
CISA Review Course 26th Edition
Domain 4: Information Systems Operations, Maintenance and Service Management

Domain 4: Information Systems Operations, Maintenance and Service Management

Provide assurance that the processes for information systems operations, maintenance and service management meet the organization's strategies and objectives.


Domain 4

The focus of Domain 4 is on providing assurance that IT service level expectations are derived from the business objectives of the enterprise.

Domain Objectives

The objective of this domain is to ensure that the CISA candidate possesses a sound understanding of key service delivery elements, such as:
o Service management frameworks
o Service level agreements
o Incident handling
o Network administration and control
o Data quality and data life cycle management
o Planning for service delivery interruptions


On the CISA Exam

Domain 4 represents 20% of the questions on the CISA exam (approximately 30 questions).
Domain 4 incorporates 10 tasks related to information systems operations, maintenance and service management.

Domain Tasks

4.1 Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
4.2 Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives within the enterprise architecture (EA).


4.3 Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization's objectives.
4.4 Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization's objectives.
4.5 Evaluate database management practices to determine the integrity and optimization of databases.
4.6 Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.
4.7 Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization's objectives.


4.8 Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
4.9 Evaluate end-user computing to determine whether the processes are effectively controlled and support the organization's objectives.
4.10 Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization's objectives.

Task 4.1

Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.


Key Terms

IT service: The day-to-day provision to customers of IT infrastructure and applications, and support for their use, e.g., service desk, equipment supply and moves, and security authorizations (COBIT 5 perspective).
Service level agreement (SLA): An agreement, preferably documented, between a service provider and customer/user defining minimum performance targets for a service and how they will be measured.

Task to Knowledge Statements

How does Task 4.1 relate to each of the following knowledge statements?
K4.1 Knowledge of service management frameworks: The IS auditor should have awareness and knowledge of the major service management frameworks (e.g., IT Infrastructure Library, International Organization for Standardization [ISO] 20000), their contents and their objectives.


K4.2 Knowledge of service management practices and service level management: Service level management ensures that services meet customers' expectations and that service level agreements (SLAs) are continuously maintained and improved as needed.
K4.3 Knowledge of the techniques for monitoring third-party performance and compliance with service agreements and regulatory requirements: It is essential for the IS auditor to understand the latest approaches in contracting strategies, processes and contract management practices.
K4.5 Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems): The IS auditor must be familiar with the functionality of information system hardware and network components. This includes understanding the importance of the physical part of all IS/IT solutions that support the organizational objectives and goals.


K4.10 Knowledge of capacity planning and related monitoring tools and techniques: The IS auditor is expected to be aware of the concepts of capacity management and the essential information requirements of the task, such as technical performance reports and information on projected business needs.
K4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing): IT performance monitoring of critical processes and assets should be conducted on a continuous basis to ensure reliable IT services that meet SLAs and achieve defined business objectives.
K4.14 Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention): It is necessary for the IS auditor to understand the concepts of data quality and data life cycle management.


K4.18 Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery: The IS auditor needs to understand and be able to evaluate the following:
o The applicable regulatory and contractual environment
o The disaster recovery strategies needed to enable the organization to meet these requirements regardless of the operational state of the IS environment

IT Service Management

IT service management (ITSM) supports business needs through the implementation and management of IT services.
People, processes and information technology are each a part of IT services.
A service management framework provides support for the implementation of ITSM.


ITSM Frameworks

Two primary frameworks guide ITSM:
o The IT Infrastructure Library (ITIL): ITIL is a reference for service delivery good practice. Its practices should be adapted to the needs of the specific organization.
o ISO 20000-1:2011, Information technology - Service management - Part 1: Service management system requirements: ISO 20000 is primarily used as a demonstration of compliance with accepted good practice. It requires service providers to implement the plan-do-check-act (PDCA) methodology and apply it to their service management processes.

The ITSM Premise

The bases of ITSM are:
o IT can be managed through a series of discrete processes.
o The business and IT are interdependent.
Service level agreements (SLAs) detail service expectations.
To ensure high levels of service, ITSM metrics are compared against the SLA expectations.
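
The comparison of measured ITSM metrics against SLA expectations, as an added worked example in Python (this is not part of the ISACA course material). The probe samples, the incident tickets and the three SLA clauses (availability floor, 95th-percentile latency ceiling, P1 first-response ceiling) are constructed for illustration; the nearest-rank percentile method is an assumption of the example, since SLAs vary in how they define it.

```python
"""Compare measured service metrics against SLA targets.

Constructed example: probe samples, incident tickets and the SLA clauses
below are made up to illustrate the comparison, not taken from any real
service or from the ISACA material.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SlaTarget:
    availability_pct: float   # minimum percentage of successful probes
    p95_latency_ms: float     # maximum 95th-percentile latency of successful probes
    p1_response_min: float    # maximum minutes to first response on a P1 incident


# Constructed probe samples: (timestamp, HTTP status, latency in ms), one every 5 minutes.
PROBES = [
    (datetime(2016, 3, 1, 0, 0) + timedelta(minutes=5 * i), status, latency)
    for i, (status, latency) in enumerate([
        (200, 120), (200, 140), (200, 130), (503, 0), (503, 0), (200, 300),
        (200, 150), (200, 160), (200, 135), (200, 145), (200, 125), (200, 155),
    ])
]

# Constructed incident tickets: (priority, opened, first response).
INCIDENTS = [
    ("P1", datetime(2016, 3, 1, 0, 15), datetime(2016, 3, 1, 0, 40)),
    ("P2", datetime(2016, 3, 1, 2, 0), datetime(2016, 3, 1, 4, 0)),
    ("P1", datetime(2016, 3, 1, 9, 0), datetime(2016, 3, 1, 9, 55)),
]


def availability_pct(probes):
    """Share of probes that did not return a server error (5xx)."""
    ok = sum(1 for _, status, _ in probes if status < 500)
    return 100.0 * ok / len(probes)


def percentile(values, pct):
    """Nearest-rank percentile: the value at rank ceil(pct/100 * n) of the sorted list.
    With no successful probes there is no latency to report, which can never meet a ceiling."""
    ordered = sorted(values)
    if not ordered:
        return math.inf
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def worst_p1_response_min(incidents):
    """Longest time to first response across P1 tickets (0 if there were none)."""
    waits = [(responded - opened).total_seconds() / 60
             for prio, opened, responded in incidents if prio == "P1"]
    return max(waits, default=0.0)


def evaluate_sla(probes, incidents, target):
    """Return {metric: (measured, target, met)} for every SLA clause."""
    latencies = [lat for _, status, lat in probes if status < 500]
    measured = {
        "availability_pct": availability_pct(probes),
        "p95_latency_ms": percentile(latencies, 95),
        "p1_response_min": worst_p1_response_min(incidents),
    }
    # Availability is a floor; latency and response time are ceilings.
    rules = {
        "availability_pct": (target.availability_pct, lambda m, t: m >= t),
        "p95_latency_ms": (target.p95_latency_ms, lambda m, t: m <= t),
        "p1_response_min": (target.p1_response_min, lambda m, t: m <= t),
    }
    return {name: (measured[name], rules[name][0], rules[name][1](measured[name], rules[name][0]))
            for name in measured}


def breaches(report):
    """Names of the clauses that were not met, sorted."""
    return sorted(name for name, (_, _, met) in report.items() if not met)


if __name__ == "__main__":
    sla = SlaTarget(availability_pct=99.9, p95_latency_ms=500, p1_response_min=30)
    report = evaluate_sla(PROBES, INCIDENTS, sla)
    for name, (measured, target, met) in report.items():
        print(f"{name:18} measured={measured:8.2f} target={target:8.2f} {'OK' if met else 'BREACH'}")
    print("breaches:", breaches(report))
```

Two things an auditor would check before trusting such a report: the probe interval bounds what the availability figure can see (five-minute probes miss any outage shorter than five minutes, so the measured 83.3% here is an upper bound on what the users experienced), and the metric definitions in the code must match the wording of the SLA clause by clause, otherwise the comparison is against the wrong target.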


SLA Tools

Several reporting tools aid in determining whether service expectations are being met. These include:
o Exception reports
o System and application logs
o Operator problem reports
o Operator work schedules

When there is a contractual relationship between the IT department and the end user or customer, SLA service level definition is particularly important.
o The IS auditor should be aware of these defined expectations, ensuring that they are comprehensive.
o These should include measures to address:
  Risk, security and control
  Efficiency and effectiveness


Enterprise Architecture

Enterprise architecture (EA) describes the design of the components of a business system or subsystem.
o EA presents these components in a structured form, facilitating consideration of IT investments and clarifying interrelationships between IT components.

Audit of Infrastructure

When auditing infrastructure and operations, the IS auditor should:
o Follow the overall EA.
o Use the EA as a main source of information.
o Ensure that IT systems are aligned with the EA and meet organizational objectives.


In the Big Picture

Task 4.1: Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
The Big Picture: ITSM is the implementation and management of IT services to meet business needs.

Discussion Question

Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
A. A service adjustment resulting from an exception report took a day to implement.
B. The complexity of application logs used for service monitoring made the review difficult.
C. Performance measures were not included in the SLA.
D. The document is updated on an annual basis.


Discussion Question

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A. Postpone the audit until the agreement is documented.
B. Report the existence of the undocumented agreement to senior management.
C. Confirm the content of the agreement with both departments.
D. Draft a service level agreement (SLA) for the two departments.

Task 4.2

Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives within the enterprise architecture (EA).

Key Terms

Enterprise architecture (EA): Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them and the manner in which they support the enterprise's objectives.
Enterprise architecture for IT: Description of the fundamental underlying design of the IT components of the business, the relationships among them and the manner in which they support the enterprise's objectives.

Task to Knowledge Statements

How does Task 4.2 relate to each of the following knowledge statements?
K4.2 Knowledge of service management practices and service level management: IT can be managed through a series of discrete processes that provide service to the business. ITSM focuses on the business deliverables and covers infrastructure management of IT applications that support and deliver these IT services.
K4.3 Knowledge of techniques for monitoring third-party performance and compliance with service agreements and regulatory requirements: The IS auditor should verify management participation in the contracting process and ensure a proper level of timely contract compliance review.


K4.4 Knowledge of enterprise architecture (EA): The IS auditor needs to understand EA processes used in documenting an enterprise's IT in a structured manner to facilitate understanding, management and planning for IT investments.
K4.5 Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems): The IS auditor must be familiar with the functionality of information system hardware, platform operating systems, common database applications and network components.
K4.10 Knowledge of capacity planning and related monitoring tools and techniques: Capacity planning ensures that all the current and future capacity and performance aspects of business requirements are anticipated in advance, assessed and, as necessary, provided in a cost-effective manner.


K4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing): IT performance monitoring of critical processes and assets should be conducted on a continuous basis to ensure reliable IT services that meet SLAs and achieve defined business objectives.
K4.14 Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention): Data management processes should be in place to ensure that data creation, categorization, protection, retention and destruction policies are in alignment with current and emerging business and regulatory requirements.


Hardware Review

Areas to review (source: ISACA, CISA Review Manual 26th Edition, figure 4.26):
o Hardware acquisition plan and execution
o IT asset management
o Capacity management and monitoring
o Hardware availability and utilization reports
o Preventive maintenance schedule
o Problem logs and job accounting system reports

Operating System Review

Areas to review (source: ISACA, CISA Review Manual 26th Edition, figure 4.27):
o Feasibility study and selection process
o System software selection procedures
o IT asset management
o System software security
o Authorization documentation
o System software implementation
o System software maintenance activities
o System documentation
o System software change controls
o System software installation change controls


Database Review

Areas to review (source: ISACA, CISA Review Manual 26th Edition, figure 4.28):
o Logical schema
o Physical schema
o Access time reports
o Database security controls
o Interfaces with other software
o Backup and disaster recovery procedures and controls
o Database-supported IS controls
o IT asset management

Network Infrastructure Review

When auditing a network, the IS auditor should review controls over network implementations, ensuring that standards are present for:
o The design and selection of network architecture
o A suitable cost-benefit relationship between network procurement and operation


Network Review Areas

Effective review requires the identification of:
o Network topology and network design
o Significant networking components
o Interconnected boundary networks
o Network uses
o Networking administrator, operator and groups of users
o Network gateway to the Internet
o Defined security standards or procedures

Network controls by category (source: ISACA, CISA Review Manual 26th Edition, figure 4.29):
Physical controls: network hardware devices; file server; documentation; key logs; network wiring closet; protection of backup and transmission media; wiring.
Environmental controls: controls in the server facility, including temperature, humidity, static electricity, surge and fire protection; cleanliness.
Logical security controls: passwords; network user access and change requests; test plans; security reports and mechanisms; network operation procedures; personnel awareness of risks.


IS Operations Review

Areas to review (source: ISACA, CISA Review Manual 26th Edition, figure 4.30):
o Observe IS personnel
o Review operator access
o Examine access to the library
o Consider adequacy of operator manuals
o Examine data entry processes
o Consider contents/location of offline storage
o Examine file handling procedures
o Review lights-out operations

In the Big Picture

Task 4.2: Conduct periodic reviews of information systems to determine whether they continue to meet the organization's objectives within the enterprise architecture (EA).
The Big Picture: Monitoring the implementation of an enterprise architecture (EA) helps an organization in aligning service delivery.


Discussion Question

Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service?
A. Compliance with the master agreement
B. Agreed-on key performance metrics
C. Results of business continuity tests
D. Results of independent audit reports

Discussion Question

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the good practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network devices in the topology.
D. whether subcomponents of the network are being used appropriately.


Task 4.3

Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization's objectives.

Key Terms

Configuration management: The control of changes to a set of configuration items over a system life cycle.
Performance management: In IT, the ability to manage any type of measurement, including employee, team, process, operational or financial measurements. The term connotes closed-loop control and regular monitoring of the measurement.


Task to Knowledge Statements

How does Task 4.3 relate to each of the following knowledge statements?
K4.6 Knowledge of system resiliency tools and techniques (e.g., fault-tolerant hardware, elimination of single point of failure, clustering): The IS auditor should be able to identify potential single points of failure within a process and understand related tools and techniques such as high availability (HA), load balancing and clustering solutions utilized to improve system resiliency.
K4.7 Knowledge of IT asset management, software licensing, source code management and inventory practices: The IS auditor should be aware that IT asset management is key to information security. An asset cannot be protected if it is not identified.
K4.8 Knowledge of job scheduling practices, including exception handling: The IS auditor must understand operations management practices and controls to ensure the delivery of quality IT services to the business and to ensure the security of the information.


K4.9 Knowledge of the control techniques that ensure the integrity of system interfaces: System interfaces, including middleware, application program interfaces (APIs) and other similar software, present special risk because they may not be subject to the same security and control rigor that is found in large-scale application systems.
K4.15 Knowledge of problem and incident management practices: The IS auditor's understanding of good practices for incident and problem management is essential.
K4.16 Knowledge of change management, configuration management, release management and patch management practices: All changes to the production system or infrastructure should be approved according to an established change management process. Adequate segregation of duties (SoD) should be enforced.


IS Operations

The IS operations function is responsible for the ongoing support of the organization's computer and IS environment, ensuring:
o Computer processing requirements are met
o End users are satisfied
o Information is processed securely
o Outside parties (third parties, cloud computing) meet the organization's requirements

The organization of IS operations varies depending on the size of the computing environment.
The IS auditor should understand the scope of IS operations when conducting an audit of this area.


IS Operations Documentation

The IS control environment requires procedures detailing operational tasks and processes as well as IS management oversight.
Such documentation includes procedures for:
o Operating instructions and job flows for computers and peripheral equipment
o Monitoring systems and applications
o Detection of system and application errors and issues
o Handling of IS problems and the escalation of unresolved issues
o Backup and recovery


Job Scheduling

Job scheduling is a major function within the IT department, and in environments in which a large number of batch routines are processed, it may be managed through the use of job scheduling software.
It is necessary to ensure that IS resources are optimized based on processing requirements.
The schedule includes:
o Jobs that must be run
o The sequence of job execution
o The conditions that cause job execution
o The ability to prioritize jobs according to time availability
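
The four schedule elements above, plus the exception handling that K4.8 asks the auditor to understand, as an added worked example in Python (not taken from the ISACA material or from any scheduling product). The job names, their dependencies, the month-end calendar condition and the simulated failure are hypothetical.

```python
"""Order batch jobs by dependency and priority, run only those whose
condition holds today, and handle a failed job by skipping its dependents.

Constructed example: job names, dependencies and the month-end rule are
hypothetical; no real scheduler is involved.
"""
import calendar
import heapq
from dataclasses import dataclass
from datetime import date
from typing import Callable, Tuple


@dataclass(frozen=True)
class Job:
    name: str
    priority: int                          # lower number runs first among ready jobs
    depends_on: Tuple[str, ...] = ()       # predecessors that must succeed first
    run_when: Callable[[date], bool] = lambda d: True   # calendar condition


def is_month_end(d: date) -> bool:
    return d.day == calendar.monthrange(d.year, d.month)[1]


JOBS = [
    Job("extract_gl", priority=1),
    Job("extract_payroll", priority=2),
    Job("load_warehouse", priority=1, depends_on=("extract_gl", "extract_payroll")),
    Job("daily_report", priority=3, depends_on=("load_warehouse",)),
    Job("month_end_close", priority=0, depends_on=("load_warehouse",), run_when=is_month_end),
    Job("archive_logs", priority=5),
]


def build_schedule(jobs, run_date):
    """Execution order for `run_date`: topological order (Kahn's algorithm)
    with priority as the tie-break among jobs whose predecessors are done.
    Raises ValueError on a dependency cycle or on a dependency that is not
    scheduled to run on that date."""
    selected = {j.name: j for j in jobs if j.run_when(run_date)}
    indegree, dependents = {}, {name: [] for name in selected}
    for job in selected.values():
        missing = [d for d in job.depends_on if d not in selected]
        if missing:
            raise ValueError(f"{job.name} depends on job(s) not scheduled today: {missing}")
        indegree[job.name] = len(job.depends_on)
        for dep in job.depends_on:
            dependents[dep].append(job.name)
    ready = [(selected[n].priority, n) for n, k in indegree.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (selected[child].priority, child))
    if len(order) != len(selected):
        stuck = sorted(set(selected) - set(order))
        raise ValueError(f"dependency cycle among {stuck}")
    return order


def run_schedule(order, jobs, outcome):
    """Simulate a run. `outcome(name)` is True when the job succeeds. A failed
    job is logged for operator follow-up and every job depending on it
    (directly or through another skipped job) is skipped instead of being
    run on incomplete input."""
    by_name = {j.name: j for j in jobs}
    status, exception_log = {}, []
    for name in order:
        bad = [d for d in by_name[name].depends_on if status.get(d) != "ok"]
        if bad:
            status[name] = "skipped"
            exception_log.append(f"{name}: skipped, predecessor(s) not successful: {bad}")
        elif outcome(name):
            status[name] = "ok"
        else:
            status[name] = "failed"
            exception_log.append(f"{name}: FAILED, escalate for re-execution")
    return status, exception_log


if __name__ == "__main__":
    order = build_schedule(JOBS, date(2016, 3, 31))       # a month-end run
    print("order:", order)
    status, log = run_schedule(order, JOBS, lambda n: n != "extract_payroll")
    print(status)
    print("\n".join(log))
```

The exception log this produces is the kind of artifact the Scheduling Review below expects to find (exception processing log, re-executed jobs): a reviewer should be able to trace every skipped job back to the failure that caused it and to the re-execution that cleared it.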


Scheduling Review

Areas to review (source: ISACA, CISA Review Manual 26th Edition, figure 4.31):
o Regularly scheduled applications
o Input deadlines
o Data preparation time
o Estimated processing time
o Output deadlines
o Procedures for use of KPIs
o Processing priorities
o Daily job schedule
o Console log
o Exception processing log
o Re-executed jobs
o Personnel

In the Big Picture

Task 4.3: Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization's objectives.
The Big Picture: IT operations is the hub of the IT wheel, and its processes must be evaluated to ensure that they are in alignment with the organization's goals and objectives.


Discussion Question

Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
A. Change management
B. Backup and recovery
C. Incident management
D. Configuration management

Discussion Question

An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation?
A. Malware on servers
B. Firewall misconfiguration
C. Increased spam received by the email server
D. Unauthorized network activities
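
What "recording a baseline for a software release" (the first question above) and the configuration management definition under Task 4.3 amount to in practice, as an added worked example in Python that is not part of the ISACA material: a baseline is a per-file hash recorded at release time, and drift is whatever differs from it later. The file paths, settings and contents are constructed and held in memory, so the example runs without touching a real system.

```python
"""Record a configuration baseline for a release and detect drift against it.

Constructed example: the 'file systems' are in-memory path -> bytes maps
with hypothetical paths and settings, so it runs without touching disk.
"""
import hashlib
import json

# Baseline captured when release 1.0 was deployed (constructed).
RELEASE_1_0 = {
    "/etc/app/app.conf": b"listen=443\ntls_min=1.2\nadmin_ips=10.0.0.0/8\n",
    "/etc/app/users.acl": b"alice:admin\nbob:operator\n",
    "/opt/app/bin/app": b"\x7fELF release-1.0 binary (constructed)",
}

# What production looks like today (constructed): two settings weakened and
# a debug flag added, none of it through change management.
PRODUCTION_NOW = {
    "/etc/app/app.conf": b"listen=443\ntls_min=1.0\nadmin_ips=0.0.0.0/0\n",
    "/etc/app/users.acl": b"alice:admin\nbob:operator\n",
    "/opt/app/bin/app": b"\x7fELF release-1.0 binary (constructed)",
    "/etc/app/debug.flag": b"1\n",
}


def fingerprint(files):
    """SHA-256 per path; content changes show up, timestamps do not matter."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def record_baseline(release, files):
    """Baseline record to store with the release: tag plus per-file hashes (JSON)."""
    return json.dumps({"release": release, "files": fingerprint(files)}, sort_keys=True)


def drift(baseline_json, files):
    """Paths added, removed or modified relative to the recorded baseline."""
    base = json.loads(baseline_json)["files"]
    now = fingerprint(files)
    return {
        "added": sorted(set(now) - set(base)),
        "removed": sorted(set(base) - set(now)),
        "modified": sorted(p for p in set(base) & set(now) if base[p] != now[p]),
    }


def changed_settings(old, new):
    """For key=value text configs: {key: (old, new)} for every differing key."""
    def parse(blob):
        return dict(line.split("=", 1) for line in blob.decode().splitlines() if "=" in line)
    before, after = parse(old), parse(new)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}


if __name__ == "__main__":
    baseline = record_baseline("1.0", RELEASE_1_0)
    report = drift(baseline, PRODUCTION_NOW)
    print(report)
    for path in report["modified"]:
        print(path, changed_settings(RELEASE_1_0[path], PRODUCTION_NOW[path]))
```

The audit value is in the reconciliation step: every entry the drift report lists should match an approved change record, and here the weakened TLS minimum, the admin access opened to any address and the new debug flag have none. The baseline itself has to be stored where the people who can change production cannot also rewrite it, or the comparison proves nothing.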


Task 4.4

Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization's objectives.

Key Terms

Patch: Fixes to software programming errors and vulnerabilities.
Patch management: An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risks.
Recovery: The phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives or business continuity plan.


Task to Knowledge Statements

How does Task 4.4 relate to each of the following knowledge statements?
K4.12 Knowledge of data backup, storage, maintenance and restoration practices: In order to prevent system outages and data loss, backup processes must be in place during system upgrades and patching.
K4.16 Knowledge of change management, configuration management, release management and patch management practices: Integral to patch management practices, the essential element of change and release management must be in place to provide assurance of system integrity and availability.

Hardware Maintenance

To perform optimally, hardware must be cleaned and serviced on a routine basis.
When performing an audit of this area, the IS auditor should:
o Ensure that a formal maintenance plan has been developed. This must be:
  Approved by management
  Implemented and followed
o Identify maintenance costs that exceed budget or are excessive.


Capacity Management

Computing and network resources must be planned and monitored to ensure that they are used efficiently and effectively.
A capacity plan should be developed based on input from both users and IS managers, and should be reviewed and updated at least annually.
The IS audit should take into account that capacity requirements may:
o Fluctuate according to business cycles
o Be interdependent across the capacity plan

Release Management

Release types (source: ISACA, CISA Review Manual 26th Edition, figure 4.8):
Major release: Normally contains a significant change or addition to new functionality. These usually supersede all preceding minor upgrades.
Minor release: Upgrades, offering small enhancements and fixes. Usually supersedes all preceding emergency fixes.
Emergency release: Normally contains corrections to a small number of known problems. These require implementation as quickly as possible, limiting the execution of testing and release management activities.


Patch Management

A patch is software code that is installed to maintain software as current between full-scale version releases.
A patch often addresses security risks that have been detected in the original code.
Because a patch can introduce new problems to a system, it is good practice to test a patch on a non-critical system and perform backups prior to installing patches.
Patch management tasks include:
o Maintaining current knowledge of available patches
o Determining which patches are appropriate for particular systems
o Ensuring that patches are properly installed
o Testing systems after installation
o Documenting all patch-related procedures
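
The second and third tasks in that list (which patches apply to which systems, and whether they are actually installed) reduce to comparing installed package versions against the minimum patched versions an advisory names. The following is an added example in Python, not part of the ISACA material: the server inventory, the package names and every version string are constructed, and the version-ordering rules (numbers compare numerically, letter suffixes lexically, a missing component counts as zero) are assumptions of the example rather than any vendor's scheme.

```python
"""Find servers missing required patches by comparing installed package
versions against a minimum-version list.

Constructed example: inventory, package names and versions are made up.
"""
import re

# package -> minimum version that contains the fix (constructed advisory)
REQUIRED_MIN = {
    "openssl": "1.0.2k",
    "bash": "4.3-9.2",
    "kernel": "3.10.0-514.21.1",
}

# server -> installed packages and versions (constructed inventory export)
INVENTORY = {
    "web01": {"openssl": "1.0.2g", "bash": "4.3-9.2", "kernel": "3.10.0-514.21.1"},
    "web02": {"openssl": "1.0.2k", "bash": "4.3-9.1", "kernel": "3.10.0-327.36.3"},
    "db01": {"openssl": "1.1.0e", "kernel": "3.10.0-514.26.2"},
}

_TOKEN = re.compile(r"\d+|[a-z]+")


def version_key(version):
    """Tokenise '1.0.2k' -> [(0, 1), (0, 0), (0, 2), (1, 'k')].
    The leading 0/1 tag keeps ints and strings from ever being compared
    directly, and orders a bare number below a lettered suffix."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(version.lower())]


def version_lt(a, b):
    """True when version a is older than version b; shorter versions are
    padded with zero components so that 1.0 == 1.0.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(0, 0)] * (width - len(ka))
    kb += [(0, 0)] * (width - len(kb))
    return ka < kb


def missing_patches(inventory, required):
    """server -> sorted [(package, installed, required)] for packages that are
    installed on that server and older than the required minimum. Packages not
    installed on a server are not applicable to it and are not reported."""
    findings = {}
    for server, installed in inventory.items():
        gaps = [(pkg, ver, required[pkg]) for pkg, ver in installed.items()
                if pkg in required and version_lt(ver, required[pkg])]
        findings[server] = sorted(gaps)
    return findings


def compliance_rate(findings):
    """Share of servers with nothing missing."""
    return sum(1 for gaps in findings.values() if not gaps) / len(findings)


if __name__ == "__main__":
    findings = missing_patches(INVENTORY, REQUIRED_MIN)
    for server, gaps in sorted(findings.items()):
        print(server, "OK" if not gaps else gaps)
    print(f"compliant servers: {compliance_rate(findings):.0%}")
```

Two caveats matter when this is done for real. Distribution vendors frequently backport a fix without changing the upstream version number, so the minimum must be the distribution's own package version, not the upstream project's. And a version check shows that the package on disk is new enough, not that the running process was restarted after installation, so a server can pass this check and still be running the vulnerable code.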


Quality Assurance (QA)

Prior to the introduction of system changes to the production environment, a QA process should be in place to verify that these changes are:
o Authorized
o Tested
o Implemented in a controlled manner
QA personnel also oversee the proper maintenance of program versions and source code to object.

Backup Schemes

Full backup
What it does: Copies all main files and folders to the backup media.
Advantages: Creates a unique archive in case of restoration.
Disadvantages: Requires more time and media capacity than other methods.

Incremental backup
What it does: Copies files and folders that have changed or are new since the last backup.
Advantages: Requires less time and media than a full backup.
Disadvantages: All backup sets are required to implement a full restoration, taking more time.

Differential backup
What it does: Copies files and folders that have been added or changed since a full backup was performed.
Advantages: Faster than a full backup; requires only the latest full and differential backup sets for full restoration.
Disadvantages: Requires more time and media capacity than an incremental backup.
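
The trade-offs in the backup table, worked through as an added example in Python rather than stated: a week of constructed file changes is backed up under each scheme, and the code shows how much media each consumes, how many sets a restore has to read, and what happens when one set in the middle of the chain is unreadable. The files, sizes and daily change sets are made up; this is not ISACA material.

```python
"""Simulate full, incremental and differential backups over a week of file
changes, then work out what each scheme needs to restore a given day.

Constructed example: the files, sizes (MB) and daily change sets are made up.
"""

FILES = {"db.dat": 500, "app.log": 20, "config.ini": 1, "reports.zip": 80}
CHANGES = {                     # day -> files that changed that day; day 0 is the full backup
    1: {"app.log"},
    2: {"app.log", "config.ini"},
    3: {"db.dat"},
    4: {"app.log"},
    5: {"reports.zip", "app.log"},
}


def version_at(changes, path, day):
    """Version of `path` on `day`: the last day it changed (0 = original)."""
    return max((d for d in range(1, day + 1) if path in changes.get(d, set())), default=0)


def backup_sets(scheme, files, changes, days):
    """[(day, {path: version_copied})], one entry per backup run (day 0 is full)."""
    sets = [(0, {path: 0 for path in files})]
    since_full = set()
    for day in range(1, days + 1):
        changed = changes.get(day, set())
        if scheme == "full":
            copied = set(files)
        elif scheme == "incremental":
            copied = set(changed)                 # changed since the previous run
        elif scheme == "differential":
            since_full |= changed
            copied = set(since_full)              # changed since the full backup
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        sets.append((day, {path: version_at(changes, path, day) for path in copied}))
    return sets


def restore_chain(scheme, sets, day):
    """Backup sets that must be read, oldest first, to restore the state at `day`."""
    if scheme == "full":
        return [sets[day]]
    if scheme == "differential":
        return [sets[0]] if day == 0 else [sets[0], sets[day]]
    return sets[: day + 1]                        # incremental: the full plus every increment


def restore(scheme, sets, day, lost=frozenset()):
    """Apply the chain; later copies overwrite earlier ones. `lost` holds the
    days whose media is unreadable; a chain that needs one of them cannot restore."""
    state = {}
    for d, copied in restore_chain(scheme, sets, day):
        if d in lost:
            raise RuntimeError(f"{scheme}: backup set from day {d} is needed but unreadable")
        state.update(copied)
    return state


def media_mb(sets, files):
    """Total capacity consumed by all runs of a scheme."""
    return sum(files[path] for _, copied in sets for path in copied)


if __name__ == "__main__":
    want = {path: version_at(CHANGES, path, 5) for path in FILES}
    for scheme in ("full", "incremental", "differential"):
        sets = backup_sets(scheme, FILES, CHANGES, 5)
        chain = restore_chain(scheme, sets, 5)
        ok = restore(scheme, sets, 5) == want
        print(f"{scheme:12} media={media_mb(sets, FILES):5d} MB  sets to restore day 5: {len(chain)}  correct: {ok}")
```

All three schemes restore the same day-5 state, which is the point of the exercise; they differ in media (full 3606 MB, differential 2285 MB, incremental 1262 MB over the six runs) and in exposure. Losing the day-3 set breaks every incremental restore from day 3 onward, while a differential restore of day 5 does not need it at all. That is why a restore test, not just a successful backup job, is the evidence an auditor should ask for under K4.12.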


Contractual Provisions

The use of third-party recovery alternatives should be guided by contractual provisions such as the following:
o Hardware and software configurations
o Disaster magnitude definition
o Private versus shared facility use
o
o
o Immediacy and duration of availability
o Security and audit considerations

In the Big Picture

Task 4.4
Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue
objectives.

The Big Picture
The systems supported by IT operations are dependent on agile and reliable patching and upgrade capabilities to reasonably assure the security of these systems.


Discussion Question

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
A. only systems administrators perform the patch process.
B.
adequate.
C. patches are validated using parallel testing in production.
D. an approval process of the patch, including a risk assessment, is developed.

Discussion Question

Which of the following ways is the BEST for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor?
A. Ensure that automatic updates are enabled on critical production servers.
B. Verify manually that the patches are applied on a sample of production servers.
C. Review the change management log for critical production servers.
D. Run an automated tool to verify the security patches on production servers.


Task 4.5

Evaluate database management practices to determine the integrity and optimization of databases.

Key Terms

Database: A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements


Task to Knowledge Statements

How does Task 4.5 relate to each of the following knowledge statements?

K4.8 Knowledge of job scheduling practices, including exception handling
Connection: The IS auditor must understand the importance and processes required to perform database reorganization to reduce unused disk space and verify defined data relationships.

K4.13 Knowledge of database management and optimization practices
Connection: The IS auditor must understand the concepts of database design, database administration, relationships between database objects, potential problems in transaction processing and security issues associated with database management systems (DBMSs).


How does Task 4.5 relate to each of the following knowledge statements?

K4.16 Knowledge of change management, configuration management, release management and patch management practices
Connection: The IS auditor must understand how database modifications, patches and upgrades are being evaluated, tested and deployed so as to prevent system degradation or data loss.

Database Management System

Database management system (DBMS) software offers several benefits:
o Aids in organizing, controlling and using the data needed by application programs
o Provides the facility to create and maintain a well-organized database
o Reduces data redundancy and access time, while offering basic security over sensitive data


Database Controls

o Enforced definition standards
o Data backup and recovery procedures
o Access control levels
o Updates by authorized personnel only
o Controls on concurrent updating of same data
o Checks on data accuracy, completeness and consistency
o Job stream checkpoints
o Database reorganization to ensure efficiency
o Database restructuring procedures
o Use of performance reporting tools
o Minimize use of non-system tools or utilities

In the Big Picture

Task 4.5
Evaluate database management practices to determine the integrity and optimization of databases.

The Big Picture
Database management practices must include repeatable, reliable and agile maintenance to sustain schemes, software, utilities and interfaces.


Discussion Question

The database administrator (DBA) suggests that database efficiency can be improved by denormalizing some tables. This would result in:
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.
D. application malfunctions.

Discussion Question

Segmenting a highly sensitive database results in:
A. reduced exposure.
B. reduced threat.
C. less criticality.
D. less sensitivity.


Task 4.6

Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.

Key Terms

Asset: Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Source code: The language in which a program is written. Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language.


Task to Knowledge Statements

How does Task 4.6 relate to each of the following knowledge statements?

K4.7 Knowledge of IT asset management, software licensing, source code management and inventory practices
Connection: The IS auditor must understand the quantity, type and value of data and the associated attributes of sensitivity and criticality to on-going business operations.

K4.17 Knowledge of the operational risk and controls related to end-user computing
Connection: The IS auditor must be able to identify operational and end-user risk to data security (confidentiality, integrity and availability).

K4.14 Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
Connection: Based on the type and value of data, the IS auditor must evaluate the controls in place to ensure these assets are secured to meet goals and objectives.


Data Life Cycle

[Figure: data life cycle stages: Plan, Design, Build/Acquire, Use/Operate, Monitor, Dispose]

Adapted from: ISACA, COBIT 5: Enabling Information, USA, 2013, figure 23

Data Quality Criteria

Data quality is key to data management, and the IS auditor should ensure that data is of sufficient quality to allow the organization to meet its strategic objectives.
Questions such as the following can aid in this determination:
o Are the data being captured and processed to required standards?
o
and database management systems aligned with organizational objectives?
o Are data being archived, retained or destroyed in line with a data retention policy?
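The retention question above ("are data being archived, retained or destroyed in line with a data retention policy?") can be turned into a repeatable audit test. The following is an added example, not code from the ISACA course: it checks a constructed set of data records against a constructed retention schedule and reports records held past their retention period, records disposed of early, records disposed of in a way the policy does not require, and records with no applicable rule. Classifications, retention periods, record IDs and dates are all made up.

```python
"""Added example (not from the ISACA course): audit constructed data records
against a constructed retention policy. Classifications, retention periods,
record IDs and dates are all made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class RetentionRule:
    keep_years: int
    disposition: str  # action the policy requires once retention expires: "archive" or "destroy"


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    status: str                         # "active", "archived" or "destroyed"
    disposed_on: Optional[date] = None  # date the record was archived or destroyed


EXPECTED_STATUS = {"archive": "archived", "destroy": "destroyed"}


def add_years(d: date, years: int) -> date:
    """Anniversary of `d`; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit_retention(records: List[Record], policy: Dict[str, RetentionRule],
                    as_of: date) -> List[Dict[str, str]]:
    """One finding per deviation from the retention policy as of `as_of`."""
    findings: List[Dict[str, str]] = []

    def flag(rec: Record, issue: str) -> None:
        findings.append({"record_id": rec.record_id, "issue": issue})

    for rec in records:
        rule = policy.get(rec.classification)
        if rule is None:
            flag(rec, f"no retention rule for classification {rec.classification!r}")
            continue
        expiry = add_years(rec.created, rule.keep_years)
        if rec.status == "active":
            if as_of >= expiry:                        # still held past its retention period
                flag(rec, f"retention expired on {expiry}; {rule.disposition} is overdue")
        elif rec.status in EXPECTED_STATUS.values():
            if rec.disposed_on is None:
                flag(rec, f"{rec.status} record has no disposal date")
            elif rec.disposed_on < expiry:             # disposed of too early
                flag(rec, f"{rec.status} on {rec.disposed_on}, before retention expired on {expiry}")
            if rec.status != EXPECTED_STATUS[rule.disposition]:
                flag(rec, f"policy requires {rule.disposition}, record was {rec.status}")
        else:
            flag(rec, f"unknown status {rec.status!r}")
    return findings


# Constructed retention policy and records.
POLICY = {
    "financial": RetentionRule(7, "archive"),
    "hr": RetentionRule(5, "destroy"),
    "marketing": RetentionRule(2, "destroy"),
}
RECORDS = [
    Record("R1", "financial", date(2015, 3, 1), "active"),
    Record("R2", "financial", date(2020, 6, 15), "active"),
    Record("R3", "hr", date(2016, 1, 10), "destroyed", date(2021, 2, 1)),
    Record("R4", "hr", date(2018, 5, 5), "destroyed", date(2022, 1, 1)),
    Record("R5", "marketing", date(2020, 1, 1), "archived", date(2022, 6, 1)),
    Record("R6", "legal", date(2019, 9, 9), "active"),
]

if __name__ == "__main__":
    for finding in audit_retention(RECORDS, POLICY, date(2024, 1, 1)):
        print(finding["record_id"], "-", finding["issue"])
```

As of 1 January 2024 the test flags R1 (financial record still active two years after its retention expired), R4 (HR record destroyed before its five years were up), R5 (archived where the policy requires destruction) and R6 (a classification the policy does not cover); R2 and R3 pass.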


IT Asset Management

COBIT 5 defines the management of assets in the following way:
Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), they are accounted for and physically protected, and those assets that are critical to support service capability are reliable and available.
COBIT 5 BAI09 Manage assets

To achieve the objectives of asset management, assets must be identified.
The inventory record of each information asset should include:
o Specific identification of the asset
o Relative value to the organization
o Loss implications and recovery priority
o Location
o Security/risk classification
o Asset group, when the asset is part of a larger information system
o Owner and designated custodian


IT asset management is a fundamental prerequisite to developing a meaningful security strategy.
It is also the first step in managing software licenses and classifying and protecting information assets.
IT asset management procedures should be employed for both software and hardware assets.

Types of Software Licenses

Free software licensing types:
o Open source
o Freeware
o Shareware

Paid software licensing types:
o Per central processing unit (CPU)
o Per seat
o Concurrent users
o Utilization
o Per workstation
o Enterprise

Adapted from: ISACA, CISA Review Manual 26th Edition, figures 4.18 and 4.19


Software Licensing Issues

A software licensing agreement is a contract that establishes the terms and conditions under which software is made legally available to users.
Organizations must follow software copyright laws to protect against penalties levied for violations and the loss of reputation that may occur if misuse is detected.

Detecting Licensing Issues

To detect software licensing violations, the IS auditor should:
o Review the listing of all standard, used and licensed application and system software.
o Obtain copies of all software contracts for such software to determine the nature of the license agreements.
o Scan the entire network to produce a list of installed software.
o If required, review a list of server specifications, including CPUs and cores.
o Compare the license agreements with installed software, noting any violations.
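The last step (comparing license agreements with installed software) depends on the licensing model, which is why the earlier steps collect server specifications and usage data. The following is an added example, not code from the ISACA course: it takes a constructed network-scan listing, constructed server CPU counts, a constructed session log and constructed license terms for the per-seat, per-CPU, concurrent-user and enterprise models from the table above, and reports each product whose use exceeds its license or that has no agreement on file. Products, hosts and numbers are all made up.

```python
"""Added example (not from the ISACA course): compare constructed license
agreements with the software found by a constructed network scan. Products,
hosts, CPU counts, session times and license terms are all made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class License:
    product: str
    model: str      # "per_seat", "per_workstation", "per_cpu", "concurrent" or "enterprise"
    quantity: int   # licensed seats / CPUs / concurrent users (ignored for enterprise)


@dataclass
class Finding:
    product: str
    issue: str
    licensed: Optional[int]   # None when no agreement exists
    observed: int


def peak_concurrency(sessions: List[Tuple[int, int]]) -> int:
    """Largest number of sessions open at the same time. Each session is a
    (start, end) pair; a session ending exactly when another starts does not overlap it."""
    events = sorted([(s, 1) for s, _ in sessions] + [(e, -1) for _, e in sessions])
    # sorting puts (time, -1) before (time, +1), so a session closes before one opens
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def check_compliance(scan: List[Tuple[str, str]], licenses: List[License],
                     server_cpus: Dict[str, int],
                     sessions: Dict[str, List[Tuple[int, int]]]) -> List[Finding]:
    """scan: (host, product) pairs from the network inventory.
    server_cpus: host -> CPU count, from the server specifications.
    sessions: product -> (start, end) pairs from the usage log."""
    installs: Dict[str, set] = {}
    for host, product in scan:
        installs.setdefault(product, set()).add(host)
    terms = {lic.product: lic for lic in licenses}
    findings: List[Finding] = []
    for product, hosts in sorted(installs.items()):
        lic = terms.get(product)
        if lic is None:
            findings.append(Finding(product, "installed software with no license agreement on file", None, len(hosts)))
            continue
        if lic.model in ("per_seat", "per_workstation"):
            observed = len(hosts)
        elif lic.model == "per_cpu":
            unknown = sorted(h for h in hosts if h not in server_cpus)
            if unknown:   # cannot count CPUs without the server specifications
                findings.append(Finding(product, f"CPU count unknown for {unknown}", lic.quantity, 0))
                continue
            observed = sum(server_cpus[h] for h in hosts)
        elif lic.model == "concurrent":
            observed = peak_concurrency(sessions.get(product, []))
        elif lic.model == "enterprise":
            continue      # unlimited within the enterprise
        else:
            raise ValueError(f"unknown license model {lic.model!r}")
        if observed > lic.quantity:
            findings.append(Finding(product, f"{lic.model} limit exceeded", lic.quantity, observed))
    return findings


# Constructed audit evidence.
SCAN = [("ws01", "OfficeSuite"), ("ws02", "OfficeSuite"), ("ws03", "OfficeSuite"), ("ws04", "OfficeSuite"),
        ("db01", "DBEngine"), ("db02", "DBEngine"),
        ("ws01", "CADTool"), ("ws02", "CADTool"), ("ws03", "CADTool"), ("ws04", "CADTool"),
        ("ws05", "ShadowTool")]
SERVER_CPUS = {"db01": 4, "db02": 8}
SESSIONS = {"CADTool": [(9, 11), (10, 12), (10, 14), (11, 13)]}   # hour of day, one working day
LICENSES = [License("OfficeSuite", "per_seat", 3),
            License("DBEngine", "per_cpu", 12),
            License("CADTool", "concurrent", 2)]

if __name__ == "__main__":
    for f in check_compliance(SCAN, LICENSES, SERVER_CPUS, SESSIONS):
        print(f"{f.product}: {f.issue} (licensed {f.licensed}, observed {f.observed})")
```

On this evidence DBEngine is compliant (4 + 8 CPUs against 12 licensed), OfficeSuite exceeds its three seats, CADTool peaks at three simultaneous users against two licensed, and ShadowTool has no agreement at all.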


Source Code Management

Source code is the language in which a program is written; it tells the computer what to do.
Source code may contain intellectual property that should be protected, and access should be restricted.
The management of source code is related to change management, release management, quality assurance and information security management.

Source code should be managed using a version control system (VCS), which maintains a central repository.
This allows programmers to check program source code out of and in to the repository. With check-in, a new version is created.


Advantages of a VCS include:
o Provides the ability to synchronize source changes with changes from other developers
o Provides a methodology for conflict resolution, when separate changes have been made on the same section of source code
o Allows for branching, providing a child of the original code to allow customization for specific circumstances

Source Code Audit

The IS auditor must be aware of the following items relating to source code:
o Who has access to the code
o Who can commit code, pushing it into production
o Alignment of program source code to program objects
o Alignment with change and release management
o Backup of source code, including those located offsite and in escrow agreements


In the Big Picture

Task 4.6
Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.

The Big Picture
Data is an asset and must be managed accordingly: inventoried, categorized, managed and secured.

Discussion Question

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution?
A. Redesign the controls related to data authorization.
B. Implement additional segregation of duties controls.
C. Review policy to see if a formal exception process is required.
D. Implement additional logging controls.


Discussion Question

Which of the following choices BEST ensures accountability when updating data directly in a production database?
A. Before and after screen images
B. Approved implementation plans
C. Approved validation plan
D. Data file security

Task 4.7

Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the objectives.


Key Terms

Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Problem: In IT, the unknown underlying cause of one or more incidents.
Problem escalation procedure: The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management. Problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command until it is solved.

Task to Knowledge Statements

How does Task 4.7 relate to each of the following knowledge statements?

K4.8 Knowledge of job scheduling practices, including exception handling
Connection: The IS auditor must understand the normal operations required to support the IT environment and how the failure of these processes can affect the organization.


How does Task 4.7 relate to each of the following knowledge statements?

K4.9 Knowledge of the control techniques that ensure the integrity of system interfaces
Connection: The IS auditor needs to understand and be able to recommend the appropriate application of incident and problem, change and release management and quality assurance processes.

K4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
Connection: In order to identify incidents and problems, IT performance monitoring of critical processes and assets should be conducted on a continuous basis.

K4.15 Knowledge of problem and incident management practices
Connection: The IS auditor must ensure the organization has processes in place to ensure all incidents or problems are detected, reported, managed and resolved in a timely manner.

K4.17 Knowledge of the operational risk and controls related to end-user computing
Connection: It is necessary for the IS auditor to understand the risk associated with end-user computing (e.g., Microsoft® Excel, Access, etc.).


Incident Management

Incident management focuses on providing continuity of service through the removal or reduction of the adverse effect of disruptions to IT services.
It covers nearly all nonstandard operations and events related to IT services.
The IS auditor should examine problem reports and logs to ensure that incidents have been resolved in a timely manner by those most capable of resolving the problem.

A critical element of an incident management process is the prioritization of incidents.
o Both urgency and impact must be considered.
o IS management should have parameters in place for assigning incident priority.


Problem Management

Objectives of problem management:
o Reduce the number and/or severity of incidents.
o Improve the quality of service of an IS organization.

Objectives of incident management:
o React to issues as they arise.
o Return the affected process back to normal service quickly.
o Minimize business impacts of incidents.

Incident and Problem Documentation

A mechanism should exist to detect and document any abnormal conditions that could lead to the identification of an error.
Such documentation usually takes the form of an automated or manual log.
For control purposes, the ability to add to the log should not be restricted, but the log should only be updated by an authorized person.
o Proper SoD requires that the ability to close an error log be assigned to a different person than the one responsible for initiating or maintaining the error log entry.
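The two controls described here (priority assigned from urgency and impact under parameters set by IS management, and an error log that anyone can add to but only authorized staff can update, with closure by a different person than the one who opened or maintained the entry) can be expressed directly as code. The following is an added example, not code from the ISACA course: the priority matrix values, staff names and incident text are constructed, and the matrix stands in for whatever parameters IS management has actually set.

```python
"""Added example (not from the ISACA course): an error log that assigns
priority from urgency and impact and enforces the documentation controls
described above. Matrix values, staff names and incident text are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed IS-management parameters combining urgency and impact into a
# priority (1 = highest); a real organization sets its own values.
PRIORITY_MATRIX: Dict[Tuple[str, str], int] = {
    ("high", "high"): 1,
    ("high", "medium"): 2, ("medium", "high"): 2,
    ("high", "low"): 3, ("medium", "medium"): 3, ("low", "high"): 3,
    ("medium", "low"): 4, ("low", "medium"): 4,
    ("low", "low"): 5,
}


def assign_priority(urgency: str, impact: str) -> int:
    try:
        return PRIORITY_MATRIX[(urgency, impact)]
    except KeyError:
        raise ValueError(f"urgency/impact must be high, medium or low, got {urgency!r}/{impact!r}")


@dataclass
class Entry:
    entry_id: int
    description: str
    urgency: str
    impact: str
    priority: int
    opened_by: str
    maintainers: Set[str] = field(default_factory=set)  # everyone who updated the entry
    history: List[str] = field(default_factory=list)
    closed_by: Optional[str] = None


class ErrorLog:
    def __init__(self, authorized: Set[str]):
        self.authorized = authorized   # staff allowed to update or close entries
        self.entries: Dict[int, Entry] = {}

    def append(self, who: str, description: str, urgency: str, impact: str) -> Entry:
        """Adding to the log is deliberately unrestricted: any user may report."""
        entry = Entry(len(self.entries) + 1, description, urgency, impact,
                      assign_priority(urgency, impact), who)
        entry.history.append(f"opened by {who}")
        self.entries[entry.entry_id] = entry
        return entry

    def _open_entry(self, who: str, entry_id: int) -> Entry:
        if who not in self.authorized:
            raise PermissionError(f"{who} is not authorized to update the log")
        entry = self.entries[entry_id]
        if entry.closed_by is not None:
            raise ValueError(f"entry {entry_id} is already closed")
        return entry

    def update(self, who: str, entry_id: int, note: str) -> Entry:
        entry = self._open_entry(who, entry_id)
        entry.maintainers.add(who)
        entry.history.append(f"{who}: {note}")
        return entry

    def may_close(self, who: str, entry_id: int) -> bool:
        """SoD check: the closer must differ from whoever opened or maintained the entry."""
        entry = self.entries[entry_id]
        return (who in self.authorized and entry.closed_by is None
                and who != entry.opened_by and who not in entry.maintainers)

    def close(self, who: str, entry_id: int, resolution: str) -> Entry:
        entry = self._open_entry(who, entry_id)
        if not self.may_close(who, entry_id):
            raise PermissionError(f"{who} opened or maintained entry {entry_id} and may not close it")
        entry.closed_by = who
        entry.history.append(f"closed by {who}: {resolution}")
        return entry

    def open_by_priority(self) -> List[Entry]:
        """Open entries, most urgent first, for the operations queue or an audit review."""
        return sorted((e for e in self.entries.values() if e.closed_by is None),
                      key=lambda e: (e.priority, e.entry_id))


def demo() -> ErrorLog:
    """Constructed scenario: a user reports, one operator works the entry, another closes it."""
    log = ErrorLog(authorized={"ops-alice", "ops-bob"})
    e1 = log.append("user-carol", "Payroll batch job failed overnight", "high", "high")
    log.append("user-dave", "Report footer shows wrong date", "low", "low")
    log.update("ops-alice", e1.entry_id, "restarted job; investigating root cause")
    log.close("ops-bob", e1.entry_id, "job rerun completed; scheduler entry corrected")
    return log


if __name__ == "__main__":
    for e in demo().entries.values():
        print(e.entry_id, f"P{e.priority}", e.closed_by or "open", "|", "; ".join(e.history))
```

The history list on each entry is the audit trail the IS auditor would examine to confirm that incidents were resolved in a timely manner and that the person closing each entry was not the one who opened or maintained it.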


Problem Reporting Review

Interviews with IS personnel:
o Have documented procedures been developed to guide the logging, analysis, resolution and escalation of problems?
o Are these actions performed in a timely manner, in accordance with intent and authorization?

Procedures and documentation:
o Are procedures adequate for recording, evaluating, resolving or escalating problems?
o Is IT statistics collection and analysis adequate, accurate and complete?
o Are all identified problems recorded for verification and resolution?

Logs and records:
o Are the reasons for delays in application or program processing valid?
o Are significant and recurring problems identified and actions taken to prevent their recurrence?
o Are there any recurring problems that are not being reported to IS management?

Source: ISACA, CISA Review Manual 26th Edition, figure 4.32

The Support Function

o Determine source of computer incidents; take appropriate corrective action.
o Obtain detailed knowledge of network, system and applications.
o Initiate problem reports; ensure timely incident resolution.
o Provide technical support for computerized telecommunications processing.
o Answer inquiries regarding specific systems.
o Provide second- and third-tier support to business user and customer.
o Maintain documentation of vendor software and proprietary systems.
o Communicate with IS operations to signal abnormal incident patterns.

Source: ISACA, CISA Review Manual 26th Edition, figure 4.7


In the Big Picture

Task 4.7
Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization's objectives.

The Big Picture
Timely and accurate incident and problem resolution practice must be in place to ensure the organization has reliable and secure IT operations.

Discussion Question

Which of the following specifically addresses how to detect
to recover from an attack?
A. An incident response plan (IRP)
B. An IT contingency plan
C. A business continuity plan (BCP)
D. A continuity of operations plan (COOP)


Discussion Question

The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A. improve internal control procedures.
B. harden the network to industry good practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.

Task 4.8

Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.


Key Terms

Production software: Software that is being used and executed to support normal and authorized organizational operations. Production software is to be distinguished from test software, which is being developed or modified but has not yet been authorized for use by management.
System testing: Testing conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements. System test procedures typically are performed by the system maintenance staff in their development library.

Task to Knowledge Statements

How does Task 4.8 relate to each of the following knowledge statements?

K4.9 Knowledge of the control techniques that ensure the integrity of system interfaces
Connection: The IS auditor must understand the controls needed to address system interface risks, including middleware, application program interfaces (APIs) and other similar software.

K4.13 Knowledge of database management and optimization practices
Connection: The IS auditor must understand the control practices associated with those database administrator roles and responsibilities, and the technology managed by these personnel.


How does Task 4.8 relate to each of the following knowledge statements?

K4.16 Knowledge of change management, configuration management, release management and patch management practices
Connection: The IS auditor should also be aware of the need for established procedures to control changes made to systems in normal and emergency situations.

Change Management

The change management process is implemented when:
o Hardware is changed.
o Software is installed or upgraded.
o Network devices are configured.
Change control is part of the broader change management process.
It is designed to control the movement of application changes from the test environment through QA and into the production environment.


The change management process ensures that:
o Relevant personnel are aware of the change and its timing.
o Documentation is complete and in compliance.
o Job preparation, scheduling and operating instructions have been established.
o System and program results have been reviewed and approved by both project management and the end user.
o Data file and system conversions have been completed accurately and completely.
o All aspects of jobs turned over have been tested, reviewed and approved by control/operations personnel.
o Legal and compliance issues have been addressed.
o Risk associated with the change has been planned for, and a rollback plan has been developed to back out the changes should that become necessary.

Change Requests

Formalized and documented change processes incorporate the following elements:
o Change request
o Authorization
o Testing
o Implementation
o Communication to end users


Procedures associated with these may vary according to the type of change request, including:
o Emergency changes
o Major changes
o Minor changes

In the Big Picture

Task 4.8
Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.

The Big Picture
Controlled change management and subsequent release processes are critical to reliable and secure system operations.
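The change request elements listed two slides back (request, authorization, testing, implementation, communication to end users, plus the rollback plan the process must provide) and the different procedure for emergency changes can be combined into one change record with an implementation gate. The following is an added example, not code from the ISACA course: a normal, major or minor change is blocked until every element is in place, an emergency change may proceed with gaps, but the gaps are recorded on the change and remain outstanding until cleared. Names, change IDs and descriptions are constructed; the gate rules are one reasonable reading of the slides, not a procedure the course prescribes.

```python
"""Added example (not from the ISACA course): a change record gated on the
elements a documented change process requires, with a recorded-but-not-blocked
path for emergency changes. Names, IDs and descriptions are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    description: str
    change_type: str = "normal"           # "normal", "major", "minor" or "emergency"
    authorized_by: Optional[str] = None
    test_passed: Optional[bool] = None    # None = not yet tested
    rollback_plan: str = ""
    end_users_notified: bool = False
    implemented_by: Optional[str] = None
    log: List[str] = field(default_factory=list)


def authorize(cr: ChangeRequest, approver: str) -> None:
    """Authorization must come from someone other than the requester."""
    if approver == cr.requester:
        raise PermissionError("requester may not authorize their own change")
    cr.authorized_by = approver
    cr.log.append(f"authorized by {approver}")


def readiness_gaps(cr: ChangeRequest) -> List[str]:
    """Elements still missing before a controlled implementation may proceed."""
    gaps: List[str] = []
    if cr.authorized_by is None:
        gaps.append("authorization")
    if cr.test_passed is None:
        gaps.append("testing")
    elif not cr.test_passed:
        gaps.append("test failure not resolved")
    if not cr.rollback_plan.strip():
        gaps.append("rollback plan")
    if not cr.end_users_notified:
        gaps.append("communication to end users")
    return gaps


def implement(cr: ChangeRequest, implementer: str) -> List[str]:
    """Normal changes are blocked until every element is in place. Emergency
    changes may proceed with gaps; the gaps are written to the change log and
    stay visible through outstanding_reviews() until cleared."""
    gaps = readiness_gaps(cr)
    if gaps and cr.change_type != "emergency":
        raise ValueError(f"{cr.change_id} not ready: missing {', '.join(gaps)}")
    cr.implemented_by = implementer
    note = f"implemented by {implementer}"
    if gaps:
        note += f" as emergency change with open items: {', '.join(gaps)}"
    cr.log.append(note)
    return gaps


def outstanding_reviews(changes: List[ChangeRequest]) -> List[str]:
    """Implemented changes whose required elements are still incomplete."""
    return [cr.change_id for cr in changes
            if cr.implemented_by is not None and readiness_gaps(cr)]


def demo() -> List[ChangeRequest]:
    """Constructed scenario: one fully controlled minor change, one emergency change."""
    normal = ChangeRequest("CHG-001", "dev-ann", "Upgrade reporting library", "minor")
    authorize(normal, "mgr-ben")
    normal.test_passed = True
    normal.rollback_plan = "Reinstall previous package version from the internal repository"
    normal.end_users_notified = True
    implement(normal, "ops-cal")

    emergency = ChangeRequest("CHG-002", "dev-ann", "Hotfix for failing nightly batch", "emergency")
    emergency.rollback_plan = "Restore previous build from last backup"
    implement(emergency, "dev-ann")   # proceeds, but with the missing elements recorded
    return [normal, emergency]


if __name__ == "__main__":
    changes = demo()
    for cr in changes:
        print(cr.change_id, "|", "; ".join(cr.log))
    print("awaiting retrospective review:", outstanding_reviews(changes))
```

An IS auditor reviewing such records would look at exactly the list outstanding_reviews() returns: emergency changes that reached production but were never retrospectively authorized, tested or communicated.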


Discussion Question

In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A. Approve and document the change the next business day.
B. Limit developer access to production to a specific time frame.
C. Obtain secondary approval before releasing to production.
D. Disable the compiler option in the production machine.

Discussion Question

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?
A. Implement a properly documented process for application role change requests.
B. Hire additional staff to provide a segregation of duties (SoD) for application role changes.
C. Implement an automated process for changing application roles.
D. Document the current procedure in detail, and make it available on the enterprise intranet.


Task 4.9

Evaluate end-user computing to determine whether the processes are effectively controlled and support the

Key Terms

End-user computing: The ability of end users to design and implement their own information system utilizing computer software products
Quality assurance (QA): A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements (ISO/IEC 24765)


Task to Knowledge Statements

How does Task 4.9 relate to each of the following knowledge statements?

K4.4 Knowledge of enterprise architecture (EA)
Connection: The IS auditor should follow the overall EA and use the EA as a main source of information. Further, the IS auditor should ensure that the systems are in line with the EA and

K4.9 Knowledge of the control techniques that ensure the integrity of system interfaces
Connection: The IS auditor needs to understand how end-user computer interfaces are controlled and secured.

K4.17 Knowledge of the operational risk and controls related to end-user computing
Connection: The IS auditor should understand that these tools can be used to create key applications that are relied upon by the organization but not controlled by the IT department. This, in turn, means that they may not be backed up and under change management processes.


End-User Computing

End-user computing (EUC) refers to the ability of end users to design and implement their own information system using computer software products.
EUC allows users to quickly build and deploy applications but brings the risk that applications may not be independently reviewed and created using a formal development methodology.

End-

Applications created through EUC may have the following issues:
o They may contain errors and give incorrect results.
o They are not subject to change management or release management, creating version control challenges.
o They are not secured or backed up.


End-

The IS auditor should ensure that the policies for use of EUC exist.
o An inventory of all such applications should be in place.
o Those deemed critical enough should be subject to the same controls of any other application.

In the Big Picture

Task 4.9
Evaluate end-user computing to determine whether the processes are effectively controlled and
objectives.

The Big Picture
While end-user computing enables great productivity, it can also lead to greater risk to the enterprise unless properly controlled.


Discussion Question

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:
A. IT department implement control mechanisms to prevent unauthorized software installation.
B. security policy be updated to include specific language regarding unauthorized software.
C. IT department prohibit the download of unauthorized software.
D. users obtain approval from an IS manager before installing nonstandard software.

Discussion Question

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
A. Applications may not be subject to testing and IT general controls.
B. Development and maintenance costs may be increased.
C. Application development time may be increased.
D. Decision-making may be impaired due to diminished responsiveness to requests for information.


Task 4.10

Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support

Key Terms

Continuity: Preventing, mitigating and recovering from disruption. The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.
Resilience: The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect.


Task to Knowledge Statements

How does Task 4.10 relate to each of the following knowledge statements?

K4.18 Knowledge of the regulatory, legal, contractual and insurance issues related to disaster recovery. Connection: An IS auditor should know how to analyze the degree to which the BCP/DRP is aligned with regulatory, legal, contractual and insurance requirements.
K4.19 Knowledge of business impact analysis (BIA) related to disaster recovery planning. Connection: The IS auditor must be able to determine whether BIA and BCP are suitably aligned.
K4.20 Knowledge of the development and maintenance of disaster recovery plans (DRPs). Connection: An IS auditor should be well-versed in the practices and techniques followed for development and maintenance of BCPs/DRPs, including the need to coordinate recovery plans across the organization.


How does Task 4.10 relate to each of the following knowledge statements?

KS4.21 Knowledge of the benefits and drawbacks of alternate processing sites (e.g., hot sites, warm sites, cold sites). Connection: An IS auditor must be able to analyze [...] alternate processing facility is [...] recovery requirements.
KS4.22 Knowledge of disaster recovery testing methods. Connection: An IS auditor should know the testing approaches and methods for BCP/DRP to evaluate the effectiveness of the plans.
KS4.23 Knowledge of the processes used to invoke the disaster recovery plans (DRPs). Connection: An IS auditor must understand the concepts behind the decision to declare a disaster and to invoke a BCP/DRP and should understand the impact of the decision on an organization, remembering that invocation of the BCP/DRP can, in itself, be a disruption.


Disaster Recovery Planning

Planning for disasters is an important part of the risk management and BCP processes.
The purpose of this continuous planning process is to ensure that cost-effective controls are in place to prevent possible IT disruptions and to recover the IT capacity of the organization in the event of a disruption.

DRP Compliance Requirements

DRP may be subject to compliance requirements depending on:
o Geographic location
o Nature of the business
o The legal and regulatory framework
Most compliance requirements focus on ensuring continuity of service with human safety as the most essential objective.
Organizations may engage third parties to perform DRP-related activities on their behalf; these third parties are also subject to compliance.


Disaster Recovery Testing

The IS auditor should ensure that all plans are regularly tested and be aware of the testing schedule and tests to be conducted for all critical functions.
Test documentation should be reviewed by the IS auditor to confirm that tests are fully documented with pre-test, test and post-test reports.
o It is also important that information security is validated to ensure that it is not compromised during testing.

RPO and RTO Defined

Recovery point objective (RPO): Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective (RTO): The amount of time allowed for the recovery of a business function or resource after a disaster occurs.


RPO and RTO Responses

Both RPO and RTO are based on time parameters. The nearer the time requirements are to the center, the more costly the recovery strategy. Note the strategies employed at each time mark in the graphic below.

[Figure 4.33: recovery strategies at each RPO and RTO time mark]
Recovery Point Objective
  4-24 hrs: Tape backups
  1-4 hrs: Disk-based backups, Snapshots
  0-1 hr: Mirroring, Real-time replication
Recovery Time Objective
  0-1 hr: Active-active clustering
  1-4 hrs: Active-passive clustering, Hot standby
  4-24 hrs: Cold standby
The figure also lists Delayed replication and Log shipping on the RPO side; their time band is not recoverable from the extracted layout.

Source: ISACA, CISA Review Manual 26th Edition, figure 4.33

Additional Parameters

The following parameters are also important in defining recovery strategies:
o Interruption window: The maximum period of time an organization can wait from point of failure to critical services restoration, after which progressive losses from the interruption cannot be afforded.
o Service delivery objective (SDO): Directly related to business needs, this defines the level of services that must be reached during the alternate processing period.
o Maximum tolerable outages: The amount of time the organization can support processing in the alternate mode, after which new problems can arise from lower than usual SDO, and the accumulation of information pending update becomes unmanageable.
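As an added illustration, not part of the ISACA course material, the script below does two things an auditor reviewing DR test evidence would want automated: it computes the RPO and RTO actually achieved in a test from the test's milestone timestamps and compares them with the targets and the interruption window, and it maps a target RPO/RTO onto the least costly time band of figure 4.33. The milestone log format (capitalised tags), the business functions, their targets and every timestamp are constructed for the example.

```python
"""Evaluate a disaster recovery test against RPO, RTO and the interruption
window, and pick the least costly strategy band from the figure.

Added example, not ISACA course code. The log format, the business functions
and every timestamp are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed DR test milestones: <ISO timestamp> <TAG> function=<name>
TEST_LOG = """\
2016-03-12T01:00:00 LAST_CONSISTENT_BACKUP function=payroll
2016-03-12T01:45:00 LAST_CONSISTENT_BACKUP function=order-entry
2016-03-12T00:00:00 LAST_CONSISTENT_BACKUP function=general-ledger
2016-03-12T03:10:00 FAILURE_DECLARED function=payroll
2016-03-12T03:10:00 FAILURE_DECLARED function=order-entry
2016-03-12T03:10:00 FAILURE_DECLARED function=general-ledger
2016-03-12T05:40:00 SERVICE_RESTORED function=payroll
2016-03-12T04:30:00 SERVICE_RESTORED function=order-entry
"""
REQUIRED = ("LAST_CONSISTENT_BACKUP", "FAILURE_DECLARED", "SERVICE_RESTORED")


@dataclass(frozen=True)
class Target:
    rpo: timedelta                  # permissible data loss
    rto: timedelta                  # time allowed to recover the function
    interruption_window: timedelta  # longest tolerable wait from failure to restoration


# Constructed targets; in practice they come from the BIA.
TARGETS = {
    "payroll": Target(timedelta(hours=4), timedelta(hours=4), timedelta(hours=8)),
    "order-entry": Target(timedelta(hours=1), timedelta(hours=1), timedelta(hours=2)),
    "general-ledger": Target(timedelta(hours=24), timedelta(hours=24), timedelta(hours=8)),
}

# Time bands from figure 4.33, least costly (widest) first: (upper bound, strategies).
RPO_BANDS = [
    (timedelta(hours=24), "Tape backups"),
    (timedelta(hours=4), "Disk-based backups, Snapshots"),
    (timedelta(hours=1), "Mirroring, Real-time replication"),
]
RTO_BANDS = [
    (timedelta(hours=24), "Cold standby"),
    (timedelta(hours=4), "Active-passive clustering, Hot standby"),
    (timedelta(hours=1), "Active-active clustering"),
]


def parse_log(text):
    """Return {function: {TAG: datetime}} from the milestone lines."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, tag, rest = line.split(" ", 2)
        fn = rest.split("function=", 1)[1].split()[0]
        events.setdefault(fn, {})[tag] = datetime.fromisoformat(stamp)
    return events


def cheapest_band(bands, requirement):
    """First (least costly) band whose upper bound still meets the requirement."""
    for upper, strategies in bands:
        if upper <= requirement:
            return strategies
    return bands[-1][1]  # tighter than the tightest band: only the most costly option is left


def candidate_strategies(target):
    return cheapest_band(RPO_BANDS, target.rpo), cheapest_band(RTO_BANDS, target.rto)


def evaluate(events, targets):
    """Achieved RPO/RTO per function plus findings (an empty list means the test passed)."""
    results = {}
    for fn, target in targets.items():
        findings = []
        # Plan-design check: an RTO longer than the interruption window can never satisfy the business.
        if target.rto > target.interruption_window:
            findings.append("RTO target exceeds interruption window")
        ev = events.get(fn, {})
        missing = [tag for tag in REQUIRED if tag not in ev]
        if missing:  # incomplete evidence: the pre-test/test/post-test record is not whole
            findings.append(f"test not fully documented: missing {missing}")
            results[fn] = {"achieved_rpo": None, "achieved_rto": None, "findings": findings}
            continue
        achieved_rpo = ev["FAILURE_DECLARED"] - ev["LAST_CONSISTENT_BACKUP"]  # data exposed to loss
        achieved_rto = ev["SERVICE_RESTORED"] - ev["FAILURE_DECLARED"]        # time to recover
        if achieved_rpo > target.rpo:
            findings.append(f"RPO breached: {achieved_rpo} of data lost, {target.rpo} permitted")
        if achieved_rto > target.rto:
            findings.append(f"RTO breached: recovered in {achieved_rto}, {target.rto} allowed")
        results[fn] = {"achieved_rpo": achieved_rpo, "achieved_rto": achieved_rto, "findings": findings}
    return results


def run_example():
    return evaluate(parse_log(TEST_LOG), TARGETS)


if __name__ == "__main__":
    for fn, r in run_example().items():
        print(fn, candidate_strategies(TARGETS[fn]), r["findings"] or "PASS")
```

In the constructed data, payroll passes, order-entry misses both its RPO and RTO, and general-ledger has two findings before any timing is computed: its RTO target is longer than its interruption window (a plan-design defect) and the test record lacks a restoration milestone, which is the "not fully documented" condition the slide on testing warns about.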


Recovery Strategies

Documented recovery procedures ensure a return to normal system operations in the event of an interruption.
These are based on recovery strategies, which should be:
o Recommended to and selected by senior management
o Used to further develop the business continuity plan (BCP)

The selection of a recovery strategy depends on the criticality of the business process and its associated applications, cost, security and time to recover.
In general, each IT platform running an application that supports a critical business function will need a recovery strategy.
Appropriate strategies are those in which the cost of recovery within a specific time frame is balanced by the impact and likelihood of an occurrence.
The cost of recovery includes both the fixed costs of providing redundant or alternate resources and the variable costs of putting these into use should a disruption occur.


Recovery Alternatives

Hot sites: A facility with all of the IT and communications equipment required to support critical applications, along with office accommodations for personnel.
Warm sites: A complete infrastructure, partially configured for IT, usually with network connections and essential peripheral equipment. Current versions of programs and data would likely need to be installed before operations could resume at the recovery site.
Cold sites: A facility with the space and basic infrastructure to support the resumption of operation but lacking any IT or communications equipment, programs, data or office support.

Source: ISACA, CISA Review Manual 26th Edition, figure 4.34


Mirrored sites: A fully redundant site with real-time data replication from the production site.
Mobile sites: Modular processing facilities mounted on transportable vehicles, ready to be delivered and set up on an as-needed basis.
Reciprocal arrangements: Agreements between separate, but similar, companies to temporarily share their IT facilities in the event that a partner to the agreement loses processing capability.
Reciprocal arrangements with other organizations: Agreements between two or more organizations with unique equipment or applications. Participants promise to assist each other during an emergency.

Source: ISACA, CISA Review Manual 26th Edition, figure 4.34


Application Resiliency

The ability to protect an application against a disaster depends on providing a way to restore it as quickly as possible.
A cluster is a type of software installed on every server in which an application runs. It includes management software that permits control of and tuning of the cluster behavior.
Clustering protects against single points of failure in which the loss of a resource would result in the loss of service or production.
There are two major types of application clusters, active-passive and active-active.


Data Storage Resiliency

The data protection method known as RAID, or Redundant Array of Independent (or Inexpensive) Disks, is the most common and basic method used to protect data against loss at a single point of failure.
Such storage arrays provide data replication features, ensuring that the data saved to a disk on one site appears on the other site.
Data replication may be:
o Synchronous: Local disk write is confirmed upon data replication at other site.
o Asynchronous: Data are replicated on a scheduled basis.
o Adaptive: Switching between synchronous and asynchronous depending on network load.
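The three replication modes differ in what a write acknowledgement promises, and therefore in how much acknowledged data can be lost when the primary site fails. The simulation below is an added example, not ISACA course code, that models the two sites as lists and reports the realised loss for each mode; the transaction stream, the asynchronous schedule (ship every five writes) and the link-load profile are constructed.

```python
"""Simulate synchronous, asynchronous and adaptive replication between a
primary site and a second site, and show which writes the application
already treated as committed would be lost if the primary failed.

Added example, not ISACA course code. The write stream, the async schedule
and the link-load profile are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TwoSiteStorage:
    mode: str                    # "sync", "async" or "adaptive"
    cycle: int = 5               # async: ship pending writes every `cycle` writes (the schedule)
    load_threshold: float = 0.8  # adaptive: above this link load, fall back to async
    local: list = field(default_factory=list)         # durable at the primary site
    remote: list = field(default_factory=list)        # durable at the other site
    acknowledged: list = field(default_factory=list)  # confirmed to the application

    def effective_mode(self, link_load):
        if self.mode == "adaptive":
            return "async" if link_load > self.load_threshold else "sync"
        return self.mode

    def write(self, record, link_load=0.0):
        """Persist one record; the acknowledgement follows the rules of the mode in force."""
        self.local.append(record)
        pending = len(self.local) - len(self.remote)
        # Synchronous: the acknowledgement waits until the other site holds the record
        # (plus any backlog left over from an adaptive async phase), so nothing acked is lost.
        # Asynchronous: records are shipped on the schedule and the ack does not wait.
        if self.effective_mode(link_load) == "sync" or pending >= self.cycle:
            self.remote.extend(self.local[len(self.remote):])
        self.acknowledged.append(record)

    def lost_on_primary_failure(self):
        """Acknowledged writes the surviving site never received: the realised data loss."""
        return [r for r in self.acknowledged if r not in self.remote]


# Constructed workload: 12 transactions; the link becomes congested halfway through.
WRITES = [f"txn-{i:02d}" for i in range(1, 13)]
LINK_LOAD = [0.2] * 6 + [0.9] * 6


def simulate(mode):
    """Run the workload in one mode and return the writes lost if the primary then fails."""
    storage = TwoSiteStorage(mode)
    for record, load in zip(WRITES, LINK_LOAD):
        storage.write(record, load)
    return storage.lost_on_primary_failure()


if __name__ == "__main__":
    for mode in ("sync", "async", "adaptive"):
        print(mode, simulate(mode))
```

The lost list is the achieved RPO in transactions: synchronous loses nothing but makes every write wait for the remote confirmation, asynchronous loses everything written since the last scheduled shipment, and adaptive is exposed only during the congested period in which it switched to asynchronous behaviour. When reviewing a replication design, the question to ask is which of these the stated RPO actually permits.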


Telecommunications Resiliency

[...] telecommunication networks.
These are susceptible to the same interruptions as data centers and several other issues, for example:
o Central switching office disasters
o Cable cuts
o Security breaches
To provide for the maintenance of critical business processes, telecommunications capabilities must be identified for various thresholds of outage.

Network Protection

o Redundancy
o Alternative routing
o Diverse routing
o Long-haul network diversity
o Last-mile circuit protection
o Voice recovery


Offsite Library Controls

o Secure physical access to library contents, accessible only to authorized persons
o Encryption of backup media, especially during transit
o Location of the library away from the data center and disasters that may strike both together
o Ensuring that the physical construction can withstand heat, fire and water
o Maintenance of an inventory of all storage media and files for specified retention periods
o Maintenance of library records for specified retention periods
o Maintenance and protection of a catalog of information regarding data files

In the Big Picture

Task 4.10: Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support [...] objectives.

BCP/DRP processes must be maintained to ensure the organization has the ability to continue operations during any probable event.
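Several of the offsite library controls listed above can be tested from records rather than by inspection alone. The script below is an added example, not ISACA course code, that checks a media catalog for expired retention, unencrypted media (flagging transit separately), media still held at the data center, and reconciles the catalog against a physical shelf count in both directions. The site names, retention rules, catalog entries, shelf count and review date are constructed.

```python
"""Reconcile an offsite media library catalog with the library controls:
encryption of media, storage away from the data center, retention periods and
a catalog that matches what is physically on the shelf.

Added example, not ISACA course code. Site names, retention rules, the catalog,
the shelf count and the review date are all constructed.
"""
from datetime import date, timedelta

DATA_CENTER = "DC-Main"        # constructed: primary data center
OFFSITE_VAULT = "Vault-North"  # constructed: offsite library
REVIEW_DATE = date(2016, 3, 15)  # constructed: date of the review
# Constructed retention periods per backup set; real values come from policy.
RETENTION = {
    "daily": timedelta(days=30),
    "weekly": timedelta(days=90),
    "annual": timedelta(days=7 * 365),
}

# Constructed catalog records: what the library system says about each medium.
CATALOG = [
    {"media_id": "T001", "set": "daily", "created": date(2016, 1, 10),
     "encrypted": True, "location": OFFSITE_VAULT, "in_transit": False},
    {"media_id": "T002", "set": "daily", "created": date(2016, 3, 1),
     "encrypted": False, "location": "courier", "in_transit": True},
    {"media_id": "T003", "set": "weekly", "created": date(2016, 2, 15),
     "encrypted": True, "location": DATA_CENTER, "in_transit": False},
    {"media_id": "T004", "set": "annual", "created": date(2010, 1, 1),
     "encrypted": True, "location": OFFSITE_VAULT, "in_transit": False},
]
# Constructed physical count taken at the vault.
VAULT_SHELF = {"T001", "T004", "T009"}


def review_library(catalog, shelf, today):
    """Return a list of (media_id, finding) tuples; an empty list means no exceptions."""
    findings = []
    catalogued_at_vault = set()
    for m in catalog:
        mid = m["media_id"]
        # Retention: media kept beyond the specified period should have been destroyed.
        expiry = m["created"] + RETENTION[m["set"]]
        if today > expiry:
            findings.append((mid, f"retention expired {expiry}; medium not yet destroyed"))
        # Encryption, with transit called out because that is where media leave physical control.
        if not m["encrypted"]:
            where = "in transit" if m["in_transit"] else f"at {m['location']}"
            findings.append((mid, f"backup medium not encrypted ({where})"))
        # Location: a copy held at the data center shares the data center's disasters.
        if m["location"] == DATA_CENTER:
            findings.append((mid, "stored at the data center; one event could strike both copies"))
        if m["location"] == OFFSITE_VAULT:
            catalogued_at_vault.add(mid)
    # Inventory: catalog-to-shelf reconciliation in both directions.
    for mid in sorted(catalogued_at_vault - shelf):
        findings.append((mid, "catalogued at the vault but not found on the shelf"))
    for mid in sorted(shelf - {m["media_id"] for m in catalog}):
        findings.append((mid, "on the shelf but absent from the catalog"))
    return findings


def run_review():
    return review_library(CATALOG, VAULT_SHELF, REVIEW_DATE)


if __name__ == "__main__":
    for mid, text in run_review():
        print(mid, text)
```

On the constructed data the review produces one finding per control category: T001 is past its daily retention, T002 is travelling unencrypted, T003 sits in the data center, and T009 is on the shelf without a catalog entry. An uncatalogued medium is the case auditors most often miss when they only sample from the catalog outward.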


Discussion Question

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices.
C. Corporate security measures have not been incorporated into the test plan.
D. A test has not been made to ensure that tape backups from the remote offices are usable.

Discussion Question

Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster?
A. Members of the recovery team were available.
B. Recovery time objectives (RTOs) were met.
C. Inventory of backup tapes was properly maintained.
D. Backup tapes were completely restored at an alternate site.


Domain 4 Summary

Evaluate IT service management framework and practices.
Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management).
Evaluate IT maintenance (patches, upgrades).
Evaluate database management practices.
Evaluate data quality and life cycle management.
Evaluate problem and incident management practices.
Evaluate change and release management practices.
Evaluate end-user computing.
Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]).


Discussion Question

An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan?
A. Executive management
B. IT management
C. Board of directors
D. Steering committee

Discussion Question

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the change control process
D. Perform an end-to-end walk-through of the process


Discussion Question
Which of the following is the GREATEST risk of an
organization using reciprocal agreements for disaster
recovery between two business units?
A. The documents contain legal deficiencies.
B. Both entities are vulnerable to the same incident.
C. IT systems are not identical.
D. One party has more frequent disruptions than the
other.
