1. 2007 CISA Review Course
   Chapter 4: IT Service Delivery and Support

2. Process Area Overview
   4.1 Information Systems Operations
     - 4.1.1 Management of IS Operations
     - 4.1.2 IT Service Management
     - 4.1.3 Infrastructure Operations
     - 4.1.4 Monitoring Use of Resources
     - 4.1.5 Support / Help Desk
     - 4.1.6 Change Management Process
     - 4.1.7 Program Library Management Systems
     - 4.1.8 Library Control Software
     - 4.1.9 Release Management
     - 4.1.10 Quality Assurance
     - 4.1.11 Information Security Management

3. Process Area Overview
   4.2 Information Systems Hardware
     - 4.2.1 Computer Hardware Components and Architecture
     - 4.2.2 Hardware Maintenance Program
     - 4.2.3 Hardware Monitoring Procedures
     - 4.2.4 Capacity Management
   4.3 IS Architecture and Software
     - 4.3.1 Operating Systems
     - 4.3.2 Access Control Software
     - 4.3.3 Data Communications Software
     - 4.3.4 Data Management
     - 4.3.5 Database Management System
     - 4.3.6 Tape and Disk Management Systems

4. Process Area Overview
     - 4.3.7 Utility Programs
     - 4.3.8 Software Licensing Issues
   4.4 IS Network Infrastructure
     - 4.4.1 Enterprise Network Architectures
     - 4.4.2 Types of Networks
     - 4.4.3 Network Services
     - 4.4.4 Network Standards and Protocols
     - 4.4.5 OSI Architecture
     - 4.4.6 Application of the OSI Model in Network Architectures

5. Process Area Overview
   4.5 Auditing Infrastructure and Operations
     - 4.5.1 Hardware Reviews
     - 4.5.2 Operating System Reviews
     - 4.5.3 Database Reviews
     - 4.5.4 Network Infrastructure and Implementation Reviews
     - 4.5.5 Network Operating Control Reviews
     - 4.5.6 IS Operations Reviews
     - 4.5.7 Lights-out Operations
     - 4.5.8 Problem Management Reporting Reviews
     - 4.5.9 Hardware Availability and Utilization Reporting Reviews
     - 4.5.10 Scheduling Reviews
   4.6 Chapter 4 Case Study
     - 4.6.1 Case Study Scenario
     - 4.6.2 Case Study Questions

6. Chapter Objective
   The objective of this area is to ensure that the CISA candidate understands and can provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.

7. Chapter Summary
   According to the CISA Certification Board, this area represents 14% of the CISA examination (approximately 28 questions).

8. 4.1 Information Systems Operations
   4.1.1 Management of IS Operations
     - Control functions

9. 4.1 Information Systems Operations
   4.1.2 IT Service Management
     - Service level
       - Abnormal job termination reports
       - Operator problem reports
       - Output distribution reports
       - Console logs
       - Operator work schedules
11. 4.1 Information Systems Operations
   4.1.3 Infrastructure Operations
     - Lights-out Operations (Automated Unattended Operations)
     - Input / output control function
     - Job accounting
     - Scheduling
     - Job Scheduling Software
16. 4.1 Information Systems Operations
   4.1.4 Monitoring Use of Resources
     - Process of Incident Handling
     - Problem Management
     - Detection, Documentation, Control, Resolution and Reporting of Abnormal Conditions
18. 4.1 Information Systems Operations
   4.1.5 Support/Help Desk
     - Prioritize the issues and forward them to the appropriate managers accordingly
     - Follow up on unresolved problems
     - Close out resolved problems, noting proper authorization by the user to close out the problem

19. 4.1 Information Systems Operations
   4.1.6 Change Management Process
     - System, operations and program documentation
     - Job preparation, scheduling and operating instructions
     - System and program test
     - Data file conversion
     - System conversion

20. 4.1 Information Systems Operations
   4.1.7 Program Library Management Systems
     - Integrity
     - Update
     - Reporting
     - Interface

21. 4.1 Information Systems Operations
   4.1.8 Library Control Software
     - Executable and source code integrity: each production executable module should have one corresponding source module
     - Source code comparison: an effective and easy-to-use method for tracing changes to programs
23. 4.1 Information Systems Operations
   4.1.9 Release Management
     - Major releases
     - Minor software releases
     - Emergency software fixes

24. 4.1 Information Systems Operations
   4.1.10 Quality Assurance
   Verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment.

25. 4.1 Information Systems Operations
   4.1.11 Information Security Management
     - Performing risk assessments on information assets
     - Performing business impact analyses
     - Conducting security assessments on a regular basis
     - Implementing a formal vulnerability management process

26. Chapter 4 Question 1
   When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that:
     A. the cost proposed for the services is reasonable.
     B. security mechanisms are specified in the agreement.
     C. the services in the agreement are based on an analysis of business needs.
     D. audit access to the computer center is allowed under the agreement.

27. Chapter 4 Question 2
   Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?
     A. Trace from system generated information to the change management documentation.
     B. Examine change management documentation for evidence of accuracy.
     C. Trace from the change management documentation to a system generated audit trail.
     D. Examine change management documentation for evidence of completeness.

28. Chapter 4 Question 3
   A university’s IT department and financial services office (FSO) have an existing service level agreement that requires availability during each month to exceed 98 percent. FSO has analyzed availability and noted that it has exceeded 98 percent for each of the last 12 months, but has averaged only 93 percent during month-end closing. Which of the following options BEST reflects the course of action FSO should take?
     A. Renegotiate the agreement.
     B. Inform IT that it is not meeting the required availability standard.
     C. Acquire additional computing resources.
     D. Streamline the month-end closing process.

29. 4.2 Information Systems Hardware
   4.2.1 Computer Hardware Components and Architectures
     - Processing Components
     - Input/Output Components
     - Types of Computers

30. 4.2 Information Systems Hardware
   4.2.1 Computer Hardware Components and Architectures
   Types of Computers (cont.)
     - Supercomputers
     - Large (mainframes)
     - Midrange computer
     - Microcomputer (personal computer, PC)
     - Notebook / laptop computers
     - Personal digital assistant (PDA)
32. 4.2 Information Systems Hardware
   4.2.1 Computer Hardware Components and Architectures
   Common Characteristics of Different Types of Computers
     - Multitasking
     - Multiprocessing
     - Multiusing
     - Multithreading

33. 4.2 Information Systems Hardware
   4.2.1 Computer Hardware Components and Architectures
   Common Computer Roles
     - Print servers
     - File servers
     - Program (application) servers
     - Web servers

34. 4.2 Information Systems Hardware
   4.2.1 Computer Hardware Components and Architectures
   Common Computer Roles (cont.)
     - Proxy servers
     - Database servers
     - Appliances (specialized devices)

35. 4.2 Information Systems Hardware
   4.2.1 Computer Hardware Components and Architectures
     - Universal Serial Bus
     - Memory Cards
     - Radio Frequency Identification
     - Write Once and Read Many
37. 4.2 Information Systems Hardware
   4.2.2 Hardware Maintenance Program
     - Reputable service company
     - Maintenance schedule
     - Maintenance cost
     - Maintenance performance history, planned and exceptional

38. 4.2 Information Systems Hardware
   4.2.3 Hardware Monitoring Procedures
     - Availability reports
     - Hardware error reports
     - Utilization reports

39. 4.2 Information Systems Hardware
   4.2.4 Capacity Management
     - CPU utilization (processing power)
     - Computer storage utilization
     - Telecommunications and WAN bandwidth utilization
     - Terminal utilization
     - I/O channel utilization
     - Number of users
     - New technologies
     - New applications
     - Service level agreements

40. Chapter 4 Question 4
   Which one of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments?
     A. User satisfaction
     B. Goal accomplishment
     C. Benchmarking
     D. Capacity and growth planning

41. Chapter 4 Question 5
   The key objective of capacity planning procedures is to ensure that:
     A. available resources are fully utilized.
     B. new resources will be added for new applications in a timely manner.
     C. available resources are used efficiently and effectively.
     D. utilization of resources does not drop below 85%.

42. 4.3 Information Systems Architecture and Software
     - Operating systems
     - Software Control Features or Parameters
     - Data communication software
     - Data management
     - Database management system (DBMS)
     - Tape and Disk Management System
     - Utility Programs
     - Software Licensing Issues

43. 4.3 Information Systems Architecture and Software
   4.3.1 Operating systems
     - Defines user interfaces
     - Permits users to share hardware
     - Permits users to share data
     - Inform users of any error…
     - Permits recovery from system error
     - Communicates completion of a process
     - Allows system file management
     - Allows system accounting management
45. 4.3 Information Systems Architecture and Software
   Software Control Features or Parameters
     - Data management
     - Resource management
     - Job management
     - Priority setting

46. 4.3 Information Systems Architecture and Software
   Software Integrity Issues
     - Protect itself from deliberate and inadvertent modification.
     - Ensure that privileged programs cannot be interfered with by user programs.
     - Provide for effective process isolation.
48. 4.3 Information Systems Architecture and Software
   Activity Logging and Reporting Options
     - Data file versions used for production processing
     - Program accesses to sensitive data
     - Programs scheduled and run
     - Utilities or service aids usage
     - Operating system operation
     - Changes to system parameters and libraries
     - Databases
     - Access control

49. 4.3 Information Systems Architecture and Software
   4.3.2 Access Control Software
     - Prevent unauthorized access to data
     - Unauthorized use of system functions and programs
     - Unauthorized updates/changes to data
     - Detect or prevent unauthorized attempts to access computer resources.

50. 4.3 Information Systems Architecture and Software
   4.3.3 Data communication software
     - Transmits information or data
     - Consists of three components
       - The transmitter (source)
       - The transmission path (channel or line)
       - The receiver (the sink)

51. 4.3 Information Systems Architecture and Software
   4.3.4 Data management
     - File Organization
       - Sequential
       - Indexed sequential
       - Direct random access

52. 4.3 Information Systems Architecture and Software
   4.3.5 Database management system (DBMS)
     - DBMS architecture
     - Detailed DBMS metadata architecture
     - Data dictionary/directory system (DD/DS)
     - Database structure
     - Database controls
56. 4.3 Information Systems Architecture and Software
   4.3.6 Tape and Disk Management System
   An automated tape management system (TMS) or disk management system (DMS) is specialized system software that tracks and lists tape/disk resources needed for data center processing.

57. 4.3 Information Systems Architecture and Software
   4.3.7 Utility Programs
     - Understanding application systems
     - Assessing or testing data quality
     - Testing a program’s ability to function correctly and maintain data integrity
     - Assisting in faster program development
     - Improving operational efficiency

58. 4.3 Information Systems Architecture and Software
   4.3.8 Software Licensing Issues
     - Documented policies and procedures that guard against unauthorized use or copying of software
     - Listing of all standard, used and licensed application and system software
     - Centralizing control and automating distribution and installation of software
     - Requiring that all PCs be diskless workstations and access applications from a secured LAN
     - Regularly scanning user PCs

59. Chapter 4 Question 6
   When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of:
     A. system utilities.
     B. application program generators.
     C. systems security documentation.
     D. access to stored procedures.

60. Chapter 4 Question 7
   The PRIMARY benefit of database normalization is the:
     A. minimization of redundancy of information in tables required to satisfy users’ needs.
     B. ability to satisfy more queries.
     C. maximization of database integrity by providing information in more than one table.
     D. minimization of response time through faster processing of information.

61. 4.4 Information Systems Network Infrastructure
   Telecommunications links for networks can be:
     - Analog
     - Digital
   Methods for transmitting signals over analog telecommunication links are:
     - Baseband
     - Broadband network

62. 4.4 Information Systems Network Infrastructure
   4.4.1 Enterprise Network Architectures
   Today’s networks are part of a large, centrally-managed, inter-networked architecture solution of high-speed local- and wide-area computer networks serving organizations’ client-server-based environments. Such architectures may include clustering common types of IT functions together in network segments, each uniquely identifiable and specialized to task.

63. 4.4 Information Systems Network Infrastructure
   4.4.2 Types of Networks
     - Personal Area Networks (PANs)
     - Local area networks (LANs)
     - Wide area networks (WANs)
     - Storage Area Networks (SANs)

64. 4.4 Information Systems Network Infrastructure
   4.4.3 Network Services
     - File sharing
     - E-mail services
     - Print services
     - Remote access services
     - Terminal emulation software (TES)
     - Directory services
     - Network management

65. 4.4 Information Systems Network Infrastructure
   4.4.4 Network Standards and Protocols
     - Critical Success Factors
       - Interoperability
       - Availability
       - Flexibility
       - Maintainability

66. 4.4 Information Systems Network Infrastructure
   ISO/OSI is a proof-of-concept model composed of seven layers, each specifying particular specialized tasks or functions.
   Objective: to provide a set of open system standards for equipment manufacturers and to provide a benchmark to compare different communication systems.

67. 4.4 Information Systems Network Infrastructure
   Functions of the layers of the ISO/OSI Model
     - Application layer
     - Presentation layer
     - Session layer
     - Transport layer
     - Network layer
     - Data link layer
     - Physical layer
69. 4.4 Information Systems Network Infrastructure
   4.4.5 OSI Architecture
   The International Organization for Standardization formulated the OSI model to establish standards for vendors developing protocols supporting open system architecture.

70. 4.4 Information Systems Network Infrastructure
   4.4.6 Application of the OSI Model in Network Architectures
     - Local Area Network (LAN)
     - Wide Area Network (WAN)
     - Wireless Networks
     - Public “Global” Internet Infrastructure

71. 4.4 Information Systems Network Infrastructure
   Network physical media specifications
     - Local Area Network (LAN)
       - Copper (twisted-pair) circuits
       - Fiber-optic systems
       - Radio systems (wireless)
     - Wide Area Network (WAN)
       - Fiber-optic systems
       - Microwave radio systems
       - Satellite radio link systems

72. 4.4 Information Systems Network Infrastructure
   LAN Components
     - Repeaters
     - Hubs
     - Bridges
     - Switches
     - Routers

73. 4.4 Information Systems Network Infrastructure
   WAN Message Transmission Techniques
     - Message switching
     - Packet switching
     - Circuit switching
     - Virtual circuits
     - WAN dial-up services

74. 4.4 Information Systems Network Infrastructure
   WAN Components
     - WAN switch
     - Routers
     - Modems

75. 4.4 Information Systems Network Infrastructure
   WAN Technologies
     - Point-to-point protocol
     - X.25
     - Frame Relay
     - Integrated services digital network (ISDN)
     - Asynchronous transfer mode
     - Multiprotocol label switching
     - Digital subscriber lines
     - Virtual Private Networks

76. 4.4 Information Systems Network Infrastructure
   Wireless Networks
     - Wireless Wide Area Network (WWAN)
     - Wireless Local Area Network (WLAN)
     - Wireless Personal Area Network (WPAN)
     - Wireless ad hoc networks

77. 4.4 Information Systems Network Infrastructure
   Wireless Access: Exposures
     - Interception of sensitive information
     - Loss or theft of devices
     - Misuse of devices
     - Loss of data contained in devices
     - Distraction caused by devices
     - Possible health effects of device usage
     - Wireless user authentication
     - File security
     - Interoperability
     - Use of wireless subnets

78. 4.4 Information Systems Network Infrastructure
   Network Administration and Control
     - Network performance metrics
     - Network management issues
     - Network management tools
80. 4.4 Information Systems Network Infrastructure
   Applications in a Networked Environment
     - Client-Server Technology
     - Middleware
  82. 82. Chapter 4 Question 8 An IS auditor, when reviewing a network used for Internet communications, will FIRST examine the:   A. validity of password change occurrences. B. architecture of the client-server application. C. network architecture and design. D. firewall protection and proxy servers.
  83. 83. Which of the following would allow a company to extend its enterprise’s intranet across the Internet to its business partners?   A. Virtual private network B. Client-server C. Dial-up access D. Network service provider Chapter 4 Question 9
  84. 84. Which of the following statements relating to packet switching networks is correct?   A. Packets for a given message travel the same route. B. Passwords cannot be embedded within the packet. C. Packet lengths are variable and each packet contains the same amount of information. D. The cost charged for transmission is based on the packet, not the distance or route traveled. Chapter 4 Question 10
  85. 85. 4.5 Auditing Infrastructure and Operations <ul><li>4.5.1 Hardware Reviews </li></ul><ul><ul><li>Review the capacity management procedures </li></ul></ul><ul><ul><li>Review the hardware acquisition plan </li></ul></ul><ul><ul><li>Review the PC acquisition criteria </li></ul></ul><ul><ul><li>Review (hardware) change management controls </li></ul></ul>
  86. 86. <ul><li>4.5.2 Operating System Reviews </li></ul><ul><ul><li>Interview technical service and other personnel </li></ul></ul><ul><ul><li>Review system software selection procedures </li></ul></ul><ul><ul><li>Review the feasibility study and selection process </li></ul></ul><ul><ul><li>Review cost-benefit analysis of system software procedures </li></ul></ul><ul><ul><li>Review controls over the installation of changed system software </li></ul></ul>4.5 Auditing Infrastructure and Operations
  87. 87. <ul><li>4.5.2 Operating System Reviews (cont.) </li></ul><ul><ul><li>Review system software maintenance activities </li></ul></ul><ul><ul><li>Review system software change controls </li></ul></ul><ul><ul><li>Review systems documentation </li></ul></ul><ul><ul><li>Review and test system software implementation </li></ul></ul><ul><ul><li>Review authorization documentation </li></ul></ul><ul><ul><li>Review system software security </li></ul></ul>4.5 Auditing Infrastructure and Operations
  88. 88. <ul><li>4.5.3 Database Reviews </li></ul><ul><ul><li>Design </li></ul></ul><ul><ul><li>Access </li></ul></ul><ul><ul><li>Administration </li></ul></ul><ul><ul><li>Interfaces </li></ul></ul><ul><ul><li>Portability </li></ul></ul><ul><ul><li>Database-supported IS controls </li></ul></ul>4.5 Auditing Infrastructure and Operations
  89. 89. <ul><li>4.5.4 Network infrastructure and implementation reviews </li></ul><ul><ul><li>Review controls over network implementations </li></ul></ul><ul><ul><ul><li>Physical controls </li></ul></ul></ul><ul><ul><ul><li>Environmental controls </li></ul></ul></ul><ul><ul><ul><li>Logical security controls </li></ul></ul></ul>4.5 Auditing Infrastructure and Operations
  90. 90. <ul><li>4.5.5 Network Operating Control Reviews </li></ul><ul><ul><li>Appropriate implementation, conversion and acceptance test plans </li></ul></ul><ul><ul><li>Implementation and testing plans for the network’s hardware and communications links </li></ul></ul><ul><ul><li>Operating provisions for distributed data processing networks </li></ul></ul><ul><ul><li>All sensitive files / datasets have been identified </li></ul></ul><ul><ul><li>Procedures established to assure effective controls over hardware and software </li></ul></ul><ul><ul><li>Adequate restart and recovery mechanisms </li></ul></ul>4.5 Auditing Infrastructure and Operations
  91. 91. <ul><li>4.5.5 Network Operating Control Reviews (cont.) </li></ul><ul><ul><li>The IS distributed network has been designed to assure that failure of service at any one site will have a minimal effect </li></ul></ul><ul><ul><li>All changes made to the operating systems software used by the network are controlled </li></ul></ul><ul><ul><li>Individuals have access only to authorized applications, transaction processors and datasets </li></ul></ul><ul><ul><li>System commands affecting more than one network site are restricted to one terminal and to an authorized individual </li></ul></ul><ul><ul><li>Encryption is being used on the network to encode sensitive data </li></ul></ul><ul><ul><li>Appropriate security policies and procedures have been implemented </li></ul></ul>4.5 Auditing Infrastructure and Operations
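Two of the 4.5.5 review items above, "individuals have access only to authorized applications, transaction processors and datasets" and "system commands affecting more than one network site are restricted to one terminal and to an authorized individual", are tested in practice by reconciling what the access control software actually grants against what the data owners approved. The script below is an added example written for this page; it is not part of the CISA course material. The user names, dataset names, access-level ordering and the export format are all constructed for the example, and an auditor would substitute the organization's real access matrix and the real export from its access control software.

```python
# Added example: reconcile effective dataset access against the approved
# access matrix, and check the single-holder rule for multi-site commands.

# Approved access matrix obtained from the data owners (hypothetical users
# and datasets, constructed for this example).  The value is the highest
# access level the owner approved.
AUTHORIZED = {
    ("alice", "CLAIMS.MASTER"): "READ",
    ("bob",   "CLAIMS.MASTER"): "UPDATE",
    ("bob",   "GL.LEDGER"):     "READ",
    ("carol", "GL.LEDGER"):     "UPDATE",
    ("erin",  "CLAIMS.MASTER"): "READ",
}

# Effective grants exported from the access control software (constructed;
# one "user dataset level" record per line).
ACTUAL_GRANTS = """\
alice CLAIMS.MASTER READ
alice GL.LEDGER READ
bob CLAIMS.MASTER ALTER
bob GL.LEDGER READ
carol GL.LEDGER UPDATE
dave CLAIMS.MASTER READ
"""

# Access levels are ordered; a grant is excessive if it ranks above the
# approved level.  "NONE" is the approved level for any pair not in the matrix.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}


def reconcile_access(authorized, export):
    """Compare effective grants with the approved matrix.

    Returns (excess, not_granted): excess lists
    (user, dataset, granted_level, approved_level) where the grant ranks
    above what was approved; not_granted lists approved pairs that have no
    grant at all (a completeness finding rather than a security exposure).
    """
    excess = []
    seen = set()
    for line in export.splitlines():
        if not line.strip():
            continue
        user, dataset, level = line.split()
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} for {user}")
        seen.add((user, dataset))
        approved = authorized.get((user, dataset), "NONE")
        if LEVELS[level] > LEVELS[approved]:
            excess.append((user, dataset, level, approved))
    not_granted = sorted(set(authorized) - seen)
    return excess, not_granted


# Holders of commands that affect more than one network site, as
# (user, terminal) pairs (constructed).  The control requires exactly one
# authorized individual on one terminal.
MULTISITE_COMMAND_HOLDERS = [("netops1", "TERM01"), ("netops2", "TERM07")]


def multisite_command_violations(holders, approved_holder):
    """Return every (user, terminal) pair other than the single approved one."""
    return [h for h in holders if h != approved_holder]


if __name__ == "__main__":
    excess, missing = reconcile_access(AUTHORIZED, ACTUAL_GRANTS)
    for finding in excess:
        print("excess access:", finding)
    print("approved but not granted:", missing)
    print("multi-site command holders to remove:",
          multisite_command_violations(MULTISITE_COMMAND_HOLDERS,
                                       ("netops1", "TERM01")))
```

Ranking the access levels is what makes the comparison meaningful: a grant of ALTER where UPDATE was approved is an exposure even though the user does appear in the matrix, and a user who holds access the matrix never mentions is reported against an implicit approved level of NONE.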
  92. 92. <ul><li>4.5.6 IS Operations Reviews </li></ul><ul><ul><li>Computer operations </li></ul></ul><ul><ul><li>File handling procedures </li></ul></ul><ul><ul><li>Data entry control </li></ul></ul>4.5 Auditing Infrastructure and Operations
  94. 94. <ul><li>4.5.7 Lights Out Operations </li></ul><ul><ul><li>Remote access to the master console </li></ul></ul><ul><ul><li>Contingency plans </li></ul></ul><ul><ul><li>Program change controls </li></ul></ul><ul><ul><li>Assurance that errors are not hidden </li></ul></ul>4.5 Auditing Infrastructure and Operations
  95. 95. <ul><li>4.5.8 Problem Management Reporting Reviews </li></ul><ul><ul><li>Reviews of the procedures used for recording, evaluating, and resolving or escalating any problem </li></ul></ul><ul><ul><li>Reviews of the performance records </li></ul></ul><ul><ul><li>Reviews of the reasons for delays in application program processing </li></ul></ul><ul><ul><li>Reviews of the procedures used by the IS department to collect statistics regarding online processing performance </li></ul></ul><ul><ul><li>The determination that significant and recurring problems have been identified and actions are being taken </li></ul></ul><ul><ul><li>The determination that processing problems were resolved </li></ul></ul><ul><ul><li>Reviews of operations documentation </li></ul></ul><ul><ul><li>Reviews of help desk call logs </li></ul></ul>4.5 Auditing Infrastructure and Operations
  96. 96. <ul><li>4.5.9 Hardware Availability and Utilization Reporting Reviews </li></ul><ul><ul><li>Review the problem log </li></ul></ul><ul><ul><li>Review the preventive maintenance schedule </li></ul></ul><ul><ul><li>Review the control and management of equipment </li></ul></ul><ul><ul><li>Review the hardware availability and utilization reports </li></ul></ul><ul><ul><li>Review the workload schedule and the hardware availability and utilization reports </li></ul></ul>4.5 Auditing Infrastructure and Operations
  97. 97. <ul><li>4.5.10 Scheduling Reviews </li></ul><ul><ul><li>Review the console log </li></ul></ul><ul><ul><li>Review the schedule </li></ul></ul><ul><ul><li>Determine whether the scheduling of rush/rerun jobs is consistent </li></ul></ul><ul><ul><li>Determine whether critical applications have been identified </li></ul></ul><ul><ul><li>Determine whether scheduling procedures are used to facilitate optimal use of computer resources </li></ul></ul><ul><ul><li>Determine whether the number of personnel assigned to each shift is adequate </li></ul></ul><ul><ul><li>Review the procedures for collecting, reporting and analyzing key performance indicators </li></ul></ul>4.5 Auditing Infrastructure and Operations
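Several of the 4.5.8 and 4.5.10 review steps (review the console log and the schedule, determine whether rush/rerun jobs are scheduled consistently, determine whether critical applications have been identified, determine that recurring problems have been identified and resolved) come down to reading a job log against the approved schedule. The script below is an added example for this page, not course material: it parses a console log in a simple constructed format (real schedulers each have their own), applies an assumed schedule and critical-job list, and returns the exceptions an auditor would follow up on.

```python
# Added example: tests over a job console log for the scheduling and
# problem-management review steps.  Log format, job names, schedule and
# critical-job list are all constructed for this example.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"JOB (?P<job>\S+) (?P<event>START|END)(?: RC=(?P<rc>\d+))?"
)

# Constructed console log: GL_POST fails and is rerun on two consecutive
# nights, CLAIMS_BATCH starts but never ends on the second night, and an
# unscheduled ad hoc report runs.
CONSOLE_LOG = """\
2007-03-12 02:00:01 JOB CLAIMS_BATCH START
2007-03-12 02:41:17 JOB CLAIMS_BATCH END RC=0
2007-03-12 03:00:00 JOB GL_POST START
2007-03-12 03:02:10 JOB GL_POST END RC=12
2007-03-12 03:15:00 JOB GL_POST START
2007-03-12 03:40:02 JOB GL_POST END RC=0
2007-03-13 02:00:00 JOB CLAIMS_BATCH START
2007-03-13 03:00:00 JOB GL_POST START
2007-03-13 03:02:09 JOB GL_POST END RC=12
2007-03-13 03:20:00 JOB GL_POST START
2007-03-13 03:44:30 JOB GL_POST END RC=0
2007-03-13 04:00:00 JOB ADHOC_RPT START
2007-03-13 04:05:00 JOB ADHOC_RPT END RC=0
"""

# Assumed inputs the auditor obtains from operations (hypothetical values).
SCHEDULED_JOBS = {"CLAIMS_BATCH", "GL_POST"}
CRITICAL_JOBS = {"CLAIMS_BATCH"}


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rc"] = int(rec["rc"]) if rec["rc"] is not None else None
            events.append(rec)
    return events


def find_reruns(events):
    """(date, job) pairs started more than once on one day (rerun jobs)."""
    starts = defaultdict(int)
    for e in events:
        if e["event"] == "START":
            starts[(e["date"], e["job"])] += 1
    return sorted(k for k, n in starts.items() if n > 1)


def find_recurring_failures(events, min_days=2):
    """Jobs ending with a non-zero return code on at least min_days
    distinct days: the 'significant and recurring problems' of 4.5.8."""
    days = defaultdict(set)
    for e in events:
        if e["event"] == "END" and e["rc"]:
            days[e["job"]].add(e["date"])
    return sorted(j for j, d in days.items() if len(d) >= min_days)


def find_unscheduled(events, scheduled=SCHEDULED_JOBS):
    """Jobs that ran but are not on the approved schedule."""
    return sorted({e["job"] for e in events} - scheduled)


def find_critical_without_success(events, critical=CRITICAL_JOBS):
    """(date, job) pairs where a critical job started but never ended with
    RC=0 that day; each one needs a matching restart/recovery record."""
    started, succeeded = set(), set()
    for e in events:
        if e["job"] not in critical:
            continue
        key = (e["date"], e["job"])
        if e["event"] == "START":
            started.add(key)
        elif e["rc"] == 0:
            succeeded.add(key)
    return sorted(started - succeeded)


if __name__ == "__main__":
    ev = parse_log(CONSOLE_LOG)
    print("reruns:", find_reruns(ev))
    print("recurring failures:", find_recurring_failures(ev))
    print("unscheduled jobs:", find_unscheduled(ev))
    print("critical jobs without success:", find_critical_without_success(ev))
```

Each function answers one checklist question with evidence the auditor can cite by date and job name; the recurring-failure test in particular is the kind of pattern a help desk call log alone will not surface, because each night's rerun is logged as a resolved incident.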
  98. 98. 4.6 Chapter 4: Case Study <ul><li>4.6.1 Case Study Scenario </li></ul><ul><li>The IS auditor has recently been asked to perform an external and internal network security assessment for an organization that processes health benefit claims. The organization has a complex network infrastructure with multiple local area and wireless networks and a Frame Relay network that crosses international borders. Additionally, there is an Internet site that is accessed by doctors and hospitals. The Internet site has both open areas and sections containing medical claim information that require an ID and password to access. An intranet site is also available that allows employees to check on the status of their personal medical claims and purchase prescription drugs at a discount using a credit card. The Frame Relay network carries unencrypted, nonsensitive statistical data that are sent to regulatory agencies and do not include any customer-identifiable information. The last review of network security was performed more than five years ago. </li></ul>
  99. 99. 4.6 Chapter 4: Case Study <ul><li>At that time, numerous exposures were noted in the areas of firewall rule management and patch management for application servers. Internet applications were also found to be susceptible to SQL injection. It should be noted that wireless access as well as the intranet portal had not been installed at the time of the last review. Since the last review, a new firewall has been installed and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. Internet applications have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and the reports produced by this system are monitored daily. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is encrypted before it is sent. Traffic on the internal local area and wireless networks is encoded in hexadecimal so that no data appears in cleartext. A number of devices also use Bluetooth to transmit data between PDAs and laptop computers. </li></ul>
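The scenario states that internal LAN and wireless traffic is "encoded in hexadecimal so that no data appears in cleartext". Hex encoding is a representation, not a cipher: it needs no key, so anyone who captures a frame reverses it. The script below is an added example written for this page, not part of the course material. It simulates the sending side, then the eavesdropper's side, and includes the check an auditor can run over captured payloads to tell encoding from encryption: if the bytes decode to nothing but printable text, no cipher was applied. The sample messages and the fixed "ciphertext" bytes are constructed for the example.

```python
# Added example: hex "encoding" on the internal network versus encryption.
import re
import string

# Sending side, as the case study describes it: the application hex-encodes
# the cleartext before it goes onto the LAN/WLAN.  No key is involved.
def hex_encode(cleartext):
    return cleartext.encode("utf-8").hex()

# Eavesdropper side: anyone who captures the frame reverses the encoding.
def hex_decode(payload):
    return bytes.fromhex(payload)

PRINTABLE = set(string.printable.encode("ascii"))

def looks_like_hex_encoded_cleartext(payload):
    """Auditor's check over captured payloads: if the hex decodes entirely to
    printable text, the 'protection' is encoding.  Genuine ciphertext decodes
    to high-entropy bytes and fails this test for any realistic length."""
    try:
        raw = bytes.fromhex(payload)
    except ValueError:
        return False
    return len(raw) > 0 and all(b in PRINTABLE for b in raw)

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b\d{13,19}\b")

def find_card_numbers(text):
    return [m for m in CARD_RE.findall(text) if luhn_ok(m)]

def analyse_capture(payloads):
    """For every payload that is merely encoded, return the recovered
    cleartext and any card numbers found in it."""
    findings = []
    for p in payloads:
        if looks_like_hex_encoded_cleartext(p):
            text = hex_decode(p).decode("utf-8", errors="replace")
            findings.append({"payload": p, "cleartext": text,
                             "cards": find_card_numbers(text)})
    return findings

# Constructed sample traffic: an intranet prescription purchase paid by card
# and a claim status lookup, as the scenario describes.  The card number is
# the standard Luhn-valid test value, not a real account.
SAMPLE_CLEARTEXT = [
    "POST /rx/purchase member=EMP-10042 card=4111111111111111 exp=09/09",
    "GET /claims/status?member=EMP-10042&ssn_last4=6789",
]
CAPTURED = [hex_encode(m) for m in SAMPLE_CLEARTEXT]
# One frame that really is ciphertext: fixed bytes chosen to include values
# outside printable ASCII, standing in for the output of a real cipher.
ENCRYPTED_SAMPLE = "8fa3c1e7d92b04f6a5c3e1d0b7f2a9c8"

if __name__ == "__main__":
    for f in analyse_capture(CAPTURED + [ENCRYPTED_SAMPLE]):
        print("recovered:", f["cleartext"], "| cards:", f["cards"])
```

Run against the three captured payloads, the two hex-encoded application messages are recovered in full, including the card number, while the ciphertext sample is correctly left alone. The same printability test works on Base64 or any other key-less encoding once the corresponding decoder is substituted.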
  100. 100. 4.6.2 Case Study Questions <ul><li>1. In performing an external network security assessment, which of the following should normally be performed FIRST? </li></ul><ul><li>A. Exploitation </li></ul><ul><li>B. Enumeration </li></ul><ul><li>C. Reconnaissance </li></ul><ul><li>D. Vulnerability scanning </li></ul>
  101. 101. 4.6.2 Case Study Questions <ul><li>2. Which of the following presents the GREATEST risk to the organization? </li></ul><ul><li>A. Not all traffic traversing the Internet is encrypted. </li></ul><ul><li>B. Traffic on internal networks is unencrypted. </li></ul><ul><li>C. Cross-border data flow is unencrypted. </li></ul><ul><li>D. Multiple protocols are being used. </li></ul>