CISA Summary, Version 1.0
Christian Reina, CISSP

This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document on the condition that you give credit to the original author. 2010 – Christian Reina, CISSP.
Domain 1 – IT Governance

IT Governance: Policy, Priorities, Standards, Vendor Management, Program/Project Management

IT Strategy Committee: Advise the board of directors on strategies.

Balanced Scorecard: Measure performance and effectiveness.
  o Business contribution: perception from non-IT executives
  o User: satisfaction
  o Operational excellence: downtime, defects, support tickets
  o Innovation: increase IT value with innovation

Information Security Governance (roles and responsibilities):
  o Board of Directors: risk appetite and risk management
  o Steering Committee: operational strategy for security and risk management
  o CISO: conducting risk assessments, developing security policy, vulnerability management, incident management, compliance
  o Employees: comply with policies

Enterprise Architecture (EA): Map business functions into the IT environment as a model. Activities to ensure business needs are met.
  o Zachman Model: IT systems and environments are described at a high, functional level, and then in increasing detail
  o DFD: Illustrate the flow of information

RISK MANAGEMENT
Seek, identify, and manage risk. Options: Accept, Mitigate, Transfer, Avoid.

Risk Management Program:
  o Objectives: reduce costs, reduce incidents, reduce risk
  o Scope
  o Authority: executive level of commitment
  o Resources: policies, processes, procedures, and records

Risk Management Process:
  1. Asset Identification: equipment, information, records, reputation, personnel
    o Grouping assets
    o Sources of asset data: interviews, IT systems, online data
    o Organizing data: business process, geography, OU, sensitivity, regulated
  2. Risk Analysis
    o Threat analysis: all threats with a realistic opportunity of occurrence
    o Vulnerability identification: ranked by severity or criticality
    o Probability analysis: requires research to develop best guesses
    o Impact analysis: study estimating the impact of specific threats on specific assets
    o Qualitative: subjective, using a numeric scale
    o Quantitative:
      Asset Value (AV)
      Exposure Factor (EF)
      Single Loss Expectancy (SLE) = AV x EF
      Annualized Rate of Occurrence (ARO)
      Annualized Loss Expectancy (ALE) = SLE x ARO
  3. Risk Treatments
    o Risk Mitigation
    o Risk Transfer
    o Risk Avoidance
    o Risk Acceptance
    o Residual Risk

IT MANAGEMENT PRACTICES
"Collection of top-down activities intended to control the IT organization from a strategic perspective."
  1. Personnel Management
    a. Hiring: background check, employee policy manual, job description
    b. Employee development: training, performance evaluation, career path
    c. Mandatory vacations: audit, cross training
    d. Termination
    e. Transfers and reassignments
  2. Sourcing
    a. Insource
    b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
  3. Change Management
    a. Request
    b. Review
    c. Approve
    d. Perform change
    e. Verify change
  4. Financial Management
    a. Develop
    b. Purchase
    c. Rent
  5. Quality Management
    a. Software development
    b. Software acquisition
    c. Service desk
    d. IT operations
    e. Security
    f. Standards:
      i. ISO 9000: superseded by ISO 9001:2008 Quality Management System
      ii. ISO 20000: IT Service Management for organizations adopting ITIL
      iii. ITIL: 1. Service Delivery, 2. Control Processes, 3. Release Processes, 4. Relationship Processes, 5. Resolution Processes
  6. Security Management
    a. Security governance
    b. Risk assessment
    c. Incident management
    d. Vulnerability management
    e. Access and identity management
    f. Compliance management
    g. BCP
  7. Performance Management
    a. COBIT
    b. SEI CMMI

Roles and Responsibilities
  1. Executive Management: CIO, CTO, CSO, CISO, CPO
  2. Software Development: architect, analyst, developer, programmer, tester
  3. Data Management: architect, DBA, analyst
  4. Network Management: architect, engineer, administrator, telecom
  5. Systems Management: architect, engineer, storage, systems administrator
  6. Operations: manager, analyst, controls analyst, data entry, media librarian
  7. Security Operations: architect, engineer, analyst, account management, auditor
  8. Service Desk: help desk, technical support

Segregation of Duties Controls
  1. Transaction authorization
  2. Split custody
  3. Workflow: extra approval
  4. Periodic reviews

Auditing IT Governance
  1. Reviewing Documentation and Records:
    a. IT charter, strategy
    b. IT org chart
    c. HR/IT performance
    d. HR promotion policy
    e. HR manuals
    f. Life-cycle processes and procedures
    g. IT operations procedures
    h. IT procurement process
    i. Quality management documents
  2. Reviewing Contracts
    a. Service levels
    b. Quality levels
    c. Right to audit
    d. 3rd party audit
    e. Conformance to policies, laws, regulations
    f. Incident notification
    g. Liabilities
    h. Termination terms
    i. Protection of PII
  3. Reviewing Outsourcing
    a. Distance
    b. Lack of audit contract terms
    c. Lack of cooperation
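The quantitative formulas in the Risk Analysis section (SLE = AV x EF, ALE = SLE x ARO) are easiest to apply with a small calculator that also compares the risk treatments the sheet lists (accept, mitigate, transfer, avoid). The following Python is an added example, not part of the original summary: the asset, its value, the exposure factor, the control cost and the transfer premium are constructed figures, and the decision rule in recommend_treatment is an assumption that goes one step beyond the sheet by ranking treatments on annual net benefit.

```python
"""Quantitative risk analysis: SLE = AV x EF and ALE = SLE x ARO, followed by
a comparison of the risk treatments (accept / mitigate / transfer / avoid).
Added example; all figures below are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: str
    av: float   # Asset Value
    ef: float   # Exposure Factor: fraction of AV lost in one occurrence (0..1)
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: the loss expected from a single occurrence."""
    if av < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def ale(s: Scenario) -> float:
    return annualized_loss_expectancy(single_loss_expectancy(s.av, s.ef), s.aro)


def mitigation_net_benefit(s: Scenario, annual_cost: float,
                           ef_after=None, aro_after=None) -> float:
    """Yearly value of a mitigating control: ALE before minus ALE after the
    control, minus the control's annual cost.  A control may lower EF (it
    limits the damage) and/or ARO (it makes the event rarer)."""
    after = replace(s,
                    ef=s.ef if ef_after is None else ef_after,
                    aro=s.aro if aro_after is None else aro_after)
    return ale(s) - ale(after) - annual_cost


def recommend_treatment(s: Scenario, mitigation_cost: float, ef_after=None,
                        aro_after=None, transfer_premium=None,
                        risk_appetite: float = 0.0):
    """Assumed decision rule (not from the summary): accept when ALE is within
    the risk appetite; otherwise take the option with the largest positive net
    benefit, where transfer is assumed to remove the whole ALE in exchange for
    the premium; if no option pays for itself, avoid the activity."""
    current = ale(s)
    if current <= risk_appetite:
        return "accept", 0.0
    options = {"mitigate": mitigation_net_benefit(s, mitigation_cost,
                                                  ef_after, aro_after)}
    if transfer_premium is not None:
        options["transfer"] = current - transfer_premium
    best = max(options, key=options.get)
    if options[best] > 0:
        return best, options[best]
    return "avoid", 0.0


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 500,000, 40% of its value
    # lost per breach, one breach expected every four years.
    db = Scenario("customer database", av=500_000, ef=0.4, aro=0.25)
    print(f"SLE={single_loss_expectancy(db.av, db.ef):,.0f}  ALE={ale(db):,.0f}")
    # Control costing 12,000/year that limits the loss to 20% of AV, versus
    # insurance at 40,000/year.
    print(recommend_treatment(db, mitigation_cost=12_000, ef_after=0.2,
                              transfer_premium=40_000))
```

With the constructed figures the SLE is 200,000 and the ALE 50,000 per year; the control cuts ALE to 25,000 for 12,000, a net benefit of 13,000, which beats the 10,000 net of the insurance option, so mitigation is recommended.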
Domain 2 – The Audit Process

Assess and evaluate the effectiveness of IT.

AUDIT MANAGEMENT
The Audit Charter: Define roles and responsibilities. Sufficient authority.
The Audit Program: scope, objectives, resources, procedures.
Strategic Audit Planning:
  o Factors: business goals and objectives, initiatives, market conditions, changes in technology, regulatory requirements
  o Changes in audit activities: new internal audits, new external audits, increase in audit scope, impact on business processes
  o Resource planning: budget and manpower
Audit and Technology: Continue learning about new technologies.

Audit Laws and Regulations:
  Characteristics: Security, Integrity, Privacy
  Computer Security and Privacy Regulations:
    o Categories: computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
    o Consequences: loss of reputation, loss of competitive advantage, sanctions, lawsuits, fines, prosecution
  "An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in this state."

  US Regulations:
    Access Device Fraud 1984
    Computer Fraud and Abuse Act 1984
    Electronic Communications Act 1986
    Electronic Communications Privacy Act (ECPA) 1986
    Computer Security Act 1987
    Computer Matching and Privacy Protection Act 1988
    Communications Assistance for Law Enforcement Act (CALEA) 1994
    Economic and Protection of Proprietary Information Act 1996
    Health Insurance Portability and Accountability Act (HIPAA) 1996
    Children's Online Privacy Protection Act (COPPA) 1998
    Identity Theft and Assumption Deterrence Act 1998
    Gramm-Leach-Bliley Act 1999
    Federal Energy Regulatory Commission (FERC)
    Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
    Sarbanes-Oxley Act 2002
    Federal Information Security Management Act (FISMA) 2002
    Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) 2003
    California Privacy Act SB1386 2003
    Identity Theft and Assumption Deterrence Act 2003
    Basel II 2004
    Payment Card Industry Data Security Standard (PCI-DSS) 2004
    North American Electric Reliability Corporation (NERC) 1968/2006
    Massachusetts Security Breach Law 2007
  Canadian Regulations:
    Interception of Communications, Section 184
    Unauthorized Use of Computer, Section 342.1
    Privacy Act 1983
    Personal Information Protection and Electronic Documents Act (PIPEDA)
  European Regulations:
    Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
    Computer Misuse Act (CMA) 1990
    Directive on the Protection of Personal Data 2003 (European Union)
    Data Protection Act (DPA) 1998
    Regulation of Investigatory Powers Act 2000
    Anti-Terrorism, Crime and Security Act 2001
    Privacy and Electronic Communications Regulations 2003
    Fraud Act 2006
    Police and Justice Act 2006
  Other Regulations:
    Cybercrime Act 2001 (Australia)
    Information Technology Act 2000 (India)

ISACA AUDITING STANDARDS
Code of Ethics: Members and ISACA certification holders shall:
  1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
  2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
  3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
  4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
  6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
  7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Audit Standards:
  S1, Audit Charter
  S2, Independence
  S3, Professional Ethics and Standards
  S4, Professional Competence
  S5, Planning
  S6, Performance of Audit Work
  S7, Reporting
  S8, Follow-up Activities
  S9, Irregularities and Illegal Acts
  S10, IT Governance
  S11, Use of Risk Assessment in Audit Planning
  S12, Audit Materiality
  S13, Use the Work of Other Experts
  S14, Audit Evidence
  S15, IT Controls
  S16, E-Commerce

Audit Guidelines:
  G1, Using the Work of Other Auditors
  G2, Audit Evidence Requirement
  G3, Use of Computer-Assisted Audit Techniques (CAATs)
  G4, Outsourcing of IS Activities to Other Organizations
  G5, Audit Charter
  G6, Materiality Concepts for Auditing IS
  G7, Due Professional Care
  G8, Audit Documentation
  G9, Audit Considerations for Irregularities and Illegal Acts
  G10, Audit Sampling
  G11, Effect of Pervasive IS Controls
  G12, Organizational Relationship and Independence
  G13, Use of Risk Assessment in Audit Planning
  G14, Application Systems Review
  G15, Planning
  G16, Effect of Third Parties on an Organization's IT Controls
  G17, Effect of Nonaudit Role on the IS Auditor's Independence
  G18, IT Governance
  G19, Irregularities and Illegal Acts
  G20, Reporting
  G21, Enterprise Resource Planning (ERP) Systems Review
  G22, Business to Consumer (B2C) E-Commerce Review
  G23, SDLC Review
  G24, Internet Banking
  G25, Review of VPN
  G26, Business Process Reengineering (BPR) Review
  G27, Mobile Computing
  G28, Computer Forensics
  G29, Post-implementation Review
  G30, Competence
  G31, Privacy
  G32, BCP
  G33, General Consideration on the Use of the Internet
  G34, Responsibility, Authority, and Accountability
  G35, Follow-up Activities
  G36, Biometric Controls
  G37, Configuration Management
  G38, Access Controls
  G39, IT Organization
  G40, Review of Security Management Practices

Audit Procedures:
  P1, Risk Assessment
  P2, Digital Signature and Key Management
  P3, IDS
  P4, Viruses
  P5, Control Risk Self-Assessment
  P6, Firewall
  P7, Irregularities and Illegal Acts
  P8, Security Assessment (pen test, vulnerability analysis)
  P9, Encryption
  P10, Business Application Change Control
  P11, Electronic Funds Transfer

PERFORMING AN AUDIT
Formal Planning:
  o Purpose
  o Scope
  o Risk analysis
  o Audit procedures
  o Resources
  o Schedule

RISK ANALYSIS: evaluating business processes, identifying business risks, risk mitigation, countermeasures assessment, controls monitoring.

Audit Types:
  o Operational
  o Financial
  o IS audit
  o Administrative
  o Compliance
  o Forensic
  o Service provider
  o Pre-audit

INTERNAL CONTROLS
Compliance vs. Substantive Testing:
  o Compliance: determine whether control procedures have been properly designed and implemented and are operating properly.
  o Substantive: determine the accuracy and integrity of transactions that flow through processes and information systems.
Control Classification:
  o Types: technical, administrative, physical
  o Classes: preventative, detective, deterrent, corrective, compensating, recovery
  o Categories: manual, automatic
Internal Control Objectives: statements of desired outcomes from business operations, e.g. protection of IT assets, availability of IT systems.
  o IS Control Objectives: protection of information from unauthorized personnel, integrity of operating systems
General Computing Controls (GCCs): controls that apply across all applications and services, e.g. passwords are encrypted, strong passwords.
IS Controls: each GCC is mapped to a specific IS control on each system type.

Audit Methodology:
  o Audit subject
  o Audit objective
  o Audit type
  o Audit scope
  o Pre-audit planning
  o Audit SoW
  o Audit procedures
  o Communication plan
  o Report preparation
  o Wrap-up
  o Post-audit follow-up

Audit Evidence:
  o Independence of the evidence provider
  o Qualifications of the evidence provider
  o Objectivity
  o Timing

Gathering Evidence:
  o Org chart
  o Review department and project charters
  o Review 3rd party contracts
  o Review IS policies and procedures
  o Review IS standards
  o Review IS documentation
  o Personnel interviews
  o Passive observation

Observing Personnel:
  o Real tasks
  o Skills and experience
  o Security awareness
  o Segregation of duties

Sampling:
  o Statistical: reflects the entire population
  o Judgmental: subjectively selects samples based on established criteria
  o Attribute: samples are examined and a specific attribute is chosen
  o Variable: determine the characteristic of a given population to determine total value
  o Stop-or-go: sampling can stop at the earliest possible time due to low risk and rate of exceptions
  o Discovery: trying to find at least one exception in a population
  o Stratified: create different classes and review one attribute common to all classes

Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments.

Reporting Audit Results:
  o Cover letter
  o Intro
  o Summary
  o Description
  o Listing of systems and processes examined
  o Listing of interviewees
  o Listing of evidence obtained
  o Explanation of sampling technique
  o Description of findings and recommendations

Audit Risk:
  o Control risk: an error goes undetected by an internal control
  o Detection risk: the IS auditor will overlook errors
  o Inherent risk: exists independent of the audit
  o Overall audit risk: summation of all of the residual risks
  o Sampling risk: the sampling technique will not detect an error

Materiality: a monetary threshold in financial audits.

CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business objectives and the key controls designed to manage those risks.
Advantages:
  o Risks detected earlier
  o Improvement of internal controls
  o Ownership of controls
  o Improved employee awareness
  o Improved relationship between departments and auditors
Disadvantages:
  o Mistaken as a substitute for internal audit
  o May be considered extra work
  o May be considered an attempt by an auditor to shrug off responsibilities
  o Lack of employee involvement produces no results
Life Cycle:
  o Identify and assess risks
  o Identify and assess controls
  o Develop questionnaire or workshop
  o Analyze completed questionnaire
  o Control remediation
  o Awareness training
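The sampling techniques listed under Performing an Audit (statistical, stratified, attribute, discovery and stop-or-go) can be put into code so that sample selection is reproducible in the work papers. The following Python is an added example, not part of the original summary: the population of change tickets, the attribute tested (change approved before being performed), the strata and the tolerable exception rate are all constructed assumptions.

```python
"""Audit sampling over a constructed population of change-management records.
Added example; the records and the tolerable rate below are assumptions."""
import random
from collections import defaultdict

# Constructed population: 40 change tickets.  Every 7th is an emergency
# change; tickets 5, 14, 23 and 31 were performed without a recorded approval.
CHANGES = [
    {"id": f"CHG-{n:03d}",
     "type": "emergency" if n % 7 == 0 else "standard",
     "approved": n not in (5, 14, 23, 31)}
    for n in range(1, 41)
]


def is_exception(rec):
    """Attribute under test: a change performed without approval."""
    return not rec["approved"]


def statistical_sample(population, size, seed):
    """Simple random sample: every record has the same chance of selection;
    the seed makes the selection reproducible for the audit work papers."""
    return random.Random(seed).sample(population, size)


def stratified_sample(population, stratum_of, per_stratum, seed):
    """Split the population into classes and sample each class separately, so
    a small but risky class (emergency changes) is not drowned out by the
    large routine class."""
    strata = defaultdict(list)
    for rec in population:
        strata[stratum_of(rec)].append(rec)
    rng = random.Random(seed)
    return {name: rng.sample(recs, min(per_stratum, len(recs)))
            for name, recs in sorted(strata.items())}


def attribute_rate(sample):
    """Attribute sampling: observed exception rate for the tested attribute."""
    return sum(is_exception(r) for r in sample) / len(sample)


def discovery_sample(population, seed):
    """Discovery sampling: examine records in random order until the first
    exception appears.  Returns (records examined, exception or None)."""
    order = list(population)
    random.Random(seed).shuffle(order)
    for n, rec in enumerate(order, start=1):
        if is_exception(rec):
            return n, rec
    return len(order), None


def stop_or_go_sample(population, seed, min_items, tolerable_rate):
    """Stop-or-go sampling: stop as soon as at least min_items have been
    examined and the observed exception rate is within the tolerable rate;
    otherwise keep going.  Returns (records examined, exceptions found)."""
    order = list(population)
    random.Random(seed).shuffle(order)
    exceptions = 0
    for n, rec in enumerate(order, start=1):
        exceptions += is_exception(rec)
        if n >= min_items and exceptions / n <= tolerable_rate:
            return n, exceptions
    return len(order), exceptions


if __name__ == "__main__":
    by_type = stratified_sample(CHANGES, lambda r: r["type"], 5, seed=2024)
    for name, recs in by_type.items():
        print(name, [r["id"] for r in recs], f"exception rate {attribute_rate(recs):.2f}")
    print("discovery:", discovery_sample(CHANGES, seed=7))
    print("stop-or-go:", stop_or_go_sample(CHANGES, seed=7, min_items=10, tolerable_rate=0.2))
```

Recording the seed alongside the sample is what lets a reviewer re-derive exactly which records were tested; the population-wide rate (4 exceptions in 40 records, 10%) is what an attribute sample is trying to estimate.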
Domain 3 – IT Life Cycle Management

Organization's methodologies and practices for the development and management of software, infrastructure, and business processes.

PORTFOLIO AND PROGRAM MANAGEMENT
A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
Starting a Program:
  o Program charter
  o Identification of available resources
Running a Program:
  o Monitoring project schedules
  o Managing project budgets
  o Managing resources
  o Identifying and managing conflicts
  o Creating status reports
Project Portfolio Management (per project):
  o Executive sponsor
  o Program manager
  o Project manager
  o Start and end dates
  o Names of participants
  o Objectives or goals that the project supports
  o Budget
  o Resources
  o Dependencies
Business Case development:
  o Business problem
  o Feasibility study results
  o High-level project plan
  o Budget
  o Metrics
  o Risks

Managing Projects:
  o Managing the project schedule
  o Recording task completion
  o Running project meetings
  o Tracking project expenditures
  o Communicating project status
Project Roles and Responsibilities:
  o Senior management: support the approval of the project
  o IT steering committee: commission the feasibility study, approve the project
  o Project manager
  o Project team members
  o End-user management: assign staff to the project team; support development of cases
  o End users
  o Project sponsor: define project objectives, provide budget
  o Systems development management
  o System developers
  o Security manager
  o IT operations
Project Planning: task identification, task estimation, task resources, task dependencies, milestone tracking, task tracking.
Estimating and sizing software projects:
  o Object Breakdown Structure (OBS)
  o Work Breakdown Structure (WBS)
  o Source Lines of Code (SLOC): accurate estimate based on previous analysis for the time to develop a program
  o COCOMO: Constructive Cost Model method for estimating software development projects
  o Function Point Analysis (FPA): time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment.
Scheduling Project Tasks (critical phase):
  o Gantt chart
  o Program Evaluation and Review Technique (PERT)
  o Critical Path Methodology (CPM): it is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
Timebox Management: a period in which a project must be completed.
Project Records: project plans, project changes, meeting agendas and minutes, resource consumption, task information.
Project Documentation: helps users, support staff, IT operations, developers, and auditors.
Project Change Management: the procedures for making changes to the project should be done in two basic steps:
  1. The project team identifies the specific use, impact, and remedy, and makes a formal request.
  2. This change request is presented to management along with its impact, and management makes a decision.
Project closure:
  o Project debrief
  o Project documentation archival
  o Management review
  o Training
  o Formal turnover to users, operations and support

PROJECT MANAGEMENT
Organizing Projects:
  o Direct report: project team leader
  o Influencer: influences members but does not manage them directly
  o Pure project: given authority
  o Matrix: authority over each project team member
Initiating a project
Developing Project Objectives:
  o Object Breakdown Structure (OBS): visual representation of the system, software, or application, in a hierarchical form
  o Work Breakdown Structure (WBS): logical representation of the high-level and detailed tasks that must be performed to complete the project
Methodologies:
  o Project Management Body of Knowledge (PMBOK): process based.
    Processes: inputs, techniques, outputs
    Process groups: Initiating, Planning, Executing, Controlling and monitoring, Closing
  o Projects IN Controlled Environments (PRINCE2): project management framework.
    Starting up a project (SU)
    Planning (PL)
    Initiating a project (IP)
    Directing a project (DP)
    Controlling a stage (CS)
    Managing product delivery (MP)
    Managing Stage Boundaries (SB)
    Closing a project (CP)
  o Scrum: iterative and incremental process most commonly used to manage an agile software development effort.
    Scrum master: the project manager
    Product owner: the customer
    Team, Users, Stakeholders, Managers
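The Critical Path Methodology point above (find the tasks whose delay moves the project end date) is a short computation once the task network is written down. The following Python is an added example, not from the original summary: the task network and the durations are constructed, and the forward/backward pass implementation is a standard CPM computation rather than anything the sheet prescribes.

```python
"""Critical path computation for a task network: forward pass (earliest
start/finish), backward pass (latest start/finish), zero-slack tasks form
the critical path.  Added example; the PLAN network below is constructed."""
from collections import deque


def critical_path(tasks):
    """tasks maps a task name to (duration, [predecessor names]).
    Returns (project duration, critical tasks in schedule order, slack per task)."""
    successors = {name: [] for name in tasks}
    indegree = {}
    for name, (duration, preds) in tasks.items():
        if duration < 0:
            raise ValueError(f"{name}: negative duration")
        indegree[name] = len(preds)
        for p in preds:
            if p not in tasks:
                raise ValueError(f"{name}: unknown predecessor {p}")
            successors[p].append(name)

    # Topological order (Kahn's algorithm); a leftover task means a cycle.
    order, queue = [], deque(n for n, d in indegree.items() if d == 0)
    while queue:
        name = queue.popleft()
        order.append(name)
        for s in successors[name]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle: the schedule can never complete")

    # Forward pass: earliest start = latest finish among predecessors.
    early_start, early_finish = {}, {}
    for name in order:
        duration, preds = tasks[name]
        early_start[name] = max((early_finish[p] for p in preds), default=0)
        early_finish[name] = early_start[name] + duration
    project_duration = max(early_finish.values(), default=0)

    # Backward pass: latest finish = earliest start among successors.
    late_start, late_finish = {}, {}
    for name in reversed(order):
        late_finish[name] = min((late_start[s] for s in successors[name]),
                                default=project_duration)
        late_start[name] = late_finish[name] - tasks[name][0]

    # Slack is how long a task may slip without moving the project end date;
    # tasks with zero slack are the critical path.
    slack = {name: late_start[name] - early_start[name] for name in tasks}
    critical = [name for name in order if slack[name] == 0]
    return project_duration, critical, slack


# Constructed task network: (duration in days, predecessors).
PLAN = {
    "A requirements": (3, []),
    "B procure hw":   (2, ["A requirements"]),
    "C build app":    (4, ["A requirements"]),
    "D system test":  (2, ["B procure hw", "C build app"]),
    "E cutover":      (1, ["D system test"]),
}

if __name__ == "__main__":
    days, path, slack = critical_path(PLAN)
    print(f"project completes on day {days}; critical path: {' -> '.join(path)}")
    for name, s in slack.items():
        print(f"  {name}: slack {s} day(s)")
```

In the constructed plan the hardware procurement can slip two days without effect, while any delay in requirements, the build, testing or cutover pushes the 10-day end date out by the same amount.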
SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)
1. Feasibility Study: determine whether a specific change or set of changes in business processes and underlying applications is practical to undertake.
  o Time required to develop/acquire software
  o A comparison between the cost of developing the application and buying it
  o Whether an existing system can meet the business need
  o Whether the application supports strategic business objectives
  o Whether a solution can be developed that is compatible with other IT systems
  o The impact of the proposed changes to the business on regulatory compliance
  o Whether future requirements can be met by the system
2. Requirements: characteristics of a new application or of changes being made.
  o Business functional requirements: must have, to support the business
  o Technical requirements and standards: use the same basic technologies already in use, as well as formal technical standards
  o Security and regulatory requirements: authentication, authorization, access control, encryption, data validation, audit logging, security operational requirements
  o DR/BCP requirements
  o Privacy requirements
  o RFP process (Request For Proposal): requirements, vendor financial stability, product roadmap, experience, vision, references
    Questions for clients: satisfaction with production systems, satisfaction with the migration project, satisfaction with support, satisfaction with the long-term roadmap, what went well, what did not go well
    Contract negotiation
    Closing the RFP
3. Design: a top-down approach.
4. Development:
  o Coding the application
  o Developing program and system level documents
  o Developing user procedures
  o Working with users
  Developing in a software acquisition setting: customizations, interfaces to other systems, authentication, reports.
  Debugging: correct operations, input validation, proper output validation, resource usage.
  Source Code Management (SCM): protection, control, version control, recordkeeping.
5. Testing:
  o Unit testing: by developers during the coding phase; should be a part of the development of each module in the application
  o System testing: end-to-end testing; includes interface testing and migration testing
  o Functional testing: verification of functional requirements
  o User Acceptance Testing (UAT): in most cases a formal step to find out whether the organization accepts the software developed by a 3rd party
  o Quality Assurance Testing (QAT)
6. Implementation:
  o Planning: prepare physical space for installation, build production systems, install application software, migrate data
  o Training: end users, customers, support staff, trainers
  o Data migration: record counts, batch totals, checksums
  o Cutover: parallel, geographic, module by module, roll-back
  o Rollback planning
7. Post Implementation:
  o Implementation review: system adequacy, security review, issues, ROI
  o Software maintenance

Development Risks:
  o Application inadequacy
  o Project risk
  o Business inefficiency
  o Market changes

Development Approaches and Techniques:
  o Agile development
  o Prototyping
  o Rapid Application Development (RAD)
  o Data Oriented System Development (DOSD)
  o Object-Oriented System Development (OO)
  o Component based development: CORBA, DCOM, SOA
  o Web-based application development: HTML, SOAP, XML
  o Reverse engineering

System Development Tools:
  o Computer-Aided Software Engineering (CASE)
    Upper CASE: requirements gathering, DFDs, interfaces
    Lower CASE: creation of program source code and data schemas
  o Fourth Generation Languages

INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION
  1. Review of existing architecture
  2. Requirements
    a. Business functional requirements
    b. Technical requirements and standards
    c. Security and regulatory requirements
    d. Privacy requirements
  3. Design
    a. Procurement
  4. Testing
  5. Implementation
  6. Maintenance

MAINTAINING INFORMATION SYSTEMS
Change Management Process: change request, change review, perform change, emergency changes.
Configuration Management:
  o Recovery: configuration is stored independent of the systems themselves
  o Consistency: simplifies administration, reduces mistakes, and results in less unscheduled downtime

BUSINESS PROCESSES
Business Process Life Cycle (BPLC):
  1. Feasibility study
  2. Requirements definition
  3. Design
  4. Development
  5. Testing
  6. Implementation
  7. Monitoring
  8. Post-implementation
Benchmarking a Process: plan, research, measure and observe, analyze, adapt (understand the fundamental reasons why other organizations' measurements are better than its own), improve.
Capability Maturity Models:
  o Software Engineering Institute Capability Maturity Model (SEI CMM): Initial, Repeatable, Defined, Managed, Optimizing
  o Capability Maturity Model Integration (CMMI): an aggregation of these other models into an overall maturity model
  o ISO 15504: Software Process Improvement and Capability dEtermination (SPICE): Level 0 incomplete, Level 1 performed, Level 2 managed, Level 3 established, Level 4 predictable, Level 5 optimizing

APPLICATION CONTROLS
Input Controls:
  Authorization:
    o User access controls
    o Workstation identification
    o Approved transactions and batches
    o Source documents
  Input validation:
    o Type checking
    o Range and value checking
    o Existence
    o Consistency
    o Length
    o Check digits
    o Spelling
    o Unwanted characters
    o Batch controls
  Error handling:
    o Batch rejection
    o Transaction rejection
    o Request re-input
Processing Controls:
  o Editing
  o Calculations
  o Run-to-run totals
  o Limit checking
  o Batch totals
  o Manual recalculation
  o Reconciliation
  o Hash values
  o Data file controls: data file security, error handling, internal and external labeling, data file version, source files, transaction logs
  o Processing errors
Output Controls:
  o Controlling special forms
  o Report distribution and receipt
  o Reconciliation
  o Retention
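The input-control and error-handling items under Application Controls (existence, type, range, length, check digits, unwanted characters, batch totals, hash totals, batch rejection versus transaction rejection with re-input) map directly onto validation code at the boundary of a transaction-processing application. The following Python is an added example, not part of the original summary: the payment batch, its control header, the limit value and the field rules are constructed, and the Luhn mod-10 algorithm is an assumed choice of check-digit scheme (the sheet only says "check digits").

```python
"""Input and batch controls over a constructed batch of payment transactions.
Batch-level controls (record count, batch total, hash total) run first and a
mismatch rejects the whole batch; transaction-level validation then rejects
individual records and flags them for re-input.  Added example."""
import re

REQUIRED = ("account", "amount", "payee")
ALLOWED_PAYEE = re.compile(r"[A-Za-z0-9 .,'&-]*")   # unwanted-character check


def luhn_valid(number: str) -> bool:
    """Check digit: Luhn mod-10, assumed here as the check-digit scheme."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_transaction(tx: dict, limit: float) -> list:
    """Return the list of control failures for one transaction (empty = accept)."""
    errors = []
    for field in REQUIRED:                      # existence
        if not tx.get(field):
            errors.append(f"{field}: missing")
    amount = None
    try:                                        # type checking
        amount = float(tx.get("amount", ""))
    except (TypeError, ValueError):
        errors.append("amount: not numeric")
    if amount is not None:                      # range and limit checking
        if amount <= 0:
            errors.append("amount: must be positive")
        elif amount > limit:
            errors.append(f"amount: exceeds limit {limit}")
    account = str(tx.get("account", ""))
    if not 8 <= len(account) <= 19:             # length
        errors.append("account: length")
    elif not luhn_valid(account):               # check digit
        errors.append("account: check digit")
    if not ALLOWED_PAYEE.fullmatch(str(tx.get("payee", ""))):
        errors.append("payee: unwanted characters")
    return errors


def process_batch(batch: list, header: dict, limit: float = 10_000.0) -> dict:
    """Apply batch controls, then transaction controls; see module docstring."""
    if len(batch) != header["record_count"]:
        return {"status": "batch rejected",
                "reason": f"record count {len(batch)} != {header['record_count']}"}
    batch_total, hash_total = 0.0, 0
    for tx in batch:
        try:
            batch_total += float(tx.get("amount", ""))
        except (TypeError, ValueError):
            pass                                # reported by validation below
        account = str(tx.get("account", ""))
        if account.isdigit():                   # hash total: meaningless sum
            hash_total += int(account)          # used only as a control
    if abs(batch_total - header["batch_total"]) > 0.005:
        return {"status": "batch rejected", "reason": "batch total mismatch"}
    if hash_total != header["hash_total"]:
        return {"status": "batch rejected", "reason": "hash total mismatch"}
    accepted, rejected = [], {}
    for idx, tx in enumerate(batch):
        errs = validate_transaction(tx, limit)
        if errs:
            rejected[idx] = errs + ["action: request re-input"]
        else:
            accepted.append(idx)
    return {"status": "processed", "accepted": accepted, "rejected": rejected}


# Constructed batch and its control header.
BATCH = [
    {"account": "79927398713",      "amount": "250.00", "payee": "Acme Supplies"},
    {"account": "79927398714",      "amount": "75.50",  "payee": "Bob's Shop"},
    {"account": "4111111111111111", "amount": "25000",  "payee": "Evil<script>"},
]
HEADER = {"record_count": 3, "batch_total": 25325.50,
          "hash_total": 79927398713 + 79927398714 + 4111111111111111}

if __name__ == "__main__":
    print(process_batch(BATCH, HEADER))
```

Keeping the batch controls ahead of the per-record checks mirrors the error-handling split on the sheet: a count, batch total or hash total mismatch means the batch itself is suspect and is rejected whole, whereas a bad check digit or an over-limit amount only rejects that transaction and asks for it to be re-entered.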
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE
  o Auditing project management
  o Auditing the feasibility study
  o Auditing requirements
  o Auditing design
  o Auditing development
  o Auditing software acquisition
  o Auditing implementation
  o Auditing post-implementation
  o Auditing change management
  o Auditing configuration management

AUDITING BUSINESS CONTROLS
Identify the key processes in an organization and understand the controls that are in place, or should be in place, that govern the integrity of those processes.

AUDITING APPLICATION CONTROLS
  o Transaction flow
  o Observations
  o Data integrity testing: used to confirm whether an application properly accepts, processes, and stores information
  o Testing online processing systems
  o Auditing applications
  o Continuous auditing: several techniques are available to perform online auditing:
Domain 4 – IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations: their existence is to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS
Management and control of operations:
  o Process and procedures
  o Standards
  o Resource allocation
  o Process management
IT Service Management (ITSM):
  o Service desk
  o Incident mgt
  o Problem mgt
  o Change mgt
  o Configuration mgt
  o Release mgt: ITIL term used to describe the SDLC; used for changes in a system such as incident and problem resolution, enhancements, subsystem patches and changes
  o Service-level mgt
  o Financial mgt
  o Capacity mgt: periodic measurements, considering planned changes, understanding long-term strategies, changes in technology
  o Service continuity mgt
  o Availability mgt: effective change mgt, effective application testing, resilient architecture, serviceable components
Infrastructure Operations:
  o Running scheduled jobs
  o Restarting failed jobs/processes
  o Facilitating backup jobs
  o Monitoring systems/apps/networks
Monitoring
Software Program Library Management: system used to store and manage access to an organization's application source and object code.
  o Access and authorization controls
  o Program checkout
  o Program check-in
  o Version control
  o Code analysis
Quality Assurance
Security Management:
  o Policies, procedures, processes, and standards
  o Risk assessments
  o Impact analysis
  o Vulnerability management

INFORMATION SYSTEMS HARDWARE
Computer usage:
  o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
  o Uses: app server, web server, file server, db server, print server, test server, thin client, thick client, workstation
Computer architecture:
  o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), single processor, multi-processor
  o Bus: PCI, PC Card, MBus, SBus
  o Main storage
  o Secondary storage: program storage, data storage, temporary files, OS, virtual memory
  o Firmware: Flash, EPROM, PROM, ROM, EEPROM
  o I/O and networking
  o Multi-computer: blade computers, grid computing, server clusters, virtual servers
Hardware maintenance
Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE
Computer Operating Systems: access to peripherals, storage mgt, process mgt, resource allocation, communication, security.
  o OS virtualization
  o Clustering: using special software
  o Grid computing: a form of distributed computing
  o Cloud computing: dynamically scalable and usually virtualized
Data Communication Software
File Systems: directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format).
Database Management Systems:
  o Relational DB Management (rDBMS): primary key, one or more indexes, referential integrity, encryption, audit logging, access controls
  o Object Database (ODBMS): represented as objects; data and the programming method are contained in an object
  o Hierarchical database: top-down
Media Management System: Tape Management Systems (TMS) or Disk Management Systems (DMS).
Utility software:
  o Software and data design
  o Software development
  o Software testing
  o Security testing
  o Data management
  o System health
  o Network

NETWORK INFRASTRUCTURE
Network Architecture:
  o Physical network architecture
  o Logical network architecture
  o Data flow architecture
  o Network standards and services
Types of networks:
  o Personal Area Network (PAN): up to 3 meters; used to connect peripherals for use by an individual
  o LAN
  o Campus Area Network (CAN)
  o Metropolitan Area Network (MAN)
  o WAN
Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management.
Network Models:
  o OSI: application, presentation, session, transport, network, data link, physical
  o TCP/IP: link, internet, transport, application
Network Technologies:
  o LAN physical topology: star, ring, bus