Chapter 4
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 1
Process Area Overview
4.1 Information Systems Operations
4.1.1 Management of IS Operations
4.1.2 IT Service Management
4.1.3 Infrastructure Operations
4.1.4 Monitoring Use of Resources
4.1.5 Support / Help Desk
4.1.6 Change Management Process
4.1.7 Program Library Management Systems
4.1.8 Library Control Software
4.1.9 Release Management
4.1.10 Quality Assurance
4.1.11 Information Security Management
4.2 Information Systems Hardware
4.2.1 Computer Hardware Components and Architecture
4.2.2 Hardware Maintenance Program
4.2.3 Hardware Monitoring Procedures
4.2.4 Capacity Management
4.3.7 Utility Programs
4.3.8 Software Licensing Issues
4.5 Auditing Infrastructure and Operations
4.5.1 Hardware Reviews
4.5.2 Operating System Reviews
4.5.3 Database Reviews
4.5.4 Network Infrastructure and Implementation Reviews
4.5.5 Network Operating Control Reviews
4.5.6 IS Operations Reviews
4.5.7 Lights-out Operations
4.5.8 Problem Management Reporting Reviews
4.5.9 Hardware Availability and Utilization Reporting Reviews
4.5.10 Scheduling Reviews
Chapter Objective
The objective of this area is to ensure that the CISA candidate understands, and can provide assurance, that the IT service management practices will ensure the delivery of the level of service required to meet the organization's objectives.
Chapter Summary
CISA examination (approximately 28 questions).
4.1 Information Systems Operations
Job accounting
Scheduling
Major releases
Minor software releases
Emergency software fixes
Chapter 4 Question 1
Chapter 4 Question 2
Chapter 4 Question 3
4.2 Information Systems Hardware and Architectures
Processing Components
Input/Output Components
Types of Computers
4.2.1 Computer Hardware Components and Architectures
Types of Computers (cont.)
Supercomputers
Large (mainframes)
Midrange computer
Microcomputer (personal computers, PC)
Notebook / laptop computers
Personal digital assistant (PDA)
Common Characteristics of Different
Types of Computers
Multitasking
Multiprocessing
Multiusing
Multithreading
Print servers
File servers
Program (application) servers
Web servers
Proxy servers
Database servers
Memory Cards
Utilization reports
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning
Chapter 4 Question 5
4.3 Information Systems Architecture and Software
Operating systems
Software Control Features or Parameters
Data communication software
Data management
Database management system (DBMS)
Tape and Disk Management System
Utility Programs
Software Licensing Issues
DBMS architecture
A. system utilities.
B. application program generators.
C. systems security documentation.
D. access to stored procedures.
Chapter 4 Question 7
4.4 Information Systems Network Infrastructure
4.4.1 Enterprise Network Architectures
Today's networks are part of a large, centrally managed, internetworked architecture of high-speed local- and wide-area computer networks serving organizations' client-server-based environments. Such architectures may cluster common types of IT functions together in network segments, each uniquely identifiable and specialized to its task.
4.4.3 Network Services
File sharing
E-mail services
Print services
Remote access services
Terminal emulation software (TES)
Directory services
Network management
ISO/OSI is a proof-of-concept model composed of seven layers, each specifying particular specialized tasks or functions.
Functions of the layers of the ISO/OSI Model
Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer
4.4.6 Application of the OSI Model in Network Architectures
Local Area Network (LAN)
Wide Area Network (WAN)
Wireless Networks
Public Global Internet Infrastructure
Network physical media specifications
Local Area Network (LAN)
Copper (twisted-pairs) circuits
Fiber-optic systems
Radio Systems (wireless)
Wide Area Network (WAN)
Fiber-optic systems
Microwave radio systems
Satellite radio link systems
LAN Components
Repeaters
Hubs
Bridges
Switches
Routers
WAN message transmission techniques
Message switching
Packet switching
Circuit switching
Virtual circuits
WAN dial-up services
WAN Components
WAN switch
Routers
Modems
WAN Technologies
Point-to-point protocol
X.25
Frame Relay
Integrated services digital network (ISDN)
Asynchronous transfer mode
Multiprotocol label switching
Digital subscriber lines
Virtual Private Networks
Wireless Networks
Wireless Wide Area Network (WWAN)
Wireless Local Area Network (WLAN)
Wireless Personal Area Network (WPAN)
Wireless ad hoc networks
Wireless Access: Exposures
Interception of sensitive information
Loss or theft of devices
Misuse of devices
Loss of data contained in devices
Distraction caused by devices
Possible health effects of device usage
Wireless user authentication
File security
Interoperability
Use of wireless subnets
Applications in a Networked Environment
Client-Server Technology
Middleware
Chapter 4 Question 8
Chapter 4 Question 9
Chapter 4 Question 10
4.5 Auditing Infrastructure and Operations
4.5.3 Database Reviews
Design
Access
Administration
Interfaces
Portability
Database-supported IS controls
4.6 Chapter 4: Case Study
4.6.1 Case Study Scenario
The IS auditor has recently been asked to perform an external and internal network security assessment for an organization that processes health benefit claims. The organization has a complex network infrastructure with multiple local area and wireless networks and a Frame Relay network that crosses international borders. Additionally, there is an Internet site that is accessed by doctors and hospitals. The Internet site has both open areas and sections containing medical claim information that require an ID and password to access. An Intranet site is also available that allows employees to check on the status of their personal medical claims and purchase prescription drugs at a discount using a credit card. The Frame Relay network carries unencrypted, nonsensitive statistical data that are sent to regulatory agencies but do not include any customer-identifiable information. The last review of network security was performed more than five years ago.
At that time, numerous exposures were noted in the areas of firewall rule management and patch management for application servers. Internet applications were also found to be susceptible to SQL injection. It should be noted that wireless access as well as the Intranet portal had not been installed at the time of the last review. Since the last review, a new firewall has been installed and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. Internet applications have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and reports produced by this system are monitored on a daily basis. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is first encrypted prior to being sent. Traffic on the internal local area and wireless networks is encoded in hexadecimal so that no data appears in cleartext. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers.
4.6.2 Case Study Questions
1. In performing an external network security assessment, which of the following should normally be performed FIRST?
A. Exploitation
B. Enumeration
C. Reconnaissance
D. Vulnerability scanning
2. Which of the following presents the GREATEST risk to the organization?
A. Not all traffic traversing the Internet is encrypted.
B. Traffic on internal networks is unencrypted.
C. Cross-border data flow is unencrypted.
D. Multiple protocols are being used.