INFORMATION SYSTEMS OPERATIONS AND MAINTENANCE (AIS5135)

MODULE 1: COMMON TECHNOLOGY COMPONENTS

Information systems operations and business resilience are important to provide assurance to users and management that the expected level of service will be delivered. Service level expectations are derived from the organization’s business objectives. Information technology (IT) service delivery includes information systems (IS) operations, IT services and management of IS and the groups responsible for supporting them.

Disruptions are also an often-unavoidable factor of doing business. Preparation is key to being able to continue business operations while protecting people, assets and reputation. Employing business resiliency tactics helps organizations address these issues and limit the impact.

INTRODUCTION
IT service management practices are important to provide assurance to users and to management that the expected level of service will be delivered.

Service level expectations are derived from the organization’s business objectives. IT service delivery includes IS operations, IT services, and management of IS and the groups responsible for supporting them. IT services are built on service management frameworks.

COMMON TECHNOLOGY COMPONENTS
This section introduces:
• Technology components
• Hardware platforms
• Basic concepts of, and history behind, the different types of computers
• Advances in IT

Also discussed are the key audit considerations, such as capacity management, system monitoring, maintenance of hardware and typical steps in the acquisition of new hardware.

COMPUTER HARDWARE COMPONENTS AND ARCHITECTURES
Interdependent components that perform specific functions and can be classified as either processing or input/output.

PROCESSING COMPONENTS
Processors respond to and process all the instructions from hardware and software running in the computer. The central component of a computer is the central processing unit (CPU). Computers may:
• Have the CPU on a single chip (microprocessors)
• Have more than one CPU (multi-processor)
• Contain multiple CPUs on a single chip (multi-core processors)

The CPU consists of an arithmetic logic unit (ALU), a control unit and an internal memory. The control unit contains electrical circuits that control/direct all operations in the computer system. The ALU performs mathematical and logical operations. The internal memory (i.e., CPU registers) is used for processing transactions.

Other key components of a computer include:
a. Motherboard
   o Main printed circuit board within a computer
   o Primary piece of circuitry that all of the other pieces plug into to create a cohesive whole
b. Random access memory (RAM)
   o Computer’s primary working memory
   o Volatile part - Temporary nature of the stored data; when the power is turned off or interrupted, the data stored in volatile memory is lost, as if it evaporates or disappears.
   o Each byte can be accessed randomly regardless of adjacent bytes
c. Read-only memory (ROM)
   o Data can only be read and is near impossible to modify
   o Non-volatile
d. Permanent storage devices (hard disk drive or solid-state drive [SSD])
   o SSD - nonvolatile storage device that stores persistent data on solid-state flash memory. SSDs have no moving components and, therefore, require less energy. Data are stored in integrated circuits flash memory
   o HDD - contain spinning disks and movable read/write heads, where data are stored magnetically
e. A power supply unit

INPUT/OUTPUT (I/O) COMPONENTS
Used to pass instructions/information to the computer and to display or record the output generated by the computer:
• Some components, such as the keyboard and mouse, are input-only devices
• While others, such as the touch screen, are both input and output devices.
• Printers are an example of an output-only device.

TYPES OF COMPUTERS
Computers can be categorized according to several criteria – mainly their: (1) Processing Power, (2) Size, and (3) Architecture.

1. SUPERCOMPUTERS. Very large and expensive computers with the highest processing speed
   o Designed to be used for specialized purposes or fields that require extensive processing power (e.g., complex mathematical or logical calculations).
   o They are typically dedicated to a few specific specialized system or application programs.

2. MAINFRAMES. Large, general-purpose computers that are made to share their processing power and facilities with thousands of internal or external users.
   o Mainframes accomplish this by executing a large variety of tasks almost simultaneously.
   o The range of capabilities of these computers is extensive.
   o A mainframe computer often has its own proprietary OS that can support background (batch) and real-time (online) programs operating parallel applications.
   o Mainframes have traditionally been the main data processing and data warehousing resource of large organizations and, as such, have long been protected by a number of the early security and control tools.

3. HIGH-END AND MIDRANGE SERVERS. Multiprocessing systems capable of supporting thousands of simultaneous users.
   o In size, power, and speed, they can be comparable to a mainframe.
   o High-end/midrange servers have many of the control features of mainframes such as online memory and CPU management, physical and logical partitioning, etc.
   o Their capabilities are also comparable to mainframes in terms of speed for processing data and execution of client programs, but they cost much less than mainframes.
   o Their OSs and system software base components are often commercial products.
   o The higher-end devices generally use UNIX and, in many cases, are used as database servers.
   o While smaller devices are more likely to utilize the Windows OS and be used as application servers and file/print servers.

4. PERSONAL COMPUTERS (PCs). Small computer systems referred to as PCs or workstations that are designed for individual users, inexpensively priced and based on microprocessor technology.
   o Their use includes office automation functions such as word processing, spreadsheets, and email; small database management; interaction with web-based applications; and others such as personal graphics, voice, imaging, design, web access and entertainment.
   o Although designed as single-user systems, these computers are commonly linked together to form a network.

5. THIN CLIENT COMPUTERS. These are personal computers that are generally configured with minimal hardware features (e.g., diskless workstation).
   o With the intent being that most processing occurs at the server level using software, such as Microsoft Terminal Services or Citrix Presentation Server, to access a suite of applications.
   o Computers used in banks, which open all the systems and close at the end of the banking day.

6. LAPTOP COMPUTERS. Lightweight (under 10 pounds/5 kilograms) personal computers that are easily transportable and are powered by a normal AC connection or by a rechargeable battery pack.
   o Similar to the desktop variety of personal computers in capability, they have similar CPUs, memory capacity and disk storage capacity.
   o But the battery pack makes them less vulnerable to power failures.
   o Being portable, these are vulnerable to theft. Devices may be stolen to obtain information contained therein and hijack connectivity, either within an internal local area network (LAN) or remotely.

7. SMARTPHONES, TABLETS AND OTHER HANDHELD DEVICES. Handheld devices that enable their users to use a small computing device as a substitute for a laptop computer.
   o Some of its uses include a scheduler, a telephone and address book, creating and tracking to-do lists, an expense manager, eReader, web browser, and an assortment of other functions.
   o Such devices can also combine computing, telephone/fax and networking features together so they can be used anytime and anywhere.
   o Handheld devices are also capable of interfacing with PCs to back up or transfer important information. Likewise, information from a PC can be downloaded to a handheld device.

COMMON ENTERPRISE BACK-END DEVICES
In a distributed environment, many different devices are used to deliver application services. One factor that has significantly changed in recent years is the rapid growth of the Internet of Things (IoT). Organizations need to know and embrace the many connected items in use, including cars, thermostats, video cameras, mattresses and medical equipment, and understand how they are affecting operations.

1. PRINT SERVERS. Businesses of all sizes require that printing capability be made available to users across multiple sites and domains. Generally, a network printer is configured based on where the printer is physically located and who within the organization needs to use it. Print servers allow businesses to consolidate printing resources for cost savings.

2. FILE SERVERS. File servers provide for organization-wide access to files and programs. Document repositories can be centralized to a few locations within the organization and controlled with an access-control matrix. Group collaboration and document management are easier when a document repository is used, rather than dispersed storage across multiple workstations.

3. APPLICATION (PROGRAM) SERVERS. Application servers typically host software programs that provide application access to client computers, including processing the application business logic and communication with the application’s database. Consolidation of applications and licenses in servers enables centralized management and a more secure environment.

4. WEB SERVERS. Web servers provide information and services to external customers and internal employees through web pages. They are normally accessed by their uniform resource locators (URLs).

5. PROXY SERVERS. Proxy servers provide an intermediate link between users and resources. As opposed to direct access, proxy servers will access services on a user’s behalf. Depending on the services being proxied, a proxy server may render more secure and faster response than direct access.

6. DATABASE SERVERS. Database servers store data and act as a repository. The servers concentrate on storing information rather than presenting it to be usable. Application servers and web servers use the data stored in database servers and process the data into usable information.

7. APPLIANCES (SPECIALIZED DEVICES). Appliances provide a specific service and normally are not capable of running other services. As a result, the devices are significantly smaller and faster, and very efficient. Capacity and performance demands require certain services to be run on appliances instead of generic servers.

Examples of appliances:
a. Firewalls. Inspects all traffic going between segments and applies security policies to help ensure a secure network.
b. Intrusion detection systems (IDSs). Listens to all incoming and outgoing traffic to deduce and warn of potentially malicious connections. Used to attract hackers to determine their behavior, not as a form of security.
c. Intrusion prevention systems (IPSs). Actively attempts to prevent intrusion by monitoring traffic and identifying irregular usage patterns. Its disadvantage is that it may produce false positives and be overly restrictive.
d. Switches. Data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks.
e. Routers. Link two or more physically separated network segments. The network segments linked by a router remain logically separated and can function as independent networks.
f. Virtual private networks (VPNs). Provide remote access of the enterprise IT resources or can link two or more physically separate networks through a security tunnel.
g. Load balancers. Distributes traffic across several different devices to increase the performance and availability of IT services.

UNIVERSAL SERIAL BUS
The universal serial bus (USB) is a serial bus standard that interfaces devices with a host.

USB was designed to allow connection of many peripherals to a single standardized interface socket and to improve the plug-and-play capabilities by allowing hot swapping or allowing devices to be connected and disconnected without rebooting the computer or turning off the device.

Other convenient features include providing power to low-consumption devices without the need for an external power supply and allowing many devices to be used without requiring installation of manufacturer-specific, individual device drivers.

USB ports can connect computer peripherals, such as mice, keyboards, tablets, gamepads, joysticks, scanners, digital cameras, printers, personal media players, flash drives and external hard drives. Most operating systems (OSs) recognize when a USB device is connected and load the necessary device drivers.

A memory card or flash drive is a solid-state electronic data storage device that is used with digital cameras, handheld and mobile computers, telephones, music players, video game consoles and other electronics. They offer high recordability, power-free storage, a small form factor and rugged environmental specifications.
• Examples include Memory Stick, CompactFlash, SD (secure digital) and flash drive.

RISKS RELATED TO USBs
1. Viruses and other Malicious Software. USB drives present a vector for computer viruses that is very difficult to defend against. Whenever files are transferred between two machines, there is a risk that malware (e.g., viruses, spyware and keyloggers) will be transmitted, and USB drives are no exception. Some USB drives include a physical switch that can put the drive in read-only mode.

2. Data Theft. Hackers, corporate spies and disgruntled employees steal data, and in many cases, these are crimes of opportunity. With a USB drive, any unattended and unlocked PC with a USB port provides an opportunity for criminal activity. Social engineering can give a hacker physical access to a corporate PC to steal data or plant spyware.

3. Data and Media Loss. The portability of USB drives presents an increased risk for lost data and media. If an unencrypted USB device is lost, any individual who finds the device will be able to access the data on the drive.

4. Corruption of Data. If the drive is improperly unplugged, then data loss can occur due to corruption. USB drives differ from other types of removable media, such as CD-ROM and DVD-ROM devices, because the computer is not automatically alerted when USB drives are removed. Users of USB drives must alert the computer when they intend to remove the device; otherwise, the computer will be unable to perform the necessary clean-up functions required to disconnect the device, especially if files from the device are currently open.

5. Loss of Confidentiality. Because of its convenient small physical size and large logical size, a significant amount of data can be stored on a USB drive. Some stored information is confidential, and loss of data becomes a risk when the drive is lost, increasing the risk of the data falling into the hands of a competitor. Legal issues can also be associated with loss of confidentiality. For example, in the United States, lost or compromised patient data can indicate a breach of patient privacy, thus violating the Health Insurance Portability and Accountability Act (HIPAA).

6. Encryption. An ideal encryption strategy allows data to be stored on the USB drive but renders the data useless without the required encryption key, such as a strong password or biometric data. Products are available to implement strong encryption and comply with the latest Federal Information Processing Standards (FIPS). Encryption is a good method to protect information written to the device from loss or theft of the device. But unless the information is also encrypted on the network or local workstation hard drive, sensitive data still are exposed to theft.

7. Granular Control. Products are available to provide centralized management of ports. Because management is accomplished via the use of specialized software, centralized management from the enterprise to the individual system is possible. As with all security issues, a technological solution in isolation is insufficient. Strong policies, procedures, standards and guidelines must be put in place to ensure secure operation of memory card and USB drives. Further, an aggressive user awareness program is necessary to effect changes in employee behavior.

SECURITY CONTROLS RELATED TO USBs
1. Security Personnel Education. Flash drives are so small and unobtrusive that they are easily concealed and removed from an enterprise. Physical security personnel should understand USB devices and the risk they present.

2. The Lock Desktop Policy Enforcement. In higher-risk environments, desktop computers should be configured to automatically lock after short intervals.

3. Antivirus Policy. Antivirus software should be configured to scan all attached drives and removable media. Users should be trained to scan files before opening them.

4. Use of Secure Devices Only. Enforce the use of encryption. Software is available to manage USBs, enforcing encryption or only accepting encrypted devices.

5. Inclusion of Return Information. If a USB drive is lost or misplaced, including a small, readable text file containing return information may help with device retrieval. It would be prudent to NOT include company details, but rather a phone number or post office box. It also would be prudent to include a legal disclaimer that clearly identifies the information on the drive as confidential and protected by law.

RADIO FREQUENCY IDENTIFICATION
Radio frequency identification (RFID) uses radio waves to identify tagged objects within a limited radius.

Tags consist of a microchip and an antenna. The microchip stores information along with an ID to identify a product, while the antenna transmits the information to an RFID reader.
• Can be used to identify an item based on either direct product identification or carrier identification.
• In the case of the latter, an article’s ID is manually fed into the system (e.g., using a bar code) and is used along with strategically placed radio frequency readers to track and locate the item.

The power needed to drive the tag can be derived in two modes.
• The first mode, used in passive tags, draws power from the incidental radiation arriving from the reader.
• The second and more expensive mode, used in active tags, derives its power from batteries and therefore is capable of using higher frequencies and achieving longer communication distances. An active tag is reusable and can contain more data.

APPLICATIONS OF RFID
1. Asset Management. RFID-based asset management systems are used to manage inventory of any item that can be tagged. Asset management systems using RFID technology offer significant advantages over paper-based or barcode systems, including the ability to read the identifiers of multiple items nearly simultaneously without optical line of sight or physical contact.

2. Tracking. RFID asset management systems are used to identify the location of an item or, more accurately, the location of the last reader that detected the presence of the tag associated with the item.

3. Authenticity Verification. The tag provides evidence of the source of a tagged item. Authenticity verification often is incorporated into a tracking application.

4. Matching. Two tagged items are matched with each other and a signal (e.g., a light or tone) is triggered if one of the items is later matched with an incorrect tagged item.

5. Process Control. This allows business processes to use information associated with a tag (or the item attached to the tag) and to take customized action.

6. Access Control. The system uses RFID to automatically check whether an individual is authorized to physically access a facility (e.g., a gated campus or a specific building) or logically access an information technology system.

7. Supply Chain Management (SCM). SCM involves the monitoring and control of products from manufacture to distribution to retail sale. SCM typically bundles several application types, including asset management, tracking, process control and payment systems.

RISKS ASSOCIATED WITH RFID
1. Business Process Risk. Direct attacks on RFID system components can undermine the business processes that the RFID system was designed to enable.

2. Business Intelligence Risk. An adversary or competitor can gain unauthorized access to RFID-generated information and use the information to harm the interests of the organization implementing the RFID system.

3. Privacy Risk. Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood. The personal possession of functioning tags also is a privacy risk because possession can enable tracking of those tagged items.

4. Externality Risk. RFID technology can represent a threat to non-RFID-networked or non-RFID-collocated systems, assets and people. An important characteristic of RFID that impacts the risk is that RF communication is invisible to operators and users.

SECURITY CONTROLS FOR RFID
1. Management. A management control involves oversight of the security of the RFID system. For example, management staff of an organization may need to update existing policies to address RFID implementations, such as security controls needed for an RF subsystem.

2. Operational. An operational control involves the actions performed on a daily basis by the system’s administrators and users. For example, RFID systems need operational controls that ensure the physical security of the systems and their correct use.

3. Technical. A technical control uses technology to monitor or restrict the actions that can be performed within the system. RFID systems need technical controls for several reasons, such as protecting or encrypting data on tags, causing tags to self-destruct and protecting or encrypting wireless communications.

Controls to protect the tag data:
a. A feature which disables all the tag’s functionalities when it receives a specific “kill” instruction.
b. Cryptography and access control mechanisms to protect from anyone using the “kill” command.
c. Authentication mechanisms where the tag authenticates the reader and/or the reader authenticates the tag.
d. Tamper resistance mechanisms to prevent the tag from being removed from the object to which it is attached.

Controls to protect radio-frequency interface:
a. The use of frequency which avoids specific interference.
b. Adjusting the power level to mitigate the propagation of radio waves and risks of eavesdropping.
c. Shielding of the tag when it is not supposed to operate (to protect against unauthorized access or shielding of the environment to protect against eavesdropping).
d. Temporary deactivation of tags

HARDWARE MAINTENANCE PROGRAM
To ensure proper operation, hardware must be routinely cleaned and serviced. Maintenance requirements vary based on complexity and performance workloads (e.g., processing requirements, terminal access and number of applications running). Maintenance should be scheduled to closely coincide with vendor-provided specifications.

Maintenance is also important for environmental hardware that controls temperature and humidity, fire protection and electrical power. The hardware maintenance program is designed to document the performance of this maintenance.

Information typically maintained by this program includes:
• Reputable service company information for each hardware resource requiring routine maintenance
   o Identified service company for maintenance for each hardware resource requiring routine maintenance
• Maintenance schedule information
• Maintenance cost information
• Maintenance performance history information, such as planned versus unplanned, executed and exceptional

When performing an audit of this area, the IS auditor should:
• Ensure that a formal maintenance plan has been developed and approved by management and is being followed.
• Identify maintenance costs that exceed budget or are excessive. These overages may be an indication of a lack of adherence to maintenance procedures or of upcoming changes to hardware. Proper inquiry and follow-up procedures should be performed.

HARDWARE MONITORING PROCEDURES
1. Availability Reports. These reports indicate the time periods during which the computer is in operation and available for use by users or other processes (logs). A key concern addressed by this report is excessive IS unavailability, referred to as downtime. This unavailability may indicate inadequate hardware facilities, excessive OS maintenance, the need for preventive maintenance, inadequate environmental facilities (e.g., power supply or air conditioning) or inadequate training for operators.

2. Hardware Error Reports. These reports identify CPU, I/O, power and storage failures. These reports should be reviewed by IS operations management to ensure that equipment is functioning properly, to detect failures and to initiate corrective action. The IS auditor should be aware that attribution of an error in hardware or software is not necessarily easy and immediate. Reports should be checked for intermittent or recurring problems, which might indicate difficulties in properly diagnosing the errors.

3. Asset Management Reports. These reports provide an inventory of network-connected equipment, such as PCs, servers, routers and other devices.

4. Utilization Reports. These automated reports document the use of the machine and peripherals. Software monitors are used to capture utilization measurements for processors, channels and secondary storage media, such as disk and tape drives. Depending on the OS, resource utilization for multiuser computing environments found in mainframe/large-scale computers should average in the 85 to 95 percent range, with allowances for utilization occasionally reaching 100 percent and falling below 70 percent. Trends from utilization reports can be used by IS management to predict whether more or fewer processing resources are required.

HARDWARE REVIEWS
1. Hardware Acquisition Plan
   o Is the plan aligned with business requirements?
   o Is the plan aligned with the enterprise architecture?
   o Is the plan compared regularly to business plans to ensure continued synchronization with business requirements?
   o Is the plan synchronized with IS plans?
   o Have criteria for the acquisition of hardware been developed?
   o Is the environment adequate to accommodate the currently installed hardware and new hardware to be added under the approved hardware acquisition plan?
   o Are the hardware and software specifications, installation requirements and the likely lead time associated with planned acquisitions adequately documented?

2. Acquisition of Hardware
   o Is the acquisition in line with the hardware acquisition plan?
   o Have the IS management staff issued written policy statements regarding the acquisition and use of hardware, and have these statements been communicated to the users?
   o Have procedures and forms been established to facilitate the acquisition approval process?
   o Are requests accompanied by a cost-benefit analysis?
   o Are purchases routed through the purchasing department to streamline the process, avoid duplications, ensure compliance with tendering requirements and legislation and to take advantage of quantity and quality benefits such as volume discounts?

3. IT Asset Management
   o Has the hardware been tagged?
   o Has an owner been designated?
   o Where will the hardware be located?
   o Have we retained a copy of the contracts/SLAs?

4. Capacity Management and Monitoring
   o Are criteria used in the hardware performance monitoring plan based on historical data and analysis obtained from the IS trouble logs, processing schedules, job accounting system reports, preventive maintenance schedules and reports?
   o Is continuous review performed of hardware and system software performance and capacity?
   o Is monitoring adequate for equipment that has been programmed to contact its manufacturer (without manual or human intervention) in the case of equipment failure?

5. Preventive Maintenance Schedule
   o Is the prescribed maintenance frequency recommended by the respective hardware vendors being observed?
   o Is maintenance performed during off-peak workload periods?
   o Is preventive maintenance performed at times other than when the system is processing critical or sensitive applications?

6. Hardware Availability and Utilization Reports
   o Is scheduling adequate to meet workload schedules and user requirements?
   o Is scheduling sufficiently flexible to accommodate required hardware preventive maintenance?
   o Are IS resources readily available for critical application programs?

7. Problem Logs, Job Accounting System Reports
   o Have IS management staff reviewed hardware malfunctions, reruns, abnormal system terminations and operator actions?

MODULE 2: IT ASSET MANAGEMENT, JOB SCHEDULING, AND PRODUCTION PROCESS AUTOMATION

An asset is something of either tangible or intangible value that is worth protecting and includes people, information, infrastructure, finances and reputation. However, an asset cannot be effectively protected or managed if it is not identified. Likewise, it makes it more difficult to protect an asset if its location is unknown or no owner is assigned.

IT ASSET MANAGEMENT
The first step in IT asset management is the process of identifying and creating an inventory of IT assets.

The inventory record of each information asset should include:
a. Owner
b. Designated Custodian (Should be different from the owner)
c. Specific identification of the asset (Ex. Product Code)
d. Relative value to the organization
e. Loss implications and recovery priority
f. Location
g. Security/Risk Classification
h. Asset group

Common methods to build the initial inventory include consulting the purchasing system, reviewing contracts and reviewing the software currently installed, using tools, such as Microsoft® System Center Configuration Manager, Spiceworks and ManageEngine.

IT asset management is a fundamental prerequisite to developing a meaningful security strategy. Developing a list of assets is the first step in managing software licenses and classifying and protecting information assets.

IT asset management should be employed for software and hardware assets. It is common to physically tag hardware assets.

JOB SCHEDULING AND PRODUCTION PROCESS AUTOMATION
In complex IS environments, computer systems transfer hundreds to thousands of data files daily. A job schedule is typically created that lists the jobs that must be run and the order in which they are run, including any dependencies. Due to the inherent complexity of this process, automated job scheduling software provides control over the scheduling process. In addition to the scheduling of batch jobs, job scheduling software can be used to schedule tape backups and other maintenance activities.

Job scheduling is a major function within the IT department. The schedule includes the jobs that must be run, the sequence of job execution and the conditions that cause program execution. Low-priority jobs can also be scheduled, if time becomes available.

High-priority jobs should be given optimal resource availability, and maintenance functions (such as backup and system reorganization) should, if possible, be performed during nonpeak times. Schedules provide a means of keeping customer demand at a manageable level and permit unexpected or on-request jobs to be processed without unnecessary delay.

Job scheduling procedures are necessary to ensure that IS resources are used optimally, based on processing requirements. Applications are increasingly required to be continually available; therefore, job scheduling (maintenance or long processing times) represents a greater challenge than before.

JOB SCHEDULING SOFTWARE
Job scheduling software is a system software used by installations that process a large number of batch routines. The scheduling software sets up daily work schedules and automatically determines which jobs are to be submitted to the system for processing.
   o Job information is set up only once, reducing the probability of an error.
   o Job dependencies are defined so that if a job fails, subsequent jobs relying on its output will not be processed. (“Which job should be finished first in order to proceed to the next one?”)
   o Records are maintained of all job successes and failures.
   o Security over access to production data can be provided.
   o Reliance on operators is reduced.

SCHEDULING REVIEWS
The following describes an audit approach to be considered when reviewing workload job scheduling and personnel scheduling.

AREAS TO REVIEW AND QUESTIONS TO CONSIDER

Areas to review:
• Regularly scheduled applications
• Input deadlines
• Data preparation time
• Estimated processing time
• Output deadlines
• Procedures for collecting, reporting and analyzing key performance indicators
Questions to consider:
   o Are the items included in SLAs?
   o Are the items functioning according to the SLAs?

Area to review: Job Schedule
Questions to consider:
   o Have critical applications been identified and the highest priority assigned to them?
   o Have processing priorities been established for other applications and are the assigned priorities justified?
   o Is scheduling of rush/rerun jobs consistent with their assigned priority?
   o Do scheduling procedures facilitate optimal use of computer resources while meeting service requirements?
   o Do operators record jobs that are to be processed and the required data files?
   o Do operators schedule jobs for processing on a predetermined basis and perform them using either automated scheduling software or a manual schedule?

Area to review: Daily Job Schedule
Questions to consider:
   o Is the number of personnel assigned to each shift adequate to support the workload?
   o Does the daily job schedule serve as an audit trail? Does the schedule provide each shift of computer operators with the work to be carried out, the sequence in which programs are to be run and indication when lower-priority work can be performed?
   o At the end of a shift, does each operator pass to the work scheduler or the next shift of operators a statement of the work completed and the reasons any scheduled work was not finished?

Area to review: Console Log
Questions to consider:
   o Were jobs run and completed according to the schedule?
   o If not, are the reasons valid?

Area to review: Exception Processing Logs
Questions to consider:
   o Do operators obtain written or electronic approval from owners when scheduling request-only jobs?
   o Do operators record all exception processing requests?
   o Do operators review the exception processing request log to determine the appropriateness of procedures performed?

Area to review: Reexecuted jobs
Questions to consider:
   o Are all reexecutions of jobs properly authorized and logged for IS management review?
   o Are procedures established for rerunning jobs to ensure that the correct input files are being used and subsequent jobs in the sequence also are rerun, if appropriate?

Area to review: Personnel
Questions to consider:
   o Are personnel who are capable of assigning, changing job schedules or job priorities authorized to do so?

MODULE 3: SYSTEM INTERFACES AND END-USER COMPUTING (EUC), DATA GOVERNANCE

SYSTEM
A set of elements including hardware and software, that work together to run one or more computers. System interfaces exist where data output from one application is sent as input to another, with little or no human interaction. Interfaces that involve humans are usually called user interfaces.

SYSTEM INTERFACES
System interfaces provide the ability to transfer data even if the systems use different programming languages or were created by different developers.

centralized methodology for tracking and managing system interfaces and that there are documentation and audit trails for relevant government regulations. Unmanaged interfaces can add to risk regarding data security, privacy and error.

It is critical that organizations are able to rely on the integrity of the data exchanged through system interfaces. If an interface is not functioning correctly, one possible consequence is that incorrect management reports (e.g., research, financial, intelligence, performance, and competitive) have a significant negative impact on a business and decision-making. Beyond an effect on business value, even a small error can invoke potential legal compliance liability.
This offers organizations a greater level of flexibility to choose the SECURITY ISSUES WITH SYSTEM applications that best serve different areas even INTERFACES if those areas need to share data. The primary objective of maintaining security of data being transferred through system Generally, data transfers through system interfaces is to ensure that the data is interfaces can be sorted into three categories: intended to be extracted from the originating 1. System-to system. Occurs when data system are the same as the data that were is transferred between two systems, downloaded and recorded in the recipient whether internal or external. Data ma system. The data need to be protected and also be transferred to specialized tools secured throughout the transfer process. for analysis. These uses have increased in part because of the growing The secondary objective is to prevent popularity of business analytics, which unauthorized access to data via interception, involves transferring data from a malicious activity, error or other means. repository to an analytic tool to obtain Unavailability of system interfaces can also intelligence and insights via data mining. affect the reliability of data. 2. Partner-to-partner. Occurs when two partners (those who are involved in CONTROLS ASSOCIATED WITH SYSTEM your supply chain, from your suppliers to INTERFACES customers) are continuously transferring The IS Auditor should ensure that the data back and forth across agreed-upon organization has a program that tracks and systems. These transfers are generally manages all system interfaces and data done on a regular basis. Example of transfers, whether internal or external, in line such is the communication between a with the business needs and goals. company and their suppliers, concerning their inventory levels. This includes the ability to see all the transfers 3. Person-to-person. This is often the made, including those that are ad hoc, whether most unnoticed and unmanaged. 
They the organization is using a commercial or can be as easy as attaching a data file custom managed file transfer (MFT) system. to an email and sending it. These forms of transfer tend to be more difficult to IS Auditor should ensure that the program is observe, manage, secure, and control. able to: 1. Manage multiple file transfer RISKS ASSOCIATE WITH SYSTEM mechanisms INTERFACES 2. Use multiple protocols. Recognizing this growth, organizations are 3. Automatically encrypt, decrypt and focusing more on ensuring that there is a electronically sign data files. 4. Compress/decompress data files. encryption and/or digital signatures or 5. Connect to common database approved some information. servers. 6. Send and receive files via email and To ensure that an audit trail is associated with secure email. the system interface, the organization needs to 7. Automatically schedule regular data capture important information, including: transfers. a. Who sent the data, w 8. Analyze, track, and report any b. When they were sent, w attributes of the data being transferred. c. When they were received, w 9. Ensure compliance with appropriate d. What data structure (e.g., xls, csv, txt or regulatory laws and mandates. xml) was used, 10. Offer a checkpoint or restart e. How the data were sent, and w capability for interruptions. f. Who received the data. 11. Integrate with back-office applications (e.g., MS Office) to automate data This includes assessing automated logs of transfers as much as feasible. servers along the path, especially if the data are transmitted to an external system where Controls need to be implemented with the they touch multiple Internet hosts and are objective of ensuring that the data residing on more exposed to hackers and the sending system are precisely the same cybercriminals. data that are recorded on the receiving system. 
For example, an organization may use a software package that can generate controls during the extraction that automatically reconcile the data after they are recorded on the receiving system.
Although automated controls are generally
preferred over manual controls, another control can be manual reconciliation by running a report of the data sent and comparing it to a report on the data received, This should be done by a qualified person who has the ability to detect material difference in the data.
IS Auditors should also ascertain if the
organization is using encryption, as appropriate for each use, to protect data during the transfer. Encryption is necessary when the risk of unauthorized access or interception is relatively high (e.g., industrial espionage, identity theft, credit card data theft). Additionally, the transfer process may require strong access and authentication controls, and the data files might be password-protected.
There also should be a control over
nonrepudiation, which ensures that the intended recipient is the actual recipient of the data. Nonrepudiation combines the concept of authentication and integrity. This authenticates the identify of a user who performed a transaction and ensures the integrity of that transaction. No party can deny that it sent or received a message via
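The reconciliation control and the audit-trail items described for system interfaces can be sketched as follows. This is an added example, not part of the original notes or of any MFT product; the system names, timestamps, CSV layout and function names are all constructed for illustration.

```python
import csv
import hashlib
import io
from decimal import Decimal

def control_totals(data: bytes, amount_field: str = "amount") -> dict:
    """Controls generated at extraction: record count, amount total, file digest."""
    rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
    total = sum((Decimal(r[amount_field]) for r in rows), Decimal("0"))
    return {
        "records": len(rows),
        "amount_total": str(total),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def reconcile(sent: dict, received: dict) -> list:
    """Return the names of the controls that differ; an empty list means a match."""
    return [name for name in sent if sent[name] != received.get(name)]

def audit_entry(sender, sent_at, received_at, structure, method, recipient, diff):
    """One audit-trail record: the six items listed above plus the outcome."""
    return {
        "sent_by": sender, "sent_at": sent_at, "received_at": received_at,
        "data_structure": structure, "how_sent": method, "received_by": recipient,
        "reconciled": not diff, "mismatched_controls": diff,
    }

# Constructed sample data: the extract as sent, a copy with one amount altered
# in transit, and a copy that lost its last record.
SENT = b"invoice,amount\nA-100,250.00\nA-101,99.50\nA-102,10.25\n"
ALTERED = b"invoice,amount\nA-100,250.00\nA-101,999.50\nA-102,10.25\n"
TRUNCATED = b"invoice,amount\nA-100,250.00\nA-101,99.50\n"

def transfer(received: bytes) -> dict:
    """Reconcile a received file against the sender's controls and log the result."""
    diff = reconcile(control_totals(SENT), control_totals(received))
    return audit_entry("erp-batch", "2024-01-01T02:00:00Z", "2024-01-01T02:00:07Z",
                       "csv", "sftp", "dw-loader", diff)

if __name__ == "__main__":
    for label, payload in (("intact", SENT), ("altered", ALTERED), ("truncated", TRUNCATED)):
        print(label, transfer(payload))
```

The record count alone does not catch the altered amount; the amount total and the digest do, which is why extraction controls usually combine several totals.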
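For the job scheduling software described under MODULE 2 (dependencies defined so that a failed job blocks the jobs relying on its output, with a record kept of every success and failure), the following added example shows that behaviour. It is not taken from any scheduling product; the job names and the `run_schedule` function are constructed for illustration.

```python
from graphlib import TopologicalSorter  # standard library, Python 3.9+

def run_schedule(jobs: dict, deps: dict) -> dict:
    """Run jobs in dependency order and return job -> success | failed | skipped.

    jobs maps a job name to a callable that returns True on success.
    deps maps a job name to the set of jobs whose output it relies on.
    """
    unknown = {d for needed in deps.values() for d in needed} - set(jobs)
    if unknown:
        raise ValueError(f"dependencies on undefined jobs: {sorted(unknown)}")
    log = {}
    # static_order() raises graphlib.CycleError if the schedule is circular.
    order = TopologicalSorter({j: deps.get(j, set()) for j in jobs}).static_order()
    for job in order:
        blocked = [d for d in deps.get(job, ()) if log[d] != "success"]
        if blocked:
            log[job] = "skipped"  # an upstream job failed or was itself skipped
            continue
        try:
            log[job] = "success" if jobs[job]() else "failed"
        except Exception:
            log[job] = "failed"   # a crashing job is recorded, not propagated
    return log

# Constructed nightly schedule: validation fails, so load and report must not
# run, while the independent backup job still does.
JOBS = {
    "extract": lambda: True,
    "validate": lambda: False,
    "load": lambda: True,
    "report": lambda: True,
    "backup": lambda: True,
}
DEPS = {"validate": {"extract"}, "load": {"validate"}, "report": {"load"}}

if __name__ == "__main__":
    for name, outcome in run_schedule(JOBS, DEPS).items():
        print(f"{name:10s} {outcome}")
```

The returned log is the record an auditor would compare against the console log when asking whether jobs were run and completed according to the schedule.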