Chapter 4
Information Systems Operations and Business Resilience
Overview
Domain 4
Part A: Information Systems Operations
1. Common Technology Components
2. IT Asset Management
3. Job Scheduling and Production Process Automation
4. System Interfaces
5. End-User Computing
6. Data Governance
7. Systems Performance Management
8. Problem and Incident Management
9. Change, Configuration, Release, and Patch Management
10. IT Service Level Management
11. Database Management
Part B: Business Resilience
1. Business Impact Analysis (BIA)
2. System Resiliency
3. Data Backup, Storage, and Restoration
4. Business Continuity Plan (BCP)
5. Disaster Recovery Plans (DRPs)
Learning Objectives/Task Statement
SELF-ASSESSMENT QUESTIONS 1
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning
SELF-ASSESSMENT QUESTIONS 2
A. Mobile site
B. Warm site
C. Cold site
D. Hot site
SELF-ASSESSMENT QUESTIONS 3
SELF-ASSESSMENT QUESTIONS 4
SELF-ASSESSMENT QUESTIONS 5
SELF-ASSESSMENT QUESTIONS 6
A. system utilities.
B. application program generators.
C. systems security documentation.
D. access to stored procedures.
SELF-ASSESSMENT QUESTIONS 7
SELF-ASSESSMENT QUESTIONS 8
SELF-ASSESSMENT QUESTIONS 9
SELF-ASSESSMENT QUESTIONS 10
PART A: Information Systems Operations
Introduction
4.1 COMMON TECHNOLOGY COMPONENTS
4.1.2 COMMON ENTERPRISE BACK-END DEVICES
4.1.3 UNIVERSAL SERIAL BUS
Security Controls Related to USBs
4.1.4 RADIO FREQUENCY IDENTIFICATION
Applications of RFID
Applications of RFID include the following:
• Asset management (RFID-based asset management
systems)
• Tracking
• Authenticity verification
• Matching
• Process control
• Access control
• Supply chain management (SCM)
Security Controls for RFID
4.1.5 HARDWARE MAINTENANCE PROGRAM
4.1.6 HARDWARE REVIEWS
• Hardware acquisition plan and execution
• Capacity management and monitoring
• IT asset management
• Hardware availability and utilization reports
• Preventive maintenance schedule
• Problem logs and job accounting system reports
4.2 IT ASSET MANAGEMENT
4.4 SYSTEM INTERFACES
4.4.3 CONTROLS ASSOCIATED WITH SYSTEM INTERFACES
Controls over the data passing between systems need to be implemented. For example, an organization may use a software package that generates control totals during the extraction and automatically reconciles the data after they are recorded on the receiving system.
IS auditors should also ascertain whether the organization is using encryption to protect the data exchanged across the interface.
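The reconciliation control described above, as an added example that is not part of the CISA Review Manual: control totals (record count, amount total and a hash total) are generated when a batch is extracted and re-computed once the records are recorded on the receiving system. The record layout (id, account, amount_cents) and the sample batch are constructed for illustration; the point of the third demo is that an altered field survives a count-and-sum check and is caught only by the hash total.

```python
"""Interface control totals: generated when the batch is extracted and
re-computed after the records are recorded on the receiving system.

Added example, not text from the CISA Review Manual. The record layout
(id, account, amount_cents) and the sample batch are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int   # how many records were sent
    amount_total: int   # sum of the monetary field (integer cents, no float drift)
    hash_total: str     # SHA-256 over the canonical form of every record


FIELDS = ("id", "account", "amount_cents")  # assumed interface layout


def canonical(record: dict) -> bytes:
    # Both sides must serialise identically or the hash totals can never match.
    return "|".join(str(record[k]) for k in FIELDS).encode()


def compute_totals(records: list[dict]) -> ControlTotals:
    digest = hashlib.sha256()
    # Sort by key so that delivery order does not change the hash total.
    for record in sorted(records, key=lambda r: r["id"]):
        digest.update(canonical(record) + b"\n")
    return ControlTotals(
        record_count=len(records),
        amount_total=sum(r["amount_cents"] for r in records),
        hash_total=digest.hexdigest(),
    )


def reconcile(sent: ControlTotals, received: ControlTotals) -> list[str]:
    """Return the list of discrepancies; an empty list means the batch reconciled."""
    findings = []
    if sent.record_count != received.record_count:
        findings.append(f"record count: sent {sent.record_count}, received {received.record_count}")
    if sent.amount_total != received.amount_total:
        findings.append(f"amount total: sent {sent.amount_total}, received {received.amount_total}")
    if sent.hash_total != received.hash_total:
        findings.append("hash total mismatch: at least one record was altered, dropped or added")
    return findings


# Constructed sample batch as extracted from the sending system.
SOURCE_BATCH = [
    {"id": 1001, "account": "ACC-17", "amount_cents": 12_500},
    {"id": 1002, "account": "ACC-42", "amount_cents": 3_999},
    {"id": 1003, "account": "ACC-08", "amount_cents": 80_000},
]


def demo_clean() -> list[str]:
    """Receiving system recorded every record unchanged, in a different order."""
    received = list(reversed(SOURCE_BATCH))
    return reconcile(compute_totals(SOURCE_BATCH), compute_totals(received))


def demo_altered_account() -> list[str]:
    """One account number changed in transit: count and amount still agree,
    only the hash total catches it."""
    received = [dict(r) for r in SOURCE_BATCH]
    received[2]["account"] = "ACC-99"
    return reconcile(compute_totals(SOURCE_BATCH), compute_totals(received))


def demo_dropped_record() -> list[str]:
    """One record lost: every control total disagrees."""
    received = SOURCE_BATCH[:2]
    return reconcile(compute_totals(SOURCE_BATCH), compute_totals(received))


if __name__ == "__main__":
    for name in ("demo_clean", "demo_altered_account", "demo_dropped_record"):
        print(name, globals()[name]() or "reconciled")
```

A count or amount total alone is what many legacy interfaces carry; the hash total is what makes substitution of an account number visible without a field-by-field comparison. Sorting by the record key before hashing is deliberate: it lets the receiver accept reordered delivery while still rejecting altered content.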
4.5 END-USER COMPUTING
Discussion Question
Justification:
A. End-user computing (EUC) is defined as the ability of end users to design and
implement their own information system utilizing computer software products.
End-user developed applications may not be subjected to an independent
outside review by systems analysts and frequently are not created in the
context of a formal development methodology. These applications may lack
appropriate standards, controls, quality assurance procedures, and
documentation. A risk of end-user applications is that management may rely on
them as much as traditional applications.
B. EUC systems typically result in reduced application development and
maintenance costs.
C. EUC systems typically result in a reduced development cycle time.
D. EUC systems normally increase flexibility and responsiveness to management’s
information requests because the system is being developed directly by the user
community.
4.6 DATA GOVERNANCE
4.6.1 DATA MANAGEMENT
Data Quality
Data quality is key to data management. There are three subdimensions of quality:
• Intrinsic
• Contextual
• Security/accessibility
Data Life Cycle
4.7.3 ACCESS CONTROL SOFTWARE
• System software implementation
• Authorization documentation
• System documentation
• System software maintenance activities
• System software change controls
• System software installation change controls
4.7.6 SOFTWARE LICENSING ISSUES
Discussion Question
Justification:
A. An IS auditor’s obligation is to report on observations noted and make the best
recommendation, which is to address the situation through policy. The IT
department cannot implement controls in the absence of the authority provided
through policy.
B. Lack of specific language addressing unauthorized software in the acceptable
use policy is a weakness in administrative controls. The policy should be
reviewed and updated to address the issue—and provide authority for the IT
department to implement technical controls.
C. Preventing downloads of unauthorized software is not the complete solution.
Unauthorized software can also be introduced through compact discs (CDs) and
universal serial bus (USB) drives.
D. Requiring approval from the IS manager before installation of the nonstandard
software is an exception handling control. It would not be effective unless a
preventive control to prohibit user installation of unauthorized software is
established first.
4.7.7 SOURCE CODE MANAGEMENT
4.7.8 CAPACITY MANAGEMENT
Capacity Planning and Monitoring Elements
4.8.1 PROBLEM MANAGEMENT
Fishbone/Ishikawa Cause-and-effect Diagrams
4.8.1 PROBLEM MANAGEMENT
Objective
Source: ISACA, CISA Review Manual 26th Edition, 4.2.5 Incident and Problem Management
4.8.2 PROCESS OF INCIDENT HANDLING
4.8.3 DETECTION, DOCUMENTATION, CONTROL, RESOLUTION AND REPORTING OF ABNORMAL CONDITIONS
4.8.4 SUPPORT/HELP DESK
Typical Support Functions
4.8.5 NETWORK MANAGEMENT TOOLS
4.8.6 PROBLEM MANAGEMENT REPORTING REVIEWS
4.9.1 PATCH MANAGEMENT
4.9.2 RELEASE MANAGEMENT
Major release
• Normally contains a significant change or addition of new functionality
• Usually supersedes all preceding minor upgrades
Minor release
• Upgrades, offering small enhancements and fixes
• Usually supersedes all preceding emergency fixes
Emergency release
• Normally contains corrections to a small number of known problems
• Requires implementation as quickly as possible, which limits the execution of testing and release management activities
Discussion Question
Justification:
A. While system administrators would normally install patches, it is more important
that changes be made according to a formal procedure that includes testing and
implementing the change during nonproduction times.
B. The change management process, which would include procedures regarding
implementing changes during production hours, helps to ensure that this type
of event does not recur. An IS auditor should review the change management
process, including patch management procedures, to verify that the process has
adequate controls and to make suggestions accordingly.
C. While patches would normally undergo testing, it is often impossible to test all
patches thoroughly. It is more important that changes be made during
nonproduction times, and that a backout plan is in place in case of problems.
D. An approval process alone could not directly prevent this type of incident from
happening. There should be a complete change management process that
includes testing, scheduling and approval.
Discussion Question
Justification:
A. Ensuring that automatic updates are enabled on production servers may be a
valid way to manage the patching process; however, this would not provide
assurance that all servers are being patched appropriately.
B. Verifying patches manually on a sample of production servers will be less effective
than automated testing and introduces a significant audit risk. Manual testing is
also difficult and time consuming.
C. The change management log may not be updated on time and may not accurately
reflect the patch update status on servers. A better testing strategy is to test the
server for patches, rather than examining the change management log.
D. An automated tool can immediately provide a report on which patches have
been applied and which are missing.
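What such an automated report looks like, as an added example that is not the CISA Review Manual's own material and not the output of any real patch tool: each server's installed package versions are compared numerically against the minimum versions required by the patch baseline. The baseline and the inventory are constructed sample data; in practice the inventory would be collected by the package manager or the patch tool's agent.

```python
"""Patch status report from an inventory: which required package versions
are applied on each server and which are missing.

Added example, not from the CISA Review Manual and not the output of any
real patch management tool. Baseline and inventory are constructed data.
"""
from __future__ import annotations

import re


def parse_version(text: str) -> tuple[int, ...]:
    """'5.15.10-3' -> (5, 15, 10, 3).  Compare numerically: as strings,
    '5.15.9' sorts after '5.15.10' and a missing patch would wrongly pass.
    Components of unequal length compare as tuples, so '5.15' < '5.15.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def patch_report(baseline: dict[str, str],
                 inventory: dict[str, dict[str, str]]) -> dict[str, dict[str, list[str]]]:
    """Per server: the baseline packages that are applied and those missing."""
    report: dict[str, dict[str, list[str]]] = {}
    for server, installed in inventory.items():
        applied, missing = [], []
        for package, required in baseline.items():
            have = installed.get(package)
            if have is not None and parse_version(have) >= parse_version(required):
                applied.append(package)
            else:
                missing.append(f"{package} (have {have or 'nothing'}, need >= {required})")
        report[server] = {"applied": sorted(applied), "missing": sorted(missing)}
    return report


def noncompliant_servers(report: dict[str, dict[str, list[str]]]) -> list[str]:
    """Servers with at least one missing patch, for the auditor's exception list."""
    return sorted(server for server, status in report.items() if status["missing"])


# Constructed baseline: minimum version required by the current patch cycle.
BASELINE = {"kernel": "5.15.10", "openssl": "3.0.13", "sudo": "1.9.15"}

# Constructed inventory as an agent or package manager might report it.
INVENTORY = {
    "web-01": {"kernel": "5.15.12", "openssl": "3.0.13", "sudo": "1.9.15"},
    "web-02": {"kernel": "5.15.9", "openssl": "3.0.13", "sudo": "1.9.15"},
    "db-01": {"kernel": "5.15.10", "openssl": "3.0.11"},   # sudo not installed
}


def demo() -> dict[str, dict[str, list[str]]]:
    return patch_report(BASELINE, INVENTORY)


if __name__ == "__main__":
    for server, status in demo().items():
        print(server, "MISSING:", status["missing"] or "none")
```

The report is only as trustworthy as the inventory feeding it: an agent that has stopped reporting produces no entry rather than a missing-patch entry, so the auditor should also compare the inventory's host list against the asset register before relying on the "applied" column.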
Discussion Question
A. Change management
B. Backup and recovery
C. Incident management
D. Configuration management
Justification:
A. Change management is important to control changes to the configuration, but the
baseline itself refers to a standard configuration.
B. Backup and recovery of the configuration are important, but not used to create
the baseline.
C. Incident management will determine how to respond to an adverse event, but is
not related to recording baseline configurations.
D. The configuration management process may include automated tools that will
provide an automated recording of software release baselines. Should the new
release fail, the baseline will provide a point to which to return.
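How a recorded baseline gives a release a point to return to, as an added example that is not the CISA Review Manual's own material: the baseline is a manifest of configuration items and their content hashes taken at a known-good release; comparing the live state against it lists what was modified, removed or added. The configuration items are constructed in memory (path to content) rather than read from disk, and the release names are invented.

```python
"""Recording a configuration baseline for a release and detecting drift
from it, so that a failed release has a known point to return to.

Added example, not from the CISA Review Manual. Configuration items are
constructed in memory (path -> content); release names are invented.
"""
from __future__ import annotations

import hashlib


def record_baseline(items: dict[str, str]) -> dict[str, str]:
    """Manifest: each configuration item mapped to the SHA-256 of its content."""
    return {path: hashlib.sha256(content.encode()).hexdigest()
            for path, content in items.items()}


def detect_drift(baseline: dict[str, str],
                 current_items: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live configuration against a recorded manifest."""
    current = record_baseline(current_items)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def is_clean(drift: dict[str, list[str]]) -> bool:
    return not any(drift.values())


# Constructed configuration as deployed with release "2.3" (the known-good state).
RELEASE_2_3 = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/nginx/nginx.conf": "server_tokens off;\n",
    "/etc/sudoers.d/ops": "%ops ALL=(ALL) /usr/bin/systemctl\n",
}

# Constructed live state after release "2.4" was pushed: root login was
# re-enabled, the sudoers drop-in disappeared and an unreviewed file appeared.
AFTER_2_4 = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/nginx/nginx.conf": "server_tokens off;\n",
    "/etc/cron.d/debug": "* * * * * root /opt/debug.sh\n",
}


def demo_drift() -> dict[str, list[str]]:
    """What the post-release check reports against the 2.3 baseline."""
    return detect_drift(record_baseline(RELEASE_2_3), AFTER_2_4)


def demo_rollback() -> bool:
    """After redeploying the recorded 2.3 content the check reports no drift."""
    return is_clean(detect_drift(record_baseline(RELEASE_2_3), RELEASE_2_3))


if __name__ == "__main__":
    for kind, paths in demo_drift().items():
        print(f"{kind}: {paths or '-'}")
```

The manifest must be stored where the release process cannot overwrite it (a separate repository or a write-once store), otherwise a bad release can silently rebase the baseline to itself and the drift check reports nothing.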
Discussion Question
Justification:
A. It may be appropriate to allow programmers to make emergency changes as
long as they are documented and approved after the fact.
B. Restricting release time frame may help somewhat; however, it would not apply
to emergency changes and cannot prevent unauthorized release of the programs.
C. Obtaining secondary approval before releasing to production is not relevant in an
emergency situation.
D. Disabling the compiler option in the production machine is not relevant in an
emergency situation.
4.9.3 IS OPERATIONS
IS Operations Reviews
• Observe IS personnel
• Review operator access
• Consider adequacy of operator manuals
4.10 IT SERVICE LEVEL MANAGEMENT
4.10.1 SERVICE LEVEL AGREEMENTS
4.10.2 MONITORING OF SERVICE LEVELS
Discussion Question
Justification:
A. Resolving issues related to exception reports is an operational issue that should
be addressed in the service level agreement (SLA); however, a response time of
one day may be acceptable depending on the terms of the SLA.
B. The complexity of application logs is an operational issue, which is not related to
the SLA.
C. Lack of performance measures will make it difficult to gauge the efficiency and
effectiveness of the IT services being provided.
D. While it is important that the document be current, depending on the term of the
agreement, it may not be necessary to change the document more frequently
than annually.
Discussion Question
Justification:
A. There is no reason to postpone an audit because a service agreement is not
documented, unless that is all that is being audited. The agreement can be
documented after it has been established that there is an agreement in place.
B. Reporting to senior management is not necessary at this stage of the audit
because this is not a serious immediate vulnerability.
C. An IS auditor should first confirm and understand the current practice before
making any recommendations. Part of this will be to ensure that both parties
are in agreement with the terms of the agreement.
D. Drafting a service level agreement (SLA) is not the IS auditor’s responsibility.
Discussion Question
Justification:
A. The master agreement typically includes terms, conditions and costs but does not
typically include service levels.
B. Metrics allow for a means to measure performance. Service level agreements
(SLAs) are statements related to expected service levels. For example, an
Internet service provider (ISP) may guarantee that their service will be available
99.99 percent of the time.
C. If applicable to the service, results of business continuity tests are typically
included as part of the due diligence review.
D. Independent audits report on the financial condition of an organization or the
control environment. Reviewing audit reports is typically part of the due diligence
review. Even audits must be performed against a set of standards or metrics to
validate compliance.
4.11 DATABASE MANAGEMENT
4.11.2 DATABASE STRUCTURE
4.11.3 DATABASE CONTROLS
4.11.4 DATABASE REVIEWS
• Logical schema
• Physical schema
• Access time reports
• Database-supported IS controls
• IT asset management
Discussion Question
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.
D. application malfunctions.
Justification:
A. Denormalization should not cause loss of confidentiality even though confidential
data may be involved. The database administrator (DBA) should ensure that
access controls to the databases remain effective.
B. Normalization is a design or optimization process for a relational database that
minimizes redundancy; therefore, denormalization would increase redundancy.
Redundancy, which is usually considered positive when it is a question of
resource availability, is negative in a database environment because it demands
additional and otherwise unnecessary data handling efforts. Denormalization is
sometimes advisable for functional reasons.
C. Denormalization pertains to the structure of the database, not the access
controls. It should not result in unauthorized access.
D. Denormalization may require some changes to the calls between databases and
applications, but should not cause application malfunctions.
Discussion Question
A. reduced exposure.
B. reduced threat.
C. less criticality.
D. less sensitivity.
Justification:
A. Segmenting data reduces the quantity of data exposed as a result of a particular
event.
B. The threat may remain constant, but each segment may represent a different
vector against which it must be directed.
C. Criticality (availability) of data is not affected by the manner in which it is
segmented.
D. Sensitivity of data is not affected by the manner in which it is segmented.
Discussion Question
Justification:
A. Data authorization controls should be driven by the policy. While there may be
some technical controls that could be adjusted, if the data changes happen
infrequently, then an exception process would be the better choice.
B. While adequate segregation of duties is important, it is simpler to fix the policy
versus adding additional controls to enforce segregation of duties.
C. If the users are granted access to change data in support of the business
requirements, but the policy forbids this, then perhaps the policy needs some
adjustment to allow for policy exceptions to occur.
D. Audit trails are needed, but this is not the best long-term solution to address this
issue. Additional resources would be required to review logs.
Discussion Question
Justification:
A. The IS auditor should recommend implementation of processes that could
prevent or detect improper changes from being made to the major application
roles. The application role change request process should start and be approved
by the business owner; then, the IS director can make the changes to the
application.
B. While it is preferred that a strict segregation of duties (SoD) be adhered to and
that additional staff be recruited, this practice is not always possible in small
enterprises. The IS auditor must look at recommended alternative processes.
C. An automated process for managing application roles may not be practical to
prevent improper changes being made by the IS director, who also has the most
privileged access to the application.
D. Making the existing process available on the enterprise intranet would not
provide any value to protect the system.
Discussion Question
Justification:
A. Creating before and after images is the best way to ensure that the appropriate
data have been updated in a direct data change. The screen shots would include
the data prior to and after the change.
B. Having approved implementation plans would verify that the change was
approved to be implemented but will not ensure that the appropriate change was
made.
C. Having an approved validation plan will ensure that the data change had a
validation plan designed prior to the data change but will not ensure that the data
change was appropriate and correct.
D. Data file security would only ensure that the user making the data change was
appropriate. It would not ensure that the data change was correct.
PART B: Business Resilience
4.12 BUSINESS IMPACT ANALYSIS
4.12.1 CLASSIFICATION OF OPERATIONS AND CRITICALITY ANALYSIS
Many organizations use the likelihood (risk) of occurrence of a disruptive event to determine a reasonable cost of being prepared for it.
4.13.1 APPLICATION RESILIENCY AND DISASTER RECOVERY METHODS
Protecting an application against a disaster entails
providing a way to restore it as quickly as possible.
Clustering makes it possible to do so.
There are two major types of application clusters:
active-passive and active-active.
4.13.2 TELECOMMUNICATION NETWORKS RESILIENCY AND DISASTER RECOVERY METHODS
• Redundancy
• Alternative routing
• Diverse routing
• Long-haul network diversity
• Last-mile circuit protection
• Voice recovery
Discussion Question
Justification:
A. After understanding the devices in the network, a good practice for using the
device should be reviewed to ensure that there are no anomalies within the
configuration.
B. Identification of which component is missing can only be known upon reviewing
and understanding the topology and a good practice for deployment of the device
in the network.
C. The first step is to understand the importance and role of the network device
within the organization’s network topology.
D. Identification of which subcomponent is being used inappropriately can only be
known upon reviewing and understanding the topology and a good practice for
deployment of the device in the network.
Discussion Question
A. Malware on servers
B. Firewall misconfiguration
C. Increased spam received by the email server
D. Unauthorized network activities
Justification:
A. The existence of malware on the organization’s server could contribute to
network performance issues, but the degraded performance would not likely be
restricted to business hours.
B. Firewall misconfiguration could contribute to network performance issues, but
the degraded performance would not likely be restricted to business hours.
C. The existence of spam on the organization’s email server could contribute to
network performance issues, but the degraded performance would not likely be
restricted to business hours.
D. Unauthorized network activities—such as employee use of file or music sharing
sites or online gambling or personal email containing large files or photos—
could contribute to network performance issues. Because the IS auditor found
the degraded performance during business hours, this is the most likely cause.
4.14.1 DATA STORAGE RESILIENCY AND DISASTER RECOVERY METHODS
Redundant Array of Independent (or Inexpensive)
Disks (RAID) is the most common, basic way to
protect data against a single point of failure, in this
instance, a disk failure.
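How parity lets an array survive one disk failure, as an added example that is not from the CISA Review Manual: a miniature stripe of three data blocks and one parity block (the RAID 5 idea, with the parity shown on a fixed disk for simplicity), where the parity is the bytewise XOR of the data and any single missing block is the XOR of the survivors. The "disks" are byte strings held in memory and the sample data are constructed.

```python
"""Single-parity striping in miniature: the parity block lets the data on
one failed disk be rebuilt from the survivors, and a second failure before
the rebuild finishes is unrecoverable.

Added example, not from the CISA Review Manual. The four "disks" are byte
strings in memory; three data blocks followed by one parity block is a
simplification of a real RAID 5 layout, which rotates the parity.
"""
from __future__ import annotations

from typing import Optional


def xor_blocks(blocks: list[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks; the parity of a stripe."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks in a stripe must have the same length")
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks: list[bytes]) -> list[bytes]:
    """Data blocks plus their parity block, one per disk."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def verify_stripe(stripe: list[bytes]) -> bool:
    """Parity check: XOR over every disk of a consistent stripe is all zeros."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


def reconstruct(stripe: list[Optional[bytes]]) -> list[bytes]:
    """Rebuild the one missing block (None) from the survivors.
    Since a ^ b ^ c ^ p == 0, any single block equals the XOR of all the
    others; this holds whether the failed disk held data or parity."""
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) > 1:
        raise ValueError("single parity tolerates only one failed disk per stripe")
    rebuilt = list(stripe)
    if missing:
        survivors = [b for b in stripe if b is not None]
        rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt  # type: ignore[return-value]  # no None left at this point


# Constructed sample: one stripe of three 8-byte data blocks.
DATA = [b"ACCT0001", b"BAL12345", b"TXN98765"]


def demo_lose_data_disk() -> bool:
    """Disk 1 (a data disk) fails; the rebuilt stripe equals the original."""
    stripe = write_stripe(DATA)
    damaged: list[Optional[bytes]] = list(stripe)
    damaged[1] = None
    return reconstruct(damaged) == stripe


def demo_lose_parity_disk() -> bool:
    """Disk 3 (the parity disk) fails; parity is recomputed from the data."""
    stripe = write_stripe(DATA)
    damaged: list[Optional[bytes]] = list(stripe)
    damaged[3] = None
    return reconstruct(damaged) == stripe


def demo_lose_two_disks() -> bool:
    """Two failures in the same stripe: single parity cannot recover."""
    damaged: list[Optional[bytes]] = list(write_stripe(DATA))
    damaged[0] = damaged[2] = None
    try:
        reconstruct(damaged)
    except ValueError:
        return True
    return False


def demo_silent_corruption() -> bool:
    """A flipped byte breaks the parity check (detectable), but parity alone
    cannot say which disk holds the wrong block."""
    stripe = write_stripe(DATA)
    corrupted = list(stripe)
    corrupted[0] = bytes([stripe[0][0] ^ 0x01]) + stripe[0][1:]
    return verify_stripe(corrupted)


if __name__ == "__main__":
    print("rebuild after data-disk loss:", demo_lose_data_disk())
    print("rebuild after parity-disk loss:", demo_lose_parity_disk())
    print("two-disk loss recoverable:", not demo_lose_two_disks())
    print("corrupted stripe passes parity:", demo_silent_corruption())
```

The last two demos are the auditor's caveats: single parity covers exactly one failed disk per stripe, so the exposure window is the rebuild time, and parity protects against disk failure, not against a deletion, a ransomware write or an application bug, all of which are faithfully mirrored into the parity. RAID is availability, not backup.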
4.14.2 BACKUP AND RESTORATION
Maintenance and protection of a catalog of information regarding data files
4.14.3 BACKUP SCHEMES
4.15 BUSINESS CONTINUITY PLAN
4.15.1 IT BUSINESS CONTINUITY PLANNING
The results of risk assessment and BIA are fed into the IS
business continuity strategy.
4.15.2 DISASTERS AND OTHER DISRUPTIVE EVENTS
Disasters are disruptions that cause critical
information resources to be inoperative for a period
of time, adversely impacting organizational
operations.
Dealing With Damage to Image, Reputation or Brand
The consequences of damaging rumors may be devastating. One of the worst consequences of a crisis is the loss of trust.
Business Continuity Planning Life Cycle
4.15.4 BUSINESS CONTINUITY POLICY
4.15.5 BUSINESS CONTINUITY PLANNING INCIDENT MANAGEMENT
4.15.6 DEVELOPMENT OF BUSINESS CONTINUITY PLANS
The various factors that should be considered while
developing/reviewing the plan are:
• Predisaster readiness covering incident response
management to address all relevant incidents affecting
business processes
• Evacuation procedures
• Procedures for declaring a disaster (rating and escalation
procedures)
• Circumstances under which a disaster should be declared
• Responsible parties
• Contract information
• The step-by-step explanation of the recovery process
• The clear identification of the various resources required for
recovery and continued operation of the organization
4.15.8 COMPONENTS OF A BUSINESS CONTINUITY PLAN
• Evacuation plan
• Occupant emergency plan
• Emergency relocation plan
Source: ISACA, CISA Review Manual 26th Edition, 2.12.9 Components of a Business Continuity Plan
Components of a BCP
Insurance
4.15.9 PLAN TESTING
Business Continuity Management Good Practices
4.15.10 SUMMARY OF BUSINESS CONTINUITY
4.15.11 AUDITING BUSINESS CONTINUITY
Reviewing the Business Continuity Plan
• Evaluate prior test results
• Evaluate key personnel through interviews
• Evaluate offsite storage facilities, including security controls
4.16.1 RECOVERY POINT OBJECTIVE AND RECOVERY TIME OBJECTIVE
4.16.2 RECOVERY STRATEGIES
130
4.16.3 RECOVERY ALTERNATIVES
Hot sites
• A facility with all of the IT and communications
equipment required to support critical
applications, along with office accommodations
for personnel.
Warm sites
• A complete infrastructure, partially configured for IT,
usually with network connections and essential
peripheral equipment. Current versions of programs
and data would likely need to be installed before
operations could resume at the recovery site.
Cold sites
• A facility with the space and basic infrastructure to
support the resumption of operation but lacking any
IT or communications equipment, programs, data or
office support.
Mirrored sites
• A fully redundant site with real-time data
replication from the production site.
Mobile sites
• Modular processing facilities mounted on
transportable vehicles, ready to be
delivered and set up on an as-needed
basis.
Reciprocal arrangements
4.16.4 DEVELOPMENT OF DISASTER RECOVERY PLANS
Typically, the IT DRP contains:
• Procedures for declaring a disaster (escalation
procedures)
• Criteria for plan activation (i.e., in which circumstances
the disaster is declared, when the IT DRP is put to
action, which scenarios are covered by the plan [loss of
the IT system, loss of the processing site, loss of the
office])
• Linkage with the overarching plans (for instance,
emergency response plan or crisis management plan or
BCPs for different lines of business)
• The person (or people) responsible for each function in
plan execution
• Recovery teams and their responsibilities
• Contact and notification lists (contact information for
recovery teams, recovery managers, stakeholders, etc.)
• The step-by-step explanation of the whole recovery
process (i.e., where and when the recovery should take
place [the same site or backup site], what has to be
recovered [IT systems, networks, etc.], the order of
recovery)
• Recovery procedures (for each IT system or component).
Note: the level of detail here greatly varies and depends
on the practices used in the organization.
• Contacts for important vendors and suppliers
• The clear identification of the various resources required
for recovery and continued operation of the
organization
The Recovery/Continuity/Response Teams
4.16.5 DISASTER RECOVERY TESTING METHODS
Types of Tests
Progression of DR Tests
Test Results
• Time
• Data
• Amount
• Percentage and/or number
• Accuracy
4.16.6 INVOKING DISASTER RECOVERY PLANS
Discussion Question
Justification:
A. The incident response plan (IRP) determines the information security responses
to incidents such as cyberattacks on systems and/or networks. This plan
establishes procedures to enable security personnel to identify, mitigate and
recover from malicious computer incidents such as unauthorized access to a
system or data, denial-of-service (DoS) or unauthorized changes to system
hardware or software.
B. The IT contingency plan addresses IT system disruptions and establishes
procedures for recovering from a major application or general support system
failure. The contingency plan deals with ways to recover from an unexpected
failure, but it does not address the identification or prevention of cyberattacks.
C. The business continuity plan (BCP) addresses business processes and provides
procedures for sustaining essential business operations while recovering from a
significant disruption. While a cyberattack could be severe enough to require use
of the BCP, the IRP would be used to determine which actions should be taken—
both to stop the attack as well as to resume normal operations after the attack.
D. The continuity of operations plan (COOP) addresses the subset of an
organization’s missions that are deemed most critical and contains procedures to
sustain these functions at an alternate site for a short time period.
Discussion Question
Justification:
A. A postincident review examines both the cause and response to an incident.
The lessons learned from the review can be used to improve internal controls.
Understanding the purpose and structure of postincident reviews and follow-up
procedures enables the information security manager to continuously improve
the security program. Improving the incident response plan based on the
incident review is an internal (corrective) control.
B. A postincident review may result in improvements to controls, but its primary
purpose is not to harden a network.
C. The purpose of postincident review is to ensure that the opportunity is presented
to learn lessons from the incident. It is not intended as a forum to educate
management.
D. An incident may be used to emphasize the importance of incident response, but
that is not the intention of the postincident review.
Discussion Question
Justification:
A. Regardless of the capability of local IT resources, the most critical risk would be
the lack of testing, which would identify quality issues in the recovery process.
B. The corporate business continuity plan (BCP) may not include disaster recovery
plan (DRP) details for remote offices. It is important to ensure that the local plans
have been tested.
C. Security is an important issue because many controls may be missing during a
disaster. However, not having a tested plan is more important.
D. The backups cannot be trusted until they have been tested. However, this should
be done as part of the overall tests of the DRP.
Discussion Question
Justification:
A. The availability of key personnel does not ensure that backup and restore
procedures will work effectively.
B. The effectiveness of backup and restore procedures is best ensured by recovery
time objectives (RTOs) being met because these are the requirements that are
critically defined during the business impact analysis stage, with the inputs and
involvement of all business process owners.
C. The inventory of the backup tapes is only one element of the successful recovery.
D. The restoration of backup tapes is a critical success, but only if they were able to
be restored within the time frames set by the RTO.
Discussion Question
A. Executive management
B. IT management
C. Board of directors
D. Steering committee
Justification:
A. Although executive management’s approval is essential, the IT department is
responsible for managing system resources and their availability as related to
disaster recovery (DR).
B. Because a disaster recovery plan (DRP) is based on the recovery and
provisioning of IT services, IT management’s approval would be most important
to verify that the system resources will be available in the event that a disaster
event is triggered.
C. The board of directors may review and approve the DRP, but the IT department is
responsible for managing system resources and their availability as related to DR.
D. The steering committee would determine the requirements for disaster recovery
(recovery time objective [RTO] and recovery point objective [RPO]); however, the
IT department is responsible for managing system resources and their availability
as related to DR.
Discussion Question
Justification:
A. Testing a sample population of changes is a test of compliance and operating
effectiveness to ensure that users submitted the proper documentation/requests.
It does not test the effectiveness of the design.
B. Testing changes that have been authorized may not provide sufficient assurance
of the entire process because it does not test the elements of the process related
to authorization or detect changes that bypassed the controls.
C. Interviewing personnel in charge of the change control process is not as effective
as a walk-through of the change controls process because people may know the
process but not follow it.
D. Observation is the best and most effective method to test changes to ensure
that the process is effectively designed.
Discussion Question
Justification:
A. Inadequate agreements between two business units is a risk, but generally a
lesser one than the risk that both organizations will suffer a disaster at the same
time.
B. The use of reciprocal disaster recovery is based on the probability that both
organizations will not suffer a disaster at the same time.
C. While incompatible IT systems could create problems, it is a less significant risk
than both organizations suffering from the same disaster at the same time.
D. While one party may utilize the other’s resources more frequently, this can be
addressed by contractual provisions and is not a major risk.
Discussion Question
Justification:
A. Problem and severity assessment would provide information necessary in
declaring a disaster, but the lack of a crisis declaration point would not delay the
assessment.
B. Execution of the business continuity and disaster recovery plans would be
impacted if the organization does not know when to declare a crisis.
C. After a potential crisis is recognized, the teams responsible for crisis management
need to be notified. Delaying the declaration of a disaster would impact or negate
the effect of having response teams, but this is only one part of the larger impact.
D. Potential crisis recognition is the first step in recognizing or responding to a
disaster and would occur prior to the declaration of a disaster.
Discussion Question
Justification:
A. The interruption window is defined as the amount of time during which the
organization is unable to maintain operations from the point of failure to the time
that the critical services/applications are restored.
B. The recovery time objective (RTO) is determined based on the acceptable
downtime in the case of a disruption of operations.
C. The service delivery objective (SDO) is directly related to the business needs. SDO
is the level of services to be reached during the alternate process mode until the
normal situation is restored.
D. The recovery point objective (RPO) is determined based on the acceptable data
loss in the case of a disruption of operations. RPO defines the point in time
from which it is necessary to recover the data and quantifies, in terms of time,
the permissible amount of data loss in the case of interruption.
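The RPO and RTO definitions above, and the earlier point that backup and restore procedures are proven only when the RTO is met, as an added example that is not from the CISA Review Manual: a recovery test is scored by measuring the data-loss window (failure time minus the last completed backup) against the RPO and the downtime (restore completion minus failure) against the RTO. The backup schedule, failure time, restore time and objectives are constructed figures for one hypothetical application; the example also checks the schedule itself, because a test that happens to fail shortly after a backup says nothing about the worst case.

```python
"""Scoring a recovery test against the recovery point objective (RPO) and
recovery time objective (RTO).

Added example, not from the CISA Review Manual. Backup schedule, failure
time, restore completion time and objectives are constructed figures.
"""
from __future__ import annotations

from datetime import datetime, timedelta


def data_loss_window(backups: list[datetime], failure: datetime) -> timedelta:
    """Data loss for this failure: time since the last backup that completed
    before the failure (everything written after it is gone)."""
    usable = [b for b in backups if b <= failure]
    if not usable:
        raise ValueError("no backup completed before the failure")
    return failure - max(usable)


def worst_case_loss(backups: list[datetime]) -> timedelta:
    """Largest gap between consecutive backups: the loss if the failure
    happens just before the next backup completes."""
    ordered = sorted(backups)
    return max(b - a for a, b in zip(ordered, ordered[1:]))


def evaluate_test(backups: list[datetime], failure: datetime, restored: datetime,
                  rpo: timedelta, rto: timedelta) -> dict:
    loss = data_loss_window(backups, failure)
    down = restored - failure
    return {
        "data_loss": loss,
        "rpo_met_in_test": loss <= rpo,              # this failure only
        "schedule_meets_rpo": worst_case_loss(backups) <= rpo,  # any failure time
        "downtime": down,
        "rto_met": down <= rto,
    }


# Constructed schedule: four backups a day, six hours apart (completion times).
BACKUPS = [datetime(2024, 3, 4, h) for h in (0, 6, 12, 18)]
FAILURE = datetime(2024, 3, 4, 14, 30)
RESTORED = datetime(2024, 3, 4, 21, 0)
RPO = timedelta(hours=4)
RTO = timedelta(hours=8)


def demo() -> dict:
    return evaluate_test(BACKUPS, FAILURE, RESTORED, RPO, RTO)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these figures the test itself passes (2.5 hours of loss against a 4-hour RPO, 6.5 hours of downtime against an 8-hour RTO), yet the six-hour backup interval cannot meet a four-hour RPO for an arbitrary failure time; the maximum interval between completed backups is what bounds the RPO, not the outcome of one test. Two practical details the example glosses over: use backup completion times, not start times, and count the restore as finished only when the restored data have been validated, since a fast restore of a corrupt backup meets neither objective.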
Discussion Question
Justification:
A. While the strategic alignment of IT with the business is important, it is not directly
related to the gap identified in this scenario.
B. IT risk is managed by embedding accountability into the enterprise. The IS
auditor should recommend the implementation of accountability rules to
ensure that all responsibilities are defined within the organization. Note that
this question asks for the best recommendation—not about the finding itself.
C. Performing more frequent IS audits is not helpful if the accountability rules are
not clearly defined and implemented.
D. Recommending the creation of a new role (CRO) is not helpful if the
accountability rules are not clearly defined and implemented.
Discussion Question
Justification:
A. It is a common mistake to overemphasize financial value rather than urgency.
For example, while the processing of incoming mortgage loan payments is
important from a financial perspective, it could be delayed for a few days in
the event of a disaster. On the other hand, wiring funds to close on a loan,
while not generating direct revenue, is far more critical because of the
possibility of regulatory problems, customer complaints and reputation
issues.
B. The business strategy (which is often a long-term view) does not have a
direct impact at this point in time.
C. To ensure the organization’s survival following a disaster, it is important to
recover the most critical business processes first.
D. The mere number of recovered systems does not have a direct impact at this
point in time. The importance is to recover systems that would impact
business survival.