Chapter 4 IT Service Delivery and Support

1
ISACA
The recognized global leaders in IT
governance, control, security and assurance
2
Chapter 4 IT Service Delivery and Support
2008 CISA® Review Course
3
Chapter Outline
  • 4.1 Introduction
  • 4.2 Information Systems Operations
  • 4.3 Information Systems Hardware
  • 4.4 IS Architecture and Software
  • 4.5 IS Network Infrastructure
  • 4.6 Auditing Infrastructure and Operations

4
4.1.1 Course Objectives
  • Review outline of Chapter 4
  • Discuss Task and Knowledge Statements
  • Discuss specific topics within the chapter
  • Case studies
  • Sample questions

5
Exam Relevance
  • Ensure that the CISA candidate understands and
    can provide assurance that the IT service
    management practices will ensure the delivery of
    the level of services required to meet the
    organization's objectives.
  • The content area in this chapter will represent
    approximately 14% of the CISA examination
    (approximately 28 questions).

6
4.1.2 Chapter 4 Task Statements
  • T4.1 Evaluate service-level management practices
    to ensure that the level of service from internal
    and external service providers is defined and
    managed.
  • T4.2 Evaluate operations management to ensure
    that IT support functions effectively meet
    business needs.
  • T4.3 Evaluate data administration practices to
    ensure the integrity and optimization of
    databases.
  • T4.4 Evaluate the use of capacity and performance
    monitoring tools and techniques to ensure that
    changes made to the organization's production
    environment are adequately controlled and
    documented.

7
4.1.2 Chapter 4 Task Statements (continued)
  • T4.5 Evaluate change, configuration and release
    management practices to ensure that changes made
    to the organization's production environment are
    adequately controlled and documented.
  • T4.6 Evaluate problem and incident management
    practices to ensure that incidents, problems or
    errors are recorded, analyzed and resolved in a
    timely manner.
  • T4.7 Evaluate the functionality of the IT
    infrastructure (e.g., network components,
    hardware, system software) to ensure that it
    supports the organization's objectives.

8
4.1.3 Chapter 4 Knowledge Statements
  • KS4.1 Knowledge of service-level management
    practices
  • KS4.2 Knowledge of operations management best
    practices (e.g., workload scheduling, network
    services management, preventive maintenance)
  • KS4.3 Knowledge of systems performance monitoring
    processes, tools and techniques (e.g., network
    analyzers, system utilization reports, load
    balancing)
  • KS4.4 Knowledge of the functionality of hardware
    and network components (e.g., routers, switches,
    firewalls, peripherals)
  • KS4.5 Knowledge of database administration
    practices

9
4.1.3 Chapter 4 Knowledge Statements (continued)
  • KS4.6 Knowledge of the functionality of system
    software, including operating systems, utilities
    and database management systems
  • KS4.7 Knowledge of capacity planning and
    monitoring techniques
  • KS4.8 Knowledge of processes for managing
    scheduled and emergency changes to the production
    systems and/or infrastructure including change,
    configuration, release and patch management
    practices

10
4.1.3 Chapter 4 Knowledge Statements (continued)
  • KS4.9 Knowledge of incident/problem management
    practices (e.g., help desk, escalation procedures
    and tracking)
  • KS4.10 Knowledge of software licensing and
    inventory practices
  • KS4.11 Knowledge of system resiliency tools and
    techniques (e.g., fault-tolerant hardware,
    elimination of single point of failure and
    clustering)

11
4.2 Information Systems Operations
  • IS operations are in charge of the daily support
    of an organization's IS hardware and software
    environment.
  • IS operations include
  • Management of IS operations
  • Infrastructure support including computer
    operations
  • Technical support/help desk
  • Information security management

12
4.2.1 Management of IS Operations
  • Operations management functions include
  • Resource allocation
  • Standards and procedures
  • IS operation processes monitoring

13
Practice Question
  • 4-1 Which one of the following provides the BEST
    method for determining the level of performance
    provided by similar information processing
    facility environments?
  • A. User satisfaction
  • B. Goal accomplishment
  • C. Benchmarking
  • D. Capacity and growth planning

15
4.2.2 IT Service Management
  • Service level
  • Abnormal job termination reports
  • Operator problem reports
  • Output distribution reports
  • Console logs
  • Operator work schedules

16
Practice Question
  • 4-2 When reviewing a service level agreement for
    an outsourced computer center an IS auditor
    should FIRST determine that
  • A. The cost proposed for the services is
    reasonable
  • B. Security mechanisms are specified in the
    agreement
  • C. The services in the agreement are based on an
    analysis of business needs
  • D. Audit access to the computer center is allowed
    under the agreement.

18
Practice Question
  • 4-3 A university's IT department and financial
    services office (FSO) have an existing service
    level agreement that requires availability during
    each month to exceed 98 percent. The FSO has
    analyzed availability and noted that it has
    exceeded 98 percent for each of the last 12
    months, but has averaged only 93 percent during
    month-end closing. Which of the following options
    BEST reflects the course of action the FSO should
    take?
  • A. Renegotiate the agreement.
  • B. Inform IT that it is not meeting the required
    availability standard.
  • C. Acquire additional computing resources.
  • D. Streamline the month-end closing process.

20
4.2.3 Infrastructure Operations
  • Lights-out Operations (Automated Unattended
    Operations)
  • Input / output control function
  • Job accounting
  • Scheduling
  • Job Scheduling Software

21
4.2.4 Monitoring Use of Resources
  • Process of Incident Handling
  • Problem Management
  • Detection, Documentation, Control, Resolution and
    Reporting of Abnormal Conditions

22
4.2.5 Support / Help Desk
  • Prioritize the issues, and forward them to the
    appropriate managers, accordingly
  • Follow up on unresolved problems.
  • Close out resolved problems, noting proper
    authorization to close out the problem by the
    user.

23
4.2.6 Change Management Process
  • System, operations and program documentation
  • Job preparation, scheduling and operating
    instructions
  • System and program test
  • Data file conversion.
  • System conversion

24
Practice Question
  • 4-4 Which of the following is the MOST effective
    method for an IS auditor to use in testing the
    program change management process?
  • A. Trace from system-generated information to the
    change management documentation.
  • B. Examine change management documentation for
    evidence of accuracy.
  • C. Trace from the change management documentation
    to a system-generated audit trail.
  • D. Examine change management documentation for
    evidence of completeness.
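
The test described in question 4-4 can be carried out as a reconciliation between the system-generated record of program changes and the change management documentation. The block below is an added example written for this page, not ISACA's material: it uses a constructed audit trail and constructed change tickets in an assumed line format, and compares them in both directions so the reviewer can see production changes that have no approved ticket as well as approved tickets that never reached production.

```python
"""Reconcile a system-generated program change log against change tickets.

Added example for this page (not ISACA material). Both inputs are
constructed samples in an assumed line format; a real engagement would
export the program library's change log and the change ticket system.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: entries the program library management system wrote
# when a production module was replaced. Columns: timestamp module user build
AUDIT_TRAIL = """\
2008-03-03T22:14:05 PAYROLL01 jdoe   4417
2008-03-05T09:02:41 GLPOST02  asmith 4418
2008-03-09T01:33:19 PAYROLL01 jdoe   4419
2008-03-12T17:45:00 INVREP07  bwong  4420
"""

# Constructed sample: change tickets (the documentation side).
# Columns: ticket,module,build,status
CHANGE_TICKETS = """\
CHG-1001,PAYROLL01,4417,approved
CHG-1002,GLPOST02,4418,approved
CHG-1003,ARAGE03,4421,approved
CHG-1004,INVREP07,4420,rejected
"""


@dataclass(frozen=True)
class Change:
    when: datetime
    module: str
    user: str
    build: int


def parse_audit_trail(text: str) -> list[Change]:
    """Parse the system-generated log into Change records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, module, user, build = line.split()
        changes.append(Change(datetime.fromisoformat(ts), module, user, int(build)))
    return changes


def parse_tickets(text: str) -> dict[tuple[str, int], tuple[str, str]]:
    """Map (module, build) -> (ticket id, status) for each documented change."""
    tickets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ticket, module, build, status = line.split(",")
        tickets[(module, int(build))] = (ticket, status)
    return tickets


def reconcile(audit_text: str, ticket_text: str) -> dict[str, list]:
    """Compare both sources and report the exceptions a reviewer would follow up.

    undocumented : production changes with no ticket at all (system -> docs)
    unapproved   : production changes whose ticket is not in 'approved' status
    unimplemented: approved tickets with no matching production change (docs -> system)
    """
    changes = parse_audit_trail(audit_text)
    tickets = parse_tickets(ticket_text)
    implemented = {(c.module, c.build) for c in changes}

    undocumented = [(c.module, c.build) for c in changes
                    if (c.module, c.build) not in tickets]
    unapproved = [
        (c.module, c.build, tickets[(c.module, c.build)][0])
        for c in changes
        if (c.module, c.build) in tickets
        and tickets[(c.module, c.build)][1] != "approved"
    ]
    unimplemented = [
        (ticket, module, build)
        for (module, build), (ticket, status) in tickets.items()
        if status == "approved" and (module, build) not in implemented
    ]
    return {"undocumented": undocumented,
            "unapproved": unapproved,
            "unimplemented": unimplemented}


if __name__ == "__main__":
    for finding, items in reconcile(AUDIT_TRAIL, CHANGE_TICKETS).items():
        print(f"{finding}: {items}")
```

Tracing in the system-to-documentation direction (the `undocumented` and `unapproved` lists) tests whether every change that actually reached production was authorized; the documentation-to-system direction (`unimplemented`) tests whether approved changes were carried out. On the constructed data, build 4419 of PAYROLL01 has no ticket, build 4420 of INVREP07 was installed under a rejected ticket, and CHG-1003 was approved but never implemented.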

26
4.2.7 Program Library Management Systems
  • Integrity
  • Update
  • Reporting
  • Interface

27
4.2.8 Library Control Software
  • Executable and source code integrity
  • each production executable module should have one
    corresponding source module
  • Source code comparison
  • an effective and easy-to-use method for tracing
    changes to programs

28
4.2.9 Release Management
  • Major releases
  • Minor software releases
  • Emergency software fixes

29
4.3.1 Computer Hardware Components and
Architectures
  • Common Computer Roles
  • Print servers
  • File servers
  • Proxy servers
  • Database servers
  • Appliances (specialized devices)

30
4.3.1 Computer Hardware Components and
Architectures (continued)
  • Universal Serial Bus
  • Memory Cards/Flash Drives
  • Radio Frequency Identification (RFID)
  • Write Once and Read Many

32
4.3.2 Hardware Maintenance Program
  • Reputable service company
  • Maintenance schedule
  • Maintenance cost
  • Maintenance performance history, planned and
    exceptional

33
4.3.3 Hardware Monitoring Procedures
  • Monitor the effective use of hardware
  • Availability reports
  • Hardware error reports
  • Utilization reports
  • Asset/fleet management reports

34
4.3.4 Capacity Management
  • CPU utilization (processing power)
  • Computer storage utilization
  • Telecommunications and WAN bandwidth utilization
  • Terminal utilization
  • I/O channel utilization
  • Number of users
  • New technologies
  • New applications
  • Service level agreements

35
Practice Question
  • 4-5 The key objective of capacity planning
    procedures is to ensure that
  • A. Available resources are fully utilized.
  • B. New resources will be added for new
    applications in a timely manner.
  • C. Available resources are used efficiently and
    effectively.
  • D. Utilization of resources does not drop below
    85 percent.

37
4.4 IS Architecture and Software
  • Operating systems
  • Software Control Features or Parameters
  • Access control software
  • Data communications software
  • Data management
  • Database management system (DBMS)
  • Tape and Disk Management System
  • Utility Programs
  • Software Licensing Issues

38
4.4.1 Operating System
  • Defines user interfaces
  • Permits users to share hardware
  • Permits users to share data
  • Inform users of any error
  • Permits recovery from system error
  • Communicates completion of a process
  • Allows system file management
  • Allows system accounting management

39
4.4.1 Operating Systems (continued)
  • Software Control Features or Parameters
  • Data management
  • Resource management
  • Job management
  • Priority setting

40
4.4.2 Access Control Software
  • Designed to prevent
  • Unauthorized access to data
  • Unauthorized use of systems functions and
    programs
  • Unauthorized updates/changes to data

41
4.4.3 Data Communications Software
  • Used to transmit messages or data from one point
    to another.
  • Interfaces with the operating system, application
    programs, telecommunications systems, network
    control system

42
4.4.4 Data Management
  • File Organization
  • Sequential
  • Indexed sequential
  • Direct random access

43
4.4.5 Database Management System (DBMS)
  • DBMS architecture
  • Detailed DBMS metadata architecture
  • Data dictionary/directory system (DD/DS)
  • Database structure
  • Database controls

47
Practice Question
  • 4-6 The PRIMARY benefit of database normalization
    is the
  • A. minimization of redundancy of information in
    tables required to satisfy users' needs.
  • B. ability to satisfy more queries.
  • C. maximization of database integrity by
    providing information in more than one table.
  • D. minimization of response time through faster
    processing of information.

49
4.4.6 Tape and Disk Management Systems
  • Tracks and lists tape/disk resources needed for
    data center processing
  • Minimizes computer operator time and errors
  • Improves space efficiency by consolidating
    fragmented free space
  • Provides inventory control over tapes,
    identification of offsite rotation of backup
    media and security features to control tape
    access.

50
4.4.7 Utility Programs
  • Functional Areas
  • Understanding application systems
  • Assessing or testing data quality
  • Testing a program's ability to function correctly
    and maintain data integrity
  • Assisting in faster program development
  • Improving operational efficiency

51
4.4.8 Software Licensing Issues
  • Documented policies and procedures that guard
    against unauthorized use or copying of software.
  • Listing of all standard, used and licensed
    application and system software.
  • Centralizing control and automated distribution
    and the installation of software
  • Requiring that all PCs be diskless workstations
    and access applications from a secured LAN
  • Regularly scanning user PCs

52
4.5 IS Network Infrastructure
  • Telecommunications links for networks can be
  • Analog
  • Digital
  • Methods for transmitting signals over analog
    telecommunication links are
  • Baseband
  • Broadband network

53
4.5.1 Enterprise Network Architectures
  • Today's networks are
  • part of a large, centrally managed,
    internetworked architecture: high-speed local-
    and wide-area computer networks serving
    organizations' client-server-based environments.

54
4.5.2 Types of Networks
  • Personal Area Networks (PANs)
  • Local area networks (LANs)
  • Wide area networks (WANS)
  • Storage Area Networks (SANs)

55
4.5.3 Network Services
  • File sharing
  • E-mail services
  • Print services
  • Remote access services
  • Terminal emulation software (TES)
  • Directory services
  • Network management

56
4.5.4 Network Standards and Protocols
  • Critical Success Factors
  • Interoperability
  • Availability
  • Flexibility
  • Maintainability

57
4.5.4 Network Standards and Protocols (continued)
  • ISO/OSI
  • Is a proof-of-concept model composed of seven
    layers, each specifying particular specialized
    tasks or functions
  • Objective
  • To provide a set of open system standards for
    equipment manufacturers and to provide a
    benchmark to compare different communication
    systems

58
4.5.5 OSI Architecture
  • Functions of the layers of the ISO/OSI Model
  • Application layer
  • Presentation layer
  • Session layer
  • Transport layer
  • Network layer
  • Data link layer
  • Physical layer

59
4.5.6 Application of the OSI Model in Network
Architectures
  • Local Area Network (LAN)
  • Wide Area Network (WAN)
  • Wireless Networks
  • Public Global Internet Infrastructure

61
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • LAN Components
  • Repeaters
  • Hubs
  • Bridges
  • Switches
  • Routers

63
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • WAN Message transmission techniques
  • Message switching
  • Packet switching
  • Circuit switching
  • Virtual circuits
  • WAN dial-up services

64
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • Network physical media specifications
  • Local Area Network (LAN)
  • Copper (twisted-pairs) circuits
  • Fiber-optic systems
  • Radio Systems (wireless)
  • Wide Area Network (WAN)
  • Fiber-optic systems
  • Microwave radio systems
  • Satellite radio link systems

66
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • WAN Components
  • WAN switch
  • Routers
  • Modems

67
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • WAN Technologies
  • Point to point protocol
  • X.25
  • Frame Relay
  • Integrated services digital network (ISDN)
  • Asynchronous transfer mode
  • Multiprotocol label switching
  • Digital subscriber lines
  • Virtual Private Networks

71
Practice Question
  • 4-7 Which of the following would allow a company
    to extend its enterprise's intranet across the
    Internet to its business partners?
  • A. Virtual private network
  • B. Client-server
  • C. Dial-up access
  • D. Network service provider

73
Practice Question
  • 4-8 Which of the following statements relating to
    packet switching networks is CORRECT?
  • A. Packets for a given message travel the same
    route.
  • B. Passwords cannot be embedded within the
    packet.
  • C. Packet lengths are variable and each packet
    contains the same amount of information.
  • D. The cost charged for transmission is based on
    the packet, not the distance or route traveled.

75
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • Wireless Networks
  • Wireless Wide Area Network (WWAN)
  • Wireless Local Area Network (WLAN)
  • Wireless Personal Area Network (WPAN)
  • Wireless ad hoc Networks
  • Wireless Application Protocol (WAP)

77
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • Wireless Access Exposures
  • Interception of sensitive information
  • Loss or theft of devices
  • Misuse of devices
  • Loss of data contained in devices
  • Distraction caused by devices
  • Possible health effects of device usage
  • Wireless user authentication
  • File security
  • WEP security encryption
  • Interoperability
  • Use of wireless subnets
  • Translation point

79
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • TCP/IP Internet World Wide Web Services
  • URL
  • Common gateway scripts
  • Cookie
  • Applets
  • Servlets
  • Bookmark

80
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • Network Administration and Control
  • Network performance metrics
  • Network management issues
  • Network management tools

83
4.5.6 Application of the OSI Model in Network
Architectures (continued)
  • Applications in a Networked Environment
  • Client-Server Technology
  • Middleware

85
4.6 Auditing Infrastructure and Operations
  • Hardware Reviews
  • Operating System Reviews
  • Database Reviews
  • Network Infrastructure and Implementation Reviews
  • Network Operating Control Reviews
  • IS Operations Reviews
  • Lights-Out Operations
  • Problem Management Reporting Reviews
  • Hardware Availability and Utilization Reporting
    Reviews
  • Scheduling Reviews

86
4.6.1 Hardware Reviews
  • Review the capacity management procedures
  • Review the hardware acquisition plan
  • Review the PC acquisition criteria
  • Review (hardware) change management controls

88
4.6.2 Operating System Reviews
  • Interview technical service and other personnel
  • Review system software selection procedures
  • Review the feasibility study and selection
    process
  • Review cost-benefit analysis of system software
    procedures
  • Review controls over the installation of changed
    system software

90
4.6.2 Operating System Reviews (continued)
  • Review system software maintenance activities
  • Review system software change controls
  • Review systems documentation
  • Review and test system software implementation
  • Review authorization documentation
  • Review system software security

92
4.6.3 Database Reviews
  • Design
  • Access
  • Administration
  • Interfaces
  • Portability
  • Database-supported IS controls

94
Practice Question
  • 4-9 When conducting an audit of client-server
    database security, the IS auditor should be most
    concerned about the availability of
  • A. System utilities.
  • B. Application program generators.
  • C. System security documentation.
  • D. Access to stored procedures.

96
4.6.4 Network Infrastructure and Implementation
Reviews
  • Review controls over network implementations
  • Physical controls
  • Environmental controls
  • Logical security controls

102
4.6.5 Network Operating Control Reviews
  • Appropriate implementation, conversion and
    acceptance test plans
  • Implementation and testing plans for the
    network's hardware and communications links
  • Operating provisions for distributed data
    processing networks
  • All sensitive files / datasets have been
    identified
  • Procedures established to assure effective
    controls over hardware and software
  • Adequate restart and recovery mechanisms

103
4.6.5 Network Operating Control Reviews
(continued)
  • The IS distributed network has been designed to
    assure that failure of service at any one site
    will have a minimal effect
  • All changes made to the operating systems
    software used by the network are controlled
  • Individuals have access only to authorized
    applications, transaction processors and datasets
  • System commands affecting more than one network
    site are restricted to one terminal and to an
    authorized individual
  • Encryption is being used on the network to encode
    sensitive data
  • Appropriate security policies and procedures have
    been implemented

104
4.6.6 IS Operating Reviews
  • Computer operations
  • File handling procedures
  • Data entry control

107
4.6.7 Lights Out Operations
  • Remote access to the master console
  • Contingency plans
  • Program change controls
  • Assurance that errors are not hidden

108
4.6.8 Problem Management Reporting Reviews
  • Reviews of the procedures used for recording,
    evaluating, and resolving or escalating any
    problem
  • Reviews of the performance records
  • Reviews of the reasons for delays in application
    program processing
  • Reviews of the procedures used by the IS
    department to collect statistics regarding online
    processing performance
  • The determination that significant and recurring
    problems have been identified and actions are
    being taken
  • The determination that processing problems were
    resolved
  • Reviews of operations documentation
  • Reviews of help desk call logs

109
4.6.9 Hardware Availability and Utilization
Reporting Reviews
  • Review the problem log
  • Review the preventive maintenance schedule
  • Review the control and management of equipment
  • Review the hardware availability and utilization
    reports
  • Review the workload schedule and the hardware
    availability and utilization reports

110
4.6.10 Scheduling Reviews
  • Review the console log
  • Review the schedule
  • Determine whether the scheduling of rush/rerun
    jobs is consistent
  • Determine whether critical applications have been
    identified
  • Determine whether scheduling procedures are used
    to facilitate optimal use of computer resources
  • Determine whether the number of personnel
    assigned to each shift is adequate
  • Review the procedures for collecting, reporting
    and analyzing key performance indicators

111
Chapter 4 - Case Study Scenario
  • The IS auditor has recently been asked to perform
    an external and internal network security
    assessment for an organization that processes
    health benefit claims. The organization has a
    complex network infrastructure with multiple
    local area and wireless networks, and a Frame
    Relay network that crosses international borders.
    Additionally, there is an Internet site that is
    accessed by doctors and hospitals.
  • The Internet site has both open areas and
    sections containing medical claim information
    that requires an ID and password to access. An
    Intranet site is also available that allows
    employees to check on the status of their
    personal medical claims and purchase prescription
    drugs at a discount using a credit card. The
    frame relay network carries unencrypted
    nonsensitive statistical data that are sent to
    regulatory agencies but do not include any
    customer identifiable information. The last
    review of network security was performed more
    than five years ago.

112
Chapter 4 Case Study
  • At that time, numerous exposures were noted in
    the areas of firewall rule management and patch
    management for application servers. Internet
    applications were also found to be susceptible to
    SQL injection. It should be noted that wireless
    access as well as the Intranet portal had not
    been installed at the time of the last review.
  • Since the last review, a new firewall has been
    installed and patch management is now controlled
    by a centralized mechanism for pushing patches
    out to all servers. Internet applications have
    been upgraded to take advantage of newer
    technologies. Additionally, an intrusion
    detection system has been added, and reports
    produced by this system are monitored on a daily
    basis.
  • Traffic over the network involves a mixture of
    protocols, as a number of legacy systems are
    still in use. All sensitive network traffic
    traversing the Internet is first encrypted prior
    to being sent. Traffic on the internal local area
    and wireless networks is encoded in hexadecimal
    so that no data appears in cleartext. A number of
    devices also utilize Bluetooth to transmit data
    between PDAs and laptop computers.

113
Chapter 4 Case Study
  • 1. In performing an external network security
    assessment, which of the following should
    normally be performed FIRST?
  • A. Exploitation
  • B. Enumeration
  • C. Reconnaissance
  • D. Vulnerability scanning

115
Chapter 4 Case Study
  • 2. Which of the following presents the GREATEST
    risk to the organization?
  • A. Not all traffic traversing the Internet is
    encrypted.
  • B. Traffic on internal networks is unencrypted.
  • C. Cross-border data flow is unencrypted.
  • D. Multiple protocols are being used.
