This document discusses information systems operations and infrastructure. It covers topics like IT service management, incident and problem management, change management, capacity management, hardware and software components, network architecture, disaster recovery planning, and the role of auditing. The key points are managing IT operations effectively through proper processes, monitoring infrastructure performance, ensuring adequate capacity, and having disaster recovery plans and testing in place.

1. 2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]

2. Quick Reference Review
• Key elements of IT service delivery
• Incident handling
• Client server technology
• BCP/DRP
• Data backup and recovery

3. 4.2 Information Systems Operations

4. 4.2.1 Management of IS Operations
• IS management has the overall responsibility for all operations within the IS department
• Involves allocation of resources, adherence to standards, procedures, monitoring of IS operation

7. 4.2.2 IT Service Management (ITSM)
• ITSM – comprises of processes and procedures for efficient and effective delivery of IT services to
business
• Processes managed through SLA (Service Level Agreement)

8. Service Level
• An agreement between IT and the customer (end user)
• SLA details the services to be provided
• Service Level Management (SLM) is the process of defining, agreeing upon,
documenting and managing levels of service that are required and cost justified
• SLM is to maintain and improve customer satisfaction and to improve the services
delivered to the customer
• Tools to monitor the efficiency and effectiveness of services provided by IS
personnel
• Exception Reports
• System and Application logs

9. 4.2.3 Infrastructure Operations
• IT operations are processes and activities that support and manage the entire IT
infrastructure, systems, applications and data, focusing on day-to-day activities

10. Job Scheduling
• Job schedule is created that lists the jobs that must be run and order in which they
are run, including any dependencies
• Job scheduling software to be used to schedule tape backups and other
maintenance activities
• Sets up daily work schedules and automatically determines which jobs are to be
submitted to the system for processing

11. 4.2.4 Incident and Problem Management
• Incident Management is reactive and its objective is to respond and resolve issues as
quickly as possible
• Problem Management aims to resolve issues through the investigation and in-depth
analysis of a major incident, or several incidents of similar nature, in order to identify the
root cause
• Problem Management objective is to “reduce” the number and/or severity of incidents,
while incident management objective is to “return” the effected business process back to
normal as quickly as possible

12. Detection, Documentation, Control,
Resolution and Reporting

13. 4.2.5 Support/Helpdesk

14. 4.2.6 Change Management Process
• Used when changing hardware, upgrading to new releases of off-the-shelf
applications and configuring various network devices
• Often categorized into emergency changes, major changes, minor changes

15. 4.2.7 Release Management
• Process through which software is made available to users
• Consist of new or changed software required

17. 4.2.8 Quality Assurance
• QA personnel verify that system changes are authorized, tested and implemented
in a controlled manner prior to being introduced into the production environment

18. 4.2.9 Information Security Management
• Includes various security processes to protect the information assets
• Should be integrated in all IT operation processes

19. 4.2.10 Media Sanitization
• Establishes the controls, techniques and processes necessary to preserve the
confidentiality of sensitive information stored on media to be reused, transported,
or discarded
• “Sanitization” involved the eradication of information recorded on storage media
to the extent of providing reasonable assurance that residual content cannot be
salvaged or restored

20. 4.3 Information Systems Hardware
• Key audit considerations such as capacity management, system monitoring,
maintenance of hardware

21. 4.3.1 Computer Hardware Components &
Architectures
• Processing Components
• CPU, RAM, ROM
• Input/output Components
• Mouse, keyboard, touch screen
• Common Enterprise Back-end Devices
• Print Servers
• File Servers
• Web Servers
• Application Servers
• Database Servers
• Universal Serial Bus (USB)
• Memory Cards/Flash Drives

23. Risks & Security Control
• Viruses and other malicious software
• Data Theft
• Data and Media Loss
• Corruption of Data
• Loss of Confidentiality
• Encryption
• Granular Control
• Educate Security Personnel
• Enforce the “Lock Desktop” policy
• Update the antivirus policy

24. Radio Frequency Identification (RFID)
• RFID uses radio waves to identify “tagged” objects within a limited radius
• “Tag” consists of a microchip and an antenna
• “Microchip” stores information along with an ID to identify a product
• The other part of the “tag” is the “antenna” which transmits the information to
the RFID reader
RFID Applications:
• Asset Management
• Tracking
• Supply Chain Management (SCM)

25. Risks & Security Control
• Business Process Risk
• Business Intelligence Risk
• Privacy Risk
• Management
• Operational
• Technical

26. 4.3.2 Hardware Maintenance Program

27. 4.3.3 Hardware Monitoring Procedures
• Availability Reports
• Hardware Error Reports
• Utilization Reports

28. 4.3.4 Capacity Management
• Planning and monitoring of computing and network resources to ensure that the available
resources are used effectively and efficiently

29. 4.4 IS Architecture and Software
• A collection of computer programs used in the design, processing and control of all computer
applications used to operate and maintain the computer system
• Comprised of system utilities and programs, the system software ensures the integrity of the
system
• Access control software
• Data communications software
• Database management software
• Program library management systems
• Tape and disk management systems
• Network management software
• Job scheduling software
• Utility programs

30. 4.4.1 Operating Systems
• OS contains programs that interface between the user, processor and application software
• Provides the primary means of managing the sharing and use of computer resources such
as processors, real memory, and I/O devices

31. 4.4.2 Access Control Software

32. 4.4.3 Data Communications Software
• Used to transmit messages or data from one point to another

33. 4.4.4 Data Management

34. 4.4.5 Database Management System
• DMBS aids in organizing, controlling and using the data needed by application programs
• Primary functions include reduced data redundancy, decreased access time and basic
security over sensitive data

36. 4.4.6Tape and Disk Management Systems (DMS)
• A specialized system software that tracks and lists tape/disk resources needed for data
center processing
• A TMS/DMS minimizes computer operator time and errors caused by locating improper
files
• Systems include the data set name and specific tape reel or disk drive location, creation
date, effective date, retention period, expiration date and contents information

37. 4.4.7 Utility Programs

38. 4.4.8 Software Licensing Issues

39. 4.4.9 Digital Rights Management (DRM)
• DRM refers to access control technologies that can be used by hardware
manufacturers, publishers, copyright holders and individuals to impose limitations
on the usage of digital content and devices
• Used by companies like Sony, Apple Inc., Microsoft, BBC

40. 4.5 IS Network Infrastructure

41. 4.5.1 Enterprise Network Architectures

42. 4.5.2Types of Networks

43. 4.5.3 Network Services
• Functional features made possible by appropriate OS
applications
• Allow orderly utilization of the resources on the network

44. 4.5.4 Network Standards and Protocols

45. 4.5.5 OSI Architecture
• OSI (Open Systems Interconnection), benchmark standard for network architecture
• Composed of 7 layers, each layer specifying particular specialized tasks or functions
• Objective of OSI model is to provide a protocol suite used to develop data-networking protocols
and other standards to facilitate multivendor interoperability

47. 4.6 Auditing Infrastructure and Operations
• IS auditor to perform audits and specific reviews of hardware, OS, databases, networks, IS
operations and problem management reporting

48. 4.6.1 Hardware Reviews

49. 4.6.2 OS Reviews

50. 4.6.3 Database Reviews

51. 4.6.4 Network Infrastructure and
Implementation Reviews

52. 4.6.5 IS Operations Reviews

53. 4.6.6 Scheduling Reviews

54. 4.6.7 Problem Management & Reporting Reviews

55. 4.7 Disaster Recovery Planning (DRP)
• Establish to manage availability and restore critical processes/IT services in the
event of interruption
• Importance and urgency of the business processes and IT services is defined
through performing a BIA and assigning RTO, RPO
• Ultimate goal is to respond to incidents that may impact people and the ability of
operations to deliver goods and services

56. 4.7.1 RPO, RTO
Recovery Point Objective (RPO):
• Determined based on acceptable data loss in case of disruption of operations
• Indicates the earliest point in time in which it is acceptable to recover the data
Recovery Time Objective (RTO):
• Determined based on acceptable downtime in case of a disruption of operations
• Indicates the earliest point in time at which the business operations must resume after disaster

58. 4.7.2 Recovery Strategies
• A recovery strategy identifies the best way to recover a system in case of interruption, including
disaster, and provides guidance based on which detailed recovery procedures can be developed

59. 4.7.3 Recovery Alternatives

60. 4.7.4 Development of Disaster Recovery Plans

61. 4.7.5 Organization and Assignment of
Responsibilities

63. 4.7.6 Backup and Restoration
• To ensure that the critical activities of an organization are not interrupted in the event of a disaster,
secondary and storage media are used to store software application files and associated data for
backup purposes
Offsite Library Controls

65. Backup Schemes

66. Self-Assessment Questions
1. Which of the following provides the BEST method for determining
the level of performance provided by similar information processing
facility environments?
a) User satisfaction
b) Goal accomplishment
c) Benchmarking
d) Capacity and growth planning

67. Self-Assessment Questions
2. For mission critical systems with a low tolerance to interruption and
a high cost of recovery, the IS auditor would, in principle,
recommend the use of which of the following recovery options?
a) Mobile site
b) Warm site
c) Cold site
d) Hot site

68. Self-Assessment Questions
3. The key objective of capacity planning procedures is to ensure that:
a) Available resources are fully utilized
b) New resources will be added for new applications in a timely manner
c) Available resources are used efficiently and effectively
d) Utilization of resources does not drop below 85 percent

69. Self-Assessment Questions
4. An IS auditor should be involved in:
a) Observing tests of the DRP
b) Developing the DRP
c) Maintaining the DRP
d) Reviewing the DR requirements of supplier contracts

70. Answers
1. c) Benchmarking
2. d) Hot site
3. c) Available resources are used efficiently and effectively
4. a) Observing tests of the disaster recovery plan