Chapter # : 04 - CISA
IT Service Delivery and Support
Chapter No. 4

IT Service Delivery and Support

Uploaded by: anila

DESCRIPTION

Chapter No. 4. IT Service Delivery and Support. HARDWARE REVIEWS (p-272): Capacity management; continuous review of HW and SS (system software) performance and capacity. PowerPoint PPT Presentation.


Page 1: IT Service Delivery and Support

Chapter # : 04 - CISA

IT Service Delivery and Support

Chapter No. 4

Page 2: IT Service Delivery and Support

HARDWARE REVIEWS : (P-272)

• Capacity management
  – Continuous review of HW and SS (system software) performance and capacity
  – Performance monitoring is based on historical data and the IS trouble log, processing schedules, job accounting system reports, preventive maintenance schedules and reports.

• Hardware acquisition:
  – The plan is compared regularly to management's business plans
  – Whether the environment is adequate for current and new installations
  – Technical obsolescence of existing and new HW
  – Proper documentation

Page 3: IT Service Delivery and Support

HARDWARE REVIEWS :

• PC acquisition criteria
  – Policy regarding acquisition and usage of PCs
  – Criteria and procedure for approval and acquisition of PCs
  – Supporting cost/benefit analysis
  – Acquisition through IS purchasing to take advantage of volume discounts and quality

• Review change management controls for:
  – Timely instructions to personnel to change HW configuration
  – Allowance of adequate time for installation and testing of HW
  – Selection of a sample of HW changes and the procedure followed
  – Ascertain that the HW change is communicated to all concerned
  – Effectiveness of the change, so that it does not interfere with the normal course of production / action

Page 4: IT Service Delivery and Support

OPERATING SYSTEM REVIEWS : (p-273)

During auditing of operating software development, acquisition or maintenance, the following approaches may be adopted:

• Interview Technical Services:
  – Regarding the approval process, test procedures, implementation process and documentation requirements

• System software selection procedures:
  – Include IS processing and control requirements, the software's capabilities and control options

• Feasibility and selection process:
  – Consistent with proposed system objectives and purposes. Same criteria for all proposals

Page 5: IT Service Delivery and Support

OPERATING SYSTEM REVIEWS :

• Review cost/benefit analysis:
  – For direct financial cost, maintenance, requirement and capacity of HW, training and technical support, impact on data security

• Review controls over installation of changed system software:
  – That all levels of software have been implemented with the least impact on IS processing, tests are completed, debugging done, and assurance of problem resolution

• Review of maintenance activities:
  – Ensure that changes in system software are documented and that the vendor supports the latest version

Page 6: IT Service Delivery and Support

OPERATING SYSTEM REVIEWS :

• System software change controls:
  – Access to libraries is controlled and limited to the individuals concerned; changes must be documented and tested before implementation. Proper approval is required to convert from testing mode to production

• Review of system documentation:
  – For installation control statements, parameter tables, exit conditions, activity logs/reports

• Test controls during implementation of SS:
  – Change procedures, authorization procedures, access security features, documentation requirements, audit trail, access control over the software in production

Page 7: IT Service Delivery and Support

OPERATING SYSTEM REVIEWS :

• Review authorization documentation:
  – Authorization of additions, deletions, or changes has been documented, and attempted violations are reported

• Review system software security:
  – Logical security access controls are safe from being circumvented. Procedures to limit access to system interrupts; security provided by the software; physical security of the master console

• Database-supported IS controls, to find that:
  – Data access and organization are appropriate; change procedures ensure integrity. A data dictionary is maintained and data redundancy is minimized.

Page 8: IT Service Delivery and Support

DATABASE REVIEWS : (p-274)

• Design:
  – The database model is verified and primary and foreign keys are identified. The logical schema (entities and their relationships) and the physical schema (tables, logs, indexes) are reviewed.

• Access:
  – Indexes are used to give efficient access to the required data.

• Administration:
  – Security levels for users and their roles are well justified. Backup and recovery procedures are established. Adequate handling of consistency and integrity for concurrent accesses

Page 9: IT Service Delivery and Support

DATABASE REVIEWS :

• Interfaces:
  – Integrity and confidentiality of data during interfacing with other systems.

• Portability:
  – Structured Query Language (SQL) is used as much as possible
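The design, access and administration items on the two DATABASE REVIEWS slides (primary and foreign keys, indexes, change procedures that preserve integrity) can be checked mechanically against a live schema. The following is an added example written for this page, not material from the slides or from ISACA; it uses Python's standard-library sqlite3 module on an in-memory database, and the tables, column names and sample rows are constructed for illustration. It shows the three things a reviewer would look for: that every table has a primary key, that foreign-key columns are indexed for efficient access, and that a change which would break referential integrity is rejected rather than silently accepted.

```python
"""Added example (not from the slides): a small schema-review harness.

All table names, columns and rows are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE department (
    dept_id   INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    dept_id   INTEGER NOT NULL REFERENCES department(dept_id),
    name      TEXT NOT NULL
);
-- Index on the foreign key so joins and lookups by department are efficient
CREATE INDEX idx_employee_dept ON employee(dept_id);
"""


def open_db():
    """Open an in-memory database with the constructed schema loaded."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless foreign-key enforcement is switched on;
    # a review should confirm the production setting, not assume it.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def describe_keys(conn, table):
    """Return (primary-key columns, [(column, referenced table, referenced column)])."""
    pk = [row[1] for row in conn.execute(f"PRAGMA table_info({table})") if row[5] > 0]
    fks = [(row[3], row[2], row[4])
           for row in conn.execute(f"PRAGMA foreign_key_list({table})")]
    return pk, fks


def list_indexes(conn, table):
    """Names of the indexes defined on a table (including auto-created UNIQUE indexes)."""
    return [row[1] for row in conn.execute(f"PRAGMA index_list({table})")]


def review_findings(conn):
    """Audit-style findings: tables without a primary key, FK columns with no index."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        pk, fks = describe_keys(conn, table)
        if not pk:
            findings.append(f"{table}: no primary key")
        indexed_cols = set()
        for idx in list_indexes(conn, table):
            for r in conn.execute(f"PRAGMA index_info({idx})"):
                indexed_cols.add(r[2])
        for col, ref_table, _ in fks:
            if col not in indexed_cols:
                findings.append(f"{table}.{col}: foreign key to {ref_table} has no index")
    return findings


def insert_employee(conn, emp_id, dept_id, name):
    """True if the row was accepted, False if referential integrity rejected it."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, dept_id, name))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO department VALUES (1, 'Audit')")
    db.commit()
    print("findings:", review_findings(db))
    print("valid row accepted:", insert_employee(db, 10, 1, "Ada"))
    print("orphan row accepted:", insert_employee(db, 11, 99, "Orphan"))
```

Run stand-alone it prints no findings for the constructed schema, accepts the employee in department 1 and rejects the employee pointing at the non-existent department 99. Adding a keyless table with an unindexed foreign key produces two findings, which is the kind of exception a database review would raise.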

Page 10: IT Service Delivery and Support

LOCAL AREA NETWORK REVIEWS : (275)

• Physical controls:
  – Physical controls should protect the LAN hardware and the access points to the LAN by limiting access to authorized personnel only.
  – LAN hardware devices, wiring closet, cabling
  – Keys to the LAN file server
  – LAN file server locking and prevention

• Test of physical controls:
  – Check all of the above factors

Page 11: IT Service Delivery and Support

LOCAL AREA NETWORK REVIEWS :

• Environmental controls:
  – Static electricity / surges
  – Power supply controls
  – UPS
  – Free of dust, smoke and food; humidity

• LAN logical security:
  – Unique encrypted passwords
  – Written authorization
  – Automatic disabling of an unused display after a set time
  – Logon attempts log
  – Information about the communication lines connected

• Test of logical security:
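The LAN logical security slide lists a logon attempts log and written authorization as controls, and the test of logical security is left unspecified. One concrete test is to review that log for patterns that warrant follow-up. The following is an added example written for this page, not material from the slides or from ISACA; the log format (timestamp, user, workstation, outcome) and every sample line are constructed, and the thresholds are assumptions a reviewer would set from site policy. It flags users with repeated failed logons inside a short window and successful logons outside business hours, the two kinds of entries an auditor would reconcile against the written authorizations.

```python
"""Added example (not from the slides): reviewing a LAN logon-attempts log.

Log format and sample lines are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, workstation, outcome
SAMPLE_LOG = """\
2024-03-01T08:00:12 alice WS-01 SUCCESS
2024-03-01T08:01:03 bob   WS-07 FAILURE
2024-03-01T08:01:20 bob   WS-07 FAILURE
2024-03-01T08:01:41 bob   WS-07 FAILURE
2024-03-01T08:02:05 bob   WS-07 FAILURE
2024-03-01T08:02:30 bob   WS-07 SUCCESS
2024-03-01T09:15:00 carol WS-03 FAILURE
2024-03-01T22:40:00 alice WS-09 SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, workstation, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, host, outcome))
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failures inside any sliding `window`.

    Returns {user: largest number of failures seen in one window}.
    """
    failures = defaultdict(list)
    for ts, user, _host, outcome in events:
        if outcome == "FAILURE":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def out_of_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons outside business hours, to check against written authorization."""
    return [(user, host, ts.isoformat())
            for ts, user, host, outcome in events
            if outcome == "SUCCESS" and not (start_hour <= ts.hour < end_hour)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(evts))
    print("out-of-hours logons:", out_of_hours_logons(evts))
```

On the constructed sample, bob's four failures within about a minute (followed by a success) are flagged, carol's single failure is not, and alice's 22:40 logon from WS-09 is listed for comparison with her authorization. The window and threshold are parameters because the slide gives no figures; they should come from the site's own policy.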

Page 12: IT Service Delivery and Support

NETWORK OPERATING CONTROL REVIEWS :

• In a DDP network there should be appropriate implementation, conversion and acceptance test plans
• Test plans for network hardware communication
• Ensuring consistency with laws governing transmission of data
• Identified the sensitive files/databases and their security
• Restart and recovery mechanism
• Assurance of minimum effect due to any failure
• Changes in the OS at user sites should be controlled by IS management
• Access to only allowed applications and data
• Encryption is being used for sensitive data
• Security policies are implemented in the following applied environments:
  – Highly distributed
  – Distributed
  – Mixed
  – Centralized
  – Highly centralized

Page 13: IT Service Delivery and Support

IS OPERATION REVIEW : (p-276)

• Computer operations:
  – Restricting operators' access capabilities to:
    Libraries
    Limited peripheral equipment
    Correcting programs
    System fixes, production source code, data libraries

• Scheduling:
  – Recording of jobs
  – Processing on a predetermined basis
  – Exception processing
  – Executing

• Identified the sensitive files/databases and their security
• Restart and recovery mechanism
• Assurance of minimum effect due to any failure
• Re-run handling

Page 14: IT Service Delivery and Support

IS OPERATION REVIEW :

• File handling procedure:
  – Control the receipt and release of files and storage media to/from other locations
  – The audit procedure should include a review that these procedures are in line with management's intent and authorization

• Data entry control:
  – Authorization of input documents
  – Reconciliation of totals
  – Segregation of duties

• Auditing of the above controls and, in addition, the production and review of control reports and their accuracy and completeness.
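"Reconciliation of totals" under data entry control refers to comparing the control totals recorded on a batch header by the originating department with totals recomputed from the records actually keyed. The following is an added example written for this page, not material from the slides or from ISACA; the batch header, the account numbers and the amounts are constructed. It shows the three customary totals (record count, amount total and a hash total of the account numbers) and why the hash total matters: two transposed digits in an account number leave the amounts in balance and are caught only by the hash total.

```python
"""Added example (not from the slides): batch control-total reconciliation.

Header values and keyed records are constructed for illustration.
"""
from decimal import Decimal

# Constructed batch header as recorded by the originating department
BATCH_HEADER = {
    "record_count": 4,
    "amount_total": Decimal("1250.00"),
    "hash_total": 4046,   # sum of the account numbers, meaningless except as a control
}

# Constructed keyed records: (account number, amount)
KEYED_RECORDS = [
    (1001, Decimal("400.00")),
    (1002, Decimal("350.00")),
    (1021, Decimal("300.00")),
    (1022, Decimal("200.00")),
]


def compute_totals(records):
    """Recompute the three control totals from the records as keyed."""
    return {
        "record_count": len(records),
        "amount_total": sum((amount for _, amount in records), Decimal("0")),
        "hash_total": sum(account for account, _ in records),
    }


def reconcile(header, records):
    """List every control total that disagrees; an empty list means the batch balances."""
    actual = compute_totals(records)
    return [f"{name}: header {header[name]} vs keyed {actual[name]}"
            for name in header if header[name] != actual[name]]


if __name__ == "__main__":
    print("as keyed:", reconcile(BATCH_HEADER, KEYED_RECORDS))
    # Same amounts, but account 1021 keyed as 1012 (transposed digits)
    transposed = [(1001, Decimal("400.00")), (1002, Decimal("350.00")),
                  (1012, Decimal("300.00")), (1022, Decimal("200.00"))]
    print("transposed key:", reconcile(BATCH_HEADER, transposed))
```

Amounts are held as Decimal rather than float so the comparison with the header is exact. A dropped record shows up in all three totals; a transposed account number shows up in the hash total alone, which is exactly the error the other two totals cannot see.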

Page 15: IT Service Delivery and Support

LIGHTS-OUT OPERATIONS :

• Remote access:
  – Secure and leased line / dial-back should be used for extensive access security to the remote terminal in case of contingency
• Contingency plan for proper identification of a disaster, and its test
• Program change controls and access controls, and their periodic test
• Errors should not be hidden by software

Page 16: IT Service Delivery and Support

PROBLEM MANAGEMENT REPORTING REVIEWS

• Interview with IS operations personnel (p-278)
  – Procedures to record, evaluate and resolve or escalate problems
  – Performance records
  – Review of reasons for delay in processing by application software
  – Review of the procedure for collecting on-line processing performance
  – Establishment of procedures for handling data processing problems
  – Assurance of resolution of all identified problems
  – Prevention of recurring problems
  – Resolution of problems in a timely and complete manner
  – IS management reporting produced by the problem management system as evidence of proper review
  – Outstanding error logs
  – Documentation of developed escalation procedures

Page 17: IT Service Delivery and Support

The OSI Model (p-252)

A layered framework for the design of network systems that allows communication across all types of computer systems regardless of their underlying architecture.

Please Do Not Touch Shakeel's Pet Alligator (mnemonic for the seven layers from the bottom up: Physical, Data Link, Network, Transport, Session, Presentation, Application)

Network support layers: 1-3. User support layers: 5-7.