenance activities

– Review system software change controls

– Review systems documentation

– Review and test system software implementation

– Review authorization documentation

– Review system software security



4.5.3 Database Reviews

– Design

– Access

– Administration

– Interfaces

– Portability

– Database-supported IS controls

4.5 Auditing Infrastructure 4.5 Auditing Infrastructure

and Operationsand Operations


4.5.4 Network infrastructure and implementation reviews

– Review controls over network implementations

• Physical controls

• Environmental controls

• Logical security controls



4.5.5 Network Operating Control Reviews

– Appropriate implementation, conversion and acceptance test plans– Implementation and testing plans for the network’s hardware and

communications links– Operating provisions for distributed data processing networks– All sensitive files / datasets have been identified– Procedures established to assure effective controls over hardware

and software– Adequate restart and recovery mechanisms



4.5.5 Network Operating Control Reviews (cont)

– The IS distributed network has been designed to assure that failure of service at any one site will have a minimal effect

– All changes made to the operating systems software used by the network are controlled

– Individuals have access only to authorized applications, transaction processors and datasets

– System commands affecting more than one network site are restricted to one terminal and to an authorized individual

– Encryption is being used on the network to encode sensitive data– Appropriate security policies and procedures have been

implemented



4.5.6 IS Operations Reviews

– Computer operations

– File handling procedures

– Data entry control



4.5.6 IS Operations Reviews (cont.)

– Computer operations

– File handling procedures

– Data entry control



4.5.7 Lights Out Operations

– Remote access to the master console

– Contingency plans

– Program change controls

– Assurance that errors are not hidden



4.5.8 Problem Management Reporting Reviews– Reviews of the procedures used for recording, evaluating, and

resolving or escalating any problem – Reviews of the performance records – Reviews of the reasons for delays in application program

processing – Reviews of the procedures used by the IS department to collect

statistics regarding online processing performance – The determination that significant and recurring problems have

been identified and actions are being taken – The determination that processing problems were resolved – Reviews of operations documentation– Reviews of help desk call logs



4.5.9 Hardware availability and utilization

Reporting Reviews – Review the problem log

– Review the preventive maintenance schedule

– Review the control and management of equipment

– Review the hardware availability and utilization reports

– Review the workload schedule and the hardware availability

and utilization reports



4.5.10 Scheduling Reviews – Review the console log– Review the schedule– Determine whether the scheduling of rush/rerun jobs is consistent– Determine whether critical applications have been identified– Determine whether scheduling procedures are used to facilitate optimal

use of computer resources– Determine whether the number of personnel assigned to each shift is

adequate– Review the procedures for collecting, reporting and analyzing key

performance indicators



4.6 Chapter 4: Case Study4.6 Chapter 4: Case Study4.6.1 Case Study Scenario

The IS auditor has recently been asked to perform an external and internal network security assessment for an organization that processes health benefit claims. The organization has a complex network infrastructure with multiple local area and wireless networks, a Frame Relay network crosses international borders. Additionally, there is an Internet site that is accessed by doctors and hospitals. The Internet site has both open areas and sections containing medical claim information that requires an ID and password to access. An Intranet site is also available that allows employees to check on the status of their personal medical claims and purchase prescription drugs at a discount using a credit card. The frame relay network carries unencrypted nonsensitive statistical data that are sent to regulatory agencies but do not include any customer identifiable information. The last review of network security was performed more than five years ago.


4.6 Chapter 4: Case Study4.6 Chapter 4: Case StudyAt that time, numerous exposures were noted in the areas of firewall

rule management and patch management for application servers. Internet applications were also found to be susceptible to SQL injection. It should be noted that wireless access as well as the Intranet portal had not been installed at the time of the last review. Since the last review, a new firewall has been installed and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. Internet applications have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and reports produced by this system are monitored on a daily basis. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is first encrypted prior to being sent. Traffic on the internal local area and wireless networks is encoded in hexadecimal so that no data appears in cleartext. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers.


4.6.2 Case Study Questions

1. In performing an external network security assessment, which of the following should normally be performed FIRST?A. ExploitationB. EnumerationC. ReconnaissanceD. Vulnerability scanning


4.6.2 Case Study Questions

2. Which of the following presents the GREATEST risk to the organization?A. Not all traffic traversing the Internet is encrypted.B. Traffic on internal networks is unencrypted.C. Cross-border data flow is unencrypted.D. Multiple protocols are being used.

des

Documents

information systems

operations reviews

operations control functions

information systems

disk management systems

data management

operating systems

scheduling reviews