Page 1: CISA REVIEW

CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Page 2: CISA REVIEW

CISA REVIEW
Chapter 4 – IT Service Delivery and Support

Learning Objectives:

• Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed.

• Evaluate operations management to ensure that IT support functions effectively meet business needs.

• Evaluate data administration practices to ensure the integrity and optimization of databases.

• Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.

• Evaluate problem and incident management practices to ensure that incidents, problems or errors are recorded, analyzed and resolved in a timely manner.

Page 3: CISA REVIEW

The overall responsibility for all operations within the IS department resides with IS management. The IS auditor is not expected to be a technical expert on computer operations. Rather, the auditor should understand the importance of management controls over operations in support of business functions.

Page 4: CISA REVIEW

• The purpose of the IS department is to provide service for end users. Often, the level of service guaranteed to users of the IS facilities is documented in service level agreements (SLAs). SLAs are key to effective management of IT services. They should be used to ensure a clear understanding of the expectations and services offered.

• An SLA should fully define the nature, type, time and other relevant information for each service. Factors that should be considered in the delivery of these services include accuracy, completeness, timeliness and proper distribution of output related to application processing.

• SLAs should be used both for outsourcing agreements and internally – between the IS department and its end-user clients. This is especially important where there is a contractual relationship between the IS department and the end user or customer. An SLA may be linked to a chargeback system, in which a specified percentage of the cost is apportioned from the end-user department to the IS department.

Page 5: CISA REVIEW

SLAs must address a clear business need. For example, this might include:

– System availability – regular hours and arrangements for out-of-hours service and support
– Support availability – regular hours and arrangements for out-of-hours service and support
– Throughput – traffic volumes, response times, etc.
– Changes – change management rules and agreed-on target timescales
– Security – standards and expectations, escalation procedures, etc.

Page 6: CISA REVIEW

An audit of service level management should look for a lack of understanding by the customer of the purpose of service level management. The process requires building a relationship between the business units and IS. Determining the state of the pre-SLA service must be done before the SLA can be agreed on, and achieving a shared perception by customers and IS can be challenging. Unless this is accomplished, other problems will ensue, such as SLAs that are based on desires rather than on achievable targets. The audit must also:

– Verify targets before the SLA is agreed on
– Ensure targets are achievable

Other potential problems include:

– Lack of focus, confused definitions and inadequate resources
– Lack of clearly defined responsibilities of all parties
– Targets that are IT-based rather than aligned with the business
– Failure to communicate the SLA and its targets
– Lack of senior management commitment to service level management

Page 7: CISA REVIEW

Question: Real-World Example
A multinational bank outsourced processing of its credit and debit card transactions. The maintenance of the SLA is critical to the ability of the bank to provide the required and expected service to its customers. Substantial penalties could be applied to unexpected SLA failures.

Page 8: CISA REVIEW

Answer: Real-World Example
The bank's IS auditor should:

– Verify that the agreed-on SLAs were achievable by the outsourcing vendor.

– Verify that adequate and complete reports of SLA achievement were prepared by the vendor's IS department in good time for the monthly SLA management meetings.

– Verify that the SLA achievement reports highlighted any failures, included a reasonable explanation for the failures and outlined measures in place to ensure the failures did not recur.
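As an added example (not part of the ISACA material), the kind of SLA achievement report the auditor above is told to verify: it scores a month's outages and support tickets against availability and response targets split into the regular and out-of-hours windows the SLA slide lists, and highlights the failures. The targets, outage records and tickets are all constructed for this example.

```python
"""Added example (not ISACA material): an SLA achievement report of the kind the
audit above verifies, built from constructed targets, outages and tickets."""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed SLA: regular hours are Mon-Fri 08:00-18:00; everything else is out of hours.
SLA = {
    "availability_pct": {"regular": 99.5, "out_of_hours": 98.0},
    "response_minutes": {"regular": 30, "out_of_hours": 120},
}
Outage = namedtuple("Outage", "start end cause")
Ticket = namedtuple("Ticket", "ref opened responded")

def is_regular_hours(t: datetime) -> bool:
    return t.weekday() < 5 and 8 <= t.hour < 18

def split_minutes(start: datetime, end: datetime) -> dict:
    """Count the minutes of [start, end) that fall in each SLA window."""
    counts = {"regular": 0, "out_of_hours": 0}
    t = start
    while t < end:
        counts["regular" if is_regular_hours(t) else "out_of_hours"] += 1
        t += timedelta(minutes=1)
    return counts

def availability_report(period_start, period_end, outages) -> dict:
    """Achieved availability per window against its target, with failures flagged."""
    total = split_minutes(period_start, period_end)
    lost = {"regular": 0, "out_of_hours": 0}
    for o in outages:
        s, e = max(o.start, period_start), min(o.end, period_end)  # clip to the period
        if s < e:
            for window, minutes in split_minutes(s, e).items():
                lost[window] += minutes
    report = {}
    for window, minutes in total.items():
        achieved = 100.0 * (minutes - lost[window]) / minutes
        target = SLA["availability_pct"][window]
        report[window] = {"lost_minutes": lost[window], "achieved_pct": round(achieved, 3),
                          "target_pct": target, "met": achieved >= target}
    return report

def response_failures(tickets) -> list:
    """Tickets whose first response exceeded the target for the window they were opened in."""
    failures = []
    for t in tickets:
        window = "regular" if is_regular_hours(t.opened) else "out_of_hours"
        minutes = (t.responded - t.opened).total_seconds() / 60
        if minutes > SLA["response_minutes"][window]:
            failures.append((t.ref, window, minutes))
    return failures

# Constructed reporting data for June 2010 (30 days, 22 weekdays).
PERIOD = (datetime(2010, 6, 1), datetime(2010, 7, 1))
OUTAGES = [
    Outage(datetime(2010, 6, 8, 9, 0), datetime(2010, 6, 8, 10, 30), "disk failure"),
    Outage(datetime(2010, 6, 12, 2, 0), datetime(2010, 6, 12, 5, 0), "patching overrun"),
    Outage(datetime(2010, 6, 15, 17, 30), datetime(2010, 6, 15, 19, 0), "network link loss"),
]
TICKETS = [
    Ticket("T1", datetime(2010, 6, 8, 9, 5), datetime(2010, 6, 8, 9, 20)),
    Ticket("T2", datetime(2010, 6, 12, 2, 10), datetime(2010, 6, 12, 3, 0)),
    Ticket("T3", datetime(2010, 6, 15, 17, 45), datetime(2010, 6, 15, 18, 30)),
]

if __name__ == "__main__":
    for window, row in availability_report(*PERIOD, OUTAGES).items():
        print(window, row)  # the regular-hours row shows met=False
    print("response failures:", response_failures(TICKETS))
```

The outage that straddles 18:00 is split across both windows, which is exactly the arithmetic a vendor's report should make visible rather than blend into one monthly figure.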

Page 9: CISA REVIEW

A major responsibility of IS management is ensuring the implementation of control functions including:

– Authorization and monitoring of IT resource usage based on corporate policy
– Identification of internal and external security vulnerabilities, and their timely resolution
– Detection of intrusion attempts
– Review and authorization of changes to the network, system and applications
– Monitoring to ensure compliance with standards
– Review of logs from all IT systems to detect critical system events and establish accountability of IT operations
– Capability of IS processing to recover from minor and major disruptions in a timely manner
– Confidentiality, integrity and availability of the data
– Plans for equipment replacement and capacity changes to maximize current job throughput and efficiently manage future acquisitions
– Management of hardware and software changes to avoid undue disruption to normal processing
– Maintenance of job accounting reports and other audit records
– Control of logical and physical access to computer resources

Page 10: CISA REVIEW

Instructions: Here are four issues and four resource monitoring reports that should identify the issue. Match each issue to the corresponding report.

Issues:
– Delayed reports
– Operator training
– Poor system testing
– Security access problems

Reports:
– Console logs
– Output distribution report
– Operations problem report
– Abnormal job termination report

Page 11: CISA REVIEW

Answers:
– Delayed reports – Output distribution report
– Operator training – Operations problem report
– Poor system testing – Abnormal job termination report
– Security access problems – Console log

Page 12: CISA REVIEW

Like any other asset of an organization, computer resources should be used in a way that benefits the entire organization. A variety of tools are available to monitor systems performance and provide information to authorized personnel. This information should be used as part of an established process for systems monitoring that conforms to the organization's strategies and policies.

Page 13: CISA REVIEW

Monitoring Use of Resources
Controls over computer resources – sometimes referred to as general controls – are essential because of the reliance on computer processing in managing the business. The complexity of software and hardware, and their interrelationships, require controls to detect and document any abnormal conditions that could lead to the identification of an error. This generally takes the form of an automated or manual log. Errors that should be entered in the log include:

– Program errors
– System errors
– Operator errors
– Network errors
– Telecommunication errors
– Hardware errors

Page 14: CISA REVIEW

Example log: An error log entry should include the items shown:

– Date
– Resolution
– Code
– Description
– Source
– Escalation
– Status
– Responsibility
– Department
– Narrative

Page 15: CISA REVIEW

This section gives an overview of various types of computer hardware and networking components. For an IS auditor, what is important is understanding the capabilities of the various devices and how they affect business risk and support business objectives.

Page 16: CISA REVIEW

Computer system hardware includes components that, while performing interdependent functions, can be classed as either processing components or input/output (I/O) components.

Processing Components

• The principal hardware component of a computer is the central processing unit (CPU). This is made up of an arithmetic logic unit (ALU), a control unit and an internal memory. The control unit's circuits control or direct all system operations. The ALU handles mathematical and logical operations. The internal memory (within the CPU) processes transactions.

• In addition to the CPU, the computer requires random access memory (RAM), read-only memory (ROM) and, usually, permanent storage devices such as a hard disk.

Input/Output Components

• I/O components are used to transfer information or instructions to the computer and to record or collect the output generated. A keyboard, for example, is an input-only device, but a touch screen can serve as both an input and output device. Printers are an example of an output-only device.

Page 17: CISA REVIEW

A distributed computing environment uses a variety of devices to deliver application services:

– Print servers – Allow an organization to consolidate printing resources rather than provide a number of printers
– Application (program) servers – Host the software that provides application access to client computers, as well as the application processing and communication with the application database. The consolidation of applications and licenses enhances application security and control.
– Web servers – Provide information and services to internal and external users through web pages and applications
– Proxy servers – Serve as an intermediate link between users and resources by accessing services on the user's behalf, offering (depending on the setup) greater speed and/or greater security
– Database servers – Provide a repository for raw data and work with application servers and web servers to provide the processing of the data

Page 18: CISA REVIEW

A proxy server has a large variety of potential purposes, including:

– To keep machines behind it anonymous (mainly for security)
– To speed up access to resources (using caching). Web proxies are commonly used to cache web pages from a web server.
– To apply access policy to network services or content, e.g., to block undesired sites
– To log/audit usage, i.e., to provide company employee Internet usage reporting
– To scan transmitted content for malware before delivery
– To scan outbound content, e.g., for data leak protection

Page 19: CISA REVIEW

Appliances – Specialized devices providing a single type of service more efficiently than would be possible for a multipurpose device. Examples include:

• Firewalls – Positioned between network segments, these inspect the traffic and apply security policies. The effectiveness of the firewall depends on the quality of the security policies.

• Switches – Used to divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks

• Routers – Used to link two or more physically separate network segments, which can still function as independent networks

• Load balancers – Distribute traffic across several different devices to increase the performance and availability of IT services

Page 20: CISA REVIEW

Instructions: Here are five network components and five descriptions. Match each component to its description.

Components:
– Database server
– Firewall
– Load balancer
– Proxy server
– Router

Descriptions:
– Provides a link between user and resources, accessing services on the user's behalf
– Provides a repository for raw data
– Distributes traffic across devices to increase performance
– Applies security policies
– Links two or more physically separate networks but allows them to function independently

Page 21: CISA REVIEW

Answer:

• Database server – Provides a repository for raw data
• Firewall – Applies security policies
• Load balancer – Distributes traffic across devices to increase performance
• Proxy server – Provides a link between user and resources, accessing services on the user's behalf
• Router – Links two or more physically separate networks but allows them to function independently

Page 22: CISA REVIEW

Database Management Systems

• A DBMS enables an organization to organize, control and use the data needed by application programs. The principal functions of a DBMS include reducing data redundancy, improving access time and providing basic security for sensitive data.

• A DBMS data dictionary identifies the fields, their characteristics and their use. These dictionaries may be active or passive. A passive dictionary is only a repository of information that can be viewed or printed. An active data dictionary includes entries for all data elements and facilitates application processing – for example, by providing validation characteristics or print formats.

Page 23: CISA REVIEW

A DBMS offers an organization a number of advantages:

– Allowing data to exist independent of the applications that use them
– Simplifying support for changing data requirements
– Improving efficiency of transaction processing
– Reducing data redundancy
– Maximizing data consistency
– Minimizing maintenance cost through data sharing
– Enabling enforcement of data/programming standards
– Enforcing data security
– Enabling integrity checks on stored data
– Facilitating users' ad hoc access to data, especially through designed query languages and application generators

Page 24: CISA REVIEW

Instructions: Here are five terms and five descriptions. Match each term to its corresponding description.

Terms:
– Data definition language (DDL)
– Data dictionary
– Field
– Metadata
– Normalization

Descriptions:
– Creates a representation of the schema
– Reduces data redundancy
– Basic data element
– The data elements required to define a database
– Description of all the items stored in the database

Page 25: CISA REVIEW

Answers:

• Data definition language (DDL) – Creates a representation of the schema

• Data dictionary – A listing of all data stored in the database that describes for each data element the name, data type (numeric, alphanumeric, etc.), length, whether it is required or not, a description, etc.

• Field – Basic data element

• Metadata – Data about data stored in a system that provides additional relevant information about this data. For example, a customer entry should include metadata about when the customer was created, who created the new customer, changes to the customer master record, etc.

• Normalization – Reduces data redundancy

Page 26: CISA REVIEW

Database Controls
Most DBMSs have internal security features that interact with the OS access control functions. These security features are often combined to cover security concerns associated with maintaining database integrity and availability. Among the controls may be:

– Establishing and enforcing definition standards
– Establishing and implementing data backup and recovery procedures to ensure database availability
– Establishing necessary levels of access controls for data items, tables and files to prevent inadvertent or unauthorized access
– Establishing controls to ensure only authorized personnel can update the database

Page 27: CISA REVIEW

Database Controls
A DBMS can control user access at these levels:

– User and the database
– Program and the database
– Transaction and the database
– Program and data field
– User and transaction
– User and data field

Page 28: CISA REVIEW

Real-World Example
Government regulations require that a major utility submit certain complex statistical information. To comply with the mandate, the organization used a database that had been created by a member of the finance department who had a great deal of business experience, but no formal IS training or experience with risk management. This large database embedded highly technical algorithms for calculating management information and had been in use for many years. The system used an old version of the database software which was no longer supported by the software vendor. No formal normalization had been carried out, although there was no evidence of data redundancy. Finally, there were no security or resilience controls in place. The database creator was about to retire and was the only person in the organization who had knowledge of the database and how to interpret the information analyses. The finance department management did not have an understanding of how the required data were collected and collated.

Think About It: What would you, as an IS auditor, recommend to management?

Page 29: CISA REVIEW

Real-World Example: Answer
The database was critical to the very existence of the business because incomplete, inaccurate or late submission of the data to the governing body would result in legal action resulting in heavy fines and, possibly, the forced closure of the business. In this case, the IS auditor recommended:

– Create a new database using current software.
– Place the database on a network server, subject to network access controls and routine backups.
– Retain the staff member as a consultant to advise on the design and implementation of the new database.

Page 30: CISA REVIEW

IS auditors need an overall understanding of the purpose and function of Operating System (OS) software, database management systems, and utility programs. Although in-depth knowledge of specific software is not necessary, the business purposes and control requirements of each are critical elements in an audit.

Page 31: CISA REVIEW

An OS manages the sharing and use of the computer resources such as processors, real memory (e.g., RAM), auxiliary memory (e.g., disk storage) and I/O devices. An OS contains programs that interact between the user, the processor and applications software. The functions an OS performs include:

– Defining user interfaces
– Permitting users to share hardware and data
– Scheduling resources among users
– Informing users of any errors that occur with the processor, I/O or programs
– Enabling recovery from system errors
– Communicating between the OS and application to allocate memory to processors, and make the memory available when the process is completed
– Allowing system file management

Page 32: CISA REVIEW

The OS settings enable activity logging, which allows analysis of system functions. Among the areas that can be analyzed based on the activity log are:

– Data file versions used for production processing
– Program access to sensitive data
– Programs scheduled and run
– Utilities or service aids usage
– OS operation, to ensure OS integrity has not been compromised by improper changes to system parameters and libraries

If an OS is improperly implemented or monitored, the result can be unauthorized access, inaccurate system usage logs, undetected errors and corrupted data.

Page 33: CISA REVIEW

Tape and Disk Management Systems
To provide controls for removable resources such as tapes and disks, organizations can use an automated tape management system (TMS) or disk management system (DMS). This specialized system software tracks and lists tape or disk resources, and includes:

– Data set name
– Specific tape reel or disk drive location
– Creation date
– Effective date
– Retention period
– Expiration date
– Contents information

Page 34: CISA REVIEW

Utility Programs
Utility programs – the system software used to perform maintenance and routines required during normal processing operations – can be categorized into five functional areas, based on how they are used:

– Understanding application systems
– Assessing or testing data quality
– Testing a program's ability to function correctly and maintain data integrity
– Assisting in faster program development
– Improving operational efficiency

Page 35: CISA REVIEW

Utility Programs, cont.
Server and PC operating systems are often equipped with specific utilities to:

– Handle verification, cleaning and defragmenting of hard disk and removable memory units
– Define the file system standard to be used for each unit
– Initialize removable data volumes (floppy disk) and volumes of disk/removable memory
– Save/restore system images
– Reconstruct and restore (logically) canceled files
– Test system units and peripherals

Many of these utility programs can perform outside the security system or can function without producing an audit trail of activity. As a result, access to and use of these sensitive and powerful utilities should be well controlled and restricted.

Page 36: CISA REVIEW

Utility Programs, cont.

• IBM has a utility called AMSAPZAP, colloquially known as Super Zap, which bypasses all access control software and has the ability to change data while they are being processed, to change programs while they are running and even change the OS parameters. Super Zap's use must be restricted to emergency access codes only since it may also bypass system logging.

• Many UNIX system managers make use of hacker utilities such as COPS and SATAN to assess system vulnerabilities. By definition, these would provide the same information to an unauthorized user.
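As an added example (not from the ISACA material), a review of an activity log for the areas the OS logging slide says it should be analyzed for, applying the restriction the utility slides call for: powerful utilities run by accounts outside the support group or without an emergency change reference, program access to sensitive datasets, and changes to system parameter libraries. The log format, account and program names, dataset names and the policy are all constructed for this example.

```python
"""Added example (not ISACA material): review an OS activity log for utility usage,
program access to sensitive data and system library changes. The line format,
accounts, programs, datasets and policy below are constructed."""
import re
from collections import Counter, namedtuple

Event = namedtuple("Event", "ts user program action dataset ref")

# Constructed line format: 'YYYY-MM-DD HH:MM:SS key=value key=value ...'
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")

def parse_line(line: str):
    """Return an Event for a well-formed line, or None so a garbled line is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    return Event(m.group(1), fields.get("user", "-"), fields.get("program", "-"),
                 fields.get("action", "-"), fields.get("dataset", "-"), fields.get("ref", "-"))

# Constructed control policy an auditor would expect to exist for these log areas.
POLICY = {
    # powerful utilities: only the support group, and only under an emergency change reference
    "restricted_utilities": {"AMSAPZAP", "DFDSS"},
    "support_group": {"support1", "support2"},
    # sensitive data: only allow-listed programs may touch these dataset prefixes
    "sensitive_prefixes": ("PROD.PAYROLL.", "PROD.CARD."),
    "allowed_programs": {"PAYROLL", "CARDAUTH"},
    # system parameters/libraries: any modification must carry a change reference
    "system_prefixes": ("SYS1.",),
    "modifying_actions": {"WRITE", "UPDATE", "RESTORE", "DELETE"},
}

def review(lines, policy=POLICY) -> list:
    """Apply the policy to each event; return (code, subject, object) findings in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.program in policy["restricted_utilities"]:
            if ev.user not in policy["support_group"]:
                findings.append(("UTILITY_UNAUTHORIZED_USER", ev.user, ev.program))
            if ev.ref == "-":
                findings.append(("UTILITY_NO_CHANGE_REF", ev.user, ev.program))
        if (ev.dataset.startswith(policy["sensitive_prefixes"])
                and ev.program not in policy["allowed_programs"] and ev.ref == "-"):
            findings.append(("SENSITIVE_DATA_ACCESS", ev.program, ev.dataset))
        if (ev.dataset.startswith(policy["system_prefixes"])
                and ev.action in policy["modifying_actions"] and ev.ref == "-"):
            findings.append(("SYSTEM_LIBRARY_CHANGE", ev.user, ev.dataset))
    return findings

def summarize(findings) -> dict:
    """Count findings per code, for the summary line of an audit working paper."""
    return dict(Counter(code for code, _, _ in findings))

# Constructed sample log: a routine payroll read, an unauthorized zap of a system
# library, an authorized restore under a change reference, an unexpected report
# program reading card data, and one garbled record.
SAMPLE_LOG = [
    "2010-06-08 09:12:31 user=jsmith program=PAYROLL action=READ dataset=PROD.PAYROLL.MASTER",
    "2010-06-08 09:15:02 user=ops01 program=AMSAPZAP action=UPDATE dataset=SYS1.PARMLIB",
    "2010-06-09 01:05:44 user=support2 program=DFDSS action=RESTORE dataset=PROD.CARD.AUTH ref=CHG-0421",
    "2010-06-09 08:30:00 user=batch01 program=REPORTGEN action=READ dataset=PROD.CARD.AUTH",
    "##corrupted record##",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
    print(summarize(review(SAMPLE_LOG)))
```

The change-reference check is what separates the authorized DFDSS restore from the zap of SYS1.PARMLIB; without it both would surface as utility use and the reviewer would have no way to tell them apart from the log alone.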

Page 37: CISA REVIEW

Real-World Example
A major financial processing organization involved with the authorization of credit card transactions at point of sale used software to manage its authorization and fraud control system that included a large number of system utilities. Some of these utilities had capabilities such as adding users or terminals, or starting and shutting down the system. An audit found that these utilities were contained in a library to which only authorized system support staff had access. However, one utility that system support staff thought could be used only for simple interrogation (such as current usage statistics) was held in a globally available library.

Think About It: As an IS auditor, would you be concerned that a system utility was available to all users?

Page 38: CISA REVIEW

Real-World Example: Answer
The auditor determined that it was possible, without even logging on, to access the mainframe and use the utility to request full statistical information on all of the hundreds of terminals currently connected to the authorization system. As an OS utility, this program took priority over application programs. This put such demands on the system's processing capabilities that the organization's business-critical applications could be shut down. All utilities should be regarded as a business risk and must be protected.