Chap4 2007cisareviewcourse 090511233810 Phpapp02

2007 CISA Review Course
Chapter 4
IT Service Delivery and Support
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 1
Process Area Overview
4.1 Information Systems Operations
4.1.1 Management of IS Operations
4.1.2 IT Service Management
4.1.3 Infrastructure Operations
4.1.4 Monitoring Use of Resources
4.1.5 Support / Help Desk
4.1.6 Change Management Process
4.1.7 Program Library Management Systems
4.1.8 Library Control Software
4.1.9 Release Management
4.1.10 Quality Assurance
4.1.11 Information Security Management
4.2 Information Systems Hardware
4.2.1 Computer Hardware Components and Architecture
4.2.2 Hardware Maintenance Program
4.2.3 Hardware Monitoring Preocedures
4.2.4 Capacity Management
4.3 IS Architecture and Software

4.3.1 Operating Systems
4.3.2 Access Control Software
4.3.3 Data Communications Software
4.3.4 Data Management
4.3.5 Database Management System
4.3.6 Tape and Disk Management Systems
4.3.7 Utility Programs
4.3.8 Software Licensing Issues
4.4 IS Network Infrastructure

4.4.1 Enterprise Network Architectures
4.4.2 Type of Networks
4.4.3 Network Services
4.4.4 Network Standards and Protocols
4.4.5 OSI Architecture
4.4.6 Application of the OSI Model in Network Architectures
4.5 Auditing Infrastructure and Operations
4.5.1 Hardware Reviews
4.5.2 Operating System Reviews
4.5.3 Database Reviews
4.5.4 Network Infrastructure and Implementation Reviews
4.5.5 Network Operating Control Reviews
4.5.6 IS Operations Reviews
4.5.7 Lights-out Operations
4.5.8 Problem Management Reporting Reviews
4.5.9 Hardware Availability and Utilization Reporting Reviews
4.5.10 Scheduling Reviews
4.6 Chapter 4 Case Study

4.6.1 Case Study Scenario
4.6.2 Case Study Questions
Chapter Objective
The objective of this area is to ensure that the
CISA candidate understands and can provide
assurance that the IT service management
practices will ensure the delivery of the level of
services required to meet the organizations
objectives.
Chapter Summary
According to the CISA Certification
Board, this area represents 14 % of the
CISA examination
(approximately 28 questions).
4.1 Information
Systems Operations
4.1.1 Management of IS Operations

Control functions
4.1 Information
Systems Operations
4.1.2 IT Service Management

Service level
Abnormal job termination reports
Operator problem reports
Output distribution reports
Console logs
Operator work schedules
4.1 Information
Systems Operations
4.1.2 IT Service Management (cont.)

Service level
Abnormal job termination reports
Operator problem reports
Output distribution reports
Console logs
Operator work schedules
4.1 Information
Systems Operations
4.1.3 Infrastructure Operations
Lights-out Operations (Automated Unattended

Operations)
Input / output control function
Job accounting
Scheduling
Job Scheduling Software
4.1 Information
Systems Operations
4.1.3 Infrastructure Operations (cont.)

Operations)
Job accounting
Scheduling
4.1 Information
Systems Operations

Operations)
Job accounting
Scheduling
4.1 Information
Systems Operations

Operations)
Job accounting
Scheduling
4.1 Information
Systems Operations

Operations)
Job accounting
Scheduling
4.1 Information
Systems Operations
4.1.4 Monitoring use of Resources
Process of Incident Handling

Problem Management
Detection, Documentation, Control, Resolution and
Reporting of Abnormal Conditions
4.1 Information
Systems Operations
4.1.4 Monitoring use of Resources (cont.)
Process of Incident Handling

Problem Management
Detection, Documentation, Control, Resolution and
Reporting of Abnormal Conditions
4.1 Information
Systems Operations
4.1.5 Support/Help Desk

Prioritize the issues, and forward them to the
appropriate managers, accordingly
Follow up on unresolved problems.
Close out resolved problems, noting proper

authorization to close out the problem by the
user.
4.1 Information
Systems Operations
4.1.6 Change Management Process

System, operations and program documentation
Job preparation, scheduling and operating
instructions
System and program test
Data file conversion.
System conversion
4.1 Information
Systems Operations
4.1.7 Program Library Management

Systems
Integrity
Update
Reporting
Interface
4.1 Information
Systems Operations
4.1.8 Library Control Software
Executable and source code integrity;

each production executable module should have
one corresponding source module
Source code comparison; is an effective
and easy-to-use method for tracing changes to
programs.
4.1 Information
Systems Operations
4.1.8 Library Control Software (cont.)
Executable and source code integrity;

each production executable module should have
one corresponding source module
Source code comparison; is an effective
and easy-to-use method for tracing changes to
programs.
4.1 Information
Systems Operations
4.1.9 Release Management
Major releases
Minor software releases
Emergency software fixes
4.1 Information
Systems Operations
4.1.10 Quality Assurance
Verify that system changes are authorized,

tested and implemented in a controlled manner
prior to being introduced into the production
environment.
4.1 Information
Systems Operations
4.1.11 Information Security

Management
Performing risk assessments on information assets
Performing business impact analyses
Conducting security assessments on a regular basis
Implementing a formal vulnerability management
process
Chapter 4 Question 1
When reviewing a service level agreement for an outsourced

computer center an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.

B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of
business needs.
D. audit access to the computer center is allowed under the
agreement.
Which of the following is the MOST effective method for an

IS auditor to use in testing the program change management
process?
A. Trace from system generated information to the change

management documentation.
B. Examine change management documentation for
evidence of accuracy.
C. Trace from the change management documentation to a
system generated audit trail.
D. Examine change management documentation for
evidence of completeness.
A universitys IT department and financial services office (FSO)

have an existing service level agreement that requires availability
during each month to exceed 98 percent. FSO has analyzed
availability and noted that it has exceeded 98 percent for each of
the last 12 months, but has averaged only 93 percent during
month-end closing. Which of the following options BEST reflects
the course of action FSO should take?
A. Renegotiate the agreement.

B. Inform IT that it is not meeting the required availability standard.
C. Acquire additional computing resources.
D. Streamline the month-end closing process.
4.2 Information
Systems Hardware
4.2.1 Computer Hardware Components
and Architectures
Processing Components
Input/Output Components
Types of Computers
4.2 Information
Systems Hardware
4.2.1 Computer Hardware Components and
Architectures
Types of Computers (cont.)
Supercomputers
Large (mainframes)
Midrange computer
Microcomputer (personal computers, PC
Notebook / laptop computers
Personal digital assistant (PDA)
4.2 Information
Systems Hardware
4.2.1 Computer Hardware Components and
Architectures
Types of Computers (cont.)
Supercomputers
Large (mainframes)
Midrange computer
Microcomputer (personal computers, PC
Notebook / laptop computers
Personal digital assistant (PDA)
4.2 Information
Systems Hardware
and Architectures
Common Characteristics of Different
Types of Computers
Multitasking
Multiprocessing
Multiusing
Multithreading
4.2 Information
Systems Hardware

and Architectures
Common Computer Roles
Print servers
File servers
Program (application) servers
Web servers
4.2 Information
Systems Hardware

and Architectures
Common Computer Roles (cont.)
Proxy servers
Database servers
Appliances (specialized devices)
4.2 Information
Systems Hardware

and Architectures
Universal Serial Bus
Memory Cards
Radio Frequency Identification
Write Once and Read Many

4.2 Information
Systems Hardware

and Architectures
Universal Serial Bus
Memory Cards
Radio Frequency Identification
Write Once and Read Many
4.2 Information
Systems Hardware
4.2.2 Hardware Maintenance Program

Reputable service company
Maintenance schedule
Maintenance cost
Maintenance performance history, planned
and exceptional
4.2 Information
Systems Hardware
4.2.3 Hardware Monitoring

Procedures
Availability reports
Hardware error reports
Utilization reports
4.2 Information
Systems Hardware
4.2.4 Capacity Management

CPU utilization (processing power)
Computer storage utilization
Telecommunications and WAN bandwidth
utilization
Terminal utilization
I/O channel utilization
Number of users
New technologies
New applications
Service level agreements
Which one of the following provides the BEST method for

determining the level of performance provided by similar
information-processing-facility environments?
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning
The key objective of capacity planning procedures is to

ensure that:
A. available resources are fully utilized.

B. new resources will be added for new applications in a
timely manner.
C. available resources are used efficiently and effectively.
D. utilization of resources does not drop below 85%.
4.3 Information Systems
Architecture and Software
Operating systems
Software Control Features or Parameters
Data communication software
Data management
Database management system (DBMS)
Tape and Disk Management System
Utility Programs
Software Licensing Issues
4.3.1 Operating systems

Defines user interfaces
Permits users to share hardware
Permits users to share data
Inform users of any error
Permits recovery from system error
Communicates completion of a process
Allows system file management
Allows system accounting management
4.3.1 Operating systems (cont.)

Defines user interfaces
Permits users to share hardware
Permits users to share data
Inform users of any error
Permits recovery from system error
Communicates completion of a process
Allows system file management
Allows system accounting management
Software Control Features or

Parameters
Data management
Resource management
Job management
Priority setting
Software Integrity Issues

Protect itself from deliberate and inadvertent
modification.
Ensure that privileged programs cannot be

interfered with by user programs.
Provide for effective process isolation.
Software Integrity Issues (cont.)

Protect itself from deliberate and inadvertent
modification.
Ensure that privileged programs cannot be

interfered with by user programs.
Provide for effective process isolation.
Activity Logging and Reporting

Options
Data file versions used for production processing.
Program accesses to sensitive data
Programs scheduled and run
Utilities or service aids usage
Operating system operation
Changes to system parameters and libraries
Databases
Access control
4.3.2 Access Control Software

Prevent unauthorized access to data
Unauthorized use of system functions and programs
Unauthorized updates/changes to data
Detect or prevent unauthorized attempts to access
computer resources.
4.3.3 Data communication software

Transmits information or data
Consists of three components
The transmitter (source)
The transmission path (channel or line)
The receiver (the sink)
4.3.4 Data management

File Organization
Sequential
Indexed sequential
Direct random access
4.3.5 Database management system

(DBMS)
DBMS architecture
Detailed DBMS metadata architecture

Data dictionary/directory system (DD/DS)
Database structure
Database controls

(DBMS) (cont.)
DBMS architecture

Database structure
Database controls

(DBMS) (cont.)
DBMS architecture

Database structure
Database controls

(DBMS) (cont.)
DBMS architecture

Database structure
Database controls
4.3.6 Tape and Disk Management

System
An automated tape management system (TMS) or

disk management system (DMS) is specialized
system software that tracks and lists tape/disk
resources needed for data center processing.
4.3.7 Utility Programs

Understanding application systems
Assessing or testing data quality
Testing a programs ability to function correctly
and maintain data integrity
Assisting in faster program development
Improving operational efficiency
4.3.8 Software Licensing Issues

Documented policies and procedures that guard
against unauthorized use or copying of software.
Listing of all standard, used and licensed
application and system software.
Centralizing control and automated distribution
and the installation of software
Requiring that all PCs be diskless workstations
and access applications from a secured LAN
Regularly scanning user PCs
When conducting an audit of client-server database security,

the IS auditor should be MOST concerned about the
availability of:
A. system utilities.
B. application program generators.
C. systems security documentation.
D. access to stored procedures.
The PRIMARY benefit of database normalization is the:
A. minimization redundancy of information in tables required

to satisfy users needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing
information in more than one table.
D. minimization of response time through faster processing
of information.
4.4 Information Systems Network
Infrastructure
Telecommunications links for networks can be:

Analog
Digital
Methods for transmitting signals over analog

telecommunication links are:
Baseband
Broadband network
Infrastructure
4.4.1 Enterprise Network
Architectures
Todays networks are part of a large, centrally-
managed, inter-networked architecture solution of high-
speed local- and wide-area computer networks serving
organizations client-server-based environments. Such
architectures may include clustering common types of
IT functions together in network segments each
uniquely identifiable and specialized to task.
Infrastructure
4.4.2 Types of Networks

Personal Area Networks (PANs)
Local area networks (LANs)
Wide area networks (WANS)
Storage Area Networks (SANs)
Infrastructure
4.4.3 Networks Services
File sharing
E-mail services
Print services
Remote access services
Terminal emulation software (TES)
Directory services
Network management
Infrastructure
4.4.4 Network Standards and Protocols

Critical Success Factors
Interoperability
Availability
Flexibility
Maintainability
Infrastructure
ISO/OSI: is a proof of a concept model
composed of seven layers, each specifying
particular specialized tasks or functions
Objective: to provide a set of open system

standards for equipment manufacturers and
to provide a benchmark to compare different
communication systems
Infrastructure
Functions of the layers of the ISO/OSI Model

Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer
Infrastructure
Functions of the layers of the ISO/OSI
Model
Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer
Infrastructure
4.4.5 OSI Architecture

The International Organization for Standardization
formulated the OSI model to establish standards
for vendors developing protocols supporting open
system architecture.
Infrastructure
4.4.6 Application of the OSI Model in
Network Architectures
Local Area Network (LAN)
Wide Area Network (WAN)
Wireless Networks
Public Global Internet Infrastructure
Infrastructure
Network physical media specifications
Local Area Network (LAN)
Copper (twisted-pairs) circuits
Fiber-optic systems
Radio Systems (wireless)
Wide Area Network (WAN)
Fiber-optic systems
Microwave radio systems
Satellite radio link systems
Infrastructure
LAN Components
Repeaters
Hubs
Bridges
Switches
Routers
Infrastructure
WAN Message transmission
techniques
Message switching
Packet switching
Circuit switching
Virtual circuits
WAN dial-up services
Infrastructure
WAN Components
WAN switch
Routers
Modems
Infrastructure
WAN Technologies
Point to point protocol
X.25
Frame Relay
Integrated services digital network (ISDN)
Asynchronus transfer mode
Multiprotocol label switching
Digital suscriber lines
Virtual Private Networks
Infrastructure
Wireless Networks
Wireless Wide Area Network (WWAN)
Wireless Local Area network (WLAN)
Wireless Personal Area Network (WPAN)
Wireless ad hoc networks
Infrastructure
Wireless Access: Exposures
Interception of sensitive information
Loss or theft of devices
Misuse of devices
Loss of data contained in devices
Distraction caused by devices
Possible health effects of device usage
Wireless user authentication
File security
Interoperability
Use of wireless subnets
Infrastructure
Network Administration and Control

Network performance metrics
Network management issues

Network management tools
Infrastructure
Network Administration and Control (cont.)

Network performance metrics
Network management issues

Network management tools
Infrastructure
Applications in a Networked
Environment
Client-Server Technology
Middleware
Infrastructure
Applications in a Networked
Environment (cont.)
Client-Server Technology
Middleware
An IS auditor when reviewing a network used for Internet

communications will FIRST examine the:
A. validity of password change occurrences.

B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.
Which of the following would allow a company to extend its

enterprises intranet across the Internet to its business
partners?
A. Virtual private network

B. Client-server
C. Dial-up access
D. Network service provider
Which of the following statements relating to packet

switching networks is correct?
A. Packets for a given message travel the same route.

B. Passwords cannot be embedded within the packet.
C. Packet lengths are variable and each packet contains the
same amount of information.
D. The cost charged for transmission is based on the packet,
not the distance or route traveled.
4.5 Auditing Infrastructure
and Operations
4.5.1 Hardware Reviews

Review the capacity management
procedures
Review the hardware acquisition plan
Review the PC acquisition criteria
Review (hardware) change management
controls
and Operations
4.5.2 Operating System Reviews

Interview technical service and other personnel
Review system software selection procedures
Review the feasibility study and selection process
Review cost-benefit analysis of system software
procedures
Review controls over the installation of changed
system software
and Operations
4.5.2 Operating System Reviews (cont)
Review system software maintenance activities

Review system software change controls
Review systems documentation
Review and test system software implementation
Review authorization documentation
Review system software security
and Operations
4.5.3 Database Reviews
Design
Access
Administration
Interfaces
Portability
Database-supported IS controls
and Operations
4.5.4 Network infrastructure and

implementation reviews
Review controls over network implementations
Physical controls
Environmental controls
Logical security controls
and Operations
4.5.5 Network Operating Control Reviews

Appropriate implementation, conversion and acceptance test plans
Implementation and testing plans for the networks hardware and
communications links
Operating provisions for distributed data processing networks
All sensitive files / datasets have been identified
Procedures established to assure effective controls over hardware
and software
Adequate restart and recovery mechanisms
and Operations
4.5.5 Network Operating Control Reviews (cont)
The IS distributed network has been designed to assure that failure

of service at any one site will have a minimal effect
All changes made to the operating systems software used by the
network are controlled
Individuals have access only to authorized applications, transaction
processors and datasets
System commands affecting more than one network site are
restricted to one terminal and to an authorized individual
Encryption is being used on the network to encode sensitive data
Appropriate security policies and procedures have been
implemented
and Operations
4.5.6 IS Operations Reviews

Computer operations
File handling procedures
Data entry control
and Operations
4.5.6 IS Operations Reviews (cont.)

Computer operations
File handling procedures
Data entry control
and Operations
4.5.7 Lights Out Operations

Remote access to the master console
Contingency plans
Program change controls
Assurance that errors are not hidden
and Operations
4.5.8 Problem Management Reporting Reviews

Reviews of the procedures used for recording, evaluating, and
resolving or escalating any problem
Reviews of the performance records
Reviews of the reasons for delays in application program
processing
Reviews of the procedures used by the IS department to collect
statistics regarding online processing performance
The determination that significant and recurring problems have
been identified and actions are being taken
The determination that processing problems were resolved
Reviews of operations documentation
Reviews of help desk call logs
and Operations
4.5.9 Hardware availability and utilization

Reporting Reviews
Review the problem log
Review the preventive maintenance schedule
Review the control and management of equipment
Review the hardware availability and utilization reports
Review the workload schedule and the hardware availability
and utilization reports
and Operations
4.5.10 Scheduling Reviews

Review the console log
Review the schedule
Determine whether the scheduling of rush/rerun jobs is consistent
Determine whether critical applications have been identified
Determine whether scheduling procedures are used to facilitate optimal
use of computer resources
Determine whether the number of personnel assigned to each shift is
adequate
Review the procedures for collecting, reporting and analyzing key
performance indicators
4.6 Chapter 4: Case Study
4.6.1 Case Study Scenario
The IS auditor has recently been asked to perform an external
and internal network security assessment for an organization
that processes health benefit claims. The organization has a
complex network infrastructure with multiple local area and
wireless networks, a Frame Relay network crosses
international borders. Additionally, there is an Internet site
that is accessed by doctors and hospitals. The Internet site
has both open areas and sections containing medical claim
information that requires an ID and password to access. An
Intranet site is also available that allows employees to check
on the status of their personal medical claims and purchase
prescription drugs at a discount using a credit card. The
frame relay network carries unencrypted nonsensitive
statistical data that are sent to regulatory agencies but do not
include any customer identifiable information. The last review
of network security was performed more than five years ago.
4.6 Chapter 4: Case Study
At that time, numerous exposures were noted in the areas of firewall
rule management and patch management for application servers.
Internet applications were also found to be susceptible to SQL
injection. It should be noted that wireless access as well as the
Intranet portal had not been installed at the time of the last review.
Since the last review, a new firewall has been installed and patch
management is now controlled by a centralized mechanism for
pushing patches out to all servers. Internet applications have been
upgraded to take advantage of newer technologies. Additionally, an
intrusion detection system has been added, and reports produced
by this system are monitored on a daily basis. Traffic over the
network involves a mixture of protocols, as a number of legacy
systems are still in use. All sensitive network traffic traversing the
Internet is first encrypted prior to being sent. Traffic on the internal
local area and wireless networks is encoded in hexadecimal so
that no data appears in cleartext. A number of devices also utilize
Bluetooth to transmit data between PDAs and laptop computers.
1. In performing an external network security
assessment, which of the following should
normally be performed FIRST?
A. Exploitation
B. Enumeration
C. Reconnaissance
D. Vulnerability scanning
2. Which of the following presents the GREATEST
risk to the organization?
A. Not all traffic traversing the Internet is
encrypted.
B. Traffic on internal networks is unencrypted.
C. Cross-border data flow is unencrypted.
D. Multiple protocols are being used.

Chap4 2007cisareviewcourse 090511233810 Phpapp02

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Chap4 2007cisareviewcourse 090511233810 Phpapp02

Hochgeladen von

Copyright:

Verfügbare Formate

2007 CISA Review Course

IT Service Delivery and Support

4.3 IS Architecture and Software

4.4 IS Network Infrastructure

4.6 Chapter 4 Case Study

According to the CISA Certification

Board, this area represents 14 % of the

4.1.1 Management of IS Operations

4.1.2 IT Service Management

4.1.2 IT Service Management (cont.)

4.1.3 Infrastructure Operations

Lights-out Operations (Automated Unattended

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended

Input / output control function

Job Scheduling Software

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended

Input / output control function

Job Scheduling Software

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended

Input / output control function

Job Scheduling Software

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended

Input / output control function

Job Scheduling Software

4.1.4 Monitoring use of Resources

Process of Incident Handling

4.1.4 Monitoring use of Resources (cont.)

Process of Incident Handling

4.1.5 Support/Help Desk

Close out resolved problems, noting proper

4.1.6 Change Management Process

4.1.7 Program Library Management

4.1.8 Library Control Software

Executable and source code integrity;

4.1.8 Library Control Software (cont.)

Executable and source code integrity;

4.1.9 Release Management

4.1.10 Quality Assurance

Verify that system changes are authorized,

4.1.11 Information Security

When reviewing a service level agreement for an outsourced

A. the cost proposed for the services is reasonable.

Which of the following is the MOST effective method for an

A. Trace from system generated information to the change

A universitys IT department and financial services office (FSO)

A. Renegotiate the agreement.

4.2.1 Computer Hardware Components

4.2.1 Computer Hardware Components

4.2.1 Computer Hardware Components

Appliances (specialized devices)

4.2.1 Computer Hardware Components

Radio Frequency Identification

Write Once and Read Many

4.2.1 Computer Hardware Components

4.2.2 Hardware Maintenance Program

4.2.3 Hardware Monitoring

Hardware error reports

4.2.4 Capacity Management

Which one of the following provides the BEST method for

The key objective of capacity planning procedures is to