CISA REVIEW The material provided in this slide show came directly from Certified Information - PowerPoint Presentation

Uploaded by reportssuper (@reportssuper) on 2020-08-28



Presentation Transcript

Slide 1

CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Slide 2

Chapter 4 – IT Service Delivery and Support

Learning Objectives:

Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed.

Evaluate operations management to ensure that IT support functions effectively meet business needs.

Evaluate data administration practices to ensure the integrity and optimization of databases.

Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.

Evaluate problem and incident management practices to ensure that incidents, problems or errors are recorded, analyzed and resolved in a timely manner.

Slide 3

The overall responsibility for all operations within the IS department resides with IS management. The IS auditor is not expected to be a technical expert on computer operations. Rather, the auditor should understand the importance of management controls over operations in support of business functions.

Slide 4

The purpose of the IS department is to provide service for end users. Often, the level of service guaranteed to users of the IS facilities is documented in service level agreements (SLAs). SLAs are key to effective management of IT services. They should be used to ensure a clear understanding of the expectations and services offered.

An SLA should fully define the nature, type, time and other relevant information for each service. Factors that should be considered in the delivery of these services include accuracy, completeness, timeliness and proper distribution of output related to application processing.

SLAs should be used both for outsourcing agreements and internally – between the IS department and its end-user clients. This is especially important where there is a contractual relationship between the IS department and the end user or customer. An SLA may be linked to a chargeback system, in which a specified percentage of the cost is apportioned from the end-user department to the IS department.

Slide 5

SLAs must address a clear business need. For example, this might include:

System availability – regular hours and arrangements for out-of-hours service and support

Support availability – regular hours and arrangements for out-of-hours service and support

Throughput – traffic volumes, response times, etc.

Changes – change management rules and agreed-on target timescales

Security – standards and expectations, escalation procedures, etc.

Slide 6

An audit of service level management should look for a lack of understanding by the customer of the purpose of service level management. The process requires building a relationship between the business units and IS.

Determining the state of the pre-SLA service must be done before the SLA can be agreed on, and achieving a shared perception by customers and IS can be challenging. Unless this is accomplished, other problems will ensue such as SLAs that are based on desires rather than on achievable targets. The audit must also:

Verify targets before the SLA is agreed on

Ensure targets are achievable

Other potential problems include:

Lack of focus, confused definitions and inadequate resources

Lack of clearly defined responsibilities of all parties

Targets that are IT-based rather than aligned by business

Failure to communicate the SLA and its targets

Lack of senior management commitment to service level management

Slide 7

Question: Real-World Example

A multinational bank outsourced processing of its credit and debit card transactions. The maintenance of the SLA is critical to the ability of the bank to provide the required and expected service to their customers. Substantial penalties could be applied to unexpected SLA failures.

Slide 8

Answer: Real-World Example

The bank's IS auditor should:

Verify that the agreed-on SLAs were achievable by the outsourcing vendor.

Verify that adequate and complete reports of SLA achievement were prepared by the vendor's IS department in good time for the monthly SLA management meetings.

Verify that the SLA achievement reports highlighted any failures, included a reasonable explanation for the failures and outlined measures in place to ensure the failures did not recur.
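As an added example (not from the ISACA slides), this Python check automates the two SLA verifications an auditor performs: the achievability test from Slide 6 against a measured pre-SLA baseline, and the review of the vendor's monthly achievement report described on this slide. Service names, targets and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class SlaTarget:
    service: str
    min_availability_pct: float   # agreed minimum monthly availability
    max_response_ms: int          # agreed maximum average response time

@dataclass
class MonthlyResult:
    service: str
    availability_pct: float
    response_ms: int
    explanation: str = ""         # vendor's reason for a shortfall, if any
    corrective_action: str = ""   # measures taken so the failure does not recur

def unachievable_targets(targets, baseline):
    """Slide 6: a target stricter than any pre-SLA baseline month is a desire, not a target."""
    findings = []
    for t in targets:
        hist = [m for m in baseline if m.service == t.service]
        if not hist:
            findings.append((t.service, "no pre-SLA baseline measured"))
            continue
        best_avail = max(m.availability_pct for m in hist)
        best_resp = min(m.response_ms for m in hist)
        if t.min_availability_pct > best_avail or t.max_response_ms < best_resp:
            findings.append((t.service, "target stricter than best baseline month"))
    return findings

def check_sla_report(targets, report):
    """Slide 8: every target reported on; every miss explained, with measures against recurrence."""
    findings = []
    reported = {r.service: r for r in report}
    for t in targets:
        r = reported.get(t.service)
        if r is None:
            findings.append((t.service, "no achievement figures reported"))
            continue
        missed = (r.availability_pct < t.min_availability_pct
                  or r.response_ms > t.max_response_ms)
        if not missed:
            continue
        if not r.explanation.strip():
            findings.append((t.service, "SLA missed with no explanation"))
        if not r.corrective_action.strip():
            findings.append((t.service, "SLA missed with no corrective action"))
        if r.explanation.strip() and r.corrective_action.strip():
            findings.append((t.service, "SLA missed; review explanation at SLA meeting"))
    return findings

# Constructed data: card-processing services, a pre-SLA baseline and one monthly report
TARGETS = [
    SlaTarget("card-auth", 99.9, 500),
    SlaTarget("settlement-batch", 99.5, 2000),
    SlaTarget("chargeback-portal", 99.0, 3000),
    SlaTarget("dispute-api", 99.0, 1000),
]
BASELINE = [
    MonthlyResult("card-auth", 99.95, 420), MonthlyResult("card-auth", 99.91, 470),
    MonthlyResult("settlement-batch", 99.2, 1800), MonthlyResult("settlement-batch", 99.4, 1900),
    MonthlyResult("dispute-api", 99.3, 800),
]
REPORT = [
    MonthlyResult("card-auth", 99.97, 380),
    MonthlyResult("settlement-batch", 98.9, 1700),
    MonthlyResult("chargeback-portal", 98.5, 2500,
                  explanation="Storage exhausted 3-5 March",
                  corrective_action="Capacity alert at 80% and weekly review added"),
]

def audit_sample():
    """Run both checks on the constructed data; each value is a list of (service, finding)."""
    return {"targets": unachievable_targets(TARGETS, BASELINE),
            "report": check_sla_report(TARGETS, REPORT)}
```

Settlement-batch is flagged twice: its target exceeds anything the vendor achieved before the SLA, and its miss is reported without explanation or corrective action.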

Slide 9

A major responsibility of IS management is ensuring the implementation of control functions including:

Authorization and monitoring of IT resource usage based on corporate policy

Identification of internal and external security vulnerabilities, and their timely resolution

Detection of intrusion attempts

Review and authorization of changes to the network, system and applications

Monitoring to ensure compliance with standards

Review of logs from all IT systems to detect critical system events and establish accountability of IT operations

Capability of IS processing to recover from minor and major disruptions in a timely manner

Confidentiality, integrity and availability of the data

Plans for equipment replacement and capacity changes to maximize current job throughput and efficiently manage future acquisitions

Management of hardware and software changes to avoid undue disruption to normal processing

Maintenance of job accounting reports and other audit records

Control of logical and physical access to computer resources

Slide 10

Instructions:

Here are four issues and four resource monitoring reports that should identify the issue. Match each issue to the corresponding report.

Issues

Delayed reports

Operator training

Poor system testing

Security access problems

Reports

Console logs

Output distribution report

Operations problem report

Abnormal job termination report

Slide 11

Answers:

Delayed reports – Output distribution report

Operator training – Operations problem report

Poor system testing – Abnormal job termination report

Security access problems – Console logs

Slide 12

Like any other asset of an organization, computer resources should be used in a way that benefits the entire organization. A variety of tools are available to monitor systems performance and provide information to authorized personnel. This information should be used as part of an established process for systems monitoring that conforms to the organization's strategies and policies.

Slide 13

Monitoring Use of Resources

Controls over computer resources – sometimes referred to as general controls – are essential because of the reliance on computer processing in managing the business. The complexity of software and hardware, and their interrelationships, require controls to detect and document any abnormal conditions that could lead to the identification of an error. This generally is in the form of an automated or manual log.

Errors that should be entered in the log include:

Program errors

System errors

Operator errors

Network errors

Telecommunication errors

Hardware errors

Slide 14

Example log:

An error log entry should include the items shown:

Date

Code

Description

Source

Escalation

Status

Responsibility

Department

Resolution

Narrative
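Added example, not part of the slides: a completeness check of an error log laid out with the fields listed above, tested against the six error types from the previous slide. The CSV layout and every entry in it are constructed.

```python
import csv
from io import StringIO

# The six error types from Slide 13 and the entry fields from Slide 14
ERROR_SOURCES = {"program", "system", "operator", "network", "telecommunication", "hardware"}
FIELDS = ["date", "code", "description", "source", "escalation", "status",
          "responsibility", "department", "resolution", "narrative"]

# Constructed sample log (CSV form is assumed; one row per logged error)
SAMPLE_LOG = """\
date,code,description,source,escalation,status,responsibility,department,resolution,narrative
2020-08-03,E1041,Nightly batch abend step 7,program,level2,resolved,J. Ortiz,App Support,Job JCL corrected,Re-run completed 06:10
2020-08-04,E1042,Tape drive 3 write fault,hardware,none,open,,,,
2020-08-05,E1043,Router R2 flapping,network,level1,escalated,K. Lam,NetOps,,Vendor ticket raised
2020-08-06,E1044,Report routed to wrong office,user,none,resolved,A. Singh,Ops,Redistributed,Finance copy delivered
2020-08-07,E1045,Console hang,system,level3,resolved,M. Ross,SysProg,,Partition restarted
"""

def check_error_log(text):
    """Return (code, finding) pairs for entries that would not survive an audit of the log."""
    reader = csv.DictReader(StringIO(text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        return [("log", "missing columns: " + ", ".join(missing))]
    findings = []
    for row in reader:
        code = row["code"]
        if row["source"] not in ERROR_SOURCES:
            findings.append((code, f"unrecognised error source '{row['source']}'"))
        if row["status"] in ("open", "escalated") and not (row["responsibility"] and row["department"]):
            findings.append((code, "unresolved error has no assigned owner"))
        if row["status"] == "escalated" and row["escalation"] == "none":
            findings.append((code, "escalated but no escalation level recorded"))
        if row["status"] == "resolved" and not row["resolution"]:
            findings.append((code, "resolved but no resolution recorded"))
        if not row["narrative"]:
            findings.append((code, "no narrative of the condition recorded"))
    return findings

def open_errors_by_source(text):
    """Count unresolved entries per error type for the operations review."""
    counts = {}
    for row in csv.DictReader(StringIO(text)):
        if row["status"] != "resolved":
            counts[row["source"]] = counts.get(row["source"], 0) + 1
    return counts
```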

Slide 15

This section gives an overview of various types of computer hardware and networking components. For an IS auditor, what is important is understanding the capabilities of the various devices and how they affect business risk and support business objectives.

Slide 16

Computer system hardware includes components that, while performing interdependent functions, can be classed as either processing components or input/output (I/O) components.

Processing Components

The principal hardware component of a computer is the central processing unit (CPU). This is made up of an arithmetic logic unit (ALU), a control unit and an internal memory. The control unit's circuits control or direct all system operations. The ALU handles mathematical and logical operations. The internal memory (within the CPU) processes transactions.

In addition to the CPU, the computer requires random access memory (RAM), read-only memory (ROM) and, usually, permanent storage devices such as a hard disk.

Input/Output Components

I/O components are used to transfer information or instructions to the computer and to record or collect the output generated. A keyboard, for example, is an input-only device, but a touch screen can serve as both an input and output device. Printers are an example of an output-only device.

Slide 17

A distributed computing environment uses a variety of devices to deliver application services:

Print servers – Allow an organization to consolidate printing resources rather than provide a number of printers

Application (program) servers – Host the software that provides application access to client computers, as well as the application processing and communication with the application database. The consolidation of applications and licenses enhances application security and control.

Web servers – Provide information and services to internal and external users through web pages and applications

Proxy servers – Serve as an intermediate link between users and resources by accessing services on the user's behalf, offering (depending on the setup) greater speed and/or greater security

Database servers – Provide a repository for raw data and work with application servers and web servers to provide the processing of the data

Slide 18

A proxy server has a large variety of potential purposes, including:

To keep machines behind it anonymous (mainly for security).

To speed up access to resources (using caching). Web proxies are commonly used to cache web pages from a web server.

To apply access policy to network services or content, e.g. to block undesired sites.

To log / audit usage, i.e. to provide company employee Internet usage reporting.

To scan transmitted content for malware before delivery.

To scan outbound content, e.g., for data leak protection.

Slide 19

Appliances – Specialized devices providing a single type of service more efficiently than would be possible for a multipurpose device. Examples include:

Firewalls – Positioned between network segments, these inspect the traffic and apply security policies. The effectiveness of the firewall depends on the quality of the security policies.

Switches – Used to divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks

Routers – Used to link two or more physically separate network segments, which can still function as independent networks

Load balancers – Distribute traffic across several different devices to increase the performance and availability of IT services

Slide 20

Instructions:

Here are five network components and five descriptions. Match each component to its description.

Component

Database server

Firewall

Load balancer

Proxy server

Router

Description

Provides link between user and resources, accessing services on user's behalf

Provides repository for raw data

Distributes traffic across devices to increase performance

Applies security policies

Links two or more physically separate networks but allows them to function independently

Slide 21

Answer:

Database server – Provides repository for raw data

Firewall – Applies security policies

Load balancer – Distributes traffic across devices to increase performance

Proxy server – Provides link between user and resources, accessing services on user's behalf

Router – Links two or more physically separate networks but allows them to function independently

Slide 22

Database Management Systems

A DBMS enables an organization to organize, control and use the data needed by application programs. The principal functions of a DBMS include reducing data redundancy, improving access time and providing basic security for sensitive data.

A DBMS data dictionary identifies the fields, their characteristics and their use. These dictionaries may be active or passive. A passive dictionary is only a repository of information that can be viewed or printed. An active data dictionary includes entries for all data elements and facilitates application processing – for example, by providing validation characteristics or print formats.

Slide 23

A DBMS offers an organization a number of advantages:

Allowing data to exist independent of the applications that use them

Simplifying support for changing data requirements

Improving efficiency of transaction processing

Reducing data redundancy

Maximizing data consistency

Minimizing maintenance cost through data sharing

Enabling enforcement of data/programming standards

Enforcing data security

Enabling integrity checks on stored data

Facilitating users' ad hoc access to data, especially through designed query languages and application generators

Slide 24

Instructions:

Here are five terms and five descriptions. Match each term to its corresponding description.

Term

Data definition language (DDL)

Data dictionary

Field

Metadata

Normalization

Description

Creates a representation of the schema

Reduces data redundancy

Basic data element

The data elements required to define a database

Description of all the items stored in the database

Slide 25

Answers:

Data definition language (DDL) – Creates a representation of the schema

Data dictionary – A listing of all data stored in the database that describes for each data element the name, data type (numeric, alphanumeric, etc.), length, whether it is required or not, a description, etc.

Field – Basic data element

Metadata – Data about data stored in a system that provides additional relevant information about this data. For example, a customer entry should include metadata about when the customer was created, who created the new customer, changes to the customer master record, etc.

Normalization – Reduces data redundancy

Slide 26

Database Controls

Most DBMSs have internal security features that interact with the OS access control functions. These security features are often combined to cover security concerns associated with maintaining database integrity and availability.

Among the controls may be:

Establishing and enforcing definition standards

Establishing and implementing data backup and recovery procedures to ensure database availability

Establishing necessary levels of access controls for data items, tables and files to prevent inadvertent or unauthorized access

Establishing controls to ensure only authorized personnel can update the database

Slide 27

Database Controls

A DBMS can control user access at these levels:

User and the database

Program and the database

Transaction and the database

Program and data field

User and transaction

User and data field

Slide 28

Real-World Example

Government regulations require that a major utility submit certain complex statistical information. To comply with the mandate, the organization used a database that had been created by a member of the finance department who had a great deal of business experience, but no formal IS training or experience with risk management.

This large database embedded highly technical algorithms for calculating management information and had been in use for many years. The system used an old version of the database software which was no longer supported by the software vendor. No formal normalization had been carried out, although there was no evidence of data redundancy. Finally, there were no security or resilience controls in place.

The database creator was about to retire and was the only person in the organization who had knowledge of the database and how to interpret the information analyses. The finance department management did not have an understanding of how the required data were collected and collated.

Think About It:

What would you, as an IS auditor, recommend to management?

Slide 29

Real-World Example: Answer

The database was critical to the very existence of the business because incomplete, inaccurate or late submission of the data to the governing body would result in legal action resulting in heavy fines and, possibly, the forced closure of the business.

In this case, the IS auditor recommended:

Create a new database using current software.

Place the database on a network server, subject to network access controls and routine backups.

Retain the staff member as a consultant to advise on the design and implementation of the new database.

Slide 30

IS auditors need an overall understanding of the purpose and function of Operating System (OS) software, database management systems, and utility programs. Although in-depth knowledge of specific software is not necessary, the business purposes and control requirements of each are critical elements in an audit.

Slide 31

An OS manages the sharing and use of the computer resources such as processors, real memory (e.g., RAM), auxiliary memory (e.g., disk storage) and I/O devices. An OS contains programs that interact between the user, the processor and applications software.

The functions an OS performs include:

Defining user interfaces

Permitting users to share hardware and data

Scheduling resources among users

Informing users of any errors that occur with the processor, I/O or programs

Enabling recovery from system errors

Communicating between the OS and applications to allocate memory to processes, and making the memory available again when the process is completed

Allowing system file management

Slide 32

The OS settings enable activity logging, which allows analysis of system functions. Among the areas that can be analyzed based on the activity log are:

Data file versions used for production processing

Program access to sensitive data

Programs scheduled and run

Utilities or service aids usage

OS operation to ensure OS integrity has not been compromised by improper changes to system parameters and libraries

If an OS is improperly implemented or monitored, the result can be unauthorized access, inaccurate system usage logs, undetected errors and corrupted data.

Slide 33

Tape and Disk Management Systems

To provide controls for removable resources such as tapes and disks, organizations can use an automated tape management system (TMS) or disk management system (DMS). This specialized system software tracks and lists tape or disk resources, and includes:

Data set name

Specific tape reel or disk drive location

Creation date

Effective date

Retention period

Expiration date

Contents information

Slide 34

Utility Programs

Utility programs – the system software used to perform maintenance and routines required during normal processing operations – can be categorized into five functional areas, based on how they are used:

Understanding application systems

Assessing or testing data quality

Testing a program's ability to function correctly and maintain data integrity

Assisting in faster program development

Improving operational efficiency

Slide 35

Utility Programs, cont.

Server and PC operating systems are often equipped with specific utilities to:

Handle verification, cleaning and defragmenting of hard disk and removable memory units

Define the file system standard to be used for each unit

Initialize removable data volumes (floppy disk) and volumes of disk/removable memory

Save/restore system images

Reconstruct and restore (logically) canceled files

Test system units and peripherals

Many of these utility programs can perform outside the security system or can function without producing an audit trail of activity. As a result, access to and use of these sensitive and powerful utilities should be well controlled and restricted.

Slide 36

Utility Programs, cont.

IBM has a utility called AMASPZAP, colloquially known as Super Zap, which bypasses all access control software and has the ability to change data while they are being processed, to change programs while they are running and even to change the OS parameters. Super Zap's use must be restricted to emergency access codes only, since it may also bypass system logging.

Many UNIX system managers make use of hacker utilities such as COPS and SATAN to assess system vulnerabilities. By definition, these would provide the same information to an unauthorized user.
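Added example, not part of the ISACA material: a review of a constructed OS activity log for the areas listed on Slide 32 (program access to sensitive data, utility and service-aid usage, changes to system parameters and libraries) and for the utility-restriction points above. The log format, library names, ticket prefixes and every program name other than AMASPZAP are assumptions made for the example.

```python
import re

# Control parameters (all constructed for the example)
RESTRICTED_UTILITIES = {"AMASPZAP"}          # Slide 36: emergency access only
UTILITY_PROGRAMS = {"AMASPZAP", "TERMSTAT"}  # utilities that must not sit in an open library
GLOBAL_LIBRARIES = {"PUBLIC.LOADLIB"}        # libraries every user can execute from
SENSITIVE_PREFIX = "PROD.PAYROLL."           # datasets whose program access must be authorized
AUTHORIZED_PROGRAMS = {"PAYRUN"}
SYSTEM_LIBRARIES = {"SYS1.PARMLIB", "SYS1.LINKLIB"}  # updates need an approved change ticket

# Constructed activity log: timestamp followed by key=value pairs (format assumed)
SAMPLE_LOG = """\
2020-08-28T02:13:55 user=OPS03 program=AMASPZAP lib=SYS1.LINKLIB action=EXEC ticket=EMG-0412
2020-08-28T02:14:10 user=DEV17 program=AMASPZAP lib=SYS1.LINKLIB action=EXEC
2020-08-28T03:02:44 user=BATCH01 program=PAYRUN lib=PROD.LOADLIB action=READ dataset=PROD.PAYROLL.MASTER
2020-08-28T03:05:01 user=DEV17 program=COPYUTIL lib=SYS1.LINKLIB action=READ dataset=PROD.PAYROLL.MASTER
2020-08-28T04:20:19 user=SYSPROG2 program=EDITUTIL lib=SYS1.LINKLIB action=UPDATE dataset=SYS1.PARMLIB ticket=CHG-2210
2020-08-28T04:21:03 user=OPS03 program=EDITUTIL lib=SYS1.LINKLIB action=UPDATE dataset=SYS1.PARMLIB
2020-08-28T05:00:00 user=CLERK9 program=TERMSTAT lib=PUBLIC.LOADLIB action=EXEC
"""

def parse_record(line):
    """Split one log line into a dict; returns None for lines that do not parse."""
    parts = line.strip().split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        m = re.fullmatch(r"(\w+)=(\S+)", kv)
        if m:
            rec[m.group(1)] = m.group(2)
    return rec

def review_activity_log(text):
    """Return (timestamp, user, finding) triples for the review areas on Slide 32."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        who = (rec["ts"], rec.get("user", "?"))
        prog, lib = rec.get("program", ""), rec.get("lib", "")
        dataset, ticket = rec.get("dataset", ""), rec.get("ticket", "")
        # Utility usage: Super Zap-class tools only under an emergency access ticket
        if prog in RESTRICTED_UTILITIES and not ticket.startswith("EMG-"):
            findings.append(who + ("restricted utility run without emergency access ticket",))
        # Program access to sensitive data outside the authorized application
        if dataset.startswith(SENSITIVE_PREFIX) and prog not in AUTHORIZED_PROGRAMS:
            findings.append(who + ("unauthorized program accessed sensitive data",))
        # OS integrity: parameter and library changes must trace to an approved change
        if dataset in SYSTEM_LIBRARIES and rec.get("action") == "UPDATE" and not ticket.startswith("CHG-"):
            findings.append(who + ("system parameters changed without approved change",))
        # Slide 38 concern: a utility held in a library available to all users
        if prog in UTILITY_PROGRAMS and lib in GLOBAL_LIBRARIES:
            findings.append(who + ("utility program executed from globally available library",))
    return findings
```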

Slide 37

Real-World Example

A major financial processing organization involved with the authorization of credit card transactions at point of sale used software to manage its authorization and fraud control system that included a large number of system utilities.

Some of these utilities have capabilities such as adding users or terminals, or starting and shutting down the system. An audit found that these utilities were contained in a library to which only authorized system support staff had access.

However, one utility that system support staff thought could be used only for simple interrogation (such as current usage statistics) was held in a globally available library.

Think About It:

As an IS auditor, would you be concerned that a system utility was available to all users?

Slide 38

Real-World Example: Answer

The auditor determined that it was possible, without even logging on, to access the mainframe and use the utility to request full statistical information on all of the hundreds of terminals currently connected to the authorization system. As an OS utility, this program took priority over application programs. This put such demands on the system's processing capabilities that the organization's business-critical applications could be shut down.

All utilities should be regarded as a business risk and must be protected.