Posted on 03-Dec-2014

2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 1

2007 CISA Review Course

Chapter 4

IT Service Delivery and Support

Process Area Overview

4.1 Information Systems Operations
4.1.1 Management of IS Operations
4.1.2 IT Service Management
4.1.3 Infrastructure Operations
4.1.4 Monitoring Use of Resources
4.1.5 Support / Help Desk
4.1.6 Change Management Process
4.1.7 Program Library Management Systems
4.1.8 Library Control Software
4.1.9 Release Management
4.1.10 Quality Assurance
4.1.11 Information Security Management

4.2 Information Systems Hardware
4.2.1 Computer Hardware Components and Architecture
4.2.2 Hardware Maintenance Program
4.2.3 Hardware Monitoring Procedures
4.2.4 Capacity Management

4.3 IS Architecture and Software
4.3.1 Operating Systems
4.3.2 Access Control Software
4.3.3 Data Communications Software
4.3.4 Data Management
4.3.5 Database Management System
4.3.6 Tape and Disk Management Systems
4.3.7 Utility Programs
4.3.8 Software Licensing Issues

4.4 IS Network Infrastructure
4.4.1 Enterprise Network Architectures
4.4.2 Types of Networks
4.4.3 Network Services
4.4.4 Network Standards and Protocols
4.4.5 OSI Architecture
4.4.6 Application of the OSI Model in Network Architectures

4.5 Auditing Infrastructure and Operations
4.5.1 Hardware Reviews
4.5.2 Operating System Reviews
4.5.3 Database Reviews
4.5.4 Network Infrastructure and Implementation Reviews
4.5.5 Network Operating Control Reviews
4.5.6 IS Operations Reviews
4.5.7 Lights-out Operations
4.5.8 Problem Management Reporting Reviews
4.5.9 Hardware Availability and Utilization Reporting Reviews
4.5.10 Scheduling Reviews

4.6 Chapter 4 Case Study
4.6.1 Case Study Scenario
4.6.2 Case Study Questions

Chapter Objective

The objective of this area is to ensure that the CISA candidate understands and can provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.

Chapter Summary

According to the CISA Certification Board, this area represents 14% of the CISA examination (approximately 28 questions).

4.1 Information Systems Operations

4.1.1 Management of IS Operations

Control functions

4.1.2 IT Service Management

• Service level
  – Abnormal job termination reports
  – Operator problem reports
  – Output distribution reports
  – Console logs
  – Operator work schedules

4.1.3 Infrastructure Operations

• Lights-out Operations (Automated Unattended Operations)

• Input / output control function

• Job accounting

• Scheduling

• Job Scheduling Software

4.1.4 Monitoring Use of Resources

• Process of Incident Handling
• Problem Management
• Detection, Documentation, Control, Resolution and Reporting of Abnormal Conditions

4.1.5 Support/Help Desk

• Prioritize the issues and forward them to the appropriate managers.

• Follow up on unresolved problems.

• Close out resolved problems, noting proper authorization to close out the problem by the user.


4.1.6 Change Management Process

• System, operations and program documentation

• Job preparation, scheduling and operating instructions

• System and program test

• Data file conversion

• System conversion

4.1.7 Program Library Management Systems

• Integrity

• Update

• Reporting

• Interface


4.1.8 Library Control Software

• Executable and source code integrity: each production executable module should have one corresponding source module

• Source code comparison: an effective and easy-to-use method for tracing changes to programs
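The two controls above can be checked mechanically. The following Python script is an added example, not material from the ISACA course: it verifies that every executable in a production library maps to exactly one source module recorded at release, that neither the executable nor its source has changed since that release, and, where a source has changed, produces the source code comparison an auditor would review. The module names, file contents and manifest layout are constructed for the illustration; a real library management system would supply its own release records.

```python
"""Library control checks: executable/source correspondence and source comparison.

Added example, not part of the ISACA course material. The module names, file
contents and manifest layout below are constructed for illustration.
"""
import difflib
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(pairs, sources, executables):
    """Record, at release time, which source module produced each executable
    and the hash of both, so later drift in either can be detected."""
    return {
        exe: {
            "source": src,
            "source_sha256": sha256_hex(sources[src]),
            "exe_sha256": sha256_hex(executables[exe]),
        }
        for exe, src in pairs
    }


def review_library(manifest, baseline_sources, current_sources, current_executables):
    """Compare the production library against the release manifest.

    Returns (findings, diffs): findings is a list of (module, finding code);
    diffs holds a unified diff for every source module that changed.
    """
    findings: List[Tuple[str, str]] = []
    diffs: Dict[str, List[str]] = {}

    # One source module producing several executables breaks the
    # one-executable-to-one-source rule.
    mapped_sources = [entry["source"] for entry in manifest.values()]
    for src in sorted(set(mapped_sources)):
        if mapped_sources.count(src) > 1:
            findings.append((src, "SOURCE_MAPPED_TO_MULTIPLE_EXECUTABLES"))

    # Every executable in production must be in the manifest and unchanged.
    for exe, content in sorted(current_executables.items()):
        if exe not in manifest:
            findings.append((exe, "NO_CORRESPONDING_SOURCE"))
        elif sha256_hex(content) != manifest[exe]["exe_sha256"]:
            findings.append((exe, "EXECUTABLE_MODIFIED"))

    # Every recorded source must still exist and match; if not, show the change.
    for exe, entry in sorted(manifest.items()):
        src = entry["source"]
        if exe not in current_executables:
            findings.append((exe, "EXECUTABLE_MISSING"))
        if src not in current_sources:
            findings.append((src, "SOURCE_MISSING"))
            continue
        if sha256_hex(current_sources[src]) != entry["source_sha256"]:
            findings.append((src, "SOURCE_MODIFIED"))
            diffs[src] = list(difflib.unified_diff(
                baseline_sources[src].decode().splitlines(),
                current_sources[src].decode().splitlines(),
                fromfile=f"release/{src}", tofile=f"production/{src}", lineterm=""))
    return findings, diffs


# Constructed sample: the library as captured at the last authorized release ...
BASELINE_SOURCES = {
    "PAYROLL.COB": b"       PROGRAM-ID. PAYROLL.\n       COMPUTE NET-PAY = GROSS-PAY - TAX.\n",
    "GL.COB": b"       PROGRAM-ID. GL.\n       ADD AMOUNT TO BALANCE.\n",
}
BASELINE_EXECUTABLES = {"PAYROLL.EXE": b"PAYROLL-BUILD-0042", "GL.EXE": b"GL-BUILD-0017"}
RELEASE_PAIRS = [("PAYROLL.EXE", "PAYROLL.COB"), ("GL.EXE", "GL.COB")]

# ... and as found in production today: PAYROLL source edited, GL binary patched
# in place, and an executable that has no source module at all.
CURRENT_SOURCES = {
    "PAYROLL.COB": b"       PROGRAM-ID. PAYROLL.\n       COMPUTE NET-PAY = GROSS-PAY - TAX + BONUS.\n",
    "GL.COB": BASELINE_SOURCES["GL.COB"],
}
CURRENT_EXECUTABLES = {
    "PAYROLL.EXE": b"PAYROLL-BUILD-0042",
    "GL.EXE": b"GL-BUILD-0017-PATCHED",
    "TAXCALC.EXE": b"TAXCALC-BUILD-0001",
}


def run_sample():
    manifest = build_manifest(RELEASE_PAIRS, BASELINE_SOURCES, BASELINE_EXECUTABLES)
    return review_library(manifest, BASELINE_SOURCES, CURRENT_SOURCES, CURRENT_EXECUTABLES)


if __name__ == "__main__":
    findings, diffs = run_sample()
    for module, code in findings:
        print(f"{code:40} {module}")
    for src, diff in diffs.items():
        print("\n".join(diff))
```

On the sample, PAYROLL.EXE still matches its release hash even though PAYROLL.COB has changed, which is exactly the situation the one-source-per-executable rule exists to expose: the binary running in production no longer corresponds to the source on file. The release manifest is the control point; if it is writable by the same people who promote code, the check proves nothing, so it should be produced by the release process and stored where developers cannot update it.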

4.1.9 Release Management

• Major releases
• Minor software releases
• Emergency software fixes

4.1.10 Quality Assurance

Verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment.


4.1.11 Information Security Management

• Performing risk assessments on information assets

• Performing business impact analyses

• Conducting security assessments on a regular basis

• Implementing a formal vulnerability management process


Chapter 4 Question 1

When reviewing a service level agreement for an outsourced computer center an IS auditor should FIRST determine that:

A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.

Chapter 4 Question 2

Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?

A. Trace from system generated information to the change management documentation.
B. Examine change management documentation for evidence of accuracy.
C. Trace from the change management documentation to a system generated audit trail.
D. Examine change management documentation for evidence of completeness.
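Both tracing directions named in the options above can be automated once the system-generated change records and the change tickets are in hand, which is also how the quality assurance objective in 4.1.10 (changes authorized, tested and implemented in a controlled manner) gets tested rather than asserted. The following Python script is an added example, not material from the ISACA course: the audit-trail line format, the ticket fields and every record are constructed for the illustration, and a real engagement would take the audit trail from the operating system or library management software and the tickets from the change management system.

```python
"""Trace system-generated change records to change management documentation.

Added example, not from the ISACA course. The audit-trail line format, the
ticket fields and every record below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed: the system's own record of changes to production objects. This
# is the population the trace starts from, so an undocumented change cannot
# hide simply by having no ticket.
AUDIT_TRAIL = """\
2007-03-02T14:05:11 host=prod-app1 user=jsmith action=REPLACE object=/opt/app/lib/payroll.so
2007-03-02T23:40:02 host=prod-app1 user=jsmith action=REPLACE object=/opt/app/lib/gl.so
2007-03-03T09:12:45 host=prod-db1 user=root action=MODIFY object=/etc/db/params.conf
2007-03-04T10:00:00 host=prod-app1 user=mlee action=REPLACE object=/opt/app/lib/payroll.so
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) action=(\S+) object=(\S+)$")


@dataclass
class ChangeEvent:
    ts: datetime
    host: str
    user: str
    action: str
    obj: str


@dataclass
class Ticket:
    """A change request as recorded in the change management system."""
    ticket_id: str
    obj: str
    implementer: str
    approved: bool
    window_start: datetime
    window_end: datetime


def iso(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed change tickets: the documentation side of the trace.
TICKETS = [
    Ticket("CHG-1041", "/opt/app/lib/payroll.so", "jsmith", True, iso("2007-03-02T14:00"), iso("2007-03-02T16:00")),
    Ticket("CHG-1042", "/opt/app/lib/gl.so", "jsmith", True, iso("2007-03-02T18:00"), iso("2007-03-02T20:00")),
    Ticket("CHG-1050", "/opt/app/lib/payroll.so", "jsmith", False, iso("2007-03-04T09:00"), iso("2007-03-04T11:00")),
    Ticket("CHG-1060", "/opt/app/lib/ar.so", "mlee", True, iso("2007-03-03T20:00"), iso("2007-03-03T22:00")),
]


def parse_audit_trail(text: str) -> List[ChangeEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts, host, user, action, obj = m.groups()
        events.append(ChangeEvent(iso(ts), host, user, action, obj))
    return events


def reconcile(events: List[ChangeEvent], tickets: List[Ticket]) -> List[Tuple[str, Optional[str], str]]:
    """Return (object, ticket id or None, finding) for every exception found
    tracing events to tickets and, afterwards, tickets back to events."""
    findings = []
    used = set()
    for ev in events:
        same_obj = [t for t in tickets if t.obj == ev.obj]
        if not same_obj:
            findings.append((ev.obj, None, "NO_TICKET"))
            continue
        in_window = [t for t in same_obj if t.window_start <= ev.ts <= t.window_end]
        if in_window:
            ticket = in_window[0]
        else:
            # Nearest ticket for the object, so the exception names the ticket
            # the change was presumably made under.
            ticket = min(same_obj, key=lambda t: abs((t.window_start - ev.ts).total_seconds()))
            findings.append((ev.obj, ticket.ticket_id, "OUTSIDE_WINDOW"))
        used.add(ticket.ticket_id)
        if not ticket.approved:
            findings.append((ev.obj, ticket.ticket_id, "NOT_APPROVED"))
        if ticket.implementer != ev.user:
            findings.append((ev.obj, ticket.ticket_id, "IMPLEMENTER_MISMATCH"))
    # Reverse direction: documentation with no system evidence that the
    # change was actually made.
    for t in tickets:
        if t.ticket_id not in used:
            findings.append((t.obj, t.ticket_id, "NO_SYSTEM_EVIDENCE"))
    return findings


def run_sample():
    return reconcile(parse_audit_trail(AUDIT_TRAIL), TICKETS)


if __name__ == "__main__":
    for obj, ticket_id, code in run_sample():
        print(f"{code:22} {ticket_id or '-':9} {obj}")
```

The forward trace (system record to ticket) is the one that finds changes nobody documented, such as the root edit of the database parameter file in the sample; the reverse trace only shows tickets that were closed without the change being made. The script assumes the audit trail itself is protected from the people who make changes; if implementers can edit or truncate it, neither direction is evidence.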

Chapter 4 Question 3

A university’s IT department and financial services office (FSO) have an existing service level agreement that requires availability during each month to exceed 98 percent. FSO has analyzed availability and noted that it has exceeded 98 percent for each of the last 12 months, but has averaged only 93 percent during month-end closing. Which of the following options BEST reflects the course of action FSO should take?

A. Renegotiate the agreement.
B. Inform IT that it is not meeting the required availability standard.
C. Acquire additional computing resources.
D. Streamline the month-end closing process.

4.2 Information Systems Hardware

4.2.1 Computer Hardware Components and Architectures

• Processing Components

• Input/Output Components

• Types of Computers

4.2.1 Computer Hardware Components and Architectures

Types of Computers (cont.)

– Supercomputers
– Large (mainframes)
– Midrange computer
– Microcomputer (personal computers, PC)
– Notebook / laptop computers
– Personal digital assistant (PDA)

4.2.1 Computer Hardware Components and Architectures

• Common Characteristics of Different Types of Computers

– Multitasking
– Multiprocessing
– Multiusing
– Multithreading

4.2.1 Computer Hardware Components and Architectures

• Common Computer Roles

Print servers

File servers

Program (application) servers

Web servers


4.2.1 Computer Hardware Components and Architectures

• Common Computer Roles (cont.)

Proxy servers

Database servers

Appliances (specialized devices)


4.2.1 Computer Hardware Components and Architectures

• Universal Serial Bus

• Memory Cards

• Radio Frequency Identification

• Write Once and Read Many


4.2.2 Hardware Maintenance Program

• Reputable service company

• Maintenance schedule

• Maintenance cost

• Maintenance performance history, planned and exceptional

4.2.3 Hardware Monitoring Procedures

• Availability reports

• Hardware error reports

• Utilization reports


4.2.4 Capacity Management

• CPU utilization (processing power)
• Computer storage utilization
• Telecommunications and WAN bandwidth utilization
• Terminal utilization
• I/O channel utilization
• Number of users
• New technologies
• New applications
• Service level agreements

Chapter 4 Question 4

Which one of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments?

A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning

Chapter 4 Question 5

The key objective of capacity planning procedures is to ensure that:

A. available resources are fully utilized.
B. new resources will be added for new applications in a timely manner.
C. available resources are used efficiently and effectively.
D. utilization of resources does not drop below 85%.

4.3 Information Systems Architecture and Software

• Operating systems

• Software Control Features or Parameters

• Data communication software

• Data management

• Database management system (DBMS)

• Tape and Disk Management System

• Utility Programs

• Software Licensing Issues


4.3.1 Operating systems

• Defines user interfaces
• Permits users to share hardware
• Permits users to share data
• Informs users of any error…
• Permits recovery from system error
• Communicates completion of a process
• Allows system file management
• Allows system accounting management

Software Control Features or Parameters

• Data management
• Resource management
• Job management
• Priority setting

Software Integrity Issues

• Protect itself from deliberate and inadvertent modification.

• Ensure that privileged programs cannot be interfered with by user programs.

• Provide for effective process isolation.


Activity Logging and Reporting Options

• Data file versions used for production processing
• Program accesses to sensitive data
• Programs scheduled and run
• Utilities or service aids usage
• Operating system operation
• Changes to system parameters and libraries
• Databases
• Access control
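Logging these events is only useful if someone reviews the log against a rule set, and the review is easy to automate. The following Python script is an added example, not material from the ISACA course: it reads a constructed activity log and reports the four exposures from the list above that can be decided from the record alone, namely a sensitive data set opened by a program not approved for it, any use of a utility or service aid, an update to a system parameter or library data set, and a production job processing a data file version other than the current one. The log line format, the job, program and data set names, and the approved-program and current-version tables are all invented for the illustration (the utility names are common IBM mainframe utilities, used here only as recognisable examples).

```python
"""Review of operating system activity logs for the logging options listed above.

Added example, not from the ISACA course. The log line format, the job,
program and data set names, and the approved-access and current-version
tables are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed activity log: one record per data set opened by a job.
ACTIVITY_LOG = """\
2007-03-05T02:10:03 job=PAYJOB01 program=PAYROLL user=BATCHOPS dataset=PROD.PAYROLL.MASTER version=G0042V00 mode=UPDATE
2007-03-05T02:11:40 job=PAYJOB01 program=PAYROLL user=BATCHOPS dataset=PROD.PAYROLL.RATES version=G0017V00 mode=READ
2007-03-05T03:05:12 job=ADHOC17 program=IDCAMS user=OPER3 dataset=PROD.PAYROLL.MASTER version=G0042V00 mode=UPDATE
2007-03-05T04:20:55 job=SYSMAINT program=IEBGENER user=SYSPROG dataset=SYS1.PARMLIB version=CURRENT mode=UPDATE
2007-03-05T05:00:00 job=PAYJOB02 program=PAYROLL user=BATCHOPS dataset=PROD.PAYROLL.MASTER version=G0041V00 mode=READ
"""

LINE_RE = re.compile(
    r"^(\S+) job=(\S+) program=(\S+) user=(\S+) dataset=(\S+) version=(\S+) mode=(\S+)$")

# Sensitive data sets and the only programs approved to open them (assumed).
APPROVED_PROGRAMS: Dict[str, Set[str]] = {
    "PROD.PAYROLL.MASTER": {"PAYROLL"},
    "PROD.PAYROLL.RATES": {"PAYROLL", "RATEMNT"},
}
# Utilities and service aids whose every use must be individually justified.
UTILITIES = {"IDCAMS", "IEBGENER", "IEBCOPY", "AMASPZAP"}
# System parameter and library data sets: any update is a system change.
SYSTEM_LIBRARIES = {"SYS1.PARMLIB", "SYS1.LINKLIB", "SYS1.PROCLIB"}
# Data file versions production jobs are expected to process in this cycle.
CURRENT_VERSIONS = {"PROD.PAYROLL.MASTER": "G0042V00", "PROD.PAYROLL.RATES": "G0017V00"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed activity log into one dict per record."""
    records = []
    keys = ("ts", "job", "program", "user", "dataset", "version", "mode")
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable activity record: {line!r}")
        records.append(dict(zip(keys, m.groups())))
    return records


def review(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (job, data set, finding) for every record that needs follow-up."""
    findings = []
    for r in records:
        ds, prog = r["dataset"], r["program"]
        if ds in APPROVED_PROGRAMS and prog not in APPROVED_PROGRAMS[ds]:
            findings.append((r["job"], ds, "SENSITIVE_DATA_ACCESS_BY_UNAPPROVED_PROGRAM"))
        if prog in UTILITIES:
            findings.append((r["job"], ds, "UTILITY_USAGE"))
        if ds in SYSTEM_LIBRARIES and r["mode"] == "UPDATE":
            findings.append((r["job"], ds, "SYSTEM_PARAMETER_OR_LIBRARY_CHANGE"))
        expected = CURRENT_VERSIONS.get(ds)
        if expected and r["version"] != expected:
            findings.append((r["job"], ds, "NONCURRENT_DATA_FILE_VERSION"))
    return findings


def run_sample():
    return review(parse_log(ACTIVITY_LOG))


if __name__ == "__main__":
    for job, dataset, code in run_sample():
        print(f"{code:44} {job:9} {dataset}")
```

The normal payroll job produces no findings, the ad hoc job that opened the payroll master with a utility produces two (it is both an unapproved program for that data set and a utility use), and the job that read the previous generation of the master file is reported even though the access itself was authorized, because the wrong file version is an integrity problem rather than an access problem. Each finding still has to be matched to an authorization; the script only shrinks the log to the records worth matching.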

4.3.2 Access Control Software

• Prevent unauthorized access to data
• Unauthorized use of system functions and programs
• Unauthorized updates/changes to data
• Detect or prevent unauthorized attempts to access computer resources

4.3.3 Data communication software

• Transmits information or data

• Consists of three components

– The transmitter (source)
– The transmission path (channel or line)
– The receiver (the sink)

4.3.4 Data management

• File Organization

Sequential

Indexed sequential

Direct random access


4.3.5 Database management system (DBMS)

• DBMS architecture

• Detailed DBMS metadata architecture

• Data dictionary/directory system (DD/DS)

• Database structure

• Database controls

4.3.6 Tape and Disk Management System

An automated tape management system (TMS) or disk management system (DMS) is specialized system software that tracks and lists tape/disk resources needed for data center processing.

4.3.7 Utility Programs

• Understanding application systems

• Assessing or testing data quality

• Testing a program’s ability to function correctly and maintain data integrity

• Assisting in faster program development

• Improving operational efficiency


4.3.8 Software Licensing Issues

• Documented policies and procedures that guard against unauthorized use or copying of software.

• Listing of all standard, used and licensed application and system software.

• Centralizing control and automated distribution and the installation of software

• Requiring that all PCs be diskless workstations and access applications from a secured LAN

• Regularly scanning user PCs


Chapter 4 Question 6

When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of:

A. system utilities.
B. application program generators.
C. systems security documentation.
D. access to stored procedures.

Chapter 4 Question 7

The PRIMARY benefit of database normalization is the:

A. minimization of redundancy of information in tables required to satisfy users’ needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing information in more than one table.
D. minimization of response time through faster processing of information.

4.4 Information Systems Network Infrastructure

Telecommunications links for networks can be:
• Analog
• Digital

Methods for transmitting signals over analog telecommunication links are:
• Baseband
• Broadband network

4.4.1 Enterprise Network Architectures

Today’s networks are part of a large, centrally-managed, inter-networked architecture solution of high-speed local- and wide-area computer networks serving organizations’ client-server-based environments. Such architectures may include clustering common types of IT functions together in network segments each uniquely identifiable and specialized to task.


4.4.2 Types of Networks

• Personal Area Networks (PANs)

• Local area networks (LANs)

• Wide area networks (WANS)

• Storage Area Networks (SANs)


4.4.3 Network Services

• File sharing
• E-mail services
• Print services
• Remote access services
• Terminal emulation software (TES)
• Directory services
• Network management

4.4.4 Network Standards and Protocols

• Critical Success Factors

– Interoperability
– Availability
– Flexibility
– Maintainability

ISO/OSI is a proof-of-concept model composed of seven layers, each specifying particular specialized tasks or functions.

Objective: to provide a set of open system standards for equipment manufacturers and to provide a benchmark to compare different communication systems.

Functions of the layers of the ISO/OSI Model

– Application layer
– Presentation layer
– Session layer
– Transport layer
– Network layer
– Data link layer
– Physical layer

4.4.5 OSI Architecture

The International Organization for Standardization formulated the OSI model to establish standards for vendors developing protocols supporting open system architecture.


4.4.6 Application of the OSI Model in

Network Architectures

• Local Area Network (LAN)

• Wide Area Network (WAN)

• Wireless Networks

• Public “Global” Internet Infrastructure


Network physical media specifications

– Local Area Network (LAN)
  • Copper (twisted-pairs) circuits
  • Fiber-optic systems
  • Radio Systems (wireless)

– Wide Area Network (WAN)
  • Fiber-optic systems
  • Microwave radio systems
  • Satellite radio link systems

LAN Components

– Repeaters

– Hubs

– Bridges

– Switches

– Routers


WAN Message transmission techniques

– Message switching

– Packet switching

– Circuit switching

– Virtual circuits

– WAN dial-up services


WAN Components

– WAN switch

– Routers

– Modems


WAN Technologies

– Point to point protocol

– X.25

– Frame Relay

– Integrated services digital network (ISDN)

– Asynchronous transfer mode

– Multiprotocol label switching

– Digital subscriber lines

– Virtual Private Networks

Wireless Networks

– Wireless Wide Area Network (WWAN)

– Wireless Local Area network (WLAN)

– Wireless Personal Area Network (WPAN)

– Wireless ad hoc networks


Wireless Access: Exposures

– Interception of sensitive information

– Loss or theft of devices

– Misuse of devices

– Loss of data contained in devices

– Distraction caused by devices

– Possible health effects of device usage

– Wireless user authentication

– File security

– Interoperability

– Use of wireless subnets


Network Administration and Control

• Network performance metrics

• Network management issues

• Network management tools


Applications in a Networked Environment

• Client-Server Technology

• Middleware

Chapter 4 Question 8

An IS auditor when reviewing a network used for Internet communications will FIRST examine the:

A. validity of password change occurrences.
B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

Chapter 4 Question 9

Which of the following would allow a company to extend its enterprise’s intranet across the Internet to its business partners?

A. Virtual private network
B. Client-server
C. Dial-up access
D. Network service provider

Chapter 4 Question 10

Which of the following statements relating to packet switching networks is correct?

A. Packets for a given message travel the same route.
B. Passwords cannot be embedded within the packet.
C. Packet lengths are variable and each packet contains the same amount of information.
D. The cost charged for transmission is based on the packet, not the distance or route traveled.

4.5 Auditing Infrastructure and Operations

4.5.1 Hardware Reviews

– Review the capacity management procedures

– Review the hardware acquisition plan

– Review the PC acquisition criteria

– Review (hardware) change management controls


4.5.2 Operating System Reviews

– Interview technical service and other personnel

– Review system software selection procedures

– Review the feasibility study and selection process

– Review cost-benefit analysis of system software procedures

– Review controls over the installation of changed system software


4.5.2 Operating System Reviews (cont)

– Review system software maintenance activities

– Review system software change controls

– Review systems documentation

– Review and test system software implementation

– Review authorization documentation

– Review system software security


4.5.3 Database Reviews

– Design

– Access

– Administration

– Interfaces

– Portability

– Database-supported IS controls


4.5.4 Network Infrastructure and Implementation Reviews

– Review controls over network implementations

• Physical controls

• Environmental controls

• Logical security controls


4.5.5 Network Operating Control Reviews

– Appropriate implementation, conversion and acceptance test plans

– Implementation and testing plans for the network’s hardware and communications links

– Operating provisions for distributed data processing networks

– All sensitive files / datasets have been identified

– Procedures established to assure effective controls over hardware and software

– Adequate restart and recovery mechanisms


4.5.5 Network Operating Control Reviews (cont)

– The IS distributed network has been designed to assure that failure of service at any one site will have a minimal effect

– All changes made to the operating systems software used by the network are controlled

– Individuals have access only to authorized applications, transaction processors and datasets

– System commands affecting more than one network site are restricted to one terminal and to an authorized individual

– Encryption is used on the network to protect sensitive data in transit (encoding alone, such as hexadecimal, is not encryption)

– Appropriate security policies and procedures have been implemented
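The access item above (individuals have access only to authorized applications, transaction processors and datasets) and the "Review authorization documentation" step in 4.5.2 are tested the same way in practice: the auditor takes an extract of what the system has actually granted and reconciles it against the approved authorization records and the current list of active staff. The following is an added example of that reconciliation, written for this page; it is not part of the ISACA course. The two extracts, the active-user list and the resource names (CLAIMS.APP, CLAIMS.DATASET, NETOPS.CMD) are constructed sample data, not output of any real system.

```python
"""Reconcile granted access against authorization records.

Added example for the 4.5.5 access control item; not part of the ISACA course.
GRANTED_EXTRACT, APPROVED_RECORDS and ACTIVE_USERS are constructed sample data.
"""
import csv
import io

# Constructed extract of access actually granted on the system.
GRANTED_EXTRACT = """\
user,resource,privilege
alice,CLAIMS.APP,execute
alice,CLAIMS.DATASET,read
bob,CLAIMS.APP,execute
bob,CLAIMS.DATASET,update
carol,NETOPS.CMD,execute
dave,CLAIMS.DATASET,read
"""

# Constructed authorization records: what management approved, and who approved it.
# NETOPS.CMD stands for the multi-site system commands that 4.5.5 says must be
# restricted to an authorized individual; nobody is approved for it here.
APPROVED_RECORDS = """\
user,resource,privilege,approved_by
alice,CLAIMS.APP,execute,j.manager
alice,CLAIMS.DATASET,read,j.manager
bob,CLAIMS.APP,execute,j.manager
bob,CLAIMS.DATASET,read,j.manager
erin,CLAIMS.APP,execute,j.manager
"""

# Constructed list of accounts HR reports as active (dave has left).
ACTIVE_USERS = {"alice", "bob", "carol", "erin"}


def parse_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(granted_text, approved_text, active_users):
    """Return audit findings as a dict of sorted (user, resource, privilege) lists.

    unauthorized : granted on the system but not in the authorization records
                   (includes a higher privilege than the one approved)
    stale        : approved but no longer granted, so the records are out of date
    terminated   : granted to an account HR does not list as active
    """
    granted = {(r["user"], r["resource"], r["privilege"]) for r in parse_rows(granted_text)}
    approved = {(r["user"], r["resource"], r["privilege"]) for r in parse_rows(approved_text)}

    unauthorized = sorted(granted - approved)
    stale = sorted(approved - granted)
    terminated = sorted(g for g in granted if g[0] not in active_users)
    return {"unauthorized": unauthorized, "stale": stale, "terminated": terminated}


def format_findings(findings):
    """Render the findings as the working-paper text an auditor would file."""
    lines = []
    for category, entries in findings.items():
        lines.append(f"{category}: {len(entries)}")
        for user, resource, privilege in entries:
            lines.append(f"  {user:<8} {resource:<16} {privilege}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(reconcile(GRANTED_EXTRACT, APPROVED_RECORDS, ACTIVE_USERS)))
```

Each finding maps to a different control failure: bob holding update where only read was approved is a privilege beyond authorization, carol's NETOPS.CMD grant has no authorization record at all, and dave's access survived his departure. The stale entries are not a security exposure by themselves, but they show the authorization documentation no longer describes the system and cannot be relied on as evidence.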


4.5.6 IS Operations Reviews

– Computer operations

– File handling procedures

– Data entry control


4.5.7 Lights-out Operations

– Remote access to the master console

– Contingency plans

– Program change controls

– Assurance that errors are not hidden


4.5.8 Problem Management Reporting Reviews

– Reviews of the procedures used for recording, evaluating, and resolving or escalating any problem

– Reviews of the performance records

– Reviews of the reasons for delays in application program processing

– Reviews of the procedures used by the IS department to collect statistics regarding online processing performance

– The determination that significant and recurring problems have been identified and actions are being taken

– The determination that processing problems were resolved

– Reviews of operations documentation

– Reviews of help desk call logs
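Several of the items above (recurring problems identified, problems resolved, reasons for delays) can be derived from the problem log itself before interviewing anyone, which lets the auditor compare what the log shows with what problem management claims. The following is an added example of that analysis, written for this page and not part of the ISACA course. The log records, the recurrence threshold of three occurrences and the 48-hour escalation target are all assumptions constructed for the example.

```python
"""Review a problem log for recurring, overdue and slow-to-resolve problems.

Added example for the 4.5.8 review items; not part of the ISACA course.
PROBLEM_LOG is constructed sample data, and the threshold and escalation
target are assumptions for this example.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed log: id | opened | closed (empty while still open) | category | description
PROBLEM_LOG = """\
P-101|2006-10-02 08:15|2006-10-02 09:40|BATCH_ABEND|Claims batch CLM210 abended, rerun
P-102|2006-10-05 21:10|2006-10-06 01:00|BATCH_ABEND|Claims batch CLM210 abended, rerun
P-103|2006-10-06 10:00|2006-10-06 10:30|PRINTER|Claims printer offline
P-104|2006-10-11 22:05||BATCH_ABEND|Claims batch CLM210 abended, rerun
P-105|2006-10-12 14:20|2006-10-14 16:00|NETWORK|Frame Relay link to EU site down
P-106|2006-10-13 09:00||LOGON|User locked out after failed logons
"""

RECURRENCE_THRESHOLD = 3                  # assumption: same category 3+ times is recurring
ESCALATION_TARGET = timedelta(hours=48)   # assumption: open longer than this must be escalated
REVIEW_DATE = datetime(2006, 10, 15)      # date on which the auditor took the extract
TIME_FORMAT = "%Y-%m-%d %H:%M"


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        pid, opened, closed, category, description = line.split("|")
        records.append({
            "id": pid,
            "opened": datetime.strptime(opened, TIME_FORMAT),
            "closed": datetime.strptime(closed, TIME_FORMAT) if closed else None,
            "category": category,
            "description": description,
        })
    return records


def review_problem_log(text, now=REVIEW_DATE):
    """Return the facts the 4.5.8 review asks for, derived from the log itself."""
    records = parse_log(text)
    counts = Counter(r["category"] for r in records)
    # Recurring problems: the review must confirm these were identified and acted on,
    # not just logged and rerun each time.
    recurring = sorted(c for c, n in counts.items() if n >= RECURRENCE_THRESHOLD)
    # Still open past the escalation target: was the escalation procedure followed?
    overdue = sorted(r["id"] for r in records
                     if r["closed"] is None and now - r["opened"] > ESCALATION_TARGET)
    # Resolution times in hours, for the review of delays in application processing.
    durations = {r["id"]: (r["closed"] - r["opened"]).total_seconds() / 3600
                 for r in records if r["closed"]}
    mttr_hours = round(sum(durations.values()) / len(durations), 2) if durations else None
    slowest = max(durations, key=durations.get) if durations else None
    return {"recurring": recurring, "overdue": overdue,
            "mttr_hours": mttr_hours, "slowest": slowest}


if __name__ == "__main__":
    for key, value in review_problem_log(PROBLEM_LOG).items():
        print(f"{key}: {value}")
```

On this sample the auditor would ask problem management for evidence that the three CLM210 abends were recognised as one recurring problem with a root-cause action rather than three independent reruns (this also feeds the rush/rerun item in 4.5.10), why P-104 is still open past the escalation target, and what caused the two-day outage recorded in P-105.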


4.5.9 Hardware Availability and Utilization Reporting Reviews

– Review the problem log

– Review the preventive maintenance schedule

– Review the control and management of equipment

– Review the hardware availability and utilization reports

– Review the workload schedule and the hardware availability and utilization reports


4.5.10 Scheduling Reviews

– Review the console log

– Review the schedule

– Determine whether the scheduling of rush/rerun jobs is consistent

– Determine whether critical applications have been identified

– Determine whether scheduling procedures are used to facilitate optimal use of computer resources

– Determine whether the number of personnel assigned to each shift is adequate

– Review the procedures for collecting, reporting and analyzing key performance indicators


4.6 Chapter 4: Case Study

4.6.1 Case Study Scenario

The IS auditor has recently been asked to perform an external and internal network security assessment for an organization that processes health benefit claims. The organization has a complex network infrastructure with multiple local area and wireless networks, and a Frame Relay network that crosses international borders. Additionally, there is an Internet site that is accessed by doctors and hospitals. The Internet site has both open areas and sections containing medical claim information that require an ID and password to access. An intranet site is also available that allows employees to check on the status of their personal medical claims and purchase prescription drugs at a discount using a credit card. The Frame Relay network carries unencrypted, nonsensitive statistical data that are sent to regulatory agencies and do not include any customer-identifiable information. The last review of network security was performed more than five years ago.


At that time, numerous exposures were noted in the areas of firewall rule management and patch management for application servers. Internet applications were also found to be susceptible to SQL injection. It should be noted that wireless access as well as the intranet portal had not been installed at the time of the last review. Since the last review, a new firewall has been installed and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. Internet applications have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and reports produced by this system are monitored on a daily basis. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is first encrypted prior to being sent. Traffic on the internal local area and wireless networks is encoded in hexadecimal so that no data appears in cleartext. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers.
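The scenario's statement that internal traffic is "encoded in hexadecimal so that no data appears in cleartext" is the point to test. Encoding is reversible without any secret, so it gives no confidentiality: whoever captures frames on the LAN or the wireless segment recovers the data in exactly the way the assessor does, and the intranet purchase traffic carries credit card numbers. The following is an added example of the check an assessor would run over such a capture; it was written for this page and is not part of the ISACA course. It undoes hex or base64 encoding and scans the result for credentials and card numbers. The frames are constructed sample payloads built here from known cleartext, and the field patterns are assumptions chosen for the scenario.

```python
"""Show that hex/base64 "encoding" of internal traffic hides nothing.

Added example for the case study; not part of the ISACA course.
CAPTURED_FRAMES is constructed sample data: payloads encoded here from known
cleartext, standing in for frames sniffed on the LAN or wireless segment.
"""
import base64
import binascii
import re

# Constructed frames. Frames 0 and 1 are what the scenario's "encoding" produces
# for a logon and a discount-purchase request; frame 2 is opaque binary for contrast.
CAPTURED_FRAMES = [
    b"userid=jdoe&password=Winter2006&claim=CL-55821".hex(),
    base64.b64encode(b"card=4111111111111111&exp=1208&amount=42.50").decode("ascii"),
    "00ff10a5c3e27b",
]

# Fields an assessor would flag. The patterns are assumptions for this example.
SENSITIVE_PATTERNS = {
    "password": re.compile(rb"(?i)(?:password|passwd|pwd)=([^&\s]+)"),
    "card_number": re.compile(rb"\b(\d{13,19})\b"),
}


def luhn_ok(number):
    """Luhn check so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_text(raw):
    """True if the bytes are printable ASCII, i.e. a decoding really yielded data."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def undo_encoding(frame):
    """Reverse hex or base64 encoding. No key is needed: encoding is not encryption."""
    decoders = (("hex", bytes.fromhex),
                ("base64", lambda s: base64.b64decode(s, validate=True)))
    for scheme, decoder in decoders:
        try:
            raw = decoder(frame)
        except (ValueError, binascii.Error):
            continue
        if looks_like_text(raw):
            return scheme, raw
    return None, None


def scan_frames(frames):
    """Return (frame index, scheme, field, value) for every sensitive field recovered."""
    findings = []
    for index, frame in enumerate(frames):
        scheme, raw = undo_encoding(frame)
        if raw is None:
            continue
        for field, pattern in SENSITIVE_PATTERNS.items():
            for match in pattern.finditer(raw):
                value = match.group(1).decode("ascii")
                if field == "card_number" and not luhn_ok(value):
                    continue
                findings.append((index, scheme, field, value))
    return findings


if __name__ == "__main__":
    for index, scheme, field, value in scan_frames(CAPTURED_FRAMES):
        print(f"frame {index}: {scheme}-decoded, {field} recovered: {value}")
```

Run against the same traffic encrypted under a key the capturing party does not hold, the scan returns nothing, which is the difference the second case study question turns on. The Luhn filter matters in practice: claim numbers and timestamps produce long digit runs, and an assessment report that lists them as card numbers loses credibility.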


4.6.2 Case Study Questions

1. In performing an external network security assessment, which of the following should normally be performed FIRST?

A. Exploitation

B. Enumeration

C. Reconnaissance

D. Vulnerability scanning


2. Which of the following presents the GREATEST risk to the organization?

A. Not all traffic traversing the Internet is encrypted.

B. Traffic on internal networks is unencrypted.

C. Cross-border data flow is unencrypted.

D. Multiple protocols are being used.
